当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-059712

漏洞标题:某高校学生管理系统存在通用SQL注入(安全机制绕过技巧)

相关厂商:Cncert国家互联网应急中心

漏洞作者: U神

提交时间:2014-05-07 00:03

修复时间:2014-06-21 00:04

公开时间:2014-06-21 00:04

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-05-07: 细节已通知厂商并且等待厂商处理中
2014-05-10: 厂商已经确认,细节仅向厂商公开
2014-05-20: 细节向核心白帽子及相关领域专家公开
2014-05-30: 细节向普通白帽子公开
2014-06-09: 细节向实习白帽子公开
2014-06-21: 细节向公众公开

简要描述:

大家都听说Cncert要发钱了,都吓得坐地上了,当时大家接到消息就以为要查水表了~吓得我也坐地上了=_=!!

详细说明:

#1.由奥达软件开发的一所高校管理系统存在注入漏洞,注入漏洞发生在登录框中虽然存在s的判断用户数据提交的合法性,但是这都是可以绕过的=_=!
例子:

http://202.***.***.50/login/loginpageforuserb.aspx?LogoutURL=%2flogin


04.jpg


01.jpg


看看登录页面源代码,可以看到的确是JS限制了=_=!

<script type="text/javascript">
//<![CDATA[
var VS___Page = document.all ? document.all["VS___Page"] : document.getElementById("VS___Page");
VS___Page.headertext = "您的输入有以下错误:";
VS___Page.showmessagebox = "True";
VS___Page.showsummary = "False";
var RFV_txtUserId = document.all ? document.all["RFV_txtUserId"] : document.getElementById("RFV_txtUserId");
RFV_txtUserId.controltovalidate = "txtUserId";
RFV_txtUserId.errormessage = "[用户名]不能为空!";
RFV_txtUserId.display = "None";
RFV_txtUserId.evaluationfunction = "RequiredFieldValidatorEvaluateIsValid";
RFV_txtUserId.initialvalue = "";
var REV_txtUserId = document.all ? document.all["REV_txtUserId"] : document.getElementById("REV_txtUserId");
REV_txtUserId.controltovalidate = "txtUserId";
REV_txtUserId.errormessage = "[用户名]格式错误,正确形式:不允许输入英文单引号\'";
REV_txtUserId.display = "None";
REV_txtUserId.evaluationfunction = "RegularExpressionValidatorEvaluateIsValid";
REV_txtUserId.validationexpression = "[^\']*";
var RFV_txtPwd = document.all ? document.all["RFV_txtPwd"] : document.getElementById("RFV_txtPwd");
RFV_txtPwd.controltovalidate = "txtPwd";
RFV_txtPwd.errormessage = "[密码]不能为空!";
RFV_txtPwd.display = "None";
RFV_txtPwd.evaluationfunction = "RequiredFieldValidatorEvaluateIsValid";
RFV_txtPwd.initialvalue = "";
var REV_txtPwd = document.all ? document.all["REV_txtPwd"] : document.getElementById("REV_txtPwd");
REV_txtPwd.controltovalidate = "txtPwd";
REV_txtPwd.errormessage = "[密码]格式错误,正确形式:不允许输入英文单引号\'";
REV_txtPwd.display = "None";
REV_txtPwd.evaluationfunction = "RegularExpressionValidatorEvaluateIsValid";
REV_txtPwd.validationexpression = "[^\']*";
//]]>
</script>


抓包吧=_=!!然后我们继续提交,绕过本地JS限制=_=!!

