
某高校学生管理系统存在通用SQL注入(安全机制绕过技巧)

2014-06-21 05:50

#1.由奥达软件开发的一所高校管理系统存在注入漏洞,注入点在登录框中。虽然页面有JS判断用户提交数据的合法性,但这都是可以绕过的=_=!



例子:

http://202.117.144.50/login/loginpageforuserb.aspx?LogoutURL=%2flogin



04.jpg



01.jpg



看看登录页面源代码,可以看到的确是JS限制了=_=!

<script type="text/javascript">

//<![CDATA[

// Client-side validator setup emitted inline by the ASP.NET login page.
// For each validator element it resolves the DOM node (document.all on
// old IE, document.getElementById elsewhere) and copies the validator's
// settings onto that node as expando properties. The evaluation functions
// named below (RequiredFieldValidatorEvaluateIsValid,
// RegularExpressionValidatorEvaluateIsValid) are not defined in this
// snippet; presumably they come from ASP.NET's shared validation script —
// confirm against the served page.
//
// Security note (the point of this report): everything here runs in the
// browser. The only format rule, validationexpression = "[^\']*", rejects
// just the ASCII single quote, and the whole check is skipped when the
// request is submitted without the page's JavaScript. It is not a
// server-side control and cannot be relied on to prevent SQL injection;
// input must be re-validated on the server and queries parameterized.

// Validation summary control. Values suggest: header text for the error
// list ("Your input has the following errors:"), message box enabled,
// inline summary disabled — exact rendering depends on the runtime script.
var VS___Page = document.all ? document.all["VS___Page"] : document.getElementById("VS___Page");

VS___Page.headertext = "您的输入有以下错误:";

VS___Page.showmessagebox = "True";

VS___Page.showsummary = "False";

// Required-field validator for the username box (txtUserId).
// Error text: "[Username] must not be empty!". display "None" presumably
// means the message is not rendered next to the field — verify.
var RFV_txtUserId = document.all ? document.all["RFV_txtUserId"] : document.getElementById("RFV_txtUserId");

RFV_txtUserId.controltovalidate = "txtUserId";

RFV_txtUserId.errormessage = "[用户名]不能为空!";

RFV_txtUserId.display = "None";

RFV_txtUserId.evaluationfunction = "RequiredFieldValidatorEvaluateIsValid";

RFV_txtUserId.initialvalue = "";

// Regular-expression validator for the username box.
// Error text: "[Username] format error; the ASCII single quote is not
// allowed". The pattern [^\']* only excludes the single quote character;
// any other input passes, and the check is client-side only.
var REV_txtUserId = document.all ? document.all["REV_txtUserId"] : document.getElementById("REV_txtUserId");

REV_txtUserId.controltovalidate = "txtUserId";

REV_txtUserId.errormessage = "[用户名]格式错误,正确形式:不允许输入英文单引号\'";

REV_txtUserId.display = "None";

REV_txtUserId.evaluationfunction = "RegularExpressionValidatorEvaluateIsValid";

REV_txtUserId.validationexpression = "[^\']*";

// Required-field validator for the password box (txtPwd).
// Error text: "[Password] must not be empty!".
var RFV_txtPwd = document.all ? document.all["RFV_txtPwd"] : document.getElementById("RFV_txtPwd");

RFV_txtPwd.controltovalidate = "txtPwd";

RFV_txtPwd.errormessage = "[密码]不能为空!";

RFV_txtPwd.display = "None";

RFV_txtPwd.evaluationfunction = "RequiredFieldValidatorEvaluateIsValid";

RFV_txtPwd.initialvalue = "";

// Regular-expression validator for the password box; same single-quote-only
// pattern and the same client-side-only limitation as for the username.
// Error text: "[Password] format error; the ASCII single quote is not allowed".
var REV_txtPwd = document.all ? document.all["REV_txtPwd"] : document.getElementById("REV_txtPwd");

REV_txtPwd.controltovalidate = "txtPwd";

REV_txtPwd.errormessage = "[密码]格式错误,正确形式:不允许输入英文单引号\'";

REV_txtPwd.display = "None";

REV_txtPwd.evaluationfunction = "RegularExpressionValidatorEvaluateIsValid";

REV_txtPwd.validationexpression = "[^\']*";

//]]>

</script>



抓包吧=_=!!然后我们继续提交,绕过本地JS限制=_=!!

