中国电信某站从sql注入到GETSHELL可导致百万数据泄露（包括姓名/邮箱/电话/身份证号等敏感信息）

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0157821

漏洞标题：中国电信某站从sql注入到GETSHELL可导致百万数据泄露（包括姓名/邮箱/电话/身份证号等敏感信息）

漏洞作者：路人甲

提交时间：2015-12-03 12:28

修复时间：2016-01-21 11:00

公开时间：2016-01-21 11:00

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-12-03：细节已通知厂商并且等待厂商处理中
2015-12-07：厂商已经确认，细节仅向厂商公开
2015-12-17：细节向核心白帽子及相关领域专家公开
2015-12-27：细节向普通白帽子公开
2016-01-06：细节向实习白帽子公开
2016-01-21：细节向公众公开

简要描述：

中国电信某站从sql注入到GETSHELL，400W+数据泄露（包括姓名/邮箱/电话/身份证号等敏感信息）

详细说明：

中国电信某商城主站

存在注入 current user: 'root@localhost'

400w+数据

密码明文存储 66666

某接口报错可泄露管理路径

登陆管理后台

大量敏感数据泄露

可以修改各种接口

抓包上传绕过
GETSHELL

数据库表如下

Database: hallylure
[293 tables]
+-----------------------------------------+
| hallylure_common_admincp_cmenu          |
| hallylure_common_admincp_group          |
| hallylure_common_admincp_member         |
| hallylure_common_admincp_perm           |
| hallylure_common_admincp_session        |
| hallylure_common_admingroup             |
| hallylure_common_adminnote              |
| hallylure_common_advertisement          |
| hallylure_common_advertisement_custom   |
| hallylure_common_banned                 |
| hallylure_common_block                  |
| hallylure_common_block_favorite         |
| hallylure_common_block_item             |
| hallylure_common_block_item_data        |
| hallylure_common_block_permission       |
| hallylure_common_block_pic              |
| hallylure_common_block_style            |
| hallylure_common_block_xml              |
| hallylure_common_cache                  |
| hallylure_common_card                   |
| hallylure_common_card_log               |
| hallylure_common_card_type              |
| hallylure_common_connect_guest          |
| hallylure_common_credit_log             |
| hallylure_common_credit_log_field       |
| hallylure_common_credit_rule            |
| hallylure_common_credit_rule_log        |
| hallylure_common_credit_rule_log_field  |
| hallylure_common_cron                   |
| hallylure_common_devicetoken            |
| hallylure_common_district               |
| hallylure_common_diy_data               |
| hallylure_common_domain                 |
| hallylure_common_failedip               |
| hallylure_common_failedlogin            |
| hallylure_common_friendlink             |
| hallylure_common_grouppm                |
| hallylure_common_invite                 |
| hallylure_common_magic                  |
| hallylure_common_magiclog               |
| hallylure_common_mailcron               |
| hallylure_common_mailqueue              |
| hallylure_common_member                 |
| hallylure_common_member_action_log      |
| hallylure_common_member_connect         |
| hallylure_common_member_count           |
| hallylure_common_member_crime           |
| hallylure_common_member_field_forum     |
| hallylure_common_member_field_home      |
| hallylure_common_member_forum_buylog    |
| hallylure_common_member_grouppm         |
| hallylure_common_member_log             |
| hallylure_common_member_magic           |
| hallylure_common_member_medal           |
| hallylure_common_member_newprompt       |
| hallylure_common_member_profile         |
| hallylure_common_member_profile_setting |
| hallylure_common_member_security        |
| hallylure_common_member_secwhite        |
| hallylure_common_member_stat_field      |
| hallylure_common_member_status          |
| hallylure_common_member_validate        |
| hallylure_common_member_verify          |
| hallylure_common_member_verify_info     |
| hallylure_common_myapp                  |
| hallylure_common_myinvite               |
| hallylure_common_mytask                 |
| hallylure_common_nav                    |
| hallylure_common_onlinetime             |
| hallylure_common_optimizer              |
| hallylure_common_patch                  |
| hallylure_common_plugin                 |
| hallylure_common_pluginvar              |
| hallylure_common_process                |
| hallylure_common_regip                  |
| hallylure_common_relatedlink            |
| hallylure_common_remote_port            |
| hallylure_common_report                 |
| hallylure_common_searchindex            |
| hallylure_common_seccheck               |
| hallylure_common_secquestion            |
| hallylure_common_session                |
| hallylure_common_setting                |
| hallylure_common_smiley                 |
| hallylure_common_sphinxcounter          |
| hallylure_common_stat                   |
| hallylure_common_statuser               |
| hallylure_common_style                  |
| hallylure_common_stylevar               |
| hallylure_common_syscache               |
| hallylure_common_tag                    |
| hallylure_common_tagitem                |
| hallylure_common_task                   |
| hallylure_common_taskvar                |
| hallylure_common_template               |
| hallylure_common_template_block         |
| hallylure_common_template_permission    |
| hallylure_common_uin_black              |
| hallylure_common_usergroup              |
| hallylure_common_usergroup_field        |
| hallylure_common_visit                  |
| hallylure_common_word                   |
| hallylure_common_word_type              |
| hallylure_connect_disktask              |
| hallylure_connect_feedlog               |
| hallylure_connect_memberbindlog         |
| hallylure_connect_postfeedlog           |
| hallylure_connect_tthreadlog            |
| hallylure_forum_access                  |
| hallylure_forum_activity                |
| hallylure_forum_activityapply           |