02.jpg


枚举几个案例<警:以下案例仅供Cncert复现测试,其它人不得非法使用,否则后果自负>:

http://zhaojiu.xzmy.edu.cn/login/loginpageforuserb.aspx?LogoutURL=/login&c=1  西藏民族学院
http://job.***.edu.cn/Login/loginpageforuserb.aspx?LogoutURL=  
http://202.***.***.50/login/loginpageforuserb.aspx?LogoutURL=/login 
http://202.***.***.29/Login/loginpageforuserb.aspx?LogoutURL=/login  
http://202.***.***.62:5002/Login/LoginPageForuserB.aspx 
http://xg.***.edu.cn/Login/loginpageforuserb.aspx?LogoutURL=/login&c=1  
http://219.***.***.28/login/loginpageforstudentb.aspx


漏洞证明:

以某科技大学为例演示:

http://202.***.***.50/login/loginpageforuserb.aspx?LogoutURL=/login


03.jpg


Database: Studwork6
[353 tables]
+-------------------------------+
| dbo.I$_tstud_Student          |
| dbo.J$tsys_NoticeType         |
| dbo.JV$Dtsys_NoticeType       |
| dbo.JV$tsys_NoticeType        |
| dbo.SNP_CDC_OBJECTS           |
| dbo.SNP_CDC_SET               |
| dbo.SNP_CDC_SET_TABLE         |
| dbo.SNP_CDC_SUBS              |
| dbo.SNP_CHECK_TAB             |
| dbo.VoteList                  |
| dbo.Vsign_AgtRegistry         |
| dbo.Vsign_AgtRegistryFell     |
| dbo.Vsign_AgtRegistryOrder    |
| dbo.[Vdorm_buildingInfo【不用】]      |
| dbo.[tDorm_User[不用]             |
| dbo.[tsys_Modules_测试]           |
| dbo.[tsys_NoticeType学工网站]         |
| dbo.[vDorm_OccupiedRoom[不用]     |
| dbo.dtproperties              |
| dbo.qg                        |
| dbo.setup                     |
| dbo.sysconstraints            |
| dbo.syssegments               |
| dbo.tAcc_File                 |
| dbo.tCadreGroup_state         |
| dbo.tCadre_dimission          |
| dbo.tCode_DeregReason         |
| dbo.tDerate_Temp              |
| dbo.tDorm_Area                |
| dbo.tDorm_Bed                 |
| dbo.tDorm_Building            |
| dbo.tDorm_ChargeHistory       |
| dbo.tDorm_History             |
| dbo.tDorm_RewardHistory       |
| dbo.tDorm_Room                |
| dbo.tDorm_RoomMaster          |
| dbo.tDorm_RoomType            |
| dbo.tDrom_BuildingUser        |
| dbo.tEmp_BothMeeting          |
| dbo.tEmp_BothMeetingUnit      |
| dbo.tEmp_BothMeetingUnitSpec  |
| dbo.tEmp_UnitVideo            |
| dbo.tEmp_ViewCounter          |
| dbo.tEmp_codeComputerLevel    |
| dbo.tEmp_codeLiteracyDegree   |
| dbo.tEmp_codeMandarin         |
| dbo.tEmp_codeUnitEconomyType  |
| dbo.tEmp_codeUnitLevel        |
| dbo.tEmp_codeUnitSubjection   |
| dbo.tEmp_codeUnitTrade        |
| dbo.tEmp_codeUnitType         |
| dbo.tEmp_codeWageManageType   |
| dbo.tEmp_gbRegionalism        |
| dbo.tEmp_pblDeptDate          |
| dbo.tEmp_pblEmployment        |
| dbo.tEmp_pblSpecIntro         |
| dbo.tEmp_signAgtRegistry      |
| dbo.tEmp_studAcc              |
| dbo.tEmp_studFavorite         |
| dbo.tEmp_studIntro            |
| dbo.tEmp_studTouch            |
| dbo.tEmp_unitAcc              |
| dbo.tEmp_unitBaseInfo         |
| dbo.tEmp_unitEmploy           |
| dbo.tEmp_unitFavorite         |
| dbo.tFile_Video               |
| dbo.tGreen_Apply              |
| dbo.tMin_Activity             |
| dbo.tMin_InMoney              |
| dbo.tMin_OutMoney             |
| dbo.tMin_Visit                |
| dbo.tPoor_Student             |
| dbo.tPoor_StudentRevocation   |
| dbo.tPopedom_Atom             |
| dbo.tReg_register             |