02.jpg





枚举几个案例<警:以下案例仅供Cncert复现测试,其它人不得非法使用,否则后果自负>:

http://zhaojiu.xzmy.edu.cn/login/loginpageforuserb.aspx?LogoutURL=/login&c=1  西藏民族学院

http://job.xaufe.edu.cn/Login/loginpageforuserb.aspx?LogoutURL= 西安财经学院

http://202.117.144.50/login/loginpageforuserb.aspx?LogoutURL=/login 陕西师范大学

http://202.117.112.29/Login/loginpageforuserb.aspx?LogoutURL=/login 西安电子科技大学

http://202.117.3.62:5002/Login/LoginPageForuserB.aspx 西安交通大学

http://xg.chd.edu.cn/Login/loginpageforuserb.aspx?LogoutURL=/login&c=1 长安大学

http://219.244.0.28/login/loginpageforstudentb.aspx 延安大学



漏洞证明:

以陕西科技大学为例演示:

http://202.117.144.50/login/loginpageforuserb.aspx?LogoutURL=/login



03.jpg



Database: Studwork6

[353 tables]

+-------------------------------+

| dbo.I$_tstud_Student |

| dbo.J$tsys_NoticeType |

| dbo.JV$Dtsys_NoticeType |

| dbo.JV$tsys_NoticeType |

| dbo.SNP_CDC_OBJECTS |

| dbo.SNP_CDC_SET |

| dbo.SNP_CDC_SET_TABLE |

| dbo.SNP_CDC_SUBS |

| dbo.SNP_CHECK_TAB |

| dbo.VoteList |

| dbo.Vsign_AgtRegistry |

| dbo.Vsign_AgtRegistryFell |

| dbo.Vsign_AgtRegistryOrder |

| dbo.[Vdorm_buildingInfo【不用】] |

| dbo.[tDorm_User[不用] |

| dbo.[tsys_Modules_测试] |

| dbo.[tsys_NoticeType学工网站] |

| dbo.[vDorm_OccupiedRoom[不用] |

| dbo.dtproperties |

| dbo.qg |

| dbo.setup |

| dbo.sysconstraints |

| dbo.syssegments |

| dbo.tAcc_File |

| dbo.tCadreGroup_state |

| dbo.tCadre_dimission |

| dbo.tCode_DeregReason |

| dbo.tDerate_Temp |

| dbo.tDorm_Area |

| dbo.tDorm_Bed |

| dbo.tDorm_Building |

| dbo.tDorm_ChargeHistory |

| dbo.tDorm_History |

| dbo.tDorm_RewardHistory |

| dbo.tDorm_Room |

| dbo.tDorm_RoomMaster |

| dbo.tDorm_RoomType |

| dbo.tDrom_BuildingUser |

| dbo.tEmp_BothMeeting |

| dbo.tEmp_BothMeetingUnit |

| dbo.tEmp_BothMeetingUnitSpec |

| dbo.tEmp_UnitVideo |

| dbo.tEmp_ViewCounter |

| dbo.tEmp_codeComputerLevel |

| dbo.tEmp_codeLiteracyDegree |

| dbo.tEmp_codeMandarin |

| dbo.tEmp_codeUnitEconomyType |

| dbo.tEmp_codeUnitLevel |

| dbo.tEmp_codeUnitSubjection |

| dbo.tEmp_codeUnitTrade |

| dbo.tEmp_codeUnitType |

| dbo.tEmp_codeWageManageType |

| dbo.tEmp_gbRegionalism |

| dbo.tEmp_pblDeptDate |

| dbo.tEmp_pblEmployment |

| dbo.tEmp_pblSpecIntro |

| dbo.tEmp_signAgtRegistry |

| dbo.tEmp_studAcc |

| dbo.tEmp_studFavorite |

| dbo.tEmp_studIntro |

| dbo.tEmp_studTouch |

| dbo.tEmp_unitAcc |

| dbo.tEmp_unitBaseInfo |

| dbo.tEmp_unitEmploy |

| dbo.tEmp_unitFavorite |

| dbo.tFile_Video |

| dbo.tGreen_Apply |

