当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0157821

漏洞标题:中国电信某站从sql注入到GETSHELL可导致百万数据泄露(包括姓名/邮箱/电话/身份证号等敏感信息)

相关厂商:中国电信

漏洞作者: 路人甲

提交时间:2015-12-03 12:28

修复时间:2016-01-21 11:00

公开时间:2016-01-21 11:00

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-12-03: 细节已通知厂商并且等待厂商处理中
2015-12-07: 厂商已经确认,细节仅向厂商公开
2015-12-17: 细节向核心白帽子及相关领域专家公开
2015-12-27: 细节向普通白帽子公开
2016-01-06: 细节向实习白帽子公开
2016-01-21: 细节向公众公开

简要描述:

中国电信某站从sql注入到GETSHELL,400W+数据泄露(包括姓名/邮箱/电话/身份证号等敏感信息)

详细说明:

中国电信某商城主站

QQ20151202-0.png


QQ20151202-1.png


QQ20151202-2.png


存在注入 current user: 'root@localhost'

QQ20151202-11.png


400w+数据

QQ20151202-5.png


密码明文存储 66666

QQ20151202-3.png


某接口报错可泄露管理路径

QQ20151202-4.png


登陆管理后台

QQ20151202-6.png


大量敏感数据泄露

QQ20151202-7.png


可以修改各种接口

QQ20151202-8.png


QQ20151202-9.png


抓包上传绕过
GETSHELL

QQ20151202-10.png


数据库表如下

Database: hallylure
[293 tables]
+-----------------------------------------+
| hallylure_common_admincp_cmenu |
| hallylure_common_admincp_group |
| hallylure_common_admincp_member |
| hallylure_common_admincp_perm |
| hallylure_common_admincp_session |
| hallylure_common_admingroup |
| hallylure_common_adminnote |
| hallylure_common_advertisement |
| hallylure_common_advertisement_custom |
| hallylure_common_banned |
| hallylure_common_block |
| hallylure_common_block_favorite |
| hallylure_common_block_item |
| hallylure_common_block_item_data |
| hallylure_common_block_permission |
| hallylure_common_block_pic |
| hallylure_common_block_style |
| hallylure_common_block_xml |
| hallylure_common_cache |
| hallylure_common_card |
| hallylure_common_card_log |
| hallylure_common_card_type |
| hallylure_common_connect_guest |
| hallylure_common_credit_log |
| hallylure_common_credit_log_field |
| hallylure_common_credit_rule |
| hallylure_common_credit_rule_log |
| hallylure_common_credit_rule_log_field |
| hallylure_common_cron |
| hallylure_common_devicetoken |
| hallylure_common_district |
| hallylure_common_diy_data |
| hallylure_common_domain |
| hallylure_common_failedip |
| hallylure_common_failedlogin |
| hallylure_common_friendlink |
| hallylure_common_grouppm |
| hallylure_common_invite |
| hallylure_common_magic |
| hallylure_common_magiclog |
| hallylure_common_mailcron |
| hallylure_common_mailqueue |
| hallylure_common_member |
| hallylure_common_member_action_log |
| hallylure_common_member_connect |
| hallylure_common_member_count |
| hallylure_common_member_crime |
| hallylure_common_member_field_forum |
| hallylure_common_member_field_home |
| hallylure_common_member_forum_buylog |
| hallylure_common_member_grouppm |
| hallylure_common_member_log |
| hallylure_common_member_magic |
| hallylure_common_member_medal |
| hallylure_common_member_newprompt |
| hallylure_common_member_profile |
| hallylure_common_member_profile_setting |
| hallylure_common_member_security |
| hallylure_common_member_secwhite |
| hallylure_common_member_stat_field |
| hallylure_common_member_status |
| hallylure_common_member_validate |
| hallylure_common_member_verify |
| hallylure_common_member_verify_info |
| hallylure_common_myapp |
| hallylure_common_myinvite |
| hallylure_common_mytask |
| hallylure_common_nav |
| hallylure_common_onlinetime |
| hallylure_common_optimizer |
| hallylure_common_patch |
