当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-067397

漏洞标题:河南教育网某分站存在SQL注入漏洞

相关厂商:河南教育网

漏洞作者: 浮萍

提交时间:2014-07-04 16:46

修复时间:2014-08-18 16:48

公开时间:2014-08-18 16:48

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:10

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-07-04: 积极联系厂商并且等待厂商认领中,细节不对外公开
2014-08-18: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

还有几个洞没给审呢

详细说明:

河南教育网分站http://book.haedu.cn/book/view.asp?bh=278818

Snap16.jpg


Snap17.jpg


服务器和数据库类型

web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Oracle
banner:    'Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - 64bi'
current user:    'HAEDU'
current schema (equivalent to database on Oracle):    'HAEDU'
current user is DBA:    True


其中数据库

available databases [25]:
[*] BJ_ERP
[*] BODANI
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] ERP2
[*] ERP2_TEST
[*] EXFSYS
[*] HAEDU
[*] KGBOOK
[*] MAIWANG1KG
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TANFU
[*] TEST
[*] TEST_KGBOOK
[*] TONGSHU
[*] TSMSYS
[*] WMSYS
[*] XDB


HAEDU中的表

Database: HAEDU
[114 tables]
+------------------------+
| DIMING                 |
| DV_ACTION              |
| DV_BAOZHANG            |
| DV_BASE                |
| DV_BOOKCOUPON          |
| DV_BOOKSHELF           |
| DV_BOOKWARNING         |
| DV_BOOK_HOT            |
| DV_BT                  |
| DV_CART                |
| DV_CHAT                |
| DV_CLIENTMODULE        |
| DV_CUXIAO              |
| DV_CUXIAO_ITEM         |
| DV_DEPART              |
| DV_DISPATCH_BOOK       |
| DV_DISPATCH_PLAN       |
| DV_DISPATCH_PLAN_PLAT  |
| DV_ERP_PARA            |
| DV_FANKUI              |
| DV_FAVORITE            |
| DV_FOCUSBOOK           |
| DV_HUODONG             |
| DV_KC_ITEM             |
| DV_LB2                 |
| DV_LB3                 |
| DV_LB31                |
| DV_LB_INDEX            |
| DV_LB_INDEX_ITEM       |
| DV_LOSTBOOK            |
| DV_MODULE              |
| DV_NEWS                |
| DV_ORDER               |
| DV_ORDERITEM           |
| DV_ORDER_ITEM_IMPORT   |
| DV_PIC                 |
| DV_PINDAO              |
| DV_PINDAO_ITEM         |
| DV_PLAT                |
| DV_PLAT_LINK           |
| DV_PLAT_MAC            |
| DV_PLAT_USER           |
| DV_PROMOTORDER_ITEM_KC |
| DV_QIANGGOU            |
| DV_REPORT_BOOK         |
| DV_REPORT_FS           |
| DV_REPORT_FS_SEASON    |
| DV_REPORT_PROJECT      |
| DV_ROLE                |
| DV_ROLEUSER_PLAT       |
| DV_ROLE_ACTION         |
| DV_ROLE_MODULE         |
| DV_ROLE_USER           |
| DV_SEARCH              |
| DV_SITE                |
| DV_SITE_BOOK           |
| DV_SUMPLAT             |
| DV_SUMPLAT_PLAT        |
| DV_TEMP_ORDER          |
| DV_TEMP_ORDER_ITEM     |
| DV_TOP                 |
| DV_TOP_ITEM            |
| DV_TUIJIE              |
| DV_TUIJIE_ITEM         |
| DV_USER                |
| DV_USER_ZSY            |
| DV_VIEW_LOG            |
| ERP_BASE               |
| ERP_BASE_BZBOOK_ITEM   |
| ERP_BASE_HOTBOOK_ITEM  |
| ERP_BASE_HOT_ITEM      |
| ERP_BASE_OLD           |
| ERP_BASE_TBTJ_ITEM     |
| ERP_BASE_TJBOOK_ITEM   |
| ERP_CBS                |
| ERP_CBS_TMP            |
| ERP_CHEAP              |
| ERP_FS                 |
| ERP_FS_DZ              |
| ERP_JK                 |
| ERP_LB                 |
| ERP_LB2                |
| ERP_LB3                |
| ERP_LOGIN              |
| ERP_MODULE             |
| ERP_NEWS               |
| ERP_NEWS_READ          |
| ERP_NEW_LB             |
| ERP_ORDERITEM_ERP      |
| ERP_PART               |
| ERP_PART_MODULE        |
| ERP_PICK               |
| ERP_PICK_ITEM          |
| ERP_PICK_ITEM_BOOK     |
| ERP_PLUS               |
| ERP_RK_USER            |
| ERP_ROLL               |
| ERP_TSD_DBF            |
| ERP_USER               |
| ERP_USER_MODULE        |
| ERP_YCK_CBS            |
| ERP_YCK_DW             |
| ERP_YCK_FS             |
| ERP_YCK_USER           |
| ERP_YF                 |
| ERP_YF_ITEM            |
| ERP_YF_ITEM_SUB        |
| ERP_ZK_MANAGEMENT      |
| ERP_ZTF_TYPE           |
| MAIWANG_COMMODITY      |
| PLAN_TABLE             |
| SHIBAIDV_USER          |
| TEMPBOOK               |
| TESTBH                 |
+------------------------+


漏洞证明:

河南教育网分站http://book.haedu.cn/book/view.asp?bh=278818

Snap16.jpg


Snap17.jpg


服务器和数据库类型

web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Oracle
banner:    'Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - 64bi'
current user:    'HAEDU'
current schema (equivalent to database on Oracle):    'HAEDU'
current user is DBA:    True