| hallylure_forum_announcement            |
| hallylure_forum_attachment              |
| hallylure_forum_attachment_0            |
| hallylure_forum_attachment_1            |
| hallylure_forum_attachment_2            |
| hallylure_forum_attachment_3            |
| hallylure_forum_attachment_4            |
| hallylure_forum_attachment_5            |
| hallylure_forum_attachment_6            |
| hallylure_forum_attachment_7            |
| hallylure_forum_attachment_8            |
| hallylure_forum_attachment_9            |
| hallylure_forum_attachment_exif         |
| hallylure_forum_attachment_unused       |
| hallylure_forum_attachtype              |
| hallylure_forum_bbcode                  |
| hallylure_forum_collection              |
| hallylure_forum_collectioncomment       |
| hallylure_forum_collectionfollow        |
| hallylure_forum_collectioninvite        |
| hallylure_forum_collectionrelated       |
| hallylure_forum_collectionteamworker    |
| hallylure_forum_collectionthread        |
| hallylure_forum_creditslog              |
| hallylure_forum_debate                  |
| hallylure_forum_debatepost              |
| hallylure_forum_faq                     |
| hallylure_forum_filter_post             |
| hallylure_forum_forum                   |
| hallylure_forum_forum_threadtable       |
| hallylure_forum_forumfield              |
| hallylure_forum_forumrecommend          |
| hallylure_forum_groupcreditslog         |
| hallylure_forum_groupfield              |
| hallylure_forum_groupinvite             |
| hallylure_forum_grouplevel              |
| hallylure_forum_groupuser               |
| hallylure_forum_hotreply_member         |
| hallylure_forum_hotreply_number         |
| hallylure_forum_imagetype               |
| hallylure_forum_medal                   |
| hallylure_forum_medallog                |
| hallylure_forum_memberrecommend         |
| hallylure_forum_moderator               |
| hallylure_forum_modwork                 |
| hallylure_forum_newthread               |
| hallylure_forum_onlinelist              |
| hallylure_forum_order                   |
| hallylure_forum_poll                    |
| hallylure_forum_polloption              |
| hallylure_forum_polloption_image        |
| hallylure_forum_pollvoter               |
| hallylure_forum_post                    |
| hallylure_forum_post_location           |
| hallylure_forum_post_moderate           |
| hallylure_forum_post_tableid            |
| hallylure_forum_postcache               |
| hallylure_forum_postcomment             |
| hallylure_forum_postlog                 |
| hallylure_forum_poststick               |
| hallylure_forum_promotion               |
| hallylure_forum_ratelog                 |
| hallylure_forum_relatedthread           |
| hallylure_forum_replycredit             |
| hallylure_forum_rsscache                |
| hallylure_forum_sofa                    |
| hallylure_forum_spacecache              |
| hallylure_forum_statlog                 |
| hallylure_forum_thread                  |
| hallylure_forum_thread_moderate         |
| hallylure_forum_threadaddviews          |
| hallylure_forum_threadcalendar          |
| hallylure_forum_threadclass             |
| hallylure_forum_threadclosed            |
| hallylure_forum_threaddisablepos        |
| hallylure_forum_threadhidelog           |
| hallylure_forum_threadhot               |
| hallylure_forum_threadimage             |
| hallylure_forum_threadlog               |
| hallylure_forum_threadmod               |
| hallylure_forum_threadpartake           |
| hallylure_forum_threadpreview           |
| hallylure_forum_threadprofile           |
| hallylure_forum_threadprofile_group     |
| hallylure_forum_threadrush              |
| hallylure_forum_threadtype              |
| hallylure_forum_trade                   |
| hallylure_forum_tradecomment            |
| hallylure_forum_tradelog                |
| hallylure_forum_typeoption              |
| hallylure_forum_typeoptionvar           |
| hallylure_forum_typevar                 |
| hallylure_forum_warning                 |
| hallylure_home_album                    |
| hallylure_home_album_category           |
| hallylure_home_appcreditlog             |
| hallylure_home_blacklist                |
| hallylure_home_blog                     |
| hallylure_home_blog_category            |
| hallylure_home_blog_moderate            |
| hallylure_home_blogfield                |
| hallylure_home_class                    |
| hallylure_home_click                    |
| hallylure_home_clickuser                |
| hallylure_home_comment                  |
| hallylure_home_comment_moderate         |
| hallylure_home_docomment                |
| hallylure_home_doing                    |
| hallylure_home_doing_moderate           |
| hallylure_home_favorite                 |
| hallylure_home_feed                     |
| hallylure_home_feed_app                 |
| hallylure_home_follow                   |
| hallylure_home_follow_feed              |
| hallylure_home_follow_feed_archiver     |
| hallylure_home_friend                   |
| hallylure_home_friend_request           |
| hallylure_home_friendlog                |
| hallylure_home_notification             |
| hallylure_home_pic                      |
| hallylure_home_pic_moderate             |
| hallylure_home_picfield                 |
| hallylure_home_poke                     |
| hallylure_home_pokearchive              |
| hallylure_home_share                    |
| hallylure_home_share_moderate           |
| hallylure_home_show                     |
| hallylure_home_specialuser              |
| hallylure_home_userapp                  |
