2015-11-04: 细节已通知厂商并且等待厂商处理中 2015-11-04: 厂商已经确认,细节仅向厂商公开 2015-11-10: 厂商已经修复漏洞并主动公开,细节向公众公开
往下看吧、
http://www.dfzq.com.cn/dfzq.rar 源码下载
找到一个orcale链接的数据库 在tzzgx/aguPrice.jsp
在dfzg/i/level-stock.jsp本机ip为192.168.0.88
WooYun: 东方证劵某信息系统泄露 WooYun: 东方证券某处敏感信息泄露 密码又得改了 0.0有这个 应该是够了还有找到一个鸡肋的sql注入 提出来吧 在login.jsp中
<%@ page contentType="text/html;charset=utf-8"%><%@ include file="/global/globalHeader_qt.jsp"%><%@ include file="/global/globalFunction_qt.jsp"%><%@ page import="rewin.ECSN.util.ActiveUser.*"%><%@ page import="rewin.dfzq.client.ta.*"%><%@ page import="rewin.dfzq.client.crm.*"%><%@ page import="java.sql.*" %><%@page import="security.encypt" %><%response.setHeader("Pragma","No-cache");response.setHeader("Cache-Control","no-cache");response.setDateHeader("Expires", 0); %><%//out.println("<script>alert('尊敬的客户:您好!春节期间本栏目暂停服务,敬请谅解!东方证券祝您节日愉快!');window.history.back//();</script>"); String action = request.getParameter("action"); String from = CheckParam(request.getParameter("from"),"");//招聘类别 String infoid = CheckParam(request.getParameter("infoid"),"");//招聘职位ID //zengyif(action.equals("changpass")) { request.setCharacterEncoding("utf-8"); Connection conn=null; ResultSet rs=null; Statement stmt=null; encypt en=new encypt(); Class.forName("oracle.jdbc.driver.OracleDriver").newInstance(); conn= DriverManager.getConnection("jdbc:oracle:thin:@192.168.248.108:1521:wzdb","infouser_df","password"); String taacount= request.getParameter("tavalidatecode"); String valuepass= request.getParameter("tradepassword"); String sfz= request.getParameter("sfz"); String encyptpass=en.getMD5(valuepass.getBytes()); String sql="select count(*) from checktauser where taacount=?"; PreparedStatement pstmt=conn.prepareStatement(sql); pstmt.setString(1,taacount); rs=pstmt.executeQuery(); while(rs.next()) { if(rs.getString(1).equals("1")) { sql="update checktauser set value=?,bz2=? where taacount=?"; pstmt=conn.prepareStatement(sql); pstmt.setString(1,encyptpass); pstmt.setString(2,sfz); pstmt.setString(3,taacount); pstmt.executeUpdate(); } else { sql="insert into checktauser (value,taacount,bz2) values (?,?,?)"; pstmt=conn.prepareStatement(sql); pstmt.setString(1,encyptpass); pstmt.setString(2,taacount); pstmt.setString(3,sfz); pstmt.executeUpdate(); } } out.println("<script>alert('查询密码修改完成,下次登录请使用新密码');window.history.back();</script>"); } //zengy if(action.equals("logon")) { System.out.println("start to login"); UMBean bean = UMBean.getUMBean(); UserManager user = bean.getUM(); //System.out.println("user=============================="+user); ActiveUser au=new ActiveUser(); au.autoSession(request,response); String username = request.getParameter("username"); String password = request.getParameter("userpassword"); String usertype = request.getParameter("usertype")==null?"":request.getParameter("usertype"); if(usertype.equals("1")){ usertype = "web"; }else if(usertype.equals("2")){ usertype = "trade"; }else if(usertype.equals("3")){ usertype = "ta"; }else if(usertype.equals("4")){ usertype = "crm"; } System.out.println("usertype========="+usertype); String dfhfrom = request.getParameter("dfhfrom"); String rtnmsg =""; String tourl = request.getParameter("tourl"); if(usertype.equals("web")){ String randCode = request.getParameter("webvalidate"); String rand = (String)session.getAttribute("rand"); //if(randCode!