
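Vulnerability summary

Bug ID: wooyun-2015-0158810

Title: SQL injection vulnerability in a subsite of Northeast Normal University

Vendor: Northeast Normal University

Author: Redy

Submitted: 2015-12-08 22:20

Fixed: 2016-01-21 18:22

Publicly disclosed: 2016-01-21 18:22

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Handed over to a third-party partner organization (CCERT, the education network emergency response team) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]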



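Vulnerability details

Disclosure status:

2015-12-08: Details sent to the vendor; waiting for the vendor to handle them
2015-12-09: Vendor confirmed; details disclosed to the vendor only
2015-12-19: Details disclosed to core white hats and experts in related fields
2015-12-29: Details disclosed to regular white hats
2016-01-08: Details disclosed to trainee white hats
2016-01-21: Details disclosed to the public

Brief description:

A certain university has a SQL injection. I searched Baidu and saw that someone before me had already reported one, but I could not find the hole he injected through; the hole I found today does exist, so I got started on the site.

Detailed description:

I ask the reviewers to please mask the details, otherwise I cannot take the blame for this.

http://**.**.**.**/page/show_news.php?id=420
This is where I got in, quietly, quietly.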


Posting screenshots really is a hassle, by the way.



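OK, I find the screenshots too much trouble.

Proof of vulnerability:

As above

Remediation:

Fix it

Copyright notice: when reposting, please credit the source Redy@WooYun


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 6

Confirmed: 2015-12-09 09:54

Vendor reply:

Notified; handling in progress

Latest status:

None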