| hallylure_home_userappfield             |
| hallylure_home_visitor                  |
| hallylure_mobile_setting                |
| hallylure_mobileoem_member              |
| hallylure_mobileoem_pushthreads         |
| hallylure_portal_article_content        |
| hallylure_portal_article_count          |
| hallylure_portal_article_moderate       |
| hallylure_portal_article_related        |
| hallylure_portal_article_title          |
| hallylure_portal_article_trash          |
| hallylure_portal_attachment             |
| hallylure_portal_category               |
| hallylure_portal_category_permission    |
| hallylure_portal_comment                |
| hallylure_portal_comment_moderate       |
| hallylure_portal_rsscache               |
| hallylure_portal_topic                  |
| hallylure_portal_topic_pic              |
| hallylure_security_evilpost             |
| hallylure_security_eviluser             |
| hallylure_security_failedlog            |
| hallylure_ucenter_admins                |
| hallylure_ucenter_applications          |
| hallylure_ucenter_badwords              |
| hallylure_ucenter_domains               |
| hallylure_ucenter_failedlogins          |
| hallylure_ucenter_feeds                 |
| hallylure_ucenter_friends               |
| hallylure_ucenter_mailqueue             |
| hallylure_ucenter_memberfields          |
| hallylure_ucenter_members               |
| hallylure_ucenter_mergemembers          |
| hallylure_ucenter_newpm                 |
| hallylure_ucenter_notelist              |
| hallylure_ucenter_pm_indexes            |
| hallylure_ucenter_pm_lists              |
| hallylure_ucenter_pm_members            |
| hallylure_ucenter_pm_messages_0         |
| hallylure_ucenter_pm_messages_1         |
| hallylure_ucenter_pm_messages_2         |
| hallylure_ucenter_pm_messages_3         |
| hallylure_ucenter_pm_messages_4         |
| hallylure_ucenter_pm_messages_5         |
| hallylure_ucenter_pm_messages_6         |
| hallylure_ucenter_pm_messages_7         |
| hallylure_ucenter_pm_messages_8         |
| hallylure_ucenter_pm_messages_9         |
| hallylure_ucenter_protectedmembers      |
| hallylure_ucenter_settings              |
| hallylure_ucenter_sqlcache              |
| hallylure_ucenter_tags                  |
| hallylure_ucenter_vars                  |
+-----------------------------------------+
Database: shopstit
[32 tables]
+-----------------------------------------+
| act_award_info                          |
| act_user_award_info                     |
| activityinfo                            |
| admingroup                              |
| adminmenu                               |
| adminuser                               |
| ask_goods_info                          |
| attribute_class_info                    |
| attribute_class_select_value_info       |
| attribute_value_info                    |
| class_info                              |
| create_html                             |
| dispatch_mode_info                      |
| dispatch_pay_mutuality_info             |
| goods_fav                               |
| goods_fitting_mutuality_info            |
| goods_image_info                        |
| goods_info                              |
| goods_mutuality_info                    |
| gp_class                                |
| news                                    |
| notice                                  |
| order_detail_info                       |
| order_info                              |
| rcmdgoods                               |
| repair                                  |
| search_log                              |
| shop_basket                             |
| sms                                     |
| telnumber                               |
| usercent                                |
| userinfo                                |
+-----------------------------------------+
Database: ybzdb
[99 tables]
+-----------------------------------------+
| v9_admin                                |
| v9_admin_panel                          |
| v9_admin_role                           |
| v9_admin_role_priv                      |
| v9_announce                             |
| v9_attachment                           |
| v9_attachment_index                     |
| v9_badword                              |
| v9_biaodan                              |
| v9_biaodan_data                         |
| v9_block                                |
| v9_block_history                        |
| v9_block_priv                           |
| v9_cache                                |
| v9_category                             |
| v9_category_priv                        |
| v9_collection_content                   |
| v9_collection_history                   |
| v9_collection_node                      |
| v9_collection_program                   |
| v9_comment                              |
| v9_comment_check                        |
| v9_comment_data_1                       |
| v9_comment_setting                      |
| v9_comment_table                        |
| v9_content_check                        |
| v9_copyfrom                             |
| v9_datacall                             |
| v9_dbsource                             |
| v9_download                             |
| v9_download_data                        |
| v9_downservers                          |
| v9_extend_setting                       |
| v9_favorite                             |
| v9_guestbook                            |
| v9_hits                                 |
| v9_ipbanned                             |
