当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0100611

漏洞标题:中国国际航空股份有限公司旗下某站存在SQL注入(数百万信息数据)之二

相关厂商:中国国际航空股份有限公司

漏洞作者: Ch4r0n

提交时间:2015-03-11 10:07

修复时间:2015-04-25 10:08

公开时间:2015-04-25 10:08

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:10

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-03-11: 细节已通知厂商并且等待厂商处理中
2015-03-13: 厂商已经确认,细节仅向厂商公开
2015-03-23: 细节向核心白帽子及相关领域专家公开
2015-04-02: 细节向普通白帽子公开
2015-04-12: 细节向实习白帽子公开
2015-04-25: 细节向公众公开

简要描述:

提交中国国际航空股份有限公司某站存在SQL注入(数百万信息数据)后,原本以为没有参数存在注入了,没想到就在它旁边还有一个,就简单提交一下吧。rank随便给吧。

详细说明:

民航快递有限责任公司
http://www.cae.com.cn/Default.aspx
大客户登录处存在SQL注入,Oracle数据库,就单单看了CAE一个数据库就可以获取数百万数据信息,同时也可以获取客户信息,公司信息,管理员信息等。
存在SQL注入的地址

http://www.cae.com.cn/webfunction/customerinquiries/CusLogin.aspx?


