当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0145937

漏洞标题:平安星儿童手表控制页面存在SQL注入(涉及17库,泄露设备ID,图片,地图定位等)

相关厂商:gpspax.com

漏洞作者: 小龙

提交时间:2015-11-02 13:53

修复时间:2015-11-07 13:54

公开时间:2015-11-07 13:54

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-11-02: 细节已通知厂商并且等待厂商处理中
2015-11-07: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

为毛物联网发展这么快却没人去注意他的安全。。。

详细说明:

 WooYun: 平安星儿童手表可以枚举所有设备并可修改任意账号密码


看了宋甲兵的洞,就对他动了歪念。。。
http://cn.gpspax.com/loginRCZX.aspx
人车在线,用户名处sql注入

1.png


2.png


主数据库:

LBSDB_V5

包括地图,图片等信息都储存在此库

3.png


漏洞证明:

D_51DiTu_E_China
 D_AlarmAndStatus
 D_BSInfo
 D_City
 D_Company
 D_Detail
 D_DetailMDTParam
 D_District
 D_Event
 D_Fitting
 D_FittingType
 D_GMSCallWebURL
 D_InsureCompany
 D_MDTCommand
 D_MDTDirect
 D_MDTParamType
 D_MDTProduct
 D_MDTPurview
 D_MDTSeries
 D_MDTType
 D_MGGPS
 D_MapsKey
 D_Master
 D_MasterMDTParam
 D_OBDDTC
 D_OBDFactory
 D_OBDPID
 D_OBDUnit
 D_OBDVehiclePID
 D_POIType
 D_Province
 D_Region
 D_RepairStandard
 D_SNSPlatform
 D_VehicleBrand
 D_VehicleSeries
 D_VehicleType
 S4_ActiveReserveTopic
 S4_AdvertiseInfo
 S4_CallHistory
 S4_CheckReport
 S4_InspectionLog
 S4_InsureLog
 S4_MaintainLog
 S4_News
 S4_ReserveAccepted
 S4_ReserveService
 S4_SecondHandCarInfo
 S4_TransactionInfo
 V_Std_DriverInfo
 V_Std_ObjectInfoAll
 V_stdObjectsInfo
 YWT_NoticeExceInfo
 YWT_NoticeInfo
 YWT_NoticeLink
 YWT_TaskExecInfo
 YWT_TaskInfo
 YWT_TaskLink
 crm_CustomerInfo
 fee_HostedLicense
 fee_OperationLog
 fee_RechargeCode
 fee_TimeControl
 fee_UserBalance
 info_InfoTypeRate
 info_OrderRequest
 info_ReqCache
 info_Send
 info_SendCache
 lgt_JomDetail
 obd_ActiveInfo
 obd_ParamInfo
 road_SegmentInfo
 road_SegmentPoint
 road_StationInfo
 rpt_Attendance
 s4_MsgSend
 s4_MsgSendPlan
 std_AccidentInfo
 std_ActiveAlarm
 std_ActiveBSInfo
 std_ActiveMultiBSInfo
 std_ActiveTracks
 std_ActiveWiFi
 std_AlarmDataRecIndex
 std_AnnualInspect
 std_AttentionInfo
 std_Center
 std_CenterLog
 std_CenterPolyHold
 std_CenterPolyObject
 std_CenterPolygon
 std_CenterPolygonPoint
 std_ClientAccessLog
 std_CodeRule
 std_CodeRuleDetail
 std_DataRecIndex
 std_DispatchDataRecIndex
 std_DownDataRecIndex
 std_DriverAppend
 std_EventInfoCache
 std_ExecScript
 std_FriendShipRequest
 std_FunItem
 std_HoldChangeInfo
 std_HoldConnHold
 std_HoldConnObject
 std_HoldHold
 std_HoldObj
 std_HumanAppend
 std_HumanInfo
 std_InsureBill
 std_InviteInfo
 std_MDTAlarm
 std_MDTInfo
 std_MDTMaintenance
 std_MDTParamValue
 std_MDTTypeFun
 std_MTCmdPlan
 std_MTCmdRule
 std_MTCmdRuleObject
 std_MTCommand
 std_Maintain
 std_ManyDataTable
 std_MdtUpInfo3Day
 std_MsgAllocate
 std_ObjAppend
 std_ObjAttendance
 std_ObjDriver
 std_ObjFriendShip
 std_ObjGroup
 std_ObjHold
 std_ObjHoldAppend
 std_ObjHoldContactInfo
 std_ObjOilAppend
 std_ObjWeChat
 std_Object4SContactInfo
 std_ObjectInfo
 std_ObjectParamValue
 std_OrigDataRecIndex
 std_POI
 std_PeopleInfo
 std_PreSetFun
 std_ReportDetail
 std_RoleFun
 std_RoleMDTType
 std_RoleMDTTypeEx
 std_SMSSendLog
 std_SendMessageInfo
 std_StatisticsData
 std_SysApp
 std_SysCustom
 std_SysFun
 std_SysPost
 std_SysRole
 std_SysSubject
 std_TravelBook
 std_UserAppend
 std_UserAuthToken
 std_UserDefault
 std_UserDownAccount
 std_UserInfo
 std_UserObj
 std_UserOperLog
 std_UserRegVerify
 std_UserRole
 std_VerifyCodeInfo
 std_WzcxCache
 std_WzcxRequestCache
 std_appUserSubInfo
 std_appinfo
 std_appusersubinfo_1
 std_appusersubinfo_bak_20140611
 std_feedback
 std_oauth
 std_pushmsglog
 v4_HomeInfoCache
 v_AllAlarm
 v_AllData
 v_AllDownInfo
 v_UserRights
 v_report_std_objectInfo
 vis_AgedInfo
 vis_Attendance
 vis_CheckingImages
 vis_CheckingInfo
 vis_EventSet
 vis_HousesInfo
 vis_NoticeInfo
 vis_PhotoSet
 vis_SecurityImages
 vis_SecurityInfo
 vis_ServiceInfo
 vis_ServiceProject
 vis_ServiceProjectType
 vis_ServiceReser
 vis_ServiceStaff
 vis_ShippingService
 vis_Streetscape
 vis_VisitsTask
 vis_VisitserAged
 vis_VisitserAppend
 vis_Volunteer
 vt_Img_PicInfo
 vt_Report_ObjectStopDetail
 vt_jxq_Attendance
 vt_obd_ActiveStateInfo
 vt_obd_PIDInfo
 vt_obd_TravelInfo
 vt_report_ObjectMileageDetail
 vt_report_ObjectOfflineDetail
 vt_report_ObjectOnOfflineDetail
 vt_report_ObjectOnlineHourTotal
 vt_report_ObjectOnlineHourTotalByH
 vt_report_ObjectOnlineHourTotalEx
 vt_report_StopNotAccClosed
 vt_std_Alarm
 vt_std_DispAlamOperaLog
 vt_std_DispAlarm
 vt_std_DownInfo
 vt_std_DownInfoCache
 vt_std_ExchangeInfo
 vt_std_MDTOnOffDetail
 vt_std_MDTUpInfo
 vt_std_SpecMsg
 vt_std_TravelEvent
 vt_std_TravelImg
 vt_std_TravelNotes
 vt_std_TravelPOI
 vt_std_UpOrigInfo
 vt_std_UserLog
 web_UserLog
 wx_ObjectInfo
 wx_UserInfo
 ywt_ComprodInfo
 ywt_Contacts
 ywt_CustomTBColumn
 ywt_CustomTable
 ywt_DepartInfo
 ywt_DictColumn
 ywt_KX_CustomerInfo
 ywt_OrderFitting
 ywt_PhotoInfo
 ywt_ReportType
 ywt_TaskCustomer
 ywt_TaskOrder
 ywt_TaskOrderExec
 ywt_TaskType
 ywt_WorkReport