| v9_keylink                              |
| v9_link                                 |
| v9_linkage                              |
| v9_log                                  |
| v9_member                               |
| v9_member_detail                        |
| v9_member_group                         |
| v9_member_menu                          |
| v9_member_verify                        |
| v9_member_vip                           |
| v9_menu                                 |
| v9_message                              |
| v9_message_data                         |
| v9_message_group                        |
| v9_model                                |
| v9_model_field                          |
| v9_module                               |
| v9_mood                                 |
| v9_news                                 |
| v9_news_data                            |
| v9_page                                 |
| v9_pay_account                          |
| v9_pay_payment                          |
| v9_pay_spend                            |
| v9_picture                              |
| v9_picture_data                         |
| v9_plugin                               |
| v9_plugin_var                           |
| v9_position                             |
| v9_position_data                        |
| v9_poster                               |
| v9_poster_201206                        |
| v9_poster_201207                        |
| v9_poster_space                         |
| v9_queue                                |
| v9_release_point                        |
| v9_search                               |
| v9_search_keyword                       |
| v9_session                              |
| v9_site                                 |
| v9_sms_report                           |
| v9_special                              |
| v9_special_c_data                       |
| v9_special_content                      |
| v9_sphinx_counter                       |
| v9_sso_admin                            |
| v9_sso_applications                     |
| v9_sso_members                          |
| v9_sso_messagequeue                     |
| v9_sso_session                          |
| v9_sso_settings                         |
| v9_tag                                  |
| v9_template_bak                         |
| v9_times                                |
| v9_type                                 |
| v9_urlrule                              |
| v9_vote_data                            |
| v9_vote_option                          |
| v9_vote_subject                         |
| v9_wap                                  |
| v9_wap_type                             |
| v9_workflow                             |
+-----------------------------------------+
Database: mysql
[40 tables]
+-----------------------------------------+
| user                                    |
| abcgv                                   |
| abcgvmo                                 |
| cgfuhc                                  |
| columns_priv                            |
| db                                      |
| ehuyzk32                                |
| ejfjxv32                                |
| event                                   |
| func                                    |
| general_log                             |
| gjippi                                  |
| help_category                           |
| help_keyword                            |
| help_relation                           |
| help_topic                              |
| host                                    |
| jtjqbr                                  |
| nciupb32                                |
| ndb_binlog_index                        |
| omrnqa                                  |
| plugin                                  |
| proc                                    |
| procs_priv                              |
| qpicbb                                  |
| servers                                 |
| slow_log                                |
| tables_priv                             |
| tempEx                                  |
| tempExT                                 |
| tempExT1                                |
| time_zone                               |
| time_zone_leap_second                   |
| time_zone_name                          |
| time_zone_transition                    |
| time_zone_transition_type               |
| ysqzut                                  |
| yttxfg32                                |
| zcsxqm32                                |
| zfdipw32                                |
+-----------------------------------------+
Database: dspam
[5 tables]
+-----------------------------------------+
| dspam_preferences                       |
| dspam_signature_data                    |
| dspam_stats                             |
| dspam_token_data                        |
| dspam_virtual_uids                      |
+-----------------------------------------+
Database: ego10000
[46 tables]
+-----------------------------------------+
| act_award_info                          |
| act_user_award_info                     |
| activityinfo                            |
| ad_info                                 |
| admingroup                              |
| adminmenu                               |
| adminuser                               |
| ask_goods_info                          |
| attribute_class_info                    |
| attribute_class_select_value_info       |
| attribute_value_info                    |
| class_info                              |
| create_html                             |
| dianxin_order                           |