| dbo.tSim_Appraise             |
| dbo.tSim_Punish               |
| dbo.tSim_Reward               |
| dbo.tSloan_Apply              |
| dbo.tSloan_ApplyAuditing      |
| dbo.tSloan_Condition          |
| dbo.tSloan_Exempt             |
| dbo.tSloan_ExemptAuditing     |
| dbo.tSloan_Repay              |
| dbo.tSloan_Type               |
| dbo.tSloan_Unit               |
| dbo.tStudCadre_Info           |
| dbo.tStudCadre_Type           |
| dbo.tStudCadre_Unit           |
| dbo.tStud_AllowApply          |
| dbo.tTemp_Apply               |
| dbo.tarm_AwardList            |
| dbo.tarm_StudCourse           |
| dbo.tarm_StudLevy             |
| dbo.tarm_StudRecord           |
| dbo.tarm_policy               |
| dbo.tarrear_enrol             |
| dbo.tarrear_ratify            |
| dbo.tarrear_repay             |
| dbo.tasl_Affirm               |
| dbo.tasl_Bank                 |
| dbo.tasl_BankAuditing         |
| dbo.tasl_BankBargain          |
| dbo.tasl_Breach               |
| dbo.tasl_Compensate           |
| dbo.tasl_End                  |
| dbo.tasl_Estate               |
| dbo.tasl_Extend               |
| dbo.tasl_Familial             |
| dbo.tasl_Imburse              |
| dbo.tasl_LoanType             |
| dbo.tasl_Postponed            |
| dbo.tasl_SchoolAuditing       |
| dbo.tasl_SchoolAuditingIdea   |
| dbo.tasl_StudRequisition      |
| dbo.tasl_Whither              |
| dbo.tbase_Department          |
| dbo.tbase_Teacher             |
| dbo.tbase_User                |
| dbo.tbase_UserID_UserNO       |
| dbo.tborrow_enrol             |
| dbo.tborrow_ratify            |
| dbo.tborrow_repay             |
| dbo.tcard_AllowSpec           |
| dbo.tcard_InviteUnit          |
| dbo.tcard_MakeCard            |
| dbo.tcard_ScanCard            |
| dbo.tcgb_Folk                 |
| dbo.tcgb_PolityVisage         |
| dbo.tcgb_Regionalism          |
| dbo.tcgt_AwardGrade           |
| dbo.tcgt_AwardList            |
| dbo.tcgt_ClassRelation        |
| dbo.tcgt_StudCourse           |
| dbo.tcgt_StudRecord           |
| dbo.tcgt_stdResultCell        |
| dbo.tcgt_stdScale             |
| dbo.tcmoe_BloodType           |
| dbo.tcmoe_Emigrant            |
| dbo.tcmoe_PunishType          |
| dbo.tcmoe_RewardLevel         |
| dbo.tcmoe_RewardType          |
| dbo.tcmoe_StatusChangeCause   |
| dbo.tcmoe_StatusChangeType    |
| dbo.tcode_Academic            |
| dbo.tcode_Aspect              |
| dbo.tcode_Degree              |
| dbo.tcode_LenOfSchool         |
| dbo.tcode_Post                |
| dbo.tcode_PsychologyLevel     |
| dbo.tcode_StudType            |
| dbo.tcode_TeacherRole         |
| dbo.tcode_poorType            |
| dbo.tcpt_BranchActivity       |
| dbo.tcpt_ClassRelation        |
| dbo.tcpt_Document             |
| dbo.tcpt_MemberStudy          |
| dbo.tcpt_PartyActive          |
| dbo.tcpt_PartyBranch          |
| dbo.tcpt_PartyMember          |
| dbo.tcpt_PartyPrep            |
| dbo.tcpt_PersonRelation       |
| dbo.tcpt_Requisition          |
| dbo.tderate_AuditSchooling    |
| dbo.tderate_RegSchooling      |
| dbo.temp_CodeStudType         |
| dbo.temp_SMS                  |
| dbo.temp_Student              |
| dbo.temp_displayitem          |
| dbo.tev_ClassAssess           |
