
苏省某市计生系统漏洞(涉及海量个人详细信息/涉及全市某些隐私信息/大量具体信息)

2016-03-04 15:50

**.**.**.**/jsw2/ 南京计生系统存在命令执行漏洞,泄露了1400W+900W条详细的个人信息(详细到门牌号)以及30W+30W+30W条个人身份信息。个人身份信息位于第一个数据库的前三个表,1400W+900W条详细信息位于第二个数据库的第一个表和第二个表,下文中会详细标注。





数据过于庞大,只给出部分作为证明。

漏洞证明:

1111.png

db.png

db1.png

xinxi.png

xinxi1.png

xinxi2.png

xinxi3.png

xinxi4.png

xinxi5.png

xinxi6.png

code 区域
<url>jdbc:oracle:thin:@**.**.**.**:1521:newjsw</url>

<driver-name>oracle.jdbc.xa.client.OracleXADataSource</driver-name>

<properties>

<property>

<name>user</name>

<value>newjsw</value>

</property>

</properties>

<password-encrypted>{AES}dEZPo7qIt3MM2zCL6du/3BzOPatkRFQOWGy6BH70FvY=</password-encrypted> les1028







<url>jdbc:oracle:thin:@**.**.**.**:1521:jswbt</url>

<driver-name>oracle.jdbc.xa.client.OracleXADataSource</driver-name>

<properties>

<property>

<name>user</name>

<value>jswbt</value>

</property>

</properties>

<password-encrypted>{AES}rHKIQNE6mqsNW75maekqELa5lggoDu9WfMKz48gvtdM=</password-encrypted> les1028

数据库配置

code 区域
Query#0 : select t.TABLE_NAME,t.NUM_ROWS from user_tables t order by NUM_ROWS desc



TABLE_NAME (VARCHAR2)    NUM_ROWS (NUMBER)

JSBT_TXDA_320100V3333965

JSW_TXDA333849

JSW_TXDA_20151111BAK325576

JSW_TXDA_20151012BAK320655

JSW_TXDA_20150813BAK314212

JSW_TXDA_20150630BAK311708

JSW_TXDA_20150604BAK309579

JSW_TXDA_20150513BAK300563

JSW_TXDA_20150309BAK295287

JSW_TXDA_20150202BAK292358

JSW_TXDA_20141215283399

JSW_TXDA_20150114BAK283399

JSBT_TXDA2283004

JSBT_TXDA280297

JSW_TXDA_20141201BAK278586

JSW_TXDA_20141104BAK273934

JSW_TXDA_20141010BAK270572

JSW_TXDA_20140801BAK264138

JSW_TXDA_20140911BAK264138

JSW_TXDA_20140804BAK260116

JSW_TXDA_20140701BAK256633

JSW_TXDA_20140509253179

JSW_TXDA_20140603BAK253119

JSW_SQJLB_20150402252870

JSW_TXDA_20140505BAK249626

JSW_TXDA_20140403BAK245901

JSW_TXDA_20140307BAK243457

JSW_TXDA_20140112BAK235669

JSW_TXDA_20140220BAK235669

JSW_TXDA_20140107BAK230191

JSW_TXDA_20131013BAK219642

JSW_TXDA_20131231BAK219642

JSW_TXDA_20131009BAK214630

JSW_TXDA_20130901BAK206081

TMP_JSW_ZFQKMXB_BAK20131009201596

JSW_TXDA_20130703BAK201569

JSW_TXDA_20130617BAK196804

JSW_TXDA_20130428BAK192955

TMP_JSW_ZFQKMXB187912

JSW_TXDA_20130403BAK184605

JSW_TXDA_BAK_20130301184605

VVV_FFRYTJ163072

JSW_GSQKMXB154644

JSW_SQJLB153461

JSW_ZFQKMXB150289

JSW_SQJLB_20150402BAK128999

JSW_SQJLB20140619104158

TMP_JSW_HPQKMXB79085

JSBT_TXDA_BC73455

JSW_HPQKMXB245515

VVV_FFFFF41875

JSW_SQJLB_20131013BAK38099

JSW_GSQKMXB_20131013BAK37748

JSW_ZFQKMXB_20131013BAK37095

JSW_JFRY29506

JSW_GSQKMXB_20130424BAK25210

JSW_HPQKMXB2_20140415BAK24426

JSW_JFRY_20150416_BAK23017

JSW_SQJLB_BAK2013051422799

OA_MANAGER_QX21206

JSW_DWDA_20151111BAK18295

JSW_DWDA_20151012BAK18061

JSW_DWDA17762









Query#0 : select t.TABLE_NAME,t.NUM_ROWS from user_tables t order by NUM_ROWS desc



TABLE_NAME (VARCHAR2)    NUM_ROWS (NUMBER)

