
Vulnerability summary

Defect ID: wooyun-2015-0107116

Title: Shanghai Kuaiqu Travel leaks a large volume of passengers' airline orders (including customer details) and payment order data

Related vendor: 上海快趣旅游 (Shanghai Kuaiqu Travel)

Author: 路人甲

Submitted: 2015-04-10 17:21

Fix time: 2015-05-25 17:22

Public disclosure time: 2015-05-25 17:22

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 19

Status: Vendor could not be contacted, or the vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-04-10: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2015-05-25: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

A tree that sheds its bark is certain to die; a person who sheds all shame is invincible.

Detailed description:

Screenshot: QQ截图20150410162808.jpg

The vulnerability is in the Piaoyou ERP management system (票友ERP管理系统) of Shanghai Kuaiqu Travel Consulting Co., Ltd. (上海快趣旅游咨询有限公司).

Screenshot: QQ截图20150410162844.jpg

The system has injection points in many places; I will not list them one by one.

Masked area:
1.http://**.**.**/json_db/other_report.aspxits=3&jq=0&stype=&dfs=0&levels=111

Screenshot: 22.png

Screenshot: 33.png

Screenshot: 44.png

Proof of vulnerability:

Screenshot: 00.png


Masked area (database names):
*****523*****
*****ang_*****
*****ang_*****
*****lq_s*****
*****_tra*****
*****ht_*****
*****ir_s*****
*****yf_*****
*****gyue*****
*****you_*****
*****tkj*****
*****iqu_*****
*****gxia*****
*****ui_d*****
*****ast*****
*****ode*****
*****sdb*****
*****a_u*****
*****_hsd*****
*****ou_le*****
*****ou_sh*****
*****ou_sh*****
*****heng_*****
*****ang_*****
*****orse*****
*****comp*****
*****bo_k*****
*****oxin*****
*****ilu*****
*****emp*****
*****scy*****
*****ghai*****
*****e_sh*****
*****inc*****
*****ps_*****
*****gpp*****


+---------------------+
| Airways |
| Bank |
| CW_out |
| Hotel_City |
| Hotel_LandMarks |
| Hotel_OrderInfo |
| Hotel_PageSumInfo |
| Hotel_SingleAvail |
| Hotel_StaticInfos |
| Invoice |
| MybunkMessage |
| Notebook |
| OtherParm |
| PayOut |
| Report_mb |
| Report_mb_member |
| Roles |
| Roles_flag |
| System_Warn |
| System_info |
| Tplanetype |
| admin |
| air |
| air_cab_class |
| aircity |
| airpiao |
| b2b_users |
| bm_login |
| books |
| bx_base |
| bx_product |
| cardnumjl |
| cgimg |
| cjr_login |
| cjrcard |
| company_bm |
| company_center |
| company_clk |
| company_flag |
| company_logo |
| company_news |
| company_sms |
| contact_info |
| cw_gd |
| cwkou |
| dbbak_history |
| fax_send |
| fax_submit |
| ft_City |
| ft_Config |
| ft_TAPrice |
| gjqz |
| gjqz_f |
| gjticket |
| hbzh |
| hccity |
| hcsheng |
| hcsite |
| hf_history |
| hide_flight |
| hotel |
| huoche |
| james_tab |
| jbitem |
| jp_detail |
| jp_line |
| kefu |
| kefu_files |
| kefu_mail |
| kefubm |
| kq_history |
| kq_items |
| ldt_history |
| link |
| lv_items |
| lv_items_mb |
| lv_orders_mx |
| lv_sclass |
| member |
| member_sales |
| member_sales_his |
| member_table |
| member_warn |
| member_yu |
| menu_b |
| menu_s |
| message_mb |
| money_mx |
| money_other |
| news_read |
| oa_item |
| oa_main |
| orders_design |
| otherclass |
| pay_money |
| pay_money_main |
| pay_money_other |
| payfs |
| piaobei |
| piaodian |
| piaodian_yu |
| plane_xinhao |
| pnr |
| pnr_history |
| pnrdetail |
| postMain |
| postRe |
| ptype_set |
| resms |
| room |
| salestable |
| sfk_submit |
| sfk_submit_mx |
| sfkmx_other_view |
| sfkmx_view |
| shop_bigclass |
| shop_order |
| shop_product |
| shop_smallclass |
| sms |
| sms_key |
| soupiaoren |
| sys_nav |
| system_tx |
| tourbig |
| tourclass |
| tourday |
| tourline |
| tourlist |
| tournews |
| tourorder |
| traininfo |
| travel_item |
| travel_money |
| travel_order |
| travel_order_detail |
| tuipiao |
| view_cw |
| view_hctuipiao |
| view_js |
| view_kefu |
| view_kq_history |
| view_ldhistory |
| view_member_yu |
| view_pay_mx_main |
| view_piaodian_yu |
| view_scgq |
| view_travel_order |
| view_tuipiao |
| viewbmpnr |
| viewcjr |
| viewgjticket |
+---------------------+
The database this site uses has more than 170 tables in total; I did not enumerate all of them.
Because this is a subsite, the database privileges are limited.

Fix recommendation:

WooYun is great.
The system has further, as yet unknown, injection points; I suggest installing a WAF.
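The injection point reported above is a report-filter page whose query-string parameters (its, jq, dfs, levels) are evidently passed into SQL. A WAF only filters traffic in front of such code; the durable fix is in the code itself. The following is an added example, not code from the report or from the Piaoyou ERP system: it rebuilds the defect class and its fix in Python on SQLite (the real system is ASP.NET, where the same fix is SqlCommand parameters), with a constructed table, column names and rows that are assumptions for illustration only.

```python
"""Added example (not from the WooYun report): concatenated versus parameterised
filter query, modelled on a report endpoint that takes integer codes such as
levels and dfs from the query string. Schema and rows are constructed."""
import sqlite3


def make_db():
    """Build an in-memory database with a small, constructed report table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE report_mb (id INTEGER, levels INTEGER, dfs INTEGER, note TEXT)"
    )
    conn.executemany(
        "INSERT INTO report_mb VALUES (?, ?, ?, ?)",
        [(1, 111, 0, "row a"), (2, 111, 1, "row b"), (3, 222, 0, "row c")],
    )
    return conn


def report_vulnerable(conn, levels, dfs):
    """The defect class: request parameters are pasted into the SQL text, so
    whatever the client sends becomes part of the statement."""
    sql = f"SELECT id FROM report_mb WHERE levels = {levels} AND dfs = {dfs}"
    return [row[0] for row in conn.execute(sql)]


def report_fixed(conn, levels, dfs):
    """The fix: validate the type (these are integer codes) and bind the values
    as parameters, so the driver never interpolates them into the SQL text."""
    try:
        levels_i, dfs_i = int(levels), int(dfs)
    except (TypeError, ValueError):
        raise ValueError("levels and dfs must be integer codes")
    sql = "SELECT id FROM report_mb WHERE levels = ? AND dfs = ?"
    return [row[0] for row in conn.execute(sql, (levels_i, dfs_i))]


def is_rejected(conn, levels, dfs):
    """True if the hardened handler refuses the input outright."""
    try:
        report_fixed(conn, levels, dfs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    # Well-formed input: both handlers return the one matching row.
    print(report_vulnerable(db, "111", "0"))          # [1]
    print(report_fixed(db, "111", "0"))               # [1]
    # Malformed input: the concatenated query is rewritten and returns every
    # row; the hardened handler rejects it before any SQL runs.
    print(report_vulnerable(db, "111 OR 1=1", "0"))   # [1, 2, 3]
    print(is_rejected(db, "111 OR 1=1", "0"))         # True
```

The integer check matters as much as the binding: binding alone would still accept garbage into a column meant for codes, while type validation gives the handler a clean place to log and reject malformed requests, which is also the signal a defender would alert on.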

Copyright notice: when reproducing, cite the source 路人甲@乌云


Vulnerability response

Vendor response:

The vendor could not be contacted, or the vendor actively refused

Vulnerability rank: 18 (WooYun assessment)