| hallylure_common_plugin |
| hallylure_common_pluginvar |
| hallylure_common_process |
| hallylure_common_regip |
| hallylure_common_relatedlink |
| hallylure_common_remote_port |
| hallylure_common_report |
| hallylure_common_searchindex |
| hallylure_common_seccheck |
| hallylure_common_secquestion |
| hallylure_common_session |
| hallylure_common_setting |
| hallylure_common_smiley |
| hallylure_common_sphinxcounter |
| hallylure_common_stat |
| hallylure_common_statuser |
| hallylure_common_style |
| hallylure_common_stylevar |
| hallylure_common_syscache |
| hallylure_common_tag |
| hallylure_common_tagitem |
| hallylure_common_task |
| hallylure_common_taskvar |
| hallylure_common_template |
| hallylure_common_template_block |
| hallylure_common_template_permission |
| hallylure_common_uin_black |
| hallylure_common_usergroup |
| hallylure_common_usergroup_field |
| hallylure_common_visit |
| hallylure_common_word |
| hallylure_common_word_type |
| hallylure_connect_disktask |
| hallylure_connect_feedlog |
| hallylure_connect_memberbindlog |
| hallylure_connect_postfeedlog |
| hallylure_connect_tthreadlog |
| hallylure_forum_access |
| hallylure_forum_activity |
| hallylure_forum_activityapply |
| hallylure_forum_announcement |
| hallylure_forum_attachment |
| hallylure_forum_attachment_0 |
| hallylure_forum_attachment_1 |
| hallylure_forum_attachment_2 |
| hallylure_forum_attachment_3 |
| hallylure_forum_attachment_4 |
| hallylure_forum_attachment_5 |
| hallylure_forum_attachment_6 |
| hallylure_forum_attachment_7 |
| hallylure_forum_attachment_8 |
| hallylure_forum_attachment_9 |
| hallylure_forum_attachment_exif |
| hallylure_forum_attachment_unused |
| hallylure_forum_attachtype |
| hallylure_forum_bbcode |
| hallylure_forum_collection |
| hallylure_forum_collectioncomment |
| hallylure_forum_collectionfollow |
| hallylure_forum_collectioninvite |
| hallylure_forum_collectionrelated |
| hallylure_forum_collectionteamworker |
| hallylure_forum_collectionthread |
| hallylure_forum_creditslog |
| hallylure_forum_debate |
| hallylure_forum_debatepost |
| hallylure_forum_faq |
| hallylure_forum_filter_post |
| hallylure_forum_forum |
| hallylure_forum_forum_threadtable |
| hallylure_forum_forumfield |
| hallylure_forum_forumrecommend |
| hallylure_forum_groupcreditslog |
| hallylure_forum_groupfield |
| hallylure_forum_groupinvite |
| hallylure_forum_grouplevel |
| hallylure_forum_groupuser |
| hallylure_forum_hotreply_member |
| hallylure_forum_hotreply_number |
| hallylure_forum_imagetype |
| hallylure_forum_medal |
| hallylure_forum_medallog |
| hallylure_forum_memberrecommend |
| hallylure_forum_moderator |
| hallylure_forum_modwork |
| hallylure_forum_newthread |
| hallylure_forum_onlinelist |
| hallylure_forum_order |
| hallylure_forum_poll |
| hallylure_forum_polloption |
| hallylure_forum_polloption_image |
| hallylure_forum_pollvoter |
| hallylure_forum_post |
| hallylure_forum_post_location |
| hallylure_forum_post_moderate |
| hallylure_forum_post_tableid |
| hallylure_forum_postcache |
| hallylure_forum_postcomment |
| hallylure_forum_postlog |
| hallylure_forum_poststick |
| hallylure_forum_promotion |
| hallylure_forum_ratelog |
| hallylure_forum_relatedthread |
| hallylure_forum_replycredit |
| hallylure_forum_rsscache |