=null&&randCode.length()>0&&randCode.equals(rand)){ if(true){ username = request.getParameter("webname"); password = request.getParameter("webpassword"); //System.out.println(username+"==============="+password); if(!user.isValidUser(username)){ if(!user.checkUserPswd(username,password)) { // 密码错 System.out.println("用户名:"+username); System.out.println("密码:"+password); rtnmsg = "登陆出错:用户名密码不匹配"; out.println("<script>alert('"+rtnmsg+"');window.history.back();</script>"); //au.setData("logon_error",rtnmsg); //response.sendRedirect("./logon.jsp?f="+Math.random()); }else{ // 登陆成功 rtnmsg = "登陆成功"; au.logon(username); out.println("<script>alert('"+rtnmsg+"');</script>"); if(!"".equals(from)&&from!=null&&!"dfh".equals(from)){ response.sendRedirect("/dfzq/dfqj/"+from+".jsp?infoid="+infoid); }else{ out.println("<script>window.location.href='/dfzq/index.jsp?usertype=web';</script>"); } } //out.println(userinfo); }else { // 无此用户 //System.out.println("登陆出错:用户名不存在!"); rtnmsg = "登陆出错:用户名不存在"; out.println("<script>alert('"+rtnmsg+"');window.history.back();</script>"); //au.setData("logon_error",rtnmsg); //response.sendRedirect("./logon.jsp?f="+Math.random()); } }else{ //System.out.println("登陆出错:用户名不存在!"); rtnmsg = "登陆出错:验证码不正确"; out.println("<script>alert('"+rtnmsg+"');window.history.back();</script>"); //au.setData("logon_error",rtnmsg); //response.sendRedirect("index.jsp?f="+Math.random()); } }else if(usertype.equals("trade")){ String randCode = request.getParameter("crmvalidatecode"); String rand = (String)session.getAttribute("crmrand"); //if(randCode!=null&&randCode.length()>0&&randCode.equals(rand)){ if(true){ CrmClient client = new CrmClient(); username = request.getParameter("tradename"); password = request.getParameter("tradepassword"); System.out.println("username========================"+username); System.out.println("password========================"+password); String ip = request.getHeader("X-Forwarded-For"); if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) { ip = request.getHeader("Proxy-Client-IP"); } if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) { ip = request.getHeader("WL-Proxy-Client-IP"); } if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) { ip = request.getHeader("HTTP_CLIENT_IP"); } if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) { ip = request.getHeader("HTTP_X_FORWARDED_FOR"); } if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) { ip = request.getRemoteAddr(); } //rewin.dfzq.client.trade.TradeImpl impl = new rewin.dfzq.client.trade.TradeImpl(); rewin.dfzq.client.trade.TradeClient impl = new rewin.dfzq.client.trade.TradeClient(); //String result = impl.validate(username,password,ip,"145.146.5.82", 17990); String result = impl.validate(username,password,ip,"172.16.46.66", 17990); if(result!=null&&result.startsWith("Y")){ String[] results = result.split("\\|"); String orgid = results[1]; session.setAttribute("customcode",username); session.setAttribute("orgid",orgid); session.setAttribute("customname",results[2]); out.print("<script languange=javascript>window.location.href='/dfzq/tzzyd/risk_question.jsp?classid=0002000100070014';</script>"); }else{ rtnmsg = result; out.println("<script>alert('资金账号或身份证有误!');window.history.back();</script>"); } }else{ //System.out.println("登陆出错:用户名不存在!"); rtnmsg = "登陆出错:验证码不正确"; out.println("<script>alert('"+rtnmsg+"');window.history.back();</script>"); //au.setData("logon_error",rtnmsg); //response.sendRedirect("index.jsp?f="+Math.random()); } }else if(usertype.equals("crm")){ String randCode = request.getParameter("crmvalidatecode"); String rand = (String)session.getAttribute("crmrand"); //if(randCode!