习网大量数据库信息泄露 | wooyun-2015-092365| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-092365

漏洞标题：习网大量数据库信息泄露

漏洞作者：爱上平顶山

提交时间：2015-01-17 21:10

修复时间：2015-03-03 21:12

公开时间：2015-03-03 21:12

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-01-17：细节已通知厂商并且等待厂商处理中
2015-01-19：厂商已经确认，细节仅向厂商公开
2015-01-29：细节向核心白帽子及相关领域专家公开
2015-02-08：细节向普通白帽子公开
2015-02-18：细节向实习白帽子公开
2015-03-03：细节向公众公开

简要描述：

习网
业务很多，本来准备渗透下，结果有人提交，好吧提交算了

详细说明：

习网
点：
http://xxcg.ciwong.com/learninglevel/SubjectDetail?id=89 注入漏洞
http://e.ciwong.com/home/go?schoolId=224161 注入漏洞
http://gxkt.ciwong.com/captcha/index?aid=20130110 注入漏洞

databases [132]:
[*] beehive_listenread
[*] beehive_pointmall
[*] beehive_synchronwork
[*] beehive_voicespeech
[*] beehivedb
[*] bookcase
[*] ciwong_colorful
[*] ciwong_newsmanagement
[*] ciwong_qr
[*] cloudreader
[*] cmsdata
[*] cw_6v68_settlement
[*] cw_admin_elearning
[*] cw_admin_elearning_bak
[*] cw_app_store
[*] cw_audio_video_db
[*] cw_basedapplications
[*] cw_chinadream
[*] cw_cooperator
[*] cw_dw
[*] cw_edu
[*] cw_elearning
[*] cw_elearning_bak
[*] cw_englishshow
[*] cw_eshop_cart
[*] cw_eshop_common
[*] cw_eshop_news
[*] cw_eshop_order
[*] cw_eshop_product
[*] cw_eshop_user
[*] cw_gwy
[*] cw_hd
[*] cw_homepage
[*] cw_jibei
[*] cw_jibei_school
[*] cw_learnmonth
[*] cw_microvideo
[*] cw_netschool
[*] cw_packager_arithmetic
[*] cw_packager_arithmetic_en
[*] cw_packager_ebook
[*] cw_packager_experiment
[*] cw_packager_experiment_v2
[*] cw_packager_kousuan
[*] cw_packager_learning_level
[*] cw_packager_listenning_ch
[*] cw_packager_listenning_ch_v2
[*] cw_packager_listenning_en
[*] cw_packager_listenning_en_v2
[*] cw_packager_playwords
[*] cw_packager_reading_ch
[*] cw_packager_reading_en
[*] cw_packager_speaking_en
[*] cw_pay
[*] cw_press
[*] cw_press_new
[*] cw_recommend
[*] cw_resx_center
[*] cw_settlement
[*] cw_trainingdb
[*] cw_workcategory
[*] cw_workcategory_arithmetic
[*] cw_workcategory_arithmetic_en
[*] cw_workcategory_common
[*] cw_workcategory_ebook
[*] cw_workcategory_experience
[*] cw_workcategory_experiment
[*] cw_workcategory_experiment_v2
[*] cw_workcategory_learning_level
[*] cw_workcategory_listenning_ch
[*] cw_workcategory_listenning_ch_v2
[*] cw_workcategory_listenning_en
[*] cw_workcategory_listenning_en_v2
[*] cw_workcategory_more
[*] cw_workcategory_playwords
[*] cw_workcategory_reading_ch
[*] cw_workcategory_reading_en
[*] cw_workcategory_settings
[*] cw_workcategory_speaking_en
[*] cw_workshop
[*] cw_workshop2
[*] cw_yishang
[*] cw_yishang1
[*] cw_yishang_settle
[*] cw_ziyuan
[*] cwapi
[*] cwfav
[*] db_ciliao
[*] db_filestatus
[*] db_kousuan100
[*] db_statistics
[*] db_txb
[*] db_txb_paipai
[*] efficientclassroom
[*] game
[*] gxktv3
[*] gxktv3_resource
[*] information
[*] information_schema
[*] microrecord
[*] mysql
[*] notebook_good
[*] notebook_mistake
[*] notebook_senten
[*] notebook_word
[*] performance_schema
[*] quesdata
[*] research
[*] research_ky
[*] roompermissionjingsai
[*] schoolzone
[*] searcher
[*] synchpreparation
[*] szdsy2013
[*] t_db_areaconf
[*] t_db_jibei
[*] t_db_listening
[*] t_db_markham
[*] t_db_roomtask
[*] t_db_tinyurl
[*] videouser
[*] wiki
[*] wikicommunity
[*] wikipoint
[*] wikiques
[*] wordstockchinese
[*] wordstockenglish
[*] wordstockenglishchangebuilding
[*] wordstockenglishchangeclassifying
[*] wordstockenglishchangescene
[*] wordstocktempresources
[*] work_listen
Database: beehive_listenread
+--------------------------+---------+
| Table                    | Entries |
+--------------------------+---------+
| h_stupracticeword        | 2225817 |
| h_studentworkpersentence | 1179092 |
| h_stupracticeread        | 1143587 |
| s_favorites              | 787644  |
| h_studentworkword        | 702708  |
| h_heardrank              | 320771  |
| v_workbook               | 310072  |
| s_workrecord             | 235518  |
| s_workanswer             | 216187  |
| h_stupractice            | 174053  |
| h_studentwork            | 139538  |
| h_teacherfixword         | 135150  |