| hallylure_forum_sofa |
| hallylure_forum_spacecache |
| hallylure_forum_statlog |
| hallylure_forum_thread |
| hallylure_forum_thread_moderate |
| hallylure_forum_threadaddviews |
| hallylure_forum_threadcalendar |
| hallylure_forum_threadclass |
| hallylure_forum_threadclosed |
| hallylure_forum_threaddisablepos |
| hallylure_forum_threadhidelog |
| hallylure_forum_threadhot |
| hallylure_forum_threadimage |
| hallylure_forum_threadlog |
| hallylure_forum_threadmod |
| hallylure_forum_threadpartake |
| hallylure_forum_threadpreview |
| hallylure_forum_threadprofile |
| hallylure_forum_threadprofile_group |
| hallylure_forum_threadrush |
| hallylure_forum_threadtype |
| hallylure_forum_trade |
| hallylure_forum_tradecomment |
| hallylure_forum_tradelog |
| hallylure_forum_typeoption |
| hallylure_forum_typeoptionvar |
| hallylure_forum_typevar |
| hallylure_forum_warning |
| hallylure_home_album |
| hallylure_home_album_category |
| hallylure_home_appcreditlog |
| hallylure_home_blacklist |
| hallylure_home_blog |
| hallylure_home_blog_category |
| hallylure_home_blog_moderate |
| hallylure_home_blogfield |
| hallylure_home_class |
| hallylure_home_click |
| hallylure_home_clickuser |
| hallylure_home_comment |
| hallylure_home_comment_moderate |
| hallylure_home_docomment |
| hallylure_home_doing |
| hallylure_home_doing_moderate |
| hallylure_home_favorite |
| hallylure_home_feed |
| hallylure_home_feed_app |
| hallylure_home_follow |
| hallylure_home_follow_feed |
| hallylure_home_follow_feed_archiver |
| hallylure_home_friend |
| hallylure_home_friend_request |
| hallylure_home_friendlog |
| hallylure_home_notification |
| hallylure_home_pic |
| hallylure_home_pic_moderate |
| hallylure_home_picfield |
| hallylure_home_poke |
| hallylure_home_pokearchive |
| hallylure_home_share |
| hallylure_home_share_moderate |
| hallylure_home_show |
| hallylure_home_specialuser |
| hallylure_home_userapp |
| hallylure_home_userappfield |
| hallylure_home_visitor |
| hallylure_mobile_setting |
| hallylure_mobileoem_member |
| hallylure_mobileoem_pushthreads |
| hallylure_portal_article_content |
| hallylure_portal_article_count |
| hallylure_portal_article_moderate |
| hallylure_portal_article_related |
| hallylure_portal_article_title |
| hallylure_portal_article_trash |
| hallylure_portal_attachment |
| hallylure_portal_category |
| hallylure_portal_category_permission |
| hallylure_portal_comment |
| hallylure_portal_comment_moderate |
| hallylure_portal_rsscache |
| hallylure_portal_topic |
| hallylure_portal_topic_pic |
| hallylure_security_evilpost |
| hallylure_security_eviluser |
| hallylure_security_failedlog |
| hallylure_ucenter_admins |
| hallylure_ucenter_applications |
| hallylure_ucenter_badwords |
| hallylure_ucenter_domains |
| hallylure_ucenter_failedlogins |
| hallylure_ucenter_feeds |
| hallylure_ucenter_friends |
| hallylure_ucenter_mailqueue |
| hallylure_ucenter_memberfields |
| hallylure_ucenter_members |
| hallylure_ucenter_mergemembers |
| hallylure_ucenter_newpm |
| hallylure_ucenter_notelist |
| hallylure_ucenter_pm_indexes |
| hallylure_ucenter_pm_lists |
| hallylure_ucenter_pm_members |
| hallylure_ucenter_pm_messages_0 |
| hallylure_ucenter_pm_messages_1 |
| hallylure_ucenter_pm_messages_2 |
| hallylure_ucenter_pm_messages_3 |