随便输入,然后登录抓包
========================================================

POST http://www.cae.com.cn/webfunction/customerinquiries/CusLogin.aspx HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0; QQBrowser/8.0.3345.400)
Referer: http://www.cae.com.cn/webfunction/customerinquiries/CusLogin.aspx?
Accept-Language: zh-CN
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: www.cae.com.cn
Content-Length: 9081
Connection: Keep-Alive
Pragma: no-cache
Cookie: ASP.NET_SessionId=ymj0s43y1agbpb45zt3y2g45
__VIEWSTATE=%2FwEPDwUKMjEwMDk5MTMwMg9kFgJmD2QWAgIDD2QWBAIBDw8WAh4EVGV4dAX7CDx0YWJsZSBjZWxscGFkZGluZz0iMCIgY2VsbHNwYWNpbmc9IjAiIGNsYXNzPSJNZW51VGFibGUiPjx0cj48dGQgYWxpZ249bGVmdCB3aWR0aD0iMTFweCI%2BPGltZyBzcmM9Ii9pbWFnZXMvbWVudV9sZWZ0LmdpZiIgLz48L3RkPiA8dGQgaWQ9Im1lbnV0ZDAiIGNsYXNzPSJNZW51VGRfbW92ZSIgb25tb3VzZW1vdmU9Im5UYWJzKHRoaXMsMCkiIHN0eWxlPSJjdXJzb3I6cG9pbnRlciIgb25jbGljaz0iSmF2YXNjcmlwdDpsb2NhdGlvbi5ocmVmPScvRGVmYXVsdC5hc3B4JyI%2B6aaWIOmhtTwvdGQ%2BPHRkICB3aWR0aD0iMTFweCI%2BPGltZyBzcmM9Ii9pbWFnZXMvbWVudV9iay5naWYiIC8%2BPC90ZD48dGQgaWQ9Im1lbnV0ZDEiIGNsYXNzPSJNZW51VGQiIG9ubW91c2Vtb3ZlPSJuVGFicyh0aGlzLDEpIiBzdHlsZT0iY3Vyc29yOnBvaW50ZXIiID7lnKjnur%2FmlK%2FmjIE8L3RkPjx0ZCAgd2lkdGg9IjExcHgiPjxpbWcgc3JjPSIvaW1hZ2VzL21lbnVfYmsuZ2lmIiAvPjwvdGQ%2BPHRkIGlkPSJtZW51dGQyIiBjbGFzcz0iTWVudVRkIiBvbm1vdXNlbW92ZT0iblRhYnModGhpcywyKSIgc3R5bGU9ImN1cnNvcjpwb2ludGVyIiA%2B5Lqn5ZOB5LiO5pyN5YqhPC90ZD48dGQgIHdpZHRoPSIxMXB4Ij48aW1nIHNyYz0iL2ltYWdlcy9tZW51X2JrLmdpZiIgLz48L3RkPjx0ZCBpZD0ibWVudXRkMyIgY2xhc3M9Ik1lbnVUZCIgb25tb3VzZW1vdmU9Im5UYWJzKHRoaXMsMykiIHN0eWxlPSJjdXJzb3I6cG9pbnRlciIgPuaWsOmXu%2BWKqOaAgTwvdGQ%2BPHRkICB3aWR0aD0iMTFweCI%2BPGltZyBzcmM9Ii9pbWFnZXMvbWVudV9iay5naWYiIC8%2BPC90ZD48dGQgaWQ9Im1lbnV0ZDQiIGNsYXNzPSJNZW51VGQiIG9ubW91c2Vtb3ZlPSJuVGFicyh0aGlzLDQpIiBzdHlsZT0iY3Vyc29yOnBvaW50ZXIiID7kurrmiY3mi5vogZg8L3RkPjx0ZCAgd2lkdGg9IjExcHgiPjxpbWcgc3JjPSIvaW1hZ2VzL21lbnVfYmsuZ2lmIiAvPjwvdGQ%2BPHRkIGlkPSJtZW51dGQ1IiBjbGFzcz0iTWVudVRkIiBvbm1vdXNlbW92ZT0iblRhYnModGhpcyw1KSIgc3R5bGU9ImN1cnNvcjpwb2ludGVyIiA%2B6LWw6L%2BbQ0FFPC90ZD48dGQgYWxpZ249cmlnaHQgd2lkdGg9IjExcHgiPjxpbWcgc3JjPSIvaW1hZ2VzL21lbnVfcmlnaHQuZ2lmIj48L3RkPjwvdHI%2BPC90YWJsZT5kZAIDDw8WAh8ABdcoPHRhYmxlIGNlbGxwYWRkaW5nPTAgY2VsbHNwYWNpbmc9MCB3aWR0aD0iOTglIiAgaWQ9Im15VGFiMF9Db250ZW50MCIgY2xhc3M9IlRhYkNvbnRlbnREaXZTaG93Ij48dHI%2BPHRkIHdpZHRoPTMzcHg%2BJm5ic3A7PC90ZD4gPHRkPiA8dGFibGUgY2VsbHBhZGRpbmc9MCBjZWxsc3BhY2luZz0wPjx0cj48dGQ%2BPHVsPjwvdWw%2BPC90ZD48L3RyPjwvdGFibGU%2BPC90ZD48L3RyPjwvdGFibGU%2BPHRhYmxlIGNlbGxwYWRkaW5nPTAgY2VsbHNwYWNpbmc9MCB3aWR0aD0iOTglIiAgaWQ9Im15VGFiMF9Db250ZW50MSIgY2xhc3M9IlRhYkNvbnRlbnREaXYiPjx0cj48dGQgd2lkdGg9MTU1cHg%2BJm5ic3A7PC90ZD4gPHRkPiA8dGFibGUgY2VsbHBhZGRpbmc9MCBjZWxsc3BhY2luZz0wPjx0cj48dGQ%2BPHVsPjxsaT48YSBocmVmPSIvd2ViRnVuY3Rpb24vRGVsaXZlcnlSYW5nZS9EZWZhdWx0LmFzcHgiPuWPlumAgeiMg%2BWbtDwvYT48L2xpPjxsaT4mbmJzcDsmbmJzcDsmbmJzcDt8Jm5ic3A7Jm5ic3A7Jm5ic3A7PC9saT48bGk%2BPGEgaHJlZj0iL3dlYkZ1bmN0aW9uL0V4cHJlc3NRdWVyeS9EZWZhdWx0LmFzcHgiPuW%2Fq%2BS7tuafpeivojwvYT48L2xpPjxsaT4mbmJzcDsmbmJzcDsmbmJzcDt8Jm5ic3A7Jm5ic3A7Jm5ic3A7PC9saT48bGk%2BPGEgaHJlZj0iL3dlYkZ1bmN0aW9uL0N1c3RvbWVySW5xdWlyaWVzL0RlZmF1bHQuYXNweCI%2B5aSn5a6i5oi35p%2Bl6K%2BiPC9hPjwvbGk%2BPGxpPiZuYnNwOyZuYnNwOyZuYnNwO3wmbmJzcDsmbmJzcDsmbmJzcDs8L2xpPjxsaT48YSBocmVmPSIvd2ViRnVuY3Rpb24vV2ViQ29tcGxhaW50L0RlZmF1bHQuYXNweCI%2B5oqV6K%2BJ5LiO5bu66K6uPC9hPjwvbGk%2BPGxpPiZuYnNwOyZuYnNwOyZuYnNwO3wmbmJzcDsmbmJzcDsmbmJzcDs8L2xpPjxsaT48YSBocmVmPSIvd2ViZnVuY3Rpb24vUXNjV2ViL2RlZmF1bHQuYXNweCI%2B5Y2P5L2c5bmz5Y%2BwPC9hPjwvbGk%2BPC91bD48L3RkPjwvdHI%2BPC90YWJsZT48L3RkPjwvdHI%2BPC90YWJsZT48dGFibGUgY2VsbHBhZGRpbmc9MCBjZWxsc3BhY2luZz0wIHdpZHRoPSI5OCUiICBpZD0ibXlUYWIwX0NvbnRlbnQyIiBjbGFzcz0iVGFiQ29udGVudERpdiI%2BPHRyPjx0ZD4mbmJzcDs8L3RkPiA8dGQgcm93bmFwIGFsaWduPWNlbnRlcj4gPHRhYmxlIGNlbGxwYWRkaW5nPTAgY2VsbHNwYWNpbmc9MD48dHI%2BPHRkPjx1bD48bGk%2BPGEgaHJlZj0iamF2YXNjcmlwdDp2b2lkKDApIj7moIflh4bkuqflk4E8L2E%2BPHVsPjxsaT48YSBocmVmPSIvd2ViZnVuY3Rpb24vd2VicGFnZS5hc3B4P25pZD1mOTNmY2ZiNzllM2Q0YzM3YTY5NTk4ZDAxOTdhNzkzMCI%2B6ZmQ5pe25pyN5YqhPC9hPjxsaT48YSBocmVmPSIvd2ViZnVuY3Rpb24vd2VicGFnZS5hc3B4P25pZD0zYjZlOTQ1NDBiZDE0NTRkYjAyNjk5Zjk0ZTFmNGUwNiI%2B5YiG5pe26YCS6YCBPC9hPjxsaT48YSBocmVmPSIvd2ViZnVuY3Rpb24vd2VicGFnZS5hc3B4P25pZD1iYjc4NTAyMWJlYzE0NzIxOTcyODI5ZDY0ZDYxNjAwYSI%2B5pmu6LSn6L%2BQ6L6TPC9hPjwvdWw%2BPC9saT48L2xpPjxsaT4mbmJzcDsmbmJzcDsmbmJzcDt8Jm5ic3A7Jm5ic3A7Jm5ic3A7PC9saT48bGk%2BPGEgaHJlZj0iamF2YXNjcmlwdDp2b2lkKDApIj7lop7lgLzmnI3liqE8L2E%2BPHVsPjxsaT48YSBocmVmPSIvd2ViZnVuY3Rpb24vd2VicGFnZS5hc3B4P25pZD1lNTI2OWM2YTU2NTk0MGRjYmI1YmE4NmYyNjI4Mjk5NCI%2B5byA566x6aqM6LSnPC9hPjxsaT48YSBocmVmPSIvd2ViZnVuY3Rpb24vd2VicGFnZS5hc3B4P25pZD0wY2RiNTU5ZTJjODc0MDVlOTU1NTQxZTJiZWIzODY1ZCI%2B562%2B5Y2V6L%2BU5ZuePC9hPjxsaT48YSBocmVmPSIvd2ViZnVuY3Rpb24vd2VicGFnZS5hc3B4P25pZD1mMGExNWE0ZTZlMTA0ZGYzYTRmOGY1NDI5NTUwZWIxOCI%2B5Lul5pen5o2i5pawPC9hPjxsaT48YSBocmVmPSIvd2ViZnVuY3Rpb24vd2VicGFnZS5hc3B4P25pZD00ZGRhMTAzM2ZmOWM0YTE3OGYyMGRlMTQ3MjFiNDNmMiI%2B5L%2Bd5Lu35pyN5YqhPC9hPjwvdWw%2BPC9saT48L2xpPjxsaT4mbmJzcDsmbmJzcDsmbmJzcDt8Jm5ic3A7Jm5ic3A7Jm5ic3A7PC9saT48bGk%2BPGEgaHJlZj0iamF2YXNjcmlwdDp2b2lkKDApIj7kuKrmgKfmlrnmoYg8L2E%2BPHVsPjxsaT48YSBocmVmPSIvd2ViZnVuY3Rpb24vd2VicGFnZS5hc3B4P25pZD1iMTJlNDY3ZmRjOTQ0OWZlODIwNTcyZmI4OTVhOTRlMiI%2B5aSH5Lu254mp5rWB6Kej5Yaz5pa55qGIPC9hPjxsaT48YSBocmVmPSIvd2ViZnVuY3Rpb24vd2VicGFnZS5hc3B4P25pZD02ZDYwZjJiNzgyZTA0NDc2ODcwNWMyNjk2OWRlNmQxNyI%2B57u85ZCI54mp5rWB6Kej5Yaz5pa55qGIPC9hPjwvdWw%2BPC9saT48L2xpPjxsaT4mbmJzcDsmbmJzcDsmbmJzcDt8Jm5ic3A7Jm5ic3A7Jm5ic3A7PC9saT48bGk%2BPGEgaHJlZj0iL3dlYmZ1bmN0aW9uL3dlYnBhZ2UuYXNweD9uaWQ9MDllNmVjZTFmODY4NDU2YWJjNTdhOTNkMDRkZWI0YTAiPuWbvemZheS4muWKoTwvYT48L2xpPjxsaT4mbmJzcDsmbmJzcDsmbmJzcDt8Jm5ic3A7Jm5ic3A7Jm5ic3A7PC9saT48bGk%2BPGEgaHJlZj0iamF2YXNjcmlwdDp2b2lkKDApIj7lrqLmiLfpobvnn6U8L2E%2BPHVsPjxsaT48YSBocmVmPSIvd2ViZnVuY3Rpb24vd2VicGFnZS5hc3B4P25pZD01MjEyNjUwMzM3ZjY0ZmM0YTE1OGUwNDU5MWJmZThmZSI%2B5b%2Br6YCS5Y2V5aGr5YaZ5oyH5byVPC9hPjxsaT48YSBocmVmPSIvd2ViZnVuY3Rpb24vd2VicGFnZS5hc3B4P25pZD1jNzcwZjE3ZDM2ZTU0NDFmYmU5ZGYzOWM3YzIzZjJhYSI%2B56aB6L%2BQ44CB6ZmQ6L%2BQ54mp5ZOBPC9hPjxsaT48YSBocmVmPSIvd