| dbo.tev_ClassAssessTemp       |
| dbo.tev_EvaluatingItem        |
| dbo.tev_EvaluatingType        |
| dbo.tev_StudAssess            |
| dbo.tev_StudAssessTemp        |
| dbo.tgreen_Charge             |
| dbo.tgreen_temp               |
| dbo.titem_DeregType           |
| dbo.titem_PartyBranchType     |
| dbo.titem_PartyMemberType     |
| dbo.titem_PartySchoolType     |
| dbo.tlv_Procedure             |
| dbo.tlv_RegForGraduate        |
| dbo.tlv_Schema                |
| dbo.tmem_BookEnrol            |
| dbo.tmem_ChooseCadre          |
| dbo.tmem_Development          |
| dbo.tmem_DevelopmentNum       |
| dbo.tmem_MemBerDocment        |
| dbo.tmem_MemCharge            |
| dbo.tmem_Member               |
| dbo.tmem_OrgType              |
| dbo.tmem_Party                |
| dbo.tmem_PartyNum             |
| dbo.tmem_Record               |
| dbo.tmem_Rewards              |
| dbo.tmem_TrainDepartment      |
| dbo.tmem_TrainManInfo         |
| dbo.tmem_orgMan               |
| dbo.tmem_organization         |
| dbo.tmema_ActivityApply       |
| dbo.tmema_ActivityAudit       |
| dbo.tmema_ActivityField       |
| dbo.tmema_AssnJob             |
| dbo.tmema_AssnMember          |
| dbo.tmemp_Activity            |
| dbo.tmemp_ComAuthor           |
| dbo.tmemp_ComManuscript       |
| dbo.tmemp_ComReport           |
| dbo.tmemp_PublicationIssue    |
| dbo.tmemp_PulicJob            |
| dbo.tpopedom_UserBackManage   |
| dbo.tpopedom_UserModule       |
| dbo.tpsy_BBSMain              |
| dbo.tpsy_BBSRestore           |
| dbo.tpsy_Dossier              |
| dbo.tpsy_Emphases             |
| dbo.tpsy_Preengage            |
| dbo.tpsy_Talk                 |
| dbo.tpsy_Work                 |
| dbo.tpunish_Information       |
| dbo.tpunish_Repeal            |
| dbo.tqgzx                     |
| dbo.tqgzx1128                 |
| dbo.tqgzxbf                   |
| dbo.treward_Information       |
| dbo.treward_InformationG      |
| dbo.treward_Repeal            |
| dbo.treward_Type              |
| dbo.tsafety_InsurePayforMoney |
| dbo.tsafety_InsureRegStudent  |
| dbo.tsafety_SafetyGrade       |
| dbo.tschol_Annotion           |
| dbo.tschol_Apply              |
| dbo.tschol_Classify           |
| dbo.tschol_Quotas             |
| dbo.tschol_RankObj            |
| dbo.tssc_History              |
| dbo.tstipend_Annotion         |
| dbo.tstipend_Apply            |
| dbo.tstipend_Classify         |
| dbo.tstipend_Quotas           |
| dbo.tstipend_RankObj          |
| dbo.tstud_Accessories         |
| dbo.tstud_CardPrint           |
| dbo.tstud_CardPrintFiled      |
| dbo.tstud_Educate             |
| dbo.tstud_Family              |
| dbo.tstud_FieldEdit           |
| dbo.tstud_Graduate            |
| dbo.tstud_NewStudent          |
| dbo.tstud_Student             |
| dbo.tstud_StudentTest         |
| dbo.tsubsidy_Annotion         |
| dbo.tsubsidy_Apply            |
| dbo.tsubsidy_Classify         |
| dbo.tsubsidy_Quotas           |
| dbo.tsubsidy_RankObj          |
| dbo.tsys_Download             |
| dbo.tsys_EmpNavigation        |
| dbo.tsys_FriendlyLink         |
| dbo.tsys_Message              |
| dbo.tsys_Modules              |
| dbo.tsys_Notice               |
| dbo.tsys_NoticeInterface      |
| dbo.tsys_NoticeType           |
