当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-059712

漏洞标题:某高校学生管理系统存在通用SQL注入(安全机制绕过技巧)

相关厂商:Cncert国家互联网应急中心

漏洞作者: U神

提交时间:2014-05-07 00:03

修复时间:2014-06-21 00:04

公开时间:2014-06-21 00:04

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-05-07: 细节已通知厂商并且等待厂商处理中
2014-05-10: 厂商已经确认,细节仅向厂商公开
2014-05-20: 细节向核心白帽子及相关领域专家公开
2014-05-30: 细节向普通白帽子公开
2014-06-09: 细节向实习白帽子公开
2014-06-21: 细节向公众公开

简要描述:

大家都听说Cncert要发钱了,都吓得坐地上了,当时大家接到消息就以为要查水表了~吓得我也坐地上了=_=!!

详细说明:

#1.由奥达软件开发的一所高校管理系统存在注入漏洞,注入漏洞发生在登录框中虽然存在s的判断用户数据提交的合法性,但是这都是可以绕过的=_=!
例子:

http://202.***.***.50/login/loginpageforuserb.aspx?LogoutURL=%2flogin


04.jpg


01.jpg


看看登录页面源代码,可以看到的确是JS限制了=_=!

<script type="text/javascript">
//<![CDATA[
var VS___Page = document.all ? document.all["VS___Page"] : document.getElementById("VS___Page");
VS___Page.headertext = "您的输入有以下错误:";
VS___Page.showmessagebox = "True";
VS___Page.showsummary = "False";
var RFV_txtUserId = document.all ? document.all["RFV_txtUserId"] : document.getElementById("RFV_txtUserId");
RFV_txtUserId.controltovalidate = "txtUserId";
RFV_txtUserId.errormessage = "[用户名]不能为空!";
RFV_txtUserId.display = "None";
RFV_txtUserId.evaluationfunction = "RequiredFieldValidatorEvaluateIsValid";
RFV_txtUserId.initialvalue = "";
var REV_txtUserId = document.all ? document.all["REV_txtUserId"] : document.getElementById("REV_txtUserId");
REV_txtUserId.controltovalidate = "txtUserId";
REV_txtUserId.errormessage = "[用户名]格式错误,正确形式:不允许输入英文单引号\'";
REV_txtUserId.display = "None";
REV_txtUserId.evaluationfunction = "RegularExpressionValidatorEvaluateIsValid";
REV_txtUserId.validationexpression = "[^\']*";
var RFV_txtPwd = document.all ? document.all["RFV_txtPwd"] : document.getElementById("RFV_txtPwd");
RFV_txtPwd.controltovalidate = "txtPwd";
RFV_txtPwd.errormessage = "[密码]不能为空!";
RFV_txtPwd.display = "None";
RFV_txtPwd.evaluationfunction = "RequiredFieldValidatorEvaluateIsValid";
RFV_txtPwd.initialvalue = "";
var REV_txtPwd = document.all ? document.all["REV_txtPwd"] : document.getElementById("REV_txtPwd");
REV_txtPwd.controltovalidate = "txtPwd";
REV_txtPwd.errormessage = "[密码]格式错误,正确形式:不允许输入英文单引号\'";
REV_txtPwd.display = "None";
REV_txtPwd.evaluationfunction = "RegularExpressionValidatorEvaluateIsValid";
REV_txtPwd.validationexpression = "[^\']*";
//]]>
</script>


抓包吧=_=!!然后我们继续提交,绕过本地JS限制=_=!!

02.jpg


枚举几个案例<警:以下案例仅供Cncert复现测试,其它人不得非法使用,否则后果自负>:

http://zhaojiu.xzmy.edu.cn/login/loginpageforuserb.aspx?LogoutURL=/login&c=1  西藏民族学院
http://job.***.edu.cn/Login/loginpageforuserb.aspx?LogoutURL=
http://202.***.***.50/login/loginpageforuserb.aspx?LogoutURL=/login
http://202.***.***.29/Login/loginpageforuserb.aspx?LogoutURL=/login
http://202.***.***.62:5002/Login/LoginPageForuserB.aspx
http://xg.***.edu.cn/Login/loginpageforuserb.aspx?LogoutURL=/login&c=1
http://219.***.***.28/login/loginpageforstudentb.aspx