TP_JSBT_TXDWMX

TP_JSBT_SQJLMX

TP_JSBT_TXCXMX

WAS_TRANSDATASET    14028748    —— 1400W 个人的详细信息

BAK$WAS_TRANSDATASET101219    9732609    —— 900W 个人详细信息

BAK$WAS_TRANSDATA1012195664107

WAS_TRANSDATA5071046

WAS_TRANSLOG739474

BAK$WAS_TRANSDATA518357

BAK_JSBT_HPQKMXB_20141208447799

BAK_JSBT_HPQKMXB_20140530445908

BAK_JSBT_HPQKMXB_20150716444970

BAK_JSBT_HPQKMXB_20121025443914

BAK_JSBT_HPQKMXB_20121106441857

JSBT_KPQKMXB_TMP440432

BAK_JSBT_HPQKMXB_20120112439701

JSBT_HPQKMXB429604

BAK$JSBT_HPQKMXB$20110701423722

BAK_JSBT_KPQKMXB_20121025418216

BAK_JSBT_KPQKMXB_20120112416273

JSBT_KPQKMXB416034

YY_HP1410698

BAK$JSBT_KPQKMXB$20110701398972

BAK$JSBT_HPQKMXB$20101224386080

JSBT_TXDA_OLD302870

JSBT_TXDA_20100623302870

JSBT_TXDA20100525294326

JSBT_TXDA20100524292479

JSBT_TXDA2283004

JSBT_TXDA_20140212_BAK282494

JSBT_TXDA_20140125BAK282394

JSBT_TXDA_20131028BAK282384

BAK_JSBT_TXDA_20121012282384

BAK_JSBT_TXDA_20120112280474

BAK_JSBT_TXDA_20111130280343

BAK_JSBT_TXDA_20111111280335

BAK_JSBT_TXDA_20111101280299

JSBT_TXDA280297

BAK$JSBT_TXDA$20110701280297

BAK$JSBT_TXDA$20101224279825

JSBT_TXDA_20101222279672

BAK$WAS_TRANSDATASET276151

BAK$JSBT_KPQKMXB$20101224268207

JSBT_KPQKMXB_20100623262354

JSBT_TXDA_320100V3211848

JSBT_TXDA_320100V2_BAK211838

JSBT_GSQKLSB193956

BAK_JSBT_ZFQKMXB_20150716178992

JSBT_ZFQKMXB178980

BAK_JSBT_ZFQKMXB_20141208178778

JSB_ZFQKMXB_20140612178776

BAK_JSBT_ZFQKMXB_20140530178774

BAK_JSBT_ZFQKMXB_20130606178488

BAK_JSBT_ZFQKMXB_201314178484

BAK_JSBT_ZFQKMXB_201313178484

BAK_JSBT_ZFQKMXB_20121012175282

BAK_JSBT_ZFQKMXB_20121025175282

BAK_JSBT_ZFQKMXB_20121106175263

JSBT_ZFQKMXB_20120712174764

BAK_JSBT_ZFQKMXB_20120112172590

YY_ZF_HP166316

BAK$JSBT_ZFQKMXB$20110701143144

JSBT_ZFQKMXB20101229137440

BAK$JSBT_ZFQKMXB$20101224137136

TMP_JSBT_HPQKMXB135980

TP_LDFF_20121115128836

TP_LDFF128451

TP_JSBT_FFHP20110228117368

JSBT_TXDA_320100V2_BC_BAK103778

JSBT_TXDA_BC73455

JSBT_TXDA_BC_2010122273167

JSBT_TXDA_BC_20131030BAK72815

JSBT_TXDA_320100V2_BC_2010062268152

WAS_CZRZB59385

TP_JSBT_DXQY55338

TP_JSBT_ZXDW33163

BAK$JSBT_KPQKMXB_SBSQY31092

TP_JSBT_TXDA_SBSQY_QH30487

BAK$JSBT_TXDA_BC_SBSQY30319

JSBT_TXDA_BAK21764

BAK_JSBT_SQJLB_2012102517608

BAK_JSBT_GSQKMXB_2012102517603

JSBT_SQJLB17561

BAK$JSBT_GSQKMXB$2011070117510

JSBT_GSQKMXB17388

BAK$JSBT_SQJLB$2010122416819

BAK$JSBT_GSQKMXB$2010122416490

JSBT_SQJLB_2010070515481

YY_HP212890

TP_JSBT_WD10394

JSBT_HPQKMXB_2010062310235

BAK_JSBT_HPQKB_201507169929

JSBT_TXDA_20110916_SWRY9911

