Vulnerability summary

Defect ID: wooyun-2015-0110166

Title: SQL injection in a ticketing system, affecting a large number of business websites #3

Vendor: Piaoyou Software (票友软件)

Author: 路人甲

Submitted: 2015-04-29 11:28

Fixed: 2015-08-02 08:04

Published: 2015-08-02 08:04

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Handed over to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-04-29: Details sent to the vendor, awaiting vendor response
2015-05-04: Vendor confirmed; details visible to the vendor only
2015-05-07: Details opened to third-party security partners
2015-06-28: Details opened to core white hats and domain experts
2015-07-08: Details opened to regular white hats
2015-07-18: Details opened to intern white hats
2015-08-02: Details opened to the public

Brief description:

Two injection points

Detailed description:

Piaoyou Software, http://www.piaoyou.org/
Piaoyou Software is a ticket management system built for air-ticket agencies. It integrates online booking management, call recording with screen pop-up, corporate travel management, trade (B2B) order management, member management, loyalty points, SMS sending, staff management, report generation, financial management and other functions.
The official demo site is used here for the demonstration:
http://demo.piaoyou.org/
Real deployments can be found by searching for
intitle:票友ERP管理系统
After logging in to the official demo site with the demo account,
the injection point is at Statistics -> Annual flight-ticket sales comparison -> the customer card number and year fields.
Search for 111
and capture the request:

POST /Finance/Month_flight_tab.aspx HTTP/1.1
Host: demo.piaoyou.org
Proxy-Connection: keep-alive
Content-Length: 4084
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://demo.piaoyou.org
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://demo.piaoyou.org/Finance/Month_flight_tab.aspx
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,zh-TW;q=0.4
Cookie: ASP.NET_SessionId=yw3uiho3ncyfvvifwyff2u0q; pycookie=loginname=admin&truename=%e7%b3%bb%e7%bb%9f%e7%ae%a1%e7%90%86%e5%91%98&flag=1&datagroup=&kefugroup=%e7%bd%91%e7%bb%9c%e9%83%a8&kpgroup=0&kpdian=none%7c%e5%a4%a9%e5%9c%b0%e8%a1%8c%7c%e4%b8%8d%e5%a4%9c%e5%9f%8e%7c%e4%bb%8a%e6%97%a5%e5%a4%a9%e4%b8%8b%e9%80%9a%7c%e5%8d%97%e8%88%aa%e7%bd%91%e7%ab%99%7c%e5%9b%bd%e8%88%aa%7c; Hm_lvt_c15d2259f5eee2c03f0739e5f8ff792c=1429862606; Hm_lpvt_c15d2259f5eee2c03f0739e5f8ff792c=1429864362
__VIEWSTATE=%2FwEPDwUKLTk2MzYyNjM1MA9kFgICAw9kFgQCBQ8QDxYGHg1EYXRhVGV4dEZpZWxkBQdjb21wYW55Hg5EYXRhVmFsdWVGaWVsZAUCaWQeC18hRGF0YUJvdW5kZ2QQFQkRPeS%2Bm%2BW6lOWVhuS4jemZkD0J5LiN5aSc5Z%2BOD%2BS7iuaXpeWkqeS4i%2BmAmgzljZfoiKrnvZHnq5kG5Zu96IiqDOe9kee7nOiuouWNlQnlm73lhoVCU1AM5piT6KGM5aSp5LiLABUJET3kvpvlupTllYbkuI3pmZA9ATMBOQIxMQIxNgIxOAIzNgIzOAI0MBQrAwlnZ2dnZ2dnZ2dkZAIPDzwrABECAA8WBB8CZx4LXyFJdGVtQ291bnQCC2QBEBYAFgAWABYCZg9kFhgCAQ9kFhxmDw8WAh4EVGV4dAUJ6ZSA5ZSu5Lu3ZGQCAQ8PFgIfBAUBMGRkAgIPDxYCHwQFATBkZAIDDw8WAh8EBQQ4MzcwZGQCBA8PFgIfBAUFMjQzODhkZAIFDw8WAh8EBQEwZGQCBg8PFgIfBAUBMGRkAgcPDxYCHwQFATBkZAIIDw8WAh8EBQEwZGQCCQ8PFgIfBAUBMGRkAgoPDxYCHwQFATBkZAILDw8WAh8EBQEwZGQCDA8PFgIfBAUBMGRkAg0PDxYCHwQFBTMyNzU4ZGQCAg9kFhxmDw8WAh8EBQnplIDllK7nqI5kZAIBDw8WAh8EBQEwZGQCAg8PFgIfBAUBMGRkAgMPDxYCHwQFAzYyMGRkAgQPDxYCHwQFAzkwMGRkAgUPDxYCHwQFATBkZAIGDw8WAh8EBQEwZGQCBw8PFgIfBAUBMGRkAggPDxYCHwQFATBkZAIJDw8WAh8EBQEwZGQCCg8PFgIfBAUBMGRkAgsPDxYCHwQFATBkZAIMDw8WAh8EBQEwZGQCDQ8PFgIfBAUEMTUyMGRkAgMPZBYcZg8PFgIfBAUJ5bqU5pS25qy%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%2Beul%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%2Bb5YipZGQCAQ8PFgIfBAUBMGRkAgIPDxYCHwQFATBkZAIDDw8WAh8EBQQzMTU1ZGQCBA8PFgIfBAUHMzkxMy44NGRkAgUPDxYCHwQFATBkZAIGDw8WAh8EBQEwZGQCBw8PFgIfBAUBMGRkAggPDxYCHwQFATBkZAIJDw8WAh8EBQEwZGQCCg8PFgIfBAUBMGRkAgsPDxYCHwQFATBkZAIMDw8WAh8EBQEwZGQCDQ8PFgIfBAUHNzA2OC44NGRkAgwPDxYCHgdWaXNpYmxlaGRkGAIFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYGBQdzdHlwZSQwBQdzdHlwZSQxBQdzdHlwZSQyBQdzdHlwZSQzBQdzdHlwZSQ0BQdzdHlwZSQ0BQVtbGlzdA88KwAMAQgCAWS0OGXBpWN%2FF%2FH80MyFlDeu4upS5Szgmva%2FyIfTYx0bdw%3D%3D&__EVENTVALIDATION=%2FwEWFgKdlcGBDQKF1rL5CQK33%2BizDgL8q7jwAQL8q7jyDQK00pKHCgK3rZDCAQKtrZDCAQK1rdzBAQK1rejBAQK1rbDCAQK3rejBAQK3rbDCAQK2rdDBAQKvpuq2CALjo9XvCgLIurdaAq3RmcUGApLo%2B68MAs%2FIzMQDAoznisYGArursYYIki66bJm4869fugK486xePEdNrZi23QxiH2JVwCG7a4k%3D&years=2015&jpclass_ser=&piaodian=%3D%E4%BE%9B%E5%BA%94%E5%95%86%E4%B8%8D%E9%99%90%3D&username=11111&Button1=%E7%94%9F%E6%88%90%E6%8A%A5%E8%A1%A8


As can be seen, the username and years parameters are not properly filtered, which leads to SQL injection.

Screenshots: 1.jpg, 3.jpg, 2.jpg


Other affected sites:
Jiritong Travel (吉日通旅行网)
http://zw.jiritong.com/
Shangwu Hangkong (商务航空)
http://www.yeehang.cc/
Beijing Baosheng Aviation Service Co., Ltd. (北京保盛航空服务有限公司)
http://sdn.4000211929.com/
Shanghai Jianan Business Aviation (上海迦南商务航空)
http://jy.4000211929.com/

Proof of vulnerability:

As above.

Suggested fix:

Filter the input.
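Since the affected pages are ASP.NET (.aspx) handlers, the following is an added example of what "filtering" should mean in practice: it is not the vendor's code, and the table and column names are assumptions. It shows the string-concatenated query that the report implies beside a version that validates `years` as an integer and passes both values as typed SQL parameters, so user input can never be interpreted as SQL text.

```csharp
// Added example, not code from the Piaoyou product. Hypothetical handler
// behind Month_flight_tab.aspx; table/column names are assumed.
using System;
using System.Data;
using System.Data.SqlClient;

public static class FlightYearReport
{
    // Pattern the report implies: form values concatenated straight into SQL,
    // so whatever is typed into the card-number field becomes part of the query.
    public static string BuildUnsafeSql(string username, string years)
    {
        return "SELECT sale_month, SUM(amount) FROM flight_sales WHERE card_no = '"
             + username + "' AND sale_year = " + years + " GROUP BY sale_month";
    }

    // Hardened version: the SQL text is constant; values travel as typed parameters.
    public static SqlCommand BuildSafeCommand(SqlConnection conn, string username, string years)
    {
        // sale_year is an integer column, so reject anything that is not a
        // plausible year before it reaches the database at all.
        if (!int.TryParse(years, out int year) || year < 1990 || year > 2100)
            throw new ArgumentException("years must be a four-digit year");

        // Card numbers are a bounded string; enforce the length of the column.
        if (string.IsNullOrEmpty(username) || username.Length > 50)
            throw new ArgumentException("username must be 1 to 50 characters");

        SqlCommand cmd = conn.CreateCommand();
        cmd.CommandText =
            "SELECT sale_month, SUM(amount) FROM flight_sales " +
            "WHERE card_no = @card AND sale_year = @year GROUP BY sale_month";
        cmd.Parameters.Add("@card", SqlDbType.NVarChar, 50).Value = username;
        cmd.Parameters.Add("@year", SqlDbType.Int).Value = year;
        return cmd;
    }

    // How the page handler would call it (Request.Form keys match the captured POST).
    public static SqlCommand FromRequest(SqlConnection conn, System.Collections.Specialized.NameValueCollection form)
    {
        return BuildSafeCommand(conn, form["username"], form["years"]);
    }
}
```

Validating the year before parameterising is belt-and-braces: the parameter alone already stops injection, and the range check additionally rejects malformed input with a clear error instead of a database exception.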

Copyright notice: please credit the source when republishing: 路人甲@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2015-05-04 08:03

Vendor reply:

No direct handling channel with the software vendor has been established yet; awaiting claim.

Latest status:

None