Vulnerability summary

Defect ID: wooyun-2016-0171037

Title: Command execution in an electronic student-status (学籍) management system in Liaoning Province (several million students' records, a large volume of exam results, tens of millions of records in total)

Vendor: center

Author: 路人甲

Submitted: 2016-01-19 09:47

Fix time: 2016-03-05 09:52

Published: 2016-03-05 09:52

Vulnerability type: command execution

Severity: high

Self-assessed rank: 15

Status: handed to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2016-01-19: details sent to the vendor, awaiting vendor handling
2016-01-22: vendor confirmed; details disclosed to the vendor only
2016-02-01: details disclosed to core white hats and relevant domain experts
2016-02-11: details disclosed to regular white hats
2016-02-21: details disclosed to intern white hats
2016-03-05: details disclosed to the public

Brief description:

Detailed description:

At **.**.**.**/bin/, the Liaoning Province electronic student-status management system has a command-execution vulnerability. Through the database configuration, tens of millions of records were found, mainly 3,000,000+ detailed personal records of students, plus exam results. During testing, a problem with a database statement that was executed caused the server to crash... the site is temporarily inaccessible.
Only screenshots and student information can be shown as proof of the severity.
The impact is truly enormous; a backup in the website directory contains nearly 30 GB of compressed student photos.

Proof of vulnerability:

[Screenshots not preserved in this copy: 1111.png, 2222.png, 3333.png, 100000W.png, xinxi1.png through xinxi15.png]

<jdbc-driver-params>
  <url>jdbc:oracle:thin:@(DESCRIPTION =(ADDRESS = (PROTOCOL = TCP)(HOST =**.**.**.**)(PORT = 1521))(ADDRESS = (PROTOCOL = TCP)(HOST =**.**.**.**)(PORT = 1521))(LOAD_BALANCE = yes)(FAILOVER = ON)(CONNECT_DATA =(SERVER = DEDICATED)(SERVICE_NAME = LNGZXX)(FAILOVER_MODE=(TYPE = SELECT)(METHOD = BASIC)(RETIRES = 20)(DELAY = 15))))</url>
  <driver-name>oracle.jdbc.xa.client.OracleXADataSource</driver-name>
  <properties>
    <property>
      <name>user</name>
      <value>EDU_TEST_JYJ</value>
    </property>
  </properties>
  <password-encrypted>{AES}exWafqhWStJP0wKPL4/hh+vlM3sy4CbU7LZ6Mbx13XQ=</password-encrypted>
</jdbc-driver-params>

jdbc:oracle:thin:@**.**.**.**:1521/LNGZXX

Database configuration (a WebLogic JDBC data-source descriptor; hosts redacted)

Query#0 : select t.TABLE_NAME,t.NUM_ROWS from user_tables t order by NUM_ROWS desc
TABLE_NAME (VARCHAR2)   NUM_ROWS (NUMBER)
T_ZXXS_WJPATH
TEMP_BP_ZXXS_XSJBXX_DEL
TEMP_BP_ZXXS_XSJBXX_DEL_WTXJ
TBL_UPLOAD_LOG 2245088
ZXXS_XS_JTCY 1999763
TBL_XYSPKS_CJ 1104097
TB_REGISTER_INFO 1102541
ZXXS_XS_JBXX 1100448
ZXXS_XS_JBXX_SCK_GRBSM 1088752
ZXXS_XS_JTCY_YJ 1054029
ZXXS_XS_JCYY_SCRZB 998589
ZXXS_XS_JBXXBAK20150901 911816
ZXXS_XS_PIC 872219
ZXXS_XS_PIC_BK_20141212 866493
ZXXS_XS_PIC_JHK 862775
GGFW_GRBSM_SC 850178
ZXXS_XS_JBXX_LS 845583
ZXXS_XS_JTCY_LS 823760
ZXXS_XS_JBXX_BK20140930 791404
ZXXS_XS_JBXX_20140924 732990
ZXXS_XS_SJBGZB 732924
ZXXS_XS_PIC_BK20150204 657960
ZXXS_XS_XSBY_YJ 634868
ZXXS_XS_XSBY_YJ20151214 634861
ZXXS_XS_JBXX_SCK 619892
ZXXS_XS_JBXX_YJ_BAK 587755
ZXXS_XS_BJBGXX 462240
ZXXS_XS_JBXX_YJ 462086
ZXXS_XS_XSBY20151214 460141
ZXXS_XS_XSBY20151202 460133
ZXXS_XS_XSBY 458444
TB_XXQR_WJXX 400275
TBL_LOG 349395
ZXXS_XS_XSBY_YJ_BK 320191
ZXXS_XS_JBXX_LS_20140924 287421
ZXXS_XS_ZSRX 211460
ZXXS_XS_ZSRX_BAK20150810 208072
TBL_OUT_INTERFACE 188101
ZXXS_XS_PIC_SJJH 103342
ZXXS_XS_JBXX_SB_LS 91875
ZXXS_XS_WJXX 87283
ZXXS_XS_ZSRX_BAK20150821 79820
TBL_POWER 53127
TB_TROUBLE_XJ20151202 43989
TBL_POWER_BK 43443
TB_TROUBLE_XJ 43367
TB_JTCYID_FROM_JTCY 41610
ZXXS_XS_WJXX_BAK20150209 39259
TB_TROUBLE_XJ_20150518 37877
ZXXS_XS_XJYD 31728
ZXXS_XS_XJYD20151218 31669
ZXXS_XX_BJXX 29329
ZXXS_WTXJ 27624
GGFW_XJCC_CFSJ 25318
ZXXS_XX_BJXX_BK20140930 23936
ZXXS_KSZS_LOG 23015
ZXXS_KSZX_ZCZRLOG 22040
ZXXS_XS_JTJJQK_YJ 13502
ZXXS_XS_PIC_NULL 11763
ZXXS_XS_JTJJQK 11438
ZXXS_XJZCXX_BAK20150724 8223
ZXXS_XJZCXX_20150202 8031
TB_WEB_TO_WHERE 7716
ZXXS_KSZS_ZMCL 6696
TB_TEST 6680
ZXXS_XS_ZSRX_SCB 6212
ZXXS_XJZCXX_1231 5987
ZXXS_JS_JBXX 5719
ZXXS_WTXJ20151202 4735
TB_ZSRX_SH 4384
COM_MEMS_ORGAN 4278
TB_WTXJ_TEST 4077
ZXXS_XS_JBXX_SCB 3729
TB_SJJH_ERR 3607
ZXXS_KSZS_JBXX 3481
TB_UPLOAD_EXCEPTION_LOG 3458
TB_WTXJ_TEST_DH 3245
ZXXS_KSZX_ZCZR 2795
ZXXS_XS_PIC_U20150328 2763
ZXXS_XS_JTJJQK_LS 2630
ZXXS_XS_PIC_CF 2544
DV_XS_ZSRX_ERRLOG 2404
ZXXS_XX_JBXX_YJ 2179
ZXXS_XX_NJXX 2162
ZXXS_XJZCXX 1909
TB_SCHOOL_CHANGE 1780
TB_USER_LOGIN 1762
TB_USER_LOGIN_BAK20140402 1734
ZXXS_XX_NJXX_BK20140930 1729
TB_BYSJ_STATUS_INFO 1718
TB_BYSJ_CHECKNOPASS_INFO 1200
SYS_ENUM_VALUE 1168
TBL_TEST_ERR 1012
ZXXS_XS_XXJL 1001
ZXXS_ZSGM 804
ZXXS_XJZCXX_NULL 573
ZXXS_XS_JBXX_JHK20150901 573
ZXXS_XS_JBXX_3Z 512
TB_XSBY 493
TBL_USBKEY 482
ZXXS_XX_JBXX 452
TBL_SAM 450
TBL_SAM_BK 445
TBL_CAMERAID 443
TBL_TABLE_NUM 441
ZXXS_XX_NJXX_GJ 432
ZXXS_XX_NJXX_YJ 431
ZXXS_XS_JBXX_SCB_LS 345
TBL_USBKEY_SC 269
TBL_SYSTEM 262
ZXXS_XX_BJBG 162
TBL_XYSPKS_XF 154
TB_SETUP_LIST 136
ZXXS_XS_JBXX_SCB_SCK 136
TB_DISTRICT_INFO 135
ZXXS_XX_FSBXX 131
TB_XS_ZSRX_WJ_BAK20150810 130
SYS_ENUM_TYPE 125
TBL_MENU 117
TBL_MENU20150604 112
TB_CONTEST 103
ZXXS_XS_JLXX 100
TB_ZSRX_KSZSGM 91
TB_XS_ZSRX_WJ 75
DV_TAB_INFO 42
TB_COMMIT_GJ 41
ZXXS_XX_XQXX 36
ZXXS_SKZDB 25
TB_TO_WHERE 25
ZXXS_XS_JBXX_JHK 16
TBL_XYSPKS_KM 15
TB_WEB_MESSAGE20151204 12
TB_WEB_MESSAGE 11
TB_UPLOAD_TABLE 11
TB_HEALTH_INFO 8
GRADE_THREE_LIMIT 4
ZXXS_XS_CCXX 2
TBL_WARNING 2
TB_SCHOOL_CODE 2
TB_MESSAGE 1
TB_STUDENT_CHECK 1
ZXXS_BEPZB 1
ZXXS_XS_XJYDBAK20150701 1
ZXXS_XS_XXJL_LS 1
TBL_REVDATA_ERROR 0
TBL_XYSPKS_CJ_BKNULL 0
TBL_REVDATA 0
TB_TEST_DELETE_BYXS 0
ZXXS_XS_JBXX_NULL 0
ZXXS_KSZS_DATA_REV_HIS 0
ZXXS_KSZS_CLJK 0
ZXXS_KSZS_DZDA 0
ZXXS_KSZS_DATA_RELAY 0
ZXXS_KSZS_DATA_DEAL 0
ZXXS_KSZS_DATA_REV 0
ZXXS_KSZS_DATA_SEND 0
TBL_XYSPKS_CJ_TEMP 0
TB_EXAMINATION_INFO_T 0
TB_EXAMINATION_INFO 0
ZXXS_XS_PICBG 0
ZXXS_XX_FSXX 0
ZXXS_XS_SJBG 0
ZXXS_XS_BDZC 0
TB_UPDATE 0
TB_SKIP 0
TB_SERVICE_TIHUI 0
TB_SERVICE 0
TB_SELECT_T 0
TB_SELECT_CLASS_T 0
TB_SELECT_CLASS 0
TB_SELECT_ASSESS_T 0
TB_SELECT_ASSESS_EXPERIENCE 0
TB_SELECT_ASSESS 0
TB_SELECT 0
TB_SCORE_TYPE_SIZE 0
TB_SCORE_TYPE 0
TB_SCHOOL_OPERATION 0
TB_RESEARCH_STUDY_T 0
TB_RESEARCH_STUDY_ASSESS 0
TB_RESEARCH_STUDY 0
TB_PRACTICE 0
TB_MORAL 0
TB_LOAD_PROGRASS 0
TB_FREE_CLASS_T 0
TB_FREE_CLASS 0
TB_EXEM_ABSENT_T 0
TB_EXEM_ABSENT 0
TB_ENROLLMENT_INFO 0
TB_DUTY 0
TB_COURSE_CODE_T 0
TB_COURSE_CODE 0
TB_COURSE_CLASS 0
TB_BYSJ_FAILURE_INFO 0
TB_APPRAISE 0
TBL_IMPORT_PIC_LOG 0
GGFW_GRBSM_SC_BAK 0
TBL_XYSPKS_TY 0

Database structure (user_tables row counts; the first three tables have no statistics, so NUM_ROWS is NULL).
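The listing above shows why the exposure is a multiple of the live student table: the same data sits in many ad-hoc copies (ZXXS_XS_JBXX alongside ZXXS_XS_JBXXBAK20150901, ZXXS_XS_JBXX_BK20140930, ZXXS_XS_JBXX_20140924; ZXXS_XS_PIC alongside ZXXS_XS_PIC_BK_20141212 and ZXXS_XS_PIC_BK20150204), each with the same sensitivity and none of them needed by the application. The following is an added example, not code from the report or the affected system: it parses a user_tables row-count listing of this shape and groups backup copies under their live table so a data-owner can quantify how much personal data is duplicated in production. The suffix conventions it strips (BAK/BK markers and YYYYMMDD date stamps) are inferred from the names above and are a heuristic, not a documented schema; the sample input is a constructed subset of the listing.

```python
"""Added example: inventory an Oracle user_tables row-count listing and
group backup copies of a table with its live table.  The suffix rules
below (BAK/BK markers, date stamps) are a heuristic inferred from the
table names in the advisory, not a documented naming scheme."""
import re
from collections import defaultdict

# Constructed sample: a subset of the advisory's listing, including one
# table with no optimizer statistics (NUM_ROWS is NULL, printed blank).
SAMPLE_LISTING = """\
TBL_UPLOAD_LOG 2245088
ZXXS_XS_JTCY 1999763
ZXXS_XS_JBXX 1100448
ZXXS_XS_JBXXBAK20150901 911816
ZXXS_XS_PIC 872219
ZXXS_XS_PIC_BK_20141212 866493
ZXXS_XS_JBXX_LS 845583
ZXXS_XS_JBXX_BK20140930 791404
ZXXS_XS_JBXX_20140924 732990
ZXXS_XS_PIC_BK20150204 657960
ZXXS_XJZCXX_1231 5987
ZXXS_XJZCXX 1909
T_ZXXS_WJPATH
"""

# Suffixes that mark an ad-hoc copy, stripped repeatedly until none is
# left: a trailing date stamp (ZXXS_XS_JBXX_20140924) and a BAK/BK
# marker (ZXXS_XS_JBXXBAK20150901 -> ZXXS_XS_JBXXBAK -> ZXXS_XS_JBXX).
COPY_SUFFIXES = [re.compile(r"_?\d{4,8}$"), re.compile(r"_?(BAK|BK)$")]


def parse_listing(text):
    """Return [(table_name, num_rows or None)] from 'NAME COUNT' lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        count = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
        rows.append((parts[0], count))
    return rows


def base_name(name):
    """Strip copy suffixes until nothing more matches; the result is the
    name of the live table the copy was taken from."""
    while True:
        stripped = name
        for pat in COPY_SUFFIXES:
            stripped = pat.sub("", stripped)
        if stripped == name or not stripped:
            return name
        name = stripped


def copy_report(tables):
    """Group copies under their base table and sum the rows held in copies.
    Only bases that actually have copies are returned."""
    groups = defaultdict(lambda: {"live": None, "copies": [], "copy_rows": 0})
    for name, count in tables:
        base = base_name(name)
        group = groups[base]
        if name == base:
            group["live"] = count
        else:
            group["copies"].append((name, count))
            group["copy_rows"] += count or 0   # NULL statistics count as 0
    return {base: g for base, g in groups.items() if g["copies"]}


def total_rows(tables):
    """Rows across all tables that have statistics (NULL counts add 0)."""
    return sum(count or 0 for _, count in tables)


if __name__ == "__main__":
    tables = parse_listing(SAMPLE_LISTING)
    print(f"{len(tables)} tables, {total_rows(tables):,} rows with statistics")
    report = copy_report(tables)
    for base, g in sorted(report.items(), key=lambda kv: -kv[1]["copy_rows"]):
        print(f"{base}: live={g['live']} copies={len(g['copies'])} "
              f"rows_in_copies={g['copy_rows']:,}")
```

On the sample above, ZXXS_XS_JBXX has three copies holding 2,436,210 rows next to its 1,100,448 live rows, and ZXXS_XS_PIC has two copies holding 1,524,453 rows; every one of those copies would need the same access controls, the same audit logging and the same retention decision as the live table, which is rarely the case for tables created by hand with a date in the name. Run the same query against a real schema and feed its output to parse_listing to get the equivalent report.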

Fix recommendation:

Copyright notice: when reposting, please credit the source, 路人甲@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: high

Vulnerability rank: 10

Confirmed: 2016-01-22 10:36

Vendor reply:

CNVD has confirmed that it could not reproduce the described situation; the case has been transferred via CNCERT to the Liaoning branch center, which will coordinate handling with the organization that administers the website.

Latest status:

None yet