
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0128977

Title: Database leak at a sensitive Chongqing organisation exposes partial personal information

Related vendor: CNCERT (国家互联网应急中心, National Internet Emergency Center)

Reporter: xoav

Submitted: 2015-07-25 08:20

Fixed: 2015-09-12 15:30

Published: 2015-09-12 15:30

Vulnerability type: Sensitive information disclosure

Severity: High

Self-assessed Rank: 20

Status: Handed to third-party partner organisation (CNCERT) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-07-25: Details sent to the vendor, awaiting vendor handling
2015-07-29: Vendor confirmed; details visible to the vendor only
2015-08-08: Details opened to core white hats and domain experts
2015-08-18: Details opened to regular white hats
2015-08-28: Details opened to intern white hats
2015-09-12: Details opened to the public

Brief description:

Detailed description:

While scanning directories I was suddenly prompted to download a file, 1.rar. After downloading and extracting it, I found it contained a large amount of vehicle-owner data.
http://www.cqcgs.gov.cn/1.rar

Proof of vulnerability:


[Screenshot: QQ截图20150724143640.png]


Remediation:

Delete 1.rar

Copyright notice: please credit the source when reposting: xoav@WooYun
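Deleting the single file closes this report; the recurring risk is any archive or database export left under a web document root, where it is served as a plain static download. The following audit is an added example, not part of the report or of the site's own tooling: it walks a document root and flags files by archive magic bytes, SQL-dump markers, or a risky extension. The directory layout, file names and record contents it builds in `demo()` are constructed for illustration.

```python
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Extensions that almost never belong in a public document root.
RISKY_SUFFIXES = {".rar", ".zip", ".7z", ".tar", ".gz", ".tgz", ".bak", ".sql", ".dmp", ".old"}

# Leading bytes of common archive formats, so a renamed archive is still caught.
MAGIC = {
    b"Rar!\x1a\x07": "rar archive",
    b"PK\x03\x04": "zip archive",
    b"\x1f\x8b": "gzip archive",
    b"7z\xbc\xaf\x27\x1c": "7z archive",
}
# Case-insensitive markers of a database export stored as text.
SQL_MARKERS = (b"insert into", b"create table", b"-- mysql dump")


def classify(path: Path) -> Optional[str]:
    """Return why the file looks like an archive or DB dump, or None if it looks harmless."""
    with path.open("rb") as fh:
        head = fh.read(512)
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    if any(marker in head.lower() for marker in SQL_MARKERS):
        return "sql dump"
    if path.suffix.lower() in RISKY_SUFFIXES:
        return "suspicious extension " + path.suffix.lower()
    return None


def find_exposed_dumps(docroot: str) -> Dict[str, str]:
    """Map each suspicious file under docroot (relative POSIX path) to the reason it was flagged."""
    root = Path(docroot)
    return {
        p.relative_to(root).as_posix(): reason
        for p in root.rglob("*")
        if p.is_file() and (reason := classify(p)) is not None
    }


def demo() -> Dict[str, str]:
    """Audit a constructed document root: a stray 1.rar and a renamed SQL export beside normal pages."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<html><body>ok</body></html>")
        (root / "1.rar").write_bytes(b"Rar!\x1a\x07\x00" + b"\x00" * 32)  # RAR4 signature
        (root / "data").mkdir()
        (root / "data" / "export.txt").write_text(  # constructed record, placeholder values
            "insert into T_NEWXH_JDCXX_DC (N_XHBH, C_SYR) values (1, 'placeholder');\n")
        (root / "css").mkdir()
        (root / "css" / "site.css").write_text("body{margin:0}")
        return find_exposed_dumps(str(root))
```

Run `find_exposed_dumps("/var/www/html")` (or whatever the real document root is) from a scheduled job and alert on any non-empty result.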


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 7

Confirmed: 2015-07-29 15:28

Vendor reply:

CNVD has confirmed and reproduced the reported vulnerability. It has been passed via CNCERT to the Chongqing branch centre, which will coordinate follow-up handling with the organisation operating the website.

Latest status:

None

Vulnerability rating:

Comments

  1. 2015-09-03 20:52 | SunnyDoll ( Intern white hat | Rank:32 Vulnerabilities:10 | Occupation: brick mover)

    PL X妹