当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0154763

漏洞标题:基金从业人员资格考试SQL注入两枚/备份文件下载

相关厂商:中国证券投资基金业协会

漏洞作者: 路人甲

提交时间:2015-11-26 15:18

修复时间:2016-01-14 15:22

公开时间:2016-01-14 15:22

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-11-26: 细节已通知厂商并且等待厂商处理中
2015-11-30: 厂商已经确认,细节仅向厂商公开
2015-12-10: 细节向核心白帽子及相关领域专家公开
2015-12-20: 细节向普通白帽子公开
2015-12-30: 细节向实习白帽子公开
2016-01-14: 细节向公众公开

简要描述:

昨晚打算报名考试的时候无意间发现了注入,然后顺便扫瞄了下既然有备份文件。
中国证券投资基金业协会http://baoming.amac.org.cn:10080/,备份文件里面有几个站的源代码,sql注入泄露所有报名学生详细信息

详细说明:

备份文件:http://**.**.**.**:10080/jjksreg/123.rar

2.PNG

1.PNG


sql注入:在注册页面,专业选择及所在院校都存在sql注入:

3.PNG


3.PNG


4.PNG


用burpsuite抓包

5.PNG


也可以用union select 注入
用sqlmap 跑一下吧

6.PNG


400多个表
-------------------------------+---------+
| dbo.Ttmp | 274043 |
| dbo.TPrintCertLog | 240443 |
| dbo.TCandidateCashAccount | 164740 |
| dbo.MCP_VCandidateInfo | 163618 |
| dbo.TCandidate | 163618 |
| dbo.TCandidateDetail | 163618 |
| dbo.TCandidateUser | 163618 |
| dbo.VBaseCandidate | 163618 |
| dbo.vCandidate | 163618 |
| dbo.vCandidateFeeReturnInfo | 163618 |
| dbo.vCandidateInfo | 163618 |
| dbo.VCSVScoreCandidate | 163618 |
| dbo.vExamRegInfo | 163618 |
| dbo.voCandidate | 163618 |
| dbo.VScoreCandidate | 163618 |
| dbo.tcandidate20150918 | 163606 |
| dbo.TCandidateDetailEncrypt | 163574 |
| dbo.TcandidateGetPSWAnswer | 163573 |
| dbo.TApplyInvoice | 44248 |
| dbo.vApplyInvoice | 44246 |
| dbo.TCandidateGroup | 7087 |
| dbo.V_SGT_CandidateGroup | 7087 |
| dbo.V_SGT_GroupCandidate | 7087 |
| dbo.VCandidateGroup | 7087 |
| dbo.EMP_Testscene_NCMS | 5169 |
| dbo.T_MiddleSchool | 2541 |
| dbo.TCandidateGroupHistory | 1485 |
| dbo.TCandidateForbid | 1355 |
| dbo.TGroupUser | 1122 |
| dbo.VRegionStru | 1121 |
| dbo.MCP_RegionsInfo | 1116 |
| dbo.MCP_VRegionsInfo | 1116 |
| dbo.TRegionInfo | 1116 |
| dbo.EMP_MapRule | 500 |
| dbo.EMP_Step | 450 |
| dbo.TDictDetail | 370 |
| dbo.T_ZhuanYe | 317 |
| dbo.TFuncInfo | 295 |
| dbo.T1231111 | 146 |
| dbo.TTestConfigItem | 123 |
| dbo.TWebDictDetail | 122 |
| dbo.T_ZhengQuan | 112 |
| dbo.TOrganizationCoordinate | 111 |
| dbo.EMP_BulkAppointRegion | 100 |
| dbo.T_ZiXun | 89 |
| dbo.T_ZhiWei | 78 |
| dbo.TSysParam | 75 |
| dbo.T_JiJin | 71 |
| dbo.TDictInfo | 65 |
| dbo.TExamRCtrlInfo | 60 |
| dbo.VNation | 57 |
| dbo.TExamCertStencilFieldsInfo | 50 |
| dbo.TCandidateInfoConfig | 47 |
| dbo.VLogType | 21 |
| dbo.TLogType | 18 |
| dbo.TTemplateRule | 18 |
