
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0146357

Title: 51766旅游网 error-based SQL injection (17 databases / 542 tables / hundreds of thousands of users)

Vendor: 51766旅游网

Author: 路人甲

Submitted: 2015-10-13 12:07

Fix time: 2015-11-27 12:08

Disclosed: 2015-11-27 12:08

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 15

Status: vendor could not be reached, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-10-13: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2015-11-27: Vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

/**/

Detailed description:

http://www.51766.com/www2009/dujia/search.jsp?startAdd_name=%E9%98%B3%E6%B1%9F%E7%9F%B3%E8%A7%89%E5%AF%BA&linetype=5&ent_id=bjql&minPrice=10000&pageNo=1


Parameter: linetype

[image: 1.png]

Proof of vulnerability:

[image: 2.png]
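The report names the linetype parameter of search.jsp as the injection point but gives no fix. The following Java is an added illustration written here, not code from 51766旅游网: a search handler in the style of that page, with the string-concatenated query that permits error-based injection beside a parameterised version. The parameter names come from the report URL; the table, column and class names are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Hypothetical handler modelled on /www2009/dujia/search.jsp; table/column names are assumed.
public class LineSearch {

    // Vulnerable form: request parameters are pasted into the SQL text. A crafted
    // linetype value alters the statement, and if the database error text reaches
    // the response, error-based extraction (as in the report) becomes possible.
    static ResultSet searchVulnerable(Connection conn, String startAddName, String linetype,
                                      String entId, String minPrice) throws SQLException {
        String sql = "SELECT * FROM INFO_LINE WHERE START_ADD_NAME = '" + startAddName + "'"
                   + " AND LINE_TYPE = " + linetype
                   + " AND ENT_ID = '" + entId + "'"
                   + " AND PRICE >= " + minPrice;
        Statement st = conn.createStatement();
        return st.executeQuery(sql);
    }

    // Hardened form: every value is bound as a parameter, and numeric parameters are
    // parsed first so a non-numeric linetype is rejected before reaching the database.
    static ResultSet searchSafe(Connection conn, String startAddName, String linetype,
                                String entId, String minPrice) throws SQLException {
        int lineType = parseIntParam(linetype, "linetype");
        int price = parseIntParam(minPrice, "minPrice");
        String sql = "SELECT * FROM INFO_LINE WHERE START_ADD_NAME = ? AND LINE_TYPE = ?"
                   + " AND ENT_ID = ? AND PRICE >= ?";
        PreparedStatement ps = conn.prepareStatement(sql);
        ps.setString(1, startAddName);
        ps.setInt(2, lineType);
        ps.setString(3, entId);
        ps.setInt(4, price);
        return ps.executeQuery();
    }

    static int parseIntParam(String value, String name) {
        try {
            return Integer.parseInt(value.trim());
        } catch (NumberFormatException e) {
            // Fail the request with a generic message; never echo SQLException text to the client.
            throw new IllegalArgumentException("invalid numeric parameter: " + name);
        }
    }
}
```

Binding parameters removes the injection; returning a generic error page instead of the raw database message removes the error channel the report's title refers to.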


Database: TRAVEL1
[542 tables]

[image: 3.png]

Suggested fix:

Copyright notice: when reposting, please credit the source 路人甲@乌云


Vulnerability response

Vendor response:

Could not reach the vendor, or the vendor actively refused


Vulnerability ratings:
