
Vulnerability summary

Defect ID: wooyun-2015-0112674

Title: A system of bank service provider Yucheng Technologies can be compromised (a bloodbath caused by a single SQL injection)

Affected vendor: yuchengtech.com

Author: set

Submitted: 2015-05-07 18:06

Fixed: 2015-06-25 18:44

Published: 2015-06-25 18:44

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: handed over to a third-party partner organization (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-05-07: Details sent to the vendor; awaiting vendor handling
2015-05-11: Vendor confirmed; details disclosed to the vendor only
2015-05-21: Details disclosed to core white hats and domain experts
2015-05-31: Details disclosed to regular white hats
2015-06-10: Details disclosed to intern white hats
2015-06-25: Details disclosed to the public

Brief description:

Today your bro is once again testing and submitting at the same time.
Hopefully the power won't go out halfway through this time.
Amitabha!

Detailed description:

Claims to be one of the largest and most influential companies in China's financial IT industry: a financial solutions provider with more than 5000 employees, subsidiaries and representative offices in over ten cities, serving a hundred banks. And its own backyard is on fire!

1.png


The problem is in the operations support system:

http://219.143.38.248/paycenter/


2.png


SQL injection found (in the email parameter):

http://219.143.38.248/DeliveryCenter/login.do?email=


0.png


3.png


It looks like a lot of bank systems are hosted and managed by you,
so presumably there is plenty inside.
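The report states only that the login endpoint's `email` parameter is injectable. As an added illustration (not code from the report or from the vendor's system), the following builds the same kind of lookup two ways against a constructed SQLite table: the vulnerable form concatenates the request parameter into the SQL text, while the hardened form validates the value and binds it as a query parameter. The table name, columns and sample rows are assumptions for the demonstration, not the real schema.

```python
import re
import sqlite3

# Constructed sample data; the column layout is an assumption, not the real schema.
SAMPLE_USERS = [
    ("alice@example.com", "hash-a"),
    ("bob@example.com", "hash-b"),
]


def make_db():
    """Create an in-memory table standing in for the login user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, pwhash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, email):
    """String concatenation: the request parameter becomes part of the SQL text,
    so a quote in it terminates the literal and the rest is parsed as SQL."""
    sql = "SELECT email FROM users WHERE email = '" + email + "' ORDER BY email"
    return [row[0] for row in conn.execute(sql)]


# Shape check only; it is a defence-in-depth filter, not the primary fix.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def lookup_hardened(conn, email):
    """Reject values that are not shaped like an email address, then bind the
    value as a parameter: the driver sends it as data, never as SQL text."""
    if not EMAIL_RE.fullmatch(email):
        return []
    sql = "SELECT email FROM users WHERE email = ? ORDER BY email"
    return [row[0] for row in conn.execute(sql, (email,))]
```

Running both functions with a normal address and with a value containing a quote shows the difference: the concatenated query's result set changes with the input text, the bound query's does not.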

Proof of vulnerability:

4.png


Tried it out: the [YUCHENG] schema has far too many tables; sqlmap paged through who knows how many screens, probably hundreds or thousands.



5.png


There is too much inside to go through one by one.
Just the thousands of email addresses alone would give plenty to work with.
This brief test stops here.
If it continued, I believe every major bank would get hit.

Fix recommendation:

You have plenty of people; I'll go back to hauling bricks on the construction site.

Copyright notice: please credit the source when reposting, set@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 12

Confirmed: 2015-05-11 18:43

Vendor reply:

CNVD confirmed and reproduced the described situation, and has forwarded it via CNCERT to the banking-industry IT authority and the website owner, who will coordinate follow-up handling with the site's administrators.

Latest status:

None yet


Comments

  1. 2015-05-07 18:12 | 茜茜公主 ( regular white hat | Rank:2360 vulnerabilities:406 | second baby just born at home, these past months have been all diapers... ugh... )

    "Can be Luanxian"? What?

  2. 2015-05-07 18:17 | set ( intern white hat | Rank:41 vulnerabilities:7 | Especially for you)

    @茜茜公主: the editor changed my title and some of the content

  3. 2015-05-07 18:19 | set ( intern white hat | Rank:41 vulnerabilities:7 | Especially for you)

    @茜茜公主: so you're a big shot; your humble junior pays his respects

  4. 2015-05-07 18:49 | 茜茜公主 ( regular white hat | Rank:2360 vulnerabilities:406 | second baby just born at home, these past months have been all diapers... ugh... )

    Not a big shot

  5. 2015-05-07 19:04 | set ( intern white hat | Rank:41 vulnerabilities:7 | Especially for you)

    @茜茜公主: that much Rank already gives away how awesome you are

  6. 2015-06-01 15:03 | 大漠長河 ( intern white hat | Rank:43 vulnerabilities:7 | ( Tianlongyuan scenic area welcomes you...)

    Learning from this. There's a bug here, I can't upvote