当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0140905

漏洞标题:上海农商银行可以用一个用户名可以发送银行任意虚假消息钓鱼(附赠一疑似SQL注射)

相关厂商:上海农商银行网上商城

漏洞作者: Maxson

提交时间:2015-09-15 16:27

修复时间:2015-11-01 16:02

公开时间:2015-11-01 16:02

漏洞类型:设计缺陷/逻辑错误

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-09-15: 细节已通知厂商并且等待厂商处理中
2015-09-17: 厂商已经确认,细节仅向厂商公开
2015-09-27: 细节向核心白帽子及相关领域专家公开
2015-10-07: 细节向普通白帽子公开
2015-10-17: 细节向实习白帽子公开
2015-11-01: 细节向公众公开

简要描述:

#_# 我自己先提现了100万。

详细说明:

http://mall.srcb.com/customer/member/memberedit.jhtml


随便注册一个账号,然后修改账户信息。
利用短信验证钓鱼。

test.png


全部是用JS做过滤。

$(document).ready(function(){
      $("#zip").province_city_county("province", "city", "county", "102","10201","1020101","");
      $("#savebtn").click(function() {
    	  
    	  	//验证手机号码
    	  if($("#memberMobile").val()!=""){
	    	  if(!$("#memberMobile").val().match(/^1[3|4|5|8][0-9]\d{8}$/)){
	    	    alert("手机号码格式不正确,请重新输入。");
	    	    $("#memberMobile").focus();
	    	    return false;
	    	  }
    	  }
    	  if($("#memberNick").val().length > 20){
    	 		alert("昵称不能大于20个字符");
    	 		$("#memberNick").focus();
    	 		return false;
    	 	}
	 	 if($("#memberName").val().length > 16){
	 		alert("真实姓名不能大于16个字符");
	 		$("#memberName").focus();
	 		return false;
	 	}
	 	if ($("[name=idTypeCode] :selected").val() == 1 && $("#certNum").val()!="") {  //身份证验证
	 		if (($("#certNum").val().length==15 && $("#certNum").val().match(/^[1-9]\d{7}((0\d)|(1[0-2]))(([0|1|2]\d)|3[0-1])\d{3}$/)) ||
	 			($("#certNum").val().length==18 && $("#certNum").val().match(/^[1-9]\d{5}[1-9]\d{3}((0\d)|(1[0-2]))(([0|1|2]\d)|3[0-1])(\d{4}|(\d{3}[xX]{1}))$/)) 
	 			) {
	 			
	 		} else {
	 			alert("身份证格式不正确,请重新输入。");
	    	    $("#certNum").focus();
	    	    return false;
	 		}
	 	}
	 	 if($("#certNum").val().length > 26){
	 		alert("证件号码不能大于26个字符");
	 		$("#certNum").focus();
	 		return false;
	 	}
	 	if($("#certNum").val() != ""){
	 		if(!$("#certNum").val().match(/[A-Za-z0-9]$/)){
	    	    alert("证件号码格式不正确,请重新输入。");
	    	    $("#certNum").focus();
	    	    return false;
	    	  }
	 	}
	 	if($("#memberAddr").val().length > 170){
	 		alert("街道地址不能大于170个字符");
	 		$("#memberAddr").focus();
	 		return false;
	 	}
    	 
    	  //邮箱验证
    	  if(!$("#memberEmail").val() != ""){
	    	  if(!$("#memberEmail").val().match(/^\w+((-\w+)|(\.\w+))*\@[A-Za-z0-9]+((\.|-)[A-Za-z0-9]+)*\.[A-Za-z0-9]+$/)){
			    alert("邮箱格式不正确,请重新输。");
			    $("#email").focus();
			    return false;
			   } 
    	  }


点击账户安全。
提交一下,得到短信:

bank.jpg


既然是JS过滤,完全可以修改内容,- -可想而知。逻辑漏洞还是有的。
还有一个难题我不会利用。
貌似存在POST SQL注入:

