
Vulnerability summary (24 followers)

Defect ID: wooyun-2016-0168874

Title: Vulnerability in a 旅务通 (Lvwutong) settlement system (leaks 2,000,000 order details / 2,000,000 registered members' details / data can be forged to fraudulently obtain settlement)

Vendor: 云南旅务通科技有限公司 (Yunnan Lvwutong Technology Co., Ltd.)

Author: 路人甲

Submitted: 2016-01-10 18:52

Fixed: 2016-02-27 11:49

Disclosed: 2016-02-27 11:49

Vulnerability type: Command execution

Severity: High

Self-assessed Rank: 15

Status: handed over to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2016-01-10: Details sent to the vendor; awaiting the vendor's handling
2016-01-14: Vendor confirmed; details visible to the vendor only
2016-01-24: Details disclosed to core white hats and experts in the relevant field
2016-02-03: Details disclosed to regular white hats
2016-02-13: Details disclosed to intern white hats
2016-02-27: Details disclosed to the public

Brief description:

Detailed description:

http://**.**.**.**/ has a command execution vulnerability. By writing a shell and reading the database configuration, I found details of nearly 3,000,000 orders and the detailed information of 2,000,000 registered members. The rest is the overall operational data of the Lvwutong Xishuangbanna settlement platform.
The volume of data is enormous; only a portion is captured as proof.
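The foothold described above is a shell file written into the web application by way of the command execution flaw (the proof section below shows a dropped 1.jsp). The following is an added example, not code from the report or from the affected vendor: it builds a baseline of the JSP files in a known-good deployment and reports any file that appears, changes or disappears, which catches this class of foothold regardless of what the shell's contents look like. The directory layout, file names and file contents are constructed for the demo; `build_baseline`, `audit` and `demo` are names chosen here.

```python
"""Detect unexpected JSP files in a deployed web application (added example)."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large JSPs do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(webroot):
    """Map of relative JSP path -> sha256, taken from a known-good deployment.

    In practice this is generated from the release artifact at deploy time and
    stored off the web server, so a compromised host cannot rewrite it."""
    root = Path(webroot)
    return {str(p.relative_to(root)): sha256_file(p) for p in sorted(root.rglob("*.jsp"))}


def audit(webroot, baseline):
    """Compare the live tree with the baseline.

    Returns 'added' (JSPs absent from the baseline: webshell candidates),
    'modified' (hash changed: a possibly backdoored page) and 'missing'."""
    current = build_baseline(webroot)
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "missing": sorted(set(baseline) - set(current)),
    }


def demo():
    """Constructed scenario: a clean deployment, then an unexpected 1.jsp appears
    and a legitimate page is altered. Returns the audit result."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "login.jsp").write_text("<html>login form</html>\n")
        (root / "admin").mkdir()
        (root / "admin" / "report.jsp").write_text("<html>report</html>\n")
        baseline = build_baseline(root)

        # Simulated post-compromise state; the contents are placeholders, not a real shell.
        (root / "1.jsp").write_text("<%-- placeholder for an unexpected file --%>\n")
        (root / "login.jsp").write_text("<html>login form</html><!-- altered -->\n")
        return audit(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Run the audit from a scheduled job or a file-integrity agent rather than from the web application itself, and alert on any non-empty `added` or `modified` list; a JSP that is not in the release artifact has no legitimate reason to exist on the server.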

Proof of vulnerability:

[Screenshots: db.png, xinxi.png, xinxi1.png, xinxi2.png, xinxi3.png, xinxi7.png, xinxi5.png, xinxi6.png, xinxi8.png, xinxi9.png, xinxi10.png, xinxi11.png, xinxi12.png]

Query #0: select t.TABLE_NAME, t.NUM_ROWS from user_tables t order by NUM_ROWS desc

TABLE_NAME (VARCHAR2)   NUM_ROWS (NUMBER)
BTA_FEE 2327220
BTA_POLICY_DETAIL 1806745
ORDER_LIST_1 1636319
BTA_POLICY_TOTAL 1031336
ORDER_BASIC2 837674
ORDER_LIST 614221
CHECKSUM_CODE 596028
ORDER_DERATE 558030
ORDER_IDCARD_DETAIL 538203
BTA_DETAIL 488175
ORDER_IDCARD 355001
ORDER_BASIC 321833
BTA_TICKET 260909
BTA_ORDER 253170
DEAL_ORDER_LOG 82505
MEMBER_CREDITS_LIST 50764
ORDER_DISCOUNT 46812
RUN_LOG 39795
ORDER_IDCARD_CHECK 36775
TICKET_ORDER 31126
DRP_INTEGRAL_DETAIL 25526
BTAP_DETAIL 22948
MEM_INTEGRAL_DETAIL 21800
TRANS_DETAIL 14507
BTA_TOTAL 13803
MEMBER_CARD 11760
ORDER_COUNT_TMP 11694
CMG_LIST 10927
GUIDE_CREDITS_LIST 10905
BTA_PAY_DATA 10256
REWARD_TICKET_DETAIL 10188
HOTEL_ORDER_TOTAL 8846
GUIDE_CHARGE_LIST 7662
PRICE_DETAIL 6284
MANUAL_PROCESS_ORDER 2252
TEST 1688
CORP_PRICE 1623
COMBINE_TICKET_AUTHORITY 1244
GUIDE_CREDITS_TOTAL 1076
TEMP 928
GUIDE_USER 861
PRICE_LOG 858
COMBIN_TICKET_MUNIT_PRICE 775
REPORT_ITEMS 595
MEMBER_USER 503
MEM_CONFIG 495
SALE_POLICY_ACTOR 441
COMBINE_TICKET_DETAIL 411
ECAR_ORDER_TOTAL 393
CORP_MEMBER_GROUP 389
ZONE 329
PRICE 291
COUNT_MEMBER_PRODUCT_CONSUME 275
NOTICE 273
REPORT_CONS 259
COMBINE_TICKET_PRICE 237
MANUAL_ORDER_COUNT 229
CTL_ACT_ORDER 220
MEMBER 204
MEMBER_MAP 197
GUIDE_BANK_LIST 196
CORP_RATE 196
MUNIT_CASH 167
USER_RIGHT 150
REPORT_ELEMENT 147
MEMBER2 143
MEMBER_ACOUNT_TOTAL 143
COMBINE_TICKET 138
COMB_WHO_CAN_ORDER_DIC 135
CASH_POINTER 134
CENTER_SMSCHECKCODE 128
GUIDE_MUNIT_PRODUCT 128
BTA_POLICY_DETAIL_TEMP 120
N_BOOK_CARD_GROUP 112
SQL_DEBUG 112
CORP_USER 112
TRAVEL_REC 106
MEMBER_PAY_PASS 100
MEM_INTEGRAL_TOTAL 97
AUTO_CONFIRM 85
KC_MEMBER_BIND 80
CORP_MENU 74
REWARD_TICKET_TOTAL 71
NEED_CREATE 62
CENTER_MENU 60
MEMBER_CREDITS_TOTAL 59
DRP_INTEGRAL_TOTAL 57
REPORT_CON_ELEMENT 56
REPORTS 54
MUNIT 52
SALE_POLICY_EXE 46
CENTER_USER 46
COUNT_CORPINCOME 44
MEMBER_RIGHT 42
KC_LOGINTEMP 38
BEAN_HEADER 38
ACCOUNTS_NO_CASH 37
NATION 37
ORDER_OPENAPI 35
PROVINCE 34
MEMBER_MENU 34
PAY_MODE 31
USER_ROLE 31
LOG_EVENTS 31
TRANS_DIC 30
MUNIT_ADDITION_INFO 27
LOG_TYPE 27
BTA_FEE_UNIT 27
PRICE_DIC 26
MENU_GROUP 24
PRICE_RULE 23
COUNT_CORPINCOME_RESULT 22
TICKET_TYPE_DIC 21
ACCOUNTS_NO 20
ID_VALIDATION_RATE 19
COUNT_CORPINCOME_TMP 18
ORDER_STATUS_DIC 17
CASH_TEMP 14
REPORT_CON_SEL_LIST 14
AUDIT_GRADE 13
N_BOOK_GROUP_DIC 13
N_BOOK_PRICE_DIC 13
CORP_GRADE 12
GUIDE_LOG 12
N_BOOK_CARD_LIST 12
ADDITION_ITEM 12
SYS_CONFIG 12
BTA_SPECIAL_BOUNTY 12
BTA_MEMBER_TYPE 12
N_BOOK_PRICE 12
PRICE_RISE 10
ID_INPUT 10
STD_DIC_CODE 9
REPORT_CON_TYPE 9
BTA_POLICY_AP 8
MEMBER_LEVEL 8
ARRIVE_DIC 8
ROOM_INFO 8
MEMBER_MENU_GROUP 8
SPECIAL_FEE_OBJECT 7
CORP_TYPE 7
BTA_FEE_DIC 6
FEE_LIST 6
WARES 6
SPECIAL_FEE 6
TERM_TYPE 6
FEE_TYPE 6
BTA_TYPE 5
EXT_DATA_PRICE 5
EXT_DATA_TYPE 5
SPECIAL_FEE_PRICE 5
POLICY_GROUP 5
POLICY_MEM_GROUP_DETAIL 5
GUIDE_MUNIT 5
CASH_TYPE 4
COMB_PRICE_DIC 4
EXTEND_INFO 4
IP_JUDGE 4
POLICY_OBJECT 4
UNIT_TYPE 4
INTEGRAL_TYPE_DIC 4
BTA_LOG 3
CAL_MODE 3
COMB_TKT_TYPE 3
CTP_TYPE_DIC 3
ARRIVE_CORP_LIST 3
MANAGE_CORP 3
MEMBER_TYPE 3
ROOM_TYPE 3
DISCOUNT 3
CMG_TYPE 2
ECAR_PRICE_DIC 2
ECAR_PRICE_INFO 2
EXT_AUTH_MAN 2
POLICY_TYPE 2
WL_LLR_ADMINSERVER 2
SALE_POLICY 2
SALE_POLICY_MEM_GROUP 2
SUM_TYPE 2
SYSTEM_LOG 2
REWARD_TICKET_PERIODS 2
EXT_CUSTOMER_SRC 1
EXT_CUSTOMER_UNIT 1
ACT_INFO 1
POLICY_MEM_GROUP 1
TMP1 1
EXT_DATA_DETAIL 1
MEMBER_GROUP_WEB 0
FEE_RATE 0
NEWS 0
NORESULT 0
ORDER_LOG 0
ORDER_SPECIAL_FEE 0
PLAN_TABLE 0
POLICY_GROUP_DETAIL 0
TRAVEL_CONSUME_COUNT 0
USER_LOG 0
WASTE_BOOK 0
ADVICE 0
ADVICE_TYPE 0
BANK_ACCOUNT 0
BANK_ACCOUNT_QUEUE 0
BTA_DETAIL_TEMP 0
BTA_FEE_TEMP 0
BTA_ORDER_TEMP 0
BTA_PAY_DATA_TEMP 0
BTA_POLICY_TOTAL_TEMP 0
BTA_PROC 0
BTA_TICKET_TEMP 0
CHECK_LOG 0
CMG_MOVE_LOG 0
COMBINE 0
COMBINE_CORPS 0
COMBINE_DETAILS_WEB 0
COMBINE_POLICY_WEB 0
CORP_POLICY 0
CORP_REBATE 0
CUSTOMER_SERVICE 0
DIC_CORP_STATUS 0
DIV_DETAILS 0
EXT_CERTI_TYPE 0
FEE_COMP 0
MUNIT_LOG 0
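The row-count listing above is the same inventory an incident responder needs once a host holding database credentials is known to be compromised: which tables hold personal or financial data, and how many rows. The following is an added example, not code from the report: it parses the plain-text output of the `user_tables` query shown above, tags tables whose names suggest sensitive data, and sums their row counts per category. The keyword categories are an assumption of this example, not anything the report defines, and the sample excerpt is taken from the listing above. One caveat the listing itself does not state: `NUM_ROWS` comes from optimizer statistics, so it reflects the last `DBMS_STATS` run (and is empty for never-analysed tables) rather than a live count, which is why it is a scoping estimate and not an exact figure.

```python
"""Breach-scope estimate from an Oracle user_tables row-count listing (added example)."""
import re
from collections import defaultdict

# Name fragments that usually mark sensitive data. These categories are an
# assumption of this example; adapt them to the schema under investigation.
# Order matters: the first matching category wins.
CATEGORIES = {
    "identity documents": ("IDCARD",),
    "member accounts": ("MEMBER", "MEM_", "PAY_PASS", "CENTER_USER", "CORP_USER", "GUIDE_USER"),
    "orders": ("ORDER",),
    "payments/banking": ("BANK", "PAY_", "CASH", "FEE"),
}

# A data row is an Oracle identifier followed by a non-negative integer count.
ROW_RE = re.compile(r"^([A-Z][A-Z0-9_$#]*)\s+(\d+)$")

# Excerpt of the listing in the report, used as constructed sample input.
SAMPLE = """\
Query#0 : select t.TABLE_NAME,t.NUM_ROWS from user_tables t order by NUM_ROWS desc
TABLE_NAME NUM_ROWS
BTA_FEE 2327220
ORDER_LIST_1 1636319
ORDER_IDCARD_DETAIL 538203
ORDER_IDCARD 355001
MEMBER_USER 503
MEMBER_PAY_PASS 100
GUIDE_BANK_LIST 196
ZONE 329
"""


def parse_listing(text):
    """Return {table_name: num_rows} from 'NAME COUNT' lines.

    The query echo and column-header lines do not end in an integer, so the
    regex skips them without special-casing."""
    tables = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            tables[m.group(1)] = int(m.group(2))
    return tables


def classify(name):
    """First matching category for a table name, or None if nothing matches."""
    for cat, needles in CATEGORIES.items():
        if any(n in name for n in needles):
            return cat
    return None


def scope_exposure(text):
    """Summarise rows per sensitive category.

    Returns (per_category, uncategorised) where per_category maps a category to
    {'tables': [...], 'rows': total} and uncategorised lists table names that
    matched nothing and need a manual look."""
    per_cat = defaultdict(lambda: {"tables": [], "rows": 0})
    uncategorised = []
    for name, rows in parse_listing(text).items():
        cat = classify(name)
        if cat is None:
            uncategorised.append(name)
            continue
        per_cat[cat]["tables"].append(name)
        per_cat[cat]["rows"] += rows
    return dict(per_cat), uncategorised


if __name__ == "__main__":
    summary, rest = scope_exposure(SAMPLE)
    for cat, info in summary.items():
        print(f"{cat}: {info['rows']} rows across {len(info['tables'])} tables")
    print("needs manual review:", rest)
```

Paste the full listing into `SAMPLE` (or read it from a file) to get category totals for the whole schema; the `uncategorised` list is the backlog of tables a responder still has to inspect by hand before the impact statement is complete.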

Database structure (connection descriptor):

<url>jdbc:oracle:thin:@**.**.**.**:1521/tour</url>
<driver-name>oracle.jdbc.OracleDriver</driver-name>
<properties>
<property>
<name>user</name>
<value>bntour</value>
</property>
</properties>
<password-encrypted>{AES}9EBK20rfSY4r10PX7tqTvg2Sfgq7IurgizU94MniYwk=</password-encrypted> tour

http://**.**.**.**/1.jsp?o=vLogin 7

Remediation:

Copyright notice: please credit 路人甲@乌云 when reposting.


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2016-01-14 16:43

Vendor reply:

CNVD confirms the described situation; it has been forwarded via CNCERT to the Yunnan branch center, which will coordinate handling with the website's operating organisation.

Latest status:

None yet