漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2013-039092
漏洞标题:北大方正#1 某系统数据库等信息泄露
相关厂商:北大方正
漏洞作者: 爱上平顶山
提交时间:2013-10-08 15:24
修复时间:2013-11-22 15:24
公开时间:2013-11-22 15:24
漏洞类型:网络敏感信息泄漏
危害等级:中
自评Rank:8
漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2013-10-08: 细节已通知厂商并且等待厂商处理中
2013-10-12: 厂商已经确认,细节仅向厂商公开
2013-10-22: 细节向核心白帽子及相关领域专家公开
2013-11-01: 细节向普通白帽子公开
2013-11-11: 细节向实习白帽子公开
2013-11-22: 细节向公众公开
简要描述:
0.0
详细说明:
北大方正人寿某系统数据库等信息泄露
proxool一个数据库连接池框架 Proxool 0.9.0RC3
地址:https://sp.pkufi.com/admin 未授权直接访问
图:
地址信息等:
alias: myblogdb
driver-url: jdbc:microsoft:sqlserver://192.168.101.35:1433;DatabaseName=EMAP
driver-class: com.microsoft.jdbc.sqlserver.SQLServerDriver
user (delegated): salesportal
password (delegated): ******
sql = select count(1) from emap.dbo.EMAP_SM_MT_SENT_LOG where RESERVED4='7ACB36E6-E4FC-450B-A2E3-FF48A29917C9';
sql = select count(1) from emap.dbo.EMAP_SM_MT_UNSENT_LOG where RESERVED4='7ACB36E6-E4FC-450B-A2E3-FF48A29917C9';
proxy = 345d6fbe
delegate = 1b833243
url = jdbc:microsoft:sqlserver://192.168.101.35:1433;DatabaseName=EMAP
alias: businessDb
driver-url: jdbc:oracle:thin:@192.168.101.23:6820:salesportal
driver-class: oracle.jdbc.driver.OracleDriver
user (delegated): toi
password (delegated): ******
dll (delegated): ocijdbc9
protocol (delegated): thin
sql = select count(1) from policy a,relation_person_info b,coverage c, person_info d,relation_person_info e,value_table
v,relation_ap p Where a.policy_no = c.policy_no and c.rider='01' and a.policy_no = b.policy_no and b.relation='O' and
c.insured1=d.client_no and a.policy_no = e.policy_no and a.policy_no=p.policy_no and p.relation='S' and a.system='CAPSIL' and
p.agent_code = '1002280A60' and e.relation in ('A','P') and e.credit_cat='M' and e.bank_code = v.value and
v.value_type='BANK_NAME' and to_date(e.credit_exp_date,'yyyy-mm-dd')-to_date('2013-09-01','yyyy-MM-dd')>=0 and to_date
(e.credit_exp_date,'yyyy-mm-dd')-to_date('2013-10-31','yyyy-MM-dd')<=0 and length(trim(e.credit_exp_date))=10 order by
e.credit_exp_date desc ;
proxy = 74548ffc
delegate = 32addcb7
url = jdbc:oracle:thin:@192.168.101.23:6820:salesportal
alias: SQSdb
driver-url: jdbc:oracle:thin:@192.168.101.23:6820:SALESPORTAL
driver-class: oracle.jdbc.driver.OracleDriver
user (delegated): salesportal
password (delegated): ******
dll (delegated): ocijdbc9
protocol (delegated): thin
sql = select count(*) from lsactivitydata4day where usercode ='1002280A60' and datadate = '2013-10-01' and ((newcus is null or
newcus ='') and (telact is null or telact ='') and (demandinter is null or demandinter ='') and (dealinter is null or dealinter
='') and (newcand is null or newcand ='') and (recuinter is null or recuinter ='') and (PrpNum is null or PrpNum ='') and (IidNum
is null or IidNum ='') and (FodNum is null or FodNum =''));
proxy = 3974ba55
delegate = 1e753feb
url = jdbc:oracle:thin:@192.168.101.23:6820:SALESPORTAL
ok
漏洞证明:
alias: myblogdb
driver-url: jdbc:microsoft:sqlserver://192.168.101.35:1433;DatabaseName=EMAP
driver-class: com.microsoft.jdbc.sqlserver.SQLServerDriver
user (delegated): salesportal
password (delegated): ******
sql = select count(1) from emap.dbo.EMAP_SM_MT_SENT_LOG where RESERVED4='7ACB36E6-E4FC-450B-A2E3-FF48A29917C9';
sql = select count(1) from emap.dbo.EMAP_SM_MT_UNSENT_LOG where RESERVED4='7ACB36E6-E4FC-450B-A2E3-FF48A29917C9';
proxy = 345d6fbe
delegate = 1b833243
url = jdbc:microsoft:sqlserver://192.168.101.35:1433;DatabaseName=EMAP
alias: businessDb
driver-url: jdbc:oracle:thin:@192.168.101.23:6820:salesportal
driver-class: oracle.jdbc.driver.OracleDriver
user (delegated): toi
password (delegated): ******
dll (delegated): ocijdbc9
protocol (delegated): thin
sql = select count(1) from policy a,relation_person_info b,coverage c, person_info d,relation_person_info e,value_table
v,relation_ap p Where a.policy_no = c.policy_no and c.rider='01' and a.policy_no = b.policy_no and b.relation='O' and
c.insured1=d.client_no and a.policy_no = e.policy_no and a.policy_no=p.policy_no and p.relation='S' and a.system='CAPSIL' and
p.agent_code = '1002280A60' and e.relation in ('A','P') and e.credit_cat='M' and e.bank_code = v.value and
v.value_type='BANK_NAME' and to_date(e.credit_exp_date,'yyyy-mm-dd')-to_date('2013-09-01','yyyy-MM-dd')>=0 and to_date
(e.credit_exp_date,'yyyy-mm-dd')-to_date('2013-10-31','yyyy-MM-dd')<=0 and length(trim(e.credit_exp_date))=10 order by
e.credit_exp_date desc ;
proxy = 74548ffc
delegate = 32addcb7
url = jdbc:oracle:thin:@192.168.101.23:6820:salesportal
alias: SQSdb
driver-url: jdbc:oracle:thin:@192.168.101.23:6820:SALESPORTAL
driver-class: oracle.jdbc.driver.OracleDriver
user (delegated): salesportal
password (delegated): ******
dll (delegated): ocijdbc9
protocol (delegated): thin
sql = select count(*) from lsactivitydata4day where usercode ='1002280A60' and datadate = '2013-10-01' and ((newcus is null or
newcus ='') and (telact is null or telact ='') and (demandinter is null or demandinter ='') and (dealinter is null or dealinter
='') and (newcand is null or newcand ='') and (recuinter is null or recuinter ='') and (PrpNum is null or PrpNum ='') and (IidNum
is null or IidNum ='') and (FodNum is null or FodNum =''));
proxy = 3974ba55
delegate = 1e753feb
url = jdbc:oracle:thin:@192.168.101.23:6820:SALESPORTAL
修复方案:
做权限控制。 礼物? `(*∩_∩*)′
版权声明:转载请注明来源 爱上平顶山@乌云
漏洞回应
厂商回应:
危害等级:中
漏洞Rank:9
确认时间:2013-10-12 22:33
厂商回复:
最新状态:
暂无