| dbo.tMin_Activity |

| dbo.tMin_InMoney |

| dbo.tMin_OutMoney |

| dbo.tMin_Visit |

| dbo.tPoor_Student |

| dbo.tPoor_StudentRevocation |

| dbo.tPopedom_Atom |

| dbo.tReg_register |

| dbo.tSim_Appraise |

| dbo.tSim_Punish |

| dbo.tSim_Reward |

| dbo.tSloan_Apply |

| dbo.tSloan_ApplyAuditing |

| dbo.tSloan_Condition |

| dbo.tSloan_Exempt |

| dbo.tSloan_ExemptAuditing |

| dbo.tSloan_Repay |

| dbo.tSloan_Type |

| dbo.tSloan_Unit |

| dbo.tStudCadre_Info |

| dbo.tStudCadre_Type |

| dbo.tStudCadre_Unit |

| dbo.tStud_AllowApply |

| dbo.tTemp_Apply |

| dbo.tarm_AwardList |

| dbo.tarm_StudCourse |

| dbo.tarm_StudLevy |

| dbo.tarm_StudRecord |

| dbo.tarm_policy |

| dbo.tarrear_enrol |

| dbo.tarrear_ratify |

| dbo.tarrear_repay |

| dbo.tasl_Affirm |

| dbo.tasl_Bank |

| dbo.tasl_BankAuditing |

| dbo.tasl_BankBargain |

| dbo.tasl_Breach |

| dbo.tasl_Compensate |

| dbo.tasl_End |

| dbo.tasl_Estate |

| dbo.tasl_Extend |

| dbo.tasl_Familial |

| dbo.tasl_Imburse |

| dbo.tasl_LoanType |

| dbo.tasl_Postponed |

| dbo.tasl_SchoolAuditing |

| dbo.tasl_SchoolAuditingIdea |

| dbo.tasl_StudRequisition |

| dbo.tasl_Whither |

| dbo.tbase_Department |

| dbo.tbase_Teacher |

| dbo.tbase_User |

| dbo.tbase_UserID_UserNO |

| dbo.tborrow_enrol |

| dbo.tborrow_ratify |

| dbo.tborrow_repay |

| dbo.tcard_AllowSpec |

| dbo.tcard_InviteUnit |

| dbo.tcard_MakeCard |

| dbo.tcard_ScanCard |

| dbo.tcgb_Folk |

| dbo.tcgb_PolityVisage |

| dbo.tcgb_Regionalism |

| dbo.tcgt_AwardGrade |

| dbo.tcgt_AwardList |

| dbo.tcgt_ClassRelation |

| dbo.tcgt_StudCourse |

| dbo.tcgt_StudRecord |

| dbo.tcgt_stdResultCell |

| dbo.tcgt_stdScale |

| dbo.tcmoe_BloodType |

| dbo.tcmoe_Emigrant |

| dbo.tcmoe_PunishType |

| dbo.tcmoe_RewardLevel |

| dbo.tcmoe_RewardType |

| dbo.tcmoe_StatusChangeCause |

| dbo.tcmoe_StatusChangeType |

| dbo.tcode_Academic |

| dbo.tcode_Aspect |

| dbo.tcode_Degree |

| dbo.tcode_LenOfSchool |

| dbo.tcode_Post |

| dbo.tcode_PsychologyLevel |

| dbo.tcode_StudType |

| dbo.tcode_TeacherRole |

| dbo.tcode_poorType |

| dbo.tcpt_BranchActivity |

| dbo.tcpt_ClassRelation |

| dbo.tcpt_Document |

| dbo.tcpt_MemberStudy |

| dbo.tcpt_PartyActive |

| dbo.tcpt_PartyBranch |

| dbo.tcpt_PartyMember |

| dbo.tcpt_PartyPrep |

| dbo.tcpt_PersonRelation |

| dbo.tcpt_Requisition |

| dbo.tderate_AuditSchooling |

| dbo.tderate_RegSchooling |

| dbo.temp_CodeStudType |

| dbo.temp_SMS |

| dbo.temp_Student |

