
Vulnerability summary

Defect ID: wooyun-2015-0132298

Title: SQL injection in a Shenzhen broadband system (leaks several million users' plan information + broadband top-up business records)

Affected vendor: 长城宽带 (Great Wall Broadband)

Reported by: 路人甲

Submitted: 2015-08-07 10:12

Fixed: 2015-09-24 15:06

Published: 2015-09-24 15:06

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 17

Vulnerability status: handed over to a third-party partner organization (广东省信息安全测评中心, Guangdong Information Security Evaluation Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-08-07: Details sent to the vendor, awaiting vendor handling
2015-08-10: Vendor has confirmed; details disclosed to the vendor only
2015-08-20: Details disclosed to core white hats and relevant domain experts
2015-08-30: Details disclosed to regular white hats
2015-09-09: Details disclosed to intern white hats
2015-09-24: Details disclosed to the public

Brief description:

Detailed description:

The login form at help.szgwbn.net.cn is injectable through the POST request body.
Capturing the request and running it through sqlmap dumped several million Shenzhen 长城宽带 customer records and broadband paid-service purchase records,
as well as some subsidiary information, device MAC addresses and other data.

Proof of vulnerability:
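The defect the report describes is a login handler that splices the POSTed username straight into its SQL text. The following is an added example, not the report's or the vendor's code: it shows such a handler next to its parameterized replacement, using an in-memory SQLite table with constructed data in place of the ASP.NET / SQL Server stack the sqlmap output identifies. The table name `demo_users`, its columns, the account `alice` and the fixed demo salt are all invented for the example.

```python
# Added example (not the report's or the vendor's code): a login check built by
# string concatenation, as the report describes, next to the parameterized fix.
# Uses an in-memory SQLite table with constructed data in place of the report's
# SQL Server / ASP.NET stack; table, column and account names are invented.
import hashlib
import hmac
import sqlite3


def hash_pw(password: str) -> str:
    # Demo-only hashing with a fixed salt so the example is deterministic;
    # production code would use a per-user random salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"demo-salt", 10_000).hex()


def build_demo_db() -> sqlite3.Connection:
    # Constructed user table standing in for the billing system's account table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE demo_users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    conn.execute("INSERT INTO demo_users VALUES (?, ?)", ("alice", hash_pw("correct horse")))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Flawed: the username from the POST body is pasted into the SQL text, so a
    # quote in it ends the string literal and the rest is parsed as SQL.
    sql = (
        "SELECT username FROM demo_users "
        f"WHERE username = '{username}' AND pw_hash = '{hash_pw(password)}'"
    )
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Fixed: the username travels as a bound parameter, never as SQL text, and
    # the hash comparison is constant-time.
    row = conn.execute(
        "SELECT pw_hash FROM demo_users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0], hash_pw(password))


def run_demo() -> dict:
    # Same three inputs against both handlers. The third username is the
    # textbook comment-truncation input: a quote closes the literal and "--"
    # comments out the password check. (Constructed; not taken from the report.)
    conn = build_demo_db()
    cases = {
        "valid": ("alice", "correct horse"),
        "wrong_password": ("alice", "wrong"),
        "injected_username": ("alice' --", "anything"),
    }
    return {
        name: {"vulnerable": login_vulnerable(conn, u, p), "safe": login_safe(conn, u, p)}
        for name, (u, p) in cases.items()
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:18} vulnerable={result['vulnerable']!s:5} safe={result['safe']}")
```

Running the block shows the vulnerable handler accepting the malformed username with any password while the parameterized handler rejects it; both accept the real credentials. The same bound-parameter discipline applies to the SQL Server client libraries on the stack identified in the sqlmap output, and is the fix the empty 修复方案 section of the report leaves to the vendor.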

[Proof screenshots, images not preserved: sqlmap.png, 150000.png, 搜狗截图15年07月27日1332_13.png, 搜狗截图15年07月27日1335_15.png, 搜狗截图15年07月27日1336_16.png, 搜狗截图15年07月27日1336_17.png, 搜狗截图15年07月27日1338_18.png, 搜狗截图15年07月27日1338_19.png, 搜狗截图15年07月27日1344_20.png, mac.png]

[13:41:02] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[13:41:02] [INFO] fetching tables for database: GwbnBoss
[13:41:02] [INFO] the SQL query used returns 237 entries
Database: GwbnBoss
[237 tables]
+---------------------------------------+
| A |
| AAQ |
| AP_Userlist |
| A_Blishi |
| AccountItemList |
| Account_Business |
| Account_Business_View |
| Account_Example |
| Account_Example0708 |
| Account_Example2009 |
| Account_Example2010 |
| Account_Example2011 |
| AcctTicket |
| AcctTicketBak |
| AcctionTypeTable |
| AliasList |
| AllCommunityIncome |
| AllTicket |
| AppointmentList |
| AreaList |
| AreaSheQuTable |
| AreaSheQuTablebak15 |
| Auditing |
| Bank |
| BankFee |
| BankFeeLog |
| BankProtocal |
| BankProtocalDetail |
| BankProtocalLog |
| BindModeList |
| BmdBmuTable |
| BmdList |
| BmuAreaTable |
| BmuBusinessTable |
| BmuBusinessView |
| BmuList |
| BossLog |
| BossLogRsCmdView |
| BossLogView |
| BrandList |
| BusinessList |
| BusinessType |
| CRM_CustomerList |
| CRM_CustomerOrderService |
| CRM_CustomerType |
| CRM_View |
| Card |
| ChargingUnitTypeList |
| ChargingValuatePolicyList |
| CheckStateList |
| CommunityList |
| CommunityListbak |
| CommunityListbak12 |
| CommunityListbak15 |
| CommunityListbak150207 |
| CommunityMachineRoomTable |
| ConcessionPolicyList |
| ConcessionSessionList |
| CreditList |
| CustomerCRMAttribute |
| CustomerCRMAttributeList |
| CustomerCRMAttributeManageDomainTable |
| CustomerCRMAttributeTable |
| CustomerList |
| CustomerType |
| DM |
| DM1 |
| DX_Customer |
| DX_Package |
| DX_UserPackage |
| DataDict |
| Day_AddUser |
| Day_AddUser2 |
| DevelopmenTypeList |
| DocCatalog |
| DocumentList |
| DocumentLog |
| DummyTrans |
| Dw_Dim_AccountItem |
| Dw_Dim_AccountState |
| Dw_Dim_Brand |
| Dw_Dim_Community |
| Dw_Dim_Customer |
| Dw_Dim_DevelopmenType |
| Dw_Dim_DevelopmentState |
| Dw_Dim_Package |
| Dw_Dim_PaymentType |
| Dw_Dim_Product |
| Dw_Dim_UserServiceState |
| Dw_Dim_UserType |
| Dw_Fact_AccountAccruals |
| Dw_Fact_AccountBusiness |
| Dw_Fact_Bosslog |
| Dw_Fact_SalePackageLog |
| Dw_Fact_User |
| DynPropertySupportList |
| EfectiveStateType |
| EffectiveStateCount |
| ErrorList |
| ExpireUserSalePackageLog |
| Falseusefeemingxi |
| FeeApportionView |
| FunctionInverseParam |
| FunctionList |
| FunctionPositiveParam |
| FunctionType |
| HDding |
| HDxian |
| IPTV_EquipmentList |
| IPTV_EquipmentLog |
| IPTV_EquipmentTypeList |
| IPTV_EquipmentUseLog |
| IPTV_PackageRights |
| IPTV_ProviderList |
| IPTV_TerminalCount |
| IPTV_TerminalList |
| InvoiceList |
| JTJYEffectiveStateCount |
| JTJYPresents |
| JTJYRMBRadiusMoneyTable |
| JTJYSalePackageSituation |
| MachineList |
| MeteringPeriodList |
| MeteringPeriodPolicy_Day |
| MeteringPeriodPolicy_Hour |
| MeteringPeriodPolicy_Month |
| OperateLog |
| Operation |
| OperatorRoleTable |
| PackageSatisticsList |
| PaymentTypeList |
| PolicyCombinationTable |
| PolicyList |
| PolicySessionList |
| PrepaidBalance |
| PresentList |
| PrintJobList |
| ProductAttrList |
| ProductAttrTable |
| ProductCommunityTable |
| ProductList |
| ProductRadiusAttrTable |
| ProjectList |
| ProjectListbak201312 |
| Quanzemingxi |
| RMBRadiusMoneyTable |
| RechargeCardList |
| RoleBusinessTable |
| RoleBusinessView |
| RoleList |
| RootAccountList |
| Rpt_Community |
| Rpt_CustomerList |
| Rpt_DocmentList |
| Rpt_Package |
| Rpt_ServiceHall |
| RsCmdList |
| RsCmdListbak |
| Rtp_Business |
| SalePackageLog |
| SalePackageLogNew |
| SalePackageLogbak20121217 |
| SaleTypeList |
| ServiceHallBmdTable |
| ServiceHallBmdTablebak11 |
| ServiceHallList |
| ServiceState |
| SheQuList |
| StatisticsUserInfo |
| StoredProcedureList |
| TimePolicyList |
| UnitTypeList |
| UserBackFeeBill |
| UserBill |
| UserHistory |
| UserLinkInfo |
| UserList |
| UserPriceAdjustment |
| UserProductCustomizeAttrTable |
| VBossLog |
| VBossLog2 |
| VBossLog_SMS |
| VCustomer_Num |
| VSalePackageLog2 |
| V_AccountExample |
| V_Account_Business |
| V_Account_Example |
| V_CommunityList |
| V_Customer_PriceAdjust |
| V_Customer_User |
| V_Customer_User_SMS |
| V_Customer_User_Test |
| V_Customers |
| V_UserLocationTag |
| V_UserLocation_Test |
| V_User_RFID |
| ValuateList |
| VlanList |
| Websysuser |
| YS1 |
| Account_Business07-09 |
| BossLog07-09 |
| vLiuShi-old |
| dtproperties |
| saleceshi |
| sys_user |
| sysdiagrams |
| vAllUser |
| vBA_Business |
| vBA_BusinessAccount |
| vBA_BusinessCustomer |
| vBA_BusinessCustomerInfo |
| vBA_BusinessDocument |
| vBA_BusinessLog |
| vBA_BusinessSale |
| vBA_DevisionOfWorks |
| vBA_RootAccountList |
| vBankFee |
| vBankProtocal |
| vCustomerUserList |
| vInvoiceList |
| vLiuShi |
| vNewOpen |
| vPolicyList |
| vProductFeePeriod |
| vProductSet |
| vProduct_MeteringPeriod |
| vReceiptList |
| vSalePackageLog |
| vSalePackageLog2_base |
| vUserAccount |
| vXuFee |
| vsys_user |
| yuyue |
| 商业收入检查 |
| 在网用户数社区统计 |
| 月流失统计 |
+---------------------------------------+
[13:41:02] [INFO] fetched data logged to text files under 'C:\Users\k\.sqlmap\output\help.szgwbn.net.cn'
[*] shutting down at 13:41:02

All tables in the current database

Remediation:

Copyright notice: when reposting, please credit the source: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 12

Confirmed: 2015-08-10 15:04

Vendor reply:

Thank you very much for your report.
The issue described in the report has been confirmed and reproduced.
Affected data: high
Attack cost: low
Impact: high
Overall rating: high, rank: 12
We are contacting the responsible site management unit to handle it.

Latest status:

None yet