
Vulnerability summary

Defect ID: wooyun-2016-0211631

Title: A bank's main site: DB2 boolean-based blind SQL injection via a pseudo-static URL

Vendor: a bank (unnamed)

Author: diguoji

Submitted: 2016-05-22 22:50

Fix deadline: 2016-07-10 12:00

Public disclosure: 2016-07-10 12:00

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: handed to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2016-05-22: details sent to the vendor, awaiting vendor handling
2016-05-26: vendor confirmed; details visible to the vendor only
2016-06-05: details opened to core white hats and domain experts
2016-06-15: details opened to regular white hats
2016-06-25: details opened to intern white hats
2016-07-10: details opened to the public

Brief description:

.

Detailed description:

Please help review this one too, thanks
http://**.**.**.**/bugs/wooyun-2016-0211479/trace/8722c6d1776df3a473e61e3dc44c12f9
http://**.**.**.**/Site/Home/CN

Screenshots: 1.png, 2.png, 3.png, 4.png (images not reproduced here)


No WAF; went straight to sqlmap. Did not dump the data.

available databases [10]:
[*] DB2INST1
[*] NULLID
[*] SQLJ
[*] SYSCAT
[*] SYSFUN
[*] SYSIBM
[*] SYSIBMADM
[*] SYSPROC
[*] SYSSTAT
[*] SYSTOOLS
current database: 'CMSDB'
database management system users [1]:
[*] DB2INST1

Proof of vulnerability:

