当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-080738

漏洞标题:4个 大学OA系统 SQL注入打包

相关厂商:CCERT教育网应急响应组

漏洞作者: 小饼仔

提交时间:2014-10-27 12:19

修复时间:2014-12-11 12:20

公开时间:2014-12-11 12:20

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(CCERT教育网应急响应组)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-10-27: 细节已通知厂商并且等待厂商处理中
2014-10-31: 厂商已经确认,细节仅向厂商公开
2014-11-10: 细节向核心白帽子及相关领域专家公开
2014-11-20: 细节向普通白帽子公开
2014-11-30: 细节向实习白帽子公开
2014-12-11: 细节向公众公开

简要描述:

4个大学OA SQL注入打包,能否不走小厂商,上个首页!

详细说明:

1.同济大学协同办公系统
地址:http://oa.tongji.edu.cn/login/Login.jsp?logintype=1
POST请求

POST /login/VerifyLogin.jsp HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://oa.tongji.edu.cn/wui/theme/ecology7/page/login.jsp?templateId=21&logintype=1&gopage=&languageid=7&message=17
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Content-Length: 247
DNT: 1
Host: oa.tongji.edu.cn
Pragma: no-cache
Cookie: JSESSIONID=abcwZomBNBpky5jhbJPKu; testBanCookie=test
loginfile=%2Fwui%2Ftheme%2Fecology7%2Fpage%2Flogin.jsp%3FtemplateId%3D21%26logintype%3D1%26gopage%3D&logintype=1&fontName=%CE%A2%C8%ED%D1%C5%BA%DA&message=17&gopage=&formmethod=post&rnd=&serial=&username=&isie=true&loginid=a&userpassword=a&submit=


证明:

同济OA证明.png


2. 天津外国语大学oa
地址:http://oa.tjfsu.edu.cn/login.asp
post请求

POST /loginverify.asp HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://oa.tjfsu.edu.cn/login.asp
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Content-Length: 38
DNT: 1
Host: oa.tjfsu.edu.cn
Pragma: no-cache
Cookie: ASPSESSIONIDAQCDCARR=HECPCHACBNFCNCJECFGKFNNG; CNZZDATA1000434362=881530955-1413746308-%7C1413746308
Digest=&urlFrom=&username=a&password=a


证明

天津外国语大学.png


3. 西南林业大学OA
地址:http://oa.swfu.edu.cn/thinkeroa/
post请求:

POST /thinkeroa/ HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://oa.swfu.edu.cn/thinkeroa/
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Content-Length: 365
DNT: 1
Host: oa.swfu.edu.cn
Pragma: no-cache
Cookie: ASP.NET_SessionId=ah4242h012gmy3ibjsy5dpbh
__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwULLTE2OTYxMTMyNTRkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYBBQhidG5Mb2dpbtOux9I9C%2BNIgNDwIOBO3b0aNvY68fNKNOU2x6KvV0W4&__VIEWSTATEGENERATOR=D101C769&__EVENTVALIDATION=%2FwEWBAKS4IK6BAKUj8fhDAKd%2B7qdDgKC3IeGDD%2BkJC4qTKBqogjay%2FvZ3g1wtz3ar2mMYmzvG%2B0EgLb4&txtAccount=a&txtPwd=a&btnLogin.x=23&btnLogin.y=12


证明:

xnlydx.png


4. 河北职业技术学院OA
地址:http://oa.hbsi.edu.cn/
post请求

POST /Login.MSPX HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://oa.hbsi.edu.cn/
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Content-Length: 23
DNT: 1
Host: oa.hbsi.edu.cn
Pragma: no-cache
Cookie: ASPSESSIONIDAQCSRSTC=PCHFBBIBJMMFNABIPEIMKKOB
txtUserLogin=a&txtPWD=a


证明:

hboa.png

漏洞证明:

修复方案:

能否别走小厂商!

版权声明:转载请注明来源 小饼仔@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:8

确认时间:2014-10-31 11:24

厂商回复:

正在通知相关学校处理

最新状态:

暂无