| dbo.TSysmbol | 15 |
| dbo.TSysInfo | 13 |
| dbo.VCountry | 13 |
| dbo.TFlowCondition | 12 |
| dbo.TFuncGroup | 11 |
| dbo.TExamCertConfig | 10 |
| dbo.T_PingJi | 9 |
| dbo.TTestRoomEnvCheck | 9 |
| dbo.TCandidateState | 8 |
| dbo.TConfigInfo | 7 |
| dbo.TSubPassRuleDetail | 6 |
| dbo.TTestSchedule | 6 |
| dbo.TTimeRange | 6 |
| dbo.voTTestSchedule | 6 |
| dbo.vViewTaskTree | 6 |
| dbo.TAgent | 5 |
| dbo.TAgentOrg | 5 |
| dbo.TExamCertPrintStencil | 5 |
| dbo.TGroupInfo | 5 |
| dbo.vAgentOrgInfo | 5 |
| dbo.VEducation | 5 |
| dbo.TDefaultTestConfig | 4 |
| dbo.EMP_TSubjectNotice | 3 |
| dbo.MCP_VSubjectInfo | 3 |
| dbo.TAgeRange | 3 |
| dbo.TControlStates | 3 |
| dbo.TExamCheck | 3 |
| dbo.TItemScoreRate | 3 |
| dbo.TPrintModel | 3 |
| dbo.TQueryField | 3 |
| dbo.TQueryItem | 3 |
| dbo.TRule | 3 |
| dbo.TScoreRange | 3 |
| dbo.TSubject | 3 |
| dbo.TSubPassRule | 3 |
| dbo.vCheckSubjejectUsed | 3 |
| dbo.vEverySubjectAverageScore | 3 |
| dbo.vExamResult | 3 |
| dbo.VOccupation | 3 |
| dbo.VPrintModel | 3 |
| dbo.VSubjectInfo | 3 |
| dbo.VSubPassRule | 3 |
| dbo.vViewPaperTree | 3 |
| dbo.vViewSubjectTree | 3 |
| dbo.dictTimeMode | 2 |
| dbo.EMP_Upload_EFSInfo | 2 |
| dbo.EMP_Upload_SKINInfo | 2 |
| dbo.TQPPackage | 2 |
| dbo.TSubPassRuleDetailUsed | 2 |
| dbo.TSysTable | 2 |
| dbo.TTestBaseInfo | 2 |
| dbo.TTrackRule | 2 |
| dbo.TUserGroup | 2 |
| dbo.TUserInfo | 2 |
| dbo.vSceneType | 2 |
| dbo.VSex | 2 |
| dbo.vTestBaseInfo | 2 |
| dbo.EMP_Abspaper_Mapping | 1 |
| dbo.EMP_OpenPaperDownload | 1 |
| dbo.EMP_PreQPPackage | 1 |
| dbo.EMP_PreSetAbsPaper | 1 |
| dbo.EMP_TQPHistory | 1 |
| dbo.MCP_VExamOrgInfo | 1 |
| dbo.TCheckList | 1 |
| dbo.TEfsImportInfo | 1 |
| dbo.TNews | 1 |
| dbo.TOrganization | 1 |
| dbo.TQPPackageSkinFile | 1 |
| dbo.TQueryTable | 1 |
| dbo.TSceneTemplate | 1 |
| dbo.TTemplateScene | 1 |
| dbo.TVersion | 1 |
| dbo.VOrganization | 1 |
| dbo.VSceneExamStru | 1 |
| dbo.VSceneStru | 1 |
| dbo.VSceneStruAvailability | 1 |
| dbo.VSubjectStru_New | 1 |
| dbo.VTestRoomStru | 1 |
| dbo.VUsedSceneStru | 1 |
+--------------------------------+---------+

漏洞证明:

sql注入:

7.PNG


备份文件http://**.**.**.**:10080/jjksreg/123.rar

修复方案:

注入点要全面防护阿,备份文件放网站目录之外阿。即使只能用IE进行登陆,但是我用IE登陆上去后把cookie拿下来,再拿到firefox插入之后,同样可以在firefox进行登陆。

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-11-30 15:21

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT向证券业信息化主管部门通报,由其后续协调网站管理单位处置。

最新状态:

暂无