
Vulnerability summary

Defect ID: wooyun-2015-0133737

Title: SQL injection in a city traffic police information service site (DBA privileges; ID-card details of 40,000+ drivers exposed)

Vendor: a city traffic police information service site

Author: 路人甲

Submitted: 2015-08-13 09:12

Fixed: 2015-10-01 08:18

Published: 2015-10-01 08:18

Type: SQL injection

Severity: Medium

Self-assessed Rank: 8

Status: handed over to a third-party partner organisation (公安部一所, the First Research Institute of the Ministry of Public Security) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-08-13: Details sent to the vendor; awaiting vendor response
2015-08-17: Vendor confirmed; details visible to the vendor only
2015-08-27: Details opened to core white hats and domain experts
2015-09-06: Details opened to regular white hats
2015-09-16: Details opened to intern white hats
2015-10-01: Details opened to the public

Summary:

The service matters; security matters more!
Thanks to the reviewers for their work. Asking for an invitation code.

Details:

http://**.**.**.**/Pages/Foreground/MainFrame.aspx?TargetKey=DriverLicenseResubmit#
http://**.**.**.**/Pages/Foreground/Common/FeekbackList.aspx
Adding a single quote in the search query field immediately produces a raw error.

[Screenshots of the error: 4PD2PF@47})0(NUT(6$DQ)1.png, %(G]JBHRXJ$`($O9_UH7({M.png, QA9`N~MWHH2W}I7U`JN_9FM.png, T[DKM5G1C8%U%HJO{5Z0]D4.png]
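A search field that throws a raw database error as soon as it sees a single quote is the signature of SQL built by string concatenation. The block below is an added example, not code from the report or from the affected site: the concatenating search next to its parameterised replacement, plus a probe that repeats the reporter's two manual steps (a lone quote, then a boolean payload). The site is an ASP.NET application on SQL Server, judging by the .aspx pages and the sysdiagrams table; sqlite3 stands in here so the example runs offline, and the BAS_Feekback column layout and sample rows are constructed assumptions.

```python
"""Added example, not from the WooYun report or the affected site.

String-concatenated search (the pattern a quote-induced error implies)
next to a parameterised version, and a probe that repeats the reporter's
manual check.  sqlite3 stands in for the site's SQL Server backend so the
code runs offline; the BAS_Feekback column layout and rows are constructed.
"""
import sqlite3

# Constructed rows standing in for the BAS_Feekback table (assumed layout).
ROWS = [
    (1, "Zhang San", "Lost driver licence, how do I resubmit?"),
    (2, "Li Si", "Appointment slot was never confirmed"),
    (3, "Wang Wu", "Payment record is missing"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE BAS_Feekback (Id INTEGER, Name TEXT, Content TEXT)")
    conn.executemany("INSERT INTO BAS_Feekback VALUES (?, ?, ?)", ROWS)
    return conn


def search_vulnerable(conn: sqlite3.Connection, keyword: str) -> list[int]:
    """Keyword is pasted into the statement: a quote ends the literal early."""
    sql = ("SELECT Id FROM BAS_Feekback WHERE Content LIKE '%" + keyword
           + "%' ORDER BY Id")
    return [row[0] for row in conn.execute(sql)]


def search_fixed(conn: sqlite3.Connection, keyword: str) -> list[int]:
    """Keyword is bound as a parameter: it can only ever be data."""
    sql = "SELECT Id FROM BAS_Feekback WHERE Content LIKE ? ORDER BY Id"
    return [row[0] for row in conn.execute(sql, ("%" + keyword + "%",))]


def probe(conn: sqlite3.Connection, search) -> dict:
    """The reporter's manual check, in two steps:
    1. a lone quote: does the database raise a syntax error?
    2. a boolean payload: does it return more rows than the plain keyword?
    """
    try:
        search(conn, "'")
        quote_errors = False
    except sqlite3.OperationalError:
        quote_errors = True
    baseline = search(conn, "Appointment")
    # Closes the LIKE literal, ORs in a tautology, comments out the rest.
    injected = search(conn, "zzz' OR 1=1 --")
    return {"quote_errors": quote_errors, "baseline": baseline,
            "injected": injected}


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("concatenated", search_vulnerable),
                     ("parameterised", search_fixed)):
        print(name, probe(db, fn))
```

Against the concatenated query the lone quote raises a syntax error and the tautology returns every row; against the bound parameter neither input does anything but fail to match. On the real stack the first step would surface as SQL Server error 105, "Unclosed quotation mark after the character string", in the ASP.NET error page, which is what "immediately produces a raw error" looks like in practice, and the fix is the same: SqlParameter binding instead of string building, plus a custom error page so the database never talks to the browser.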

Proof of vulnerability:

Captured the request and ran it through sqlmap

[sqlmap screenshots: 01.png, 1.png, 2.png]


DBA privileges

[Screenshot: 3.png]


Database: ZSTP_ServiceHall
[84 tables]
+---------------------------------+
| AUT_AuthorityItem |
| AUT_Module |
| AUT_ModuleAuthorityItem |
| AUT_Role |
| AUT_RoleModuleAuthority |
| AUT_RoleRegion |
| AUT_User |
| AUT_UserRole |
| BAS_BusiRefuseReason |
| BAS_Community |
| BAS_Feekback |
| BAS_PassageRoute |
| BAS_Region |
| BAS_School |
| BAS_School_Bak |
| BAS_Stamp |
| BAS_User |
| EMS_Business |
| EMS_Service |
| Exch_DataBeProcess |
| Exch_DataProcessed |
| Exch_FieldsDefine |
| FLW_BusinessFlow |
| FLW_BusinessFlowNode |
| FLW_BusinessVerification |
| FLW_FlowNode |
| FLW_RoleFlowNode |
| GPS_VehicleGPSDevice |
| Inf_Notice |
| Inf_TrafficRule |
| LCS_DriverLicense |
| LCS_VehicleLicense |
| Pay_BankList |
| Pay_PayRecord |
| UNIMAS_20110304175815 |
| UNIMAS_20110304180341 |
| UNIMAS_20110304181138 |
| UNIMAS_DC360B_FABAA_1 |
| UNIMAS_DC360B_FABAA_3 |
| UNIMAS_DC360B_FABAA_57 |
| UNIMAS_DC390B_FGAJA_1 |
| UNIMAS_DC390B_FGAJA_18 |
| UNIMAS_DC390B_FGAJA_2 |
| UNIMAS_DC390B_FGAJA_3 |
| VIEW_AllEMSDatas |
| VehicleVIN |
| View_DriverBusi |
| View_VehicleBusi |
| WOK_CommonTruckPassProcessing |
| WOK_DGTransporterPassProcessing |
| WOK_DriverLicenseImport |
| WOK_DriverLicenseModifying |
| WOK_DriverLicenseRenew |
| WOK_DriverLicenseResubmit |
| WOK_DumpTruckPassProcessing |
| WOK_HealthCheck |
| WOK_MsgFinishSend |
| WOK_MsgUnSend |
| WOK_NoCheckVehicle |
| WOK_PassportRelation |
| WOK_RequestQueue |
| WOK_ResponseQueue |
| WOK_SchoolBusDriverWorkpermit |
| WOK_SchoolBusTag |
| WOK_TagNoSerialNum |
| WOK_TarfficWorkTimeRange |
| WOK_TestingStation |
| WOK_TrafficAppointment |
| WOK_TrafficAppointmentTimeRange |
| WOK_TrafficOffenseActionCode |
| WOK_TrafficOffenseTransaction |
| WOK_TransitMixerPassProcessing |
| WOK_VehicleCertBusi |
| WOK_VehicleLicenseModifying |
| WOK_VehicleLicenseRenew |
| WOK_VehicleLicenseResubmit |
| WOK_VehiclePeriodicCheck |
| WOK_VehiclePlateBusi |
| WOK_VehiclePlateDischarge |
| WOK_VehiclePlateTransfer |
| WOK_VehicleRegister |
| WOK_VehicleType |
| WOK_WorkpermitNoSerialNum |
| sysdiagrams |
+---------------------------------+
Database: ZSTP_ServiceHall_GA
[84 tables]
+----------------------------------------+
| AUT_AuthorityItem |
| AUT_Module |
| AUT_ModuleAuthorityItem |
| AUT_Role |
| AUT_RoleModuleAuthority |
| AUT_RoleRegion |
| AUT_User |
| AUT_UserRole |
| BAS_BusiRefuseReason |
| BAS_Community |
| BAS_Feekback |
| BAS_PassageRoute |
| BAS_Region |
| BAS_School |
| BAS_School_Bak |
| BAS_Stamp |
| BAS_User |
| DriveTagImport |
| DriverImport |
| DriverImport_New |
| EMS_Business |
| EMS_Service |
| Exch_DataBeProcess |
| Exch_DataProcessed |
| Exch_FieldsDefine |
| FLW_BusinessFlow |
| FLW_BusinessFlowNode |
| FLW_BusinessVerification |
| FLW_FlowNode |
| FLW_RoleFlowNode |
| GPS_VehicleGPSDevice |
| Inf_Notice |
| Inf_TrafficRule |
| LCS_DriverLicense |
| LCS_VehicleLicense |
| Pay_BankList |
| Pay_PayRecord |
| UNIMAS_20110304175815 |
| UNIMAS_20110304180341 |
| UNIMAS_20110304181138 |
| VIEW_AllEMSDatas |
| VehicleVIN |
| View_DriverBusi |
| View_VehicleBusi |
| WOK_CommonTruckPassProcessing |
| WOK_DGTransporterPassProcessing |
| WOK_DriverLicenseImport |
| WOK_DriverLicenseModifying |
| WOK_DriverLicenseRenew |
| WOK_DriverLicenseResubmit |
| WOK_DumpTruckPassProcessing |
| WOK_HealthCheck |
| WOK_MsgFinishSend |
| WOK_MsgUnSend |
| WOK_PassportRelation |
| WOK_RequestQueue |
| WOK_ResponseQueue |
| WOK_SchoolBusDriverWorkpermit |
| WOK_SchoolBusTag |
| WOK_SchoolBusTag_20110830 |
| WOK_TagNoSerialNum |
| WOK_TarfficWorkTimeRange |
| WOK_TestingStation |
| WOK_TrafficAppointment |
| WOK_TrafficAppointmentTimeRange |
| WOK_TrafficOffenseActionCode |
| WOK_TrafficOffenseTransaction |
| WOK_TrafficOffenseTransaction_20110217 |
| WOK_TrafficOffenseTransaction_20110308 |
| WOK_TransitMixerPassProcessing |
| WOK_VehicleCertBusi |
| WOK_VehicleLicenseModifying |
| WOK_VehicleLicenseRenew |
| WOK_VehicleLicenseResubmit |
| WOK_VehiclePeriodicCheck |
| WOK_VehiclePlateBusi |
| WOK_VehiclePlateDischarge |
| WOK_VehiclePlateTransfer |
| WOK_VehicleRegister |
| WOK_VehicleType |
| WOK_WorkpermitNoSerialNum |
| sysdiagrams |
| wok_SchoolBusTag_20110929 |
| wok_SchoolBusTag_bak |
+----------------------------------------+
Dumped a few of the rows:
| 20120803000034 | 001001 | + | %u674e%u56db | + | %u672c%u793e%u533a%u5e10%u53f7 | + | 6 | + | 08/08/2012 | 08/08/2012 | + | 08++3+2012++3:26PM | + | 140122198403248133 |
| 20120803000039 | 001025 | + | %u9648%u4f2f%u5e73 | C1E | %u957f%u6c5f%u5317%u8def161%u53f7 | + | 6 | + | 10/13/2007 | 10/13/2007 | + | 08++3+2012++3:57PM | + | 442000198601132333 |
| 20120806000002 | 001027 | + | %u9648%u7eee%u6f8e | A2E | %u4e1c%u533a%u6c99%u5c97%u6b63%u885768%u53f7 | + | 6 | + | 09/11/2008 | 09/11/1995 | + | 08++6+2012++2:53PM | + | 442000197505058378 |
| 20120818000011 | 001025001 | + | %u5f20%u73ee%u73ca | C1E | %u5e7f%u4e1c%u7701%u4e2d%u5c71%u5e02%u77f3%u5c90%u533a%u4e0b%u6cb3%u6cca47%u53f7202%u623f | + | 6 | + | 12/08/2006 | 12/08/2000 | + | 08+18+2012++3:14PM | + | 442000198010060040 |
| 20120818000016 | 001025001 | + | %u5218%u54f2%u96c4 | B1E | %u5e7f%u4e1c%u7701%u4e2d%u5c71%u5e02%u4e1c%u533a%u5b59%u6587%u4e1c%u8def277%u53f7 | + | 6 | + | 04/11/2007 | 04/11/1994 | + | 08+18+2012++3:32PM | + | 440521196702043119 |
| 20120818000019 | 001025001 | + | %u7f57%u4f1f%u6587 | C1E | %u5e7f%u4e1c%u7701%u4e2d%u5c71%u5e02%u4e1c%u533a%u4e1c%u82d1%u5357%u8def%u6587%u5174%u885737%u53f7 | + | 6 | + | 04/11/2010 | 04/11/1995 | + | 08+18+2012++3:40PM | + | 44200019681013837X |
| 20120818000023 | 001025001 | + | %u949f%u60e0%u840d | E | %u5e7f%u897f%u58ee%u65cf%u81ea%u6cbb%u533a%u8d35%u6e2f%u5e02%u5e73%u5357%u53bf%u601d%u65fa%u9547%u82b1%u77f3%u6751%u5927%u5858%u8fb9%u4e09%u5c6f23%u53f7 | + | 10 | + | 04/07/2011 | 04/07/1999 | + | 08+18+2012++3:53PM | + | 452524197710104089 |
| 20120818000026 | 001025001 | + | %u738b%u52c7 | C1D | %u5e7f%u4e1c%u7701%u4e2d%u5c71%u5e02%u77f3%u5c90%u533a%u5bcc%u5eb7%u8def1%u53f7%u4e8c%u5341%u4e94%u5e62 | + | 10 | + | 07/08/2010 | 07/08/2004 | + | 08+18+2012++3:58PM | + | 430522197412221019 |
| 20120818000029 | 001025001 | + | %u8c2d%u701a%u9716 | B1E | %u5e7f%u4e1c%u7701%u4e2d%u5c71%u5e02%u77f3%u5c90%u533a%u78a7%u6e56%u4e1c%u885713%u53f7702%u623f | + | 6 | + | 07/25/2009 | 07/25/1992 | + | 08+18+2012++4:14PM | + | 440620196205080014 |
| 20120918000002 | 001025001 | + | %u9093%u9526%u8363 | C1 | %u4e2d%u5c71%u5e02%u4e1c%u533a | + | 6 | + | 11/20/2006 | 11/20/2006 | + | 09+18+2012++3:17PM | + | 12345678 |
| 20120921000002 | 001025001 | + | %u65b9%u9648%u601d | C1D | %u6e56%u5317%u7701%u9ec4%u77f3%u5e02%u9ec4%u77f3%u6e2f%u533a%u7ea2%u65d7%u6865%u5929%u6d25%u8def6-54%u53f7 | + | 6 | + | 07/21/2011 | 07/21/2011 | + | 09+21+2012+12:23PM | + | 420202198108140813 |
| 20121015000069 | 001025001 | + | %u9646%u5149%u660e | + | %u5e7f%u4e1c%u7701%u4e2d%u5c71%u5e02%u6d4b%u8bd5%u5730%u5740 | -+- | 6 | + | 04/10/2012 | 04/10/2012 | + | 10+15+2012+11:30PM | + | 450681198007072295 |
| 20121024000051 | 022029 | + | %u5434%u73b2%u6839 | A1 | + | + | 6 | + | 11/19/2008 | 11/19/1986 | + | 10+24+2012++5:14PM | + | 442000196503090855 |
| 20121027000039 | 022029 | + | %u9648%u76ca%u6c11 | C1 | + | + | 6 | + | 07/25/2008 | 07/25/2008 | + | 10+27+2012+11:18AM | + | 441521198704010812 |
| 20121105000049 | 022031006 | + | %u84dd%u56fd%u82b3 | A1A2 | + | + | 6 | + | 10/12/2008 | 10/12/1994 | + | 11++5+2012++5:32PM | + | 441622197102165515 |
| 20121105000052 | 022030008 | + | %u848b%u5c0a%u6b66 | A2D | %u4e2d%u5c71%u5e02%u4e09%u4e61%u9547%u589f%u4ed4%u534e%u4e30%u82b1%u56ed%u7fe0%u96e8%u5c459%u5e62401%u5ba4 | + | 6 | + | 05/24/2007 | 05/24/2001 | + | 11++5+2012++5:40PM | + | 432927198001256014 |
| 20121106000049 | 015034 | + | %u9ec4%u4fca%u6587 | C1E | %u4e2d%u5c71%u5e02%u6a2a%u680f%u9547%u957f%u5b89%u5357%u8def82%u53f7 | + | 6 | + | 09/05/2008 | 09/05/2008 | + | 11++6+2012++9:57AM | + | 442000198804256117 |
| 20121106000052 | 022030009 | + | %u90d1%u5065%u6069 | CE | %u4e09%u4e61%u9547%u6587%u534e%u4e1c%u8def%u4e09%u4e61%u516c%u5171%u6c7d%u8f66%u6709%u9650%u516c%u53f8 | + | 10 | + | 06/23/2011 | 06/23/2005 | + | 11++6+2012+10:17AM | + | 442000198609051298 |
| 20121106000064 | 022031003 | + | %u6881%u6ce2 | A1A2 | %u5e7f%u4e1c%u7701%u4e2d%u5c71%u5e02%u5357%u533a%u57ce%u5357%u4e09%u8def38%u53f7 | + | 10 | + | 10/13/2011 | 10/13/1999 | + | 11++6+2012+11:22AM | + | 452501197910175311 |
| 20121106000066 | 022031003 | + | %u7f57%u5174%u65fa | A1A2E | %u5e7f%u4e1c%u7701%u4e2d%u5c71%u5e02%u5357%u533a%u57ce%u5357%u4e09%u8def38%u53f7 | + | 6 | + | 02/27/2007 | 02/27/1992 | + | 11++6+2012+11:29AM | + | 440822196912306936 |
| 20121106000068 | 022031003 | + | %u7f57%u5c0f%u519b | A1A2 | %u5e7f%u4e1c%u7701%u4e2d%u5c71%u5e02%u5357%u533a%u57ce%u5357%u4e09%u8def38%u53f7 | + | 6 | + | 06/08/2009 | 06/08/1995 | + | 11++6+2012+11:50AM | + | 360502197607192816 |
| 20121106000074 | 001001002 | + | %u4f59%u57fa%u57fa | C1 | %u4e2d%u5c71%u5e02%u4e1c%u533a%u91d1%u9f99%u8857 | + | 6 | + | 07/13/2010 | 07/13/2010 | + | 11++6+2012++3:10PM | + | 430221197601018199 |
| 20121106000083 | 022030009 | + | %u9648%u96c4%u6770 | A | + | + | 6 | + | 04/16/2010 | 04/16/1998 | + | 11++6+2012++3:58PM | + | 440822197912204117 |
| 20121106000086 | 022030009 | + | %u97e6%u6587%u5c97 | A | +

Fix recommendation:

Copyright notice: when reposting, credit the source 路人甲@乌云


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 8

Confirmed: 2015-08-17 08:16

Vendor reply:

Thanks for the submission!!
Verified and confirmed the described issue; the owner has been notified to fix it.

Latest status:

None yet