| hallylure_ucenter_pm_messages_4 |
| hallylure_ucenter_pm_messages_5 |
| hallylure_ucenter_pm_messages_6 |
| hallylure_ucenter_pm_messages_7 |
| hallylure_ucenter_pm_messages_8 |
| hallylure_ucenter_pm_messages_9 |
| hallylure_ucenter_protectedmembers |
| hallylure_ucenter_settings |
| hallylure_ucenter_sqlcache |
| hallylure_ucenter_tags |
| hallylure_ucenter_vars |
+-----------------------------------------+
Database: shopstit
[32 tables]
+-----------------------------------------+
| act_award_info |
| act_user_award_info |
| activityinfo |
| admingroup |
| adminmenu |
| adminuser |
| ask_goods_info |
| attribute_class_info |
| attribute_class_select_value_info |
| attribute_value_info |
| class_info |
| create_html |
| dispatch_mode_info |
| dispatch_pay_mutuality_info |
| goods_fav |
| goods_fitting_mutuality_info |
| goods_image_info |
| goods_info |
| goods_mutuality_info |
| gp_class |
| news |
| notice |
| order_detail_info |
| order_info |
| rcmdgoods |
| repair |
| search_log |
| shop_basket |
| sms |
| telnumber |
| usercent |
| userinfo |
+-----------------------------------------+
Database: ybzdb
[99 tables]
+-----------------------------------------+
| v9_admin |
| v9_admin_panel |
| v9_admin_role |
| v9_admin_role_priv |
| v9_announce |
| v9_attachment |
| v9_attachment_index |
| v9_badword |
| v9_biaodan |
| v9_biaodan_data |
| v9_block |
| v9_block_history |
| v9_block_priv |
| v9_cache |
| v9_category |
| v9_category_priv |
| v9_collection_content |
| v9_collection_history |
| v9_collection_node |
| v9_collection_program |
| v9_comment |
| v9_comment_check |
| v9_comment_data_1 |
| v9_comment_setting |
| v9_comment_table |
| v9_content_check |
| v9_copyfrom |
| v9_datacall |
| v9_dbsource |
| v9_download |
| v9_download_data |
| v9_downservers |
| v9_extend_setting |
| v9_favorite |
| v9_guestbook |
| v9_hits |
| v9_ipbanned |
| v9_keylink |
| v9_link |
| v9_linkage |
| v9_log |
| v9_member |
| v9_member_detail |
| v9_member_group |
| v9_member_menu |
| v9_member_verify |
| v9_member_vip |
| v9_menu |
| v9_message |
| v9_message_data |
| v9_message_group |
| v9_model |
| v9_model_field |
| v9_module |
| v9_mood |
| v9_news |
| v9_news_data |
| v9_page |
| v9_pay_account |
| v9_pay_payment |
| v9_pay_spend |
| v9_picture |
| v9_picture_data |
| v9_plugin |
| v9_plugin_var |
| v9_position |
| v9_position_data |
| v9_poster |
| v9_poster_201206 |
| v9_poster_201207 |
| v9_poster_space |
| v9_queue |
| v9_release_point |
| v9_search |
| v9_search_keyword |
| v9_session |
| v9_site |
| v9_sms_report |
| v9_special |
| v9_special_c_data |
| v9_special_content |
| v9_sphinx_counter |
| v9_sso_admin |
| v9_sso_applications |
| v9_sso_members |
| v9_sso_messagequeue |
| v9_sso_session |
| v9_sso_settings |
| v9_tag |
| v9_template_bak |
| v9_times |
| v9_type |
| v9_urlrule |
| v9_vote_data |
| v9_vote_option |
| v9_vote_subject |
| v9_wap |
| v9_wap_type |
| v9_workflow |
+-----------------------------------------+
Database: mysql
[40 tables]
+-----------------------------------------+
| user |
| abcgv |
| abcgvmo |
| cgfuhc |
| columns_priv |
| db |
| ehuyzk32 |
| ejfjxv32 |
| event |
| func |
| general_log |
| gjippi |
| help_category |
| help_keyword |
| help_relation |
| help_topic |
| host |
| jtjqbr |
| nciupb32 |