| dbo.temp_displayitem |

| dbo.tev_ClassAssess |

| dbo.tev_ClassAssessTemp |

| dbo.tev_EvaluatingItem |

| dbo.tev_EvaluatingType |

| dbo.tev_StudAssess |

| dbo.tev_StudAssessTemp |

| dbo.tgreen_Charge |

| dbo.tgreen_temp |

| dbo.titem_DeregType |

| dbo.titem_PartyBranchType |

| dbo.titem_PartyMemberType |

| dbo.titem_PartySchoolType |

| dbo.tlv_Procedure |

| dbo.tlv_RegForGraduate |

| dbo.tlv_Schema |

| dbo.tmem_BookEnrol |

| dbo.tmem_ChooseCadre |

| dbo.tmem_Development |

| dbo.tmem_DevelopmentNum |

| dbo.tmem_MemBerDocment |

| dbo.tmem_MemCharge |

| dbo.tmem_Member |

| dbo.tmem_OrgType |

| dbo.tmem_Party |

| dbo.tmem_PartyNum |

| dbo.tmem_Record |

| dbo.tmem_Rewards |

| dbo.tmem_TrainDepartment |

| dbo.tmem_TrainManInfo |

| dbo.tmem_orgMan |

| dbo.tmem_organization |

| dbo.tmema_ActivityApply |

| dbo.tmema_ActivityAudit |

| dbo.tmema_ActivityField |

| dbo.tmema_AssnJob |

| dbo.tmema_AssnMember |

| dbo.tmemp_Activity |

| dbo.tmemp_ComAuthor |

| dbo.tmemp_ComManuscript |

| dbo.tmemp_ComReport |

| dbo.tmemp_PublicationIssue |

| dbo.tmemp_PulicJob |

| dbo.tpopedom_UserBackManage |

| dbo.tpopedom_UserModule |

| dbo.tpsy_BBSMain |

| dbo.tpsy_BBSRestore |

| dbo.tpsy_Dossier |

| dbo.tpsy_Emphases |

| dbo.tpsy_Preengage |

| dbo.tpsy_Talk |

| dbo.tpsy_Work |

| dbo.tpunish_Information |

| dbo.tpunish_Repeal |

| dbo.tqgzx |

| dbo.tqgzx1128 |

| dbo.tqgzxbf |

| dbo.treward_Information |

| dbo.treward_InformationG |

| dbo.treward_Repeal |

| dbo.treward_Type |

| dbo.tsafety_InsurePayforMoney |

| dbo.tsafety_InsureRegStudent |

| dbo.tsafety_SafetyGrade |

| dbo.tschol_Annotion |

| dbo.tschol_Apply |

| dbo.tschol_Classify |

| dbo.tschol_Quotas |

| dbo.tschol_RankObj |

| dbo.tssc_History |

| dbo.tstipend_Annotion |

| dbo.tstipend_Apply |

| dbo.tstipend_Classify |

| dbo.tstipend_Quotas |

| dbo.tstipend_RankObj |

| dbo.tstud_Accessories |

| dbo.tstud_CardPrint |

| dbo.tstud_CardPrintFiled |

| dbo.tstud_Educate |

| dbo.tstud_Family |

| dbo.tstud_FieldEdit |

| dbo.tstud_Graduate |

| dbo.tstud_NewStudent |

| dbo.tstud_Student |

| dbo.tstud_StudentTest |

| dbo.tsubsidy_Annotion |

| dbo.tsubsidy_Apply |

| dbo.tsubsidy_Classify |

| dbo.tsubsidy_Quotas |

| dbo.tsubsidy_RankObj |

| dbo.tsys_Download |

| dbo.tsys_EmpNavigation |

| dbo.tsys_FriendlyLink |

| dbo.tsys_Message |

| dbo.tsys_Modules |

| dbo.tsys_Notice |

| dbo.tsys_NoticeInterface |

| dbo.tsys_NoticeType |