漏洞证明:

以某科技大学为例演示:

http://202.***.***.50/login/loginpageforuserb.aspx?LogoutURL=/login


03.jpg


Database: Studwork6
[353 tables]
+-------------------------------+
| dbo.I$_tstud_Student |
| dbo.J$tsys_NoticeType |
| dbo.JV$Dtsys_NoticeType |
| dbo.JV$tsys_NoticeType |
| dbo.SNP_CDC_OBJECTS |
| dbo.SNP_CDC_SET |
| dbo.SNP_CDC_SET_TABLE |
| dbo.SNP_CDC_SUBS |
| dbo.SNP_CHECK_TAB |
| dbo.VoteList |
| dbo.Vsign_AgtRegistry |
| dbo.Vsign_AgtRegistryFell |
| dbo.Vsign_AgtRegistryOrder |
| dbo.[Vdorm_buildingInfo【不用】] |
| dbo.[tDorm_User[不用] |
| dbo.[tsys_Modules_测试] |
| dbo.[tsys_NoticeType学工网站] |
| dbo.[vDorm_OccupiedRoom[不用] |
| dbo.dtproperties |
| dbo.qg |
| dbo.setup |
| dbo.sysconstraints |
| dbo.syssegments |
| dbo.tAcc_File |
| dbo.tCadreGroup_state |
| dbo.tCadre_dimission |
| dbo.tCode_DeregReason |
| dbo.tDerate_Temp |
| dbo.tDorm_Area |
| dbo.tDorm_Bed |
| dbo.tDorm_Building |
| dbo.tDorm_ChargeHistory |
| dbo.tDorm_History |
| dbo.tDorm_RewardHistory |
| dbo.tDorm_Room |
| dbo.tDorm_RoomMaster |
| dbo.tDorm_RoomType |
| dbo.tDrom_BuildingUser |
| dbo.tEmp_BothMeeting |
| dbo.tEmp_BothMeetingUnit |
| dbo.tEmp_BothMeetingUnitSpec |
| dbo.tEmp_UnitVideo |
| dbo.tEmp_ViewCounter |
| dbo.tEmp_codeComputerLevel |
| dbo.tEmp_codeLiteracyDegree |
| dbo.tEmp_codeMandarin |
| dbo.tEmp_codeUnitEconomyType |
| dbo.tEmp_codeUnitLevel |
| dbo.tEmp_codeUnitSubjection |
| dbo.tEmp_codeUnitTrade |
| dbo.tEmp_codeUnitType |
| dbo.tEmp_codeWageManageType |
| dbo.tEmp_gbRegionalism |
| dbo.tEmp_pblDeptDate |
| dbo.tEmp_pblEmployment |
| dbo.tEmp_pblSpecIntro |
| dbo.tEmp_signAgtRegistry |
| dbo.tEmp_studAcc |
| dbo.tEmp_studFavorite |
| dbo.tEmp_studIntro |
| dbo.tEmp_studTouch |
| dbo.tEmp_unitAcc |
| dbo.tEmp_unitBaseInfo |
| dbo.tEmp_unitEmploy |
| dbo.tEmp_unitFavorite |
| dbo.tFile_Video |
| dbo.tGreen_Apply |
| dbo.tMin_Activity |
| dbo.tMin_InMoney |
| dbo.tMin_OutMoney |
| dbo.tMin_Visit |
| dbo.tPoor_Student |
| dbo.tPoor_StudentRevocation |
| dbo.tPopedom_Atom |
| dbo.tReg_register |
| dbo.tSim_Appraise |
| dbo.tSim_Punish |
| dbo.tSim_Reward |
| dbo.tSloan_Apply |
| dbo.tSloan_ApplyAuditing |
| dbo.tSloan_Condition |
| dbo.tSloan_Exempt |
| dbo.tSloan_ExemptAuditing |
| dbo.tSloan_Repay |
| dbo.tSloan_Type |
| dbo.tSloan_Unit |
| dbo.tStudCadre_Info |
| dbo.tStudCadre_Type |
| dbo.tStudCadre_Unit |
| dbo.tStud_AllowApply |
| dbo.tTemp_Apply |
| dbo.tarm_AwardList |
| dbo.tarm_StudCourse |
| dbo.tarm_StudLevy |
| dbo.tarm_StudRecord |
| dbo.tarm_policy |
| dbo.tarrear_enrol |
| dbo.tarrear_ratify |
| dbo.tarrear_repay |
| dbo.tasl_Affirm |
| dbo.tasl_Bank |
| dbo.tasl_BankAuditing |
| dbo.tasl_BankBargain |
| dbo.tasl_Breach |
| dbo.tasl_Compensate |
| dbo.tasl_End |
| dbo.tasl_Estate |
| dbo.tasl_Extend |
| dbo.tasl_Familial |
| dbo.tasl_Imburse |
| dbo.tasl_LoanType |
| dbo.tasl_Postponed |
| dbo.tasl_SchoolAuditing |
| dbo.tasl_SchoolAuditingIdea |
| dbo.tasl_StudRequisition |