| ndb_binlog_index |
| omrnqa |
| plugin |
| proc |
| procs_priv |
| qpicbb |
| servers |
| slow_log |
| tables_priv |
| tempEx |
| tempExT |
| tempExT1 |
| time_zone |
| time_zone_leap_second |
| time_zone_name |
| time_zone_transition |
| time_zone_transition_type |
| ysqzut |
| yttxfg32 |
| zcsxqm32 |
| zfdipw32 |
+-----------------------------------------+
Database: dspam
[5 tables]
+-----------------------------------------+
| dspam_preferences |
| dspam_signature_data |
| dspam_stats |
| dspam_token_data |
| dspam_virtual_uids |
+-----------------------------------------+
Database: ego10000
[46 tables]
+-----------------------------------------+
| act_award_info |
| act_user_award_info |
| activityinfo |
| ad_info |
| admingroup |
| adminmenu |
| adminuser |
| ask_goods_info |
| attribute_class_info |
| attribute_class_select_value_info |
| attribute_value_info |
| class_info |
| create_html |
| dianxin_order |
| dispatch_mode_info |
| dispatch_pay_mutuality_info |
| gift_info |
| gift_order |
| goods_fav |
| goods_fitting_mutuality_info |
| goods_image_info |
| goods_info |
| goods_more_info |
| goods_mutuality_info |
| goods_taocan |
| goods_taocan_attr |
| goods_taocan_value |
| gp_class |
| news |
| notice |
| order_detail_info |
| order_info |
| order_network |
| rcmdgoods |
| repair |
| search_log |
| shop_basket |
| sms |
| tel_number |
| tel_taocan_value |
| tel_type |
| tel_type_template |
| tel_type_template_attr |
| telnumber |
| usercent |
| userinfo |
+-----------------------------------------+
Database: information_schema
[28 tables]
+-----------------------------------------+
| CHARACTER_SETS |
| COLLATIONS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS |
| COLUMN_PRIVILEGES |
| ENGINES |
| EVENTS |
| FILES |
| GLOBAL_STATUS |
| GLOBAL_VARIABLES |
| KEY_COLUMN_USAGE |
| PARTITIONS |
| PLUGINS |
| PROCESSLIST |
| PROFILING |
| REFERENTIAL_CONSTRAINTS |
| ROUTINES |
| SCHEMATA |
| SCHEMA_PRIVILEGES |
| SESSION_STATUS |
| SESSION_VARIABLES |
| STATISTICS |
| TABLES |
| TABLE_CONSTRAINTS |
| TABLE_PRIVILEGES |
| TRIGGERS |
| USER_PRIVILEGES |
| VIEWS |
+-----------------------------------------+
Database: stit_v3
[45 tables]
+-----------------------------------------+
| act_award_info |
| act_user_award_info |
| activityinfo |
| ad_info |
| admingroup |
| adminmenu |
| adminuser |
| ask_goods_info |
| attribute_class_info |
| attribute_class_select_value_info |
| attribute_value_info |
| class_info |
| create_html |
| dispatch_mode_info |
| dispatch_pay_mutuality_info |
| gift_info |
| gift_order |
| goods_fav |
| goods_fitting_mutuality_info |
| goods_image_info |
| goods_info |
| goods_more_info |
| goods_mutuality_info |
| goods_taocan |
| goods_taocan_attr |
| goods_taocan_value |
| gp_class |
| news |
| notice |
| order_detail_info |
| order_info |
| order_network |
| rcmdgoods |
| repair |
| search_log |
| shop_basket |
| sms |
| tel_number |
| tel_taocan_value |
| tel_type |
| tel_type_template |
| tel_type_template_attr |
| telnumber |
| usercent |
| userinfo |
+-----------------------------------------+

漏洞证明:

已经证明

修复方案:

过滤 密码加密啊亲

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:13

确认时间:2015-12-07 10:57

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT向中国电信集团公司通报,由其后续协调网站管理部门处置.

最新状态:

暂无