
Vulnerability summary

Defect ID: wooyun-2016-0169713

Title: SQL injection in a higher vocational college system

Related vendor: CCERT Education Network Emergency Response Team

Author: SnailPP

Submitted: 2016-01-20 09:50

Fixed: 2016-03-04 13:27

Published: 2016-03-04 13:27

Vulnerability type: SQL injection

Severity: Medium

Self-assessed Rank: 10

Status: Handed over to a third-party partner organisation (CCERT Education Network Emergency Response Team) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2016-01-20: Details sent to the vendor, awaiting vendor handling
2016-01-20: Vendor confirmed; details disclosed to the vendor only
2016-01-30: Details disclosed to core white hats and domain experts
2016-02-09: Details disclosed to regular white hats
2016-02-19: Details disclosed to intern white hats
2016-03-04: Details disclosed to the public

Brief description:

Injection point and weak passwords present; data leaked

Detailed description:

The search box on http://**.**.**.**/Article_List.aspx?ClassID=1 is injectable.

Proof of vulnerability:

15 databases are present:
available databases [15]:
[*] cnbect
[*] ForumMember
[*] Lib_MIS
[*] master
[*] mingshi
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] sq_tongji
[*] SzptSearch
[*] szumailbox
[*] team
[*] tempdb
[*] webcourse
Database: cnbect
+-----------------------+---------+
| Table | Entries |
+-----------------------+---------+
| dbo.LUMIGENT_PROFILER | 920395 |
| dbo.Ve1_Baoming | 11652 |
| dbo.Ve1_Log | 9154 |
| dbo.Cn1_Log | 7038 |
| dbo.Cn1_Baoming | 5060 |
| dbo.Cn2_Log | 4489 |
| dbo.Cn2_Baoming | 2962 |
| dbo.SystemLog | 2283 |
| dbo.Cn1_Teacher | 1809 |
| dbo.Resource | 644 |
| dbo.Cn2_Teacher | 424 |
| dbo.Cn1_Userinfo | 419 |
| dbo.Article | 326 |
| dbo.Cn1_KaoChang | 318 |
| dbo.Cn1_Kaodian | 309 |
| dbo.Cn1_PeixunDian | 290 |
| dbo.Cn2_KaoChang | 206 |
| dbo.Cn2_UserInfo | 186 |
| dbo.Cn2_Kaodian | 178 |
| dbo.Cn2_PeixunDian | 168 |
| dbo.sysconstraints | 158 |
| dbo.Ve1_UserInfo | 150 |
| dbo.Ve1_Kaodian | 149 |
| dbo.User_Online | 60 |
| dbo.Menu | 51 |
| dbo.Province | 36 |
| dbo.ArticleClass | 23 |
| dbo.HistoryScore | 10 |
| dbo.Link | 10 |
| dbo.Item | 9 |
| dbo.Admin | 8 |
| dbo.AboutInfo | 6 |
| dbo.TestSetting | 4 |
| dbo.syssegments | 3 |
| dbo.Test | 2 |
| dbo.Test_level | 2 |
| dbo.bbs | 1 |
| dbo.Config | 1 |
| dbo.Counters | 1 |
| dbo.News | 1 |
| dbo.Setting | 1 |
| dbo.Style | 1 |
| dbo.Vote | 1 |
+-----------------------+---------+
Database: ForumMember
+--------------------+---------+
| Table | Entries |
+--------------------+---------+
| dbo.SystemLog | 6399 |
| dbo.Member | 259 |
| dbo.Admin | 223 |
| dbo.Country | 216 |
| dbo.Article | 15 |
| dbo.sysconstraints | 15 |
| dbo.Link | 9 |
| dbo.Continent | 7 |
| dbo.Resource | 6 |
| dbo.ResourceClass | 6 |
| dbo.VoteResult | 5 |
| dbo.syssegments | 3 |
| dbo.Config | 1 |
| dbo.Message | 1 |
+--------------------+---------+
Database: Lib_MIS
+----------------------+---------+
| Table | Entries |
+----------------------+---------+
| dbo.LibraryData | 32815 |
| dbo.SystemLog | 18729 |
| dbo.Evaluation | 706 |
| dbo.Suggestion | 454 |
| dbo.ProveList | 356 |
| dbo.Article | 309 |
| dbo.FillStatic | 255 |
| dbo.ZBList | 246 |
| dbo.LibraryVIEW | 242 |
| dbo.UserInfo | 228 |
| dbo.VIEW1static | 214 |
| dbo.ZBScore | 214 |
| dbo.ZBScoreVIEW | 214 |
| dbo.ZBVIEW | 214 |
| dbo.CalculationRules | 206 |
| dbo.LibraryInfo | 195 |
| dbo.LibraryInfoVIEW | 195 |
| dbo.ZBClass | 107 |
| dbo.CompareData | 99 |
| dbo.CompareData1 | 74 |
| dbo.Library | 69 |
| dbo.sysconstraints | 52 |
| dbo.City | 21 |
| dbo.Admin | 8 |
| dbo.TheYear | 6 |
| dbo.Area | 5 |
| dbo.ArticleClass | 5 |
| dbo.Link | 5 |
| dbo.syssegments | 3 |
| dbo.testt | 2 |
| dbo.UserOnline | 2 |
| dbo.ZhiBiao | 2 |
| dbo.Config | 1 |
+----------------------+---------+
Database: master
+---------------------------+---------+
| Table | Entries |
+---------------------------+---------+
| dbo.spt_values | 730 |
| dbo.spt_datatype_info | 36 |
| dbo.spt_server_info | 29 |
| dbo.spt_provider_types | 25 |
| dbo.spt_datatype_info_ext | 10 |
| dbo.syslogins | 10 |
| dbo.syssegments | 3 |
| dbo.MSreplication_options | 2 |
| dbo.sysoledbusers | 2 |
| dbo.spt_monitor | 1 |
| dbo.sysconstraints | 1 |
+---------------------------+---------+
Database: mingshi
+--------------------+---------+
| Table | Entries |
+--------------------+---------+
| dbo.SystemLog | 9450 |
| dbo.TeacherCG | 523 |
| dbo.ZhiBiao | 324 |
| dbo.TeacherPhoto | 168 |
| dbo.Cailiao | 78 |
| dbo.Teacher | 36 |
| dbo.Department | 24 |
| dbo.sysconstraints | 21 |
| dbo.UserOnline | 20 |
| dbo.Link | 9 |
| dbo.Template | 8 |
| dbo.Major | 4 |
| dbo.syssegments | 3 |
| dbo.Admin | 2 |
| dbo.Setting | 1 |
+--------------------+---------+
Database: szumailbox
+--------------------+---------+
| Table | Entries |
+--------------------+---------+
| dbo.Users | 65540 |
| dbo.c_patron | 28681 |
| dbo.message | 426 |
| dbo.admin | 53 |
| dbo.sysconstraints | 17 |
| dbo.syssegments | 3 |
+--------------------+---------+
Database: SzptSearch
+--------------------+---------+
| Table | Entries |
+--------------------+---------+
| dbo.ReSearch | 6288 |
| dbo.VoteIP | 4911 |
| dbo.SX_ReSearch | 4246 |
| dbo.SX_Research13 | 3362 |
| dbo.SJB_Research | 396 |
| dbo.JK_Research | 310 |
| dbo.jpkcsearch | 103 |
| dbo.servicesearch | 57 |
| dbo.sysconstraints | 17 |
| dbo.syssegments | 3 |
+--------------------+---------+
Database: team
+--------------------+---------+
| Table | Entries |
+--------------------+---------+
| dbo.SystemLog | 8495 |
| dbo.TeamZhibiao | 723 |
| dbo.TeamCailiao | 460 |
| dbo.TeamCG | 254 |
| dbo.TeamPhoto | 59 |
| dbo.Team | 30 |
| dbo.Department | 21 |
| dbo.UserOnline | 20 |
| dbo.sysconstraints | 18 |
| dbo.Link | 9 |
| dbo.Major | 4 |
| dbo.syssegments | 3 |
| dbo.Admin | 2 |
| dbo.Template | 2 |
| dbo.Setting | 1 |
+--------------------+---------+
There is a lot of sensitive data; I picked a few sensitive tables to try:
Database: Lib_MIS
[38 tables]
+----------------------+
| dbo.Admin |
| dbo.Area |
| dbo.Article |
| dbo.ArticleClass |
| dbo.CalculationRules |
| dbo.City |
| dbo.CompareData |
| dbo.CompareData1 |
| dbo.Config |
| dbo.Evaluation |
| dbo.EvaluationClass |
| dbo.FillStatic |
| dbo.Library |
| dbo.LibraryData |
| dbo.LibraryInfo |
| dbo.LibraryInfoVIEW |
| dbo.LibraryScore |
| dbo.LibraryVIEW |
| dbo.Link |
| dbo.ProveList |
| dbo.Suggestion |
| dbo.SuggestionClass |
| dbo.SystemLog |
| dbo.TheYear |
| dbo.UserInfo |
| dbo.UserOnline |
| dbo.VIEW1static |
| dbo.ZBClass |
| dbo.ZBList |
| dbo.ZBScore |
| dbo.ZBScoreVIEW |
| dbo.ZBVIEW |
| dbo.ZhiBiao |
| dbo.dtproperties |
| dbo.sqlmapoutput |
| dbo.sysconstraints |
| dbo.syssegments |
| dbo.testt |
+----------------------+
Database: Lib_MIS
Table: dbo.Admin
[8 entries]
Super administrator crh, password 123456

[screenshot: 11.jpg]

Sensitive data leaked:

[screenshot: 12.jpg]

[screenshot: 13.jpg]

[screenshot: 14.jpg]

[screenshot: 15.jpg]

The 163 mailbox that was obtained was also exposed and could be logged into:

[screenshot: 16.png]


I also went through a user table:
Database: Lib_MIS
Table: userinfo
[17 entries]
Many of these are weak passwords; I tried logging in:

[screenshot: 17.png]

There is far too much other data, so I did not investigate further.

Remediation:

Strictly filter user-supplied parameters. Also, requesting an invite code; the previous two times I stupidly forgot to ask for one T_T
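As an added illustration of the remediation (example code, not from the affected system): an ASP.NET query builder for a page like Article_List.aspx, first in the string-concatenating form that makes the ClassID parameter and the search box injectable, then hardened with integer validation and typed SqlParameter binding. The Article table, its Title and ClassID columns, and the EscapeLike helper are assumptions.

```csharp
// Added example, not the affected site's code. Assumes an "Article" table
// with Title and ClassID columns; keyword comes from the search TextBox.
using System;
using System.Data;
using System.Data.SqlClient;

public static class ArticleSearch
{
    // Vulnerable pattern: user input is pasted into the SQL text, so a crafted
    // value changes the statement instead of being treated as data.
    public static string VulnerableSql(string classId, string keyword)
    {
        return "SELECT Title FROM Article WHERE ClassID = " + classId +
               " AND Title LIKE '%" + keyword + "%'";
    }

    // Hardened version: ClassID must parse as an integer (the only shape the
    // page expects), and every user value is bound as a typed parameter so
    // SQL Server never interprets it as part of the statement.
    public static DataTable Search(SqlConnection conn, string classIdRaw, string keyword)
    {
        if (!int.TryParse(classIdRaw, out int classId))
            throw new ArgumentException("ClassID must be an integer");

        const string sql =
            "SELECT Title FROM Article WHERE ClassID = @ClassID AND Title LIKE @Pattern";

        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@ClassID", SqlDbType.Int).Value = classId;
            // The parameter already prevents injection; escaping LIKE
            // metacharacters stops "%" or "_" from acting as wildcards.
            string pattern = "%" + EscapeLike(keyword ?? string.Empty) + "%";
            cmd.Parameters.Add("@Pattern", SqlDbType.NVarChar, 200).Value = pattern;

            var table = new DataTable();
            using (var reader = cmd.ExecuteReader())
                table.Load(reader);
            return table;
        }
    }

    // SQL Server LIKE treats "[" as the start of a character class, so it is
    // escaped first; "%" and "_" are then wrapped in brackets.
    private static string EscapeLike(string s)
    {
        return s.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]");
    }
}
```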

Copyright notice: when reposting, please credit the source as SnailPP@WooYun


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 6

Confirmed: 2016-01-20 10:13

Vendor reply:

Notified; being handled

Latest status:

None yet