=null&&randCode.length()>0&&randCode.equals(rand)){ if(true){ CrmClient client = new CrmClient(); username = request.getParameter("crmname"); password = request.getParameter("crmpassword"); System.out.println("username========================"+username); System.out.println("password========================"+password); JjrValue value = client.Jjrlogon(username,password); System.out.println(value); if(value!=null){ rewin.ubsi.util.ObjSet set = client.findJjrxx(" jjrbh ='"+value.getUserid()+"'" ,1,1); JjrxxValue jjrvalue = null; if(set!=null&&set.size()>0){ jjrvalue = (JjrxxValue)set.get(0); au.setData("usertype","crm"); session.setAttribute("usertypesession","crm"); //session.setAttribute("usertypesession","crm"); au.logon(value.getUserid()); au.setData("crmname",jjrvalue.getJjrxm()); session.setAttribute("crmname_bak",jjrvalue.getJjrxm()); System.out.println("======================"+jjrvalue.getJjrxm()); response.sendRedirect("/dfzq/lcgw/crmtrain.jsp?classid=0002000100010008&f="+Math.random()); }else{ rtnmsg = "登陆出错:用户名或密码错误."; out.println("<script>alert('"+rtnmsg+"');window.history.back();</script>"); //au.setData("logon_error",rtnmsg); //response.sendRedirect("logon.jsp?f="+Math.random()); } }else{ rtnmsg = "登陆出错:用户名或密码错误。"; out.println("<script>alert('"+rtnmsg+"');window.history.back();</script>"); //au.setData("logon_error",rtnmsg); //response.sendRedirect("./logon.jsp?f="+Math.random()); } }else{ //System.out.println("登陆出错:用户名不存在!"); rtnmsg = "登陆出错:验证码不正确"; out.println("<script>alert('"+rtnmsg+"');window.history.back();</script>"); //au.setData("logon_error",rtnmsg); //response.sendRedirect("index.jsp?f="+Math.random()); } }else if(usertype.equals("ta")){ String randCode = request.getParameter("tavalidatecode"); String rand = (String)session.getAttribute("tarand"); request.setCharacterEncoding("utf-8"); Connection conn=null; ResultSet rs=null; Statement stmt=null; Class.forName("oracle.jdbc.driver.OracleDriver").newInstance(); conn= DriverManager.getConnection("jdbc:oracle:thin:@192.168.248.108:1521:wzdb","infouser_df","password"); try { //String taacount=request.getParameter("taacount"); //String value=request.getParameter("value"); encypt en=new encypt(); String encyptpass=en.getMD5(password.getBytes()); String taacount=username; String valuepass=password; String sql="select count(*) from checktauser where taacount=?"; PreparedStatement pstmt=conn.prepareStatement(sql); pstmt.setString(1,taacount); rs=pstmt.executeQuery(); while(rs.next()) { if(rs.getString(1).equals("1"))//有这个用户 { sql="select bz2 from checktauser where taacount=?"; pstmt=conn.prepareStatement(sql); pstmt.setString(1,taacount); rs=pstmt.executeQuery(); String sfz=""; while(rs.next()) { sfz=rs.getString(1); } sql="select count(*) from checktauser where taacount='" + taacount + "' and value=?"; pstmt=conn.prepareStatement(sql); //pstmt.setString(1,taacount); pstmt.setString(1,encyptpass); rs=pstmt.executeQuery(); while (rs.next()) { if(rs.getString(1).equals("1"))//有这个用户,密码也对的 { if(true){ TaClient client = new TaClient(); //CustomInfoValue value = client.validate(username,password); CustomInfoValue value = client.validate(username,sfz); if(value!=null){ System.out.println("userid===="+value.getC_custno()); if(user.isValidUser(value.getC_custno())){//判断数据库中是否存在该记录,如果不存在,进行插入。 