| s_mybookshelf            | 119652  |
| e_s_work_item            | 119166  |
| v_saledetail             | 115829  |
| o_order_off_detail       | 115256  |
| h_studentvistor          | 82884   |
| s_publishques            | 47454   |
| h_unitword               | 43505   |
| e_s_work                 | 29547   |
| h_teacherworkdetail      | 20967   |
| s_publishquessummary     | 19550   |
| h_teacherpublishrecord   | 11344   |
| h_teacherwork            | 9817    |
| h_studentprivacy         | 6758    |
| p_agent_books            | 5840    |
| h_studentfollow          | 5674    |
| s_publishrecorddetails   | 5613    |
| h_unitcourse             | 5447    |
| s_publishpaper           | 4133    |
| h_units                  | 3759    |
| o_apply_free_record      | 3693    |
| questionbookversion      | 2786    |
| h_units_copy             | 1855    |
| s_question               | 1730    |
| tmp_booksresource        | 1391    |
| tmp_resourceversion      | 1390    |
| s_publishrecord          | 1324    |
| tmp_booksresource_bak    | 1164    |
| tmp_booksresource_bak2   | 1164    |
| s_questionsummary        | 711     |
| o_order_off_line         | 640     |
| o_order                  | 573     |
| e_t_work_chapter         | 562     |
| e_t_work_class           | 554     |
| o_openservicedetail      | 447     |
| s_book_areas             | 320     |
| e_t_work_record          | 308     |
| h_bookinfo               | 290     |
| p_class_recommend        | 276     |
| s_chapter                | 228     |
| o_service_message        | 223     |
| o_openservice            | 213     |
| h_bookinfo_copy1         | 169     |
| h_bookinfo_copy          | 168     |
| h_bookinfo_copy_copy     | 168     |
| s_chapter_copy           | 150     |
| s_paper                  | 149     |
| s_book_copy1             | 27      |
| s_book_copy              | 25      |
| s_template_kind          | 21      |
| p_message                | 10      |
| h_courseinfo             | 9       |
| s_book                   | 7       |
| s_book_template          | 4       |
+--------------------------+---------+
Database: beehive_pointmall
+------------------+---------+
| Table            | Entries |
+------------------+---------+
| tb_goods         | 102     |
| tb_pointsrule    | 24      |
| tb_pointssummary | 19      |
| tb_goodscategory | 12      |
| tb_orders        | 11      |
| tb_address       | 7       |
| tb_supplier      | 5       |
| tb_notices       | 2       |
| tb_manager       | 1       |
+------------------+---------+
Database: beehive_synchronwork
+---------------------------+---------+
| Table                     | Entries |
+---------------------------+---------+
| studentworkquestiondetail | 6053    |
| studentwork               | 5493    |
| message                   | 1440    |
| publisherdetail           | 1140    |
| messageuser               | 1033    |
| workstatistical           | 722     |
| classworkpublicrec        | 685     |
| studentworddetail         | 619     |
| workpublish               | 388     |
| messageclass              | 369     |
| workcontent               | 293     |
| workcategory              | 122     |
| workstep                  | 111     |
| worksummary               | 10      |
+---------------------------+---------+
Database: beehive_voicespeech
+-------------+---------+
| Table       | Entries |
+-------------+---------+
| voiceprop   | 373441  |
| voicespeech | 93360   |
+-------------+---------+
Database: beehivedb
+------------------------------+---------+
| Table                        | Entries |
+------------------------------+---------+
| a_settlement_order_detail    | 115723  |
| tb_classmember               | 85263   |
| tb_groupmember               | 84710   |
| tb_classmember_20140627_1520 | 60961   |
| tb_classproduct              | 664     |
| tb_users                     | 579     |
| tb_productuse                | 492     |
| tb_areas                     | 466     |
| tb_products                  | 457     |