| dbo.tasl_Whither |
| dbo.tbase_Department |
| dbo.tbase_Teacher |
| dbo.tbase_User |
| dbo.tbase_UserID_UserNO |
| dbo.tborrow_enrol |
| dbo.tborrow_ratify |
| dbo.tborrow_repay |
| dbo.tcard_AllowSpec |
| dbo.tcard_InviteUnit |
| dbo.tcard_MakeCard |
| dbo.tcard_ScanCard |
| dbo.tcgb_Folk |
| dbo.tcgb_PolityVisage |
| dbo.tcgb_Regionalism |
| dbo.tcgt_AwardGrade |
| dbo.tcgt_AwardList |
| dbo.tcgt_ClassRelation |
| dbo.tcgt_StudCourse |
| dbo.tcgt_StudRecord |
| dbo.tcgt_stdResultCell |
| dbo.tcgt_stdScale |
| dbo.tcmoe_BloodType |
| dbo.tcmoe_Emigrant |
| dbo.tcmoe_PunishType |
| dbo.tcmoe_RewardLevel |
| dbo.tcmoe_RewardType |
| dbo.tcmoe_StatusChangeCause |
| dbo.tcmoe_StatusChangeType |
| dbo.tcode_Academic |
| dbo.tcode_Aspect |
| dbo.tcode_Degree |
| dbo.tcode_LenOfSchool |
| dbo.tcode_Post |
| dbo.tcode_PsychologyLevel |
| dbo.tcode_StudType |
| dbo.tcode_TeacherRole |
| dbo.tcode_poorType |
| dbo.tcpt_BranchActivity |
| dbo.tcpt_ClassRelation |
| dbo.tcpt_Document |
| dbo.tcpt_MemberStudy |
| dbo.tcpt_PartyActive |
| dbo.tcpt_PartyBranch |
| dbo.tcpt_PartyMember |
| dbo.tcpt_PartyPrep |
| dbo.tcpt_PersonRelation |
| dbo.tcpt_Requisition |
| dbo.tderate_AuditSchooling |
| dbo.tderate_RegSchooling |
| dbo.temp_CodeStudType |
| dbo.temp_SMS |
| dbo.temp_Student |
| dbo.temp_displayitem |
| dbo.tev_ClassAssess |
| dbo.tev_ClassAssessTemp |
| dbo.tev_EvaluatingItem |
| dbo.tev_EvaluatingType |
| dbo.tev_StudAssess |
| dbo.tev_StudAssessTemp |
| dbo.tgreen_Charge |
| dbo.tgreen_temp |
| dbo.titem_DeregType |
| dbo.titem_PartyBranchType |
| dbo.titem_PartyMemberType |
| dbo.titem_PartySchoolType |
| dbo.tlv_Procedure |
| dbo.tlv_RegForGraduate |
| dbo.tlv_Schema |
| dbo.tmem_BookEnrol |
| dbo.tmem_ChooseCadre |
| dbo.tmem_Development |
| dbo.tmem_DevelopmentNum |
| dbo.tmem_MemBerDocment |
| dbo.tmem_MemCharge |
| dbo.tmem_Member |
| dbo.tmem_OrgType |
| dbo.tmem_Party |
| dbo.tmem_PartyNum |
| dbo.tmem_Record |
| dbo.tmem_Rewards |
| dbo.tmem_TrainDepartment |
| dbo.tmem_TrainManInfo |
| dbo.tmem_orgMan |
| dbo.tmem_organization |
| dbo.tmema_ActivityApply |
| dbo.tmema_ActivityAudit |
| dbo.tmema_ActivityField |
| dbo.tmema_AssnJob |
| dbo.tmema_AssnMember |
| dbo.tmemp_Activity |
| dbo.tmemp_ComAuthor |
| dbo.tmemp_ComManuscript |
| dbo.tmemp_ComReport |
| dbo.tmemp_PublicationIssue |
| dbo.tmemp_PulicJob |
| dbo.tpopedom_UserBackManage |
| dbo.tpopedom_UserModule |
| dbo.tpsy_BBSMain |
| dbo.tpsy_BBSRestore |
| dbo.tpsy_Dossier |
| dbo.tpsy_Emphases |
| dbo.tpsy_Preengage |
| dbo.tpsy_Talk |
| dbo.tpsy_Work |
| dbo.tpunish_Information |
| dbo.tpunish_Repeal |
| dbo.tqgzx |
| dbo.tqgzx1128 |
| dbo.tqgzxbf |
| dbo.treward_Information |
| dbo.treward_InformationG |
| dbo.treward_Repeal |
| dbo.treward_Type |
| dbo.tsafety_InsurePayforMoney |
| dbo.tsafety_InsureRegStudent |
| dbo.tsafety_SafetyGrade |
| dbo.tschol_Annotion |
| dbo.tschol_Apply |
| dbo.tschol_Classify |
| dbo.tschol_Quotas |