[313 tables]
+--------------------------------+
| ADVISE_WORKLOAD |
| AREA |
| AREA_EMAIL |
| COMPANY_LOANS |
| D2S_BLOCK_TEMPLATEMAP |
| D2S_CHANEL_CHANEL_RELATIONSHIP |
| D2S_CHANNEL_BLOCKMAP |
| D2S_CHANNEL_INFO_RELATIONSHIP |
| D2S_CHANNEL_TEMPLATEMAP |
| D2S_INFO_BLOCKMAP |
| D2S_INFO_CHANNEL_RELATIONSHIP |
| D2S_INFO_INFO_RELATIONSHIP |
| D2S_INFO_TEMPLATEMAP |
| D2S_TEMPLATE |
| EMAIL_SEND_LOG |
| EXPLAIN_ARGUMENT |
| EXPLAIN_INSTANCE |
| EXPLAIN_OBJECT |
| EXPLAIN_OPERATOR |
| EXPLAIN_PREDICATE |
| EXPLAIN_STATEMENT |
| EXPLAIN_STREAM |
| LOANS_TYPE |
| LOANS_VARIETIES |
| PERSONAL_BUSINESS_LOANS |
| PERSONAL_CONSUMER_LOANS |
| PERSONAL_INFORMATION |
| PERSONAL_LOANS_REF |
| T_CHANNEL_OPERATOR |
| T_CMSWF_DEF_SET |
| T_CMSWF_DESIGN_TRACK |
| T_CMSWF_SITE_MAP |
| T_CMS_CHANNELWORKFLOW |
| T_CMS_CHANNEL_RSS |
| T_CMS_D2S_EVENT |
| T_CMS_DEPARTMENT |
| T_CMS_DUTY |
| T_CMS_ENTITYWORKFLOW |
| T_CMS_ENTITYWORKFLOW_SET |
| T_CMS_HOTKEY |
| T_CMS_KEYCLASS |
| T_CMS_KEYWORD |
| T_CMS_MEMBER |
| T_CMS_MEMBERGROUP_PERMISSION_R |
| T_CMS_MEMBER_GROUP |
| T_CMS_MEMBER_GROUP_RELATION |
| T_CMS_MEMBER_PERMISSION |
| T_CMS_QUICKLINK |
| T_CMS_ROLE |
| T_CMS_RSS |
| T_CMS_SEARCH_FULL |
| T_CMS_STATISTIC |
| T_CMS_STATISTIC_TEMP |
| T_CMS_STATUS_MENU |
| T_CMS_SURVEY_QUESTIONNAIRE |
| T_CMS_SYSTEM |
| T_CMS_USER |
| T_CMS_USERGROUP |
| T_CMS_USER_DUTY |
| T_CMS_USER_LANAGER |
| T_CMS_USER_MENU |
| T_CMS_USER_ROLE |
| T_CMS_USER_SITE |
| T_CMS_USER_SITEHOME |
| T_CONTENT |
| T_FILE |
| T_FILE_CMSTOPIC_M |
| T_FILE_CMSTOPIC_S |
| T_FILE_CMS_ADVERT_M |
| T_FILE_CMS_ADVERT_S |
| T_FILE_CMS_ADV_CAT_M |
| T_FILE_CMS_ADV_CAT_S |
| T_FILE_CMS_CHANNEL_M |
| T_FILE_CMS_CHANNEL_S |
| T_FILE_CMS_FEDBCAT_M |
| T_FILE_CMS_FEDBCAT_S |
| T_FILE_CMS_FEEDBAK_M |
| T_FILE_CMS_FEEDBAK_S |
| T_FILE_CMS_FILE_M |
| T_FILE_CMS_FILE_S |
| T_FILE_CMS_FOLDER_M |
| T_FILE_CMS_FOLDER_S |
| T_FILE_CMS_INFO_M |
| T_FILE_CMS_INFO_S |
| T_FILE_CMS_LANG_M |
| T_FILE_CMS_LANG_S |
| T_FILE_CMS_LINK_C_M |
| T_FILE_CMS_LINK_C_S |
| T_FILE_CMS_LINK_M |
| T_FILE_CMS_LINK_S |
| T_FILE_CMS_PER_COL_M |
| T_FILE_CMS_PER_COL_S |
| T_FILE_CMS_PER_C_M |
| T_FILE_CMS_PER_C_S |
| T_FILE_CMS_PER_M |
| T_FILE_CMS_PER_S |
| T_FILE_CMS_PRODUCT_M |
| T_FILE_CMS_PRODUCT_S |
| T_FILE_CMS_REMARK_M |
| T_FILE_CMS_REMARK_S |
| T_FILE_CMS_SITE_M |
| T_FILE_CMS_SITE_S |
| T_FILE_CMS_SURVEY_M |
| T_FILE_CMS_SURVEY_S |
| T_FILE_CMS_SUR_CAT_M |
| T_FILE_CMS_SUR_CAT_S |
| T_FILE_CMS_SUR_INF_M |
| T_FILE_CMS_SUR_INF_S |
| T_FILE_CMS_SUR_QUS_M |
| T_FILE_CMS_SUR_QUS_S |
| T_FILE_PERMISSION |
| T_FILE_PERMISSION_SPLIT |
| T_FILE_ROOTTYPE_M |
| T_FILE_ROOTTYPE_S |
| T_FILE_VERSION |
| T_FILE_VERSION_CMSTOPIC_M |
| T_FILE_VERSION_CMSTOPIC_S |
| T_FILE_VERSION_CMS_ADVERT_M |
| T_FILE_VERSION_CMS_ADVERT_S |
| T_FILE_VERSION_CMS_ADV_CAT_M |
| T_FILE_VERSION_CMS_ADV_CAT_S |
| T_FILE_VERSION_CMS_CHANNEL_M |
| T_FILE_VERSION_CMS_CHANNEL_S |
| T_FILE_VERSION_CMS_FEDBCAT_M |
| T_FILE_VERSION_CMS_FEDBCAT_S |