| a_settlement_detail          | 341     |
| appmanager                   | 226     |
| tmp_user_service_record      | 218     |
| tmp_proxyschoolopen          | 215     |
| tb_bank_account              | 205     |
| tb_schoolmodules             | 166     |
| tb_schoolproxy               | 147     |
| tb_schoolinfo                | 142     |
| a_settlement_type_detail     | 67      |
| tb_app_menurole              | 65      |
| tb_areaproxy                 | 46      |
| tb_productsorder             | 29      |
| a_settlement_remark          | 25      |
| tb_app_menu                  | 25      |
| tb_procate                   | 24      |
| course                       | 23      |
| a_settlement_record          | 20      |
| tb_proxyproduct              | 20      |
| tb_apprecommend              | 17      |
| tb_schoolmanager             | 12      |
| tb_app_itemrole              | 10      |
| tb_app_menuitem              | 10      |
| tb_app_role                  | 6       |
| tmp_proxyyearopen            | 6       |
| tb_bank_pay_record           | 5       |
| stage                        | 4       |
| tb_appinfo                   | 3       |
| tb_modules                   | 3       |
| a_settlement_rate            | 1       |
| tb_appuserrole               | 1       |
| tb_myproducts                | 1       |
+------------------------------+---------+
Database: bookcase
+---------------+---------+
| Table         | Entries |
+---------------+---------+
| paperlist     | 632983  |
| bookshelflist | 538160  |
| ebookstep     | 407616  |
| paperclip     | 189647  |
| ebooktheme    | 41311   |
| mybookshelf   | 23656   |
| bookmark      | 3946    |
| recommendbook | 32      |
+---------------+---------+
Database: ciwong_colorful
+-----------------------+---------+
| Table                 | Entries |
+-----------------------+---------+
| tb_hist_testexercises | 7760    |
| tb_cmt_comment        | 557     |
| tb_uer_usermsg        | 242     |
+-----------------------+---------+
Database: ciwong_newsmanagement
+-------------------------+---------+
| Table                   | Entries |
+-------------------------+---------+
| newsdetails             | 401     |
| newsdetailsassistant    | 401     |
| newscategoryrelation    | 203     |
| competitionnews         | 139     |
| newscompetitionrelation | 126     |
| newscategory            | 22      |
| newsfrom                | 4       |
+-------------------------+---------+
Database: ciwong_qr
+--------------+---------+
| Table        | Entries |
+--------------+---------+
| personalcard | 436791  |
| classcard    | 81708   |
| app          | 5       |
+--------------+---------+
Database: cloudreader
+------------------------+---------+
| Table                  | Entries |
+------------------------+---------+
| tb_creditsrecord       | 27854   |
| tb_dynamic             | 7232    |
| tb_recentvisitors      | 7101    |
| tb_review              | 6705    |
| tb_taskdetail          | 3203    |
| tb_dotask              | 1935    |
| tb_content             | 1835    |
| tb_autostudytestreport | 1764    |
| tb_ucrelation          | 1455    |
| tb_user                | 1434    |
| tb_recommend           | 1226    |
| tb_errorquesnote       | 777     |
| tb_article             | 620     |
| v_totaldotask          | 378     |
| v_totalreview          | 336     |
| tb_quesoption          | 318     |
| tb_questext            | 279     |
| tb_ques                | 278     |
| tb_userdetail          | 224     |
| v_totalstudyreview     | 156     |
| tb_section             | 138     |
| tb_attachment          | 129     |
| tb_photo               | 118     |
| tb_relation            | 85      |
| tb_albums              | 79      |
| tb_task                | 64      |
| tb_menu                | 60      |
| tb_classlearninggroup  | 54      |
| tb_topic               | 46      |
| tb_privateletter       | 45      |
| tb_unit                | 42      |
| tb_book                | 41      |
| v_totaltopstudyreview  | 34      |