| dbo.tschol_RankObj |
| dbo.tssc_History |
| dbo.tstipend_Annotion |
| dbo.tstipend_Apply |
| dbo.tstipend_Classify |
| dbo.tstipend_Quotas |
| dbo.tstipend_RankObj |
| dbo.tstud_Accessories |
| dbo.tstud_CardPrint |
| dbo.tstud_CardPrintFiled |
| dbo.tstud_Educate |
| dbo.tstud_Family |
| dbo.tstud_FieldEdit |
| dbo.tstud_Graduate |
| dbo.tstud_NewStudent |
| dbo.tstud_Student |
| dbo.tstud_StudentTest |
| dbo.tsubsidy_Annotion |
| dbo.tsubsidy_Apply |
| dbo.tsubsidy_Classify |
| dbo.tsubsidy_Quotas |
| dbo.tsubsidy_RankObj |
| dbo.tsys_Download |
| dbo.tsys_EmpNavigation |
| dbo.tsys_FriendlyLink |
| dbo.tsys_Message |
| dbo.tsys_Modules |
| dbo.tsys_Notice |
| dbo.tsys_NoticeInterface |
| dbo.tsys_NoticeType |
| dbo.tsys_Options |
| dbo.tsys_VoteList |
| dbo.tsys_VoteProject |
| dbo.tsys_VoteRen |
| dbo.tsys_loginLog |
| dbo.tsys_loginSession |
| dbo.tt |
| dbo.twl_WorkLog |
| dbo.twork_Apply |
| dbo.twork_CheckIn |
| dbo.twork_Department |
| dbo.twork_PayMoney |
| dbo.twork_PostObj |
| dbo.twork_PostType |
| dbo.vAloan_ListAff |
| dbo.vAloan_ListBasic |
| dbo.vAloan_ListExtend |
| dbo.vCadreGroup_state |
| dbo.vDerate_green_Stat |
| dbo.vDorm_AllRoomDetail |
| dbo.vDorm_Bed |
| dbo.vDorm_BuidingCode |
| dbo.vDorm_CanBePreared |
| dbo.vDorm_CanUseBed |
| dbo.vDorm_Preared |
| dbo.vDorm_StudBedInfo |
| dbo.vDorm_UsedBed |
| dbo.vDorm_building |
| dbo.vDorm_room |
| dbo.vDorm_student |
| dbo.vGreen_Apply |
| dbo.vGreen_YearsMoney |
| dbo.vMin_EmpSearch |
| dbo.vMin_RPSearch |
| dbo.vMin_ScholSearch |
| dbo.vMin_Stipent |
| dbo.vMin_SubSearch |
| dbo.vMin_SysNumber |
| dbo.vMin_WorkStudSearch |
| dbo.vSchol_QuotaForDept |
| dbo.vSim_Reward |
| dbo.vbase_Department |
| dbo.vbase_UserStudAllForLogin |
| dbo.vcard_Student |
| dbo.vcgt_AwardList |
| dbo.vcgt_StatGradeRecord |
| dbo.vcgt_StudSumRecord |
| dbo.vcgt_student |
| dbo.vderate_RegSchooling |
| dbo.vderate_XNMoney |
| dbo.vderate_YearsMoney |
| dbo.vemp_StudCompleteInfo |
| dbo.vemp_Student |
| dbo.vemp_StudentAll |
| dbo.vgreen_StudApply |
| dbo.vins_InsGrade |
| dbo.vjob_StudInfo |
| dbo.vlv_GraduateState |
| dbo.vparty_PersonRelation |
| dbo.vparty_StatBranchSum |
| dbo.vpopedom_UserModule |
| dbo.vpsy_Dossier |
| dbo.vsafety_StatDeptInsurePay |
| dbo.vsafety_StatDeptInsureSum |
| dbo.vschol_Classify |
| dbo.vschol_QuotaForClass |
| dbo.vschol_QuotaForGrade |
| dbo.vschol_XNMoney |
| dbo.vschol_YearsMoney |
| dbo.vstipend_Classify |
| dbo.vstipend_QuotaForClass |
| dbo.vstipend_QuotaForDept |
| dbo.vstipend_QuotaForGrade |
| dbo.vstipend_XNMoney |
| dbo.vstipend_YearsMoney |
| dbo.vstud_Student |
| dbo.vstud_StudentAll |
| dbo.vstud_StudentGraduate |
| dbo.vstud_StudentInschool |
| dbo.vsubsidy_Classify |
| dbo.vsubsidy_QuotaForClass |
| dbo.vsubsidy_QuotaForDept |
| dbo.vsubsidy_QuotaForGrade |
| dbo.vsubsidy_XNMoney |
| dbo.vsubsidy_YearsMoney |
| dbo.vunit_Unit |
| dbo.vwork_Department |
+-------------------------------+