BAK_JSBT_HPQKB_201412089895

BAK_JSBT_HPQKB_201405309864

BAK_JSBT_HPQKB_201211069667

BAK_JSBT_HPQKB_201210259666

BAK_JSBT_HPQKB_201201129554

JSBT_HPQKB9522

BAK$JSBT_HPQKB$201107019370

OA_MANAGER_QX8926

JSBT_TXDA201006018544

TP_JNTXDA8280

JSBT_HPQKB201012308156

BAK$JSBT_HPQKB$201012247960

TP_JSBT_YHYFF_201201137254

TP_JSBT_SBSQY_RYB6115

TP_GCTXDA6073

TP_JSBT_SWRQ20101201TO201106305536

JSBT_DWDA_OLD5505

JSBT_DWDA_201006235505

JSBT_DWDA201005255497

JSBT_DWDA201005245476

JSBT_DWDA_20140408BAK5464

JSBT_DWDA_20140212_BAK5458

BAK$JSBT_DWDA$201107015457

BAK$JSBT_DWDA$201012245455

JSBT_DWDA_201007075454

JSBT_DWDA5454

TMP_HASNOTSEND5126

BAK_JSBT_KPQKB_201210254985

BAK_JSBT_KPQKB_201201124966

BAK$JSBT_KPQKB$201107014877

BAK_JSBT_ZFQKMXB_YFHRY4835

BAK$JSBT_KPQKB$201012244823

JSBT_KPQKB4791

TP_JSBT_FFRY_LH_06174444

JSBT_DWDA_320100V2_201006224272

JSBT_DWDA_320100V2_BAK4272

JSBT_KPQKB_201006234049

TP_LDFF_201306063847

TP_JSBT_ZFQKMXB_201210113576

TP_JSBT_ZFQKMXB_201306063489

TP_PANDA_SENDED_201211142888

TP_JSBT_FFRY_JN_06172864

TP_SWRY_201211152761

TP_SWRY2737

JSBT_ZFQKMXB_BAK2689

JSBT_HPQKMXB_BAK2683

TP_JSBT_SWZFB2498

TP_JSBT_SWFF201103082492

TP_JSBT_SWFF201104292491

TP_JSBT_SWRY_201109152443

TP_JSBT_SWFF201107272443

TP_JSBT_XSRY_GC2360

BZ_JSBT_SQMCH2292

JSBT_DWDA_320100V2_BC_BAK2281

JSBT_DWDA_BC2281

BZ_JSBT_SQB2127

BZ_SQB2110

TMP_JSBT_QYFH_20130130_22100

TP_JSBT_FFRY_GC_06171961

JSW_TXDA_201201131907

TP_JSBT_FFRY_LS_06171623

TP_JSBT_FFRY_LS1623

TP_JSBT_KPQKMXB_SBSQY1557

TP_FFQKMX_201211281513

JSBT_HPQKMXB_000000391422

TP_JSBT_FFRY_PK_06171416

JSBT_DWDA_BAK1409

JSBT_SQJLB_BAK1143

JSBT_HPQKB_201006231069

BAK_JSBT_ZFQKB_20150716837

JSBT_ZFQKB831

BAK_JSBT_ZFQKB_20141208821

BAK_JSBT_ZFQKB_20140530815

TP_JSBT_1ST2HPDW775

BAK_JSBT_ZFQKB_20121025769

BAK_JSBT_ZFQKB_20121106761

JSBT_TXDA_320100V2748

BAK_JSBT_ZFQKB_20120112744

BAK$JSBT_ZFQKB$20110701721

TP_JSBT_TXDA712

JSBT_GSQKB690

TP_JSBT_XSRY_LH675

WAS_FIELD636

JSBT_ZFQKB20101229519

BAK$JSBT_GSQKB$20110701513

TMP_JSBT_HASNOTINSERT507

TMP_JSBT_QYFH_20130130505

BAK$JSBT_ZFQKB$20101224487

TP_JSBT_TXDA_20110616466

JSBT_FFCWMXB460

JSBT_DWFFQKB440

TP_FHQYMX_20121115360

TP_FHQYMX360

TP_JSBT_ZFQKMXB_20130613358

TP_KNQY341

BAK$JSBT_KPQKB_SBSQY317

OA_ROLES_QX300

YX_RYB291

BAK$JSBT_GSQKB$20101224287

OA_MAN_ROLES287

ZFTEST286

P286

TP_JSBT_CZRY274

OA_TZ_SJKSB257

TP_JSBT_ZTQY_0720255

TP_JSBT_DW20110107253

TP_JSBT_DWDA_20110915247

OA_ACTMENU244

JSBT_DWDA_ZLKP234

TP_JSBT_KPQKB_SBSQY207