| v_totaltopreview       | 29      |
| tb_creditsrules        | 28      |
| tb_creditgradedetail   | 22      |
| tb_type                | 15      |
| tb_apprequesservices   | 10      |
| tb_schoolinfo          | 6       |
| tb_openservices        | 5       |
| tb_topteacherteam      | 5       |
| tb_services            | 1       |
+------------------------+---------+
Database: cmsdata
+--------------------------+---------+
| Table                    | Entries |
+--------------------------+---------+
| syslog                   | 23016   |
| sitepagetemplaterelation | 9721    |
| moduletemplaterelation   | 3211    |
| templateconfig           | 498     |
| moduleconfig             | 427     |
| domainsiterelation       | 387     |
| domainconfig             | 73      |
| task                     | 31      |
| siteextendinfo           | 19      |
| sitetype                 | 8       |
+--------------------------+---------+
Database: cw_6v68_settlement
+-----------------------+---------+
| Table                 | Entries |
+-----------------------+---------+
| settlement            | 25996   |
| settlementrelation    | 6691    |
| settlementdatasynclog | 124     |
| userrightrelation     | 89      |
| shopaudit             | 70      |
| publisheraudit        | 42      |
| userrolerelation      | 25      |
| agentinfo             | 19      |
| auditrecords          | 10      |
| userright             | 9       |
| userinfo              | 8       |
| roleinfo              | 6       |
+-----------------------+---------+
Database: cw_admin_elearning
+--------------------------+---------+
| Table                    | Entries |
+--------------------------+---------+
| admin                    | 3988    |
| site_admin               | 3984    |
| siteinfo                 | 3913    |
| siteinfo_new             | 3674    |
| admin_new                | 3671    |
| sitemodule               | 3574    |
| tmp_tb4                  | 3309    |
| tmp2_tb                  | 3304    |
| tmp_tb3                  | 3304    |
| site_admin_bak           | 392     |
| siteinfo_bak             | 370     |
| admin_bak                | 367     |
| siterecommendapplication | 13      |
| sitemodule_bak           | 8       |
| sitenavigation           | 7       |
| `module`                 | 6       |
| sitefriendlylink         | 5       |
| sqlmapfile               | 3       |
| deploy                   | 2       |
| newsarea                 | 2       |
| sitebanner               | 2       |
| newsinfo                 | 1       |
| sitelogo                 | 1       |
+--------------------------+---------+
Database: cw_dw
+---------------------------------+---------+
| Table                           | Entries |
+---------------------------------+---------+
| dw_user_learning_history        | 14689703|
| user_learning_records           | 7756018 |
| dw_learnning_words              | 2292036 |
| chapterreport                   | 1710845 |
| dw_user_answer_detail_history   | 1686803 |
| dw_user_answers_statistics      | 676806  |
| workreport                      | 488690  |
| dw_user_learning_history_record | 7       |
+---------------------------------+---------+

ok
数据库全部可访问权限太大先到这

漏洞证明：

···

修复方案：

过滤

版权声明：转载请注明来源爱上平顶山@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：20

确认时间：2015-01-19 15:33

厂商回复：

漏洞修复中....

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-092365

漏洞标题：习网大量数据库信息泄露

相关厂商：习网

漏洞作者：爱上平顶山

提交时间：2015-01-17 21:10

修复时间：2015-03-03 21:12

公开时间：2015-03-03 21:12

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源爱上平顶山@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-092365

漏洞标题：习网大量数据库信息泄露

相关厂商：习网

漏洞作者： 爱上平顶山

提交时间：2015-01-17 21:10

修复时间：2015-03-03 21:12

公开时间：2015-03-03 21:12

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-092365"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 爱上平顶山@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

漏洞概要关注数(24) 关注此漏洞

漏洞作者：爱上平顶山

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源爱上平顶山@乌云