大量内部数据。。。

修复方案:

111

版权声明:转载请注明来源 小龙@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-11-07 13:54

厂商回复:

漏洞Rank:15 (WooYun评价)

最新状态:

暂无

漏洞评价:

评论

  1. 2015-10-11 09:51 | 大师兄 ( 路人 | Rank:14 漏洞数:6 | 每日必关注乌云)

    mark

  2. 2015-10-12 08:32 | 大漠長河 ( 实习白帽子 | Rank:64 漏洞数:9 | ̷̸̨̀͒̏̃ͦ̈́̾( 天龙源景区枫叶正...)

    好好人贩子不是黑客

  3. 2015-10-12 10:49 | 小龙 ( 普通白帽子 | Rank:1259 漏洞数:324 | 乌云有着这么一群人,在乌云学技术,去某数...)

    @大漠長河 离离原上草,黑阔遍地跑

  4. 2015-10-12 10:50 | 小龙 ( 普通白帽子 | Rank:1259 漏洞数:324 | 乌云有着这么一群人,在乌云学技术,去某数...)

    大师兄 湿胸,你是我的粉丝吗/害羞

  5. 2015-11-02 14:50 | iiiiiiiii ( 普通白帽子 | Rank:695 漏洞数:90 | 已死!!!!)

    人贩子的发财路被你挡了