WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online browsing -------- http://drop.zone.ci/
2014-02-19: Details reported to the vendor; awaiting vendor handling
2014-02-24: Vendor has confirmed; details disclosed to the vendor only
2014-03-06: Details disclosed to core white hats and relevant domain experts
2014-03-16: Details disclosed to regular white hats
2014-03-26: Details disclosed to intern white hats
2014-04-05: Details disclosed to the public
As the title says; this could leak a large amount of sensitive information.
1) Target tested: http://hb.ccb365.com/
2) Injection point tested:
3) Database information obtained:
available databases [7]:
[*] ABCKEY
[*] Cmbc
[*] JSCCBKEY
[*] master
[*] model
[*] msdb
[*] tempdb
Database: JSCCBKEY
[222 tables]
+--------------------------+
| AH_UserVerify |
| ActivitiesLimitRemoved |
| ActivitiesSet |
| ActivitiesTypes |
| ActivityCard |
| ActivityPeriod |
| ActivityRemoved |
| ActivityStatistics |
| AdManage |
| AdSetting |
| AffirAword |
| AnswerActivity |
| AnswerRecord |
| ApplyMiniCard |
| ApplyPointsLog |
| AuctionGoods |
| AuctionOKList |
| AuctionRecord |
| AwardOrder |
| AwardPeriod |
| AwardPro |
| AwardTurntableOK |
| AwardTurntableOK20121127 |
| AwardTurntableOrder |
| AwardTurntablePro |
| AwardUser |
| Balance |
| BankActivity |
| BankLobbyManager |
| BankUser |
| Blacklist |
| BookingPeriod |
| BranchActivity |
| Brand |
| CCBBranch |
| CQ_Area |
| CQ_Merchant |
| CQ_OfferType |
| CQ_Region |
| CQ_Reviews |
| CQ_SmallClass |
| CashCoupons |
| CcbFinanceService |
| CharityBook |
| CharityBookCategory |
| CharityBookOrder |
| CharityDonationOrder |
| Cities |
| City |
| CommonUsers |
| CouponCode |
| CouponOrders |
| Coupons |
| D99_Tmp |
| DC_Admin |
| DC_BaoJian_Code |
| DC_CaiPin |
| DC_CaiPin_Code |
| DC_CaiXi_Code |
| DC_KouWei_Code |
| DC_Order |
| DC_Order_CaiPin |
| DC_ShangJia |
| DC_ShangJia_CaiXi |
| DC_ShangQuan_Code |
| DC_XingZheng_Code |
| DeliverRemoved |
| DiceOrders |
| DicePrize |
| DiceSet |
| DiscountProducts |
| DrawPrizes |
| DrawPrizesOrder |
| EducationBackGround |
| EmailInvite |
| EmailTemplet |
| ExpressCompany |
| Feedback |
| FinanceCoupon |
| FinanceCouponReceiveLog |
| FinancialMerchant |
| FinancialProduct |
| ForumTopic |
| FreightTemplate |
| GS_UserVerify |
| GoodHarmonyOrder |
| GroupMembers |
| GroupTerms |
| Groups |
| HLJUkeyUser20121127 |
| HalfCard |
| HalfCard_Temp |
| HistoryStatistics |
| InvitationCode |
| InvitationCodeUsers |
| Invite |
| InviteStat |
| JSAwardOrder |
| JSAwardPro |
| JSCity |
| JSSchool |
| KeySNBatch |
| KeySequence |
| LN_MS_UserInfo |
| MailBox |
| Manager |
| ManagerUsbkey |
| ManagerUserBranchName |
| Menus |
| MiaoShaOK |
| MiaoShaOkBak |
| MiaoShaPro |
| MiaoShaZC |
| ModuleCategory |
| MovieOrder |
| MsgTempletRemoved |
| News |
| NewsCategory |
| Options |
| OrderDetail |
| P_Commodity |
| P_CommodityDetail |
| P_OrderDetail |
| P_Orders |
| P_ProductSpecifications |
| P_ThreeSpecifications |
| P_TwoSpecifications |
| P_UserCoupon |
| PhilatelicSpike |
| PointsConsumptionLog |
| PointsToVoucherLog |
| ProductCategory |
| ProductFreightTemplate |
| ProductItem |
| ProductOrders |
| Province |
| RaffleItemsSettings |
| ReceiveManager |
| Receiving |
| RechargeLog |
| RechargeLotteryRecords |
| RechargePayment |
| SMSLog |
| SecondsKillLog |
| SendCardRechargeOrder |
| ShareDetail |
| Signedpolite |
| SuAwardFlashOrder |
| SuAwardFlashPro |
| SuZhouT_UserVerify |
| Subject |
| Supplier |
| SupplierActivity |
| SupplierCategory |
| Sys_Function |
| Sys_Role |
| Sys_RoleFunction |
| Sys_UserRole |
| Tbl_SPPParameter |
| Tbl_SellerProduct |
| Tbl_SellersOrder |
| Tbl_SellersOrderProduct |
| Tbl_Vouchers |
| Tbl_VouchersPay |
| TuanGoldType |
| TuanGou |
| TuanGouBranchShop |
| TuanGouCars |
| TuanGouCarsType |
| TuanGouCode |
| TuanOrder |
| TuanProCateg |
| TurnOKLobbyManagerExtend |
| UkeyUser |
| UkeyUser20121127 |
| UkeyUserTransform |
| UserActivity |
| UserBindPoints |
| UserBlackList |
| UserBooking |
| UserPerm |
| UserPoints |
| UserTemp |
| VAnswerList |
| VAuctionRecord |
| VCouponOrderList |
| VCouponOrderStatistics |
| VOIP |
| V_DicePrize |
| V_P_Commodity |
| VerificationCodeRecord |
| VersionUpgrad |
| VisitOrder |
| Vote |
| VoteItem |
| Voucher |
| VoucherSupplier |
| WeChatMenu |
| WeChatNews |
| Whitelist |
| WinningLimit |
| XJ_CCBUserInfo |
| XJ_UserAccess |
| YZMActivityCodeSN |
| YZMActivityCodeSNCJ |
| YZMActivityCodeSNRemoved |
| YZMActivityType |
| YouLifeOrders |
| ZQAward |
| ZQAwardRemark |
| aukeyuser |
| choujiangdingdan |
| eCouponOrders |
| gsBranch |
| gssubbranch |
| temptable |
| test10 |
| test11 |
| test20 |
| vCouponOrder |
| vGroupList |
| xinchoujiangdingdan |
+--------------------------+
PS: Given the sensitivity of the financial industry, no further testing was done here~
Filter the input.
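The report's one-line fix is "filter". Filtering specific characters is a fragile defence for the injection class shown above; the structural fix is to keep untrusted values out of the SQL text entirely by binding them as parameters. The following is an added example, not code from the report or from the affected site: it builds a constructed in-memory SQLite table (standing in for the target's SQL Server instance) that borrows only the table name UkeyUser from the listing, runs the same input through a string-concatenated query and through a parameterized one, and returns the row counts so the difference is measurable. The column names and sample rows are invented for the demonstration.

```python
"""Added example (not from the original report): string-built query vs.
parameterized query, measured against a constructed SQLite table."""
import sqlite3

# Constructed sample rows; the column layout is assumed, only the table
# name UkeyUser comes from the report's table listing.
SAMPLE_USERS = [
    (1, "alice", "alice@example.invalid"),
    (2, "bob", "bob@example.invalid"),
    (3, "o'neil", "oneil@example.invalid"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE UkeyUser (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO UkeyUser VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable pattern: the untrusted value is spliced into the SQL text,
    so a quote character in it changes the structure of the statement."""
    sql = "SELECT id, name, email FROM UkeyUser WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened pattern: the value is bound as a parameter and compared
    literally, whatever characters it contains."""
    sql = "SELECT id, name, email FROM UkeyUser WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def vulnerable_breaks_on_quote(conn: sqlite3.Connection) -> bool:
    """The concatenated query also fails on legitimate data: a name that
    contains an apostrophe produces a malformed statement."""
    try:
        lookup_vulnerable(conn, "o'neil")
    except sqlite3.OperationalError:
        return True
    return False


def demo() -> dict:
    """Run both lookups on a tautology-shaped value and on a legitimate
    name containing a quote, returning the observable outcomes."""
    conn = make_db()
    tautology = "x' OR '1'='1"  # constructed test value
    return {
        # the spliced version matches every row: the WHERE clause was rewritten
        "vulnerable_rows": len(lookup_vulnerable(conn, tautology)),
        # the bound version compares the whole string literally: no match
        "safe_rows": len(lookup_safe(conn, tautology)),
        # the bound version handles a real name with an apostrophe correctly
        "safe_quote_name": lookup_safe(conn, "o'neil")[0][1],
        "vulnerable_quote_error": vulnerable_breaks_on_quote(conn),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the spliced query returning all three rows for the constructed tautology value while the bound query returns none, and the spliced query failing outright on the legitimate name "o'neil" that the bound query handles. Input validation remains useful as defence in depth (for example, rejecting names that do not match the expected character set), but it is the parameter binding that removes the injection path.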
Severity: Low
Vulnerability Rank: 5
Confirmed: 2014-02-24 09:24
CNVD confirmed and reproduced the described situation and handled it together with http:///bugs/wooyun-2014-; since the cases are duplicates, the total rank is 25. In addition, China Construction Bank confirmed that the website belongs to a partner, and WooYun corrected the title accordingly.
None.