| T_FILE_VERSION_CMS_FEEDBAK_M |
| T_FILE_VERSION_CMS_FEEDBAK_S |
| T_FILE_VERSION_CMS_FILE_M |
| T_FILE_VERSION_CMS_FILE_S |
| T_FILE_VERSION_CMS_FOLDER_M |
| T_FILE_VERSION_CMS_FOLDER_S |
| T_FILE_VERSION_CMS_INFO_M |
| T_FILE_VERSION_CMS_INFO_S |
| T_FILE_VERSION_CMS_LANG_M |
| T_FILE_VERSION_CMS_LANG_S |
| T_FILE_VERSION_CMS_LINK_C_M |
| T_FILE_VERSION_CMS_LINK_C_S |
| T_FILE_VERSION_CMS_LINK_M |
| T_FILE_VERSION_CMS_LINK_S |
| T_FILE_VERSION_CMS_PER_COL_M |
| T_FILE_VERSION_CMS_PER_COL_S |
| T_FILE_VERSION_CMS_PER_C_M |
| T_FILE_VERSION_CMS_PER_C_S |
| T_FILE_VERSION_CMS_PER_M |
| T_FILE_VERSION_CMS_PER_S |
| T_FILE_VERSION_CMS_PRODUCT_M |
| T_FILE_VERSION_CMS_PRODUCT_S |
| T_FILE_VERSION_CMS_REMARK_M |
| T_FILE_VERSION_CMS_REMARK_S |
| T_FILE_VERSION_CMS_SITE_M |
| T_FILE_VERSION_CMS_SITE_S |
| T_FILE_VERSION_CMS_SURVEY_M |
| T_FILE_VERSION_CMS_SURVEY_S |
| T_FILE_VERSION_CMS_SUR_CAT_M |
| T_FILE_VERSION_CMS_SUR_CAT_S |
| T_FILE_VERSION_CMS_SUR_INF_M |
| T_FILE_VERSION_CMS_SUR_INF_S |
| T_FILE_VERSION_CMS_SUR_QUS_M |
| T_FILE_VERSION_CMS_SUR_QUS_S |
| T_FILE_VERSION_LABEL |
| T_FILE_VERSION_ROOTTYPE_M |
| T_FILE_VERSION_ROOTTYPE_S |
| T_FOLDER |
| T_FOLDER_ALIAS |
| T_FOLDER_CMSTOPIC_M |
| T_FOLDER_CMSTOPIC_S |
| T_FOLDER_CMS_ADVERT_M |
| T_FOLDER_CMS_ADVERT_S |
| T_FOLDER_CMS_ADV_CAT_M |
| T_FOLDER_CMS_ADV_CAT_S |
| T_FOLDER_CMS_CHANNEL_M |
| T_FOLDER_CMS_CHANNEL_S |
| T_FOLDER_CMS_FEDBCAT_M |
| T_FOLDER_CMS_FEDBCAT_S |
| T_FOLDER_CMS_FEEDBAK_M |
| T_FOLDER_CMS_FEEDBAK_S |
| T_FOLDER_CMS_FILE_M |
| T_FOLDER_CMS_FILE_S |
| T_FOLDER_CMS_FOLDER_M |
| T_FOLDER_CMS_FOLDER_S |
| T_FOLDER_CMS_INFO_M |
| T_FOLDER_CMS_INFO_S |
| T_FOLDER_CMS_LANG_M |
| T_FOLDER_CMS_LANG_S |
| T_FOLDER_CMS_LINK_C_M |
| T_FOLDER_CMS_LINK_C_S |
| T_FOLDER_CMS_LINK_M |
| T_FOLDER_CMS_LINK_S |
| T_FOLDER_CMS_PER_COL_M |
| T_FOLDER_CMS_PER_COL_S |
| T_FOLDER_CMS_PER_C_M |
| T_FOLDER_CMS_PER_C_S |
| T_FOLDER_CMS_PER_M |
| T_FOLDER_CMS_PER_S |
| T_FOLDER_CMS_PRODUCT_M |
| T_FOLDER_CMS_PRODUCT_S |
| T_FOLDER_CMS_REMARK_M |
| T_FOLDER_CMS_REMARK_S |
| T_FOLDER_CMS_SITE_M |
| T_FOLDER_CMS_SITE_S |
| T_FOLDER_CMS_SURVEY_M |
| T_FOLDER_CMS_SURVEY_S |
| T_FOLDER_CMS_SUR_CAT_M |
| T_FOLDER_CMS_SUR_CAT_S |
| T_FOLDER_CMS_SUR_INF_M |
| T_FOLDER_CMS_SUR_INF_S |
| T_FOLDER_CMS_SUR_QUS_M |
| T_FOLDER_CMS_SUR_QUS_S |
| T_FOLDER_PERMISSION |
| T_FOLDER_PERMISSION_SPLIT |
| T_FOLDER_ROOTTYPE_M |
| T_FOLDER_ROOTTYPE_S |
| T_FOLDER_VERSION |
| T_FOLDER_VERSION_CMSTOPIC_M |
| T_FOLDER_VERSION_CMSTOPIC_S |
| T_FOLDER_VERSION_CMS_ADVERT_M |
| T_FOLDER_VERSION_CMS_ADVERT_S |
| T_FOLDER_VERSION_CMS_ADV_CAT_M |
| T_FOLDER_VERSION_CMS_ADV_CAT_S |
| T_FOLDER_VERSION_CMS_CHANNEL_M |
| T_FOLDER_VERSION_CMS_CHANNEL_S |
| T_FOLDER_VERSION_CMS_FEDBCAT_M |
| T_FOLDER_VERSION_CMS_FEDBCAT_S |
| T_FOLDER_VERSION_CMS_FEEDBAK_M |
| T_FOLDER_VERSION_CMS_FEEDBAK_S |
| T_FOLDER_VERSION_CMS_FILE_M |
| T_FOLDER_VERSION_CMS_FILE_S |
| T_FOLDER_VERSION_CMS_FOLDER_M |
| T_FOLDER_VERSION_CMS_FOLDER_S |