后台就不入了,学生管理系统,没有学生信息就不可能的事情了~

修复方案:

后台就不入了,学生管理系统,没有学生信息就不可能的事情了~

版权声明:转载请注明来源 U神@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2014-05-10 00:10

厂商回复:

CNVD确认并复现所述情况(由上海交通大学协助完成教育网内验证工作),已经转由CNCERT通报给教育网应急组织赛尔网络公司并抄报CCERT处置。

最新状态:

暂无


漏洞评价:

评论

  1. 2014-05-07 08:51 | 西北狼 ( 路人 | Rank:4 漏洞数:5 | 来自大漠的苦逼程序员)

    楼主是红盟的U神?

  2. 2014-05-07 09:15 | ( 普通白帽子 | Rank:1207 漏洞数:104 | 传闻中魇是一个惊世奇男子,但是除了他华...)

    爱卿可以起来了

  3. 2014-05-07 11:18 | huc-ray ( 路人 | Rank:25 漏洞数:7 | 菜鸟一枚)

    U神来求公开

  4. 2014-05-07 13:36 | nextdoor ( 普通白帽子 | Rank:325 漏洞数:74 )

    此水表非彼水表

  5. 2014-05-07 21:39 | Mr .LZH ( 普通白帽子 | Rank:583 漏洞数:75 | 非妹子勿扰···)

    尼玛你这是什么节奏啊,几个月狂刷这么多,整天闲着蛋疼挖洞??

  6. 2014-05-30 00:17 | wefgod ( 普通白帽子 | Rank:1807 漏洞数:179 | 力不从心)

    这……绕过JS和绕过安全机制……还是有一点区别的吧

  7. 2014-06-21 08:46 | U神 ( 核心白帽子 | Rank:1285 漏洞数:142 | 感谢乌云,知恩不忘,其实我一直都在乌云默...)

    @wefgod 标题是疯狗改的,本来选的通用的也被改掉了

  8. 2014-12-01 21:49 | Mark ( 路人 | Rank:8 漏洞数:2 | 渗透你的心)

    具体是怎么绕过 登录后台的,能否细说一下?!