| dbo.tsys_Options              |
| dbo.tsys_VoteList             |
| dbo.tsys_VoteProject          |
| dbo.tsys_VoteRen              |
| dbo.tsys_loginLog             |
| dbo.tsys_loginSession         |
| dbo.tt                        |
| dbo.twl_WorkLog               |
| dbo.twork_Apply               |
| dbo.twork_CheckIn             |
| dbo.twork_Department          |
| dbo.twork_PayMoney            |
| dbo.twork_PostObj             |
| dbo.twork_PostType            |
| dbo.vAloan_ListAff            |
| dbo.vAloan_ListBasic          |
| dbo.vAloan_ListExtend         |
| dbo.vCadreGroup_state         |
| dbo.vDerate_green_Stat        |
| dbo.vDorm_AllRoomDetail       |
| dbo.vDorm_Bed                 |
| dbo.vDorm_BuidingCode         |
| dbo.vDorm_CanBePreared        |
| dbo.vDorm_CanUseBed           |
| dbo.vDorm_Preared             |
| dbo.vDorm_StudBedInfo         |
| dbo.vDorm_UsedBed             |
| dbo.vDorm_building            |
| dbo.vDorm_room                |
| dbo.vDorm_student             |
| dbo.vGreen_Apply              |
| dbo.vGreen_YearsMoney         |
| dbo.vMin_EmpSearch            |
| dbo.vMin_RPSearch             |
| dbo.vMin_ScholSearch          |
| dbo.vMin_Stipent              |
| dbo.vMin_SubSearch            |
| dbo.vMin_SysNumber            |
| dbo.vMin_WorkStudSearch       |
| dbo.vSchol_QuotaForDept       |
| dbo.vSim_Reward               |
| dbo.vbase_Department          |
| dbo.vbase_UserStudAllForLogin |
| dbo.vcard_Student             |
| dbo.vcgt_AwardList            |
| dbo.vcgt_StatGradeRecord      |
| dbo.vcgt_StudSumRecord        |
| dbo.vcgt_student              |
| dbo.vderate_RegSchooling      |
| dbo.vderate_XNMoney           |
| dbo.vderate_YearsMoney        |
| dbo.vemp_StudCompleteInfo     |
| dbo.vemp_Student              |
| dbo.vemp_StudentAll           |
| dbo.vgreen_StudApply          |
| dbo.vins_InsGrade             |
| dbo.vjob_StudInfo             |
| dbo.vlv_GraduateState         |
| dbo.vparty_PersonRelation     |
| dbo.vparty_StatBranchSum      |
| dbo.vpopedom_UserModule       |
| dbo.vpsy_Dossier              |
| dbo.vsafety_StatDeptInsurePay |
| dbo.vsafety_StatDeptInsureSum |
| dbo.vschol_Classify           |
| dbo.vschol_QuotaForClass      |
| dbo.vschol_QuotaForGrade      |
| dbo.vschol_XNMoney            |
| dbo.vschol_YearsMoney         |
| dbo.vstipend_Classify         |
| dbo.vstipend_QuotaForClass    |
| dbo.vstipend_QuotaForDept     |
| dbo.vstipend_QuotaForGrade    |
| dbo.vstipend_XNMoney          |
| dbo.vstipend_YearsMoney       |
| dbo.vstud_Student             |
| dbo.vstud_StudentAll          |
| dbo.vstud_StudentGraduate     |
| dbo.vstud_StudentInschool     |
| dbo.vsubsidy_Classify         |
| dbo.vsubsidy_QuotaForClass    |
| dbo.vsubsidy_QuotaForDept     |
| dbo.vsubsidy_QuotaForGrade    |
| dbo.vsubsidy_XNMoney          |
| dbo.vsubsidy_YearsMoney       |
| dbo.vunit_Unit                |
| dbo.vwork_Department          |
+-------------------------------+


后台就不入了,学生管理系统,没有学生信息就不可能的事情了~

修复方案:

后台就不入了,学生管理系统,没有学生信息就不可能的事情了~

版权声明:转载请注明来源 U神@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2014-05-10 00:10

厂商回复:

CNVD确认并复现所述情况(由上海交通大学协助完成教育网内验证工作),已经转由CNCERT通报给教育网应急组织赛尔网络公司并抄报CCERT处置。

最新状态:

暂无