| T_FOLDER_VERSION_CMS_INFO_M |
| T_FOLDER_VERSION_CMS_INFO_S |
| T_FOLDER_VERSION_CMS_LANG_M |
| T_FOLDER_VERSION_CMS_LANG_S |
| T_FOLDER_VERSION_CMS_LINK_C_M |
| T_FOLDER_VERSION_CMS_LINK_C_S |
| T_FOLDER_VERSION_CMS_LINK_M |
| T_FOLDER_VERSION_CMS_LINK_S |
| T_FOLDER_VERSION_CMS_PER_COL_M |
| T_FOLDER_VERSION_CMS_PER_COL_S |
| T_FOLDER_VERSION_CMS_PER_C_M |
| T_FOLDER_VERSION_CMS_PER_C_S |
| T_FOLDER_VERSION_CMS_PER_M |
| T_FOLDER_VERSION_CMS_PER_S |
| T_FOLDER_VERSION_CMS_PRODUCT_M |
| T_FOLDER_VERSION_CMS_PRODUCT_S |
| T_FOLDER_VERSION_CMS_REMARK_M |
| T_FOLDER_VERSION_CMS_REMARK_S |
| T_FOLDER_VERSION_CMS_SITE_M |
| T_FOLDER_VERSION_CMS_SITE_S |
| T_FOLDER_VERSION_CMS_SURVEY_M |
| T_FOLDER_VERSION_CMS_SURVEY_S |
| T_FOLDER_VERSION_CMS_SUR_CAT_M |
| T_FOLDER_VERSION_CMS_SUR_CAT_S |
| T_FOLDER_VERSION_CMS_SUR_INF_M |
| T_FOLDER_VERSION_CMS_SUR_INF_S |
| T_FOLDER_VERSION_CMS_SUR_QUS_M |
| T_FOLDER_VERSION_CMS_SUR_QUS_S |
| T_FOLDER_VERSION_LABEL |
| T_FOLDER_VERSION_ROOTTYPE_M |
| T_FOLDER_VERSION_ROOTTYPE_S |
| T_INFO_OPERATOR |
| T_PAI_DEPARTMENT |
| T_PAI_DEPARTMENTROLERELATION |
| T_PAI_DEPT_DEPT |
| T_PAI_DEPT_GROUP |
| T_PAI_GROUPROLERELATION |
| T_PAI_GROUP_GROUP |
| T_PAI_GUSER_DEPARTMENT |
| T_PAI_GUSER_GROUP |
| T_PAI_GUSER_ROLE |
| T_PAI_HI_VALUE |
| T_PAI_HI_VALUE_GUSER |
| T_PAI_HI_VALUE_ROLE |
| T_PAI_REFRESHFLAG |
| T_PAI_ROLE |
| T_PAI_ROLE_ROLE |
| T_PAI_USER |
| T_PAI_USERGROUP |
| T_PERMISSION_SET |
| T_PERMISSION_SET_BLACK |
| T_PORTAL_PAGE_ACTION |
| T_PORTAL_PAGE_DEF |
| T_PORTAL_PAGE_FILTER |
| T_PORTAL_PAGE_ROLE_RELATION |
| T_PORTAL_PORTLET_DATA |
| T_PORTAL_PORTLET_DATA_STORE |
| T_PORTAL_PORTLET_INSTANCE |
| T_PORTAL_PORTLET_ROLE_RELATION |
| T_REFERENCE |
| T_REFERENCE_VERSION |
| T_SEQUENCE |
| T_SITE_TEMPLATE |
| T_SYSTEM |
| T_SYS_PERMISSION |
| T_TEMPLATE_CHANNELMAP |
| T_TEMPLATE_HOMEINFOMAP |
| T_TEMPLATE_INFOMAP |
| T_TYPE_DEFINITION |
| T_TYPE_INDEX |
| T_TYPE_INDEX_PROP |
| T_TYPE_PROPERTY |
| T_VALUE_ID |
| T_VERSION_CONTENT |
| T_WF_ACTIVITY |
| T_WF_ANDJOINENTRY |
| T_WF_COMMONRELEVANTDATA |
| T_WF_DEFINITION |
| T_WF_DEFINITIONFLAG |
| T_WF_EXTERNALRD |
| T_WF_PROCESS |
| T_WF_TESTCUSTOMRD |
| T_WF_USERACTION |
| T_WF_WORKITEM |
+--------------------------------+

Fix proposal:

Copyright notice: credit diguoji@WooYun when reposting


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2016-05-26 11:57

Vendor reply:

CNVD confirmed and reproduced the described issue. It has been forwarded via CNCERT to the banking-sector IT supervisory authority, with a copy to the Shandong branch centre to assist with handling; the branch centre will then coordinate remediation with the website's operating unit.

Latest status:

None yet


Comments:

  1. 2016-05-22 23:25 | 坏男孩-A_A (intern white hat | Rank:81 vulns:23 | learning in awe)

    A bank's main site?

  2. 2016-05-26 12:32 | 放逐 (passer-by | Rank:2 vulns:1 | white hat 放逐 Gg? gains and losses, joy and sorrow, with Av, QQ 205655539)

    QWQ