| dbo.tsys_Options |

| dbo.tsys_VoteList |

| dbo.tsys_VoteProject |

| dbo.tsys_VoteRen |

| dbo.tsys_loginLog |

| dbo.tsys_loginSession |

| dbo.tt |

| dbo.twl_WorkLog |

| dbo.twork_Apply |

| dbo.twork_CheckIn |

| dbo.twork_Department |

| dbo.twork_PayMoney |

| dbo.twork_PostObj |

| dbo.twork_PostType |

| dbo.vAloan_ListAff |

| dbo.vAloan_ListBasic |

| dbo.vAloan_ListExtend |

| dbo.vCadreGroup_state |

| dbo.vDerate_green_Stat |

| dbo.vDorm_AllRoomDetail |

| dbo.vDorm_Bed |

| dbo.vDorm_BuidingCode |

| dbo.vDorm_CanBePreared |

| dbo.vDorm_CanUseBed |

| dbo.vDorm_Preared |

| dbo.vDorm_StudBedInfo |

| dbo.vDorm_UsedBed |

| dbo.vDorm_building |

| dbo.vDorm_room |

| dbo.vDorm_student |

| dbo.vGreen_Apply |

| dbo.vGreen_YearsMoney |

| dbo.vMin_EmpSearch |

| dbo.vMin_RPSearch |

| dbo.vMin_ScholSearch |

| dbo.vMin_Stipent |

| dbo.vMin_SubSearch |

| dbo.vMin_SysNumber |

| dbo.vMin_WorkStudSearch |

| dbo.vSchol_QuotaForDept |

| dbo.vSim_Reward |

| dbo.vbase_Department |

| dbo.vbase_UserStudAllForLogin |

| dbo.vcard_Student |

| dbo.vcgt_AwardList |

| dbo.vcgt_StatGradeRecord |

| dbo.vcgt_StudSumRecord |

| dbo.vcgt_student |

| dbo.vderate_RegSchooling |

| dbo.vderate_XNMoney |

| dbo.vderate_YearsMoney |

| dbo.vemp_StudCompleteInfo |

| dbo.vemp_Student |

| dbo.vemp_StudentAll |

| dbo.vgreen_StudApply |

| dbo.vins_InsGrade |

| dbo.vjob_StudInfo |

| dbo.vlv_GraduateState |

| dbo.vparty_PersonRelation |

| dbo.vparty_StatBranchSum |

| dbo.vpopedom_UserModule |

| dbo.vpsy_Dossier |

| dbo.vsafety_StatDeptInsurePay |

| dbo.vsafety_StatDeptInsureSum |

| dbo.vschol_Classify |

| dbo.vschol_QuotaForClass |

| dbo.vschol_QuotaForGrade |

| dbo.vschol_XNMoney |

| dbo.vschol_YearsMoney |

| dbo.vstipend_Classify |

| dbo.vstipend_QuotaForClass |

| dbo.vstipend_QuotaForDept |

| dbo.vstipend_QuotaForGrade |

| dbo.vstipend_XNMoney |

| dbo.vstipend_YearsMoney |

| dbo.vstud_Student |

| dbo.vstud_StudentAll |

| dbo.vstud_StudentGraduate |

| dbo.vstud_StudentInschool |

| dbo.vsubsidy_Classify |

| dbo.vsubsidy_QuotaForClass |

| dbo.vsubsidy_QuotaForDept |

| dbo.vsubsidy_QuotaForGrade |

| dbo.vsubsidy_XNMoney |

| dbo.vsubsidy_YearsMoney |

| dbo.vunit_Unit |

| dbo.vwork_Department |

+-------------------------------+





后台就不进了,这是学生管理系统,里面不可能没有学生信息~

修复方案:

服务端必须对用户名、密码等所有输入重新校验,数据库访问改用参数化查询(或存储过程参数),不要用字符串拼接SQL;登录页上的JS校验只是前端提示,不能当作安全机制。

知识来源: www.wooyun.org/bugs/wooyun-2014-059712
