Vulnerability summary

Defect ID: wooyun-2015-0145949

Title: China Strategy Network (中国战略网) main site has SQL injection # sensitive information leak of 600,000+ user records

Vendor: chinaiiss.com

Author: AuGe

Submitted: 2015-10-12 10:11

Fixed: 2015-11-26 13:54

Published: 2015-11-26 13:54

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]


Vulnerability details

Disclosure status:

2015-10-12: Details sent to the vendor, awaiting vendor response
2015-10-12: Vendor confirmed; details disclosed to the vendor only
2015-10-22: Details disclosed to core white hats and relevant domain experts
2015-11-01: Details disclosed to regular white hats
2015-11-11: Details disclosed to intern white hats
2015-11-26: Details disclosed to the public

Brief description:

The vendor is a good guy; I didn't dig deeper.

Details:

See the proof section.

Proof:

# SQL injection via POST
Injection URL:
http://www.chinaiiss.com/term/create/200


Capture the request and the submitted form body is visible:

"edit=123456&categoryid=200&action=edit&editpart=123456&infoid=477"


The infoid parameter is attacker-controlled and is the injection point.

[screenshot: 0.jpg]

[screenshot: database.jpg]

[screenshot: current_db.jpg]


Listing the sensitive data:

[screenshot: user.jpg]


Volume of exposed data is alarming:

Row counts per database and table:
Database: comment
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| iiss_infocomment | 744288 |
| iiss_review_record | 308407 |
| iiss_quick_comment | 19 |
+---------------------------------------+---------+
Database: cis
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| iiss_attachment | 14496899 |
| iiss_viewrecord_201402 | 3068980 |
| iiss_yearvoterecord | 2253254 |
| iiss_viewrecord_201301 | 2173173 |
| iiss_viewrecord_201408 | 1855638 |
| iiss_viewrecord_201106 | 1519727 |
| iiss_viewrecord_201105 | 1267288 |
| iiss_viewrecord_201409 | 1223850 |
| iiss_viewrecord_201411 | 1203208 |
| iiss_viewrecord_201212 | 1185806 |
| iiss_viewrecord_201410 | 1163972 |
| iiss_viewrecord_201412 | 1147289 |
| iiss_hours | 1115803 |
| iiss_viewrecord_201407 | 1107123 |
| iiss_viewrecord_201208 | 1096895 |
| iiss_viewrecord_201207 | 1053565 |
| iiss_viewrecord_201405 | 1039090 |
| iiss_viewrecord_201206 | 1038447 |
| iiss_viewrecord_201205 | 1035402 |
| iiss_viewrecord_201506 | 1017471 |
| iiss_viewrecord_201210 | 994558 |
| iiss_viewrecord_201209 | 990930 |
| iiss_viewrecord_201501 | 984107 |
| iiss_viewrecord_201312 | 983531 |
| iiss_viewrecord_201112 | 975218 |
| iiss_viewrecord_201204 | 968013 |
| iiss_viewrecord_201503 | 956340 |
| iiss_viewrecord_201502 | 947877 |
| iiss_viewrecord_201404 | 943125 |
| iiss_viewrecord_201504 | 939907 |
| iiss_viewrecord_201401 | 938255 |
| iiss_viewrecord_201505 | 935194 |
| iiss_viewrecord_201304 | 923384 |
| iiss_viewrecord_201306 | 923319 |
| iiss_viewrecord_201201 | 917392 |
| iiss_viewrecord_201211 | 912345 |
| iiss_viewrecord_201406 | 911696 |
| iiss_viewrecord_201507 | 907999 |
| iiss_viewrecord_201508 | 904698 |
| iiss_viewrecord_201403 | 895322 |
| iiss_viewrecord_201305 | 890521 |
| iiss_viewrecord_201308 | 877540 |
| iiss_viewrecord_201203 | 874948 |
| iiss_viewrecord_201311 | 868112 |
| iiss_viewrecord_201310 | 865791 |
| iiss_viewrecord_201111 | 833055 |
| iiss_viewrecord_201307 | 818138 |
| iiss_viewrecord_201309 | 797088 |
| iiss_contest_record | 792328 |
| iiss_viewrecord_201110 | 766970 |
| iiss_tagart | 760149 |
| iiss_viewrecord_201202 | 753816 |
| iiss_viewrecord_201108 | 750010 |
| iiss_viewrecord_201107 | 718607 |
| iiss_viewrecord_201109 | 710169 |
| iiss_viewrecord_201303 | 709895 |
| iiss_member | 698607 |
| iissblog_feed | 684212 |
| iiss_voteuser | 675182 |
| iiss_viewrecord_201509 | 662761 |
| iiss_infocomment | 654012 |
| iiss_jump | 603966 |
| iiss_links_record | 573904 |
| iissblog_user_20140806 | 551997 |
| iiss_viewrecord_201302 | 551949 |
| iiss_day | 524651 |
| iiss_facecount | 519687 |
| iissblog_viewnum | 463055 |
| iissblog_blog2 | 445353 |
| iiss_articlefield | 425590 |
| iiss_article | 425535 |
| iiss_viewrecord_201101 | 382722 |
| iiss_pkvote | 364312 |
| iiss_viewrecord_201012 | 363598 |
| iiss_viewrecord_201104 | 318692 |
| iiss_viewrecord_201102 | 317694 |
| iiss_viewrecord_201010 | 317194 |
| iiss_viewrecord_201011 | 300866 |
| iiss_spec_nanhai | 296882 |
| iiss_viewrecord_201103 | 293900 |
| iiss_viewrecord_201009 | 280996 |
| iissblog_log | 264152 |
| iiss_tagsend | 225352 |
| iiss_list_accesslog | 222282 |
| iiss_review_record | 222179 |
| iiss_viewrecord_201008 | 213104 |
| iiss_viewrecord_201007 | 193198 |
| iiss_viewrecord_day | 187982 |
| iiss_tag | 177548 |
| iiss_viewrecord_201006 | 173719 |
| iiss_viewrecord_201005 | 150917 |
| iiss_viewrecord_201510 | 136634 |
| iiss_viewrecord_201004 | 118779 |
| iiss_writerartfield | 102878 |
| iiss_writerart | 100932 |
| iiss_spec_baodiaovote | 86610 |
| iissblog_pic | 83828 |
| iiss_image | 74896 |
| iiss_tagimg | 74718 |
| iiss_imagefield | 73756 |
| iissblog_comment | 72822 |
| iiss_worship | 67038 |
| iissblog_blog | 65808 |
| iiss_pkvoteuser | 39199 |
| iissblog_class | 31213 |
| iissblog_user | 27294 |
| iiss_viewrecord_201003 | 21319 |
| iiss_spiderpic | 20767 |
| iiss_promotionstatistics | 20690 |
| iiss_blogger_iprecord | 20479 |
| iiss_spec_qiongdingzhixia | 19965 |
| iiss_contest_userscore | 15716 |
| iiss_article_sendmail | 13946 |
| iiss_wap_article | 10675 |
| iiss_mobile_article | 6696 |
| iiss_special_foruminfo | 5396 |
| iissblog_album | 5303 |
| iissblog_favorites | 4310 |
| iiss_image_comic | 3234 |
| iiss_member_field | 2648 |
| iiss_answer | 2295 |
| iiss_member_verifycode | 2263 |
| iiss_member_verifycode2 | 1571 |
| iiss_wap_image | 1569 |
| iiss_conference_praise_record | 1215 |
| iiss_guestbook | 1204 |
| iiss_viewrecord_daybysite | 1004 |
| iiss_contest_question | 1000 |
| iiss_vote | 925 |
| iiss_mobile_image | 824 |
| iiss_conference_candidate | 810 |
| iiss_history_today | 794 |
| iiss_perspective | 744 |
| iiss_perspectivefield | 744 |
| iiss_infocategory | 738 |
| iiss_tagperspective | 726 |
| iiss_voice | 706 |
| iiss_special | 690 |
| iiss_links | 683 |
| iiss_clickrecord | 682 |
| iiss_article_special | 658 |
| iiss_article_specialfield | 658 |
| iiss_clickcount | 639 |
| iiss_weibo_repostusers_record | 601 |
| iiss_pk | 589 |
| iiss_session | 582 |
| iiss_promotionlink | 549 |
| iiss_userquestion | 457 |
| iiss_wikipedia | 451 |
| iiss_wikipediafield | 451 |
| iiss_sethome | 450 |
| iiss_downimage | 436 |
| iiss_figure | 429 |
| iiss_conference | 399 |
| iiss_figure_impression | 395 |
| iiss_member_failedlogins | 377 |
| iiss_blogger_vote | 371 |
| iiss_contest_userquestion | 308 |
| iiss_article_hezuo | 306 |
| iiss_clickinfo | 304 |
| iiss_tagartspec | 254 |
| iiss_promotion_iprecord | 249 |
| iiss_weibo_repostrecord | 237 |
| iiss_livetelecast_article | 233 |
| iiss_leader | 211 |
| forum_remark | 194 |
| iiss_milcountry | 192 |
| iiss_admin | 136 |
| iiss_navi | 127 |
| iiss_linkscooper | 121 |
| iiss_file_attachment | 115 |
| iiss_milcountryelse | 108 |
| iiss_question | 104 |
| iiss_hero | 91 |
| iiss_table | 90 |
| iiss_weibo_repost | 90 |
| iiss_mobile_conference | 88 |
| iiss_linkstype | 80 |
| iiss_mobile_pk | 79 |
| iiss_weibo_activeusers | 75 |
| iiss_people | 71 |
| iiss_country | 67 |
| iiss_member_recommend | 56 |
| iiss_defense_elite | 55 |
| iiss_contest | 50 |
| iiss_conference_author_praise | 48 |
| iiss_writer | 48 |
| iiss_articlerelated | 45 |
| iiss_country_area | 45 |
| iiss_mobile_wallpaper | 37 |
| iiss_clicklocation | 31 |
| iiss_conference_user_medal | 31 |
| iiss_weibo_users | 30 |
| iiss_admintype | 29 |
| iiss_figure_year | 29 |
| iiss_milarea | 29 |
| iiss_infomodel | 27 |
| iiss_wikipediaedition | 25 |
| iissblog_pic_favorites | 25 |
| iiss_taghero | 15 |
| iiss_weibo_tokenuser | 15 |
| iiss_votetype | 14 |
| iiss_weibo_friendships | 14 |
| iiss_hire | 13 |
| iiss_voice_news | 13 |
| iiss_figure_character | 12 |
| iiss_mobile_manual | 12 |
| iiss_viewrecord_201002 | 12 |
| iiss_bottom | 10 |
| iiss_sysdata | 10 |
| iiss_datatype | 8 |
| iiss_livetelecast | 8 |
| iiss_quick_member | 8 |
| iiss_banned | 4 |
| iiss_milcontrast | 3 |
| iiss_mobile_version | 3 |
| iiss_spec_baodiaovotetotal | 1 |
| iiss_weaponspec | 1 |
+---------------------------------------+---------+
Database: performance_schema
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| setup_consumers | 8 |
| performance_timers | 5 |
| setup_timers | 1 |
+---------------------------------------+---------+
Database: mobile
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| iiss_wap_article | 97000 |
| iiss_mobile_article | 50373 |
| iiss_wap_image | 21398 |
| iiss_mobile_image | 12856 |
| iiss_mobile_jump | 10106 |
| iiss_mobile_conference | 377 |
| iiss_mobile_pk | 320 |
| iiss_wap_pk | 179 |
| iis_wap_qianming | 160 |
| iiss_mobile_wallpaper | 37 |
| iiss_mobile_manual | 26 |
| iiss_mobile_push | 26 |
| iiss_mobile_article_push | 13 |
| iiss_mobile_apps | 4 |
| iiss_mobile_version | 3 |
+---------------------------------------+---------+
Database: app
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| app_binding | 327 |
| app_person | 55 |
| app_job | 34 |
+---------------------------------------+---------+
Database: cis_en
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| en_attachment | 677 |
| en_article | 300 |
| en_articlefield | 300 |
| en_viewrecord_201409 | 107 |
| en_jump | 42 |
| en_viewrecord_201410 | 33 |
| en_admin | 29 |
| en_viewrecord_201411 | 12 |
| en_infocategory | 10 |
| en_sysdata | 6 |
| en_adtype | 4 |
| en_table | 3 |
| en_adcity | 2 |
| en_admintype | 2 |
| en_infomodel | 2 |
+---------------------------------------+---------+
Database: member
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| member_transaction | 14472 |
| member_credit | 33 |
+---------------------------------------+---------+
Database: cis_back
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| iiss_articlefield | 27878 |
| iiss_article_chinanews | 27876 |
| iiss_imagefield | 1256 |
| iiss_image_chinanews | 1255 |
+---------------------------------------+---------+
Database: mysql
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| help_relation | 992 |
| help_topic | 505 |
| help_keyword | 453 |
| help_category | 38 |
| `user` | 3 |
| proxies_priv | 2 |
+---------------------------------------+---------+
Database: military
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| shijiemil_list | 2326 |
+---------------------------------------+---------+
Database: cis_ad
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| iiss_ad_record | 636694 |
| iiss_ad_iprecord | 5033 |
| iiss_ad | 3124 |
| iiss_adtype | 574 |
| iiss_adcity | 19 |
+---------------------------------------+---------+
Database: war
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| war_userunit | 24612 |
| war_buylog | 20321 |
| war_users | 5840 |
| war_record | 5313 |
| war_queuecompare | 25 |
| war_parameter | 18 |
| war_describe | 12 |
| war_elements | 5 |
| war_queue | 5 |
+---------------------------------------+---------+
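The listing above is long, and the impact figure in the title (600,000+ users) comes from one line of it (iiss_member, 698,607 rows). A small triage script makes that reading repeatable: parse the "Database: / | Table | Entries |" blocks and surface the tables whose names suggest identity or credential data. This is an added example, not part of the original report; SAMPLE is an excerpt of the listing on this page, and the name patterns in SENSITIVE are my own choice.

```python
"""Triage a pasted per-table row-count listing (the format in the report above).

Added example, not part of the original report. SAMPLE is an excerpt of the
listing on the page; the sensitivity patterns are my own choice and should be
tuned to the target's naming scheme.
"""
import re
from collections import defaultdict

# Excerpt of the listing from the report (constructed subset, same format).
SAMPLE = """\
Database: cis
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| iiss_attachment | 14496899 |
| iiss_member | 698607 |
| iiss_member_verifycode | 2263 |
| iiss_session | 582 |
| iiss_admin | 136 |
+---------------------------------------+---------+
Database: mysql
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| `user` | 3 |
+---------------------------------------+---------+
"""

DB_RE = re.compile(r"^Database:\s*(\S+)\s*$")
# Table rows: optional backticks around the name (as in mysql.`user`), then an integer count.
ROW_RE = re.compile(r"^\|\s*`?([^|`]+?)`?\s*\|\s*(\d+)\s*\|\s*$")
# Name fragments that usually mean accounts, credentials, sessions or money (assumption).
SENSITIVE = re.compile(
    r"member|user|admin|session|verifycode|password|token|credit|transaction", re.I
)


def parse_counts(text: str) -> dict:
    """Map (database, table) -> row count. Header and separator rows carry no count and are skipped."""
    counts = {}
    db = None
    for line in text.splitlines():
        m = DB_RE.match(line)
        if m:
            db = m.group(1)
            continue
        m = ROW_RE.match(line)
        if m and db is not None:
            counts[(db, m.group(1))] = int(m.group(2))
    return counts


def totals_per_db(counts: dict) -> dict:
    """Sum of row counts per database, for a quick sense of scale."""
    totals = defaultdict(int)
    for (db, _table), n in counts.items():
        totals[db] += n
    return dict(totals)


def sensitive_tables(counts: dict) -> list:
    """Tables whose names suggest identity or credential data, largest first."""
    hits = [(db, t, n) for (db, t), n in counts.items() if SENSITIVE.search(t)]
    return sorted(hits, key=lambda x: x[2], reverse=True)


if __name__ == "__main__":
    c = parse_counts(SAMPLE)
    for db, n in totals_per_db(c).items():
        print(f"{db}: {n} rows")
    for db, t, n in sensitive_tables(c):
        print(f"  {db}.{t}: {n}")
```

On the full listing this flags iiss_member (698,607), iiss_voteuser, iissblog_user_20140806, iiss_member_verifycode, iiss_session, iiss_admin, member_transaction and mysql.user, which is the set a responder would want enumerated in the impact statement rather than buried in 300 lines of view-count tables.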

Fix:

The vendor is a good guy; filter the input~ (More robustly: treat infoid as an integer server-side and pass it as a bound parameter in a prepared statement. Because the injection point is numeric, no quote character is needed to break out, so a character blacklist on its own is easy to get wrong.)

Copyright: please credit AuGe@乌云 (WooYun) when reposting.
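To make the proof section and the fix concrete: the handler behind /term/create/200 evidently splices infoid into its SQL text. The block below, an added example and not code from chinaiiss.com (whose backend the report does not show), contrasts that pattern with a quote-stripping "filter" and with a typed, bound parameter. Everything in it is constructed: an in-memory SQLite database stands in for the site's MySQL, and the tables info and member with their columns are invented stand-ins for whatever the real schema holds.

```python
"""Why the `infoid` POST parameter is injectable, and what the fix looks like.

Added example; not code from chinaiiss.com, whose backend is not shown in the
report. Assumptions (all constructed): an in-memory SQLite database stands in
for the site's MySQL, the tables `info` and `member` and their columns are
invented stand-ins, and the handler simply looks one record up by id.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed fixture: one content table and one user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE info (infoid INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("CREATE TABLE member (uid INTEGER PRIMARY KEY, username TEXT, pwhash TEXT)")
    conn.executemany("INSERT INTO info VALUES (?, ?)",
                     [(477, "article 477"), (478, "article 478")])
    conn.executemany("INSERT INTO member VALUES (?, ?, ?)",
                     [(1, "admin", "<hash-of-admin-password>")])
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, infoid: str) -> list:
    """The bug class from the report: the request value is spliced into SQL text."""
    sql = "SELECT infoid, title FROM info WHERE infoid=" + infoid
    return conn.execute(sql).fetchall()


def lookup_filtered(conn: sqlite3.Connection, infoid: str) -> list:
    """A naive 'filter' fix: strip quote characters, then splice as before.

    The injection point is numeric, so a payload needs no quotes at all and
    this filter changes nothing.
    """
    cleaned = infoid.replace("'", "").replace('"', "")
    sql = "SELECT infoid, title FROM info WHERE infoid=" + cleaned
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, infoid: str) -> list:
    """The robust fix: enforce the type, then bind the value as a parameter.

    The SQL text is constant; the driver sends the integer separately, so no
    request value can ever reach the SQL parser.
    """
    try:
        value = int(infoid)
    except ValueError:
        raise ValueError("infoid must be an integer") from None
    return conn.execute("SELECT infoid, title FROM info WHERE infoid=?", (value,)).fetchall()


def rejected(conn: sqlite3.Connection, infoid: str) -> bool:
    """True if the parameterised handler refuses the value outright."""
    try:
        lookup_parameterised(conn, infoid)
        return False
    except ValueError:
        return True


# A UNION payload in place of the numeric id: it returns rows from another
# table through the same two-column result shape. The report does not show the
# payload actually used; this one is illustrative.
PAYLOAD = "0 UNION SELECT username, pwhash FROM member"


if __name__ == "__main__":
    db = build_db()
    print("vulnerable   :", lookup_vulnerable(db, PAYLOAD))
    print("filtered     :", lookup_filtered(db, PAYLOAD))
    print("parameterised: rejected =", rejected(db, PAYLOAD))
```

Run stand-alone it prints the admin row twice (once for the raw splice, once for the quote-stripping filter) and then shows the bound-parameter version refusing the payload before any query is issued. The same contrast holds for MySQL with a real driver's placeholder syntax; SQLite is used here only so the example runs offline.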


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2015-10-12 13:52

Vendor reply:

Thanks for your support

Latest status:

None


Comments:

  1. 2015-10-12 16:22 | AuGe (Regular white hat | Rank:107 Vulns:16 | I'm coming)

    Routed as a small vendor~?