
Vulnerability summary

Defect ID: wooyun-2014-082017

Title: Multiple SQL injection vulnerabilities across nearly 10 colleges of a university

Affected vendor: CCERT Education Network Emergency Response Team

Author: Mr_Blithe

Submitted: 2014-11-05 10:12

Fixed: 2014-11-10 10:14

Published: 2014-11-10 10:14

Vulnerability type: SQL injection

Severity: High

Self-rated Rank: 15

Status: Handed over to a third-party partner organization (CCERT Education Network Emergency Response Team) for handling

Source: http://www.wooyun.org; for questions or assistance, contact [email protected]



Vulnerability details

Disclosure status:

2014-11-05: Details reported to the vendor, awaiting vendor handling
2014-11-10: Vendor chose to ignore the vulnerability; details disclosed to the public

Summary:

Multiple SQL injection vulnerabilities across nearly 10 colleges of a university. Input parameters are not sanitized, putting the colleges' student data at risk.

Details:

How should I put it... I have never seen a university that pays so little attention to security. Multiple college websites have SQL injection vulnerabilities, a large number of them, and nobody even seems to know how to fix them..... After finding these, I couldn't be bothered to look any further...
SQL injection vulnerabilities in the websites of the university's Graduate School, School of Information Engineering, School of Automation Engineering, School of Foreign Languages, Student Affairs Online, Logistics, Admissions and Employment Office, Party Committee, and others.
I spent almost a whole afternoon putting this together. As a network security intern, faced with a university with so little security awareness, I am speechless... But at least this week's weekly report is taken care of, haha.

Proof of vulnerability:

As follows:
1. Graduate School http://grad.nedu.edu.cn/index/index.php?c=article&id=562
web application technology: Nginx, PHP 5.3.27
back-end DBMS: MySQL 5.0.11
Database: gradsql1
[83 tables]
+------------------+
| 2013cha          |
| user             |
| category         |
| content          |
| dy_admin_group   |
| dy_admin_per     |
| dy_admin_user    |
| dy_ads           |
| dy_adstype       |
| dy_article       |
| dy_article_field |
| dy_classtype     |
| dy_comment       |
| dy_custom        |
| dy_fields        |
| dy_funs          |
| dy_labelcus      |
| dy_links         |
| dy_linkstype     |
| dy_member        |
| dy_member_field  |
| dy_member_file   |
| dy_member_group  |
| dy_message       |
| dy_message_field |
| dy_molds         |
| dy_product       |
| dy_product_field |
| dy_special       |
| dy_traits        |
| dy_update        |
| j_category       |
| j_content        |
| luqu             |
| menu             |
| menu4            |
| menu6            |
| menu8            |
| profile1         |
| profile2         |
| profile3         |
| profile4         |
| profile5         |
| specialty        |
| t_dlist          |
| t_elist          |
| t_ilist          |
| t_jlist          |
| t_rlist          |
| t_slist          |
| t_tlist          |
| t_wlist          |
| tuitors          |
| users            |
| v8_admin_group   |
| v8_admin_per     |
| v8_admin_user    |
| v8_ads           |
| v8_adstype       |
| v8_article       |
| v8_article_field |
| v8_classtype     |
| v8_comment       |
| v8_custom        |
| v8_fields        |
| v8_funs          |
| v8_labelcus      |
| v8_links         |
| v8_linkstype     |
| v8_member        |
| v8_member_field  |
| v8_member_file   |
| v8_member_group  |
| v8_message       |
| v8_message_field |
| v8_molds         |
| v8_product       |
| v8_product_field |
| v8_special       |
| v8_traits        |
| v8_update        |
| zc_userprofiles  |
| zc_users         |
+------------------+
Database: gradsql1
Table: dy_admin_user
[9 columns]
+------------+----------------------+
| Column     | Type                 |
+------------+----------------------+
| level      | tinyint(1) unsigned  |
| amail      | char(100)            |
| aname      | char(30)             |
| apass      | char(32)             |
| atel       | char(100)            |
| auid       | smallint(5) unsigned |
| auser      | char(20)             |
| gid        | smallint(5) unsigned |
| pclasstype | text                 |
+------------+----------------------+

[screenshot: 2.png]


2. School of Information Engineering http://ie.nedu.edu.cn/templete/newslist.php?id=301
web application technology: Nginx, PHP 5.3.27
back-end DBMS: MySQL 5.0.11
Database: iesql1
[13 tables]
+---------------+
| article       |
| file          |
| image         |
| inform        |
| jinpinkecheng |
| new_image     |
| newslist      |
| password      |
| redianwz      |
| studentwork   |
| teacherf      |
| teachstudy    |
| zuixinwz      |
+---------------+
Table: password
[2 columns]
+--------+-------------+
| Column | Type        |
+--------+-------------+
| id     | int(11)     |
| pa     | varchar(50) |
+--------+-------------+

[screenshot: 3.png]


3. School of Automation Engineering http://auto.nedu.edu.cn/1xuezijiayuan.php POST SQL injection vulnerability
web application technology: Nginx, PHP 5.3.27
back-end DBMS: MySQL 5.0.11
Database: autosql1
[17 tables]
+------------------+
| book             |
| dongtai          |
| download_files   |
| file             |
| jihua            |
| jishu            |
| login            |
| news             |
| pic              |
| spbook           |
| spdownload_files |
| spusers          |
| tongzhi          |
| users            |
| weiji_liuyan     |
| xuezi            |
| xy               |
+------------------+
Table: spusers
[4 columns]
+--------+----------------+
| Column | Type           |
+--------+----------------+
| id     | mediumint(100) |
| Name   | varchar(40)    |
| Psw    | varchar(40)    |
| sh     | int(11)        |
+--------+----------------+

[screenshot: 4.png]


4. School of Foreign Languages http://fld.nedu.edu.cn/djyd/html/content.php?id=389
web application technology: Nginx, PHP 5.3.27
back-end DBMS: MySQL 5.0.11
Database: fldsql1
[3 tables]
+-------+
| book  |
| news  |
| users |
+-------+
Table: users
[4 columns]
+--------+-------------+
| Column | Type        |
+--------+-------------+
| id     | int(100)    |
| Name   | varchar(40) |
| Psw    | varchar(40) |
| sh     | int(11)     |
+--------+-------------+

[screenshot: 5.jpg]



5. Student Affairs Online http://xsc.nedu.edu.cn/xgkx.php?id=183
web application technology: Nginx, PHP 5.3.27
back-end DBMS: MySQL 5.0.11
Database: xscsql1
[54 tables]
+-------------+
| user        |
| aims        |
| aqjs        |
| article     |
| bmjsz       |
| bszn        |
| bsznkn      |
| cfgs        |
| comment     |
| ddyc        |
| dwjs        |
| dxjshdxwhzl |
| dxsrwzl     |
| file        |
| friends     |
| gltl        |
| glzd        |
| gywh        |
| image       |
| img         |
| jphd        |
| jzxj        |
| jzxjkn      |
| jzzx        |
| kfkjzl      |
| llyj        |
| lpxz        |
| new_image   |
| news        |
| pjpy        |
| qgjx        |
| qgzx        |
| resources   |
| sign        |
| tzgg        |
| tztg        |
| tztg1       |
| upfile      |
| user_info   |
| wjcl        |
| wygspdx     |
| xfjs        |
| xfjszl      |
| xgkx        |
| xgzj        |
| xizs        |
| xizt        |
| xsyb        |
| xygg        |
| yxfc        |
| zcjd        |
| zlxz        |
| zxdk        |
| zxjj        |
+-------------+
Table: user
[3 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(10)     |
| name     | varchar(50) |
| password | varchar(50) |
+----------+-------------+

[screenshot: 6.png]


6. Logistics http://hqbzb.nedu.edu.cn/show.php?id=227
web application technology: Nginx, PHP 5.3.27
back-end DBMS: MySQL 5.0
Database: hqbzbsql1
[8 tables]
+----------------+
| cms_article    |
| cms_category   |
| cms_file       |
| cms_friendlink |
| cms_message    |
| cms_notice     |
| cms_page       |
| cms_users      |
+----------------+
Table: cms_users
[3 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| password | varchar(32) |
| userid   | int(11)     |
| username | varchar(20) |
+----------+-------------+

[screenshot: 7.png]



7. Admissions and Employment Office xxx team http://first.nedu.edu.cn/article_content.php?id=75
web application technology: Nginx, PHP 5.3.27
back-end DBMS: MySQL 5.0.11
Database: firstsql1
[6 tables]
+----------------+
| articles       |
| download_files |
| member_photos  |
| members        |
| messages       |
| websites       |
+----------------+
Table: members
[9 columns]
+-----------------+-------------+
| Column          | Type        |
+-----------------+-------------+
| dep             | varchar(20) |
| id              | int(11)     |
| last_visit_time | datetime    |
| limits          | varchar(10) |
| name            | varchar(20) |
| password        | varchar(20) |
| sex             | varchar(4)  |
| tel             | varchar(20) |
| this_visit_time | datetime    |
+-----------------+-------------+

[screenshot: 8.jpg]


8. Party xxx http://ddqzlx.nedu.edu.cn/readartical/readarticle.php?id=399
web application technology: Nginx, PHP 5.3.27
back-end DBMS: MySQL 5.0.11
Database: ddqzlxsql1
[3 tables]
+----------+
| news     |
| times    |
| username |
+----------+
Table: username
[2 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| password | varchar(30) |
| username | varchar(30) |
+----------+-------------+

[screenshot: 9.png]


All right, I honestly couldn't be bothered to look for the rest. There are far too many problems; this wore me out.

Fix recommendation:

Even if you have not separated SQL commands from their parameters, even if you do not filter input, you could at least install some security software; there are plenty of free options.
I just don't understand it....
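The command/parameter separation the recommendation refers to, shown as an added example that is not code from the report or from any of the listed sites: the string-concatenation pattern behind a page such as show.php?id=227, beside the same lookup rewritten with a PDO prepared statement. The table, column and connection details are assumed placeholders.

```php
<?php
// Added example, not code from the report or the listed sites.
// Table, column and connection details are assumed placeholders.

// The vulnerable shape: the id request parameter is concatenated into the SQL
// text, so whatever the client sends becomes part of the statement. The same
// applies to a POST field, as in the third case in the report.
function fetchArticleVulnerable(PDO $pdo, string $id): ?array
{
    $sql = "SELECT id, title, body FROM article WHERE id = " . $id;
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The fix: the SQL text is fixed in the prepared statement and the value is
// sent separately as a typed parameter, so it can never alter the query's
// structure. Shape validation on top of that rejects malformed ids early.
function fetchArticleSafe(PDO $pdo, string $id): ?array
{
    if (!ctype_digit($id)) {          // article ids are non-negative integers
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, title, body FROM article WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Assumed connection. Disabling emulated prepares makes the MySQL server bind
// the parameter itself instead of the client escaping it into the SQL text.
$pdo = new PDO('mysql:host=localhost;dbname=example_db;charset=utf8mb4', 'app_user', 'app_pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

$article = fetchArticleSafe($pdo, (string) ($_GET['id'] ?? ''));
if ($article === null) {
    http_response_code(404);
    exit('Not found');
}
// Output encoding is a separate concern from the injection, but cheap to get right.
echo htmlspecialchars($article['title'], ENT_QUOTES, 'UTF-8');
```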

Copyright notice: please credit Mr_Blithe@WooYun when reposting


Vulnerability response

Vendor response:

Severity: No impact, vendor ignored

Ignored at: 2014-11-10 10:14

Vendor reply:

Latest status:

None