
Vulnerability summary

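Bug ID: wooyun-2015-097345

Title: Weak password and SQL injection on a Hainan Airlines site

Vendor: Hainan Airlines

Author: depycode

Submitted: 2015-02-15 10:06

Fixed: 2015-04-01 10:08

Disclosed: 2015-04-01 10:08

Vulnerability type: Weak back-end (admin) password

Severity: High

Self-assessed rank: 20

Status: Confirmed by vendor

Vulnerability source: http://www.wooyun.org; for questions or help, contact [email protected]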



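Vulnerability details

Disclosure status:

2015-02-15: Details reported to the vendor; waiting for the vendor to respond
2015-02-15: Vendor confirmed; details disclosed to the vendor only
2015-02-25: Details disclosed to core white hats and experts in related fields
2015-03-07: Details disclosed to regular white hats
2015-03-17: Details disclosed to trainee white hats
2015-04-01: Details disclosed to the public

Brief description:

Weak password and SQL injection on a Hainan Airlines site

Detailed description:

URL: http://1.202.236.211/FrameWork/Login.aspx
Username: admin
Password: 123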

0.jpg


2.jpg


SQL injection:

POST /FlightReserve/Insurance/InsuranceList.aspx HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://1.202.236.211/FlightReserve/Insurance/InsuranceList.aspx
Accept-Language: zh-CN
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3; .NET4.0E; BOIE9;ZHCN)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: 1.202.236.211
Content-Length: 1166
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: ASP.NET_SessionId=tj04v4npp5413bz1clrkio45; CheckCode=5034; Manage=3C008DD1C4434A011A5288CD90CE97E28CD3584BCB091B6E36E57DD1783DF38E5EEAE2388B85CB11262524817F304D94D9EE6D47D98F001193A65368C4A558509D6144DF1CE7C51758321E898866B8286CE6DD5DC52F81EA8308333152F03645820D6C73EF0C3F10EA0576568784357701CE4626
__VIEWSTATE=%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%3D&__EVENTTARGET=&__EVENTARGUMENT=&__EVENTVALIDATION=%2FwEWFAKl%2Bbj%2FDQLogvuaCQL74r3wCQLkwtn1DwLxwtn1DwL2wtn1DwLqwtn1DwK27t2jDgKp7t2jDgKo7t2jDgLI8tiJCQKMmNvZAwKln%2FPuCgLx9YKkDwLElP2TDgKDm9jiDQKklZejAgLFqfiRCwLJ1Lb1CwLWy%2FTBDj%2Bi0xjDptQSTz998NRihXD4SLLC&txtPsrName=1&dropOperateType=All&drpTimeType=0&txtInsuranceDtBegin=2015-02-15&txtInsuranceDtEnd=2015-02-15&btnSearch=%B2%E9%D1%AF&txtCustomerNo=&txtCustomer=&txtOrderNo=&txtIdentityNo=&Pager%24pagerCurrentPage=1&Pager%24pagerFilter=


The txtPsrName parameter is vulnerable to SQL injection.

1.jpg


3.jpg


4.jpg


Proof of vulnerability:

3.jpg


4.jpg

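Remediation:

Change the password, and strictly filter query parameters in the back-end functions.

Copyright notice: please credit depycode@WooYun when reposting.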
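
An added example, not part of the original report or the site's code, of the remediation for the txtPsrName search: the same form fields handled once by string concatenation and once with validated dates and bound parameters. The table, column names and sample rows are constructed, and sqlite3 stands in for the site's database, which the report does not describe.

```python
import sqlite3
from datetime import datetime

def make_db():
    # Hypothetical schema and constructed rows; not taken from the report.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE insurance (psr_name TEXT, insurance_dt TEXT)")
    db.executemany("INSERT INTO insurance VALUES (?, ?)", [
        ("ZHANG SAN", "2015-02-15"),
        ("O'BRIEN", "2015-02-15"),
        ("LI SI", "2015-02-16"),
    ])
    return db

def search_concat(db, form):
    """'Before': form values are pasted straight into the SQL text."""
    sql = ("SELECT psr_name FROM insurance WHERE psr_name = '%s' "
           "AND insurance_dt BETWEEN '%s' AND '%s'"
           % (form["txtPsrName"], form["txtInsuranceDtBegin"],
              form["txtInsuranceDtEnd"]))
    return [row[0] for row in db.execute(sql)]

def parse_date(value):
    """Parse as a calendar date and re-emit it normalized; ValueError otherwise."""
    return datetime.strptime(value, "%Y-%m-%d").strftime("%Y-%m-%d")

def search_param(db, form):
    """'After': dates validated, every value bound as a parameter."""
    name = form["txtPsrName"]
    if len(name) > 64:  # assumed length limit for a passenger name
        raise ValueError("txtPsrName too long")
    begin = parse_date(form["txtInsuranceDtBegin"])
    end = parse_date(form["txtInsuranceDtEnd"])
    sql = ("SELECT psr_name FROM insurance WHERE psr_name = ? "
           "AND insurance_dt BETWEEN ? AND ?")
    return [row[0] for row in db.execute(sql, (name, begin, end))]

def demo():
    # A legitimate name containing an apostrophe is enough to show the difference.
    db = make_db()
    form = {"txtPsrName": "O'BRIEN", "txtInsuranceDtBegin": "2015-02-15",
            "txtInsuranceDtEnd": "2015-02-15"}
    try:
        search_concat(db, form)
        concat_result = "ok"
    except sqlite3.OperationalError:  # the quote changed the SQL structure
        concat_result = "syntax error"
    return concat_result, search_param(db, form)

if __name__ == "__main__":
    print(demo())
```

In the concatenated version the apostrophe ends the string literal early, so user input becomes part of the statement's structure; with bound parameters it is only ever compared as data.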


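Vulnerability response

Vendor response:

Severity: Medium

Vulnerability rank: 10

Confirmed: 2015-02-15 10:57

Vendor reply:

Thank you, depycode. We will contact the developers and the back-end team to handle this issue.

Latest status:

None yet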