System.out.println("new user===="+value.getC_custno()); user.addUser(value.getC_custno(),value.getC_custname(),"111111"); Properties pro = new Properties(); pro.setProperty("id",value.getC_custno()); pro.setProperty("name",value.getC_custname()); pro.setProperty("identity",value.getC_identityno()); pro.setProperty("count","1"); user.setUserInfo(value.getC_custno(), "tainfo", pro); user.setUserTemplet(value.getC_custno(), "tainfo", 1);// 设置用户模板 } int usercount = Integer.parseInt(user.getValue(value.getC_custno(),"tainfo.count")); user.setValue(value.getC_custno(),"tainfo.count",String.valueOf(usercount+1)); au.setData("usertype","ta"); au.logon(value.getC_custno()); au.logon(value.getC_custno()); //au.setData("userpassword",password); au.setData("userpassword",sfz); //session.setAttribute("userpassword",password); session.setAttribute("userpassword",sfz); session.setAttribute("usertype","ta"); if(dfhfrom!=null&&dfhfrom.equals("dfh")){ response.sendRedirect("/dfzq/dfh/tainfo.jsp?classid=00020002000700010001"); } } else { rtnmsg = "登陆出错:用户名或密码错误2"; out.println("<script>alert('"+rtnmsg+"');window.history.back();</script>"); //au.setData("logon_error",rtnmsg); //response.sendRedirect("./logon.jsp?f="+Math.random()); } } else { rtnmsg = "登陆出错:验证码不正确"; out.println("<script>alert('"+rtnmsg+"');window.history.back();</script>"); //au.setData("logon_error",rtnmsg); //response.sendRedirect("index.jsp?f="+Math.random()); } } else//有这个用户,密码不对 { rtnmsg = "对不起,用户资料已经加密,密码错误不可查询"; out.println("<script>alert('"+rtnmsg+"');window.history.back();</script>"); } } } else//没有这个用户 { if(true){ TaClient client = new TaClient(); CustomInfoValue value = client.validate(username,password); if(value!=null){ System.out.println("userid===="+value.getC_custno()); if(user.isValidUser(value.getC_custno())){//判断数据库中是否存在该记录,如果不存在,进行插入。 System.out.println("new user===="+value.getC_custno()); user.addUser(value.getC_custno(),value.getC_custname(),"111111"); Properties pro = new Properties(); pro.setProperty("id",value.getC_custno()); pro.setProperty("name",value.getC_custname()); pro.setProperty("identity",value.getC_identityno()); pro.setProperty("count","1"); user.setUserInfo(value.getC_custno(), "tainfo", pro); user.setUserTemplet(value.getC_custno(), "tainfo", 1);// 设置用户模板 } int usercount = Integer.parseInt(user.getValue(value.getC_custno(),"tainfo.count")); user.setValue(value.getC_custno(),"tainfo.count",String.valueOf(usercount+1)); au.setData("usertype","ta"); au.logon(value.getC_custno()); au.logon(value.getC_custno()); au.setData("userpassword",password); session.setAttribute("userpassword",password); session.setAttribute("usertype","ta"); if(dfhfrom!=null&&dfhfrom.equals("dfh")) { response.sendRedirect("/dfzq/dfh/tainfo.jsp?classid=00020002000700010001"); } } else { rtnmsg = "登陆出错:用户名或密码错误1"; out.println("<script>alert('"+rtnmsg+"');window.history.back();</script>"); //au.setData("logon_error",rtnmsg); //response.sendRedirect("./logon.jsp?f="+Math.random()); } } else { rtnmsg = "登陆出错:验证码不正确"; out.println("<script>alert('"+rtnmsg+"');window.history.back();</script>"); //au.setData("logon_error",rtnmsg); //response.sendRedirect("index.jsp?f="+Math.random()); } } }//while rs.next } catch(Exception ex){ ex.printStackTrace(); } } } %>
存在Boolean注入 但是sqlmap跑不出什么数据 应该是有验证码 也用了cdn orcale手注不会 ..建议用CheckParam方法对元素过滤下 这里简单提出下
运维老是犯这种错误啊0.0
危害等级:中
漏洞Rank:10
确认时间:2015-11-04 17:16
问题已确认,计划删除。
2015-11-10:文件已删除
每天都有提醒~厉害!!~@whynot
@霝z 前一阵子写程序 没好好找洞.. 这几天一直在找 嘿嘿