POST /customer/member/membersave.jhtml HTTP/1.1
Host: mall.srcb.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/json; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://mall.srcb.com/customer/member/memberedit.jhtml
Content-Length: 294
Cookie: JSESSIONID=00005GL786GN0NjzTAtsQf0QHlL:173qolaje; i2shopping-main=%7B%22userid%22%3A%2200211241%22%2C%22username%22%3A%22%E6%9D%8E%E5%85%88%E7%94%9F%EF%BC%8C%E5%B7%B2%E7%BB%8F%E8%BD%AC%E8%B4%A610000000%E4%B8%87%22%2C%22mobile%22%3A%2213783533827%22%2C%22encode%22%3A%2256d90c0d50a84a3047e52d04e1a5828d%22%2C%22userkind%22%3A%2201%22%2C%22name%22%3A%22%22%2C%22provinceno%22%3A%22102%22%2C%22cityno%22%3A%2210201%22%2C%22email%22%3A%221643216797%40qq.com%22%7D
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
{"email":"**16797@qq.com","memberNickname":"李帅ssssô	Sۄ 	Û帅先生,已经转账100万","name":"李帅帅先生,已经转账100万","mobile":"**3533827","idNumber":"","idTypeCode":"1","address":"","province":"1","city":"1","county":"1","memberBirth":"","marital":"","income":"1","interest":""}


部分*代替了。
效果如下:

结果.png


SqlMapClient operation; SQL []; --- The error occurred while applying a parameter map. --- Check the B2C_MALL_MEMBERINFO.updateByPrimaryKeySelective-InlineParameterMap. --- Check the statement (update failed). --- Cause: com.ibm.db2.jcc.am.SqlDataException: The value of a host variable in the EXECUTE or OPEN statement is out of range for its corresponding use.. SQLCODE=-302, SQLSTATE=22001, DRIVER=3.59.81; nested exception is com.ibatis.common.jdbc.exception.NestedSQLException: --- The error occurred while applying a parameter map. --- Check the B2C_MALL_MEMBERINFO.updateByPrimaryKeySelective-InlineParameterMap. --- Check the statement (update failed). --- Cause: com.ibm.db2.jcc.am.SqlDataException: The value of a host variable in the EXECUTE or OPEN statement is out of range for its corresponding use.. SQLCODE=-302, SQLSTATE=22001, DRIVER=3.59.81


我也看不懂,大神继续。

漏洞证明:

http://mall.srcb.com/customer/member/memberedit.jhtml


随便注册一个账号,然后修改账户信息。
利用短信验证钓鱼。

test.png


全部是用JS做过滤。

$(document).ready(function(){
      $("#zip").province_city_county("province", "city", "county", "102","10201","1020101","");
      $("#savebtn").click(function() {
    	  
    	  	//验证手机号码
    	  if($("#memberMobile").val()!=""){
	    	  if(!$("#memberMobile").val().match(/^1[3|4|5|8][0-9]\d{8}$/)){
	    	    alert("手机号码格式不正确,请重新输入。");
	    	    $("#memberMobile").focus();
	    	    return false;
	    	  }
    	  }
    	  if($("#memberNick").val().length > 20){
    	 		alert("昵称不能大于20个字符");
    	 		$("#memberNick").focus();
    	 		return false;
    	 	}
	 	 if($("#memberName").val().length > 16){
	 		alert("真实姓名不能大于16个字符");
	 		$("#memberName").focus();
	 		return false;
	 	}
	 	if ($("[name=idTypeCode] :selected").val() == 1 && $("#certNum").val()!="") {  //身份证验证
	 		if (($("#certNum").val().length==15 && $("#certNum").val().match(/^[1-9]\d{7}((0\d)|(1[0-2]))(([0|1|2]\d)|3[0-1])\d{3}$/)) ||
	 			($("#certNum").val().length==18 && $("#certNum").val().match(/^[1-9]\d{5}[1-9]\d{3}((0\d)|(1[0-2]))(([0|1|2]\d)|3[0-1])(\d{4}|(\d{3}[xX]{1}))$/)) 
	 			) {
	 			