2ViZnVuY3Rpb24vd2VicGFnZS5hc3B4P25pZD1jZDZlZDEwMDk4Y2Y0NmQwOTU3NDU5MmM1MWNmOGE3OSI%2B5pyN5Yqh5rWB56iLPC9hPjxsaT48YSBocmVmPSIvd2ViZnVuY3Rpb24vd2VicGFnZS5hc3B4P25pZD0yYjVkOThjYzcwY2Y0ZDRkOWQ4OTk4ZjE5MjM2NTZiNiI%2B6LWU5YG%2F5pa55rOVPC9hPjxsaT48YSBocmVmPSIvd2ViZnVuY3Rpb24vd2VicGFnZS5hc3B4P25pZD00ODI4ZTYyZjgzODI0OTI5ODFhYTFhMWIyYzJjNWFlMCI%2B6LSn54mp5L%2Bd5Lu3PC9hPjwvdWw%2BPC9saT48L2xpPjxsaT4mbmJzcDsmbmJzcDsmbmJzcDt8Jm5ic3A7Jm5ic3A7Jm5ic3A7PC9saT48bGk%2BPGEgaHJlZj0iL3dlYmZ1bmN0aW9uL3dlYnBhZ2UuYXNweD9uaWQ9MzljOTUzY2NhOTcxNDFlMDgzMjlkZTMyYjE5MDM3MzEiPuS%2Fg%2BmUgOa0u%2BWKqDwvYT48L2xpPjwvdWw%2BPC90ZD48L3RyPjwvdGFibGU%2BPC90ZD48L3RyPjwvdGFibGU%2BPHRhYmxlIGNlbGxwYWRkaW5nPTAgY2VsbHNwYWNpbmc9MCB3aWR0aD0iOTglIiAgaWQ9Im15VGFiMF9Db250ZW50MyIgY2xhc3M9IlRhYkNvbnRlbnREaXYiPjx0cj48dGQgd2lkdGg9MjU1cHg%2BJm5ic3A7PC90ZD4gPHRkIGFsaWduPWNlbnRlcj4gPHRhYmxlIGNlbGxwYWRkaW5nPTAgY2VsbHNwYWNpbmc9MD48dHI%2BPHRkPjx1bD48bGk%2BPGEgaHJlZj0iL3dlYkZ1bmN0aW9uL3dlYnBhZ2VuZXdzbGlzdC5hc3B4P25yaWQ9NjQ2ZmUwODcwZDRkNGFiYjgxNzM4NWQwYmYwNjEyZWYiPkNBReaWsOmXuzwvYT48L2xpPjxsaT4mbmJzcDsmbmJzcDsmbmJzcDt8Jm5ic3A7Jm5ic3A7Jm5ic3A7PC9saT48bGk%2BPGEgaHJlZj0iL3dlYkZ1bmN0aW9uL3dlYnBhZ2VuZXdzbGlzdC5hc3B4P25yaWQ9YzUzMDAwNDZjNTA3NDkzNWI4MTg2Mzc3ZmNmNzJhMTIiPuWbvei1hOWnlOimgemXuzwvYT48L2xpPjxsaT4mbmJzcDsmbmJzcDsmbmJzcDt8Jm5ic3A7Jm5ic3A7Jm5ic3A7PC9saT48bGk%2BPGEgaHJlZj0iL3dlYkZ1bmN0aW9uL3dlYnBhZ2VuZXdzbGlzdC5hc3B4P25yaWQ9YTg5NWNkZmMxZDg2NGVlNTkxNWJmZjFiOWUxOGEzMGYiPuacgOaWsOWFrOWRijwvYT48L2xpPjwvdWw%2BPC90ZD48L3RyPjwvdGFibGU%2BPC90ZD48L3RyPjwvdGFibGU%2BPHRhYmxlIGNlbGxwYWRkaW5nPTAgY2VsbHNwYWNpbmc9MCB3aWR0aD0iOTglIiAgaWQ9Im15VGFiMF9Db250ZW50NCIgY2xhc3M9IlRhYkNvbnRlbnREaXYiPjx0cj48dGQ%2BJm5ic3A7PC90ZD4gPHRkICBhbGlnbj1yaWdodD4gPHRhYmxlIGNlbGxwYWRkaW5nPTAgY2VsbHNwYWNpbmc9MD48dHI%2BPHRkPjx1bD48bGk%2BPGEgaHJlZj0iL3dlYmZ1bmN0aW9uL3dlYnBhZ2UuYXNweD9uaWQ9OTliMGNlNTA2ODkzNDM1OWJhMWJlMmNhMTZjYTk5ZmMiPuagoeWbreaLm%2BiBmDwvYT48L2xpPjxsaT4mbmJzcDsmbmJzcDsmbmJzcDt8Jm5ic3A7Jm5ic3A7Jm5ic3A7PC9saT48bGk%2BPGEgaHJlZj0iL3dlYmZ1bmN0aW9uL3dlYnBhZ2UuYXNweD9uaWQ9M2UxZTgxOGJmNDg4NDg3YzkzNTYyZTNhZGJkMGM2ZjkiPuekvuS8muaLm%2BiBmDwvYT48L2xpPjxsaT4mbmJzcDsmbmJzcDsmbmJzcDt8Jm5ic3A7Jm5ic3A7Jm5ic3A7PC9saT48bGk%2BPGEgaHJlZj0iL3dlYmZ1bmN0aW9uL3dlYnBhZ2UuYXNweD9uaWQ9OTU5MjBjNTE5M2NkNDY1OThhZDYxMDM1ZWZiMjBkYzIiPue7hOe7h%2BacuuaehDwvYT48L2xpPjwvdWw%2BPC90ZD48L3RyPjwvdGFibGU%2BPC90ZD48L3RyPjwvdGFibGU%2BPHRhYmxlIGNlbGxwYWRkaW5nPTAgY2VsbHNwYWNpbmc9MCB3aWR0aD0iOTglIiAgaWQ9Im15VGFiMF9Db250ZW50NSIgY2xhc3M9IlRhYkNvbnRlbnREaXYiPjx0cj48dGQ%2BJm5ic3A7PC90ZD4gPHRkICBhbGlnbj1yaWdodD4gPHRhYmxlIGNlbGxwYWRkaW5nPTAgY2VsbHNwYWNpbmc9MD48dHI%2BPHRkPjx1bD48bGk%2BPGEgaHJlZj0iL3dlYmZ1bmN0aW9uL3dlYnBhZ2UuYXNweD9uaWQ9MThlMmI1NGRlOGRkNDQ0Nzg3Yzk3NjZjNDc4YTUzYWEiPuWFrOWPuOeugOS7izwvYT48L2xpPjxsaT4mbmJzcDsmbmJzcDsmbmJzcDt8Jm5ic3A7Jm5ic3A7Jm5ic3A7PC9saT48bGk%2BPGEgaHJlZj0iL3dlYmZ1bmN0aW9uL3dlYnBhZ2UuYXNweD9uaWQ9OGE0OGRkMzRmYjZlNDY1ZGEzNGY2NDBjMDY1NWM5MjUiPuiNo%2BiqieWllumhuTwvYT48L2xpPjxsaT4mbmJzcDsmbmJzcDsmbmJzcDt8Jm5ic3A7Jm5ic3A7Jm5ic3A7PC9saT48bGk%2BPGEgaHJlZj0iL3dlYmZ1bmN0aW9uL3dlYnBhZ2UuYXNweD9uaWQ9NDM3MTdhMzhkZTJlNGFmNGFkZjRiYzBjMjRmNGM1M2EiPuekvuS8mui0o%2BS7uzwvYT48L2xpPjxsaT4mbmJzcDsmbmJzcDsmbmJzcDt8Jm5ic3A7Jm5ic3A7Jm5ic3A7PC9saT48bGk%2BPGEgaHJlZj0iL3dlYmZ1bmN0aW9uL3RwYyI%2B6IGM5bel5pGE5b2xPC9hPjwvbGk%2BPC91bD48L3RkPjwvdHI%2BPC90YWJsZT48L3RkPjwvdHI%2BPC90YWJsZT5kZGT0mAfcvqhDKQI2kzBu9UyObtsaDA%3D%3D&__VIEWSTATEGENERATOR=AE5782F1&__EVENTVALIDATION=%2FwEWBAK%2Bi5q8CQKzw6qfBwKitfm4CgKugbOqA1lvp1DFBSSWXxhoONbn0wk7MTt3&ctl00%24Content_Body%24Cp_User=admin&ctl00%24Content_Body%24Cp_Pass=123456&ctl00%24Content_Body%24Button1=%E7%99%BB+%E5%BD%95


===================================================
ctl00%24Content_Body%24Cp_Pass(也就是sqlmap处显示的ctl00$Content_Body$Cp_Pass)参数也存在注入
直接看神器sqlmap的测试过程吧,使用--tamper "between.py,space2comment.py,randomcase.py" --level 3
直接看sqlmap的结果吧!~~~

1.jpg


2.jpg


3.jpg


4.jpg


漏洞证明:

3.jpg

修复方案:

过滤修复
你们比我懂得多。

版权声明:转载请注明来源 Ch4r0n@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-03-13 21:42

厂商回复:

感谢对快递公司的帮助!

最新状态:

暂无