WAS_BMXZB205

BAK_JSBT_KPQKMXB_100528204

TMP_ZDXM_20121107197

JSBT_GSDYB192

TP_JSBT_GZQY171

JSBT_KPTOJDDW168

BAK_JSBT_KPTOJDDW_20121025167

TP_JSBT_KPQKMXB_20110616157

TEST3_20140626149

TEST4_20140626149

BZ_JDB148

BZ_JSBT_JDB148

TEST20140701145

TP_JSBT_ZTDW_V2136

TEST_20140626129

JSBT_FF_LH123

TP_JSBT_XM122

TP_JSBT_KPWDJQY119

TP_PANDA114

JSBT_ZFQKMXB_BAK_20130926114

TMP_JSBT_RSFF_20130704113

JSBT_QRSB113

TP_JSBT_ZFQKMXB_20130614112

TP_PANDA_FF112

TMP_BBB108

JSBT_DWDA_CXKP107

WAS_NODE84

PP81

TP_JSBT_GTQY69

BAK_JSBT_DWDA_2013032568

TMP_JSBT_4TO9968

TMP_JSBT_FFQK_CHECK_2013012166

OA_TYMENU56

TP_JSBT_XSRY_JN45

TP_JSBT_XSRY_LS43

JSBT_CDLQ42

JSBT_ZFQKMXB_20131025BAK42

TP_JSBT_DW2011091641

TP_SWRY_2012010937

WAS_DATASET36

TP_JSBT_NOFF36

WAS_DATASETCOL36

WAS_ITEMAPPID32

WAS_RWPRO31

WAS_ITEM31

TMP_JSBT_LEFT_RY27

TP_JSBT_XSRY_PK26

TP_JSBT_TXDA_2012101226

JSBT_ZFQKMXB_2010062322

PBCATEDT21

PBCATFMT20

OA_TZ_XXB19

TP_JSBT_ZTDW_V319

JSBT_ZFQKB_2010062318

BZ_JSBT_QHDZB17

BZ_QMB17

TP_JSBT_ZTDW_V516

TP_JSBT_ZTDW_V416

JSBT_ZFQKMXB_BAK_2011062016

JSBT_HPQKMXB_BAK_2011062016

JSBT_DWDA_RECOVERY16

JSBT_SQJLB2014062614

OA_TZ_FJB12

BZ_JSBT_LSGXB10

JSBT_HPQKMXB_2014_DELINFO9

BAK_JSBT_GSQKMXB_201111228

JSBT_ZFQKMXB_2014_DELINFO8

JSBT_DWDA201006018

OA_ROLES7

BZ_JSBT_TCQHB6

JSBT_HPQKB_RECOVERY6

JSBT_HPQKMXB_RECOVERY6

JSBT_ZFQKMXB_CG6R6

OA_THEME6

JSBT_ZFQKMXB_BAK_201306065

JSBT_TXDA_BC_RECOVERY5

JSBT_HPQKB_000000395

JSBT_HPQKMXB_BAK_201306065

BZ_JSBT_RYLBB5

JSBT_DWDA_320100V25

JSBT_ZFQKB_RECOVERY4

JSBT_HPQKB_BAK_201106204

JSBT_ZFQKMXB_RECOVERY4

JSBT_ZFQKB_BAK_201106204

BZ_JSBT_DWTZHB4

JSBT_TXDA_201407DELINFO3

BZ_JSBT_DLGXB3

TP_JSBT_DWDA_201106163

BZ_JSBT_XBB3

JSBT_ZFQKMXB201407023

JSBT_GSQKMXB_RECOVERY3

JSBT_SQJLB_BAK201309032

JSBT_SQJLB_201407DELINFO2

JSBT_HPQKB_BAK_201306062

JSBT_GSQKMXB_BAK201309032

BZ_JSBT_ZJLXB2

BZ_JSBT_TXTZB2

BZ_JSBT_FFFSB2

BZ_JSBT_BTJGB2

OA_STATUS2

OA_YCCSB2

OA_YDCSB2

OA_GQCSB2

OA_FJCSB2

JSBT_ZFQKB_BAK_201306062

JSBT_TXDA_RECOVERY2

JSBT_HPQKMXB_DELINFO1

JSBT_KPQKMXB_DELINFO1

TP_JSBT_HPQKMXB_000042621

BZ_JSBT_BTJS1

JSBT_TXDA_BC_DELINFO1

JSBT_TXDA_DELINFO1

JSBT_GSQKB_BAK201309031

JSBT_KPTOJDDW_201309031

JSBT_TKQKB0

JSBT_ZFQKMXB_TMP0

OA_FJB0

OA_JSXXB0

OA_XXB0

ZH_ERR_JL0

PBCATTBL0

PBCATVLD0

WAS_DTBMXZB0

WAS_TAB_COL0

WAS_TRANSDATA_BF0

PBCATCOL0



OA_JSXXB0

JSW_ZFQKMXB_JC20130301BAK0

数据库结构

code 区域
**.**.**.**/jsw2/1.jspx  9635789

修复方案:

知识来源: www.wooyun.org/bugs/wooyun-2016-0170110

