当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0144685

漏洞标题:海南航空某站SQL注入漏洞之二(时间盲注)

相关厂商:海南航空

漏洞作者: Xmyth_夏洛克

提交时间:2015-10-03 21:59

修复时间:2015-11-22 14:04

公开时间:2015-11-22 14:04

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-10-03: 细节已通知厂商并且等待厂商处理中
2015-10-08: 厂商已经确认,细节仅向厂商公开
2015-10-18: 细节向核心白帽子及相关领域专家公开
2015-10-28: 细节向普通白帽子公开
2015-11-07: 细节向实习白帽子公开
2015-11-22: 细节向公众公开

简要描述:

RT

详细说明:

同样是海航旗下的互联网金融保险站

页面.png


GET /USER/flsc_bxcp_myyfk_queryPrice.action?age=12&date=1&flag=1&plan=1&t=1443344676650 HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://baoxian.jbwchina.com:80/
Cookie: JSESSIONID=807CFE60B5E40C7289DFB92972068F67
Host: baoxian.jbwchina.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*


age和date均为注入点

注入点.png

漏洞证明:

数据库

dbs.png


122个表

Database: jbw_baoxian
[122 tables]
+-------------------------+
| dual                    |
| ldcode                  |
| ldmenu                  |
| ldtask                  |
| ldtaskaudit             |
| ldtaskparam             |
| ldtaskparamaudit        |
| ldtaskplan              |
| ldtaskplanaudit         |
| ldtaskrunlog            |
| lduser                  |
| seqmysql                |
| tbl_commentinfo         |
| tbl_dxlabelmgt          |
| tbl_dxmoduleconfig      |
| tbl_dxsendrecord        |
| tbl_easypayoinfo        |
| tbl_easypaytype         |
| tbl_faaddress           |
| tbl_faagent             |
| tbl_faagentpost         |
| tbl_fadistribution      |
| tbl_fahealth            |
| tbl_fahealthb           |
| tbl_fcappnt             |
| tbl_fcbnf               |
| tbl_fccont              |
| tbl_fcconttoplan        |
| tbl_fcinsured           |
| tbl_fcpol               |
| tbl_fcprojectplan       |
| tbl_fdaddress           |
| tbl_fdcity              |
| tbl_fdcom               |
| tbl_fdcomarea           |
| tbl_fdcounty            |
| tbl_fdhrcom             |
| tbl_fdmenu              |
| tbl_fdmenugrp           |
| tbl_fdmenugrptomenu     |
| tbl_fdnewproduct        |
| tbl_fdplan              |
| tbl_fdplanrisk          |
| tbl_fdplantocom         |
| tbl_fdplantopro         |
| tbl_fdpriovince         |
| tbl_fdproductfile       |
| tbl_fdroletomenugrp     |
| tbl_fdsyslog            |
| tbl_fdsysvar            |
| tbl_fduser              |
| tbl_fduseraddress       |
| tbl_fduserlog           |
| tbl_fdusertomenugrp     |
| tbl_fiaccpass           |
| tbl_fianswer            |
| tbl_ficustomeracc       |
| tbl_ficustomeracctrace  |
| tbl_fiquestion          |
| tbl_flemployerapp       |
| tbl_flemployerins       |
| tbl_flemployerins_track |
| tbl_flgroundins         |
| tbl_flmedicalapp        |
| tbl_flmedicalins        |
| tbl_fmcalmode           |
| tbl_fmcalmodepams       |
| tbl_fmcheckfield        |
| tbl_fmemail             |
| tbl_fmemail_template    |
| tbl_fmetemplate         |
| tbl_fmlabelmgt          |
| tbl_fmpremiumrate       |
| tbl_fmproductact        |
| tbl_fmproductdef        |
| tbl_fmproductplan       |
| tbl_fmriskapp           |
| tbl_fmriskparamsdef     |
| tbl_fmriskrela          |
| tbl_fmsupplier          |
| tbl_fofxinsorder        |
| tbl_fofxinsorderinfo    |
| tbl_fofxotoattach       |
| tbl_fofxotorder         |
| tbl_fofxotorderinfo     |
| tbl_foorderdetail       |
| tbl_fouserorder         |
| tbl_frcbankre           |
| tbl_frcustinfo          |
| tbl_frinputlog          |
| tbl_froutputlog         |
| tbl_fxaccidentins       |
| tbl_fxannuityins        |
| tbl_fxappset            |
| tbl_fxappset_comarea    |
| tbl_fxemployerapp       |
| tbl_fxemployerins       |
| tbl_fxglains            |
| tbl_fxgroundins         |
| tbl_fxinpersonins       |
| tbl_fxitains            |
| tbl_fxmedicalapp        |
| tbl_fxmedicalapp_jb_sf  |
| tbl_fxmedicalapp_sf     |
| tbl_fxmedicalins        |
| tbl_fxpensionins        |
| tbl_import_errorinfolog |
| tbl_interfaceinfo       |
| tbl_interfaceinfoparas  |
| tbl_interfacelog        |
| tbl_interfacelogparas   |
| tbl_ldrole              |
| tbl_lp_access           |
| tbl_lp_attch            |
| tbl_lwuser              |
| tbl_medicalbranch       |
| tbl_message             |
| tbl_occupationcode      |
| tbl_operatorinfo        |
| tbl_pinganinfo          |
| tbl_roadrescue          |
| tbl_uploadinfo          |
+-------------------------+

修复方案:

过滤

版权声明:转载请注明来源 Xmyth_夏洛克@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:13

确认时间:2015-10-08 14:02

厂商回复:

谢谢对海航的关注和支持,我们将安排整改

最新状态:

暂无