	 		} else {
	 			alert("身份证格式不正确,请重新输入。");
	    	    $("#certNum").focus();
	    	    return false;
	 		}
	 	}
	 	 if($("#certNum").val().length > 26){
	 		alert("证件号码不能大于26个字符");
	 		$("#certNum").focus();
	 		return false;
	 	}
	 	if($("#certNum").val() != ""){
	 		if(!$("#certNum").val().match(/[A-Za-z0-9]$/)){
	    	    alert("证件号码格式不正确,请重新输入。");
	    	    $("#certNum").focus();
	    	    return false;
	    	  }
	 	}
	 	if($("#memberAddr").val().length > 170){
	 		alert("街道地址不能大于170个字符");
	 		$("#memberAddr").focus();
	 		return false;
	 	}
    	 
    	  //邮箱验证
    	  if(!$("#memberEmail").val() != ""){
	    	  if(!$("#memberEmail").val().match(/^\w+((-\w+)|(\.\w+))*\@[A-Za-z0-9]+((\.|-)[A-Za-z0-9]+)*\.[A-Za-z0-9]+$/)){
			    alert("邮箱格式不正确,请重新输。");
			    $("#email").focus();
			    return false;
			   } 
    	  }


点击账户安全。
提交一下,得到短信:

bank.jpg


既然是JS过滤,完全可以修改内容,- -可想而知。逻辑漏洞还是有的。
还有一个难题我不会利用。
貌似存在POST SQL注入:

POST /customer/member/membersave.jhtml HTTP/1.1
Host: mall.srcb.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/json; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://mall.srcb.com/customer/member/memberedit.jhtml
Content-Length: 294
Cookie: JSESSIONID=00005GL786GN0NjzTAtsQf0QHlL:173qolaje; i2shopping-main=%7B%22userid%22%3A%2200211241%22%2C%22username%22%3A%22%E6%9D%8E%E5%85%88%E7%94%9F%EF%BC%8C%E5%B7%B2%E7%BB%8F%E8%BD%AC%E8%B4%A610000000%E4%B8%87%22%2C%22mobile%22%3A%2213783533827%22%2C%22encode%22%3A%2256d90c0d50a84a3047e52d04e1a5828d%22%2C%22userkind%22%3A%2201%22%2C%22name%22%3A%22%22%2C%22provinceno%22%3A%22102%22%2C%22cityno%22%3A%2210201%22%2C%22email%22%3A%221643216797%40qq.com%22%7D
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
{"email":"**16797@qq.com","memberNickname":"李帅ssssô	Sۄ 	Û帅先生,已经转账100万","name":"李帅帅先生,已经转账100万","mobile":"**3533827","idNumber":"","idTypeCode":"1","address":"","province":"1","city":"1","county":"1","memberBirth":"","marital":"","income":"1","interest":""}


部分*代替了。
效果如下:

结果.png


SqlMapClient operation; SQL []; --- The error occurred while applying a parameter map. --- Check the B2C_MALL_MEMBERINFO.updateByPrimaryKeySelective-InlineParameterMap. --- Check the statement (update failed). --- Cause: com.ibm.db2.jcc.am.SqlDataException: The value of a host variable in the EXECUTE or OPEN statement is out of range for its corresponding use.. SQLCODE=-302, SQLSTATE=22001, DRIVER=3.59.81; nested exception is com.ibatis.common.jdbc.exception.NestedSQLException: --- The error occurred while applying a parameter map. --- Check the B2C_MALL_MEMBERINFO.updateByPrimaryKeySelective-InlineParameterMap. --- Check the statement (update failed). --- Cause: com.ibm.db2.jcc.am.SqlDataException: The value of a host variable in the EXECUTE or OPEN statement is out of range for its corresponding use.. SQLCODE=-302, SQLSTATE=22001, DRIVER=3.59.81


我也看不懂,大神继续。

修复方案:

搞得我好乱啊。

版权声明:转载请注明来源 Maxson@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-09-17 16:00

厂商回复:


CNVD确认并复现所述情况,已经转由CNCERT向银行业信息化主管部门通报,由其后续协调网站管理单位处置. 同时已经转报给上海分中心,由其后续联系处置.

最新状态:

暂无