其中数据库

available databases [25]:
[*] BJ_ERP
[*] BODANI
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] ERP2
[*] ERP2_TEST
[*] EXFSYS
[*] HAEDU
[*] KGBOOK
[*] MAIWANG1KG
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TANFU
[*] TEST
[*] TEST_KGBOOK
[*] TONGSHU
[*] TSMSYS
[*] WMSYS
[*] XDB


HAEDU中的表

Database: HAEDU
[114 tables]
+------------------------+
| DIMING                 |
| DV_ACTION              |
| DV_BAOZHANG            |
| DV_BASE                |
| DV_BOOKCOUPON          |
| DV_BOOKSHELF           |
| DV_BOOKWARNING         |
| DV_BOOK_HOT            |
| DV_BT                  |
| DV_CART                |
| DV_CHAT                |
| DV_CLIENTMODULE        |
| DV_CUXIAO              |
| DV_CUXIAO_ITEM         |
| DV_DEPART              |
| DV_DISPATCH_BOOK       |
| DV_DISPATCH_PLAN       |
| DV_DISPATCH_PLAN_PLAT  |
| DV_ERP_PARA            |
| DV_FANKUI              |
| DV_FAVORITE            |
| DV_FOCUSBOOK           |
| DV_HUODONG             |
| DV_KC_ITEM             |
| DV_LB2                 |
| DV_LB3                 |
| DV_LB31                |
| DV_LB_INDEX            |
| DV_LB_INDEX_ITEM       |
| DV_LOSTBOOK            |
| DV_MODULE              |
| DV_NEWS                |
| DV_ORDER               |
| DV_ORDERITEM           |
| DV_ORDER_ITEM_IMPORT   |
| DV_PIC                 |
| DV_PINDAO              |
| DV_PINDAO_ITEM         |
| DV_PLAT                |
| DV_PLAT_LINK           |
| DV_PLAT_MAC            |
| DV_PLAT_USER           |
| DV_PROMOTORDER_ITEM_KC |
| DV_QIANGGOU            |
| DV_REPORT_BOOK         |
| DV_REPORT_FS           |
| DV_REPORT_FS_SEASON    |
| DV_REPORT_PROJECT      |
| DV_ROLE                |
| DV_ROLEUSER_PLAT       |
| DV_ROLE_ACTION         |
| DV_ROLE_MODULE         |
| DV_ROLE_USER           |
| DV_SEARCH              |
| DV_SITE                |
| DV_SITE_BOOK           |
| DV_SUMPLAT             |
| DV_SUMPLAT_PLAT        |
| DV_TEMP_ORDER          |
| DV_TEMP_ORDER_ITEM     |
| DV_TOP                 |
| DV_TOP_ITEM            |
| DV_TUIJIE              |
| DV_TUIJIE_ITEM         |
| DV_USER                |
| DV_USER_ZSY            |
| DV_VIEW_LOG            |
| ERP_BASE               |
| ERP_BASE_BZBOOK_ITEM   |
| ERP_BASE_HOTBOOK_ITEM  |
| ERP_BASE_HOT_ITEM      |
| ERP_BASE_OLD           |
| ERP_BASE_TBTJ_ITEM     |
| ERP_BASE_TJBOOK_ITEM   |
| ERP_CBS                |
| ERP_CBS_TMP            |
| ERP_CHEAP              |
| ERP_FS                 |
| ERP_FS_DZ              |
| ERP_JK                 |
| ERP_LB                 |
| ERP_LB2                |
| ERP_LB3                |
| ERP_LOGIN              |
| ERP_MODULE             |
| ERP_NEWS               |
| ERP_NEWS_READ          |
| ERP_NEW_LB             |
| ERP_ORDERITEM_ERP      |
| ERP_PART               |
| ERP_PART_MODULE        |
| ERP_PICK               |
| ERP_PICK_ITEM          |
| ERP_PICK_ITEM_BOOK     |
| ERP_PLUS               |
| ERP_RK_USER            |
| ERP_ROLL               |
| ERP_TSD_DBF            |
| ERP_USER               |
| ERP_USER_MODULE        |
| ERP_YCK_CBS            |
| ERP_YCK_DW             |
| ERP_YCK_FS             |
| ERP_YCK_USER           |
| ERP_YF                 |
| ERP_YF_ITEM            |
| ERP_YF_ITEM_SUB        |
| ERP_ZK_MANAGEMENT      |
| ERP_ZTF_TYPE           |
| MAIWANG_COMMODITY      |
| PLAN_TABLE             |
| SHIBAIDV_USER          |
| TEMPBOOK               |
| TESTBH                 |
+------------------------+


修复方案:

版权声明:转载请注明来源 浮萍@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝

漏洞评价:

评论

  1. 2014-07-04 16:52 | 浮萍 ( 普通白帽子 | Rank:555 漏洞数:118 | 默默潜水)

    @xss@疯狗求审核http://www.wooyun.org/bugs/wooyun-2014-066956/trace/45132eae6c31be5325e6a36dd732e441 http://www.wooyun.org/bugs/wooyun-2014-067211/trace/b763a44568b7397e4bb51fe585094415 http://www.wooyun.org/bugs/wooyun-2014-067215/trace/868998f6ccf55643d4701e80d7b5888d http://www.wooyun.org/bugs/wooyun-2014-067336/trace/82cb39e064a2cbde4ccc58da750cd2f5还有几个