| dispatch_mode_info                      |
| dispatch_pay_mutuality_info             |
| gift_info                               |
| gift_order                              |
| goods_fav                               |
| goods_fitting_mutuality_info            |
| goods_image_info                        |
| goods_info                              |
| goods_more_info                         |
| goods_mutuality_info                    |
| goods_taocan                            |
| goods_taocan_attr                       |
| goods_taocan_value                      |
| gp_class                                |
| news                                    |
| notice                                  |
| order_detail_info                       |
| order_info                              |
| order_network                           |
| rcmdgoods                               |
| repair                                  |
| search_log                              |
| shop_basket                             |
| sms                                     |
| tel_number                              |
| tel_taocan_value                        |
| tel_type                                |
| tel_type_template                       |
| tel_type_template_attr                  |
| telnumber                               |
| usercent                                |
| userinfo                                |
+-----------------------------------------+
Database: information_schema
[28 tables]
+-----------------------------------------+
| CHARACTER_SETS                          |
| COLLATIONS                              |
| COLLATION_CHARACTER_SET_APPLICABILITY   |
| COLUMNS                                 |
| COLUMN_PRIVILEGES                       |
| ENGINES                                 |
| EVENTS                                  |
| FILES                                   |
| GLOBAL_STATUS                           |
| GLOBAL_VARIABLES                        |
| KEY_COLUMN_USAGE                        |
| PARTITIONS                              |
| PLUGINS                                 |
| PROCESSLIST                             |
| PROFILING                               |
| REFERENTIAL_CONSTRAINTS                 |
| ROUTINES                                |
| SCHEMATA                                |
| SCHEMA_PRIVILEGES                       |
| SESSION_STATUS                          |
| SESSION_VARIABLES                       |
| STATISTICS                              |
| TABLES                                  |
| TABLE_CONSTRAINTS                       |
| TABLE_PRIVILEGES                        |
| TRIGGERS                                |
| USER_PRIVILEGES                         |
| VIEWS                                   |
+-----------------------------------------+
Database: stit_v3
[45 tables]
+-----------------------------------------+
| act_award_info                          |
| act_user_award_info                     |
| activityinfo                            |
| ad_info                                 |
| admingroup                              |
| adminmenu                               |
| adminuser                               |
| ask_goods_info                          |
| attribute_class_info                    |
| attribute_class_select_value_info       |
| attribute_value_info                    |
| class_info                              |
| create_html                             |
| dispatch_mode_info                      |
| dispatch_pay_mutuality_info             |
| gift_info                               |
| gift_order                              |
| goods_fav                               |
| goods_fitting_mutuality_info            |
| goods_image_info                        |
| goods_info                              |
| goods_more_info                         |
| goods_mutuality_info                    |
| goods_taocan                            |
| goods_taocan_attr                       |
| goods_taocan_value                      |
| gp_class                                |
| news                                    |
| notice                                  |
| order_detail_info                       |
| order_info                              |
| order_network                           |
| rcmdgoods                               |
| repair                                  |
| search_log                              |
| shop_basket                             |
| sms                                     |
| tel_number                              |
| tel_taocan_value                        |
| tel_type                                |
| tel_type_template                       |
| tel_type_template_attr                  |
| telnumber                               |
| usercent                                |
| userinfo                                |
+-----------------------------------------+

漏洞证明：

已经证明

修复方案：

过滤密码加密啊亲

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：13

确认时间：2015-12-07 10:57

厂商回复：

CNVD确认并复现所述情况,已经转由CNCERT向中国电信集团公司通报,由其后续协调网站管理部门处置.

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0157821

漏洞标题：中国电信某站从sql注入到GETSHELL可导致百万数据泄露（包括姓名/邮箱/电话/身份证号等敏感信息）

相关厂商：中国电信

漏洞作者：路人甲

提交时间：2015-12-03 12:28

修复时间：2016-01-21 11:00

公开时间：2016-01-21 11:00

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0157821

漏洞标题：中国电信某站从sql注入到GETSHELL可导致百万数据泄露（包括姓名/邮箱/电话/身份证号等敏感信息）

相关厂商：中国电信

漏洞作者： 路人甲

提交时间：2015-12-03 12:28

修复时间：2016-01-21 11:00

公开时间：2016-01-21 11:00

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0157821"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云